shopify_api 15.0.0 → 16.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9730739b6693ca317bd357162beef7ad7424a5f584eadc345e8b53308724cd27
-  data.tar.gz: 5d4773a92f4f3dda6615b7e6e47a50ee96bfbb0b8015f4dbd6e519d851da119f
+  metadata.gz: fcfda3eae9679802b0a7d174700dfbd87d43f31f2a06a94369f5466c52da9c25
+  data.tar.gz: cd43a51872ca579701c3592603c9a41b9662191a62420fdbe87e26cd71020e3f
 SHA512:
-  metadata.gz: c5133fc7f61b53d0ee91c38848dad3f0afdc92070276caac0ad911ad0d122039c509ed88afb9a35f8ead5ee0332fbc7caa0782012d856c8886f426409d2826cd
-  data.tar.gz: 5f874a62238c6aef8f3383ed876104d895118a9e767f43143a4458327b40dce5ffd891ea05908737633bea8ba958840c49920e557090b9b05732611369a3ec8f
+  metadata.gz: 33c6187ea237123c293e5597e184f633ddcfedb7433f7d3ad14141fb4b401cd618264f2fe3143982141b03ba7ee00aad7ec08b26a0b489b6c00b836edc61a8ec
+  data.tar.gz: 251fea50aaa98a67b55797934744bd9a57599084740530535dd6c98d9a8f1f2f886617d3dd66a99c7f877c508ac2afbcf3cf18a52758dfb9b2262c0314d06c8e

data/.github/workflows/build.yml

@@ -11,10 +11,9 @@ jobs:
     strategy:
       matrix:
         version:
-          - 3.0
-          - 3.1
           - 3.2
           - 3.3
+          - 3.4
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Set up Ruby ${{ matrix.version }}

data/BREAKING_CHANGES_FOR_V16.md

@@ -0,0 +1,76 @@
+# Breaking change notice for version 16.0.0
+
+## Minimum Ruby Version Requirement
+
+The minimum required Ruby version has been updated from 3.0 to 3.2.
+
+### Why this change?
+
+Ruby 3.0  and 3.1 have reached End of Life (EOL).
+
+### Migration Guide
+
+If you're currently using Ruby 3.0 or 3.1, you'll need to upgrade to Ruby 3.2 or higher before upgrading to shopify-api-ruby v16.0.0.
+
+**Note:** Ruby 3.2+ includes performance improvements and new features. Most applications should not require code changes beyond updating the Ruby version itself.
+## Removal of `Session#serialize` and `Session.deserialize` methods
+
+The `Session#serialize` and `Session.deserialize` methods have been removed due to a security vulnerability. The `deserialize` method used `Oj.load` without safe mode, which allows instantiation of arbitrary Ruby objects.
+
+These methods were originally created for session persistence when the library handled session storage. After session storage was deprecated in v12.3.0, applications became responsible for their own session persistence, making these methods unnecessary for their original purpose.
+
+### Why this change?
+
+**No impact on most applications:** The `shopify_app gem` stores individual session attributes in database columns and reconstructs sessions using `Session.new()`, which is the recommended pattern.
+
+## Migration Guide
+
+If your application was using `Session#serialize` and `Session.deserialize` for session persistence, you'll need to refactor to store individual session attributes and reconstruct sessions using `Session.new()`.
+
+### Previous implementation (removed in v16.0.0)
+
+```ruby
+# Storing a session
+session = ShopifyAPI::Auth::Session.new(
+  shop: "example.myshopify.com",
+  access_token: "shpat_xxxxx",
+  scope: "read_products,write_orders"
+)
+
+serialized_data = session.serialize
+# Store serialized_data in Redis, database, etc.
+redis.set("session:#{session.id}", serialized_data)
+
+# Retrieving a session
+serialized_data = redis.get("session:#{session_id}")
+session = ShopifyAPI::Auth::Session.deserialize(serialized_data)
+```
+
+### New implementation (required in v16.0.0)
+
+Store individual session attributes and reconstruct using `Session.new()`:
+
+## Reference: shopify_app gem implementation
+
+The [shopify_app gem](https://github.com/Shopify/shopify_app) provides a reference implementation of session storage that follows these best practices:
+
+**Shop Session Storage** ([source](https://github.com/Shopify/shopify_app/blob/main/lib/shopify_app/session/shop_session_storage.rb)):
+```ruby
+# Stores attributes in database columns
+def store(auth_session)
+  shop = find_or_initialize_by(shopify_domain: auth_session.shop)
+  shop.shopify_token = auth_session.access_token
+  shop.save!
+end
+
+# Reconstructs using Session.new()
+def retrieve(id)
+  shop = find_by(id: id)
+  return unless shop
+
+  ShopifyAPI::Auth::Session.new(
+    shop: shop.shopify_domain,
+    access_token: shop.shopify_token
+  )
+end
+```

