Deprecate validate_shop call from JWT class

Shopify · Apr 25, 2022 · 57e4f98 · 57e4f98
1 parent 8430c82
commit 57e4f98
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 13 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,8 +3,9 @@
 ## Unreleased
 
 ### Fixed
+
 - [#935](https://github.com/Shopify/shopify_api/pull/935) Fix issue [#931](https://github.com/Shopify/shopify_api/pull/931), weight of variant should be float
-- [#939](https://github.com/Shopify/shopify_api/pull/939) Hotfix for `.spin.dev` JWT validation.
+- [#944](https://github.com/Shopify/shopify_api/pull/944) Deprecated the `validate_shop` method from the JWT class since we can trust the token payload, since it comes from Shopify.
 
 ## Version 10.0.2
 

diff --git a/lib/shopify_api/auth/jwt_payload.rb b/lib/shopify_api/auth/jwt_payload.rb
@@ -35,18 +35,21 @@ def initialize(token)
 
         raise ShopifyAPI::Errors::InvalidJwtTokenError,
           "Session token had invalid API key" unless @aud == Context.api_key
-        raise ShopifyAPI::Errors::InvalidJwtTokenError,
-          "Session token had invalid shop" unless validate_shop(shop)
       end
 
       sig { returns(String) }
       def shop
         @dest.gsub("https://", "")
       end
 
+      # TODO: Remove before releasing v11
       sig { params(shop: String).returns(T::Boolean) }
       def validate_shop(shop)
-        /\A[a-z0-9]+[a-z0-9\-\.]*[a-z0-9]+\.(myshopify\.(io|com)|spin\.dev)\z/.match?(shop)
+        Context.logger.warn(
+          "Deprecation notice: ShopifyAPI::Auth::JwtPayload.validate_shop no longer checks the given shop and always " \
+            "returns true. It will be removed in v11."
+        )
+        true
       end
 
       alias_method :eql?, :==

diff --git a/test/auth/jwt_payload_test.rb b/test/auth/jwt_payload_test.rb
@@ -83,15 +83,6 @@ def test_decode_jwt_payload_fails_if_not_activated_yet
         end
       end
 
-      def test_decode_jwt_payload_fails_if_domain_is_invalid
-        payload = @jwt_payload.dup
-        payload[:dest] = "https://notadomain"
-        jwt_token = JWT.encode(payload, ShopifyAPI::Context.api_secret_key, "HS256")
-        assert_raises(ShopifyAPI::Errors::InvalidJwtTokenError) do
-          ShopifyAPI::Auth::JwtPayload.new(jwt_token)
-        end
-      end
-
       def test_decode_jwt_payload_fails_with_invalid_api_key
         jwt_token = JWT.encode(@jwt_payload, ShopifyAPI::Context.api_secret_key, "HS256")