ruby_shopify_app 1.0.0

data/lib/shopify_app/session/in_memory_shop_session_store.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class InMemoryShopSessionStore < InMemorySessionStore
+    class << self
+      def store(session, *args)
+        id = super
+        repo[session.domain] = session
+        id
+      end
+
+      def retrieve_by_shopify_domain(shopify_domain)
+        repo[shopify_domain]
+      end
+    end
+  end
+end

data/lib/shopify_app/session/in_memory_user_session_store.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class InMemoryUserSessionStore < InMemorySessionStore
+    class << self
+      def store(session, user)
+        id = super
+        repo[user.shopify_user_id] = session
+        id
+      end
+
+      def retrieve_by_shopify_user_id(user_id)
+        repo[user_id]
+      end
+    end
+  end
+end

data/lib/shopify_app/session/jwt.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class JWT
+    class InvalidDestinationError < StandardError; end
+
+    class MismatchedHostsError < StandardError; end
+
+    class InvalidAudienceError < StandardError; end
+
+    WARN_EXCEPTIONS = [
+      ::JWT::DecodeError,
+      ::JWT::ExpiredSignature,
+      ::JWT::ImmatureSignature,
+      ::JWT::VerificationError,
+      InvalidAudienceError,
+      InvalidDestinationError,
+      MismatchedHostsError,
+    ]
+
+    def initialize(token)
+      @token = token
+      set_payload
+    end
+
+    def shopify_domain
+      @payload && ShopifyApp::Utils.sanitize_shop_domain(@payload['dest'])
+    end
+
+    def shopify_user_id
+      @payload['sub'].to_i if @payload && @payload['sub']
+    end
+
+    def expire_at
+      @payload['exp'].to_i if @payload && @payload['exp']
+    end
+
+    private
+
+    def set_payload
+      payload, _ = parse_token_data(ShopifyApp.configuration&.secret, ShopifyApp.configuration&.old_secret)
+      @payload = validate_payload(payload)
+    rescue *WARN_EXCEPTIONS => error
+      Rails.logger.warn("[ShopifyApp::JWT] Failed to validate JWT: [#{error.class}] #{error}")
+      nil
+    end
+
+    def parse_token_data(secret, old_secret)
+      ::JWT.decode(@token, secret, true, { algorithm: 'HS256' })
+    rescue ::JWT::VerificationError
+      raise unless old_secret
+
+      ::JWT.decode(@token, old_secret, true, { algorithm: 'HS256' })
+    end
+
+    def validate_payload(payload)
+      dest_host = ShopifyApp::Utils.sanitize_shop_domain(payload['dest'])
+      iss_host = ShopifyApp::Utils.sanitize_shop_domain(payload['iss'])
+      api_key = ShopifyApp.configuration.api_key
+
+      raise InvalidAudienceError, "'aud' claim does not match api_key" unless payload['aud'] == api_key
+      raise InvalidDestinationError, "'dest' claim host not a valid shopify host" unless dest_host
+      raise MismatchedHostsError, "'dest' claim host does not match 'iss' claim host" unless dest_host == iss_host
+
+      payload
+    end
+  end
+end

data/lib/shopify_app/session/null_user_session_store.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class NullUserSessionStore
+    class << self
+      def retrieve(_)
+        nil
+      end
+
+      def store(_, _)
+        raise SessionRepository::ConfigurationError, 'user_storage is not configured'
+      end
+
+      def retrieve_by_shopify_user_id(_)
+        nil
+      end
+
+      def blank?
+        true
+      end
+    end
+  end
+end

