ruby_shopify_app 1.0.0

data/app/controllers/concerns/shopify_app/authenticated.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module Authenticated
+    extend ActiveSupport::Concern
+
+    included do
+      include ShopifyApp::Localization
+      include ShopifyApp::LoginProtection
+      include ShopifyApp::CsrfProtection
+      include ShopifyApp::EmbeddedApp
+      before_action :login_again_if_different_user_or_shop
+      around_action :activate_shopify_session
+    end
+  end
+end

data/app/controllers/concerns/shopify_app/ensure_authenticated_links.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module EnsureAuthenticatedLinks
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :redirect_to_splash_page, if: :missing_expected_jwt?
+    end
+
+    private
+
+    def splash_page
+      splash_page_with_params(
+        return_to: request.fullpath,
+        shop: current_shopify_domain,
+        host: params[:host]
+      )
+    end
+
+    def splash_page_with_params(params)
+      uri = URI(root_path)
+      uri.query = params.compact.to_query
+      uri.to_s
+    end
+
+    def redirect_to_splash_page
+      redirect_to(splash_page)
+    rescue ShopifyApp::LoginProtection::ShopifyDomainNotFound => error
+      Rails.logger.warn("[ShopifyApp::EnsureAuthenticatedLinks] Redirecting to login: [#{error.class}] "\
+                         "Could not determine current shop domain")
+      redirect_to(ShopifyApp.configuration.login_url)
+    end
+
+    def missing_expected_jwt?
+      jwt_shopify_domain.blank?
+    end
+  end
+end

data/app/controllers/concerns/shopify_app/require_known_shop.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module RequireKnownShop
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :check_shop_domain
+      before_action :check_shop_known
+    end
+
+    def current_shopify_domain
+      return if params[:shop].blank?
+      @shopify_domain ||= ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
+    end
+
+    private
+
+    def check_shop_domain
+      redirect_to(ShopifyApp.configuration.login_url) unless current_shopify_domain
+    end
+
+    def check_shop_known
+      @shop = SessionRepository.retrieve_shop_session_by_shopify_domain(current_shopify_domain)
+      redirect_to(shop_login) unless @shop
+    end
+
+    def shop_login
+      url = URI(ShopifyApp.configuration.login_url)
+
+      url.query = URI.encode_www_form(
+        shop: params[:shop],
+        host: params[:host],
+        return_to: request.fullpath,
+      )
+
+      url.to_s
+    end
+  end
+end

data/app/controllers/concerns/shopify_app/shop_access_scopes_verification.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module ShopAccessScopesVerification
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :login_on_scope_changes
+    end
+
+    protected
+
+    def login_on_scope_changes
+      redirect_to(shop_login) if scopes_mismatch?
+    end
+
+    private
+
+    def scopes_mismatch?
+      ShopifyApp.configuration.shop_access_scopes_strategy.update_access_scopes?(current_shopify_domain)
+    end
+
+    def current_shopify_domain
+      return if params[:shop].blank?
+      ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
+    end
+
+    def shop_login
+      ShopifyApp::Utils.shop_login_url(shop: params[:shop], host: params[:host], return_to: request.fullpath)
+    end
+  end
+end

data/app/controllers/shopify_app/authenticated_controller.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class AuthenticatedController < ActionController::Base
+    include ShopifyApp::Authenticated
+
+    protect_from_forgery with: :exception
+  end
+end

