duodealer_app 1.0.0

data/app/controllers/duodealer_app/callback_controller.rb-e

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+module DuodealerApp
+  # Performs login after OAuth completes
+  class CallbackController < ApplicationController
+    include DuodealerApp::LoginProtection
+
+    def callback
+      if auth_hash
+        login_shop
+        install_webhooks
+        install_scripttags
+        perform_after_authenticate_job
+
+        redirect_to return_address
+      else
+        flash[:error] = I18n.t("could_not_log_in")
+        redirect_to(login_url_with_optional_shop)
+      end
+    end
+
+    private
+      def login_shop
+        reset_session_options
+        set_duodealer_session
+      end
+
+      def auth_hash
+        request.env["omniauth.auth"]
+      end
+
+      def shop_name
+        auth_hash.uid
+      end
+
+      def associated_user
+        return if auth_hash["extra"].blank?
+
+        auth_hash["extra"]["associated_user"]
+      end
+
+      def token
+        auth_hash["credentials"]["token"]
+      end
+
+      def reset_session_options
+        request.session_options[:renew] = true
+        session.delete(:_csrf_token)
+      end
+
+      def set_duodealer_session
+        session_store = DuodealerAPI::Session.new(
+          domain: shop_name,
+          token: token,
+          api_version: DuodealerApp.configuration.api_version
+        )
+        session[:duodealer] = DuodealerApp::SessionRepository.store(session_store, user: associated_user)
+        session[:duodealer_domain] = shop_name
+        session[:duodealer_user] = associated_user
+
+        if DuodealerApp.configuration.per_user_tokens?
+          # Adds the user_session to the session to determine if the logged in user has changed
+          user_session = auth_hash&.extra&.session
+          raise IndexError, "Missing user session signature" if user_session.nil?
+          session[:user_session] = user_session
+        end
+      end
+
+      def install_webhooks
+        return unless DuodealerApp.configuration.has_webhooks?
+
+        WebhooksManager.queue(
+          shop_name,
+          token,
+          DuodealerApp.configuration.webhooks
+        )
+      end
+
+      def install_scripttags
+        return unless DuodealerApp.configuration.has_scripttags?
+
+        ScripttagsManager.queue(
+          shop_name,
+          token,
+          DuodealerApp.configuration.scripttags
+        )
+      end
+
+      def perform_after_authenticate_job
+        config = DuodealerApp.configuration.after_authenticate_job
+
+        return unless config && config[:job].present?
+
+        job = config[:job]
+        job = job.constantize if job.is_a?(String)
+
+        if config[:inline] == true
+          job.perform_now(shop_domain: session[:duodealer_domain])
+        else
+          job.perform_later(shop_domain: session[:duodealer_domain])
+        end
+      end
+  end
+end

data/app/controllers/duodealer_app/extension_verification_controller.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module DuodealerApp
+  class ExtensionVerificationController < ApplicationController
+    protect_from_forgery with: :null_session
+    before_action :verify_request
+
+    private
+      def verify_request
+        hmac_header = request.headers["HTTP_X_DUODEALER_HMAC_SHA256"]
+        request_body = request.body.read
+        secret = DuodealerApp.configuration.secret
+        digest = OpenSSL::Digest.new("sha256")
+
+        expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
+        head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
+      end
+  end
+end

data/app/controllers/duodealer_app/extension_verification_controller.rb-e

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module DuodealerApp
+  class ExtensionVerificationController < ApplicationController
+    protect_from_forgery with: :null_session
+    before_action :verify_request
+
+    private
+      def verify_request
+        hmac_header = request.headers["HTTP_X_DUODEALER_HMAC_SHA256"]
+        request_body = request.body.read
+        secret = DuodealerApp.configuration.secret
+        digest = OpenSSL::Digest.new("sha256")
+
+        expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
+        head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
+      end
+  end
+end

