shopify_api 14.7.0 → 14.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2594b938c059a24c4f17f5a435612a01fe880eb4ab5096f25ac0d0513129c71c
-  data.tar.gz: 3b584fffb9213fefaf5f1a603c76de8292ecb30e7434ccc63af7265ab3377987
+  metadata.gz: 80e32598197d0d0becb6f4fb8175cd9f0b7ca5ad83763a5934a55ff7c8a3f769
+  data.tar.gz: 38f4b87f9432966ac19017991fb85f8696e0adcd6e047378b3b6c2c35e088f66
 SHA512:
-  metadata.gz: 5e565a15428752c7838332f42d02c6aad73fe837dcc1c91774ed2cd523c81b6cd440e82dc0f2d8d65494a0d7715bb75f8533a3105304d2a510b1cd104690b1f2
-  data.tar.gz: e3625bc9e1e17ef36162fcc8c416478dbdf9f8b7bc868fb228d07ba4c2878bedb72738765e82737da9cd59b4c5d7197ba81c15d9013a38f13987e5ba3fbdf93d
+  metadata.gz: 2be22dec439c86f297e71e19fa0fbc04f5bb31eb296fd0632567caee65874985b3595d4bf9e9452a09540cb76c302117413e397ba90342e590882b72fbcf7dc8
+  data.tar.gz: 2d22864ebcb109ba38cef3a461696d7c7b19426c4f8e75b9041b3fc48e26af957a30a1dfa02895d7f2da1e000d44bf797ad5b7529ebd5240a1d19a56a8fa60df

data/.github/workflows/close-waiting-for-response-issues.yml

@@ -13,8 +13,8 @@ jobs:
           actions: 'close-issues'
           token: ${{ secrets.GITHUB_TOKEN }}
           labels: 'Waiting for Response'
-          inactive-day: 7
+          inactive-day: 14
           body: |
-            We are closing this issue because we did not hear back regarding additional details we needed to resolve this issue. If the issue persists and you are able to provide the missing clarification we need, feel free to respond and reopen this issue.
+            We are closing this issue because we did not hear back regarding additional details we needed to resolve this issue. If the issue persists and you are able to provide the missing clarification we need, feel free to create a new issue with the additional information.
 
             We appreciate your understanding as we try to manage our number of open issues.

data/.ruby-version

@@ -1 +1 @@
-3.0.6
+3.3.7

data/CHANGELOG.md

@@ -3,11 +3,24 @@
 Note: For changes to the API, see https://shopify.dev/changelog?filter=api
 ## Unreleased
 
+## 14.9.0
+
+- [#1362](https://github.com/Shopify/shopify-api-ruby/pull/1362) Add support for client credentials grant
+- [#1372](https://github.com/Shopify/shopify-api-ruby/pull/1372) Add support for 2025-04 API version
+- [#1369](https://github.com/Shopify/shopify-api-ruby/pull/1369) Make `sub` and `sid` jwt claims optional (Checkout ui extension support)
+- [#1370](https://github.com/Shopify/shopify-api-ruby/pull/1370) Add support for Shopify internal hosts
+- [#1366](https://github.com/Shopify/shopify-api-ruby/pull/1366) Add support for release candidate API versions
+
+## 14.8.0
+
+- [#1355](https://github.com/Shopify/shopify-api-ruby/pull/1355) Add support for 2025-01 API version
+
 ## 14.7.0
 
 - [#1347](https://github.com/Shopify/shopify-api-ruby/pull/1347) Extend webhook registration to support filters
 - [#1344](https://github.com/Shopify/shopify-api-ruby/pull/1344) Allow ShopifyAPI::Webhooks::Registry to update a webhook when fields or metafield_namespaces are changed.
 - [#1343](https://github.com/Shopify/shopify-api-ruby/pull/1343) Make ShopifyAPI::Context::scope parameter optional. `scope` defaults to empty list `[]`.
+- [#1348](https://github.com/Shopify/shopify-api-ruby/pull/1348) Add config option that will disable the REST API client and REST resources. New apps should use the GraphQL Admin API
 
