disco_app 0.8.3 → 0.8.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fd66d842458698a15b8be312434d4b07f3df1b8671eb5a21c56fb505a2c0aa45
-  data.tar.gz: 4fe046f44e70debb6d73636e9e84ff8bcaa76398764117f099220ba3750e5134
+  metadata.gz: '0874200090d68b8be05ff9d0a17c96a91896d0065b810041a459da29d8a2a9a8'
+  data.tar.gz: 75ab0d47c9b75349bf6ac5d4aeba7d531a904ea1331de3df34d5145af922c931
 SHA512:
-  metadata.gz: ae57c0e9ce4c3c3d709bda36580a6510cf6466d1de31e961167665ebe71e3e58a12bf96d1880da7f3288dfb884bca4aeee936e42acffbb7917e3799a7db42da7
-  data.tar.gz: 5ce8ff4597bcd3c9c848d076b5ebbb11db1a47a8fdea11006d6e8fc825a87df675d935582352281b673691f3f2d88f27e3e8fe07c83b7eee9237923a04d557f7
+  metadata.gz: 43e23ef9eab56ee15dcc179cd86d6b0afafd5b8d059c4c82a98efaa64e6a3d19ffd9584652946ccbd24c3d16372bc14f1903217035c00437e91336a14240f3c8
+  data.tar.gz: b0dcf3ee172de718935d8a8ee530fffc6eaba51fc1b14dc344f4092d22209d614a52e13f6b4c0fc1140ae639b87f6acdf8427698e27b4a07523ad4752dd3c037

data/app/controllers/disco_app/app_proxy_controller.rb

@@ -4,6 +4,7 @@ module DiscoApp
 
     included do
       before_action :verify_proxy_signature
+      before_action :shopify_shop
       after_action :add_liquid_header
 
       rescue_from ActiveRecord::RecordNotFound do |exception|
@@ -20,12 +21,12 @@ module DiscoApp
       end
 
       def proxy_signature_is_valid?
-        return true unless Rails.env.production?
-        query_hash = Rack::Utils.parse_query(request.query_string)
-        signature = query_hash.delete("signature")
-        sorted_params = query_hash.collect{ |k, v| "#{k}=#{Array(v).join(',')}" }.sort.join
-        calculated_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), ShopifyApp.configuration.secret, sorted_params)
-        signature == calculated_signature
+        return true if DiscoApp.configuration.skip_proxy_verification?
+        DiscoApp::ProxyService.proxy_signature_is_valid?(request.query_string, ShopifyApp.configuration.secret)
+      end
+
+      def shopify_shop
+        @shop = Shop.find_by_shopify_domain!(params[:shop])
       end
 
       def add_liquid_header

data/app/controllers/disco_app/carrier_request_controller.rb

@@ -3,25 +3,20 @@ module DiscoApp
     extend ActiveSupport::Concern
 
     included do
-      before_action :verify_carrier_request_signature
+      before_action :verify_carrier_request
     end
 
     private
 
-      def verify_carrier_request_signature
+      def verify_carrier_request
         unless carrier_request_signature_is_valid?
           head :unauthorized
         end
       end
 
       def carrier_request_signature_is_valid?
-        return true unless Rails.env.production?
-        data = request.body.read.to_s
-        hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
-        digest  = OpenSSL::Digest.new('sha256')
-        calculated_hmac = Base64.encode64(OpenSSL::HMAC.digest(digest, ShopifyApp.configuration.secret, data)).strip
-        request.body.rewind
-        calculated_hmac == hmac_header
+        return true if DiscoApp.configuration.skip_carrier_request_verification?
+        DiscoApp::CarrierRequestService.is_valid_hmac?(request.body.read.to_s, ShopifyApp.configuration.secret, request.headers['HTTP_X_SHOPIFY_HMAC_SHA256'])
       end
 
   end

data/app/controllers/disco_app/webhooks_controller.rb

@@ -30,13 +30,17 @@ module DiscoApp
 
     private
 
-      # Verify a webhook request.
       def verify_webhook
-        unless DiscoApp::WebhookService.is_valid_hmac?(request.body.read.to_s, ShopifyApp.configuration.secret, request.headers['HTTP_X_SHOPIFY_HMAC_SHA256'])
+        unless webhook_is_valid?
           head :unauthorized
         end
         request.body.rewind
       end
 