data/lib/shopify_app/session/session_repository.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class SessionRepository
+    class ConfigurationError < StandardError; end
+
+    class << self
+      attr_writer :shop_storage
+
+      attr_writer :user_storage
+
+      def retrieve_shop_session(id)
+        shop_storage.retrieve(id)
+      end
+
+      def retrieve_user_session(id)
+        user_storage.retrieve(id)
+      end
+
+      def retrieve_shop_session_by_shopify_domain(shopify_domain)
+        shop_storage.retrieve_by_shopify_domain(shopify_domain)
+      end
+
+      def retrieve_user_session_by_shopify_user_id(user_id)
+        user_storage.retrieve_by_shopify_user_id(user_id)
+      end
+
+      def store_shop_session(session)
+        shop_storage.store(session)
+      end
+
+      def store_user_session(session, user)
+        user_storage.store(session, user)
+      end
+
+      def shop_storage
+        load_shop_storage || raise(ConfigurationError, "ShopifySessionRepository.shop_storage is not configured!")
+      end
+
+      def user_storage
+        load_user_storage
+      end
+
+      private
+
+      def load_shop_storage
+        return unless @shop_storage
+        @shop_storage.respond_to?(:safe_constantize) ? @shop_storage.safe_constantize : @shop_storage
+      end
+
+      def load_user_storage
+        return NullUserSessionStore unless @user_storage
+        @user_storage.respond_to?(:safe_constantize) ? @user_storage.safe_constantize : @user_storage
+      end
+    end
+  end
+end

data/lib/shopify_app/session/session_storage.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module SessionStorage
+    extend ActiveSupport::Concern
+
+    included do
+      validates :shopify_token, presence: true
+      validates :api_version, presence: true
+    end
+
+    def with_shopify_session(&block)
+      ShopifyAPI::Session.temp(
+        domain: shopify_domain,
+        token: shopify_token,
+        api_version: api_version,
+        &block
+      )
+    end
+  end
+end

data/lib/shopify_app/session/shop_session_storage.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module ShopSessionStorage
+    extend ActiveSupport::Concern
+    include ::ShopifyApp::SessionStorage
+
+    included do
+      validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false }
+    end
+
+    class_methods do
+      def store(auth_session, *_args)
+        shop = find_or_initialize_by(shopify_domain: auth_session.domain)
+        shop.shopify_token = auth_session.token
+        shop.save!
+        shop.id
+      end
+
+      def retrieve(id)
+        shop = find_by(id: id)
+        construct_session(shop)
+      end
+
+      def retrieve_by_shopify_domain(domain)
+        shop = find_by(shopify_domain: domain)
+        construct_session(shop)
+      end
+
+      private
+
+      def construct_session(shop)
+        return unless shop
+
+        ShopifyAPI::Session.new(
+          domain: shop.shopify_domain,
+          token: shop.shopify_token,
+          api_version: shop.api_version,
+        )
+      end
+    end
+  end
+end

data/lib/shopify_app/session/shop_session_storage_with_scopes.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module ShopSessionStorageWithScopes
+    extend ActiveSupport::Concern
+    include ::ShopifyApp::SessionStorage
+
+    included do
+      validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false }
+    end
+
+    class_methods do
+      def store(auth_session, *_args)
+        shop = find_or_initialize_by(shopify_domain: auth_session.domain)
+        shop.shopify_token = auth_session.token
+        shop.access_scopes = auth_session.access_scopes
+
+        shop.save!
+        shop.id
+      end
+
+      def retrieve(id)
+        shop = find_by(id: id)
+        construct_session(shop)
+      end
+
+      def retrieve_by_shopify_domain(domain)
+        shop = find_by(shopify_domain: domain)
+        construct_session(shop)
+      end
+
+      private
+
+      def construct_session(shop)
+        return unless shop
+
+        ShopifyAPI::Session.new(
+          domain: shop.shopify_domain,
+          token: shop.shopify_token,
+          api_version: shop.api_version,
+          access_scopes: shop.access_scopes
+        )
+      end
+    end
+
+    def access_scopes=(scopes)
+      super(scopes)
+    rescue NotImplementedError, NoMethodError
+      raise NotImplementedError, "#access_scopes= must be defined to handle storing access scopes: #{scopes}"
+    end
+
+    def access_scopes
+      super
+    rescue NotImplementedError, NoMethodError
+      raise NotImplementedError, "#access_scopes= must be defined to hook into stored access scopes"
+    end
+  end
+end

