Users aren't signed into a new shop when clicking app link and already signed in

[shkm]

Background

We just upgraded to the latest version of Shopify app from 7.2.0 to 9.0.1 (omniauth-shopify_oauth2 1.5.0 -> 2.1.0) and we're seeing an issue involving users clicking app links from their shop. We're not using an embedded app.

Scenario

1. User is signed into app as shop1.myshopify.com
2. User clicks app link from shop2.myshopify.com
3. User redirects to app and remains signed in as shop1.myshopify.com

Problem

This seems to me because of the following code:

 option :setup, proc { |env|
        strategy = env['omniauth.strategy']

        shopify_auth_params = strategy.session['shopify.omniauth_params'] && strategy.session['shopify.omniauth_params'].with_indifferent_access
        shop = if shopify_auth_params && shopify_auth_params['shop']
          "https://#{shopify_auth_params['shop']}"
        else
          ''
        end

        strategy.options[:client_options][:site] = shop
}

i.e. we're not checking the params for the request params for the shop domain.

Fix

Changing the code to the following seems to resolve the issue:

  strategy = env["omniauth.strategy"]
  request = Rack::Request.new(env)

  shop = request.params.fetch("shop", strategy.session["shopify.omniauth_params"]&.[](:shop))
  strategy.options[:client_options][:site] = shop ? "https://#{shop}" : ""

i.e. use the shop in params if it exists, or fall back to usual behaviour.

Is there anything wrong with this approach? Am I missing something as to why this isn't the normal behaviour?