disco_app 0.8.5

data/app/controllers/disco_app/carrier_request_controller.rb

@@ -0,0 +1,23 @@
+module DiscoApp
+  module CarrierRequestController
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :verify_carrier_request
+    end
+
+    private
+
+      def verify_carrier_request
+        unless carrier_request_signature_is_valid?
+          head :unauthorized
+        end
+      end
+
+      def carrier_request_signature_is_valid?
+        return true if DiscoApp.configuration.skip_carrier_request_verification?
+        DiscoApp::CarrierRequestService.is_valid_hmac?(request.body.read.to_s, ShopifyApp.configuration.secret, request.headers['HTTP_X_SHOPIFY_HMAC_SHA256'])
+      end
+
+  end
+end

data/app/controllers/disco_app/charges_controller.rb

@@ -0,0 +1,30 @@
+module DiscoApp
+  class ChargesController < ApplicationController
+    include DiscoApp::AuthenticatedController
+
+    skip_before_action :verify_status, only: [:create, :activate]
+
+    # Display a "pre-charge" page, giving the opportunity to explain why a charge needs to be made.
+    def new
+    end
+
+    # Create a new charge for the currently logged in shop, then redirect to the charge's confirmation URL.
+    def create
+      if (shopify_charge = DiscoApp::ChargesService.create(@shop)).nil?
+        redirect_to action: :new and return
+      end
+      redirect_to shopify_charge.confirmation_url
+    end
+
+    # Attempt to activate a charge after a user has accepted or declined it. Redirect to the main application's root URL
+    # immediately afterwards - if the charge wasn't accepted, the flow will start again.
+    def activate
+      if (shopify_charge = DiscoApp::ChargesService.get_accepted_charge(@shop, params[:charge_id])).nil?
+        redirect_to action: :new and return
+      end
+      DiscoApp::ChargesService.activate(@shop, shopify_charge)
+      redirect_to main_app.root_url
+    end
+
+  end
+end

data/app/controllers/disco_app/frame_controller.rb

@@ -0,0 +1,9 @@
+class DiscoApp::FrameController < ActionController::Base
+
+  layout nil
+
+  def frame
+
+  end
+
+end

data/app/controllers/disco_app/install_controller.rb

@@ -0,0 +1,26 @@
+module DiscoApp
+  class InstallController < ApplicationController
+    include DiscoApp::AuthenticatedController
+
+    # Start the installation process for the current shop, then redirect to the installing screen.
+    def install
+      AppInstalledJob.perform_later(@shop.shopify_domain)
+      redirect_to action: :installing
+    end
+
+    # Display an "installing" page.
+    def installing
+      if @shop.installed?
+        redirect_to main_app.root_path
+      end
+    end
+
+    # Display an "uninstalling" page. Should be almost never used.
+    def uninstalling
+      if @shop.uninstalled?
+        redirect_to main_app.root_path
+      end
+    end
+
+  end
+end

data/app/controllers/disco_app/webhooks_controller.rb

@@ -0,0 +1,46 @@
+module DiscoApp
+  class WebhooksController < ActionController::Base
+
+    before_action :verify_webhook
+
+    def process_webhook
+      # Get the topic and domain for this webhook.
+      topic = request.headers['HTTP_X_SHOPIFY_TOPIC']
+      domain = request.headers['HTTP_X_SHOPIFY_SHOP_DOMAIN']
+
+      # Ensure a domain was provided in the headers.
+      unless domain
+        head :bad_request
+      end
+
+      # Try to find a matching background job task for the given topic using class name.
+      job_class = DiscoApp::WebhookService.find_job_class(topic)
+
+      # Return bad request if we couldn't match a job class.
+      unless job_class.present?
+        head :bad_request
+      end
+
+      # Decode the body data and enqueue the appropriate job.
+      data = ActiveSupport::JSON::decode(request.body.read).with_indifferent_access
+      job_class.perform_later(domain, data)
+
+      render nothing: true
+    end
+
+    private
+
+      def verify_webhook
+        unless webhook_is_valid?
+          head :unauthorized
+        end
+        request.body.rewind
+      end
+
+      def webhook_is_valid?
+        return true if DiscoApp.configuration.skip_webhook_verification?
+        DiscoApp::WebhookService.is_valid_hmac?(request.body.read.to_s, ShopifyApp.configuration.secret, request.headers['HTTP_X_SHOPIFY_HMAC_SHA256'])
+      end
+
+  end
+end