data/lib/shopify_app/session/user_session_storage.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module UserSessionStorage
+    extend ActiveSupport::Concern
+    include ::ShopifyApp::SessionStorage
+
+    included do
+      validates :shopify_domain, presence: true
+    end
+
+    class_methods do
+      def store(auth_session, user)
+        user = find_or_initialize_by(shopify_user_id: user[:id])
+        user.shopify_token = auth_session.token
+        user.shopify_domain = auth_session.domain
+        user.save!
+        user.id
+      end
+
+      def retrieve(id)
+        user = find_by(id: id)
+        construct_session(user)
+      end
+
+      def retrieve_by_shopify_user_id(user_id)
+        user = find_by(shopify_user_id: user_id)
+        construct_session(user)
+      end
+
+      private
+
+      def construct_session(user)
+        return unless user
+        ShopifyAPI::Session.new(
+          domain: user.shopify_domain,
+          token: user.shopify_token,
+          api_version: user.api_version,
+        )
+      end
+    end
+  end
+end

data/lib/shopify_app/session/user_session_storage_with_scopes.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module UserSessionStorageWithScopes
+    extend ActiveSupport::Concern
+    include ::ShopifyApp::SessionStorage
+
+    included do
+      validates :shopify_domain, presence: true
+    end
+
+    class_methods do
+      def store(auth_session, user)
+        user = find_or_initialize_by(shopify_user_id: user[:id])
+        user.shopify_token = auth_session.token
+        user.shopify_domain = auth_session.domain
+        user.access_scopes = auth_session.access_scopes
+
+        user.save!
+        user.id
+      end
+
+      def retrieve(id)
+        user = find_by(id: id)
+        construct_session(user)
+      end
+
+      def retrieve_by_shopify_user_id(user_id)
+        user = find_by(shopify_user_id: user_id)
+        construct_session(user)
+      end
+
+      private
+
+      def construct_session(user)
+        return unless user
+
+        ShopifyAPI::Session.new(
+          domain: user.shopify_domain,
+          token: user.shopify_token,
+          api_version: user.api_version,
+          access_scopes: user.access_scopes
+        )
+      end
+    end
+
+    def access_scopes=(scopes)
+      super(scopes)
+    rescue NotImplementedError, NoMethodError
+      raise NotImplementedError, "#access_scopes= must be defined to handle storing access scopes: #{scopes}"
+    end
+
+    def access_scopes
+      super
+    rescue NotImplementedError, NoMethodError
+      raise NotImplementedError, "#access_scopes= must be defined to hook into stored access scopes"
+    end
+  end
+end

data/lib/shopify_app/test_helpers/all.rb

@@ -0,0 +1,2 @@
+# frozen_string_literal: true
+require 'shopify_app/test_helpers/webhook_verification_helper'

data/lib/shopify_app/test_helpers/webhook_verification_helper.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module TestHelpers
+    module WebhookVerificationHelper
+      def authorized_webhook_verification_headers!(params = {})
+        digest = OpenSSL::Digest.new('sha256')
+        secret = ShopifyApp.configuration.secret
+        valid_hmac = Base64.encode64(OpenSSL::HMAC.digest(digest, secret, params.to_query)).strip
+        @request.headers['HTTP_X_SHOPIFY_HMAC_SHA256'] = valid_hmac
+      end
+
+      def unauthorized_webhook_verification_headers!
+        @request.headers['HTTP_X_SHOPIFY_HMAC_SHA256'] = "invalid_hmac"
+      end
+    end
+  end
+end

