omniauth-shopify-app 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e0adc6d98970d118184067f144d6cc6d07a9ec346e6add26b1b3bf97bf2d6970
+  data.tar.gz: db9f41aae849ffd1a55559a85258973ab4af59554a20f1a4fda7f88c26b0bf91
+SHA512:
+  metadata.gz: cb171fd3fe0eeb681215d60302c8f1d11af051b08337871a3eacc17713e69374c71196bed98e8b643aaff1b9700ad1a648b609502d4bcbd70c6817e8064055fd
+  data.tar.gz: '080bfe5fc359bafd7633308930dbd78074628af138748faa01c7f79a75f0188a2c944cc072533ee965de64f20f72805fdf2b91caded051fdeb1db064f4249d2a'

data/.github/workflows/build.yml

@@ -0,0 +1,25 @@
+name: CI
+
+on: 
+  push:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    name: Ruby ${{ matrix.version }}
+    strategy:
+      matrix:
+        version: [2.7, 3.0, 3.1]
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby ${{ matrix.version }}
+        uses: ruby/setup-ruby@v1
+        with: 
+          ruby-version: ${{ matrix.version }}
+          bundler-cache: true
+      - name: Install dependencies
+        run: bundle
+      - name: Run Tests
+        run: bundle exec rake
+          

data/.gitignore

@@ -0,0 +1,4 @@
+pkg/*
+Gemfile.lock
+.byebug_history
+*.gem

data/Gemfile

@@ -0,0 +1,8 @@
+source "https://rubygems.org"
+
+gemspec
+
+group :development, :test do
+  gem 'fakeweb', git: 'https://github.com/chrisk/fakeweb.git'
+  gem 'byebug'
+end

data/README.md

@@ -0,0 +1,107 @@
+# OmniAuth Shopify
+
+Shopify OAuth2 Strategy for OmniAuth 1.0.
+
+## Installing
+
+Add to your `Gemfile`:
+
+```ruby
+gem 'omniauth-shopify-app'
+```
+
+Then `bundle install`.
+
+## Usage
+
+`OmniAuth::Strategies::Shopify` is simply a Rack middleware. Read [the OmniAuth 1.0 docs](https://github.com/intridea/omniauth) for detailed instructions.
+
+Here's a quick example, adding the middleware to a Rails app in `config/initializers/omniauth.rb`:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :shopify, ENV['SHOPIFY_API_KEY'], ENV['SHOPIFY_SHARED_SECRET']
+end
+```
+
+Authenticate the user by having them visit /auth/shopify with a `shop` query parameter of their shop's myshopify.com domain. For example, the following form could be used
+
+```html
+<form action="/auth/shopify" method="get">
+  <label for="shop">Enter your store's URL:</label>
+  <input type="text" name="shop" placeholder="your-shop-url.myshopify.com">
+  <button type="submit">Log In</button>
+</form>
+```
+
+Or without form `/auth/shopify?shop=your-shop-url.myshopify.com`
+Alternatively you can put shop parameter to session as [Shopify App](https://github.com/Shopify/shopify_app) do
+
+```ruby
+session['shopify.omniauth_params'] = { shop: params[:shop] }
+```
+
+And finally it's possible to use your own query parameter by overriding default setup method. For example, like below:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :shopify,
+    ENV['SHOPIFY_API_KEY'],
+    ENV['SHOPIFY_SHARED_SECRET'],
+    option :setup, proc { |env|
+      strategy = env['omniauth.strategy']
+
+
+
+      site = if strategy.request.params['site']
+        "https://#{strategy.request.params['site']}"
+      else
+        ''
+      end
+
+      env['omniauth.strategy'].options[:client_options][:site] = site
+    }
+```
+
+## Configuring
+
+### Scope
+
+You can configure the scope, which you pass in to the `provider` method via a `Hash`:
+
+* `scope`: A comma-separated list of permissions you want to request from the user. See [the Shopify API docs](http://docs.shopify.com/api/tutorials/oauth) for a full list of available permissions.
+
+For example, to request `read_products`, `read_orders` and `write_content` permissions and display the authentication page:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :shopify, ENV['SHOPIFY_API_KEY'], ENV['SHOPIFY_SHARED_SECRET'], :scope => 'read_products,read_orders,write_content'
+end
+```
+
+### Online Access
+
+Shopify offers two different types of access tokens: [online access and offline access](https://help.shopify.com/api/getting-started/authentication/oauth/api-access-modes). You can configure for online-access by passing the `per_user_permissions` option:
+
+```
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :shopify, ENV['SHOPIFY_API_KEY'],
+                     ENV['SHOPIFY_SHARED_SECRET'],
+                     :scope => 'read_orders',
+                     :per_user_permissions => true
+end
+```
+
+## Authentication Hash
+
+Here's an example *Authentication Hash* available in `request.env['omniauth.auth']`:
+
+```ruby
+{
+  :provider => 'shopify',
+  :uid => 'example.myshopify.com',
+  :credentials => {
+    :token => 'afasd923kjh0934kf', # OAuth 2.0 access_token, which you store and use to authenticate API requests
+  }
+}
+```