 ## 14.6.0
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    shopify_api (14.7.0)
+    shopify_api (14.9.0)
       activesupport
       concurrent-ruby
       hash_diff

data/docs/usage/graphql_storefront.md

@@ -39,7 +39,7 @@ QUERY
 
 # You may not need the "Shopify-Storefront-Buyer-IP" header, see its documentation: 
 # https://shopify.dev/docs/api/usage/authentication#making-server-side-requests
-response = client.query(query: query, headers: { "Shopify-Storefront-Buyer-IP": request.ip })
+response = client.query(query: query, headers: { "Shopify-Storefront-Buyer-IP": request.remote_ip })
 # do something with the returned data
 ```
 

data/docs/usage/oauth.md

@@ -11,7 +11,8 @@ For more information on authenticating a Shopify app please see the [Types of Au
 - [Note about Rails](#note-about-rails)
 - [Performing OAuth](#performing-oauth-1)
   - [Token Exchange](#token-exchange)
-  - [Authorization Code Grant Flow](#authorization-code-grant-flow)
+  - [Authorization Code Grant](#authorization-code-grant)
+  - [Client Credentials Grant](#client-credentials-grant)
 - [Using OAuth Session to make authenticated API calls](#using-oauth-session-to-make-authenticated-api-calls)
 
 ## Session Persistence
@@ -31,10 +32,14 @@ with [token exchange](#token-exchange) instead of the authorization code grant f
     - Recommended and is only available for embedded apps
     - Doesn't require redirects, which makes authorization faster and prevents flickering when loading the app
     - Access scope changes are handled by [Shopify managed installation](https://shopify.dev/docs/apps/auth/installation#shopify-managed-installation)
-2. [Authorization Code Grant Flow](#authorization-code-grant-flow)
+2. [Authorization Code Grant](#authorization-code-grant)
     - OAuth flow that requires the app to redirect the user to Shopify for installation/authorization of the app to access the shop's data.
     - Suitable for non-embedded apps
     - Installations, and access scope changes are managed by the app
+3. [Client Credentials Grant](#client-credentials-grant)
+    - Suitable for apps without a UI
+    - Doesn't require user interaction in the browser
+    - Access scope changes are handled by [Shopify managed installation](https://shopify.dev/docs/apps/auth/installation#shopify-managed-installation)
 
 ## Note about Rails
 If using in the Rails framework, we highly recommend you use the [shopify_app](https://github.com/Shopify/shopify_app) gem to perform OAuth, you won't have to follow the instructions below to start your own OAuth flow.
@@ -94,7 +99,7 @@ end
 
