shopify-sinatra-app 0.11.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 06c208a5e6a5d5b7f496276e1aedea79466f8d7abc6082afdb7cff0b88223d49
-  data.tar.gz: 18439bd6c8f38719b02b7afdd1ec7559bf1b016f97fcca41d473739c85708042
+  metadata.gz: bd601f8ec2bc981f54dcda8ce30a7b373e42f0b3db148d400a58f5642dfbfbcc
+  data.tar.gz: 5a9d30b5cf9ccca7883fb4a7329cdf54bd6ee9a18d5f248137193a90bde27749
 SHA512:
-  metadata.gz: fbd6555480c19155bb742b423e27df1f53aacdb3779134fdc8b18294926611f863f43abed6a2393e4994247381cc21653c64a4171786063da5f022b1aef52f2d
-  data.tar.gz: bae80dff8e96cc0dd29febed95b8a2336a944cab4b397803f9ad816b4c93f6996e7cc094e605bb5e3d88a12fbbbb2cf1e516d81f7575cfc7eec68dd50ea8afe1
+  metadata.gz: 01f6a06bcd48313f281a0f59eed41d87dc71da586f095d7192667d67af8cc37ad5b6e18846a2c9bb88298b46d5f240290784edf54e3ca6ca1d69dff5932e4662
+  data.tar.gz: 49de0b0f1982746dedab5792515a9d27dd777abb74363016db794fa92ce5a365addcb527c6e549920aee93d094e2dcdfcd2209ab5b898a32af26a2ceb1f39bd9

data/.circleci/config.yml

@@ -0,0 +1,15 @@
+version: 2.1
+orbs:
+  ruby: circleci/ruby@0.1.2
+
+jobs:
+  build:
+    docker:
+      - image: circleci/ruby:2.6.6
+    executor: ruby/default
+    steps:
+      - checkout
+      - ruby/bundle-install
+      - run:
+          name: Tests
+          command: ./bin/ci.sh

data/.github/dependabot.yml

@@ -0,0 +1,14 @@
+version: 2
+updates:
+- package-ecosystem: bundler
+  directory: "/"
+  schedule:
+    interval: daily
+    time: "09:00"
+    timezone: America/Toronto
+  open-pull-requests-limit: 3
+  ignore:
+  - dependency-name: omniauth
+    versions:
+    - 2.0.2
+    - 2.0.3

data/CHANGELOG

@@ -1,5 +1,26 @@
+1.0.1
+-----
+* drop sinatra version requirement from gemspec
+
+1.0.0
+-----
+* Update to omniauth 2.0.4 and add rack protection authenticity token
+  * All forms will need an authenticity_token param added like in the login view
+  * Refactored the provided routes to be simpler. Now only login and logout (no more install)
+  * shopify_webhook now defines the route because it needs to also configure ignoring csrf for the route
+  * refactored other internal methods to simplify and reduce surface area
+* Removed heroku rake tasks. They are out of date and don't encourage best practises
+
+0.12.0
+------
+* Update to use the Shopify AppBridge instead of the ESDK
+  * This change is mostly to generated files so you'll need to apply those updates
+    to your own versions.
+* shop_origin no longer includes protocol
+* return_to re-worked to function with the AppBridge
+
 0.11.0
-----------
+------
 * remove rack-flash3 use sinatra-flash instead
 * remove a duplicate config of sessions that was breaking the same_site fix
 * remove a runtime dependency that didn't end up being used for the same_site fix but was added anyways

data/README.md

@@ -58,7 +58,10 @@ This will create a new skeleton shopify-sinatra-app. The generator will create s
 