+      def webhook_is_valid?
+        return true if DiscoApp.configuration.skip_webhook_verification?
+        DiscoApp::WebhookService.is_valid_hmac?(request.body.read.to_s, ShopifyApp.configuration.secret, request.headers['HTTP_X_SHOPIFY_HMAC_SHA256'])
+      end
+
   end
 end

data/app/jobs/disco_app/concerns/synchronise_carrier_service_job.rb

@@ -30,7 +30,7 @@ module DiscoApp::Concerns::SynchroniseCarrierServiceJob
   protected
 
     def carrier_service_name
-      Rails.application.config.x.shopify_app_name
+      DiscoApp.configuration.app_name
     end
 
     def callback_url

data/app/models/disco_app/concerns/shop.rb

@@ -32,7 +32,7 @@ module DiscoApp::Concerns::Shop
     def new_charge_attributes
       {
           type: Rails.configuration.x.shopify_charges_default_type,
-          name: Rails.configuration.x.shopify_app_name,
+          name: DiscoApp.configuration.app_name,
           price: Rails.configuration.x.shopify_charges_default_price,
           trial_days: Rails.configuration.x.shopify_charges_default_trial_days,
       }

data/app/models/disco_app/concerns/synchronises_with_shopify.rb

@@ -0,0 +1,26 @@
+module DiscoApp::Concerns::SynchronisesWithShopify
+  extend ActiveSupport::Concern
+
+  class_methods do
+
+    def synchronise_from_shopify(shop, data)
+      data = data.with_indifferent_access
+
+      instance = self.find_or_create_by!(id: data[:id]) do |instance|
+        instance.shop = shop
+        instance.data = data
+      end
+
+      instance.update(data: data)
+
+      instance
+    end
+
+    def synchronise_deletion_from_shopify(shop, data)
+      data = data.with_indifferent_access
+      self.destroy_all(shop: shop, id: data[:id])
+    end
+
+  end
+
+end

data/app/services/disco_app/carrier_request_service.rb

@@ -0,0 +1,15 @@
+class DiscoApp::CarrierRequestService
+
+  # Return true iff the provided hmac_to_verify matches that calculated from the
+  # given data and secret.
+  def self.is_valid_hmac?(body, secret, hmac_to_verify)
+    ActiveSupport::SecurityUtils.secure_compare(self.calculated_hmac(body, secret), hmac_to_verify.to_s)
+  end
+
+  # Calculate the HMAC for the given data and secret.
+  def self.calculated_hmac(body, secret)
+    digest  = OpenSSL::Digest.new('sha256')
+    Base64.encode64(OpenSSL::HMAC.digest(digest, secret, body)).strip
+  end
+
+end

data/app/services/disco_app/proxy_service.rb

@@ -0,0 +1,17 @@
+class DiscoApp::ProxyService
+
+  # Return true iff the signature provided in the given query string matches
+  # that calculated from the remaining query parameters and the given secret.
+  def self.proxy_signature_is_valid?(query_string, secret)
+    query_hash = Rack::Utils.parse_query(query_string)
+    signature = query_hash.delete('signature').to_s
+    ActiveSupport::SecurityUtils.variable_size_secure_compare(self.calculated_signature(query_hash, secret), signature)
+  end
+
+  # Return the calculated signature for the given query hash and secret.
+  def self.calculated_signature(query_hash, secret)
+    sorted_params = query_hash.collect{ |k, v| "#{k}=#{Array(v).join(',')}" }.sort.join
+    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), secret, sorted_params)
+  end
+
+end

data/app/services/disco_app/webhook_service.rb

@@ -1,9 +1,9 @@
 class DiscoApp::WebhookService
 
   # Return true iff the provided hmac_to_verify matches that calculated from the
-  # give data and secret.
+  # given data and secret.
   def self.is_valid_hmac?(body, secret, hmac_to_verify)
-    self.calculated_hmac(body, secret) == hmac_to_verify
+    ActiveSupport::SecurityUtils.secure_compare(self.calculated_hmac(body, secret), hmac_to_verify.to_s)
   end
 
