From 1bce1fa406aede8ec267d056cb1cd509d31d7b25 Mon Sep 17 00:00:00 2001
From: hpawe01
Date: Tue, 13 Mar 2018 22:00:14 +0100
Subject: [PATCH 1/2] Fix #60 - Tries to extract shop from the `referer` header, if not in query - Makes sure, that the shop from the session is the same as the shop performing the request
---
 middleware/withShop.js | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/middleware/withShop.js b/middleware/withShop.js
index 4f69cbe..8433755 100644
--- a/middleware/withShop.js
+++ b/middleware/withShop.js
@@ -1,8 +1,16 @@
 module.exports = function withShop({ authBaseUrl } = {}) {
 return function verifyRequest(request, response, next) {
- const { query: { shop }, session, baseUrl } = request;
+ const { session, baseUrl } = request;
+ let shop = request.query.shop;
 
- if (session && session.accessToken) {
+ if (!shop && request.get('referer')) {
+ const result = request.get('referer').match(/shop=([^&]+)/);
+ if (result) {
+ shop = result[1];
+ }
+ }
+
+ if (session && session.accessToken && session.shop && session.shop === shop) {
 next();
 return;
 }
From ba5dc32b9714bc7057dd29c2a73dc80a59559760 Mon Sep 17 00:00:00 2001
From: hpawe01
Date: Sun, 18 Mar 2018 01:08:36 +0100
Subject: [PATCH 2/2] Follow shopify coding style
---
 middleware/withShop.js | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/middleware/withShop.js b/middleware/withShop.js
index 8433755..a218a3e 100644
--- a/middleware/withShop.js
+++ b/middleware/withShop.js
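Review bot: The shop value taken from the Referer header in the `request.get('referer').match(/shop=([^&]+)/)` block is caller-controlled and, judging from the `/auth?shop=` redirect that follows later in verifyRequest, is interpolated into an OAuth redirect URL without any validation of its shape; whether the auth route re-validates it is outside this hunk, so this middleware should not rely on that. Anchor the match to a query parameter and accept only a value that looks like a shop domain before using it, e.g. `const result = request.get('referer').match(/[?&]shop=([^&#]+)/);` followed by `if (result && /^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i.test(result[1])) { shop = result[1]; }` (pattern illustrative; match it to what the rest of the app accepts). The captured text is also still percent-encoded, so a referer that encoded the shop differently from the value stored in `session.shop` fails the `===` comparison and bounces the user back through auth. The same point applies to `getShopFromReferrer` in the second patch, which keeps the unanchored regex. The verifyRequest body continues past the end of this hunk.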
@@ -1,26 +1,27 @@
 module.exports = function withShop({ authBaseUrl } = {}) {
 return function verifyRequest(request, response, next) {
- const { session, baseUrl } = request;
- let shop = request.query.shop;
+ const { query = {}, session = {}, baseUrl } = request;
+ const { accessToken } = session;
+ const shop = getShopFromReferrer(request.get('referer')) || query.shop;
 
- if (!shop && request.get('referer')) {
- const result = request.get('referer').match(/shop=([^&]+)/);
- if (result) {
- shop = result[1];
- }
- }
-
- if (session && session.accessToken && session.shop && session.shop === shop) {
+ if (accessToken && session.shop === shop) {
 next();
 return;
 }
 
 if (shop) {
- response.redirect(`${authBaseUrl || baseUrl}/auth?shop=${shop}`);
+ response.redirect(`${authBaseUrl || baseUrl}/auth/shopify?shop=${shop}`);
 return;
 }
 
 response.redirect('/install');
- return;
 };
+
+ function getShopFromReferrer(referrer) {
+ if (!referrer) {
+ return;
+ }
+ const result = referrer.match(/shop=([^&]+)/);
+ return result && result[1];
+ }
 };
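Review bot: `if (accessToken && session.shop === shop)` drops the `session.shop &&` guard the first patch introduced, so a session that holds an accessToken but no shop, on a request carrying no shop in query or referer, evaluates `undefined === undefined` and is passed to `next()` as authenticated for no shop at all. The new `getShopFromReferrer(request.get('referer')) || query.shop` also inverts the precedence the first patch's message describes ("if not in query"): an explicit `?shop=` now loses to whatever `shop=` the Referer happens to carry, so a request for one shop arriving with a referer naming another is checked against, and redirected to auth for, the referer's shop. I would restore both with `const shop = query.shop || getShopFromReferrer(request.get('referer'));` and `if (accessToken && shop && session.shop === shop) {`. A short comment on getShopFromReferrer noting that the returned value is untrusted, still percent-encoded, and not validated as a shop domain would help the next reader.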