data/app/helpers/disco_app/application_helper.rb

@@ -0,0 +1,28 @@
+module DiscoApp::ApplicationHelper
+
+  # Generates a link pointing to an object (such as an order or customer) inside
+  # the given shop's Shopify admin. This helper makes it easy to  create links
+  # to objects within the admin that support both right-clicking and opening in
+  # a new tab as well as capturing a left click and redirecting to the relevant
+  # object using `ShopifyApp.redirect()`.
+  def link_to_shopify_admin(shop, name, admin_path, options = {})
+    options[:onclick] = "ShopifyApp.redirect('#{admin_path}'); return false;"
+    options[:'data-no-turbolink'] = true
+    link_to(name, "https://#{shop.shopify_domain}/admin/#{admin_path}", options)
+  end
+
+  # Generate a link that will open its href in an embedded Shopify modal.
+  def link_to_modal(name, path, options = {})
+    modal_options = {
+      src: path,
+      title: options.delete(:modal_title),
+      width: options.delete(:modal_width),
+      height: options.delete(:modal_height),
+      buttons: options.delete(:modal_buttons),
+    }
+    options[:onclick] = "ShopifyApp.Modal.open(#{modal_options.to_json}); return false;"
+    options[:onclick].gsub!(/"function(.*?)"/, 'function\1')
+    link_to(name, path, options)
+  end
+
+end

data/app/jobs/disco_app/app_installed_job.rb

@@ -0,0 +1,3 @@
+class DiscoApp::AppInstalledJob < DiscoApp::ShopJob
+  include DiscoApp::Concerns::AppInstalledJob
+end

data/app/jobs/disco_app/app_uninstalled_job.rb

@@ -0,0 +1,3 @@
+class DiscoApp::AppUninstalledJob < DiscoApp::ShopJob
+  include DiscoApp::Concerns::AppUninstalledJob
+end

data/app/jobs/disco_app/concerns/app_installed_job.rb

@@ -0,0 +1,22 @@
+module DiscoApp::Concerns::AppInstalledJob
+  extend ActiveSupport::Concern
+
+  included do
+    before_enqueue { @shop.awaiting_install! }
+    before_perform { @shop.installing! }
+    after_perform { @shop.installed! }
+  end
+
+  # Perform application installation.
+  #
+  # - Synchronise webhooks.
+  # - Synchronise carrier service, if required.
+  # - Perform initial update of shop information.
+  #
+  def perform(domain)
+    DiscoApp::SynchroniseWebhooksJob.perform_now(domain)
+    DiscoApp::SynchroniseCarrierServiceJob.perform_now(domain)
+    DiscoApp::ShopUpdateJob.perform_now(domain)
+  end
+
+end

data/app/jobs/disco_app/concerns/app_uninstalled_job.rb

@@ -0,0 +1,23 @@
+module DiscoApp::Concerns::AppUninstalledJob
+  extend ActiveSupport::Concern
+
+  included do
+    before_enqueue { @shop.awaiting_uninstall! }
+    before_perform { @shop.uninstalling! }
+    after_perform { @shop.uninstalled! }
+  end
+
+  # Perform application uninstallation.
+  #
+  # - Mark charge status as "cancelled" unless charges have been waived.
+  # - Remove any stored sessions for the shop.
+  #
+  def perform(domain, shop_data)
+    unless @shop.charge_waived?
+      @shop.charge_cancelled!
+    end
+
+    @shop.sessions.delete_all
+  end
+
+end

