omniauth-shopify-oauth2 1.1.14 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: e88a21bce303e6c6d637d58c50a2bfa7d75dfe86
-  data.tar.gz: bced14c2fffa27c843425fe95dd088dbb5866c28
+SHA256:
+  metadata.gz: 0031b4b2dbba2b3b01f7805026f5a1a1043dd154192102244563ad248090f0ce
+  data.tar.gz: 3fd9935fe819c0bc35813d08c0c8e41baa1de43e8333fa3c1f7c494e068336c1
 SHA512:
-  metadata.gz: 575588b874c8c8d1774070ed66fbf55e8d70f9b82f9097c6f97e1ccb3423e792b82b400c2c3e481527eb60f5f54a69092aebd5715a5211845033bdc3a3be974c
-  data.tar.gz: 3aa7bb0263d3c262f6c93aa39ce8729d92225fe712c9f0acc46560aed468f8c9dc125b4820a20273add6d4490b424215ba89565ac8c9fd8488d74dcc4dbe0f17
+  metadata.gz: 819569da31d85ea93405929aab51022a4fdfdb998524de8f39d616bfaace0bac71d193b82414c4b04dcad06f0fcc81081079a6d1e10b82a4509eeed81c99888e
+  data.tar.gz: 86a9888309a4d6e46f80d56455469160a056aeb961beefc5aefc9f2ff0df42689cb4d349bac3212219093554aa534a841fd50127ab4af6faa7952dc4413194b8

data/.github/probots.yml

@@ -0,0 +1,2 @@
+enabled:
+  - cla

data/.github/workflows/build.yml

@@ -0,0 +1,25 @@
+name: CI
+
+on: 
+  push:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    name: Ruby ${{ matrix.version }}
+    strategy:
+      matrix:
+        version: [2.5.0, 2.7.1]
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby ${{ matrix.version }}
+        uses: ruby/setup-ruby@v1
+        with: 
+          ruby-version: ${{ matrix.version }}
+          bundler-cache: true
+      - name: Install dependencies
+        run: bundle
+      - name: Run Tests
+        run: bundle exec rake
+          

data/Gemfile

@@ -1,3 +1,11 @@
 source "https://rubygems.org"
 
 gemspec
+
+if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.2")
+  gem 'rack', '~> 1.6'
+end
+
+group :development, :test do
+  gem 'fakeweb', git: 'https://github.com/chrisk/fakeweb.git'
+end

data/README.md

@@ -1,4 +1,4 @@
-[![Build Status](https://api.travis-ci.org/Shopify/omniauth-shopify-oauth2.png?branch=master)](http://travis-ci.org/Shopify/omniauth-shopify-oauth2)
+[![Build Status](https://github.com/Shopify/omniauth-shopify-oauth2/workflows/CI/badge.svg?branch=master)](https://github.com/Shopify/omniauth-shopify-oauth2/actions)
 
 # OmniAuth Shopify
 
@@ -26,8 +26,49 @@ Rails.application.config.middleware.use OmniAuth::Builder do
 end
 ```
 
+Authenticate the user by having them visit /auth/shopify with a `shop` query parameter of their shop's myshopify.com domain. For example, the following form could be used
+
+```html
+<form action="/auth/shopify" method="get">
+  <label for="shop">Enter your store's URL:</label>
+  <input type="text" name="shop" placeholder="your-shop-url.myshopify.com">
+  <button type="submit">Log In</button>
+</form>
+```
+
+Or without form `/auth/shopify?shop=your-shop-url.myshopify.com`
+Alternatively you can put shop parameter to session as [Shopify App](https://github.com/Shopify/shopify_app) do
+
+```ruby
+session['shopify.omniauth_params'] = { shop: params[:shop] }
+```
+
+And finally it's possible to use your own query parameter by overriding default setup method. For example, like below:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :shopify,
+    ENV['SHOPIFY_API_KEY'],
+    ENV['SHOPIFY_SHARED_SECRET'],
+    option :setup, proc { |env|
+      strategy = env['omniauth.strategy']
+
+
+
+      site = if strategy.request.params['site']
+        "https://#{strategy.request.params['site']}"
+      else
+        ''
+      end
+
+      env['omniauth.strategy'].options[:client_options][:site] = site
+    }
+```
+
 ## Configuring
 
+### Scope
+
 You can configure the scope, which you pass in to the `provider` method via a `Hash`:
 
 * `scope`: A comma-separated list of permissions you want to request from the user. See [the Shopify API docs](http://docs.shopify.com/api/tutorials/oauth) for a full list of available permissions.
@@ -40,6 +81,19 @@ Rails.application.config.middleware.use OmniAuth::Builder do
 end
 ```
 