   # Calculate the HMAC for the given data and secret.

data/app/views/disco_app/charges/new.html.erb

@@ -27,7 +27,7 @@
   <% else %>
     <div class="alert alert-success">
       <p>
-        Thanks for installing <%= Rails.configuration.x.shopify_app_name %>!
+        Thanks for installing <%= DiscoApp.configuration.app_name %>!
       </p>
       <p>
         Before we start setting things up, we need you to authorize a charge for the application.

data/lib/disco_app/configuration.rb

@@ -0,0 +1,33 @@
+module DiscoApp
+
+  class Configuration
+
+    # Required configuration.
+    attr_accessor :app_name
+
+    # Set the below if using an application proxy.
+    attr_accessor :app_proxy_prefix
+
+    # Optional configuration, usually useful for development environments.
+    attr_accessor :skip_proxy_verification
+    alias_method  :skip_proxy_verification?, :skip_proxy_verification
+    attr_accessor :skip_webhook_verification
+    alias_method  :skip_webhook_verification?, :skip_webhook_verification
+    attr_accessor :skip_carrier_request_verification
+    alias_method  :skip_carrier_request_verification?, :skip_carrier_request_verification
+
+  end
+
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
+  def self.configuration=(config)
+    @configuration = config
+  end
+
+  def self.configure
+    yield configuration
+  end
+
+end

data/lib/disco_app/version.rb

@@ -1,3 +1,3 @@
 module DiscoApp
-  VERSION = '0.8.3'
+  VERSION = '0.8.4'
 end

data/lib/disco_app.rb

@@ -1,4 +1,6 @@
-require "disco_app/engine"
+require 'disco_app/version'
+require 'disco_app/configuration'
+require 'disco_app/engine'
 
 module DiscoApp
 end

data/lib/generators/disco_app/disco_app_generator.rb

@@ -33,6 +33,7 @@ class DiscoAppGenerator < Rails::Generators::Base
     gem 'bootstrap-sass', '~> 3.3.5.1'
     gem 'activerecord-session_store', '~> 0.1.2'
     gem 'activeresource', github: 'shopify/activeresource', tag: '4.2-threadsafe'
+    gem 'rails-bigint-pk', '~> 1.2.0'
 
     # Add gems for development and testing only.
     gem_group :development, :test do
@@ -92,15 +93,6 @@ class DiscoAppGenerator < Rails::Generators::Base
     application "routes.default_url_options[:host] = ENV['DEFAULT_HOST']\n"
     application "# Set the default host for absolute URL routing purposes"
 
-    # Add loading of the default application proxy prefix to set up support for
-    # reverse routings absolute proxy URLS.
-    application "config.x.shopify_app_proxy_prefix = ENV['SHOPIFY_APP_PROXY_PREFIX']\n"
-    application "# Set the application proxy path for absolute URL routing purposes"
-
-    # Add the Shopify application name to the configuration.
-    application "config.x.shopify_app_name = ENV['SHOPIFY_APP_NAME']\n"
-    application "# Set the name of the application"
-
     # Copy over the default puma configuration.
     copy_file 'config/puma.rb', 'config/puma.rb'
   end
@@ -110,10 +102,11 @@ class DiscoAppGenerator < Rails::Generators::Base
     route "mount DiscoApp::Engine, at: '/'"
   end
 
-  # Run shopify_app:install and shopify_app:home_controller
-  def shopify_app_install
+  # Run generators.
+  def run_generators
     generate 'shopify_app:install'
     generate 'shopify_app:home_controller'
+    generate 'bigint_pk:install'
   end
 