data/app/jobs/disco_app/concerns/shop_update_job.rb

@@ -0,0 +1,16 @@
+module DiscoApp::Concerns::ShopUpdateJob
+  extend ActiveSupport::Concern
+
+  # Perform an update of the current shop's information.
+  def perform(shopify_domain, shop_data = nil)
+    # If we weren't provided with shop data (eg from a webhook), fetch it.
+    shop_data ||= ActiveSupport::JSON::decode(ShopifyAPI::Shop.current.to_json)
+
+    # Ensure we can access shop data through symbols.
+    shop_data = HashWithIndifferentAccess.new(shop_data)
+
+    # Update model attributes present in both our model and the data hash.
+    @shop.update_attributes(shop_data.except(:id, :created_at).slice(*DiscoApp::Shop.column_names))
+  end
+
+end

data/app/jobs/disco_app/concerns/synchronise_carrier_service_job.rb

@@ -0,0 +1,52 @@
+module DiscoApp::Concerns::SynchroniseCarrierServiceJob
+  extend ActiveSupport::Concern
+
+  # Ensure that any carrier service required by our app is registered.
+  def perform(shopify_domain)
+    # Don't proceed unless we have a name and callback url.
+    return unless carrier_service_name and callback_url
+
+    # Registered the carrier service if it hasn't been registered yet.
+    unless current_carrier_service_names.include?(carrier_service_name)
+      ShopifyAPI::CarrierService.create(
+        name: carrier_service_name,
+        callback_url: callback_url,
+        service_discovery: true,
+        format: :json
+      )
+    end
+
+    # Ensure any existing carrier services (with the correct name) are active
+    # and have a current callback URL.
+    current_carrier_services.each do |carrier_service|
+      if carrier_service.name == carrier_service_name
+        carrier_service.callback_url = callback_url
+        carrier_service.active = true
+        carrier_service.save
+      end
+    end
+  end
+
+  protected
+
+    def carrier_service_name
+      DiscoApp.configuration.app_name
+    end
+
+    def callback_url
+      nil
+    end
+
+  private
+
+    # Return a list of currently registered carrier service names.
+    def current_carrier_service_names
+      current_carrier_services.map(&:name)
+    end
+
+    # Return a list of currently registered carrier services.
+    def current_carrier_services
+      @current_carrier_service ||= ShopifyAPI::CarrierService.find(:all)
+    end
+
+end

data/app/jobs/disco_app/concerns/synchronise_webhooks_job.rb

@@ -0,0 +1,61 @@
+module DiscoApp::Concerns::SynchroniseWebhooksJob
+  extend ActiveSupport::Concern
+
+  # Ensure the webhooks registered with our shop are the same as those listed
+  # in our application configuration.
+  def perform(shopify_domain)
+    # Get the full list of expected webhook topics.
+    expected_topics = [:'app/uninstalled', :'shop/update'] + topics
+
+    # Registered any webhooks that haven't been registered yet.
+    (expected_topics - current_topics).each do |topic|
+      ShopifyAPI::Webhook.create(
+        topic: topic,
+        address: webhooks_url,
+        format: 'json'
+      )
+    end
+
+    # Remove any extraneous topics.
+    current_webhooks.each do |webhook|
+      unless expected_topics.include?(webhook.topic.to_sym)
+        webhook.delete
+      end
+    end
+
+    # Ensure webhook addresses are current.
+    current_webhooks.each do |webhook|
+      unless webhook.address == webhooks_url
+        webhook.address = webhooks_url
+        webhook.save
+      end
+    end
+  end
+
+  protected
+
+    # Return a list of additional webhook topics to listen for. This method
+    # can be overridden in the application to provide a list of app-specific
+    # webhooks that should be created during synchronisation.
+    def topics
+      []
+    end
+
+  private
+
+    # Return a list of currently registered topics.
+    def current_topics
+      current_webhooks.map(&:topic).map(&:to_sym)
+    end
+
+    # Return a list of current registered webhooks.
+    def current_webhooks
+      @current_webhooks ||= ShopifyAPI::Webhook.find(:all)
+    end
+
+    # Return the absolute URL to the webhooks endpoint.
+    def webhooks_url
+      DiscoApp::Engine.routes.url_helpers.webhooks_url
+    end
+
+end

