try to prevent double redirect

TheSecurityDev · Nov 23, 2022 · 94adc6b · 94adc6b
1 parent 908f839
commit 94adc6b
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 11 deletions.
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "simple-koa-shopify-auth",
-  "version": "2.1.9",
+  "version": "2.1.10",
   "description": "A better, simplified version of the (no longer supported) @Shopify/koa-shopify-auth middleware library. It removes the use of cookies for sessions (which greatly smooths the auth process), replaces a deprecated API call, and supports v2 of the official @shopify/shopify-api package.",
   "author": "TheSecurityDev",
   "license": "MIT",

diff --git a/src/top-level-oauth-redirect.ts b/src/top-level-oauth-redirect.ts
@@ -65,6 +65,10 @@ async function getTopLevelRedirectScript(host: string, redirectTo: string, apiKe
       document.addEventListener('DOMContentLoaded', function() {
         const apiKey = '${apiKey}';
         const redirectUrl = '${redirectTo}';
+        const host = '${encodeURI(host)}';
+        const hostManual = '${encodeURI(
+          Buffer.from(`admin.shopify.com/store/${shopName}`, "utf8").toString("base64")
+        )}'; // This is the manual host that we use to redirect to the new admin
         if (window.top === window.self) {
           // If the current window is the 'parent', change the URL by setting location.href
           window.location.href = redirectUrl;
@@ -74,24 +78,26 @@ async function getTopLevelRedirectScript(host: string, redirectTo: string, apiKe
           var createApp = AppBridge.default;
           var Redirect = AppBridge.actions.Redirect;
           try {
-            var app = createApp({
+            var app = createApp({ 
               apiKey,
-              host: "${encodeURI(host)}",
+              host
             });
             var redirect = Redirect.create(app);
             redirect.dispatch(Redirect.Action.REMOTE, redirectUrl);
           } catch (e) {
             console.error(e);
           }
           try {
-            // For some reason, we get the old host parameter sometimes when using the new admin.shopify.com domain, and this causes issues with the redirect.
-            // So we will create a second redirect using the new host, just in case.
-            var app = createApp({
-              apiKey,
-              host: encodeURI(btoa("admin.shopify.com/store/" + "${shopName}")),
-            });
-            var redirect = Redirect.create(app);
-            redirect.dispatch(Redirect.Action.REMOTE, redirectUrl);
+            if (atob(host) !== atob(hostManual)) {
+              // For some reason, we get the old host parameter sometimes when using the new admin.shopify.com domain, and this causes issues with the redirect.
+              // So we will create a second redirect using the new host, just in case.
+              var app = createApp({
+                apiKey,
+                host: hostManual
+              });
+              var redirect = Redirect.create(app);
+              redirect.dispatch(Redirect.Action.REMOTE, redirectUrl);
+            }
           } catch (e) {
             console.error(e);
           }