data/CHANGELOG.md

@@ -1,7 +1,12 @@
 # Changelog
 
 Note: For changes to the API, see https://shopify.dev/changelog?filter=api
-## Unreleased
+## 16.0.0 (2025-12-10)
+- ⚠️ [Breaking] Minimum required Ruby version is now 3.2. Ruby 3.0 and 3.1 are no longer supported.
+- ⚠️ [Breaking] Removed `Session#serialize` and `Session.deserialize` methods due to security concerns (RCE vulnerability via `Oj.load`). These methods were not used internally by the library. If your application relies on session serialization, use `Session.new()` to reconstruct sessions from stored attributes instead.
+
+- Add support for expiring offline access tokens with refresh tokens. See [OAuth documentation](docs/usage/oauth.md#expiring-offline-access-tokens) for details.
+- Add `ShopifyAPI::Auth::TokenExchange.migrate_to_expiring_token` method to migrate existing non-expiring offline tokens to expiring tokens. See [migration documentation](docs/usage/oauth.md#migrating-non-expiring-tokens-to-expiring-tokens) for details.
 
 ### 15.0.0
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    shopify_api (15.0.0)
+    shopify_api (16.0.0)
       activesupport
       concurrent-ruby
       hash_diff

data/docs/getting_started.md

@@ -28,7 +28,8 @@ ShopifyAPI::Context.setup(
   scope: "read_orders,read_products,etc",
   is_embedded: true, # Set to true if you are building an embedded app
   is_private: false, # Set to true if you are building a private app
-  api_version: "2021-01" # The version of the API you would like to use
+  api_version: "2021-01", # The version of the API you would like to use
+  expiring_offline_access_tokens: true # Set to true to enable expiring offline access tokens with refresh tokens
 )
 ```
 

data/docs/usage/oauth.md

@@ -13,6 +13,9 @@ For more information on authenticating a Shopify app please see the [Types of Au
   - [Token Exchange](#token-exchange)
   - [Authorization Code Grant](#authorization-code-grant)
   - [Client Credentials Grant](#client-credentials-grant)
+- [Expiring Offline Access Tokens](#expiring-offline-access-tokens)
+  - [Refreshing Access Tokens](#refreshing-access-tokens)
+  - [Migrating Non-Expiring Tokens to Expiring Tokens](#migrating-non-expiring-tokens-to-expiring-tokens)
 - [Using OAuth Session to make authenticated API calls](#using-oauth-session-to-make-authenticated-api-calls)
 
 ## Session Persistence
@@ -305,6 +308,132 @@ end
 