+### Online Access
+
+Shopify offers two different types of access tokens: [online access and offline access](https://help.shopify.com/api/getting-started/authentication/oauth/api-access-modes). You can configure for online-access by passing the `per_user_permissions` option:
+
+```
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :shopify, ENV['SHOPIFY_API_KEY'],
+                     ENV['SHOPIFY_SHARED_SECRET'],
+                     :scope => 'read_orders',
+                     :per_user_permissions => true
+end
+```
+
 ## Authentication Hash
 
 Here's an example *Authentication Hash* available in `request.env['omniauth.auth']`:

data/SECURITY.md

@@ -0,0 +1,59 @@
+# Security Policy
+
+## Supported versions
+
+### New features
+
+New features will only be added to the master branch and will not be made available in point releases.
+
+### Bug fixes
+
+Only the latest release series will receive bug fixes. When enough bugs are fixed and its deemed worthy to release a new gem, this is the branch it happens from.
+
+### Security issues
+
+Only the latest release series will receive patches and new versions in case of a security issue.
+
+### Severe security issues
+
+For severe security issues we will provide new versions as above, and also the last major release series will receive patches and new versions. The classification of the security issue is judged by the core team.
+
+### Unsupported Release Series
+
+When a release series is no longer supported, it's your own responsibility to deal with bugs and security issues. If you are not comfortable maintaining your own versions, you should upgrade to a supported version.
+
+## Reporting a bug
+
+All security bugs in shopify repositories should be reported to [our hackerone program](https://hackerone.com/shopify)
+Shopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the In Scope properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly your-store.myshopify.com/admin) and certain ancillary applications.
+
+## Disclosure Policy
+
+We look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:
+
+- Reply to all reports within one business day and triage within two business days (if applicable)
+- Be as transparent as possible, answering all inquires about our report decisions and adding hackers to duplicate HackerOne reports
+- Award bounties within a week of resolution (excluding extenuating circumstances)
+- Only close reports as N/A when the issue reported is included in Known Issues, Ineligible Vulnerabilities Types or lacks evidence of a vulnerability
+
+**The following rules must be followed in order for any rewards to be paid:**
+
+- You may only test against shops you have created which include your HackerOne YOURHANDLE @ wearehackerone.com registered email address.
+- You must not attempt to gain access to, or interact with, any shops other than those created by you.
+- The use of commercial scanners is prohibited (e.g., Nessus).
+- Rules for reporting must be followed.
+- Do not disclose any issues publicly before they have been resolved.
+- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.
+- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.
+- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.
+- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.
+- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.
+- All content submitted by you to Shopify under this program is licensed under the MIT License.
+- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.
+- Failure to follow any of the foregoing rules will disqualify you from participating in this program.
+
+** Please see our [Hackerone Profile](https://hackerone.com/shopify) for full details
+
+## Receiving Security Updates
+
+To recieve all general updates to vulnerabilities, please subscribe to our hackerone [Hacktivity](https://hackerone.com/shopify/hacktivity)

data/example/config.ru

@@ -1,5 +1,6 @@
 require 'bundler/setup'
 require 'sinatra/base'
+require 'active_support/core_ext/hash'
 require 'omniauth-shopify-oauth2'
 
 SCOPE = 'read_products,read_orders,read_customers,write_shipping'

data/lib/omniauth/shopify/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Shopify
-    VERSION = "1.1.14"
+    VERSION = "2.3.0"
   end
 end

data/lib/omniauth/strategies/shopify.rb

@@ -17,18 +17,42 @@ module OmniAuth
 
       option :callback_url
       option :myshopify_domain, 'myshopify.com'
+      option :old_client_secret
 
-      # When `true`, the authorization phase will fail if the granted scopes
-      # mismatch the requested scopes.
-      option :validate_granted_scopes, true
+      # When `true`, the user's permission level will apply (in addition to
+      # the requested access scope) when making API requests to Shopify.
+      option :per_user_permissions, false
 
       option :setup, proc { |env|
-        request = Rack::Request.new(env)
-        env['omniauth.strategy'].options[:client_options][:site] = "https://#{request.GET['shop']}"
+        strategy = env['omniauth.strategy']
+
+        shopify_auth_params = strategy.session['shopify.omniauth_params'] ||
+          strategy.session['omniauth.params'] ||
+          strategy.request.params
+
+        shopify_auth_params = shopify_auth_params && shopify_auth_params.with_indifferent_access
+        shop = if shopify_auth_params && shopify_auth_params['shop']
+          "https://#{shopify_auth_params['shop']}"
+        else
+          ''
+        end
+
+        strategy.options[:client_options][:site] = shop
       }
 