data/app/controllers/shopify_app/callback_controller.rb

@@ -0,0 +1,195 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  # Performs login after OAuth completes
+  class CallbackController < ActionController::Base
+    include ShopifyApp::LoginProtection
+
+    def callback
+      return respond_with_error if invalid_request?
+
+      store_access_token_and_build_session
+
+      if start_user_token_flow?
+        return respond_with_user_token_flow
+      end
+
+      perform_post_authenticate_jobs
+
+      respond_successfully
+    end
+
+    private
+
+    def respond_successfully
+      if jwt_request?
+        head(:ok)
+      else
+        redirect_to(return_address)
+      end
+    end
+
+    def respond_with_user_token_flow
+      redirect_to(login_url_with_optional_shop)
+    end
+
+    def store_access_token_and_build_session
+      if native_browser_request?
+        reset_session_options
+      end
+      set_shopify_session
+    end
+
+    def invalid_request?
+      return true unless auth_hash
+
+      jwt_request? && !valid_jwt_auth?
+    end
+
+    def native_browser_request?
+      !jwt_request?
+    end
+
+    def perform_post_authenticate_jobs
+      install_webhooks
+      install_scripttags
+      perform_after_authenticate_job
+    end
+
+    def respond_with_error
+      if jwt_request?
+        head(:unauthorized)
+      else
+        flash[:error] = I18n.t('could_not_log_in')
+        redirect_to(login_url_with_optional_shop)
+      end
+    end
+
+    # Override user_session_by_cookie from LoginProtection to bypass allow_cookie_authentication
+    # setting check because session cookies are justified at top level
+    def user_session_by_cookie
+      return unless session[:user_id].present?
+      ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
+    end
+
+    def start_user_token_flow?
+      if jwt_request?
+        false
+      else
+        return false unless ShopifyApp::SessionRepository.user_storage.present?
+        update_user_access_scopes?
+      end
+    end
+
+    def update_user_access_scopes?
+      return true if user_session.blank?
+      user_access_scopes_strategy.update_access_scopes?(user_id: session[:user_id])
+    end
+
+    def user_access_scopes_strategy
+      ShopifyApp.configuration.user_access_scopes_strategy
+    end
+
+    def jwt_request?
+      jwt_shopify_domain || jwt_shopify_user_id
+    end
+
+    def valid_jwt_auth?
+      auth_hash && jwt_shopify_domain == shop_name && jwt_shopify_user_id == associated_user_id
+    end
+
+    def auth_hash
+      request.env['omniauth.auth']
+    end
+
+    def shop_name
+      auth_hash.uid
+    end
+
+    def offline_access_token
+      ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(shop_name)&.token
+    end
+
+    def online_access_token
+      ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(associated_user_id)&.token
+    end
+
+    def associated_user
+      return unless auth_hash.dig('extra', 'associated_user').present?
+
+      auth_hash['extra']['associated_user'].merge('scope' => auth_hash['extra']['associated_user_scope'])
+    end
+
+    def associated_user_id
+      associated_user && associated_user['id']
+    end
+
+    def token
+      auth_hash['credentials']['token']
+    end
+
+    def access_scopes
+      auth_hash.dig('extra', 'scope')
+    end
+
+    def reset_session_options
+      request.session_options[:renew] = true
+      session.delete(:_csrf_token)
+    end
+
+    def set_shopify_session
+      session_store = ShopifyAPI::Session.new(
+        domain: shop_name,
+        token: token,
+        api_version: ShopifyApp.configuration.api_version,
+        access_scopes: access_scopes
+      )
+
+      session[:shopify_user] = associated_user
+      if session[:shopify_user].present?
+        session[:shop_id] = nil if shop_session && shop_session.domain != shop_name
+        session[:user_id] = ShopifyApp::SessionRepository.store_user_session(session_store, associated_user)
+      else
+        session[:shop_id] = ShopifyApp::SessionRepository.store_shop_session(session_store)
+        session[:user_id] = nil if user_session && user_session.domain != shop_name
+      end
+      session[:shopify_domain] = shop_name
+      session[:user_session] = auth_hash&.extra&.session
+    end
+
+    def install_webhooks
+      return unless ShopifyApp.configuration.has_webhooks?
+
+      WebhooksManager.queue(
+        shop_name,
+        offline_access_token || online_access_token,
+        ShopifyApp.configuration.webhooks
+      )
+    end
+
+    def install_scripttags
+      return unless ShopifyApp.configuration.has_scripttags?
+
+      ScripttagsManager.queue(
+        shop_name,
+        offline_access_token || online_access_token,
+        ShopifyApp.configuration.scripttags
+      )
+    end
+
+    def perform_after_authenticate_job
+      config = ShopifyApp.configuration.after_authenticate_job
+
+      return unless config && config[:job].present?
+
+      job = config[:job]
+      job = job.constantize if job.is_a?(String)
+
+      if config[:inline] == true
+        job.perform_now(shop_domain: session[:shopify_domain])
+      else
+        job.perform_later(shop_domain: session[:shopify_domain])
+      end
+    end
+  end
+end

data/app/controllers/shopify_app/extension_verification_controller.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  class ExtensionVerificationController < ActionController::Base
+    include ShopifyApp::PayloadVerification
+    protect_from_forgery with: :null_session
+    before_action :verify_request
+
+    private
+
+    def verify_request
+      head(:unauthorized) unless hmac_valid?(request.body.read)
+    end
+  end
+end