 ### Setting the app to use your Shopify API credentials
 
-You'll need to create a Shopify Partner Account and a new application. You can make an account [here](http://www.shopify.ca/partners) and see this [tutorial](http://docs.shopify.com/api/the-basics/getting-started) for creating a new application. This app uses the default redirect_uri from omniauth `<your domain>/auth/shopify/callback` so set it accordingly when creating your app.
+You'll need to create a Shopify Partner Account and a new application. You can make an account [here](http://www.shopify.ca/partners) and see this [tutorial](http://docs.shopify.com/api/the-basics/getting-started) for creating a new application. The requires 2 redirects configured:
+
+  * the default redirect_uri from omniauth `<your domain>/auth/shopify/callback`
+  * and `<your domain>/login`
 
 Note - The shopify-sinatra-app creates an embedded app! You need change the embedded setting to `enabled` in the [Shopify Partner area](https://app.shopify.com/services/partners/api_clients) for your app. If you don't want your app to be embedded then remove the related code in `layout/application.erb` and delete the `layout/_top_bar.erb` file and the references to it in the other views.
 
@@ -87,13 +90,11 @@ get '/products.json' do
 end
 ```
 
-**shopify_webhook** - This method is for an endpoint that receives a webhook from Shopify. Webhooks are a great way to keep your app in sync with a shop's data without polling. You can read more about webhooks [here](http://docs.shopify.com/api/tutorials/using-webhooks). This method also takes a block and yields the `shop_name` and `webhook_body` as a hash (note only works for json webhooks, don't use xml). Here is an example that listens to an order creation webhook:
+**shopify_webhook** - This method defines a `post` endpoint that receives a webhook from Shopify. Webhooks are a great way to keep your app in sync with a shop's data without polling. You can read more about webhooks [here](http://docs.shopify.com/api/tutorials/using-webhooks). This method also takes a block and yields the `shop_name` and `webhook_body` as a hash (note only works for json webhooks, don't use xml). Here is an example that listens to an order creation webhook:
 
 ```ruby
-post '/order.json' do
-  shopify_webhook do |shop_name, webhook_data|
-    # do something with the data
-  end
+shopify_webhook('/order.json') do |shop_name, webhook_data|
+  # do something with the data
 end
 ```
 
@@ -107,14 +108,11 @@ ShopifyAPI::Base.activate_session(api_session)
 
 It's impossible to control the flow of webhooks to your app from Shopify especially if a larger store installs your app or if a shop has a flash sale. To prevent your app from getting overloaded with webhook requests it is best practise to process webhooks in a background queue and return a `200` to Shopify immediately. Ruby has several good background job frameworks that work with Sinatra including [Sidekiq](https://github.com/mperham/sidekiq) and [Resque](https://github.com/resque/resque).
 
-
 **after_shopify_auth** - This is a private method provided with the framework that gets called whenever the app is authorized. You should fill this method in with anything you need to initialize, for example webhooks and services on Shopify or any other database models you have created specific to a shop. Note that this method will be called anytime the auth flow is completed so this method should be idempotent (running it twice has the same effect as running it once).
 
-**logout** - This method clears the current session
-
 shopify-sinatra-app includes sinatra/activerecord for creating models that can be persisted in the database. You might want to read more about sinatra/activerecord and the methods it makes available to you: [https://github.com/janko-m/sinatra-activerecord](https://github.com/janko-m/sinatra-activerecord)
 
-shopify-sinatra-app also includes `rack-flash3` and the flash messages are forwarded to the Shopify Embedded App SDK (see the code in `views/layouts/application.erb`). Flash messages are useful for signalling to your users that a request was successful without changing the page. The following is an example of how to use a flash message in a route:
+shopify-sinatra-app also includes `sinatra-flash` and the flash messages are forwarded to the Shopify Embedded App SDK (see the code in `views/layouts/application.erb`). Flash messages are useful for signalling to your users that a request was successful without changing the page. The following is an example of how to use a flash message in a route:
 
 ```ruby
 post '/flash_message' do
@@ -128,17 +126,17 @@ note - a flash must be followed by a redirect or it won't work!
 