data/lib/shopify_app/utils.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module Utils
+    def self.sanitize_shop_domain(shop_domain)
+      myshopify_domain = ShopifyApp.configuration.myshopify_domain
+      name = shop_domain.to_s.downcase.strip
+      name += ".#{myshopify_domain}" if !name.include?(myshopify_domain.to_s) && !name.include?(".")
+      name.sub!(%r|https?://|, '')
+
+      u = URI("http://#{name}")
+      u.host if u.host&.match(/^[a-z0-9][a-z0-9\-]*[a-z0-9]\.#{Regexp.escape(myshopify_domain)}$/)
+    rescue URI::InvalidURIError
+      nil
+    end
+
+    def self.fetch_known_api_versions
+      Rails.logger.info("[ShopifyAPI::ApiVersion] Fetching known Admin API Versions from Shopify...")
+      ShopifyAPI::ApiVersion.fetch_known_versions
+      Rails.logger.info("[ShopifyAPI::ApiVersion] Known API Versions: #{ShopifyAPI::ApiVersion.versions.keys}")
+    rescue ActiveResource::ConnectionError
+      logger.error("[ShopifyAPI::ApiVersion] Unable to fetch api_versions from Shopify")
+    end
+
+    def self.shop_login_url(shop:, host:, return_to:)
+      return ShopifyApp.configuration.login_url unless shop
+      url = URI(ShopifyApp.configuration.login_url)
+
+      url.query = URI.encode_www_form(
+        shop: shop,
+        host: host,
+        return_to: return_to,
+      )
+
+      url.to_s
+    end
+  end
+end

data/lib/shopify_app/version.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+module ShopifyApp
+  VERSION = '1.0.0'
+end

data/lib/shopify_app.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+require 'shopify_app/version'
+
+# deps
+require 'ruby_shopify_api'
+require 'omniauth/rails_csrf_protection'
+require 'omniauth-shopify-oauth2'
+require 'redirect_safely'
+
+module ShopifyApp
+  def self.rails6?
+    Rails::VERSION::MAJOR >= 6
+  end
+
+  def self.rails7?
+    Rails::VERSION::MAJOR >= 7
+  end
+
+  def self.use_importmap?
+    rails7? && File.exist?("config/importmap.rb")
+  end
+
+  def self.use_webpacker?
+    rails6? &&
+      defined?(Webpacker) == 'constant' &&
+      !configuration.disable_webpacker
+  end
+
+  # config
+  require 'shopify_app/configuration'
+
+  # engine
+  require 'shopify_app/engine'
+
+  # utils
+  require 'shopify_app/utils'
+
+  # controller concerns
+  require 'shopify_app/controller_concerns/csrf_protection'
+  require 'shopify_app/controller_concerns/localization'
+  require 'shopify_app/controller_concerns/itp'
+  require 'shopify_app/controller_concerns/login_protection'
+  require 'shopify_app/controller_concerns/embedded_app'
+  require 'shopify_app/controller_concerns/payload_verification'
+  require 'shopify_app/controller_concerns/app_proxy_verification'
+  require 'shopify_app/controller_concerns/webhook_verification'
+
+  # jobs
+  require 'shopify_app/jobs/webhooks_manager_job'
+  require 'shopify_app/jobs/scripttags_manager_job'
+
+  # managers
+  require 'shopify_app/managers/webhooks_manager'
+  require 'shopify_app/managers/scripttags_manager'
+
+  # middleware
+  require 'shopify_app/middleware/jwt_middleware'
+  require 'shopify_app/middleware/same_site_cookie_middleware'
+
+  # session
+  require 'shopify_app/session/in_memory_session_store'
+  require 'shopify_app/session/in_memory_shop_session_store'
+  require 'shopify_app/session/in_memory_user_session_store'
+  require 'shopify_app/session/jwt'
+  require 'shopify_app/session/null_user_session_store'
+  require 'shopify_app/session/session_repository'
+  require 'shopify_app/session/session_storage'
+  require 'shopify_app/session/shop_session_storage'
+  require 'shopify_app/session/shop_session_storage_with_scopes'
+  require 'shopify_app/session/user_session_storage'
+  require 'shopify_app/session/user_session_storage_with_scopes'
+
+  # access scopes strategies
+  require 'shopify_app/access_scopes/shop_strategy'
+  require 'shopify_app/access_scopes/user_strategy'
+  require 'shopify_app/access_scopes/noop_strategy'
+
+  # omniauth_configuration
+  require 'shopify_app/omniauth/omniauth_configuration'
+end