data/app/controllers/shopify_app/sessions_controller.rb

@@ -0,0 +1,202 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class SessionsController < ActionController::Base
+    include ShopifyApp::LoginProtection
+
+    layout false, only: :new
+
+    after_action only: [:new, :create] do |controller|
+      controller.response.headers.except!('X-Frame-Options')
+    end
+
+    def new
+      authenticate if sanitized_shop_name.present?
+    end
+
+    def create
+      authenticate
+    end
+
+    def enable_cookies
+      return unless validate_shop_presence
+
+      render(:enable_cookies, layout: false, locals: {
+        does_not_have_storage_access_url: top_level_interaction_path(
+          shop: sanitized_shop_name,
+          host: host,
+          return_to: params[:return_to]
+        ),
+        has_storage_access_url: login_url_with_optional_shop(top_level: true),
+        app_target_url: granted_storage_access_path(
+          shop: sanitized_shop_name,
+          host: host,
+          return_to: params[:return_to]
+        ),
+        current_shopify_domain: current_shopify_domain,
+      })
+    end
+
+    def top_level_interaction
+      @url = login_url_with_optional_shop(top_level: true)
+      validate_shop_presence
+    end
+
+    def granted_storage_access
+      return unless validate_shop_presence
+
+      session['shopify.granted_storage_access'] = true
+
+      copy_return_to_param_to_session
+
+      redirect_to(return_address_with_params({ shop: @shop }))
+    end
+
+    def destroy
+      reset_session
+      flash[:notice] = I18n.t('.logged_out')
+      redirect_to(login_url_with_optional_shop)
+    end
+
+    private
+
+    def authenticate
+      return render_invalid_shop_error unless sanitized_shop_name.present?
+      session['shopify.omniauth_params'] = { shop: sanitized_shop_name }
+
+      copy_return_to_param_to_session
+
+      set_user_tokens_option
+
+      if user_agent_can_partition_cookies
+        authenticate_with_partitioning
+      else
+        authenticate_normally
+      end
+    end
+
+    def authenticate_normally
+      if request_storage_access?
+        redirect_to_request_storage_access
+      elsif authenticate_in_context?
+        authenticate_in_context
+      else
+        authenticate_at_top_level
+      end
+    end
+
+    def authenticate_with_partitioning
+      if session['shopify.cookies_persist']
+        clear_top_level_oauth_cookie
+        authenticate_in_context
+      else
+        set_top_level_oauth_cookie
+        enable_cookie_access
+      end
+    end
+
+    # Override shop_session_by_cookie from LoginProtection to bypass allow_cookie_authentication
+    # setting check because session cookies are justified at top level
+    def shop_session_by_cookie
+      return unless session[:shop_id].present?
+      ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
+    end
+
+    # rubocop:disable Lint/SuppressedException
+    def set_user_tokens_option
+      current_shop_session = shop_session
+
+      if current_shop_session.blank?
+        session[:user_tokens] = false
+        return
+      end
+
+      session[:user_tokens] = ShopifyApp::SessionRepository.user_storage.present?
+
+      ShopifyAPI::Session.temp(
+        domain: current_shop_session.domain,
+        token: current_shop_session.token,
+        api_version: current_shop_session.api_version
+      ) do
+        ShopifyAPI::Metafield.find(:token_validity_bogus_check)
+      end
+    rescue ActiveResource::UnauthorizedAccess
+      session[:user_tokens] = false
+    rescue StandardError
+    end
+    # rubocop:enable Lint/SuppressedException
+
+    def validate_shop_presence
+      @shop = sanitized_shop_name
+      unless @shop
+        render_invalid_shop_error
+        return false
+      end
+
+      true
+    end
+
+    def copy_return_to_param_to_session
+      session[:return_to] = RedirectSafely.make_safe(params[:return_to], '/') if params[:return_to]
+    end
+
+    def render_invalid_shop_error
+      flash[:error] = I18n.t('invalid_shop_url')
+      redirect_to(return_address)
+    end
+
+    def enable_cookie_access
+      fullpage_redirect_to(enable_cookies_path(
+        shop: sanitized_shop_name,
+        host: host,
+        return_to: session[:return_to]
+      ))
+    end
+
+    def authenticate_in_context
+      post_redirect_to_auth_shopify
+    end
+
+    def post_redirect_to_auth_shopify
+      render('shopify_app/shared/post_redirect_to_auth_shopify', layout: false)
+    end
+
+    def authenticate_at_top_level
+      fullpage_redirect_to(login_url_with_optional_shop(top_level: true))
+    end
+
+    def authenticate_in_context?
+      return true unless ShopifyApp.configuration.embedded_app?
+      params[:top_level]
+    end
+
+    def request_storage_access?
+      return false unless ShopifyApp.configuration.embedded_app?
+      return false if params[:top_level]
+      return false if user_agent_is_mobile
+      return false if user_agent_is_pos
+
+      !session['shopify.granted_storage_access']
+    end
+
+    def redirect_to_request_storage_access
+      render(
+        :request_storage_access,
+        layout: false,
+        locals: {
+          does_not_have_storage_access_url: top_level_interaction_path(
+            shop: sanitized_shop_name,
+            host: host,
+            return_to: session[:return_to]
+          ),
+          has_storage_access_url: login_url_with_optional_shop(top_level: true),
+          app_target_url: granted_storage_access_path(
+            shop: sanitized_shop_name,
+            host: host,
+            return_to: session[:return_to]
+          ),
+          current_shopify_domain: current_shopify_domain,
+        }
+      )
+    end
+  end
+end

