duodealer_app 1.0.0

data/lib/duodealer_app/controller_concerns/app_proxy_verification.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module DuodealerApp
+  module AppProxyVerification
+    extend ActiveSupport::Concern
+
+    included do
+      skip_before_action :verify_authenticity_token, raise: false
+      before_action :verify_proxy_request
+    end
+
+    def verify_proxy_request
+      return head :forbidden unless query_string_valid?(request.query_string)
+    end
+
+    private
+      def query_string_valid?(query_string)
+        query_hash = Rack::Utils.parse_query(query_string)
+
+        signature = query_hash.delete("signature")
+        return false if signature.nil?
+
+        ActiveSupport::SecurityUtils.secure_compare(
+          calculated_signature(query_hash),
+          signature
+        )
+      end
+
+      def calculated_signature(query_hash_without_signature)
+        sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(',')}" }.sort.join
+
+        OpenSSL::HMAC.hexdigest(
+          OpenSSL::Digest.new("sha256"),
+          DuodealerApp.configuration.secret,
+          sorted_params
+        )
+      end
+  end
+end

data/lib/duodealer_app/controller_concerns/embedded_app.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module DuodealerApp
+  module EmbeddedApp
+    extend ActiveSupport::Concern
+
+    included do
+      if DuodealerApp.configuration.embedded_app?
+        after_action :set_esdk_headers
+        layout "embedded_app"
+      end
+    end
+
+    private
+      def set_esdk_headers
+        response.set_header("P3P", 'CP="Not used"')
+        response.headers.except!("X-Frame-Options")
+      end
+  end
+end

data/lib/duodealer_app/controller_concerns/itp.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module DuodealerApp
+  # Cookie management helpers required for ITP implementation
+  module Itp
+    private
+      def set_test_cookie
+        return unless DuodealerApp.configuration.embedded_app?
+        return unless user_agent_can_partition_cookies
+
+        session["duodealer.cookies_persist"] = true
+      end
+
+      def set_top_level_oauth_cookie
+        session["duodealer.top_level_oauth"] = true
+      end
+
+      def clear_top_level_oauth_cookie
+        session.delete("duodealer.top_level_oauth")
+      end
+
+      def user_agent_is_mobile
+        user_agent = BrowserSniffer.new(request.user_agent).browser_info
+
+        user_agent[:name].to_s.match(/Duo\sDealer\sMobile/)
+      end
+
+      def user_agent_is_pos
+        user_agent = BrowserSniffer.new(request.user_agent).browser_info
+
+        user_agent[:name].to_s.match(/Duo\sDealer\sPOS/)
+      end
+
+      def user_agent_can_partition_cookies
+        user_agent = BrowserSniffer.new(request.user_agent).browser_info
+
+        is_safari = user_agent[:name].to_s.match(/Safari/)
+
+        return false unless is_safari
+
+        user_agent[:version].to_s.match(/12\.0/)
+      end
+  end
+end

data/lib/duodealer_app/controller_concerns/localization.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module DuodealerApp
+  module Localization
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :set_locale
+    end
+
+    private
+      def set_locale
+        if params[:locale]
+          session[:locale] = params[:locale]
+        else
+          session[:locale] ||= I18n.default_locale
+        end
+        I18n.locale = session[:locale]
+      rescue I18n::InvalidLocale
+        I18n.locale = I18n.default_locale
+      end
+  end
+end

