lucid-shopify-session 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9ab531b412e4121b375dfc46db8194436b0a00f42d7abc5a92424663fc8db1a5
+  data.tar.gz: 174d49b35b6ee27a16c06033950134eca1f1e8b6a9cc0d7d361075108e3b3a31
+SHA512:
+  metadata.gz: e3bb3f3cc25fac5b93c9fe49a64c5bdefcb21c37f439bddfe8c81ed5d698bc52d9fa53f4d1dc04da7aae67bca20c5d60b7af132a65e0d688c6f6d6e3712aa168
+  data.tar.gz: cdd5992a9d7b7cbde6f8af8b237d4d3420eb08026c427bdb4dbdf72b89432344d9935d2c209547e3a5649038752859c1b455bac59d38e2bee747ef8b0fa28613

data/README.md

@@ -0,0 +1,30 @@
+lucid-shopify-session
+=====================
+
+This is [Shopify's new cookieless authentication][0] method for embedded apps,
+which makes use of session tokens provided by App Bridge to identify the shop.
+Session cookies are no longer viable due to browsers (starting with Safari)
+disabling third-party cookies by default. It is possible to work around, but
+quite impractical and harmful to the user experience, so all embedded apps
+should use this new method going forward.
+
+This method also replaces CSRF tokens, as the JWT provides the same protection
+considering that the signed JWT must originate from the Shopify admin (with the
+shared secret), so authenticated requests cannot be forged.
+
+[0]: https://shopify.dev/tools/app-bridge/authentication
+
+
+Installation
+------------
+
+Add the gem to your ‘Gemfile’:
+
+    gem 'lucid-shopify'
+    gem 'lucid-shopify-session'
+
+
+Usage
+-----
+
+_WIP_

data/lib/lucid-shopify-session.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'lucid/shopify/session'

data/lib/lucid/shopify/session.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Lucid
+  module Shopify
+    module Session
+      autoload :Authorise, 'lucid/shopify/session/authorise'
+      autoload :DecodeSessionToken, 'lucid/shopify/session/decode_session_token'
+      autoload :Middleware, 'lucid/shopify/session/middleware'
+      autoload :VERSION, 'lucid/shopify/session/version'
+    end
+  end
+end

data/lib/lucid/shopify/session/authorise.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'lucid-shopify-session'
+
+module Lucid
+  module Shopify
+    module Session
+      class Authorise
+        UnauthorisedError = Class.new(Error)
+
+        # @param env [Hash]
+        #
+        # @raise [UnauthorisedError]
+        def call(env)
+          session_token = env['HTTP_AUTHORIZATION']&.[](/Bearer (\S+)/, 1) || ''
+
+          env['lucid-shopify-session.shop'] = DecodeSessionToken.new.(session_token)
+        rescue DecodeSessionToken::Error
+          raise UnauthorisedError
+        end
+      end
+    end
+  end
+end

data/lib/lucid/shopify/session/decode_session_token.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require 'lucid-shopify'
+require 'jwt'
+
+module Lucid
+  module Shopify
+    module Session
+      class DecodeSessionToken
+        Error = Class.new(Error)
+
+        # @param token [String]
+        #
+        # @return [String] the *.myshopify.com domain of the authenticated shop
+        #
+        # @raise [Error]
+        def call(token)
+          payload, _ = JWT.decode(token, Shopify.config.shared_secret, true, algorithm: 'HS256')
+
+          raise Error unless valid?(payload)
+
+          myshopify_domain(payload)
+        rescue JWT::DecodeError
+          raise Error
+        end
+
+        # @param payload [Hash]
+        #
+        # @return [String]
+        private def myshopify_domain(payload)
+          payload['dest'].sub('https://', '')
+        end
+
+        # @param payload [Hash]
+        #
+        # @return [Boolean]
+        private def valid?(payload)
+          return false unless payload['aud'] == Shopify.config.api_key
+          return false unless payload['iss'].start_with?(payload['dest'])
+          return true
+      end
+      end
+    end
+  end
+end

data/lib/lucid/shopify/session/middleware.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'lucid-shopify-session'
+
+module Lucid
+  module Shopify
+    module Session
+      class Middleware
+        # @param app [#call]
+        def initialize(app)
+          @app = app
+        end
+
+        # @param env [Hash]
+        #
+        # @param [Array<Integer, Hash{String => String}, Array<String>]
+        def call(env)
+          Authorise.new.(env)
+
+          @app.call(env)
+        rescue UnauthorisedError
+          Rack::Response.new do |res|
+            res.status = 401
+            res.set_header('Content-Type', 'application/json')
+            res.write({
+              error: 'Invalid session token',
+            }.to_json)
+          end.to_a
+        end
+      end
+    end
+  end
+end

data/lib/lucid/shopify/session/version.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Lucid
+  module Shopify
+    module Session
+      VERSION = '0.0.1'
+    end
+  end
+end

metadata

@@ -0,0 +1,105 @@
+--- !ruby/object:Gem::Specification
+name: lucid-shopify-session
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Kelsey Judson
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2020-12-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.9'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.89'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.89'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: lucid-shopify
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.64'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.64'
+description:
+email: kelsey@kelseyjudson.dev
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/lucid-shopify-session.rb
+- lib/lucid/shopify/session.rb
+- lib/lucid/shopify/session/authorise.rb
+- lib/lucid/shopify/session/decode_session_token.rb
+- lib/lucid/shopify/session/middleware.rb
+- lib/lucid/shopify/session/version.rb
+homepage: https://github.com/kj/lucid-shopify-session
+licenses:
+- ISC
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.4
+signing_key:
+specification_version: 4
+summary: Shopify client library session token helpers for embedded apps
+test_files: []