       uid { URI.parse(options[:client_options][:site]).host }
 
+      extra do
+        if access_token
+          {
+            'associated_user' => access_token['associated_user'],
+            'associated_user_scope' => access_token['associated_user_scope'],
+            'scope' => access_token['scope'],
+            'session' => access_token['session']
+          }
+        end
+      end
+
       def valid_site?
         !!(/\A(https|http)\:\/\/[a-zA-Z0-9][a-zA-Z0-9\-]*\.#{Regexp.quote(options[:myshopify_domain])}[\/]?\z/ =~ options[:client_options][:site])
       end
@@ -43,8 +67,10 @@ module OmniAuth
 
         return false unless timestamp.to_i > Time.now.to_i - CODE_EXPIRES_AFTER
 
-        calculated_signature = self.class.hmac_sign(self.class.encoded_params_for_signature(params), options.client_secret)
-        Rack::Utils.secure_compare(calculated_signature, signature)
+        new_secret = options.client_secret
+        old_secret = options.old_client_secret
+
+        validate_signature(new_secret) || (old_secret && validate_signature(old_secret))
       end
 
       def valid_scope?(token)
@@ -56,7 +82,7 @@ module OmniAuth
 
       def normalized_scopes(scopes)
         scope_list = scopes.to_s.split(SCOPE_DELIMITER).map(&:strip).reject(&:empty?).uniq
-        ignore_scopes = scope_list.map { |scope| scope =~ /\Awrite_(.*)\z/ && "read_#{$1}" }.compact
+        ignore_scopes = scope_list.map { |scope| scope =~ /\A(unauthenticated_)?write_(.*)\z/ && "#{$1}read_#{$2}" }.compact
         scope_list - ignore_scopes
       end
 
@@ -64,15 +90,24 @@ module OmniAuth
         params = params.dup
         params.delete('hmac')
         params.delete('signature') # deprecated signature
-        params.map{|k,v| "#{URI.escape(k.to_s, '&=%')}=#{URI.escape(v.to_s, '&%')}"}.sort.join('&')
+        Rack::Utils.build_query(params.sort)
       end
 
       def self.hmac_sign(encoded_params, secret)
         OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, secret, encoded_params)
       end
 
+      def valid_permissions?(token)
+        return false unless token
+
+        return true if options[:per_user_permissions] && token['associated_user']
+        return true if !options[:per_user_permissions] && !token['associated_user']
+
+        false
+      end
+
       def fix_https
-        options[:client_options][:site].gsub!(/\Ahttp\:/, 'https:')
+        options[:client_options][:site] = options[:client_options][:site].gsub(/\Ahttp\:/, 'https:')
       end
 
       def setup_phase
@@ -96,8 +131,13 @@ module OmniAuth
         unless valid_scope?(token)
           return fail!(:invalid_scope, CallbackError.new(:invalid_scope, "Scope does not match, it may have been tampered with."))
         end
+        unless valid_permissions?(token)
+          return fail!(:invalid_permissions, CallbackError.new(:invalid_permissions, "Requested API access mode does not match."))
+        end
 
         super
+      rescue ::OAuth2::Error => e
+        fail!(:invalid_credentials, e)
       end
 
       def build_access_token
@@ -107,12 +147,21 @@ module OmniAuth
       def authorize_params
         super.tap do |params|
           params[:scope] = normalized_scopes(params[:scope] || DEFAULT_SCOPE).join(SCOPE_DELIMITER)
+          params[:grant_options] = ['per-user'] if options[:per_user_permissions]
         end
       end
 
       def callback_url
         options[:callback_url] || full_host + script_name + callback_path
       end
+
+      private
+
+      def validate_signature(secret)
+        params = request.GET
+        calculated_signature = self.class.hmac_sign(self.class.encoded_params_for_signature(params), secret)
+        Rack::Utils.secure_compare(calculated_signature, params['hmac'])
+      end
     end
   end
 end

data/omniauth-shopify-oauth2.gemspec

@@ -6,19 +6,24 @@ Gem::Specification.new do |s|
   s.name     = 'omniauth-shopify-oauth2'
   s.version  = OmniAuth::Shopify::VERSION
   s.authors  = ['Denis Odorcic']
-  s.email    = ['denis.odorcic@shopify.com']
+  s.email    = ['gems@shopify.com']
   s.summary  = 'Shopify strategy for OmniAuth'
   s.homepage = 'https://github.com/Shopify/omniauth-shopify-oauth2'
   s.license = 'MIT'
 