 ```
 
+## Expiring Offline Access Tokens
+
+
+To start requesting expiring offline access tokens, set the `expiring_offline_access_tokens` parameter to `true` when setting up the Shopify context:
+
+```ruby
+ShopifyAPI::Context.setup(
+  api_key: <SHOPIFY_API_KEY>,
+  api_secret_key: <SHOPIFY_API_SECRET>,
+  api_version: <SHOPIFY_API_VERSION>,
+  scope: <SHOPIFY_API_SCOPES>,
+  expiring_offline_access_tokens: true, # Enable expiring offline access tokens
+  ...
+)
+```
+
+When enabled:
+- **Authorization Code Grant**: The OAuth flow will request expiring offline access tokens by sending `expiring: 1` parameter
+- **Token Exchange**: When requesting offline access tokens via token exchange, the flow will request expiring tokens
+
+The resulting `Session` object will contain:
+- `access_token`: The access token that will eventually expire
+- `expires`: The expiration time for the access token
+- `refresh_token`: A token that can be used to refresh the access token
+- `refresh_token_expires`: The expiration time for the refresh token
+
+### Refreshing Access Tokens
+
+When your access token expires, you can use the refresh token to obtain a new access token using the `ShopifyAPI::Auth::RefreshToken.refresh_access_token` method.
+
+#### Input
+| Parameter      | Type     | Required? | Notes                                                                                           |
+| -------------- | -------- | :-------: | ----------------------------------------------------------------------------------------------- |
+| `shop`         | `String` | Yes       | A Shopify domain name in the form `{exampleshop}.myshopify.com`.                               |
+| `refresh_token`| `String` | Yes       | The refresh token from the session.                                                             |
+
+#### Output
+This method returns a new `ShopifyAPI::Auth::Session` object with a fresh access token and a new refresh token. Your app should store this new session to replace the expired one.
+
+#### Example
+```ruby
+def refresh_session(shop, refresh_token)
+  begin
+    # Refresh the access token using the refresh token
+    new_session = ShopifyAPI::Auth::RefreshToken.refresh_access_token(
+      shop: shop,
+      refresh_token: refresh_token
+    )
+
+    # Store the new session, replacing the old one
+    MyApp::SessionRepository.store_shop_session(new_session)
+  rescue ShopifyAPI::Errors::HttpResponseError => e
+    puts("Failed to refresh access token: #{e.message}")
+    raise e
+  end
+end
+```
+#### Checking Token Expiration
+The `Session` object provides helper methods to check if tokens have expired:
+
+```ruby
+session = MyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(shop)
+
+# Check if the access token has expired
+if session.expired?
+  # Access token has expired, refresh it
+  new_session = ShopifyAPI::Auth::RefreshToken.refresh_access_token(
+    shop: session.shop,
+    refresh_token: session.refresh_token
+  )
+  MyApp::SessionRepository.store_shop_session(new_session)
+end
+
+# Check if the refresh token has expired
+if session.refresh_token_expired?
+  # Refresh token has expired, need to re-authenticate with OAuth
+end
+```
+
+### Migrating Non-Expiring Tokens to Expiring Tokens
+
+If you have existing non-expiring offline access tokens and want to migrate them to expiring tokens, you can use the `ShopifyAPI::Auth::TokenExchange.migrate_to_expiring_token` method. This performs a token exchange that converts your non-expiring offline token into an expiring one with a refresh token.
+
+> [!WARNING]
+> This is a **one-time, irreversible migration** per shop. Once you migrate a shop's token to an expiring token, you cannot convert it back to a non-expiring token. The shop would need to reinstall your app with `expiring_offline_access_tokens: false` in your Context configuration to obtain a new non-expiring token.
+
+#### Input
+| Parameter      | Type     | Required? | Notes                                                                                           |
+| -------------- | -------- | :-------: | ----------------------------------------------------------------------------------------------- |
+| `shop`         | `String` | Yes       | A Shopify domain name in the form `{exampleshop}.myshopify.com`.                               |
+| `non_expiring_offline_token` | `String` | Yes | The non-expiring offline access token to migrate. |
+
+#### Output
+This method returns a new `ShopifyAPI::Auth::Session` object with an expiring access token and refresh token. Your app should store this new session to replace the non-expiring one.
+
+#### Example
+```ruby
+def migrate_shop_to_expiring_offline_token(shop)
+  # Retrieve the existing non-expiring session
+  old_session = MyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(shop)
+
+  # Migrate to expiring token
+  new_session = ShopifyAPI::Auth::TokenExchange.migrate_to_expiring_token(
+    shop: shop,
+    non_expiring_offline_token: old_session.access_token
+  )
+
+  # Store the new expiring session, replacing the old one
+  MyApp::SessionRepository.store_shop_session(new_session)
+end
+```
+
+#### Migration Strategy
+When migrating your app to use expiring tokens, follow this order:
+
+1. **Update your database schema** to add `expires_at` (timestamp), `refresh_token` (string) and `refresh_token_expires` (timestamp) columns to your session storage
+2. **Implement refresh logic** in your app to handle token expiration using `ShopifyAPI::Auth::RefreshToken.refresh_access_token`
+3. **Enable expiring tokens in your Context setup** so new installations will request and receive expiring tokens:
+   ```ruby
+   ShopifyAPI::Context.setup(
+     expiring_offline_access_tokens: true,
+     # ... other config
+   )
+   ```
+4. **Migrate existing non-expiring tokens** for shops that have already installed your app using the migration method above
+
 ## Using OAuth Session to make authenticated API calls
 Once your OAuth flow is complete, and you have persisted your `Session` object, you may use that `Session` object to make authenticated API calls.
 