data/app/jobs/disco_app/shop_job.rb

@@ -0,0 +1,27 @@
+# The base class for all jobs that should be performed in the context of a
+# particular Shop's API session. The first argument to any job inheriting from
+# this class must be the domain of the relevant store, so that the appropriate
+# Shop model can be fetched and the temporary API session created.
+class DiscoApp::ShopJob < ActiveJob::Base
+
+  queue_as :default
+
+  before_perform { |job| find_shop(job) }
+  before_enqueue { |job| find_shop(job) }
+
+  around_enqueue { |job, block| shop_context(job, block) }
+  around_perform { |job, block| shop_context(job, block) }
+
+  private
+
+    def find_shop(job)
+      @shop ||= DiscoApp::Shop.find_by!(shopify_domain: job.arguments.first)
+    end
+
+    def shop_context(job, block)
+      @shop.temp {
+        block.call(job.arguments)
+      }
+    end
+
+end

data/app/jobs/disco_app/shop_update_job.rb

@@ -0,0 +1,3 @@
+class DiscoApp::ShopUpdateJob < DiscoApp::ShopJob
+  include DiscoApp::Concerns::ShopUpdateJob
+end

data/app/jobs/disco_app/synchronise_carrier_service_job.rb

@@ -0,0 +1,3 @@
+class DiscoApp::SynchroniseCarrierServiceJob < DiscoApp::ShopJob
+  include DiscoApp::Concerns::SynchroniseCarrierServiceJob
+end

data/app/jobs/disco_app/synchronise_webhooks_job.rb

@@ -0,0 +1,3 @@
+class DiscoApp::SynchroniseWebhooksJob < DiscoApp::ShopJob
+  include DiscoApp::Concerns::SynchroniseWebhooksJob
+end

data/app/models/disco_app/concerns/plan.rb

@@ -0,0 +1,14 @@
+module DiscoApp::Concerns::Plan
+  extend ActiveSupport::Concern
+
+  included do
+
+    has_many :subscriptions
+    has_many :shops, through: :subscriptions
+
+    enum status: [:available, :unavailable, :hidden]
+
+    scope :available, -> { where status: statuses[:available] }
+
+  end
+end