data/app/controllers/duodealer_app/sessions_controller.rb

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+module DuodealerApp
+  class SessionsController < ApplicationController # rubocop:disable Metrics/ClassLength
+    include DuodealerApp::LoginProtection
+
+    layout false, only: :new
+    after_action only: [:new, :create] do |controller|
+      controller.response.headers.except!("X-Frame-Options")
+    end
+
+    def new
+      authenticate if sanitized_shop_name.present?
+    end
+
+    def create
+      authenticate
+    end
+
+    def enable_cookies
+      return unless validate_shop
+
+      render(:enable_cookies, layout: false, locals: {
+        does_not_have_storage_access_url: top_level_interaction_path(
+          shop: sanitized_shop_name,
+          return_to: params[:return_to]
+        ),
+        has_storage_access_url: login_url_with_optional_shop(top_level: true),
+        app_target_url: granted_storage_access_path(
+          shop: sanitized_shop_name,
+          return_to: params[:return_to]
+        ),
+        current_duodealer_domain: current_duodealer_domain
+      })
+    end
+
+    def top_level_interaction
+      @url = login_url_with_optional_shop(top_level: true)
+      validate_shop
+    end
+
+    def granted_storage_access
+      return unless validate_shop
+
+      session["duodealer.granted_storage_access"] = true
+
+      copy_return_to_param_to_session
+
+      redirect_to(return_address_with_params({ shop: @shop }))
+    end
+
+    def destroy
+      reset_session
+      flash[:notice] = I18n.t(".logged_out")
+      redirect_to(login_url_with_optional_shop)
+    end
+
+    private
+      def authenticate
+        return render_invalid_shop_error if sanitized_shop_name.blank?
+        session["duodealer.omniauth_params"] = { shop: sanitized_shop_name }
+
+        copy_return_to_param_to_session
+
+        if user_agent_can_partition_cookies
+          authenticate_with_partitioning
+        else
+          authenticate_normally
+        end
+      end
+
+      def authenticate_normally
+        if request_storage_access?
+          redirect_to_request_storage_access
+        elsif authenticate_in_context?
+          authenticate_in_context
+        else
+          authenticate_at_top_level
+        end
+      end
+
+      def authenticate_with_partitioning
+        if session["duodealer.cookies_persist"]
+          clear_top_level_oauth_cookie
+          authenticate_in_context
+        else
+          set_top_level_oauth_cookie
+          enable_cookie_access
+        end
+      end
+
+      def validate_shop
+        @shop = sanitized_shop_name
+        unless @shop
+          render_invalid_shop_error
+          return false
+        end
+
+        true
+      end
+
+      def copy_return_to_param_to_session
+        session[:return_to] = params[:return_to] if params[:return_to]
+      end
+
+      def render_invalid_shop_error
+        flash[:error] = I18n.t("invalid_shop_url")
+        redirect_to return_address
+      end
+
+      def enable_cookie_access
+        fullpage_redirect_to(enable_cookies_path(
+                               shop: sanitized_shop_name,
+                               return_to: session[:return_to]
+        ))
+      end
+
+      def authenticate_in_context
+        redirect_to "#{main_app.root_path}auth/duodealer"
+      end
+
+      def authenticate_at_top_level
+        fullpage_redirect_to(login_url_with_optional_shop(top_level: true))
+      end
+
+      def authenticate_in_context?
+        return true unless DuodealerApp.configuration.embedded_app?
+        params[:top_level]
+      end
+
+      def request_storage_access?
+        return false unless DuodealerApp.configuration.embedded_app?
+        return false if params[:top_level]
+        return false if user_agent_is_mobile
+        return false if user_agent_is_pos
+
+        !session["duodealer.granted_storage_access"]
+      end
+
+      def redirect_to_request_storage_access
+        render(
+          :request_storage_access,
+          layout: false,
+          locals: {
+            does_not_have_storage_access_url: top_level_interaction_path(
+              shop: sanitized_shop_name,
+              return_to: session[:return_to]
+            ),
+            has_storage_access_url: login_url_with_optional_shop(top_level: true),
+            app_target_url: granted_storage_access_path(
+              shop: sanitized_shop_name,
+              return_to: session[:return_to]
+            ),
+            current_duodealer_domain: current_duodealer_domain
+          }
+        )
+      end
+  end
+end