data/lib/duodealer_app/controller_concerns/login_protection.rb

@@ -0,0 +1,180 @@
+# frozen_string_literal: true
+
+require "browser_sniffer"
+
+module DuodealerApp
+  module LoginProtection
+    extend ActiveSupport::Concern
+    include DuodealerApp::Itp
+
+    class DuodealerDomainNotFound < StandardError; end
+
+    included do
+      after_action :set_test_cookie
+      rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
+    end
+
+    def duodealer_session
+      return redirect_to_login unless shop_session
+      clear_top_level_oauth_cookie
+
+      begin
+        DuodealerAPI::Base.activate_session(shop_session)
+        yield
+      ensure
+        DuodealerAPI::Base.clear_session
+      end
+    end
+
+    def shop_session
+      if DuodealerApp.configuration.per_user_tokens?
+        return unless session[:duodealer_user]
+        @shop_session ||= DuodealerApp::SessionRepository.retrieve(session[:duodealer_user]["id"])
+      else
+        return unless session[:duodealer]
+        @shop_session ||= DuodealerApp::SessionRepository.retrieve(session[:duodealer])
+      end
+    end
+
+    def login_again_if_different_user_or_shop
+      if DuodealerApp.configuration.per_user_tokens?
+        valid_session_data = session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
+        sessions_do_not_match = session[:user_session] != params[:session] # current user is different from stored user
+
+        if valid_session_data && sessions_do_not_match
+          clear_session = true
+        end
+      end
+
+      if shop_session && params[:shop] && params[:shop].is_a?(String) && (shop_session.domain != params[:shop])
+        clear_session = true
+      end
+
+      if clear_session
+        clear_shop_session
+        redirect_to_login
+      end
+    end
+
+    protected
+      def redirect_to_login
+        if request.xhr?
+          head :unauthorized
+        else
+          if request.get?
+            path = request.path
+            query = sanitized_params.to_query
+          else
+            referer = URI(request.referer || "/")
+            path = referer.path
+            query = "#{referer.query}&#{sanitized_params.to_query}"
+          end
+          session[:return_to] = "#{path}?#{query}"
+          redirect_to(login_url_with_optional_shop)
+        end
+      end
+
+      def close_session
+        clear_shop_session
+        redirect_to(login_url_with_optional_shop)
+      end
+
+      def clear_shop_session
+        session[:duodealer] = nil
+        session[:duodealer_domain] = nil
+        session[:duodealer_user] = nil
+        session[:user_session] = nil
+      end
+
+      def login_url_with_optional_shop(top_level: false)
+        url = DuodealerApp.configuration.login_url
+
+        query_params = login_url_params(top_level: top_level)
+
+        url = "#{url}?#{query_params.to_query}" if query_params.present?
+        url
+      end
+
+      def login_url_params(top_level:)
+        query_params = {}
+        query_params[:shop] = sanitized_params[:shop] if params[:shop].present?
+
+        return_to = session[:return_to] || params[:return_to]
+
+        if return_to.present? && return_to_param_required?
+          query_params[:return_to] = return_to
+        end
+
+        has_referer_shop_name = referer_sanitized_shop_name.present?
+
+        if has_referer_shop_name
+          query_params[:shop] ||= referer_sanitized_shop_name
+        end
+
+        query_params[:top_level] = true if top_level
+        query_params
+      end
+
+      def return_to_param_required?
+        native_params = %i[shop hmac timestamp locale protocol return_to]
+        request.path != "/" || sanitized_params.except(*native_params).any?
+      end
+
+      def fullpage_redirect_to(url)
+        if DuodealerApp.configuration.embedded_app?
+          render "duodealer_app/shared/redirect", layout: false, locals: { url: url, current_duodealer_domain: current_duodealer_domain }
+        else
+          redirect_to url
+        end
+      end
+
+      def current_duodealer_domain
+        duodealer_domain = sanitized_shop_name || session[:duodealer_domain]
+        return duodealer_domain if duodealer_domain.present?
+
+        raise DuodealerDomainNotFound
+      end
+
+      def sanitized_shop_name
+        @sanitized_shop_name ||= sanitize_shop_param(params)
+      end
+
+      def referer_sanitized_shop_name
+        return if request.referer.blank?
+
+        @referer_sanitized_shop_name ||= begin
+          referer_uri = URI(request.referer)
+          query_params = Rack::Utils.parse_query(referer_uri.query)
+
+          sanitize_shop_param(query_params.with_indifferent_access)
+        end
+      end
+
+      def sanitize_shop_param(params)
+        return if params[:shop].blank?
+        DuodealerApp::Utils.sanitize_shop_domain(params[:shop])
+      end
+
+      def sanitized_params
+        request.query_parameters.clone.tap do |query_params|
+          if params[:shop].is_a?(String)
+            query_params[:shop] = sanitize_shop_param(params)
+          end
+        end
+      end
+
+      def return_address
+        session.delete(:return_to) || DuodealerApp.configuration.root_url
+      end
+
+      def return_address_with_params(params)
+        uri = URI(return_address)
+        uri.query = CGI.parse(uri.query.to_s)
+          .symbolize_keys
+          .transform_values { |v| v.one? ? v.first : v }
+          .merge(params)
+          .to_query
+        uri.to_s
+      end
+  end
+end

data/lib/duodealer_app/controller_concerns/webhook_verification.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module DuodealerApp
+  module WebhookVerification
+    extend ActiveSupport::Concern
+
+    included do
+      skip_before_action :verify_authenticity_token, raise: false
+      before_action :verify_request
+    end
+
+    private
+      def verify_request
+        data = request.raw_post
+        return head :unauthorized unless hmac_valid?(data)
+      end
+
+      def hmac_valid?(data)
+        secrets = [DuodealerApp.configuration.secret, DuodealerApp.configuration.old_secret].reject(&:blank?)
+
+        secrets.any? do |secret|
+          digest = OpenSSL::Digest.new("sha256")
+
+          ActiveSupport::SecurityUtils.secure_compare(
+            duodealer_hmac,
+            Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, data))
+          )
+        end
+      end
+
+      def shop_domain
+        request.headers["HTTP_X_DUODEALER_SHOP_DOMAIN"]
+      end
+
+      def duodealer_hmac
+        request.headers["HTTP_X_DUODEALER_HMAC_SHA256"]
+      end
+  end
+end

