Refactor embedding to a Concern

app/controllers/application_controller.rb

@@ -106,12 +106,6 @@ class ApplicationController < ActionController::Base
     session[:shopfront_redirect]
   end
 
-  def enable_embedded_shopfront
-    embed_service = EmbeddedPageService.new(params, session, request, response)
-    embed_service.embed!
-    @shopfront_layout = 'embedded' if embed_service.use_embedded_layout?
-  end
-
   def action
     params[:action].to_sym
   end

app/controllers/checkout_controller.rb

@@ -3,11 +3,12 @@
 require 'open_food_network/address_finder'
 
 class CheckoutController < ::BaseController
-  layout 'darkswarm'
-
   include OrderStockCheck
+  include EmbeddedPages
   include OrderCompletion
 
+  layout 'darkswarm'
+
   helper 'terms_and_conditions'
   helper 'checkout'
 
@@ -26,7 +27,6 @@ class CheckoutController < ::BaseController
 
   before_action :associate_user
   before_action :check_authorization
-  before_action :enable_embedded_shopfront
 
   helper 'spree/orders'
 

app/controllers/concerns/checkout_callbacks.rb

@@ -20,7 +20,6 @@ module CheckoutCallbacks
     before_action :ensure_checkout_allowed
     before_action :handle_insufficient_stock
     before_action :check_authorization
-    before_action :enable_embedded_shopfront
   end
 
   private

app/controllers/concerns/embedded_pages.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module EmbeddedPages
+  extend ActiveSupport::Concern
+
+  included do
+    content_security_policy do |policy|
+      policy.frame_ancestors :self, -> { embed_service.embedding_domain }
+    end
+
+    before_action :enable_embedded_pages
+  end
+
+  private
+
+  def enable_embedded_pages
+    return unless embed_service.use_embedded_layout
+
+    @shopfront_layout = 'embedded'
+  end
+
+  def embed_service
+    @embed_service ||= EmbeddedPageService.
+      new(params, session, request, response).
+      tap(&:embed!)
+  end
+end

app/controllers/enterprises_controller.rb

@@ -7,6 +7,7 @@ class EnterprisesController < BaseController
   helper Spree::ProductsHelper
   include OrderCyclesHelper
   include SerializerHelper
+  include EmbeddedPages
 
   protect_from_forgery except: :check_permalink
 
@@ -14,7 +15,6 @@ class EnterprisesController < BaseController
   prepend_before_action :set_order_cycles, :require_distributor_chosen, :reset_order, only: :shop
 
   before_action :clean_permalink, only: :check_permalink
-  before_action :enable_embedded_shopfront
 
   respond_to :js, only: :permalink_checker
 

app/controllers/groups_controller.rb

@@ -1,10 +1,11 @@
 # frozen_string_literal: true
 
 class GroupsController < BaseController
+  include EmbeddedPages
+
   layout 'darkswarm'
 
   def show
-    enable_embedded_shopfront
     @hide_menu = true if @shopfront_layout == 'embedded'
     @group = EnterpriseGroup.find_by(permalink: params[:id]) || EnterpriseGroup.find(params[:id])
   end

app/controllers/home_controller.rb

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
 class HomeController < BaseController
-  layout 'darkswarm'
+  include EmbeddedPages
 
-  before_action :enable_embedded_shopfront
+  layout 'darkswarm'
 
   def index
     if ContentConfig.home_show_stats

app/controllers/payment_gateways/paypal_controller.rb

@@ -4,8 +4,8 @@ module PaymentGateways
   class PaypalController < ::BaseController
     include OrderStockCheck
     include OrderCompletion
+    include EmbeddedPages
 
-    before_action :enable_embedded_shopfront
     before_action :destroy_orphaned_paypal_payments, only: :confirm
     before_action :load_checkout_order, only: [:express, :confirm]
     before_action :handle_insufficient_stock, only: [:express, :confirm]

app/controllers/producers_controller.rb

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
 class ProducersController < BaseController
-  layout 'darkswarm'
+  include EmbeddedPages
 
