From dfbd384c95c426af70a48aec2a7dbef4dc25bcf3 Mon Sep 17 00:00:00 2001 From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com> Date: Sat, 25 Dec 2021 11:01:44 +0000 Subject: [PATCH] Refactor embedding to a Concern --- app/controllers/application_controller.rb | 6 ----- app/controllers/checkout_controller.rb | 6 ++--- .../concerns/checkout_callbacks.rb | 1 - app/controllers/concerns/embedded_pages.rb | 27 +++++++++++++++++++ app/controllers/enterprises_controller.rb | 2 +- app/controllers/groups_controller.rb | 3 ++- app/controllers/home_controller.rb | 4 +-- .../payment_gateways/paypal_controller.rb | 2 +- app/controllers/producers_controller.rb | 4 +-- app/controllers/shop_controller.rb | 3 ++- app/controllers/shops_controller.rb | 4 +-- app/controllers/spree/orders_controller.rb | 2 +- app/controllers/spree/users_controller.rb | 8 +++--- app/services/embedded_page_service.rb | 7 ++--- spec/services/embedded_page_service_spec.rb | 9 +++---- 15 files changed, 53 insertions(+), 35 deletions(-) create mode 100644 app/controllers/concerns/embedded_pages.rb diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index a21f60f250..0b8b45d19f 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -106,12 +106,6 @@ class ApplicationController < ActionController::Base session[:shopfront_redirect] end - def enable_embedded_shopfront - embed_service = EmbeddedPageService.new(params, session, request, response) - embed_service.embed! - @shopfront_layout = 'embedded' if embed_service.use_embedded_layout? - end - def action params[:action].to_sym end diff --git a/app/controllers/checkout_controller.rb b/app/controllers/checkout_controller.rb index fae0c9ba25..f3469aa693 100644 --- a/app/controllers/checkout_controller.rb +++ b/app/controllers/checkout_controller.rb 
@@ -3,11 +3,12 @@ require 'open_food_network/address_finder' class CheckoutController < ::BaseController - layout 'darkswarm' - include OrderStockCheck + include EmbeddedPages include OrderCompletion + layout 'darkswarm' + helper 'terms_and_conditions' helper 'checkout' @@ -26,7 +27,6 @@ class CheckoutController < ::BaseController before_action :associate_user before_action :check_authorization - before_action :enable_embedded_shopfront helper 'spree/orders' diff --git a/app/controllers/concerns/checkout_callbacks.rb b/app/controllers/concerns/checkout_callbacks.rb index 4c97ee2bd9..991fd8e394 100644 --- a/app/controllers/concerns/checkout_callbacks.rb +++ b/app/controllers/concerns/checkout_callbacks.rb @@ -20,7 +20,6 @@ module CheckoutCallbacks before_action :ensure_checkout_allowed before_action :handle_insufficient_stock before_action :check_authorization - before_action :enable_embedded_shopfront end private diff --git a/app/controllers/concerns/embedded_pages.rb b/app/controllers/concerns/embedded_pages.rb new file mode 100644 index 0000000000..039e5aa69a --- /dev/null +++ b/app/controllers/concerns/embedded_pages.rb @@ -0,0 +1,27 @@ +# frozen_string_literal: true + +module EmbeddedPages + extend ActiveSupport::Concern + + included do + content_security_policy do |policy| + policy.frame_ancestors :self, -> { embed_service.embedding_domain } + end + + before_action :enable_embedded_pages + end + + private + + def enable_embedded_pages + return unless embed_service.use_embedded_layout + + @shopfront_layout = 'embedded' + end + + def embed_service + @embed_service ||= EmbeddedPageService. + new(params, session, request, response). + tap(&:embed!) + end +end diff --git a/app/controllers/enterprises_controller.rb b/app/controllers/enterprises_controller.rb index f047b1745d..9574a6ec9c 100644 --- a/app/controllers/enterprises_controller.rb +++ b/app/controllers/enterprises_controller.rb 
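Review bot: In the new `app/controllers/concerns/embedded_pages.rb`, `policy.frame_ancestors :self, -> { embed_service.embedding_domain }` passes the lambda's result straight into the `Content-Security-Policy` header, and on a non-embedded request `embedding_domain` is nil (the spec hunk at the end of this patch asserts exactly that), so what the header then contains depends on how the installed Rails version serialises a nil dynamic source, whereas the removed spec assertion shows the previous code answered such requests with `X-Frame-Options: DENY`. A request spec asserting the header for both the embedded and the non-embedded case would pin this down. The domain appears to be derived from the request's referer, so the concern should state that it relies on `EmbeddedPageService` to report only a whitelisted domain; the module currently carries no documentation, and a header comment such as `# Lets a page be framed by the whitelisted site embedding it: sets frame-ancestors from EmbeddedPageService and switches to the 'embedded' layout.` above `module EmbeddedPages` would make that contract visible.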
@@ -7,6 +7,7 @@ class EnterprisesController < BaseController helper Spree::ProductsHelper include OrderCyclesHelper include SerializerHelper + include EmbeddedPages protect_from_forgery except: :check_permalink @@ -14,7 +15,6 @@ class EnterprisesController < BaseController prepend_before_action :set_order_cycles, :require_distributor_chosen, :reset_order, only: :shop before_action :clean_permalink, only: :check_permalink - before_action :enable_embedded_shopfront respond_to :js, only: :permalink_checker diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb index c027a060e1..22445d44c2 100644 --- a/app/controllers/groups_controller.rb +++ b/app/controllers/groups_controller.rb @@ -1,10 +1,11 @@ # frozen_string_literal: true class GroupsController < BaseController + include EmbeddedPages + layout 'darkswarm' def show - enable_embedded_shopfront @hide_menu = true if @shopfront_layout == 'embedded' @group = EnterpriseGroup.find_by(permalink: params[:id]) || EnterpriseGroup.find(params[:id]) end diff --git a/app/controllers/home_controller.rb b/app/controllers/home_controller.rb index bcc04e8365..bf13b77d48 100644 --- a/app/controllers/home_controller.rb +++ b/app/controllers/home_controller.rb @@ -1,9 +1,9 @@ # frozen_string_literal: true class HomeController < BaseController - layout 'darkswarm' + include EmbeddedPages - before_action :enable_embedded_shopfront + layout 'darkswarm' def index if ContentConfig.home_show_stats diff --git a/app/controllers/payment_gateways/paypal_controller.rb b/app/controllers/payment_gateways/paypal_controller.rb index 60d6f35764..43d0e641ad 100644 --- a/app/controllers/payment_gateways/paypal_controller.rb +++ b/app/controllers/payment_gateways/paypal_controller.rb 
@@ -4,8 +4,8 @@ module PaymentGateways class PaypalController < ::BaseController include OrderStockCheck include OrderCompletion + include EmbeddedPages - before_action :enable_embedded_shopfront before_action :destroy_orphaned_paypal_payments, only: :confirm before_action :load_checkout_order, only: [:express, :confirm] before_action :handle_insufficient_stock, only: [:express, :confirm] diff --git a/app/controllers/producers_controller.rb b/app/controllers/producers_controller.rb index 38e4e1c00f..8d9cf0e7a3 100644 --- a/app/controllers/producers_controller.rb +++ b/app/controllers/producers_controller.rb @@ -1,9 +1,9 @@ # frozen_string_literal: true class ProducersController < BaseController - layout 'darkswarm' + include EmbeddedPages - before_action :enable_embedded_shopfront + layout 'darkswarm' def index @enterprises = Enterprise diff --git a/app/controllers/shop_controller.rb b/app/controllers/shop_controller.rb index b992d21a79..581c882821 100644 --- a/app/controllers/shop_controller.rb +++ b/app/controllers/shop_controller.rb @@ -1,9 +1,10 @@ # frozen_string_literal: true class ShopController < BaseController + include EmbeddedPages + layout "darkswarm" before_action :require_distributor_chosen, :set_order_cycles, except: :changeable_orders_alert - before_action :enable_embedded_shopfront def show redirect_to main_app.enterprise_shop_path(current_distributor) diff --git a/app/controllers/shops_controller.rb b/app/controllers/shops_controller.rb index 6fc655c8bb..150a07a984 100644 --- a/app/controllers/shops_controller.rb +++ b/app/controllers/shops_controller.rb @@ -1,9 +1,9 @@ # frozen_string_literal: true class ShopsController < BaseController - layout 'darkswarm' + include EmbeddedPages - before_action :enable_embedded_shopfront + layout 'darkswarm' def index @enterprises = ShopsListService.new.open_shops diff --git a/app/controllers/spree/orders_controller.rb b/app/controllers/spree/orders_controller.rb index 344d0c8f4a..d6405ef1ac 100644 
--- a/app/controllers/spree/orders_controller.rb +++ b/app/controllers/spree/orders_controller.rb @@ -3,6 +3,7 @@ module Spree class OrdersController < ::BaseController include OrderCyclesHelper + include EmbeddedPages include Rails.application.routes.url_helpers layout 'darkswarm' @@ -15,7 +16,6 @@ module Spree before_action :check_authorization before_action :set_current_order, only: :update before_action :filter_order_params, only: :update - before_action :enable_embedded_shopfront prepend_before_action :require_order_authentication, only: :show prepend_before_action :require_order_cycle, only: :edit diff --git a/app/controllers/spree/users_controller.rb b/app/controllers/spree/users_controller.rb index 24c070ed8a..6557b046b9 100644 --- a/app/controllers/spree/users_controller.rb +++ b/app/controllers/spree/users_controller.rb @@ -2,17 +2,17 @@ module Spree class UsersController < ::BaseController + include Spree::Core::ControllerHelpers + include I18nHelper + include EmbeddedPages + layout 'darkswarm' skip_before_action :set_current_order, only: :show prepend_before_action :load_object, only: [:show, :edit, :update] prepend_before_action :authorize_actions, only: :new - include Spree::Core::ControllerHelpers - include I18nHelper - before_action :set_locale - before_action :enable_embedded_shopfront def show @payments_requiring_action = PaymentsRequiringAction.new(spree_current_user).query diff --git a/app/services/embedded_page_service.rb b/app/services/embedded_page_service.rb index 76cefc60ec..e088efad52 100644 --- a/app/services/embedded_page_service.rb +++ b/app/services/embedded_page_service.rb @@ -3,6 +3,8 @@ # Processes requests for pages embedded in iframes class EmbeddedPageService + attr_reader :embedding_domain, :use_embedded_layout + def initialize(params, session, request, response) @params = params @session = session 
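Review bot: `attr_reader :embedding_domain, :use_embedded_layout` in `EmbeddedPageService` turns the boolean predicate `use_embedded_layout?` into `use_embedded_layout`, dropping the `?` that Ruby convention reserves for true/false methods only because `attr_reader` cannot define one. Keeping `attr_reader :embedding_domain` plus an explicit predicate, `def use_embedded_layout?` / `  @use_embedded_layout` / `end`, preserves the public name the old spec used, with the call in `EmbeddedPages#enable_embedded_pages` then staying `embed_service.use_embedded_layout?`. The rest of `initialize` lies outside the hunk.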
@@ -19,11 +21,6 @@ class EmbeddedPageService process_embedded_request set_embedded_layout - @embedding_domain - end - - def use_embedded_layout? - @use_embedded_layout end private diff --git a/spec/services/embedded_page_service_spec.rb b/spec/services/embedded_page_service_spec.rb index bcf92447f4..8a1a5efafa 100644 --- a/spec/services/embedded_page_service_spec.rb +++ b/spec/services/embedded_page_service_spec.rb @@ -31,9 +31,8 @@ describe EmbeddedPageService do context "when the request's referer is in the whitelist" do before { service.embed! } - it "sets the response headers to enables embedding requests from the embedding site" do - expect(response.headers).to_not include 'X-Frame-Options' => 'DENY' - expect(response.headers).to eq 'Content-Security-Policy' => "frame-ancestors 'self' embedding-enterprise.com" + it "returns the domain for the embedding site" do + expect(service.embedding_domain).to eq "embedding-enterprise.com" end it "sets session variables" do @@ -43,7 +42,7 @@ describe EmbeddedPageService do end it "publicly reports that embedded layout should be used" do - expect(service.use_embedded_layout?).to be true + expect(service.use_embedded_layout).to be true end end @@ -68,7 +67,7 @@ describe EmbeddedPageService do end it "does not enable embedding" do - expect(response.headers['X-Frame-Options']).to eq 'DENY' + expect(service.embedding_domain).to be_nil end end
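Review bot: The two assertions removed from `spec/services/embedded_page_service_spec.rb` were the only places this patch checked the actual response headers (`Content-Security-Policy: frame-ancestors 'self' embedding-enterprise.com` when the referer is whitelisted, `X-Frame-Options: DENY` otherwise); their replacements only read the service's new attribute readers. Since header emission has moved into the `content_security_policy` block of the `EmbeddedPages` concern, that behaviour is now untested anywhere in the patch, and a request or controller spec for a controller that includes the concern should assert the `Content-Security-Policy` header for both cases. In the `@@ -19,11 +21,6 @@` hunk of `embedded_page_service.rb`, removing `@embedding_domain` also makes the method (presumably `embed!`) return whatever `set_embedded_layout` returns; that is harmless for `EmbeddedPages#embed_service`, which calls it via `tap(&:embed!)`, but any other caller relying on the old return value would need checking.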