data/lib/shopify_api/auth/oauth/access_token_response.rb

@@ -13,6 +13,8 @@ module ShopifyAPI
         const :expires_in, T.nilable(Integer)
         const :associated_user, T.nilable(AssociatedUser)
         const :associated_user_scope, T.nilable(String)
+        const :refresh_token, T.nilable(String)
+        const :refresh_token_expires_in, T.nilable(Integer)
 
         sig { returns(T::Boolean) }
         def online_token?
@@ -29,7 +31,9 @@ module ShopifyAPI
             session == other.session &&
             expires_in == other.expires_in &&
             associated_user == other.associated_user &&
-            associated_user_scope == other.associated_user_scope
+            associated_user_scope == other.associated_user_scope &&
+            refresh_token == other.refresh_token &&
+            refresh_token_expires_in == other.refresh_token_expires_in
         end
       end
     end

data/lib/shopify_api/auth/oauth.rb

@@ -71,7 +71,12 @@ module ShopifyAPI
             "Invalid state in OAuth callback." unless state == auth_query.state
 
           null_session = Auth::Session.new(shop: auth_query.shop)
-          body = { client_id: Context.api_key, client_secret: Context.api_secret_key, code: auth_query.code }
+          body = {
+            client_id: Context.api_key,
+            client_secret: Context.api_secret_key,
+            code: auth_query.code,
+            expiring: Context.expiring_offline_access_tokens ? 1 : 0, # Only applicable for offline tokens
+          }
 
           client = Clients::HttpClient.new(session: null_session, base_path: "/admin/oauth")
           response = begin
@@ -100,7 +105,7 @@ module ShopifyAPI
           else
             SessionCookie.new(
               value: session.id,
-              expires: session.online? ? session.expires : nil,
+              expires: session.expires ? session.expires : nil,
             )
           end
 