+  s.metadata['allowed_push_host'] = 'https://rubygems.org'
+
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
   s.require_paths = ['lib']
+  s.required_ruby_version = '>= 2.1.9'
 
-  s.add_runtime_dependency 'omniauth-oauth2', '~> 1.2'
+  s.add_runtime_dependency 'omniauth-oauth2', '~> 1.5'
+  s.add_runtime_dependency 'activesupport'
 
   s.add_development_dependency 'minitest', '~> 5.6'
+  s.add_development_dependency 'rspec', '~> 3.9.0'
   s.add_development_dependency 'fakeweb', '~> 1.3'
   s.add_development_dependency 'rake'
 end

data/spec/omniauth/strategies/shopify_spec.rb

@@ -1,4 +1,3 @@
-require 'spec_helper'
 require 'omniauth-shopify-oauth2'
 require 'base64'
 
@@ -29,6 +28,12 @@ describe OmniAuth::Strategies::Shopify do
       subject.options[:client_options][:site].should eq('https://foo.bar/')
     end
 
+    it 'replaces http scheme by https with an immutable string' do
+      @options = {:client_options => {:site => 'http://foo.bar/'.freeze}}
+      subject.fix_https
+      subject.options[:client_options][:site].should eq('https://foo.bar/')
+    end
+
     it 'does not replace https scheme' do
       @options = {:client_options => {:site => 'https://foo.bar/'}}
       subject.fix_https
@@ -135,4 +140,80 @@ describe OmniAuth::Strategies::Shopify do
       subject.valid_site?.should eq(true)
     end
   end
+
+  describe '#valid_permissions?' do
+    let(:associated_user) do
+      {}
+    end
+
+    let(:token) do
+      {
+        'associated_user' => associated_user,
+      }
+    end
+
+    it 'returns false if there is no token' do
+      expect(subject.valid_permissions?(nil)).to be_falsey
+    end
+
+    context 'with per_user_permissions is present' do
+      before do
+        @options = @options.merge(per_user_permissions: true)
+      end
+
+      context 'when token does not have associated user' do
+        let(:associated_user) { nil }
+
+        it 'return false' do
+          expect(subject.valid_permissions?(token)).to be_falsey
+        end
+      end
+
+      context 'when token has associated user' do
+        it 'return true' do
+          expect(subject.valid_permissions?(token)).to be_truthy
+        end
+      end
+    end
+
+    context 'with per_user_permissions is false' do
+      before do
+        @options = @options.merge(per_user_permissions: false)
+      end
+
+      context 'when token does not have associated user' do
+        let(:associated_user) { nil }
+
+        it 'return true' do
+          expect(subject.valid_permissions?(token)).to be_truthy
+        end
+      end
+
+      context 'when token has associated user' do
+        it 'return false' do
+          expect(subject.valid_permissions?(token)).to be_falsey
+        end
+      end
+    end
+
+    context 'with per_user_permissions is nil' do
+      before do
+        @options = @options.merge(per_user_permissions: nil)
+      end
+
+      context 'when token does not have associated user' do
+        let(:associated_user) { nil }
+
+        it 'return true' do
+          expect(subject.valid_permissions?(token)).to be_truthy
+        end
+      end
+
+      context 'when token has associated user' do
+        it 'return false' do
+          expect(subject.valid_permissions?(token)).to be_falsey
+        end
+      end
+    end
+  end
 end

data/test/integration_test.rb

@@ -13,11 +13,19 @@ class IntegrationTest < Minitest::Test
   def test_authorize
     response = authorize('snowdevil.myshopify.com')
     assert_equal 302, response.status
-    assert_match /\A#{Regexp.quote("https://snowdevil.myshopify.com/admin/oauth/authorize?")}/, response.location
+    assert_match %r{\A#{Regexp.quote(shopify_authorize_url)}}, response.location
     redirect_params = Rack::Utils.parse_query(URI(response.location).query)
     assert_equal "123", redirect_params['client_id']
     assert_equal "https://app.example.com/auth/shopify/callback", redirect_params['redirect_uri']
     assert_equal "read_products", redirect_params['scope']
+    assert_nil redirect_params['grant_options']
+  end
+
+  def test_authorize_includes_auth_type_when_per_user_permissions_are_requested
+    build_app(per_user_permissions: true)
+    response = authorize('snowdevil.myshopify.com')
+    redirect_params = Rack::Utils.parse_query(URI(response.location).query)
+    assert_equal 'per-user', redirect_params['grant_options[]']
   end
 
   def test_authorize_overrides_site_with_https_scheme
@@ -26,8 +34,8 @@ class IntegrationTest < Minitest::Test
       env['omniauth.strategy'].options[:client_options][:site] = "http://#{params['shop']}"
     }
 