 Developing
 ----------
-The embedded app sdk won't load non https content so you'll need to use a forwarding service like [ngrok](https://ngrok.com/) or [forwardhq](https://forwardhq.com/). Set your application url in the [Shopify Partner area](https://app.shopify.com/services/partners/api_clients) to your forwarded url and set the redirect_uri to your forwarded url + `/auth/shopify/callback` which will allow you to install your app on a live shop while running it locally.
+The embedded app sdk won't load non https content so you'll need to use a real domain or a forwarding service like [ngrok](https://ngrok.com/). Set your application url in the [Shopify Partner area](https://app.shopify.com/services/partners/api_clients) to your forwarded url and set the redirect_uri to your forwarded url + `/auth/shopify/callback` which will allow you to install your app on a live shop while running it locally.
 
-To run the app locally we use `foreman` which comes with the [Heroku Toolbelt](https://devcenter.heroku.com/articles/quickstart). Foreman handles running our application and setting our credentials as environment variables. To run the application type:
+To run the app locally we use [overmind](https://github.com/DarthSim/overmind) a tool for running multiple process and setting our credentials as environment variables. To run the application run:
 
 ```
-PORT=4567 foreman run web
+overmind start
 ```
 
-Note - we use `foreman run ...` not `foreman start ...` because we only want to start the single process that is our app. This means if you add a debugger in your app it will trigger properly in the command line when the debugger is hit. If you don't have any debuggers feel free to use `foreman start -p 4567`.
+To connect to a single process to use a debugger/break point use `overmind connect <process>`
 
-To debug your app simply add `require 'byebug'` at the top and then type `byebug` where you would like to drop into an interactive session. You may also want to try out [Pry](http://pryrepl.org/).
+To debug your app add `require 'byebug'` at the top and then add `byebug` to your code where you would like to drop into an interactive session. You may also want to try out [Pry](http://pryrepl.org/).
 
 If you are testing webhooks locally make sure they also go through the forwarded url and not `localhost`.
 
@@ -158,60 +156,6 @@ bundle exec rake test
 Checkout the contents of the `app_test.rb` file and the `test_helper.rb` and modify them as you add functionality to your app. You can also check the tests of other apps using this framework to see more about how to write tests for your own app.
 
 
-Deploying
----------
-
-This template was created with deploying to Heroku in mind. Heroku is a cloud based app hosting provider that makes it easy to get an application into a product environment.
-
-Before you can get started with Heroku you need to create a git repo for you application:
-
-```
-git init
-git add .
-git commit -m "initial commit"
-```
-
-Now you can create a new heroku application. Download the [Heroku Toolbelt](https://devcenter.heroku.com/articles/quickstart) and run the following command to create a new application:
-
-```
-heroku apps:create <your new app name>
-```
-
-You will also need to add the following (free) add-ons to your new Heroku app:
-
-```
-heroku addons:add heroku-postgresql
-```
-
-Now we can deploy the new application to Heroku. Deploying to Heroku is as simple as pushing the code using git:
-
-```
-git push heroku master
-```
-
-A `rake deploy2heroku` command is included in the generated Rakefile which does just this.
-
-Now that our application is deployed we need to run `rake db:migrate` to initialize our database on Heroku. To do this run:
-
-```
-heroku run rake db:migrate
-```
-
-We also need to set our environment variables on Heroku. The environment variables are stored in `.env` and are not tracked by git. This is to protect your credentials in the case of a source control breach. Heroku provides a command to set environment variables: `heroku config:set VAR=foo`. In the generated Rakefile there is a helper method that will properly set all the variables in your `.env` file:
-
-```
-rake creds2heroku
-```
-
-and make sure you have at least 1 dyno for web:
-
-```
-heroku scale web=1
-```
-
-Make sure you set your shopify apps url to your Heroku app url (and make sure to use the `https` version or else the Embedded App SDK won't work) in the Shopify Partner area https://app.shopify.com/services/partners/api_clients.
-
-
 Apps using this framework
 -------------------------
 

