Find shop domain in request when getting the token

src/ShopifyApp/Http/Middleware/VerifyShopify.php

@@ -8,7 +8,6 @@
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\Http\Response;
-use Illuminate\Support\Arr;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Redirect;
 use Illuminate\Support\Str;
@@ -21,7 +20,6 @@
 use function Osiset\ShopifyApp\getShopifyConfig;
 use Osiset\ShopifyApp\Objects\Enums\DataSource;
 use Osiset\ShopifyApp\Objects\Values\NullableSessionId;
-use Osiset\ShopifyApp\Objects\Values\NullShopDomain;
 use Osiset\ShopifyApp\Objects\Values\SessionToken;
 use Osiset\ShopifyApp\Objects\Values\ShopDomain;
 use Osiset\ShopifyApp\Services\SessionContext;
@@ -210,7 +208,7 @@ protected function handleInvalidShop(Request $request)
             throw new HttpException('Shop is not installed or missing data.', Response::HTTP_FORBIDDEN);
         }
 
-        return $this->installRedirect($this->getShopDomainFromRequest($request));
+        return $this->installRedirect(ShopDomain::getFromRequest($request));
     }
 
     /**
@@ -300,7 +298,7 @@ protected function tokenRedirect(Request $request): RedirectResponse
         return Redirect::route(
             getShopifyConfig('route_names.authenticate.token'),
             [
-                'shop'   => $this->getShopDomainFromRequest($request)->toNative(),
+                'shop'   => ShopDomain::getFromRequest($request)->toNative(),
                 'target' => $target,
             ]
         );
@@ -321,48 +319,6 @@ protected function installRedirect(ShopDomainValue $shopDomain): RedirectRespons
         );
     }
 
-    /**
-     * Grab the shop, if present, and how it was found.
-     * Order of precedence is:.
-     *
-     *  - GET/POST Variable
-     *  - Headers
-     *  - Referer
-     *
-     * @param Request $request The request object.
-     *
-     * @return ShopDomainValue
-     */
-    protected function getShopDomainFromRequest(Request $request): ShopDomainValue
-    {
-        // All possible methods
-        $options = [
-            // GET/POST
-            DataSource::INPUT()->toNative() => $request->input('shop'),
-            // Headers
-            DataSource::HEADER()->toNative() => $request->header('X-Shop-Domain'),
-            // Headers: Referer
-            DataSource::REFERER()->toNative() => function () use ($request): ?string {
-                $url = parse_url($request->header('referer'), PHP_URL_QUERY);
-                parse_str($url, $refererQueryParams);
-
-                return Arr::get($refererQueryParams, 'shop');
-            },
-        ];
-
-        // Loop through each until we find the HMAC
-        foreach ($options as $method => $value) {
-            $result = is_callable($value) ? $value() : $value;
-            if ($result !== null) {
-                // Found a shop
-                return ShopDomain::fromNative($result);
-            }
-        }
-
-        // No shop domain found in any source
-        return NullShopDomain::fromNative(null);
-    }
-
     /**
      * Grab the HMAC value, if present, and how it was found.
      * Order of precedence is:.
@@ -548,7 +504,7 @@ protected function isApiRequest(Request $request): bool
      */
     protected function checkPreviousInstallation(Request $request): bool
     {
-        $shop = $this->shopQuery->getByDomain($this->getShopDomainFromRequest($request), [], true);
+        $shop = $this->shopQuery->getByDomain(ShopDomain::getFromRequest($request), [], true);
 
         return ($shop && !$shop->trashed());
     }

src/ShopifyApp/Objects/Values/SessionToken.php

@@ -129,19 +129,22 @@ final class SessionToken implements SessionTokenValue
      * Contructor.
      *
      * @param string $token The JWT.
+     * @param bool $verifyToken Should the token be verified? Use false to only decode the token.
      *
-     * @return void
+     * @throws AssertionFailedException
      */
-    public function __construct(string $token)
+    public function __construct(string $token, bool $verifyToken = true)
     {
         // Confirm token formatting and decode the token
         $this->string = $token;
         $this->decodeToken();
 