 ```
 
-### Authorization Code Grant Flow
+### Authorization Code Grant
 ##### Steps
 1. [Add a route to start OAuth](#1-add-a-route-to-start-oauth)
 2. [Add an Oauth callback route](#2-add-an-oauth-callback-route)
@@ -265,9 +270,41 @@ def callback
   end
 end
 ```
-
 ⚠️ You can see a concrete example in the `ShopifyApp` gem's [CallbackController](https://github.com/Shopify/shopify_app/blob/main/app/controllers/shopify_app/callback_controller.rb).
 
+### Client Credentials Grant
+
+> [!NOTE]
+> You can only use the client credentials grant when building apps for your own organization.
+
+> [!WARNING]
+> [token exchange](#token-exchange) (for embedded apps) or the [authorization code grant](#authorization-code-grant) should be used instead of the client credentials grant, if your app is a browser based web app.
+
+#### Perform Client Credentials Grant
+Use [`ShopifyAPI::Auth::ClientCredentials`](https://github.com/Shopify/shopify-api-ruby/blob/main/lib/shopify_api/auth/client_credentials.rb) to
+exchange the [app's client ID and client secret](https://shopify.dev/docs/apps/build/authentication-authorization/client-secrets) for an access token.
+#### Input
+| Parameter      | Type                   | Required? | Default Value | Notes                                                                                                       |
+| -------------- | ---------------------- | :-------: | :-----------: | ----------------------------------------------------------------------------------------------------------- |
+| `shop`         | `String` | Yes | - | A Shopify domain name in the form `{exampleshop}.myshopify.com`. |
+
+#### Output
+This method returns the new `ShopifyAPI::Auth::Session` object from the client credentials grant, your app should store this `Session` object to be used later [when making authenticated API calls](#using-oauth-session-to-make-authenticated-api-calls).
+
+#### Example
+```ruby
+
+# `shop` is the shop domain name - "this-is-my-example-shop.myshopify.com"
+
+def authenticate(shop)
+  session = ShopifyAPI::Auth::ClientCredentials.client_credentials(
+     shop: shop,
+   )
+  SessionRepository.store_session(session)
+end
+
+```
+
 ## Using OAuth Session to make authenticated API calls
 Once your OAuth flow is complete, and you have persisted your `Session` object, you may use that `Session` object to make authenticated API calls.
 

data/docs/usage/rest.md

@@ -1,4 +1,6 @@
 # Make a REST API call
+> [!WARNING]
+> The Admin REST API has been deprecated. New apps should use the GraphQL Admin API. For more information see [All in on GraphQL](https://www.shopify.com/ca/partners/blog/all-in-on-graphql). New apps will be created with the config option `rest_disabled: true`. This will raise a `ShopifyAPI::Errors::DisabledResourceError` if you try to use the REST API.
 
 Once OAuth is complete, we can use `ShopifyAPI`'s REST library to make authenticated API calls to the Shopify Admin API.
 #### Required Session

data/lib/shopify_api/admin_versions.rb

@@ -5,6 +5,9 @@ module ShopifyAPI
   module AdminVersions
     SUPPORTED_ADMIN_VERSIONS = T.let([
       "unstable",
+      "2025-07",
+      "2025-04",
+      "2025-01",
       "2024-10",
       "2024-07",
       "2024-04",
@@ -19,9 +22,11 @@ module ShopifyAPI
       "2022-01",
     ], T::Array[String])
 
-    LATEST_SUPPORTED_ADMIN_VERSION = T.let("2024-10", String)
+    LATEST_SUPPORTED_ADMIN_VERSION = T.let("2025-04", String)
+    RELEASE_CANDIDATE_ADMIN_VERSION = T.let("2025-07", String)
   end
 
   SUPPORTED_ADMIN_VERSIONS = ShopifyAPI::AdminVersions::SUPPORTED_ADMIN_VERSIONS
   LATEST_SUPPORTED_ADMIN_VERSION = ShopifyAPI::AdminVersions::LATEST_SUPPORTED_ADMIN_VERSION
+  RELEASE_CANDIDATE_ADMIN_VERSION = ShopifyAPI::AdminVersions::RELEASE_CANDIDATE_ADMIN_VERSION
 end

data/lib/shopify_api/auth/client_credentials.rb

@@ -0,0 +1,52 @@
+# typed: strict
+# frozen_string_literal: true
+
+module ShopifyAPI
+  module Auth
+    module ClientCredentials
+      extend T::Sig
+
+      CLIENT_CREDENTIALS_GRANT_TYPE = "client_credentials"
+
+      class << self
+        extend T::Sig
+
+        sig do
+          params(
+            shop: String,
+          ).returns(ShopifyAPI::Auth::Session)
+        end
+        def client_credentials(shop:)
+          unless ShopifyAPI::Context.setup?
+            raise ShopifyAPI::Errors::ContextNotSetupError,
+              "ShopifyAPI::Context not setup, please call ShopifyAPI::Context.setup"
+          end
+
+          shop_session = ShopifyAPI::Auth::Session.new(shop: shop)
+          body = {
+            client_id: ShopifyAPI::Context.api_key,
+            client_secret: ShopifyAPI::Context.api_secret_key,
+            grant_type: CLIENT_CREDENTIALS_GRANT_TYPE,
+          }
+