data/{test.sh → bin/ci.sh}

@@ -1,13 +1,10 @@
 #!/bin/bash
 
+set -e
+
 cd example
 
 bundle install
 bundle exec rake db:migrate
 bundle exec rake test:prepare
 bundle exec rake test
-EXIT_CODE=$?
-
-cd ../../..
-
-exit $EXIT_CODE

data/example/Gemfile

@@ -1,5 +1,5 @@
 source 'https://rubygems.org'
-ruby '2.6.3'
+ruby '2.6.6'
 
 gem 'shopify-sinatra-app', path: '../'
 gem 'sinatra-activerecord'
@@ -16,8 +16,6 @@ end
 
 group :development do
   gem 'rake', '>= 12.3.3'
-  gem 'foreman'
-  gem 'dotenv'
 end
 
 group :test do

data/example/Rakefile

@@ -2,24 +2,6 @@ require 'sinatra/activerecord/rake'
 require 'rake/testtask'
 require './src/app'
 
-task :creds2heroku do
-  Bundler.with_clean_env do
-    File.readlines('.env').each do |var|
-      pipe = IO.popen("heroku config:set #{var}")
-      while (line = pipe.gets)
-        print line
-      end
-    end
-  end
-end
-
-task :deploy2heroku do
-  pipe = IO.popen('git push heroku master --force')
-  while (line = pipe.gets)
-    print line
-  end
-end
-
 namespace :test do
   task :prepare do
     `RACK_ENV=test rake db:create`

data/example/config.ru

@@ -1,7 +1,3 @@
-if Gem::Specification.find_all_by_name('dotenv').any?
-  require 'dotenv'
-  Dotenv.load
-end
-
 require './src/app'
+SinatraApp.set :bind, '0.0.0.0'
 SinatraApp.run!

data/example/db/schema.rb

@@ -2,8 +2,8 @@
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
 #
-# This file is the source Rails uses to define your schema when running `rails
-# db:schema:load`. When creating a new database, `rails db:schema:load` tends to
+# This file is the source Rails uses to define your schema when running `bin/rails
+# db:schema:load`. When creating a new database, `bin/rails db:schema:load` tends to
 # be faster and is potentially less error prone than running all of your
 # migrations from scratch. Old migrations may fail to apply correctly if those
 # migrations use external dependencies or application code.

data/example/src/app.rb

@@ -23,10 +23,8 @@ class SinatraApp < Sinatra::Base
   # this endpoint recieves the uninstall webhook
   # and cleans up data, add to this endpoint as your app
   # stores more data.
-  post '/uninstall' do
-    shopify_webhook do |shop_name, params|
-      Shop.find_by(name: shop_name).destroy
-    end
+  shopify_webhook '/uninstall' do |shop_name, params|
+    Shop.find_by(name: shop_name).destroy
   end
 
   private

data/example/test/app_test.rb

@@ -42,18 +42,18 @@ class AppTest < Minitest::Test
   def test_root_without_session_redirects_to_install
     get '/'
     assert_equal 302, last_response.status
-    assert_equal 'http://example.org/install', last_response.location
+    assert_equal 'http://example.org/login', last_response.location
   end
 
   def test_root_with_shop_redirects_to_auth
     get '/?shop=othertestshop.myshopify.com'
-    assert_match '/auth/shopify?shop=othertestshop.myshopify.com', last_response.body
+    assert_equal 'http://example.org/login?shop=othertestshop.myshopify.com', last_response.location
   end
 
   def test_root_with_session_and_new_shop_redirects_to_auth
     set_session
     get '/?shop=othertestshop.myshopify.com'
-    assert_match '/auth/shopify?shop=othertestshop.myshopify.com', last_response.body
+    assert_equal 'http://example.org/login?shop=othertestshop.myshopify.com', last_response.location
   end
 