data/lib/shopify_api/auth/refresh_token.rb

@@ -0,0 +1,57 @@
+# typed: strict
+# frozen_string_literal: true
+
+module ShopifyAPI
+  module Auth
+    module RefreshToken
+      extend T::Sig
+
+      class << self
+        extend T::Sig
+
+        sig do
+          params(
+            shop: String,
+            refresh_token: String,
+          ).returns(ShopifyAPI::Auth::Session)
+        end
+        def refresh_access_token(shop:, refresh_token:)
+          unless ShopifyAPI::Context.setup?
+            raise ShopifyAPI::Errors::ContextNotSetupError,
+              "ShopifyAPI::Context not setup, please call ShopifyAPI::Context.setup"
+          end
+
+          shop_session = ShopifyAPI::Auth::Session.new(shop:)
+          body = {
+            client_id: ShopifyAPI::Context.api_key,
+            client_secret: ShopifyAPI::Context.api_secret_key,
+            grant_type: "refresh_token",
+            refresh_token:,
+          }
+
+          client = Clients::HttpClient.new(session: shop_session, base_path: "/admin/oauth")
+          response = begin
+            client.request(
+              Clients::HttpRequest.new(
+                http_method: :post,
+                path: "access_token",
+                body:,
+                body_type: "application/json",
+              ),
+            )
+          rescue ShopifyAPI::Errors::HttpResponseError => error
+            ShopifyAPI::Context.logger.debug("Failed to refresh access token: #{error.message}")
+            raise error
+          end
+
+          session_params = T.cast(response.body, T::Hash[String, T.untyped]).to_h
+
+          Session.from(
+            shop:,
+            access_token_response: Oauth::AccessTokenResponse.from_hash(session_params),
+          )
+        end
+      end
+    end
+  end
+end

data/lib/shopify_api/auth/session.rb

@@ -30,6 +30,12 @@ module ShopifyAPI
       sig { returns(T.nilable(String)) }
       attr_accessor :shopify_session_id
 
+      sig { returns(T.nilable(String)) }
+      attr_accessor :refresh_token
+
+      sig { returns(T.nilable(Time)) }
+      attr_accessor :refresh_token_expires
+
       sig { returns(T::Boolean) }
       def online?
         @is_online
@@ -40,6 +46,11 @@ module ShopifyAPI
         @expires ? @expires < Time.now : false
       end
 
+      sig { returns(T::Boolean) }
+      def refresh_token_expired?
+        @refresh_token_expires ? @refresh_token_expires < Time.now + 60 : false
+      end
+
       sig do
         params(
           shop: String,
@@ -52,10 +63,12 @@ module ShopifyAPI
           is_online: T.nilable(T::Boolean),
           associated_user: T.nilable(AssociatedUser),
           shopify_session_id: T.nilable(String),
+          refresh_token: T.nilable(String),
+          refresh_token_expires: T.nilable(Time),
         ).void
       end
       def initialize(shop:, id: nil, state: nil, access_token: "", scope: [], associated_user_scope: nil, expires: nil,
-        is_online: nil, associated_user: nil, shopify_session_id: nil)
+        is_online: nil, associated_user: nil, shopify_session_id: nil, refresh_token: nil, refresh_token_expires: nil)
         @id = T.let(id || SecureRandom.uuid, String)
         @shop = shop
         @state = state
@@ -68,6 +81,8 @@ module ShopifyAPI
         @associated_user = associated_user
         @is_online = T.let(is_online || !associated_user.nil?, T::Boolean)
         @shopify_session_id = shopify_session_id
+        @refresh_token = refresh_token
+        @refresh_token_expires = refresh_token_expires
       end
 
       class << self
@@ -105,6 +120,10 @@ module ShopifyAPI
             expires = Time.now + access_token_response.expires_in.to_i
           end
 
+          if access_token_response.refresh_token_expires_in
+            refresh_token_expires = Time.now + access_token_response.refresh_token_expires_in.to_i
+          end
+
           new(
             id: id,
             shop: shop,
@@ -115,31 +134,28 @@ module ShopifyAPI
             associated_user: associated_user,
             expires: expires,
             shopify_session_id: access_token_response.session,
+            refresh_token: access_token_response.refresh_token,
+            refresh_token_expires: refresh_token_expires,
           )
         end
-
-        sig { params(str: String).returns(Session) }
-        def deserialize(str)
-          Oj.load(str)
-        end
       end
 
       sig { params(other: Session).returns(Session) }
       def copy_attributes_from(other)
-        JSON.parse(other.serialize).keys.each do |key|
-          next if key.include?("^")
-
-          variable_name = "@#{key}"
-          instance_variable_set(variable_name, other.instance_variable_get(variable_name))
-        end
+        @shop = other.shop
+        @state = other.state
+        @access_token = other.access_token
+        @scope = other.scope
+        @associated_user_scope = other.associated_user_scope
+        @expires = other.expires
+        @associated_user = other.associated_user
+        @is_online = other.online?
+        @shopify_session_id = other.shopify_session_id
+        @refresh_token = other.refresh_token
+        @refresh_token_expires = other.refresh_token_expires
         self
       end
 