+          client = Clients::HttpClient.new(session: shop_session, base_path: "/admin/oauth")
+          response =
+            client.request(
+              Clients::HttpRequest.new(
+                http_method: :post,
+                path: "access_token",
+                body: body,
+                body_type: "application/json",
+              ),
+            )
+          response_hash = T.cast(response.body, T::Hash[String, T.untyped]).to_h
+
+          Session.from(
+            shop: shop,
+            access_token_response: Oauth::AccessTokenResponse.from_hash(response_hash),
+          )
+        end
+      end
+    end
+  end
+end

data/lib/shopify_api/auth/jwt_payload.rb

@@ -10,11 +10,14 @@ module ShopifyAPI
       JWT_EXPIRATION_LEEWAY = JWT_LEEWAY
 
       sig { returns(String) }
-      attr_reader :iss, :dest, :aud, :sub, :jti, :sid
+      attr_reader :iss, :dest, :aud, :jti
 
       sig { returns(Integer) }
       attr_reader :exp, :nbf, :iat
 
+      sig { returns(T.nilable(String)) }
+      attr_reader :sub, :sid
+
       alias_method :expire_at, :exp
 
       sig { params(token: String).void }
@@ -30,12 +33,12 @@ module ShopifyAPI
         @iss = T.let(payload_hash["iss"], String)
         @dest = T.let(payload_hash["dest"], String)
         @aud = T.let(payload_hash["aud"], String)
-        @sub = T.let(payload_hash["sub"], String)
+        @sub = T.let(payload_hash["sub"], T.nilable(String))
         @exp = T.let(payload_hash["exp"], Integer)
         @nbf = T.let(payload_hash["nbf"], Integer)
         @iat = T.let(payload_hash["iat"], Integer)
         @jti = T.let(payload_hash["jti"], String)
-        @sid = T.let(payload_hash["sid"], String)
+        @sid = T.let(payload_hash["sid"], T.nilable(String))
 
         raise ShopifyAPI::Errors::InvalidJwtTokenError,
           "Session token had invalid API key" unless @aud == Context.api_key
@@ -47,19 +50,9 @@ module ShopifyAPI
       end
       alias_method :shopify_domain, :shop
 
-      sig { returns(Integer) }
+      sig { returns(T.nilable(Integer)) }
       def shopify_user_id
-        @sub.to_i
-      end
-
-      # TODO: Remove before releasing v11
-      sig { params(shop: String).returns(T::Boolean) }
-      def validate_shop(shop)
-        Context.logger.warn(
-          "Deprecation notice: ShopifyAPI::Auth::JwtPayload.validate_shop no longer checks the given shop and always " \
-            "returns true. It will be removed in v11.",
-        )
-        true
+        @sub.to_i if user_id_sub? && admin_session_token?
       end
 
       alias_method :eql?, :==
@@ -86,6 +79,16 @@ module ShopifyAPI
       rescue JWT::DecodeError => err
         raise ShopifyAPI::Errors::InvalidJwtTokenError, "Error decoding session token: #{err.message}"
       end
+
+      sig { returns(T::Boolean) }
+      def admin_session_token?
+        @iss.end_with?("/admin")
+      end
+
+      sig { returns(T::Boolean) }
+      def user_id_sub?
+        @sub&.match?(/\A\d+\z/) || false
+      end
     end
   end
 end

data/lib/shopify_api/auth/oauth.rb

@@ -46,8 +46,8 @@ module ShopifyAPI
           }
 
           query_string = URI.encode_www_form(query)
+          auth_route = auth_base_uri(shop) + "/oauth/authorize?#{query_string}"
 
-          auth_route = "https://#{shop}/admin/oauth/authorize?#{query_string}"
           { auth_route: auth_route, cookie: cookie }
         end
 
@@ -106,6 +106,20 @@ module ShopifyAPI
 
           { session: session, cookie: cookie }
         end
+
+        private
+
+        sig { params(shop: String).returns(String) }
+        def auth_base_uri(shop)
+          return "https://#{shop}/admin" unless defined?(DevServer)
+
+          # For first-party apps in development only, we leverage DevServer to build the admin base URI
+          admin_web = T.unsafe(Object.const_get("DevServer")).new("web") # rubocop:disable Sorbet/ConstantsFromStrings
+          admin_host = admin_web.host!(nonstandard_host_prefix: "admin")
+          shop_name = shop.split(".").first
+
+          "https://#{admin_host}/store/#{shop_name}"
+        end
       end
     end
   end

data/lib/shopify_api/auth/session.rb

@@ -95,13 +95,16 @@ module ShopifyAPI
 
           if is_online
             associated_user = T.must(access_token_response.associated_user)
-            expires = Time.now + access_token_response.expires_in.to_i
             associated_user_scope = access_token_response.associated_user_scope
             id = "#{shop}_#{associated_user.id}"
           else
             id = "offline_#{shop}"
           end
 
+          if access_token_response.expires_in
+            expires = Time.now + access_token_response.expires_in.to_i
+          end
+
           new(
             id: id,
             shop: shop,

data/lib/shopify_api/clients/http_client.rb

