Shopify · drewish · Sep 19, 2018 · drewish · Sep 19, 2018 · richter-alex
diff --git a/lib/shopify_api/session.rb b/lib/shopify_api/session.rb
@@ -73,9 +73,10 @@ def initialize(url, token = nil, extra = {})
       self.extra = extra
     end
 
-    def create_permission_url(scope, redirect_uri = nil)
-      params = {:client_id => api_key, :scope => scope.join(',')}
+    def create_permission_url(scope, redirect_uri = nil, state: nil)
+      params = { client_id: api_key, scope: scope.join(',') }
       params[:redirect_uri] = redirect_uri if redirect_uri
+      params[:state] = state if state
       "#{site}/oauth/authorize?#{parameterize(params)}"
     end
 

diff --git a/test/session_test.rb b/test/session_test.rb
@@ -74,35 +74,49 @@ def setup
   end
 
   test "create_permission_url returns correct url with single scope no redirect uri" do
-    ShopifyAPI::Session.setup(:api_key => "My_test_key", :secret => "My test secret")
+    ShopifyAPI::Session.setup(api_key: "My_test_key", secret: "My test secret")
     session = ShopifyAPI::Session.new('http://localhost.myshopify.com')
     scope = ["write_products"]
     permission_url = session.create_permission_url(scope)
     assert_equal "https://localhost.myshopify.com/admin/oauth/authorize?client_id=My_test_key&scope=write_products", permission_url
   end
 
   test "create_permission_url returns correct url with single scope and redirect uri" do
-    ShopifyAPI::Session.setup(:api_key => "My_test_key", :secret => "My test secret")
+    ShopifyAPI::Session.setup(api_key: "My_test_key", secret: "My test secret")
     session = ShopifyAPI::Session.new('http://localhost.myshopify.com')
     scope = ["write_products"]
     permission_url = session.create_permission_url(scope, "http://my_redirect_uri.com")
     assert_equal "https://localhost.myshopify.com/admin/oauth/authorize?client_id=My_test_key&scope=write_products&redirect_uri=http://my_redirect_uri.com", permission_url
   end
 
   test "create_permission_url returns correct url with dual scope no redirect uri" do
-    ShopifyAPI::Session.setup(:api_key => "My_test_key", :secret => "My test secret")
+    ShopifyAPI::Session.setup(api_key: "My_test_key", secret: "My test secret")
     session = ShopifyAPI::Session.new('http://localhost.myshopify.com')
     scope = ["write_products","write_customers"]
     permission_url = session.create_permission_url(scope)
     assert_equal "https://localhost.myshopify.com/admin/oauth/authorize?client_id=My_test_key&scope=write_products,write_customers", permission_url
   end
 
   test "create_permission_url returns correct url with no scope no redirect uri" do
-    ShopifyAPI::Session.setup(:api_key => "My_test_key", :secret => "My test secret")
+    ShopifyAPI::Session.setup(api_key: "My_test_key", secret: "My test secret")
     session = ShopifyAPI::Session.new('http://localhost.myshopify.com')
     scope = []
     permission_url = session.create_permission_url(scope)
-    assert_equal "https://localhost.myshopify.com/admin/oauth/authorize?client_id=My_test_key&scope=", permission_url
+    assert_equal(
+      "https://localhost.myshopify.com/admin/oauth/authorize?client_id=My_test_key&scope=",
+      permission_url
+    )
+  end
+
+  test "create_permission_url returns correct url with state" do
+    ShopifyAPI::Session.setup(api_key: "My_test_key", secret: "My test secret")
+    session = ShopifyAPI::Session.new('http://localhost.myshopify.com')
+    scope = []
+    permission_url = session.create_permission_url(scope, nil, state: "My nonce")
+    assert_equal(
+      "https://localhost.myshopify.com/admin/oauth/authorize?client_id=My_test_key&scope=&state=My%20nonce",
+      permission_url
+    )
   end
 
   test "raise exception if code invalid in request token" do