data/app/controllers/shopify_app/webhooks_controller.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class MissingWebhookJobError < StandardError; end
+
+  class WebhooksController < ActionController::Base
+    include ShopifyApp::WebhookVerification
+
+    def receive
+      params.permit!
+      webhook_job_klass.perform_later(shop_domain: shop_domain, webhook: webhook_params.to_h)
+      head(:ok)
+    end
+
+    private
+
+    def webhook_params
+      params.except(:controller, :action, :type)
+    end
+
+    def webhook_job_klass
+      webhook_job_klass_name.safe_constantize || raise(ShopifyApp::MissingWebhookJobError)
+    end
+
+    def webhook_job_klass_name(type = webhook_type)
+      [webhook_namespace, "#{type}_job"].compact.join('/').classify
+    end
+
+    def webhook_type
+      params[:type]
+    end
+
+    def webhook_namespace
+      ShopifyApp.configuration.webhook_jobs_namespace
+    end
+  end
+end

data/app/views/shopify_app/partials/_button_styles.html.erb

@@ -0,0 +1,109 @@
+<style>
+  .Polaris-Button {
+    position:relative;
+    display:-webkit-inline-box;
+    display:-ms-inline-flexbox;
+    display:inline-flex;
+    -webkit-box-align:center;
+    -ms-flex-align:center;
+    align-items:center;
+    -webkit-box-pack:center;
+    -ms-flex-pack:center;
+    justify-content:center;
+    min-height:3.6rem;
+    min-width:3.6rem;
+    margin:0;
+    padding:0.7rem 1.6rem;
+    background-color:#ffffff;
+    border:1px solid #babfc3;
+    border-top-color: #c9cccf;
+    border-bottom-color: #babfc4;
+    box-shadow:0 1px 0 0 rgba(0, 0, 0, 0.05);
+    border-radius:4px;
+    line-height:1;
+    color:#202223;
+    text-align:center;
+    cursor:pointer;
+    -webkit-user-select:none;
+    -moz-user-select:none;
+    -ms-user-select:none;
+    user-select:none;
+    text-decoration:none;
+    transition-property:background, border, box-shadow;
+    transition-duration:100ms;
+    transition-timing-function:cubic-bezier(0.64, 0, 0.35, 1);
+  }
+
+  .Polaris-Button:hover {
+    background-color:#f6f6f7;
+  }
+
+  .Polaris-Button:focus {
+    outline:0;
+  }
+
+  .Polaris-Button:focus:after {
+    box-shadow:0 0 0 .2rem #448fff;
+  }
+
+  .Polaris-Button:after {
+    content:'';
+    position:absolute;
+    z-index:1;
+    top:-.2rem;
+    right:-.2rem;
+    bottom:-.2rem;
+    left:-.2rem;
+    display:block;
+    pointer-events:none;
+    box-shadow:0 0 0 -.2rem #448fff;
+    transition:box-shadow 100ms cubic-bezier(0.64, 0, 0.35, 1);
+    border-radius:5px;
+  }
+
+  .Polaris-Button:active {
+    background-color:#f1f2f3);
+  }
+
+  .Polaris-Button__Content {
+    font-size:1.4rem;
+    font-weight:500;
+    line-height:1.6rem;
+    text-transform:initial;
+    letter-spacing:initial;
+    position:relative;
+    display:-webkit-box;
+    display:-ms-flexbox;
+    display:flex;
+    -webkit-box-pack:center;
+    -ms-flex-pack:center;
+    justify-content:center;
+    -webkit-box-align:center;
+    -ms-flex-align:center;
+    align-items:center;
+    min-width:1px;
+    min-height:1px;
+  }
+
+  .Polaris-Button--primary {
+    background-color:#008060;
+    border-color:transparent;
+    border-width:0;
+    color:white;
+  }
+
+  .Polaris-Button--primary:hover {
+    background-color:#006e52;
+    border-color:transparent;
+    color:white;
+  }
+
+  .Polaris-Button--primary:active {
+    background-color:#005e46;
+    border-color:transparent;
+  }
+
+  .Polaris-Button--sizeLarge {
+    padding:1.1rem 2.4rem;
+  }
+</style>