@@ -40,13 +40,17 @@ module ShopifyAPI
         headers["Content-Type"] = T.must(request.body_type) if request.body_type
         headers = headers.merge(T.must(request.extra_headers)) if request.extra_headers
 
+        parsed_uri = URI(request_url(request))
+
+        headers = append_first_party_development_headers(headers, parsed_uri)
+
         tries = 0
         response = HttpResponse.new(code: 0, headers: {}, body: "")
         while tries < request.tries
           tries += 1
           res = T.cast(HTTParty.send(
             request.http_method,
-            request_url(request),
+            parsed_uri.to_s,
             headers: headers,
             query: request.query,
             body: request.body.class == Hash ? T.unsafe(request.body).to_json : request.body,
@@ -115,6 +119,27 @@ module ShopifyAPI
         end
         body.to_json
       end
+
+      private
+
+      sig do
+        params(
+          headers: T::Hash[T.any(Symbol, String), T.untyped],
+          parsed_uri: URI::Generic,
+        ).returns(T::Hash[T.any(Symbol, String), T.untyped])
+      end
+      def append_first_party_development_headers(headers, parsed_uri)
+        return headers unless defined?(DevServer)
+        return headers unless headers["Host"]&.include?(".my.shop.dev") || parsed_uri.host&.include?(".my.shop.dev")
+
+        # These headers are only used for first party applications in development mode
+        headers["x-forwarded-host"] = headers["Host"] || parsed_uri.host
+        headers["Host"] = T.unsafe(
+          Object.const_get("DevServer::Core"), # rubocop:disable Sorbet/ConstantsFromStrings
+        ).new.host!(:app)
+
+        headers
+      end
     end
   end
 end

data/lib/shopify_api/clients/rest/admin.rb

@@ -9,6 +9,11 @@ module ShopifyAPI
 
         sig { params(session: T.nilable(Auth::Session), api_version: T.nilable(String)).void }
         def initialize(session: nil, api_version: nil)
+          if Context.rest_disabled
+            raise Errors::DisabledResourceError,
+              "The Admin REST API has been deprecated. Please use the GraphQL Admin API. For more information see https://www.shopify.com/ca/partners/blog/all-in-on-graphql"
+          end
+
           @api_version = T.let(api_version || Context.api_version, String)
           if api_version
             if api_version == Context.api_version

data/lib/shopify_api/context.rb

@@ -22,6 +22,7 @@ module ShopifyAPI
     @user_agent_prefix = T.let(nil, T.nilable(String))
     @old_api_secret_key = T.let(nil, T.nilable(String))
     @response_as_struct = T.let(false, T.nilable(T::Boolean))
+    @rest_disabled = T.let(false, T.nilable(T::Boolean))
 
     @rest_resource_loader = T.let(nil, T.nilable(Zeitwerk::Loader))
 
@@ -45,6 +46,7 @@ module ShopifyAPI
           old_api_secret_key: T.nilable(String),
           api_host: T.nilable(String),
           response_as_struct: T.nilable(T::Boolean),
+          rest_disabled: T.nilable(T::Boolean),
         ).void
       end
       def setup(
@@ -62,7 +64,8 @@ module ShopifyAPI
         user_agent_prefix: nil,
         old_api_secret_key: nil,
         api_host: nil,
-        response_as_struct: false
+        response_as_struct: false,
+        rest_disabled: false
       )
         unless ShopifyAPI::AdminVersions::SUPPORTED_ADMIN_VERSIONS.include?(api_version)
           raise Errors::UnsupportedVersionError,
@@ -82,6 +85,7 @@ module ShopifyAPI
         @user_agent_prefix = user_agent_prefix
         @old_api_secret_key = old_api_secret_key
         @response_as_struct = response_as_struct
+        @rest_disabled = rest_disabled
         @log_level = if valid_log_level?(log_level)
           log_level.to_sym
         else
@@ -97,10 +101,11 @@ module ShopifyAPI
         @rest_resource_loader&.setup
         @rest_resource_loader&.unload
 
-        # No resources for the unstable version
-        return if api_version == "unstable"
+        # No resources for the unstable version or the release candidate version
+        return if api_version == "unstable" || api_version == RELEASE_CANDIDATE_ADMIN_VERSION
 
         version_folder_name = api_version.gsub("-", "_")
+
         path = "#{__dir__}/rest/resources/#{version_folder_name}"
 
         unless Dir.exist?(path)
@@ -178,6 +183,11 @@ module ShopifyAPI
         T.must(URI(T.must(host)).host)
       end
 
+      sig { returns(T::Boolean) }
+      def rest_disabled
+        T.must(@rest_disabled)
+      end
+
       private
 
       sig { params(log_level: T.any(Symbol, String)).returns(T::Boolean) }

data/lib/shopify_api/errors/disabled_resource_error.rb

@@ -0,0 +1,8 @@
+# typed: strict
+# frozen_string_literal: true
+
+module ShopifyAPI
+  module Errors
+    class DisabledResourceError < StandardError; end
+  end
+end