data/Rakefile

@@ -0,0 +1,9 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+task :default => :test
+
+Rake::TestTask.new(:test) do |t|
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end

data/example/Gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org/'
+
+gem 'rack', '~> 1.6'
+
+gem 'sinatra', '~> 1.4'
+gem 'omniauth-shopify-app', :path => '../'

data/example/config.ru

@@ -0,0 +1,68 @@
+require 'bundler/setup'
+require 'sinatra/base'
+require 'active_support/core_ext/hash'
+require 'omniauth-shopify-app'
+
+SCOPE = 'read_products,read_orders,read_customers,write_shipping'
+SHOPIFY_API_KEY = ENV['SHOPIFY_API_KEY']
+SHOPIFY_SHARED_SECRET = ENV['SHOPIFY_SHARED_SECRET']
+
+unless SHOPIFY_API_KEY && SHOPIFY_SHARED_SECRET
+  abort("SHOPIFY_API_KEY and SHOPIFY_SHARED_SECRET environment variables must be set")
+end
+
+class App < Sinatra::Base
+  get '/' do
+    <<-HTML
+    <html>
+    <head>
+      <title>Shopify Oauth2</title>
+    </head>
+    <body>
+      <form action="/auth/shopify" method="get">
+      <label for="shop">Enter your store's URL:</label>
+      <input type="text" name="shop" placeholder="your-shop-url.myshopify.com">
+      <button type="submit">Log In</button>
+      </form>
+    </body>
+    </html>
+    HTML
+  end
+
+  get '/auth/:provider/callback' do
+    <<-HTML
+    <html>
+    <head>
+      <title>Shopify Oauth2</title>
+    </head>
+    <body>
+      <h3>Authorized</h3>
+      <p>Shop: #{request.env['omniauth.auth'].uid}</p>
+      <p>Token: #{request.env['omniauth.auth']['credentials']['token']}</p>
+    </body>
+    </html>
+    HTML
+  end
+
+  get '/auth/failure' do
+    <<-HTML
+    <html>
+    <head>
+      <title>Shopify Oauth2</title>
+    </head>
+    <body>
+      <h3>Failed Authorization</h3>
+      <p>Message: #{params[:message]}</p>
+    </body>
+    </html>
+    HTML
+  end
+end
+
+use Rack::Session::Cookie, secret: SecureRandom.hex(64)
+
+use OmniAuth::Builder do
+  provider :shopify, SHOPIFY_API_KEY, SHOPIFY_SHARED_SECRET, :scope => SCOPE
+end
+
+run App.new

data/lib/omniauth/shopify/encryptor.rb

@@ -0,0 +1,121 @@
+require 'openssl'
+
+module OmniAuth
+  module Shopify
+    # Encrypts messages with authentication
+    #
+    # The use of authentication is essential to avoid Chosen Ciphertext
+    # Attacks.  By using this in an encrypt then MAC form, we avoid some
+    # attacks such as e.g. being used as a CBC padding oracle to decrypt
+    # the ciphertext.
+    class Encryptor
+      # Create the encryptor
+      #
+      # Pass in the secret, which should be at least 32-bytes worth of
+      # entropy, e.g. a string generated by `SecureRandom.hex(32)`.
+      # This also allows specification of the algorithm for the cipher
+      # and MAC.  But don't change that unless you're very sure.
+      def initialize(secret, cipher = 'aes-256-cbc', hmac = 'SHA256')
+        @cipher = cipher
+        @hmac   = hmac
+
+        # use the HMAC to derive two independent keys for the encryption and
+        # authentication of ciphertexts It is bad practice to use the same key
+        # for encryption and authentication.  This also allows us to use all
+        # of the entropy in a long key (e.g. 64 hex bytes) when straight
+        # assignement would could result in assigning a key with a much
+        # reduced key space.  Also, the personalisation strings further help
+        # reduce the possibility of key reuse by ensuring it should be unique
+        # to this gem, even with shared secrets.
+        @encryption_key     = hmac("EncryptedCookie Encryption",     secret)
+        @authentication_key = hmac("EncryptedCookie Authentication", secret)
+      end
+
+      # Encrypts message
+      #
+      # Returns the base64 encoded ciphertext plus IV.  In addtion, the
+      # message is prepended with a MAC code to prevent chosen ciphertext
+      # attacks.
+      def encrypt(message)
+        # encrypt the message
+        encrypted = encrypt_message(message)
+
+        [authenticate_message(encrypted) +   encrypted].pack('m0')
+      end
+
+      # decrypts base64 encoded ciphertext
+      #
+      # First, it checks the message tag and returns nil if that fails to verify.
+      # Otherwise, the data is passed on to the AES function for decryption.
+      def decrypt(ciphertext)
+        ciphertext = ciphertext.unpack('m').first
+        tag        = ciphertext[0, hmac_length]
+        ciphertext = ciphertext[hmac_length..-1]
+
+        # make sure we actually had enough data for the tag too.
+        if tag && ciphertext && verify_message(tag, ciphertext)
+          decrypt_ciphertext(ciphertext)
+        else
+          nil
+        end
+      end
+
+      private
+
+      # HMAC digest of the message using the given secret
+      def hmac(secret, message)
+        OpenSSL::HMAC.digest(@hmac, secret, message)
+      end
+
+      def hmac_length
+        OpenSSL::Digest.new(@hmac).size
+      end
+
+      # returns the message authentication tag
+      #
+      # This is computed as HMAC(authentication_key, message)
+      def authenticate_message(message)
+        hmac(@authentication_key, message)
+      end
+
+      # verifies the message
+      #
+      # This does its best to be constant time, by use of the rack secure compare
+      # function.
+      def verify_message(tag, message)
+        own_tag = authenticate_message(message)
+        Rack::Utils.secure_compare(tag, own_tag)
+      end
+
+      # Encrypt
+      #
+      # Encrypts the given message with a random IV, then returns the ciphertext
+      # with the IV prepended.
+      def encrypt_message(message)
+        aes = OpenSSL::Cipher.new(@cipher).encrypt
+        aes.key = @encryption_key
+        iv = aes.random_iv
+        aes.iv = iv
+        iv + (aes.update(message) << aes.final)
+      end
+
+      # Decrypt
+      #
+      # Pulls the IV off the front of the message and decrypts.  Catches
+      # OpenSSL errors and returns nil.  But this should never happen, as the
+      # verify method should catch all corrupted ciphertexts.
+      def decrypt_ciphertext(ciphertext)
+        aes = OpenSSL::Cipher.new(@cipher).decrypt
+        aes.key = @encryption_key
+        iv = ciphertext[0, aes.iv_len]
+        aes.iv = iv
+        crypted_text = ciphertext[aes.iv_len..-1]
+        return nil if crypted_text.nil? || iv.nil?
+        aes.update(crypted_text) << aes.final
+      rescue
+        nil
+      end
+
+    end
+  end
+end