-    response = authorize('snowdevil.myshopify.com')
-    assert_match /\A#{Regexp.quote("https://snowdevil.myshopify.com/admin/oauth/authorize?")}/, response.location
+    response = request.get('https://app.example.com/auth/shopify?shop=snowdevil.myshopify.com')
+    assert_match %r{\A#{Regexp.quote(shopify_authorize_url)}}, response.location
   end
 
   def test_site_validation
@@ -40,10 +48,11 @@ class IntegrationTest < Minitest::Test
       'user@snowdevil.myshopify.com',   # shop contains user
       'snowdevil.myshopify.com:22',     # shop contains port
     ].each do |shop, valid|
+      @shop = shop
       response = authorize(shop)
       assert_auth_failure(response, 'invalid_site')
 
-      response = callback(sign_params(shop: shop, code: code))
+      response = callback(sign_with_new_secret(shop: shop, code: code))
       assert_auth_failure(response, 'invalid_site')
     end
   end
@@ -53,7 +62,7 @@ class IntegrationTest < Minitest::Test
     code = SecureRandom.hex(16)
     expect_access_token_request(access_token, OmniAuth::Strategies::Shopify::DEFAULT_SCOPE)
 
-    response = callback(sign_params(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
 
     assert_callback_success(response, access_token, code)
   end
@@ -64,7 +73,7 @@ class IntegrationTest < Minitest::Test
     code = SecureRandom.hex(16)
     expect_access_token_request(access_token, OmniAuth::Strategies::Shopify::DEFAULT_SCOPE)
 
-    response = callback(sign_params(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]).merge(signature: 'ignored'))
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]).merge(signature: 'ignored'))
 
     assert_callback_success(response, access_token, code)
   end
@@ -77,7 +86,7 @@ class IntegrationTest < Minitest::Test
 
     now = Time.now.to_i
     params = { shop: 'snowdevil.myshopify.com', code: code, timestamp: now, next: '/products?page=2&q=red%20shirt', state: opts["rack.session"]["omniauth.state"] }
-    encoded_params = "code=#{code}&next=/products?page=2%26q=red%2520shirt&shop=snowdevil.myshopify.com&state=#{opts["rack.session"]["omniauth.state"]}&timestamp=#{now}"
+    encoded_params = "code=#{code}&next=%2Fproducts%3Fpage%3D2%26q%3Dred%2520shirt&shop=snowdevil.myshopify.com&state=#{opts["rack.session"]["omniauth.state"]}&timestamp=#{now}"
     params[:hmac] = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, @secret, encoded_params)
 
     response = callback(params)
@@ -91,21 +100,21 @@ class IntegrationTest < Minitest::Test
     code = SecureRandom.hex(16)
     expect_access_token_request(access_token, 'read_orders,write_products')
 
-    response = callback(sign_params(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
 
     assert_callback_success(response, access_token, code)
   end
 
   def test_callback_rejects_invalid_hmac
     @secret = 'wrong_secret'
-    response = callback(sign_params(shop: 'snowdevil.myshopify.com', code: SecureRandom.hex(16)))
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: SecureRandom.hex(16)))
 
     assert_auth_failure(response, 'invalid_signature')
   end
 
   def test_callback_rejects_old_timestamps
     expired_timestamp = Time.now.to_i - OmniAuth::Strategies::Shopify::CODE_EXPIRES_AFTER - 1
-    response = callback(sign_params(shop: 'snowdevil.myshopify.com', code: SecureRandom.hex(16), timestamp: expired_timestamp))
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: SecureRandom.hex(16), timestamp: expired_timestamp))
 
     assert_auth_failure(response, 'invalid_signature')
   end
@@ -120,12 +129,15 @@ class IntegrationTest < Minitest::Test
 
   def test_callback_rejects_body_params
     code = SecureRandom.hex(16)
-    params = sign_params(shop: 'snowdevil.myshopify.com', code: code)
+    params = sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code)
     body = Rack::Utils.build_nested_query(unsigned: 'value')
 
     response = request.get("https://app.example.com/auth/shopify/callback?#{Rack::Utils.build_query(params)}",
                            input: body,
-                           "CONTENT_TYPE" => 'application/x-www-form-urlencoded')
+                           "CONTENT_TYPE" => 'application/x-www-form-urlencoded',
+                           'rack.session' => {
+                              'shopify.omniauth_params' => { shop: 'snowdevil.myshopify.com' }
+                            })
 
     assert_auth_failure(response, 'invalid_signature')
   end
@@ -140,28 +152,47 @@ class IntegrationTest < Minitest::Test
                 env['omniauth.strategy'].options[:client_options][:site] = "https://#{shop}"
               }
 