-        // Confirm token signature, validity, and expiration
-        $this->verifySignature();
-        $this->verifyValidity();
-        $this->verifyExpiration();
+        if ($verifyToken) {
+            // Confirm token signature, validity, and expiration
+            $this->verifySignature();
+            $this->verifyValidity();
+            $this->verifyExpiration();
+        }
     }
 
     /**

src/ShopifyApp/Objects/Values/ShopDomain.php

@@ -2,9 +2,14 @@
 
 namespace Osiset\ShopifyApp\Objects\Values;
 
+use Assert\AssertionFailedException;
 use Funeralzone\ValueObjects\Scalars\StringTrait;
+use Illuminate\Http\Request;
+use Illuminate\Support\Arr;
 use Osiset\ShopifyApp\Contracts\Objects\Values\ShopDomain as ShopDomainValue;
+use Osiset\ShopifyApp\Objects\Enums\DataSource;
 use function Osiset\ShopifyApp\getShopifyConfig;
+use function Osiset\ShopifyApp\parseQueryString;
 
 /**
  * Value object for shop's domain.
@@ -25,6 +30,70 @@ public function __construct(string $domain)
         $this->string = $this->sanitizeShopDomain($domain);
     }
 
+    /**
+     * Grab the shop, if present, and how it was found.
+     * Order of precedence is:.
+     *
+     *  - GET/POST Variable ("shop" or "shopDomain")
+     *  - Headers ("X-Shop-Domain")
+     *  - Referer ("shop" or "shopDomain" query param or decoded "token" query param)
+     *
+     * @param Request $request The request object.
+     *
+     * @return ShopDomainValue
+     */
+    public static function getFromRequest(Request $request): ShopDomainValue
+    {
+        // All possible methods
+        $options = [
+            // GET/POST
+            DataSource::INPUT()->toNative() => $request->input('shop') ?? $request->input('shopDomain'),
+
+            // Headers
+            DataSource::HEADER()->toNative() => $request->header('X-Shop-Domain'),
+
+            // Headers: Referer
+            DataSource::REFERER()->toNative() => function () use ($request): ?string {
+                $url = parse_url($request->header('referer'), PHP_URL_QUERY);
+                $params = parseQueryString($url);
+                $shop = Arr::get($params, 'shop') ?? Arr::get($params, 'shopDomain');
+
+                if ($shop) {
+                    return $shop;
+                }
+
+                $token = Arr::get($params, 'token');
+
+                if ($token) {
+                    try {
+                        $token = new SessionToken($token, $verifyToken = false);
+
+                        if ($shopDomain = $token->getShopDomain()) {
+                            return $shopDomain->toNative();
+                        }
+                    } catch (AssertionFailedException $e) {
+                        // unable to decode the token
+                    }
+                }
+
+                return null;
+            },
+        ];
+
+        // Loop through each until we find the shop
+        foreach ($options as $value) {
+            $result = is_callable($value) ? $value() : $value;
+
+            if ($result !== null) {
+                // Found a shop
+                return self::fromNative($result);
+            }
+        }
+
+        // No shop domain found in any source
+        return NullShopDomain::fromNative(null);
+    }
+
     /**
      * Ensures shop domain meets the specs.
      *

src/ShopifyApp/Traits/AuthController.php

@@ -69,8 +69,9 @@ public function authenticate(Request $request, AuthenticateShop $authShop)
      */
     public function token(Request $request)
     {
-        $target = $request->query('target');
+        $shopDomain = ShopDomain::getFromRequest($request);
 
+        $target = $request->query('target');
         $query = parse_url($target, PHP_URL_QUERY);
 
         if ($query) {
@@ -86,7 +87,7 @@ public function token(Request $request)
         return View::make(
             'shopify-app::auth.token',
             [
-                'shopDomain' => ShopDomain::fromNative($request->query('shop'))->toNative(),
+                'shopDomain' => $shopDomain->toNative(),
                 'target'     => $cleanTarget,
             ]
         );