data/lib/omniauth/shopify/oauth_session.rb

@@ -0,0 +1,81 @@
+require 'rack'
+require_relative './encryptor'
+
+# Copy and modify from https://github.com/cvonkleist/encrypted_cookie
+
+module OmniAuth
+  module Shopify
+    class OAuthSession
+      EXPIRES = '_encrypted_cookie_expires_'
+      KEY = 'shopify_oauth_session'
+
+      def initialize(app, options={})
+        @app = app
+        @key = options[:key] || KEY
+        @secret = options[:secret]
+        fail "Error! A secret is required to use encrypted cookies. Do something like this:\n\nuse OmniAuth::Shopify::OauthSession, :secret => YOUR_VERY_LONG_VERY_RANDOM_SECRET_KEY_HERE" unless @secret
+        @default_options = {:domain => nil,
+          :path => "/",
+          :time_to_live => 1800,
+          :expire_after => nil}.merge(options)
+        @encryptor = Encryptor.new(@secret)
+      end
+
+      def call(env)
+        load_session(env)
+        status, headers, body = @app.call(env)
+        commit_session(env, status, headers, body)
+      end
+
+      private
+
+      def remove_expiration(session_data)
+        expires = session_data.delete(EXPIRES)
+        if expires and expires < Time.now
+          session_data.clear
+        end
+      end
+
+      def load_session(env)
+        request = Rack::Request.new(env)
+        env["rack.#{@key}.options"] = @default_options.dup
+
+        session_data = request.cookies[@key]
+        session_data = @encryptor.decrypt(session_data)
+        session_data = Marshal.load(session_data)
+        remove_expiration(session_data)
+
+        env["rack.#{@key}"] = session_data
+      rescue
+        env["rack.#{@key}"] = Hash.new
+      end
+
+      def add_expiration(session_data, options)
+        if options[:time_to_live] && !session_data.key?(EXPIRES)
+          expires = Time.now + options[:time_to_live]
+          session_data.merge!({EXPIRES => expires})
+        end
+      end
+
+      def commit_session(env, status, headers, body)
+        options = env["rack.#{@key}.options"]
+
+        session_data = env["rack.#{@key}"]
+        add_expiration(session_data, options)
+        session_data = Marshal.dump(session_data)
+        session_data = @encryptor.encrypt(session_data)
+
+        if session_data.size > (4096 - @key.size)
+          env["rack.errors"].puts("Warning! ShopifyOAuthSession data size exceeds 4K. Content dropped.")
+        else
+          cookie = Hash.new
+          cookie[:value] = session_data
+          cookie[:expires] = Time.now + options[:expire_after] unless options[:expire_after].nil?
+          Rack::Utils.set_cookie_header!(headers, @key, cookie.merge(options))
+        end
+
+        [status, headers, body]
+      end
+    end
+  end
+end

data/lib/omniauth/shopify/version.rb

@@ -0,0 +1,5 @@
+module OmniAuth
+  module Shopify
+    VERSION = "1.0.0"
+  end
+end

data/lib/omniauth/shopify.rb

@@ -0,0 +1,3 @@
+require 'omniauth/shopify/version'
+require 'omniauth/shopify/oauth_session'
+require 'omniauth/strategies/shopify'