Move covered scopes check into strategy

CHANGELOG.md

@@ -1,5 +1,6 @@
 Unreleased
 ----------
+* Move covered scopes check into user access strategy [#1600](https://github.com/Shopify/shopify_app/pull/1600)
 * Add configuration option for user access strategy [#1599](https://github.com/Shopify/shopify_app/pull/1599)
 * Fixes a bug with `EnsureAuthenticatedLinks` causing deep links to not work [#1549](https://github.com/Shopify/shopify_app/pull/1549)
 * Ensure online token is properly used when using `current_shopify_session` [#1566](https://github.com/Shopify/shopify_app/pull/1566)

lib/shopify_app/access_scopes/noop_strategy.rb

@@ -7,6 +7,10 @@ class << self
         def update_access_scopes?(*_args)
           false
         end
+
+        def covers_scopes?(*_args)
+          true
+        end
       end
     end
   end

lib/shopify_app/access_scopes/user_strategy.rb

@@ -12,6 +12,11 @@ def update_access_scopes?(user_id: nil, shopify_user_id: nil)
             "#update_access_scopes? requires user_id or shopify_user_id parameter inputs")
         end
 
+        def covers_scopes?(current_shopify_session)
+          # NOTE: this not Ruby's `covers?` method, it is defined in ShopifyAPI::Auth::AuthScopes
+          current_shopify_session.scope.to_a.empty? || current_shopify_session.scope.covers?(ShopifyAPI::Context.scope)
+        end
+
         private
 
         def update_access_scopes_for_user_id?(user_id)

lib/shopify_app/controller_concerns/login_protection.rb

@@ -29,9 +29,7 @@ def activate_shopify_session
         return redirect_to_login
       end
 
-      unless current_shopify_session.scope.to_a.empty? ||
-          current_shopify_session.scope.covers?(ShopifyAPI::Context.scope)
-
+      unless ShopifyApp.configuration.user_access_scopes_strategy.covers_scopes?(current_shopify_session)
         clear_shopify_session
         return redirect_to_login
       end