   # Copy template files to the appropriate location. In some cases, we'll be

data/lib/generators/disco_app/monitorify/monitorify_generator.rb

@@ -7,9 +7,9 @@ module DiscoApp
       # Install the Rollbar, OJ and New Relic gems.
       def install_gems
         # Add gem to Gemfile
-        gem 'rollbar', '~> 2.7.1'
-        gem 'oj', '~> 2.14.3'
-        gem 'newrelic_rpm', '~> 3.14.1.311'
+        gem 'rollbar', '~> 2.8.0'
+        gem 'oj', '~> 2.14.5'
+        gem 'newrelic_rpm', '~> 3.14.1.314'
 
         # Install gem.
         Bundler.with_clean_env do

data/lib/generators/disco_app/templates/initializers/disco_app.rb

@@ -1 +1,14 @@
-DiscoApp::Engine.routes.default_url_options[:host] = ENV['DEFAULT_HOST']
+DiscoApp::Engine.routes.default_url_options[:host] = ENV['DEFAULT_HOST']
+
+DiscoApp.configure do |config|
+  # Required configuration.
+  config.app_name = ENV['SHOPIFY_APP_NAME']
+
+  # Set the below if using an application proxy.
+  config.app_proxy_prefix = ENV['SHOPIFY_APP_PROXY_PREFIX']
+
+  # Optional configuration, usually useful for development environments.
+  config.skip_proxy_verification = ENV['SKIP_PROXY_VERIFICATION']
+  config.skip_webhook_verification = ENV['SKIP_WEBHOOK_VERIFICATION']
+  config.skip_carrier_request_verification = ENV['SKIP_CARRIER_REQUEST_VERIFICATION']
+end

data/test/controllers/proxy_controller_test.rb

@@ -0,0 +1,42 @@
+require 'test_helper'
+
+class ProxyControllerTest < ActionController::TestCase
+
+  def setup
+    @shop = disco_app_shops(:widget_store)
+    @secret = ShopifyApp.configuration.secret
+  end
+
+  def teardown
+    @shop = nil
+    @secret = nil
+  end
+
+  test 'app proxy request without authentication information returns unauthorized' do
+    get(:index)
+    assert_response :unauthorized
+  end
+
+  test 'app proxy request with incorrect authentication information returns unauthorized' do
+    get(:index, proxy_params(shop: @shop.shopify_domain).merge(signature: 'invalid_signature'))
+    assert_response :unauthorized
+  end
+
+  test 'app proxy request with correct authentication information returns ok and has shop context' do
+    get(:index, proxy_params(shop: @shop.shopify_domain))
+    assert_response :ok
+    assert_equal @shop, assigns(:shop)
+  end
+
+  test 'app proxy request with correct authentication information but unknown shop returns 404' do
+    get(:index, proxy_params(shop: 'unknown.myshopify.com'))
+    assert_response :not_found
+  end
+
+  private
+
+    def proxy_params(**params)
+      params.merge(signature: DiscoApp::ProxyService.calculated_signature(params, @secret))
+    end
+
+end

data/test/dummy/app/controllers/proxy_controller.rb

@@ -0,0 +1,8 @@
+class ProxyController < ActionController::Base
+  include DiscoApp::AppProxyController
+
+  def index
+    render text: 'ok'
+  end
+
+end

data/test/dummy/config/application.rb

@@ -21,9 +21,6 @@ module Dummy
     # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
     # config.i18n.default_locale = :de
 