   def test_root_rescues_UnauthorizedAccess_clears_session_and_redirects

data/example/views/_flash_messages.erb

@@ -1,11 +1,25 @@
 <script type="text/javascript">
-  ShopifyApp.ready(function(){
-    <% if flash[:notice] %>
-      ShopifyApp.flashNotice("<%= flash[:notice] %>");
-    <% end %>
-
-    <% if flash[:error] %>
-      ShopifyApp.flashError("<%= flash[:error] %>");
-    <% end %>
-  });
+  var AppBridge = window['app-bridge'];
+
+  var actions = AppBridge.actions;
+  var Toast = actions.Toast;
+
+  <% if flash[:notice] %>
+    var notice = Toast.create(app, {
+      message: "<%= flash[:notice] %>",
+      duration: 5000
+    });
+
+    notice.dispatch(Toast.Action.SHOW);
+  <% end %>
+
+  <% if flash[:error] %>
+    var notice = Toast.create(app, {
+      message: "<%= flash[:error] %>",
+      duration: 5000,
+      isError: true,
+    });
+
+    notice.dispatch(Toast.Action.SHOW);
+  <% end %>
 </script>

data/example/views/_top_bar.erb

@@ -1,7 +1,10 @@
 <script type="text/javascript">
-  ShopifyApp.ready(function(){
-    ShopifyApp.Bar.initialize({
-      icon: '<%= "#{base_url}/icon.png" %>'
-    });
+  var AppBridge = window['app-bridge'];
+
+  var actions = AppBridge.actions;
+  var TitleBar = actions.TitleBar;
+
+  var titleBar = TitleBar.create(app, {
+    icon: '<%= "#{base_url}/icon.png" %>'
   });
 </script>

data/example/views/home.erb

@@ -7,3 +7,5 @@
     <li><a href=<%="https://#{@shop.myshopify_domain}/admin/products/#{product.id}"%> target="_blank"> <%= product.id %> </a></li>
   <% end %>
 </ul>
+
+<a href="/logout">Logout</a>

data/example/views/layouts/application.erb

@@ -1,12 +1,14 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
-  <script src="https://cdn.shopify.com/s/assets/external/app.js"></script>
+  <script src="https://unpkg.com/@shopify/app-bridge"></script>
   <script type="text/javascript">
-    ShopifyApp.init({
+    var AppBridge = window['app-bridge'];
+    var createApp = AppBridge.default;
+
+    var app = createApp({
       apiKey: "<%= SinatraApp.settings.api_key %>",
       shopOrigin: "<%= shop_origin %>",
-      debug: true
     });
   </script>
   <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" rel="stylesheet" integrity="sha256-7s5uDGW3AHqw6xtJmNNtr+OBRJUlgkNJEo78P4b0yRw= sha512-nNo+yCHEyn0smMxSswnf/OnX6/KwJuZTlNZBjauKhTK0c+zT+q5JOCx0UFhXQ6rJR9jg6Es8gPuD2uZcYDLqSw==" crossorigin="anonymous">

data/example/views/{install.erb → login.erb}

@@ -28,13 +28,15 @@
   <div style="margin-top: 30px"></div>
 
   <div class="container">
-    <form role="form" class="form-large" action="/login" method="post">
-        <div class="input-group form-wide">
-          <input class="form-control" type="url" name="shop" placeholder="Shop URL">
-          <span class="input-group-btn">
-            <input class="btn" type="submit" value="Install App" />
-          </span>
-        </div>
+    <form id="login" role="form" class="form-large" action="/auth/shopify" method="post">
+      <input type="hidden" name="authenticity_token" value="<%= env['rack.session'][:csrf] %>" />
+      <div class="input-group form-wide">
+        <input class="form-control" name="shop" value="<%= params['shop'] %>" placeholder="your-shop-url.myshopify.com">
+        <span class="input-group-btn">
+          <input class="btn" type="submit" value="Login" />
+        </span>
+      </div>
     </form>
   </div>
-</body>
+ </body>
+

data/lib/sinatra/shopify-sinatra-app.rb

@@ -11,18 +11,13 @@ module Sinatra
   module Shopify
     module Methods
 
-      # designed to be overriden
+      # designed to be overridden
       def after_shopify_auth
       end
 