-    response = authorize('snowdevil')
+    response = request.get("https://app.example.com/auth/shopify?shop=snowdevil.myshopify.dev:3000")
     assert_equal 302, response.status
-    assert_match /\A#{Regexp.quote("https://snowdevil.myshopify.dev:3000/admin/oauth/authorize?")}/, response.location
+    assert_match %r{\A#{Regexp.quote("https://snowdevil.myshopify.dev:3000/admin/oauth/authorize?")}}, response.location
     redirect_params = Rack::Utils.parse_query(URI(response.location).query)
     assert_equal 'read_products,read_orders,write_content', redirect_params['scope']
     assert_equal 'https://app.example.com/admin/auth/legacy/callback', redirect_params['redirect_uri']
   end
 
+  def test_default_setup_reads_shop_from_session
+    build_app
+    response = authorize('snowdevil.myshopify.com')
+    assert_equal 302, response.status
+    assert_match %r{\A#{Regexp.quote("https://snowdevil.myshopify.com/admin/oauth/authorize?")}}, response.location
+    redirect_params = Rack::Utils.parse_query(URI(response.location).query)
+    assert_equal 'https://app.example.com/auth/shopify/callback', redirect_params['redirect_uri']
+  end
+
+  def test_default_setup_reads_shop_from_params
+    build_app
+
+    response = request.get('https://app.example.com/auth/shopify?shop=snowdevil.myshopify.com', opts)
+
+    assert_equal 302, response.status
+    assert_match %r{\A#{Regexp.quote("https://snowdevil.myshopify.com/admin/oauth/authorize?")}}, response.location
+    redirect_params = Rack::Utils.parse_query(URI(response.location).query)
+    assert_equal 'https://app.example.com/auth/shopify/callback', redirect_params['redirect_uri']
+  end
+
   def test_unnecessary_read_scopes_are_removed
-    build_app scope: 'read_content,read_products,write_products',
+    build_app scope: 'read_content,read_products,write_products,unauthenticated_read_checkouts,unauthenticated_write_checkouts',
               callback_path: '/admin/auth/legacy/callback',
               myshopify_domain: 'myshopify.dev:3000',
               setup: lambda { |env|
                 shop = Rack::Request.new(env).GET['shop']
-                shop += ".myshopify.dev:3000" unless shop.include?(".")
                 env['omniauth.strategy'].options[:client_options][:site] = "https://#{shop}"
               }
 
-    response = authorize('snowdevil')
+    response = request.get("https://app.example.com/auth/shopify?shop=snowdevil.myshopify.dev:3000")
     assert_equal 302, response.status
     redirect_params = Rack::Utils.parse_query(URI(response.location).query)
-    assert_equal 'read_content,write_products', redirect_params['scope']
+    assert_equal 'read_content,write_products,unauthenticated_write_checkouts', redirect_params['scope']
   end
 
   def test_callback_with_invalid_state_fails
@@ -169,7 +200,7 @@ class IntegrationTest < Minitest::Test
     code = SecureRandom.hex(16)
     expect_access_token_request(access_token, OmniAuth::Strategies::Shopify::DEFAULT_SCOPE)
 
-    response = callback(sign_params(shop: 'snowdevil.myshopify.com', code: code, state: 'invalid'))
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: 'invalid'))
 
     assert_equal 302, response.status
     assert_equal '/auth/failure?message=csrf_detected&strategy=shopify', response.location
@@ -178,9 +209,9 @@ class IntegrationTest < Minitest::Test
   def test_callback_with_mismatching_scope_fails
     access_token = SecureRandom.hex(16)
     code = SecureRandom.hex(16)
-    expect_access_token_request(access_token, 'some_invalid_scope')
+    expect_access_token_request(access_token, 'some_invalid_scope', nil)
 
-    response = callback(sign_params(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
 
     assert_equal 302, response.status
     assert_equal '/auth/failure?message=invalid_scope&strategy=shopify', response.location
@@ -191,7 +222,7 @@ class IntegrationTest < Minitest::Test
     code = SecureRandom.hex(16)
     expect_access_token_request(access_token, nil)
 
-    response = callback(sign_params(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
 
     assert_equal 302, response.status
     assert_equal '/auth/failure?message=invalid_scope&strategy=shopify', response.location
@@ -204,7 +235,7 @@ class IntegrationTest < Minitest::Test
     code = SecureRandom.hex(16)
     expect_access_token_request(access_token, 'first_scope')
 