data/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "shopify_app",
+  "version": "18.1.2",
+  "repository": "git@github.com:Shopify/shopify_app.git",
+  "author": "Shopify",
+  "license": "MIT",
+  "dependencies": {},
+  "devDependencies": {
+    "babel-loader": "^8.0.6",
+    "babel-preset-shopify": "^21.0.0",
+    "chai": "^4.1.2",
+    "karma": "^5.2.1",
+    "karma-chai-sinon": "^0.1.5",
+    "karma-chrome-launcher": "^3.1.0",
+    "karma-cli": "^2.0.0",
+    "karma-mocha": "^2.0.1",
+    "karma-mocha-clean-reporter": "^0.0.1",
+    "karma-webpack": "^4.0.2",
+    "mocha": "^8.1.3",
+    "sinon": "^9.0.3",
+    "sinon-chai": "^3.2.0",
+    "webpack": "^4.44.1"
+  },
+  "scripts": {
+    "test": "./node_modules/.bin/karma start --browsers ChromeHeadless --single-run"
+  }
+}

data/service.yml

@@ -0,0 +1,4 @@
+audience: partner
+classification: library
+slack_channels:
+- shopify_app_gem

data/shipit.rubygems.yml

@@ -0,0 +1,4 @@
+# using the default shipit config
+ci:
+  hide:
+    - code-review/policial

data/shopify_app.gemspec

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+$LOAD_PATH.push(File.expand_path('../lib', __FILE__))
+require "shopify_app/version"
+
+Gem::Specification.new do |s|
+  s.name        = "ruby_shopify_app"
+  s.version     = ShopifyApp::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors = ["Hopper Gee"]
+  s.email = ["hopper.gee@hey.com"]
+  s.summary     = 'This gem is used to get quickly started with the Shopify API'
+
+  s.required_ruby_version = ">= 2.6"
+
+  s.metadata['allowed_push_host'] = 'https://rubygems.org'
+
+  s.add_runtime_dependency('browser_sniffer', '~> 1.4.0')
+  s.add_runtime_dependency('omniauth-rails_csrf_protection')
+  s.add_runtime_dependency('rails', '> 5.2.1')
+  s.add_runtime_dependency('ruby_shopify_api', '~> 1.0')
+  s.add_runtime_dependency('omniauth-shopify-oauth2', '~> 2.3')
+  s.add_runtime_dependency('jwt', '>= 2.2.3')
+  s.add_runtime_dependency('redirect_safely', '~> 1.0')
+
+  s.add_development_dependency('rake')
+  s.add_development_dependency('byebug')
+  s.add_development_dependency('pry')
+  s.add_development_dependency('pry-nav')
+  s.add_development_dependency('pry-stack_explorer')
+  s.add_development_dependency('rb-readline')
+  s.add_development_dependency('sqlite3', '~> 1.4')
+  s.add_development_dependency('minitest')
+  s.add_development_dependency('mocha')
+  s.add_development_dependency('webmock')
+
+  s.files         = %x(git ls-files).split("\n").reject { |f| f.match(%r{^(test|example)/}) }
+  s.test_files    = %x(git ls-files -- {test}/*).split("\n")
+  s.require_paths = ["lib"]
+end

data/translation.yml

@@ -0,0 +1,7 @@
+source_language: en
+target_languages: [cs, da, de, es, fi, fr, it, ja, ko, nb, nl, pl, pt-BR, pt-PT, sv, th, tr, vi, zh-CN, zh-TW]
+components:
+  - name: 'merchant'
+    paths:
+      - config/locales/{{language}}.yml
+      - config/locales/**/{{language}}.yml

data/webpack.config.js

@@ -0,0 +1,24 @@
+
+ var path = require('path');
+ var webpack = require('webpack');
+
+ module.exports = {
+  mode: 'development',
+  entry: 'test/javascripts/test.js',
+  output: {
+      path: path.resolve(__dirname, 'build'),
+      filename: 'test.bundle.js'
+  },
+  module: {
+      loaders: [
+          {
+              test: /\.js$/,
+              loader: 'babel-loader',
+          }
+      ]
+  },
+  stats: {
+      colors: true
+  },
+  devtool: 'source-map'
+ };