-  before_action :enable_embedded_shopfront
+  layout 'darkswarm'
 
   def index
     @enterprises = Enterprise

app/controllers/shop_controller.rb

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 
 class ShopController < BaseController
+  include EmbeddedPages
+
   layout "darkswarm"
   before_action :require_distributor_chosen, :set_order_cycles, except: :changeable_orders_alert
-  before_action :enable_embedded_shopfront
 
   def show
     redirect_to main_app.enterprise_shop_path(current_distributor)

app/controllers/shops_controller.rb

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
 class ShopsController < BaseController
-  layout 'darkswarm'
+  include EmbeddedPages
 
-  before_action :enable_embedded_shopfront
+  layout 'darkswarm'
 
   def index
     @enterprises = ShopsListService.new.open_shops

app/controllers/spree/orders_controller.rb

@@ -3,6 +3,7 @@
 module Spree
   class OrdersController < ::BaseController
     include OrderCyclesHelper
+    include EmbeddedPages
     include Rails.application.routes.url_helpers
 
     layout 'darkswarm'
@@ -15,7 +16,6 @@ module Spree
     before_action :check_authorization
     before_action :set_current_order, only: :update
     before_action :filter_order_params, only: :update
-    before_action :enable_embedded_shopfront
 
     prepend_before_action :require_order_authentication, only: :show
     prepend_before_action :require_order_cycle, only: :edit

app/controllers/spree/users_controller.rb

@@ -2,17 +2,17 @@
 
 module Spree
   class UsersController < ::BaseController
+    include Spree::Core::ControllerHelpers
+    include I18nHelper
+    include EmbeddedPages
+
     layout 'darkswarm'
 
     skip_before_action :set_current_order, only: :show
     prepend_before_action :load_object, only: [:show, :edit, :update]
     prepend_before_action :authorize_actions, only: :new
 
-    include Spree::Core::ControllerHelpers
-    include I18nHelper
-
     before_action :set_locale
-    before_action :enable_embedded_shopfront
 
     def show
       @payments_requiring_action = PaymentsRequiringAction.new(spree_current_user).query

app/services/embedded_page_service.rb

@@ -3,6 +3,8 @@
 # Processes requests for pages embedded in iframes
 
 class EmbeddedPageService
+  attr_reader :embedding_domain, :use_embedded_layout
+
   def initialize(params, session, request, response)
     @params = params
     @session = session
@@ -19,11 +21,6 @@ class EmbeddedPageService
 
     process_embedded_request
     set_embedded_layout
-    @embedding_domain
-  end
-
-  def use_embedded_layout?
-    @use_embedded_layout
   end
 
   private

spec/services/embedded_page_service_spec.rb

@@ -31,9 +31,8 @@ describe EmbeddedPageService do
     context "when the request's referer is in the whitelist" do
       before { service.embed! }
 
-      it "sets the response headers to enables embedding requests from the embedding site" do
-        expect(response.headers).to_not include 'X-Frame-Options' => 'DENY'
-        expect(response.headers).to eq 'Content-Security-Policy' => "frame-ancestors 'self' embedding-enterprise.com"
+      it "returns the domain for the embedding site" do
+        expect(service.embedding_domain).to eq "embedding-enterprise.com"
       end
 
       it "sets session variables" do
@@ -43,7 +42,7 @@ describe EmbeddedPageService do
       end
 
       it "publicly reports that embedded layout should be used" do
-        expect(service.use_embedded_layout?).to be true
+        expect(service.use_embedded_layout).to be true
       end
     end
 
@@ -68,7 +67,7 @@ describe EmbeddedPageService do
       end
 
       it "does not enable embedding" do
-        expect(response.headers['X-Frame-Options']).to eq 'DENY'
+        expect(service.embedding_domain).to be_nil
       end
     end