-    response = callback(sign_params(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
 
     assert_equal 302, response.status
     assert_equal '/auth/failure?message=invalid_scope&strategy=shopify', response.location
@@ -217,7 +248,7 @@ class IntegrationTest < Minitest::Test
     code = SecureRandom.hex(16)
     expect_access_token_request(access_token, 'second_scope,first_scope,third_scope')
 
-    response = callback(sign_params(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
 
     assert_equal 302, response.status
     assert_equal '/auth/failure?message=invalid_scope&strategy=shopify', response.location
@@ -230,7 +261,19 @@ class IntegrationTest < Minitest::Test
     code = SecureRandom.hex(16)
     expect_access_token_request(access_token, 'second_scope,first_scope')
 
-    response = callback(sign_params(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_callback_success(response, access_token, code)
+  end
+
+  def test_callback_with_duplicate_read_scopes_works
+    build_app scope: 'read_products,write_products,unauthenticated_read_products,unauthenticated_write_products'
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'write_products,unauthenticated_write_products')
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
 
     assert_callback_success(response, access_token, code)
   end
@@ -242,26 +285,143 @@ class IntegrationTest < Minitest::Test
     code = SecureRandom.hex(16)
     expect_access_token_request(access_token, 'read_content,write_products')
 
-    response = callback(sign_params(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_callback_success(response, access_token, code)
+  end
+
+  def test_callback_when_per_user_permissions_are_present_but_not_requested
+    build_app(scope: 'scope', per_user_permissions: false)
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'scope', { id: 1, email: 'bob@bobsen.com'})
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=invalid_permissions&strategy=shopify', response.location
+  end
+
+  def test_callback_when_per_user_permissions_are_not_present_and_options_is_nil
+    build_app(scope: 'scope', per_user_permissions: nil)
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'scope', nil)
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_callback_success(response, access_token, code)
+  end
+
+  def test_callback_when_per_user_permissions_are_not_present_but_requested
+    build_app(scope: 'scope', per_user_permissions: true)
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'scope', nil)
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=invalid_permissions&strategy=shopify', response.location
+  end
+
+  def test_callback_works_when_per_user_permissions_are_present_and_requested
+    build_app(scope: 'scope', per_user_permissions: true)
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, 'scope', { id: 1, email: 'bob@bobsen.com'})
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 200, response.status
+  end
+
+  def test_callback_when_a_session_is_present
+    build_app(scope: 'scope', per_user_permissions: true)
+
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    session = SecureRandom.hex
+    expect_access_token_request(access_token, 'scope', { id: 1, email: 'bob@bobsen.com'}, session)
+
+    response = callback(sign_with_new_secret(shop: 'snowdevil.myshopify.com', code: code, state: opts["rack.session"]["omniauth.state"]))
+
+    assert_equal 200, response.status
+  end
+
+  def test_callback_works_with_old_secret
+    build_app scope: OmniAuth::Strategies::Shopify::DEFAULT_SCOPE
+    access_token = SecureRandom.hex(16)
+    code = SecureRandom.hex(16)
+    expect_access_token_request(access_token, OmniAuth::Strategies::Shopify::DEFAULT_SCOPE)
+
+    signed_params = sign_with_old_secret(
+      shop: 'snowdevil.myshopify.com',
+      code: code,
+      state: opts["rack.session"]["omniauth.state"]
+    )
+
+    response = callback(signed_params)
 
     assert_callback_success(response, access_token, code)
   end
 
+  def test_callback_when_creds_are_invalid
+    build_app scope: OmniAuth::Strategies::Shopify::DEFAULT_SCOPE
+
+    FakeWeb.register_uri(
+      :post,
+      "https://snowdevil.myshopify.com/admin/oauth/access_token",
+      status: [ "401", "Invalid token" ],
+      body: "Token is invalid or has already been requested"
+    )
+
+    signed_params = sign_with_new_secret(
+      shop: 'snowdevil.myshopify.com',
+      code: SecureRandom.hex(16),
+      state: opts["rack.session"]["omniauth.state"]
+    )
+
+    response = callback(signed_params)
+
+    assert_equal 302, response.status
+    assert_equal '/auth/failure?message=invalid_credentials&strategy=shopify', response.location
+  end
+
   private
 
-  def sign_params(params)
-    params = params.dup
+  def sign_with_old_secret(params)
+    params = add_time(params)
+    encoded_params = OmniAuth::Strategies::Shopify.encoded_params_for_signature(params)
+    params['hmac'] = OmniAuth::Strategies::Shopify.hmac_sign(encoded_params, @old_secret)
+    params
+  end
 
+  def add_time(params)
+    params = params.dup
     params[:timestamp] ||= Time.now.to_i
+    params
+  end
 