data/app/models/disco_app/concerns/shop.rb

@@ -0,0 +1,70 @@
+module DiscoApp::Concerns::Shop
+  extend ActiveSupport::Concern
+
+  included do
+    include ShopifyApp::Shop
+
+    # Define relationships to plans and subscriptions.
+    has_many :subscriptions
+    has_many :plans, through: :subscriptions
+
+    # Define relationship to sessions.
+    has_many :sessions, class_name: 'DiscoApp::Session', dependent: :destroy
+
+    # Define possible installation statuses as an enum.
+    enum status: [:never_installed, :awaiting_install, :installing, :installed, :awaiting_uninstall, :uninstalling, :uninstalled]
+
+    # Define possible charge statuses as an enum.
+    enum charge_status: [:charge_none, :charge_pending, :charge_accepted, :charge_declined, :charge_active, :charge_cancelled, :charge_waived]
+
+    # Define some useful scopes.
+    scope :status, -> (status) { where status: status }
+    scope :installed, -> { where status: statuses[:installed] }
+    scope :has_active_shopify_plan, -> { where.not(plan_name: [:cancelled, :frozen, :fraudulent]) }
+
+    # Alias 'with_shopify_session' as 'temp', as per our existing conventions.
+    alias_method :temp, :with_shopify_session
+
+    # Return a hash of attributes that should be used to create a new charge for this shop.
+    # This method can be overridden by the inheriting Shop class in order to provide charges
+    # customised to a particular shop. Otherwise, the default settings configured in application.rb
+    # will be used.
+    def new_charge_attributes
+      {
+          type: Rails.configuration.x.shopify_charges_default_type,
+          name: DiscoApp.configuration.app_name,
+          price: Rails.configuration.x.shopify_charges_default_price,
+          trial_days: Rails.configuration.x.shopify_charges_default_trial_days,
+      }
+    end
+
+    # Update this Shop's charge_status attribute based on the given Shopify charge object.
+    def update_charge_status(shopify_charge)
+      status_update_method_name = "charge_#{shopify_charge.status}!"
+      self.public_send(status_update_method_name) if self.respond_to? status_update_method_name
+    end
+
+    # Convenience method to get the currently active subscription for this Shop.
+    def current_subscription
+      subscriptions.active.first
+    end
+
+    # Return the absolute URL to the shop's storefront.
+    def url
+      "#{protocol}://#{domain}"
+    end
+
+    # Return the protocol the shop's storefront uses. This should now always be
+    # https as all Shopify stores have SSL enabled.
+    def protocol
+      'https'
+    end
+
+    # Return the absolute URL to the shop's admin.
+    def admin_url
+      "https://#{shopify_domain}/admin"
+    end
+
+  end
+
+end

data/app/models/disco_app/concerns/subscription.rb

@@ -0,0 +1,14 @@
+module DiscoApp::Concerns::Subscription
+  extend ActiveSupport::Concern
+
+  included do
+
+    belongs_to :shop
+    belongs_to :plan
+
+    enum status: [:active, :replaced, :cancelled]
+
+    scope :active, -> { where status: statuses[:active] }
+
+  end
+end

data/app/models/disco_app/concerns/synchronises_with_shopify.rb

@@ -0,0 +1,26 @@
+module DiscoApp::Concerns::SynchronisesWithShopify
+  extend ActiveSupport::Concern
+
+  class_methods do
+
+    def synchronise_from_shopify(shop, data)
+      data = data.with_indifferent_access
+
+      instance = self.find_or_create_by!(id: data[:id]) do |instance|
+        instance.shop = shop
+        instance.data = data
+      end
+
+      instance.update(data: data)
+
+      instance
+    end
+
+    def synchronise_deletion_from_shopify(shop, data)
+      data = data.with_indifferent_access
+      self.destroy_all(shop: shop, id: data[:id])
+    end
+
+  end
+
+end

data/app/models/disco_app/plan.rb

@@ -0,0 +1,3 @@
+class DiscoApp::Plan < ActiveRecord::Base
+  include DiscoApp::Concerns::Plan
+end

data/app/models/disco_app/session_storage.rb

@@ -0,0 +1,18 @@
+module DiscoApp
+  class SessionStorage
+    def self.store(session)
+      shop = Shop.find_or_initialize_by(shopify_domain: session.url)
+      shop.shopify_token = session.token
+      shop.save!
+      shop.id
+    end
+
+    def self.retrieve(id)
+      return unless id
+      shop = Shop.find(id)
+      ShopifyAPI::Session.new(shop.shopify_domain, shop.shopify_token)
+    rescue ActiveRecord::RecordNotFound
+      nil
+    end
+  end
+end

data/app/models/disco_app/shop.rb

@@ -0,0 +1,3 @@
+class DiscoApp::Shop < ActiveRecord::Base
+  include DiscoApp::Concerns::Shop
+end

data/app/models/disco_app/subscription.rb

@@ -0,0 +1,3 @@
+class DiscoApp::Subscription < ActiveRecord::Base
+  include DiscoApp::Concerns::Subscription
+end

