ruby_shopify_app 1.0.0

data/lib/generators/shopify_app/shopify_app_generator.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module Generators
+    class ShopifyAppGenerator < Rails::Generators::Base
+      def initialize(args, *options)
+        @opts = options.first
+        super(args, *options)
+      end
+
+      def run_all_generators
+        generate("shopify_app:install #{@opts.join(' ')}")
+        generate("shopify_app:shop_model #{@opts.join(' ')}")
+        generate("shopify_app:authenticated_controller")
+        generate("shopify_app:home_controller #{@opts.join(' ')}")
+      end
+    end
+  end
+end

data/lib/generators/shopify_app/user_model/templates/db/migrate/add_user_access_scopes_column.erb

@@ -0,0 +1,5 @@
+class AddUserAccessScopesColumn < ActiveRecord::Migration[<%= rails_migration_version %>]
+  def change
+    add_column :users, :access_scopes, :string
+  end
+end

data/lib/generators/shopify_app/user_model/templates/db/migrate/create_users.erb

@@ -0,0 +1,16 @@
+class CreateUsers < ActiveRecord::Migration[<%= rails_migration_version %>]
+  def self.up
+    create_table :users do |t|
+      t.bigint :shopify_user_id, null: false
+      t.string :shopify_domain, null: false
+      t.string :shopify_token, null: false
+      t.timestamps
+    end
+
+    add_index :users, :shopify_user_id, unique: true
+  end
+
+  def self.down
+    drop_table :users
+  end
+end

data/lib/generators/shopify_app/user_model/templates/user.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+class User < ActiveRecord::Base
+  include ShopifyApp::UserSessionStorageWithScopes
+
+  def api_version
+    ShopifyApp.configuration.api_version
+  end
+end

data/lib/generators/shopify_app/user_model/templates/users.yml

@@ -0,0 +1,4 @@
+regular_user:
+  shopify_domain: 'regular-shop.myshopify.com'
+  shopify_token: 'token'
+  shopify_user_id: 1

data/lib/generators/shopify_app/user_model/user_model_generator.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+require 'rails/generators/base'
+require 'rails/generators/active_record'
+
+module ShopifyApp
+  module Generators
+    class UserModelGenerator < Rails::Generators::Base
+      include Rails::Generators::Migration
+      source_root File.expand_path('../templates', __FILE__)
+
+      class_option :new_shopify_cli_app, type: :boolean, default: false
+
+      def create_user_model
+        copy_file('user.rb', 'app/models/user.rb')
+      end
+
+      def create_user_migration
+        migration_template('db/migrate/create_users.erb', 'db/migrate/create_users.rb')
+      end
+
+      def create_scopes_storage_in_user_model
+        scopes_column_prompt = <<~PROMPT
+          It is highly recommended that apps record the access scopes granted by \
+          merchants during app installation. See app/models/user.rb to modify how \
+          access scopes are stored and retrieved.
+
+          [WARNING] You will need to update the access_scopes accessors in the User model \
+          to allow shopify_app to store and retrieve scopes when going through OAuth.
+
+          The following migration will add an `access_scopes` column to the User model. \
+          Do you want to include this migration? [y/n]
+        PROMPT
+
+        if new_shopify_cli_app? || Rails.env.test? || yes?(scopes_column_prompt)
+          migration_template(
+            'db/migrate/add_user_access_scopes_column.erb',
+            'db/migrate/add_user_access_scopes_column.rb'
+          )
+        end
+      end
+
+      def update_shopify_app_initializer
+        gsub_file('config/initializers/shopify_app.rb', 'ShopifyApp::InMemoryUserSessionStore', 'User')
+      end
+
+      def create_user_fixtures
+        copy_file('users.yml', 'test/fixtures/users.yml')
+      end
+
+      private
+
+      def new_shopify_cli_app?
+        options['new_shopify_cli_app']
+      end
+
+      def rails_migration_version
+        Rails.version.match(/\d\.\d/)[0]
+      end
+
+      class << self
+        private :next_migration_number
+
+        # for generating a timestamp when using `create_migration`
+        def next_migration_number(dir)
+          ActiveRecord::Generators::Base.next_migration_number(dir)
+        end
+      end
+    end
+  end
+end