-      def logout
-        session.delete(:shopify)
-        session.clear
-      end
-
-      # for the esdk initializer
+      # for the app bridge initializer
       def shop_origin
-        "https://#{session[:shopify][:shop]}"
+        "#{session[:shopify][:shop]}"
       end
 
       def shopify_session(&blk)
@@ -31,35 +26,42 @@ module Sinatra
 
         if no_session?
           authenticate(return_to, return_params)
+
         elsif different_shop?
-          logout
+          clear_session
           authenticate(return_to, return_params)
+
         else
           shop_name = session[:shopify][:shop]
           token = session[:shopify][:token]
           activate_shopify_api(shop_name, token)
           yield shop_name
         end
+
       rescue ActiveResource::UnauthorizedAccess
-        clear_session shop_name
-        redirect request.path
-      end
+        clear_session
 
-      def shopify_webhook(&blk)
-        return unless verify_shopify_webhook
-        shop_name = request.env['HTTP_X_SHOPIFY_SHOP_DOMAIN']
-        webhook_body = ActiveSupport::JSON.decode(request.body.read.to_s)
-        yield shop_name, webhook_body
-        status 200
+        shop = Shop.find_by(name: shop_name)
+        shop.token = nil
+        shop.save
+
+        redirect request.path
       end
 
       private
 
-      def request_protocol
-        request.secure? ? 'https' : 'http'
+      def authenticate(return_to = '/', return_params = nil)
+        session[:return_params] = return_params if return_params
+
+        if shop_name = sanitized_shop_param(params)
+          redirect "/login?shop=#{shop_name}"
+        else
+          redirect '/login'
+        end
       end
 
       def base_url
+        request_protocol = request.secure? ? 'https' : 'http'
         "#{request_protocol}://#{request.env['HTTP_HOST']}"
       end
 
@@ -68,17 +70,12 @@ module Sinatra
       end
 
       def different_shop?
-        params[:shop].present? && session[:shopify][:shop] != sanitize_shop_param(params)
+        params[:shop].present? && session[:shopify][:shop] != sanitized_shop_param(params)
       end
 
-      def authenticate(return_to = '/', return_params = nil)
-        if shop_name = sanitized_shop_name
-          session[:return_params] = return_params if return_params
-          redirect_url = "/auth/shopify?shop=#{shop_name}&return_to=#{base_url}#{return_to}"
-          redirect_javascript redirect_url
-        else
-          redirect '/install'
-        end
+      def clear_session
+        session.delete(:shopify)
+        session.clear
       end
 
       def activate_shopify_api(shop_name, token)
@@ -86,48 +83,15 @@ module Sinatra
         ShopifyAPI::Base.activate_session(api_session)
       end
 
-      def clear_session(shop_name)
-        logout
-        shop = Shop.find_by(name: shop_name)
-        shop.token = nil
-        shop.save
-      end
-
-      def redirect_javascript(url)
-        erb %(
-          <!DOCTYPE html>
-          <html lang="en">
-          <head>
-            <meta charset="utf-8" />
-            <base target="_top">
-            <title>Redirecting…</title>
-
-            <script type='text/javascript'>
-              // If the current window is the 'parent', change the URL by setting location.href
-              if (window.top == window.self) {
-                window.top.location.href = #{url.to_json};
-
-              // If the current window is the 'child', change the parent's URL with postMessage
-              } else {
-                message = JSON.stringify({
-                  message: 'Shopify.API.remoteRedirect',
-                  data: { location: window.location.origin + #{url.to_json} }
-                });
-                window.parent.postMessage(message, 'https://#{sanitized_shop_name}');
-              }
-            </script>
-          </head>
-          <body>
-          </body>
-        </html>
-        ), layout: false
-      end
-
-      def sanitized_shop_name
-        @sanitized_shop_name ||= sanitize_shop_param(params)
+      def receive_webhook(&blk)
+        return unless verify_shopify_webhook
+        shop_name = request.env['HTTP_X_SHOPIFY_SHOP_DOMAIN']
+        webhook_body = ActiveSupport::JSON.decode(request.body.read.to_s)
+        yield shop_name, webhook_body
+        status 200
       end
 