data/app/services/disco_app/carrier_request_service.rb

@@ -0,0 +1,15 @@
+class DiscoApp::CarrierRequestService
+
+  # Return true iff the provided hmac_to_verify matches that calculated from the
+  # given data and secret.
+  def self.is_valid_hmac?(body, secret, hmac_to_verify)
+    ActiveSupport::SecurityUtils.secure_compare(self.calculated_hmac(body, secret), hmac_to_verify.to_s)
+  end
+
+  # Calculate the HMAC for the given data and secret.
+  def self.calculated_hmac(body, secret)
+    digest  = OpenSSL::Digest.new('sha256')
+    Base64.encode64(OpenSSL::HMAC.digest(digest, secret, body)).strip
+  end
+
+end

data/app/services/disco_app/charges_service.rb

@@ -0,0 +1,73 @@
+module DiscoApp
+  class ChargesService
+
+    # Create a new charge for the given Shop using the Shopify API.
+    #
+    # The attributes of the charge are fetched using the shop's `new_charge_attributes` method, which can be overriden
+    # to provide custom charge types for individual shops.
+    #
+    # Returns the new Shopify charge model on success, nil otherwise.
+    def self.create(shop)
+      shopify_charge = shop.temp {
+        self.charge_api_class(shop).create(self.new_charge_attributes(shop))
+      }
+
+      # If the charge was successfully created, update the charge status on the shop.
+      shop.update_charge_status(shopify_charge) if shopify_charge
+
+      # Return the charge.
+      shopify_charge
+    end
+
+    # Fetch the specified charge for the given Shop using the Shopify API and check that it has been actioned (either
+    # accepted or declined). Updates the shop object's charge status, then returns the charge if it was accepted or
+    # nil otherwise.
+    def self.get_accepted_charge(shop, charge_id)
+      begin
+        shopify_charge = shop.temp {
+          self.charge_api_class(shop).find(charge_id)
+        }
+
+        # If the charge was successfully fetched, update the status for the shop accordingly.
+        shop.update_charge_status(shopify_charge) if shopify_charge
+
+        shopify_charge
+      rescue
+        nil
+      end
+    end
+
+    # Attempt to activate the given Shopify charge for the given Shop using the Shopify API.
+    # Returns true on successful activation, false otherwise.
+    def self.activate(shop, shopify_charge)
+      begin
+        shop.temp {
+          shopify_charge.activate
+        }
+        shop.charge_active!
+        true
+      rescue
+        false
+      end
+    end
+
+    # Merge the new_charge_attributes returned by the given shop model and merge them with some application-level
+    # charge attributes.
+    def self.new_charge_attributes(shop)
+      shop.new_charge_attributes.merge(
+        return_url: DiscoApp::Engine.routes.url_helpers.activate_charge_url,
+        test: !Rails.configuration.x.shopify_charges_real,
+      )
+    end
+
+    # Get the appropriate Shopify API class for the given shop (either ApplicationCharge or RecurringApplicationCharge).
+    def self.charge_api_class(shop)
+      if shop.new_charge_attributes[:type] == :one_time
+        ShopifyAPI::ApplicationCharge
+      else
+        ShopifyAPI::RecurringApplicationCharge
+      end
+    end
+
+  end
+end

data/app/services/disco_app/proxy_service.rb

@@ -0,0 +1,17 @@
+class DiscoApp::ProxyService
+
+  # Return true iff the signature provided in the given query string matches
+  # that calculated from the remaining query parameters and the given secret.
+  def self.proxy_signature_is_valid?(query_string, secret)
+    query_hash = Rack::Utils.parse_query(query_string)
+    signature = query_hash.delete('signature').to_s
+    ActiveSupport::SecurityUtils.variable_size_secure_compare(self.calculated_signature(query_hash, secret), signature)
+  end
+
+  # Return the calculated signature for the given query hash and secret.
+  def self.calculated_signature(query_hash, secret)
+    sorted_params = query_hash.collect{ |k, v| "#{k}=#{Array(v).join(',')}" }.sort.join
+    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), secret, sorted_params)
+  end
+
+end