data/lib/generators/shopify_app/views/views_generator.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+require 'rails/generators/base'
+
+module ShopifyApp
+  module Generators
+    class ViewsGenerator < Rails::Generators::Base
+      source_root File.expand_path("../../../../..", __FILE__)
+
+      def create_views
+        views.each do |view|
+          copy_file(view)
+        end
+      end
+
+      private
+
+      def views
+        files_within_root('.', 'app/views/**/*.*')
+      end
+
+      def files_within_root(prefix, glob)
+        root = "#{self.class.source_root}/#{prefix}"
+
+        Dir["#{root}/#{glob}"].sort.map do |full_path|
+          full_path.sub(root, '.').gsub('/./', '/')
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/access_scopes/noop_strategy.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module AccessScopes
+    class NoopStrategy
+      class << self
+        def update_access_scopes?(*_args)
+          false
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/access_scopes/shop_strategy.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module AccessScopes
+    class ShopStrategy
+      class << self
+        def update_access_scopes?(shop_domain)
+          shop_access_scopes = shop_access_scopes(shop_domain)
+          configuration_access_scopes != shop_access_scopes
+        end
+
+        private
+
+        def shop_access_scopes(shop_domain)
+          ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(shop_domain)&.access_scopes
+        end
+
+        def configuration_access_scopes
+          ShopifyAPI::ApiAccess.new(ShopifyApp.configuration.shop_access_scopes)
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/access_scopes/user_strategy.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module AccessScopes
+    class UserStrategy
+      class InvalidInput < StandardError; end
+
+      class << self
+        def update_access_scopes?(user_id: nil, shopify_user_id: nil)
+          return update_access_scopes_for_user_id?(user_id) if user_id
+          return update_access_scopes_for_shopify_user_id?(shopify_user_id) if shopify_user_id
+          raise(InvalidInput, '#update_access_scopes? requires user_id or shopify_user_id parameter inputs')
+        end
+
+        private
+
+        def update_access_scopes_for_user_id?(user_id)
+          user_access_scopes = user_access_scopes_by_user_id(user_id)
+          configuration_access_scopes != user_access_scopes
+        end
+
+        def update_access_scopes_for_shopify_user_id?(shopify_user_id)
+          user_access_scopes = user_access_scopes_by_shopify_user_id(shopify_user_id)
+          configuration_access_scopes != user_access_scopes
+        end
+
+        def user_access_scopes_by_user_id(user_id)
+          ShopifyApp::SessionRepository.retrieve_user_session(user_id)&.access_scopes
+        end
+
+        def user_access_scopes_by_shopify_user_id(shopify_user_id)
+          ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(shopify_user_id)&.access_scopes
+        end
+
+        def configuration_access_scopes
+          ShopifyAPI::ApiAccess.new(ShopifyApp.configuration.user_access_scopes)
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/configuration.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class Configuration
+    # Shopify App settings. These values should match the configuration
+    # for the app in your Shopify Partners page. Change your settings in
+    # `config/initializers/shopify_app.rb`
+    attr_accessor :application_name
+    attr_accessor :api_key
+    attr_accessor :secret
+    attr_accessor :old_secret
+    attr_accessor :scope
+    attr_writer :shop_access_scopes
+    attr_writer :user_access_scopes
+    attr_accessor :embedded_app
+    alias_method  :embedded_app?, :embedded_app
+    attr_accessor :webhooks
+    attr_accessor :scripttags
+    attr_accessor :after_authenticate_job
+    attr_accessor :api_version
+
+    attr_accessor :reauth_on_access_scope_changes
+
+    # customise urls
+    attr_accessor :root_url
+    attr_writer :login_url
+
+    # customise ActiveJob queue names
+    attr_accessor :scripttags_manager_queue_name
+    attr_accessor :webhooks_manager_queue_name
+
+    # configure myshopify domain for local shopify development
+    attr_accessor :myshopify_domain
+
+    # ability to have webpacker installed but not used in this gem and the generators
+    attr_accessor :disable_webpacker
+
+    # allow namespacing webhook jobs
+    attr_accessor :webhook_jobs_namespace
+
+    # allow enabling of same site none on cookies
+    attr_writer :enable_same_site_none
+
+    # allow enabling jwt headers for authentication
+    attr_accessor :allow_jwt_authentication
+
+    attr_accessor :allow_cookie_authentication
+
+    def initialize
+      @root_url = '/'
+      @myshopify_domain = 'myshopify.com'
+      @scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
+      @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
+      @disable_webpacker = ENV['SHOPIFY_APP_DISABLE_WEBPACKER'].present?
+      @allow_cookie_authentication = true
+    end
+
+    def login_url
+      @login_url || File.join(@root_url, 'login')
+    end
+
+    def user_session_repository=(klass)
+      ShopifyApp::SessionRepository.user_storage = klass
+    end
+
+    def user_session_repository
+      ShopifyApp::SessionRepository.user_storage
+    end
+
+    def shop_session_repository=(klass)
+      ShopifyApp::SessionRepository.shop_storage = klass
+    end
+
+    def shop_session_repository
+      ShopifyApp::SessionRepository.shop_storage
+    end
+
+    def shop_access_scopes_strategy
+      return ShopifyApp::AccessScopes::NoopStrategy unless reauth_on_access_scope_changes
+      ShopifyApp::AccessScopes::ShopStrategy
+    end
+
+    def user_access_scopes_strategy
+      return ShopifyApp::AccessScopes::NoopStrategy unless reauth_on_access_scope_changes
+      ShopifyApp::AccessScopes::UserStrategy
+    end
+
+    def has_webhooks?
+      webhooks.present?
+    end
+
+    def has_scripttags?
+      scripttags.present?
+    end
+
+    def enable_same_site_none
+      !Rails.env.test? && (@enable_same_site_none.nil? ? embedded_app? : @enable_same_site_none)
+    end
+
+    def shop_access_scopes
+      @shop_access_scopes || scope
+    end
+
+    def user_access_scopes
+      @user_access_scopes || scope
+    end
+  end
+
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
+  def self.configuration=(config)
+    @configuration = config
+  end
+
+  def self.configure
+    yield configuration
+  end
+end