-    # Set the name of the application
-    config.x.shopify_app_name = ENV['SHOPIFY_APP_NAME']
-
     # Set the default host for absolute URL routing purposes
     routes.default_url_options[:host] = ENV['DEFAULT_HOST']
 

data/test/dummy/config/initializers/disco_app.rb

@@ -1 +1,14 @@
-DiscoApp::Engine.routes.default_url_options[:host] = ENV['DEFAULT_HOST']
+DiscoApp::Engine.routes.default_url_options[:host] = ENV['DEFAULT_HOST']
+
+DiscoApp.configure do |config|
+  # Required configuration.
+  config.app_name = ENV['SHOPIFY_APP_NAME']
+
+  # Set the below if using an application proxy.
+  config.app_proxy_prefix = ENV['SHOPIFY_APP_PROXY_PREFIX']
+
+  # Optional configuration, usually useful for development environments.
+  config.skip_proxy_verification = ENV['SKIP_PROXY_VERIFICATION']
+  config.skip_webhook_verification = ENV['SKIP_WEBHOOK_VERIFICATION']
+  config.skip_carrier_request_verification = ENV['SKIP_CARRIER_REQUEST_VERIFICATION']
+end

data/test/dummy/config/routes.rb

@@ -2,6 +2,8 @@ Rails.application.routes.draw do
 
   root to: 'home#index'
 
+  get '/proxy', to: 'proxy#index'
+
   mount ShopifyApp::Engine, at: '/'
   mount DiscoApp::Engine, at: '/'
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: disco_app
 version: !ruby/object:Gem::Version
-  version: 0.8.3
+  version: 0.8.4
 platform: ruby
 authors:
 - Gavin Ballard
@@ -301,11 +301,14 @@ files:
 - app/models/disco_app/concerns/plan.rb
 - app/models/disco_app/concerns/shop.rb
 - app/models/disco_app/concerns/subscription.rb
+- app/models/disco_app/concerns/synchronises_with_shopify.rb
 - app/models/disco_app/plan.rb
 - app/models/disco_app/session_storage.rb
 - app/models/disco_app/shop.rb
 - app/models/disco_app/subscription.rb
+- app/services/disco_app/carrier_request_service.rb
 - app/services/disco_app/charges_service.rb
+- app/services/disco_app/proxy_service.rb
 - app/services/disco_app/subscription_service.rb
 - app/services/disco_app/webhook_service.rb
 - app/views/disco_app/charges/activate.html.erb
@@ -333,6 +336,7 @@ files:
 - db/migrate/20160112233706_create_disco_app_sessions.rb
 - db/migrate/20160113194418_add_shop_id_to_disco_app_sessions.rb
 - lib/disco_app.rb
+- lib/disco_app/configuration.rb
 - lib/disco_app/engine.rb
 - lib/disco_app/session.rb
 - lib/disco_app/support/file_fixtures.rb
@@ -362,12 +366,14 @@ files:
 - test/controllers/disco_app/install_controller_test.rb
 - test/controllers/disco_app/webhooks_controller_test.rb
 - test/controllers/home_controller_test.rb
+- test/controllers/proxy_controller_test.rb
 - test/disco_app_test.rb
 - test/dummy/Rakefile
 - test/dummy/app/assets/javascripts/application.js
 - test/dummy/app/assets/stylesheets/application.scss
 - test/dummy/app/controllers/application_controller.rb
 - test/dummy/app/controllers/home_controller.rb
+- test/dummy/app/controllers/proxy_controller.rb
 - test/dummy/app/helpers/application_helper.rb
 - test/dummy/app/jobs/disco_app/app_uninstalled_job.rb
 - test/dummy/app/models/disco_app/shop.rb
@@ -459,6 +465,7 @@ test_files:
 - test/dummy/app/assets/javascripts/application.js
 - test/dummy/app/jobs/disco_app/app_uninstalled_job.rb
 - test/dummy/app/controllers/home_controller.rb
+- test/dummy/app/controllers/proxy_controller.rb
 - test/dummy/app/controllers/application_controller.rb
 - test/dummy/app/helpers/application_helper.rb
 - test/dummy/app/models/disco_app/shop.rb
@@ -499,6 +506,7 @@ test_files:
 - test/jobs/disco_app/app_installed_job_test.rb
 - test/controllers/disco_app/install_controller_test.rb
 - test/controllers/disco_app/webhooks_controller_test.rb
+- test/controllers/proxy_controller_test.rb
 - test/controllers/home_controller_test.rb
 - test/integration/navigation_test.rb
 - test/models/disco_app/plan_test.rb