data/lib/duodealer_app/engine.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module DuodealerApp
+  class Engine < Rails::Engine
+    engine_name "duodealer_app"
+    isolate_namespace DuodealerApp
+
+    initializer "duodealer_app.assets.precompile" do |app|
+      app.config.assets.precompile += %w[
+        duodealer_app/redirect.js
+        duodealer_app/top_level.js
+        duodealer_app/enable_cookies.js
+        duodealer_app/request_storage_access.js
+        storage_access.svg
+      ]
+    end
+
+    initializer "duodealer_app.middleware" do |app|
+      app.config.middleware.insert_after(::Rack::Runtime, DuodealerApp::SameSiteCookieMiddleware)
+    end
+  end
+end

data/lib/duodealer_app/jobs/scripttags_manager_job.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module DuodealerApp
+  class ScripttagsManagerJob < ActiveJob::Base
+    queue_as do
+      DuodealerApp.configuration.scripttags_manager_queue_name
+    end
+
+    def perform(shop_domain:, shop_token:, scripttags:)
+      api_version = DuodealerApp.configuration.api_version
+      DuodealerAPI::Session.temp(domain: shop_domain, token: shop_token, api_version: api_version) do
+        manager = ScripttagsManager.new(scripttags, shop_domain)
+        manager.create_scripttags
+      end
+    end
+  end
+end

data/lib/duodealer_app/jobs/webhooks_manager_job.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module DuodealerApp
+  class WebhooksManagerJob < ActiveJob::Base
+    queue_as do
+      DuodealerApp.configuration.webhooks_manager_queue_name
+    end
+
+    def perform(shop_domain:, shop_token:, webhooks:)
+      api_version = DuodealerApp.configuration.api_version
+      DuodealerAPI::Session.temp(domain: shop_domain, token: shop_token, api_version: api_version) do
+        manager = WebhooksManager.new(webhooks)
+        manager.create_webhooks
+      end
+    end
+  end
+end

data/lib/duodealer_app/managers/scripttags_manager.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+module DuodealerApp
+  class ScripttagsManager
+    class CreationFailed < StandardError; end
+
+    def self.queue(shop_domain, shop_token, scripttags)
+      DuodealerApp::ScripttagsManagerJob.perform_later(
+        shop_domain: shop_domain,
+        shop_token: shop_token,
+        # Procs cannot be serialized so we interpolate now, if necessary
+        scripttags: build_src(scripttags, shop_domain)
+      )
+    end
+
+    def self.build_src(scripttags, domain)
+      scripttags.map do |tag|
+        next tag unless tag[:src].respond_to?(:call)
+        tag = tag.dup
+        tag[:src] = tag[:src].call(domain)
+        tag
+      end
+    end
+
+    attr_reader :required_scripttags, :shop_domain
+
+    def initialize(scripttags, shop_domain)
+      @required_scripttags = scripttags
+      @shop_domain = shop_domain
+    end
+
+    def recreate_scripttags!
+      destroy_scripttags
+      create_scripttags
+    end
+
+    def create_scripttags
+      return if required_scripttags.blank?
+
+      expanded_scripttags.each do |scripttag|
+        create_scripttag(scripttag) unless scripttag_exists?(scripttag[:src])
+      end
+    end
+
+    def destroy_scripttags
+      scripttags = expanded_scripttags
+      DuodealerAPI::ScriptTag.all.each do |tag|
+        DuodealerAPI::ScriptTag.delete(tag.id) if is_required_scripttag?(scripttags, tag)
+      end
+
+      @current_scripttags = nil
+    end
+
+    private
+      def expanded_scripttags
+        self.class.build_src(required_scripttags, shop_domain)
+      end
+
+      def is_required_scripttag?(scripttags, tag)
+        scripttags.map { |w| w[:src] }.include? tag.src
+      end
+
+      def create_scripttag(attributes)
+        attributes.reverse_merge!(format: "json")
+        scripttag = DuodealerAPI::ScriptTag.create(attributes)
+        raise CreationFailed, scripttag.errors.full_messages.to_sentence unless scripttag.persisted?
+        scripttag
+      end
+
+      def scripttag_exists?(src)
+        current_scripttags[src]
+      end
+
+      def current_scripttags
+        @current_scripttags ||= DuodealerAPI::ScriptTag.all.index_by(&:src)
+      end
+  end
+end