-      def sanitize_shop_param(params)
+      def sanitized_shop_param(params)
         return unless params[:shop].present?
         name = params[:shop].to_s.strip
         name += '.myshopify.com' if !name.include?('myshopify.com') && !name.include?('.')
@@ -147,21 +111,30 @@ module Sinatra
         if calculated_hmac == request.env['HTTP_X_SHOPIFY_HMAC_SHA256']
           true
         else
-          puts 'Shopify Webhook verifictation failed!'
+          puts 'Shopify Webhook verification failed!'
           false
         end
       end
     end
 
+    def shopify_webhook(route, &blk)
+      settings.webhook_routes << route
+      post(route) do
+        receive_webhook(&blk)
+      end
+    end
+
     def self.registered(app)
       app.helpers Shopify::Methods
       app.register Sinatra::ActiveRecordExtension
-      app.enable :inline_templates
 
       app.set :database_file, File.expand_path('config/database.yml')
+
+      app.set :erb, layout: :'layouts/application'
       app.set :views, File.expand_path('views')
       app.set :public_folder, File.expand_path('public')
-      app.set :erb, layout: :'layouts/application'
+      app.enable :inline_templates
+
       app.set :protection, except: :frame_options
 
       app.set :api_version, '2019-07'
@@ -171,7 +144,12 @@ module Sinatra
       app.set :shared_secret, ENV['SHOPIFY_SHARED_SECRET']
       app.set :secret, ENV['SECRET']
 
+      # csrf needs to be disabled for webhook routes
+      app.set :webhook_routes, ['/uninstall']
+
+      # add support for put/patch/delete
       app.use Rack::MethodOverride
+
       app.use Rack::Session::Cookie, key: 'rack.session',
                                      path: '/',
                                      secure: true,
@@ -179,18 +157,27 @@ module Sinatra
                                      secret: app.settings.secret,
                                      expire_after: 60 * 30 # half an hour in seconds
 
+      app.use Rack::Protection::AuthenticityToken, allow_if: lambda { |env|
+        app.settings.webhook_routes.include?(env["PATH_INFO"])
+      }
+
+      OmniAuth.config.allowed_request_methods = [:post]
+
       app.use OmniAuth::Builder do
         provider :shopify,
-                 app.settings.api_key,
-                 app.settings.shared_secret,
+          app.settings.api_key,
+          app.settings.shared_secret,
+          scope: app.settings.scope,
+          setup: lambda { |env|
+            shop = if env['REQUEST_METHOD'] == 'POST'
+              env['rack.request.form_hash']['shop']
+            else
+              Rack::Utils.parse_query(env['QUERY_STRING'])['shop']
+            end
 
-                 scope: app.settings.scope,
-
-                 setup: lambda { |env|
-                   params = Rack::Utils.parse_query(env['QUERY_STRING'])
-                   site_url = "https://#{params['shop']}"
-                   env['omniauth.strategy'].options[:client_options][:site] = site_url
-                 }
+            site_url = "https://#{shop}"
+            env['omniauth.strategy'].options[:client_options][:site] = site_url
+          }
       end
 
       ShopifyAPI::Session.setup(
@@ -198,21 +185,13 @@ module Sinatra
         secret: app.settings.shared_secret
       )
 
