Merge pull request #1374 from Shopify/fix-internal-host-api-calls

gbzodek · web-flow · commit cf0c4fe762ad · 2025-04-25T16:32:21.000+02:00
Fix edge cases for internal hosts
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 Note: For changes to the API, see https://shopify.dev/changelog?filter=api
 ## Unreleased
+- [#1374](https://github.com/Shopify/shopify-api-ruby/pull/1374) Fix edge cases for Shopify internal hosts
 
 ## 14.9.0
 
diff --git a/lib/shopify_api/auth/oauth.rb b/lib/shopify_api/auth/oauth.rb
@@ -111,7 +111,7 @@ def validate_auth_callback(cookies:, auth_query:)
 
         sig { params(shop: String).returns(String) }
         def auth_base_uri(shop)
-          return "https://#{shop}/admin" unless defined?(DevServer)
+          return "https://#{shop}/admin" unless defined?(DevServer) && shop.include?(".my.shop.dev")
 
           # For first-party apps in development only, we leverage DevServer to build the admin base URI
           admin_web = T.unsafe(Object.const_get("DevServer")).new("web") # rubocop:disable Sorbet/ConstantsFromStrings
diff --git a/lib/shopify_api/clients/http_client.rb b/lib/shopify_api/clients/http_client.rb
@@ -131,6 +131,7 @@ def serialized_error(response)
       def append_first_party_development_headers(headers, parsed_uri)
         return headers unless defined?(DevServer)
         return headers unless headers["Host"]&.include?(".my.shop.dev") || parsed_uri.host&.include?(".my.shop.dev")
+        return headers if headers["x-forwarded-host"]&.include?(".my.shop.dev")
 
         # These headers are only used for first party applications in development mode
         headers["x-forwarded-host"] = headers["Host"] || parsed_uri.host