data/app/controllers/duodealer_app/sessions_controller.rb-e

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+module DuodealerApp
+  class SessionsController < ApplicationController # rubocop:disable Metrics/ClassLength
+    include DuodealerApp::LoginProtection
+
+    layout false, only: :new
+    after_action only: [:new, :create] do |controller|
+      controller.response.headers.except!("X-Frame-Options")
+    end
+
+    def new
+      authenticate if sanitized_shop_name.present?
+    end
+
+    def create
+      authenticate
+    end
+
+    def enable_cookies
+      return unless validate_shop
+
+      render(:enable_cookies, layout: false, locals: {
+        does_not_have_storage_access_url: top_level_interaction_path(
+          shop: sanitized_shop_name,
+          return_to: params[:return_to]
+        ),
+        has_storage_access_url: login_url_with_optional_shop(top_level: true),
+        app_target_url: granted_storage_access_path(
+          shop: sanitized_shop_name,
+          return_to: params[:return_to]
+        ),
+        current_duodealer_domain: current_duodealer_domain
+      })
+    end
+
+    def top_level_interaction
+      @url = login_url_with_optional_shop(top_level: true)
+      validate_shop
+    end
+
+    def granted_storage_access
+      return unless validate_shop
+
+      session["duodealer.granted_storage_access"] = true
+
+      copy_return_to_param_to_session
+
+      redirect_to(return_address_with_params({ shop: @shop }))
+    end
+
+    def destroy
+      reset_session
+      flash[:notice] = I18n.t(".logged_out")
+      redirect_to(login_url_with_optional_shop)
+    end
+
+    private
+      def authenticate
+        return render_invalid_shop_error if sanitized_shop_name.blank?
+        session["duodealer.omniauth_params"] = { shop: sanitized_shop_name }
+
+        copy_return_to_param_to_session
+
+        if user_agent_can_partition_cookies
+          authenticate_with_partitioning
+        else
+          authenticate_normally
+        end
+      end
+
+      def authenticate_normally
+        if request_storage_access?
+          redirect_to_request_storage_access
+        elsif authenticate_in_context?
+          authenticate_in_context
+        else
+          authenticate_at_top_level
+        end
+      end
+
+      def authenticate_with_partitioning
+        if session["duodealer.cookies_persist"]
+          clear_top_level_oauth_cookie
+          authenticate_in_context
+        else
+          set_top_level_oauth_cookie
+          enable_cookie_access
+        end
+      end
+
+      def validate_shop
+        @shop = sanitized_shop_name
+        unless @shop
+          render_invalid_shop_error
+          return false
+        end
+
+        true
+      end
+
+      def copy_return_to_param_to_session
+        session[:return_to] = params[:return_to] if params[:return_to]
+      end
+
+      def render_invalid_shop_error
+        flash[:error] = I18n.t("invalid_shop_url")
+        redirect_to return_address
+      end
+
+      def enable_cookie_access
+        fullpage_redirect_to(enable_cookies_path(
+                               shop: sanitized_shop_name,
+                               return_to: session[:return_to]
+        ))
+      end
+
+      def authenticate_in_context
+        redirect_to "#{main_app.root_path}auth/duodealer"
+      end
+
+      def authenticate_at_top_level
+        fullpage_redirect_to(login_url_with_optional_shop(top_level: true))
+      end
+
+      def authenticate_in_context?
+        return true unless DuodealerApp.configuration.embedded_app?
+        params[:top_level]
+      end
+
+      def request_storage_access?
+        return false unless DuodealerApp.configuration.embedded_app?
+        return false if params[:top_level]
+        return false if user_agent_is_mobile
+        return false if user_agent_is_pos
+
+        !session["duodealer.granted_storage_access"]
+      end
+
+      def redirect_to_request_storage_access
+        render(
+          :request_storage_access,
+          layout: false,
+          locals: {
+            does_not_have_storage_access_url: top_level_interaction_path(
+              shop: sanitized_shop_name,
+              return_to: session[:return_to]
+            ),
+            has_storage_access_url: login_url_with_optional_shop(top_level: true),
+            app_target_url: granted_storage_access_path(
+              shop: sanitized_shop_name,
+              return_to: session[:return_to]
+            ),
+            current_duodealer_domain: current_duodealer_domain
+          }
+        )
+      end
+  end
+end