-      app.get '/install' do
-        if params[:shop].present?
-          authenticate
-        else
-          erb :install, layout: false
-        end
-      end
-
-      app.post '/login' do
-        authenticate
+      app.get '/login' do
+        erb :login, layout: false
       end
 
       app.get '/logout' do
-        logout
-        redirect '/install'
+        clear_session
+        redirect '/login'
       end
 
       app.get '/auth/shopify/callback' do
@@ -230,10 +209,10 @@ module Sinatra
 
         after_shopify_auth()
 
-        return_to = env['omniauth.params']['return_to']
         return_params = session[:return_params]
         session.delete(:return_params)
 
+        return_to = '/'
         return_to += "?#{return_params.to_query}" if return_params.present?
 
         redirect return_to

data/shopify-sinatra-app.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = 'shopify-sinatra-app'
-  s.version = '0.11.0'
+  s.version = '1.0.1'
 
   s.summary     = 'A classy shopify app'
   s.description = 'A Sinatra extension for building Shopify Apps. Akin to the shopify_app gem but for Sinatra'
@@ -13,13 +13,14 @@ Gem::Specification.new do |s|
   s.files = `git ls-files`.split("\n")
   s.executables << 'shopify-sinatra-app-generator'
 
-  s.add_runtime_dependency 'sinatra', '~> 2.0.2'
+  s.add_runtime_dependency 'sinatra'
   s.add_runtime_dependency 'sinatra-activerecord', '~> 2.0.9'
   s.add_runtime_dependency 'activesupport'
   s.add_runtime_dependency 'attr_encrypted', '~> 3.1.0'
 
-  s.add_runtime_dependency 'shopify_api', '>= 7.0.1', '< 9.1.0'
-  s.add_runtime_dependency 'omniauth-shopify-oauth2'
+  s.add_runtime_dependency 'shopify_api', '>= 7.0.1', '< 9.6'
+  s.add_runtime_dependency 'omniauth-shopify-oauth2', '>= 2.3.2'
+  s.add_runtime_dependency 'omniauth', '>= 2.0.4'
 
   s.add_development_dependency 'rake', '>= 12.3.3'
   s.add_development_dependency 'sqlite3'

metadata

@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: shopify-sinatra-app
 version: !ruby/object:Gem::Version
-  version: 0.11.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Kevin Hughes
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-29 00:00:00.000000000 Z
+date: 2022-05-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sinatra
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.2
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.0.2
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: sinatra-activerecord
   requirement: !ruby/object:Gem::Requirement
@@ -75,7 +75,7 @@ dependencies:
         version: 7.0.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: 9.1.0
+        version: '9.6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -85,21 +85,35 @@ dependencies:
         version: 7.0.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: 9.1.0
+        version: '9.6'
 - !ruby/object:Gem::Dependency
   name: omniauth-shopify-oauth2
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.3.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.3.2
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.4
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -192,12 +206,14 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".circleci/config.yml"
+- ".github/dependabot.yml"
 - ".gitignore"
-- ".travis.yml"
 - CHANGELOG
 - Gemfile
 - LICENSE
 - README.md
+- bin/ci.sh
 - bin/shopify-sinatra-app-generator
 - example/.gitignore
 - example/Gemfile
@@ -218,11 +234,10 @@ files:
 - example/views/_flash_messages.erb
 - example/views/_top_bar.erb
 - example/views/home.erb
-- example/views/install.erb
 - example/views/layouts/application.erb
+- example/views/login.erb
 - lib/sinatra/shopify-sinatra-app.rb
 - shopify-sinatra-app.gemspec
-- test.sh
 homepage: https://github.com/kevinhughes27/shopify-sinatra-app/
 licenses:
 - MIT

data/.travis.yml

@@ -1,13 +0,0 @@
-language: ruby
-
-rvm:
-  - 2.6.3
-
-gemfile: example/Gemfile
-
-script: "./test.sh"
-
-notifications:
-  email:
-    on_success: never
-    on_failure: never