+  def sign_with_new_secret(params)
+    params = add_time(params)
     encoded_params = OmniAuth::Strategies::Shopify.encoded_params_for_signature(params)
     params['hmac'] = OmniAuth::Strategies::Shopify.hmac_sign(encoded_params, @secret)
     params
   end
 
-  def expect_access_token_request(access_token, scope)
+  def expect_access_token_request(access_token, scope, associated_user=nil, session=nil)
     FakeWeb.register_uri(:post, "https://snowdevil.myshopify.com/admin/oauth/access_token",
-                         body: JSON.dump(access_token: access_token, scope: scope),
+                         body: JSON.dump(
+                           access_token: access_token,
+                           scope: scope,
+                           associated_user: associated_user,
+                           session: session,
+                         ),
                          content_type: 'application/json')
   end
 
@@ -282,10 +442,13 @@ class IntegrationTest < Minitest::Test
   def assert_auth_failure(response, reason)
     assert_nil FakeWeb.last_request
     assert_equal 302, response.status
-    assert_match /\A#{Regexp.quote("/auth/failure?message=#{reason}")}/, response.location
+    assert_match %r{\A#{Regexp.quote("/auth/failure?message=#{reason}")}}, response.location
   end
 
   def build_app(options={})
+    @old_secret = '12d34s1'
+    @secret = '53cr3tz'
+    options.merge!(old_client_secret: @old_secret)
     app = proc { |env|
       @omniauth_result = env['omniauth.auth']
       [200, {Rack::CONTENT_TYPE => "text/plain"}, "OK"]
@@ -293,17 +456,22 @@ class IntegrationTest < Minitest::Test
 
     opts["rack.session"]["omniauth.state"] = SecureRandom.hex(32)
     app = OmniAuth::Builder.new(app) do
-      provider :shopify, '123', '53cr3tz', options
+      provider :shopify, '123', '53cr3tz' , options
     end
-    @secret = '53cr3tz'
     @app = Rack::Session::Cookie.new(app, secret: SecureRandom.hex(64))
   end
 
+  def shop
+    @shop ||= 'snowdevil.myshopify.com'
+  end
+
   def authorize(shop)
-    request.get("https://app.example.com/auth/shopify?shop=#{CGI.escape(shop)}", opts)
+    @opts['rack.session']['shopify.omniauth_params'] = { shop: shop }
+    request.get('https://app.example.com/auth/shopify', opts)
   end
 
   def callback(params)
+    @opts['rack.session']['shopify.omniauth_params'] = { shop: shop }
     request.get("https://app.example.com/auth/shopify/callback?#{Rack::Utils.build_query(params)}", opts)
   end
 
@@ -314,4 +482,8 @@ class IntegrationTest < Minitest::Test
   def request
     Rack::MockRequest.new(@app)
   end
+
+  def shopify_authorize_url
+    "https://snowdevil.myshopify.com/admin/oauth/authorize?"
+  end
 end

data/test/test_helper.rb

@@ -5,6 +5,7 @@ require 'omniauth-shopify-oauth2'
 require 'minitest/autorun'
 require 'fakeweb'
 require 'json'
+require 'active_support/core_ext/hash'
 
 OmniAuth.config.logger = Logger.new(nil)
 FakeWeb.allow_net_connect = false

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-shopify-oauth2
 version: !ruby/object:Gem::Version
-  version: 1.1.14
+  version: 2.3.0
 platform: ruby
 authors:
 - Denis Odorcic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-25 00:00:00.000000000 Z
+date: 2020-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-oauth2
@@ -16,14 +16,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -38,6 +52,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5.6'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.9.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.9.0
 - !ruby/object:Gem::Dependency
   name: fakeweb
   requirement: !ruby/object:Gem::Requirement
@@ -68,16 +96,18 @@ dependencies:
         version: '0'
 description: 
 email:
-- denis.odorcic@shopify.com
+- gems@shopify.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/probots.yml"
+- ".github/workflows/build.yml"
 - ".gitignore"
-- ".travis.yml"
 - Gemfile
 - README.md
 - Rakefile
+- SECURITY.md
 - example/Gemfile
 - example/config.ru
 - lib/omniauth-shopify-oauth2.rb
@@ -92,7 +122,8 @@ files:
 homepage: https://github.com/Shopify/omniauth-shopify-oauth2
 licenses:
 - MIT
-metadata: {}
+metadata:
+  allowed_push_host: https://rubygems.org
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -101,15 +132,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.1.9
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.2.3
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Shopify strategy for OmniAuth

data/.travis.yml

@@ -1,4 +0,0 @@
-language: ruby
-rvm:
-  - 2.1.0
-  - 2.2.2