data/lib/shopify_app/controller_concerns/app_proxy_verification.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module AppProxyVerification
+    extend ActiveSupport::Concern
+    included do
+      skip_before_action :verify_authenticity_token, raise: false
+      before_action :verify_proxy_request
+    end
+
+    def verify_proxy_request
+      return head(:forbidden) unless query_string_valid?(request.query_string)
+    end
+
+    private
+
+    def query_string_valid?(query_string)
+      query_hash = Rack::Utils.parse_query(query_string)
+
+      signature = query_hash.delete('signature')
+      return false if signature.nil?
+
+      ActiveSupport::SecurityUtils.secure_compare(
+        calculated_signature(query_hash),
+        signature
+      )
+    end
+
+    def calculated_signature(query_hash_without_signature)
+      sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(',')}" }.sort.join
+
+      OpenSSL::HMAC.hexdigest(
+        OpenSSL::Digest.new('sha256'),
+        ShopifyApp.configuration.secret,
+        sorted_params
+      )
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/csrf_protection.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module CsrfProtection
+    extend ActiveSupport::Concern
+    included do
+      protect_from_forgery with: :exception, unless: :valid_session_token?
+    end
+
+    private
+
+    def valid_session_token?
+      request.env['jwt.shopify_domain']
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/embedded_app.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module EmbeddedApp
+    extend ActiveSupport::Concern
+
+    included do
+      if ShopifyApp.configuration.embedded_app?
+        after_action(:set_esdk_headers)
+        layout('embedded_app')
+      end
+    end
+
+    private
+
+    def set_esdk_headers
+      response.set_header('P3P', 'CP="Not used"')
+      response.headers.except!('X-Frame-Options')
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/itp.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  # Cookie management helpers required for ITP implementation
+  module Itp
+    private
+
+    def set_test_cookie
+      return unless ShopifyApp.configuration.embedded_app?
+      return unless user_agent_can_partition_cookies
+
+      session['shopify.cookies_persist'] = true
+    end
+
+    def set_top_level_oauth_cookie
+      session['shopify.top_level_oauth'] = true
+    end
+
+    def clear_top_level_oauth_cookie
+      session.delete('shopify.top_level_oauth')
+    end
+
+    def user_agent_is_mobile
+      user_agent = BrowserSniffer.new(request.user_agent).browser_info
+
+      user_agent[:name].to_s.match(/Shopify\sMobile/)
+    end
+
+    def user_agent_is_pos
+      user_agent = BrowserSniffer.new(request.user_agent).browser_info
+
+      user_agent[:name].to_s.match(/Shopify\sPOS/)
+    end
+
+    def user_agent_can_partition_cookies
+      user_agent = BrowserSniffer.new(request.user_agent).browser_info
+
+      is_safari = user_agent[:name].to_s.match(/Safari/)
+
+      return false unless is_safari
+
+      user_agent[:version].to_s.match(/12\.0/)
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/localization.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module Localization
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :set_locale
+    end
+
+    private
+
+    def set_locale
+      if params[:locale]
+        session[:locale] = params[:locale]
+      else
+        session[:locale] ||= I18n.default_locale
+      end
+      I18n.locale = session[:locale]
+    rescue I18n::InvalidLocale
+      I18n.locale = I18n.default_locale
+    end
+  end
+end