-      sig { returns(String) }
-      def serialize
-        Oj.dump(self)
-      end
-
       alias_method :eql?, :==
       sig { params(other: T.nilable(Session)).returns(T::Boolean) }
       def ==(other)
@@ -153,8 +169,9 @@ module ShopifyAPI
             (!(expires.nil? ^ other.expires.nil?) && (expires.nil? || expires.to_i == other.expires.to_i)) &&
             online? == other.online? &&
             associated_user == other.associated_user &&
-            shopify_session_id == other.shopify_session_id
-
+            shopify_session_id == other.shopify_session_id &&
+            refresh_token == other.refresh_token &&
+            refresh_token_expires&.to_i == other.refresh_token_expires&.to_i
         else
           false
         end

data/lib/shopify_api/auth/token_exchange.rb

@@ -49,6 +49,10 @@ module ShopifyAPI
             requested_token_type: requested_token_type.serialize,
           }
 
+          if requested_token_type == RequestedTokenType::OFFLINE_ACCESS_TOKEN
+            body.merge!({ expiring: ShopifyAPI::Context.expiring_offline_access_tokens ? 1 : 0 })
+          end
+
           client = Clients::HttpClient.new(session: shop_session, base_path: "/admin/oauth")
           response = begin
             client.request(
@@ -74,6 +78,52 @@ module ShopifyAPI
             access_token_response: Oauth::AccessTokenResponse.from_hash(session_params),
           )
         end
+
+        sig do
+          params(
+            shop: String,
+            non_expiring_offline_token: String,
+          ).returns(ShopifyAPI::Auth::Session)
+        end
+        def migrate_to_expiring_token(shop:, non_expiring_offline_token:)
+          unless ShopifyAPI::Context.setup?
+            raise ShopifyAPI::Errors::ContextNotSetupError,
+              "ShopifyAPI::Context not setup, please call ShopifyAPI::Context.setup"
+          end
+
+          shop_session = ShopifyAPI::Auth::Session.new(shop: shop)
+          body = {
+            client_id: ShopifyAPI::Context.api_key,
+            client_secret: ShopifyAPI::Context.api_secret_key,
+            grant_type: TOKEN_EXCHANGE_GRANT_TYPE,
+            subject_token: non_expiring_offline_token,
+            subject_token_type: RequestedTokenType::OFFLINE_ACCESS_TOKEN.serialize,
+            requested_token_type: RequestedTokenType::OFFLINE_ACCESS_TOKEN.serialize,
+            expiring: "1",
+          }
+
+          client = Clients::HttpClient.new(session: shop_session, base_path: "/admin/oauth")
+          response = begin
+            client.request(
+              Clients::HttpRequest.new(
+                http_method: :post,
+                path: "access_token",
+                body: body,
+                body_type: "application/json",
+              ),
+            )
+          rescue ShopifyAPI::Errors::HttpResponseError => error
+            ShopifyAPI::Context.logger.debug("Failed to migrate to expiring offline token: #{error.message}")
+            raise error
+          end
+
+          session_params = T.cast(response.body, T::Hash[String, T.untyped]).to_h
+
+          Session.from(
+            shop: shop,
+            access_token_response: Oauth::AccessTokenResponse.from_hash(session_params),
+          )
+        end
       end
     end
   end

data/lib/shopify_api/clients/http_client.rb

@@ -112,6 +112,8 @@ module ShopifyAPI
       def serialized_error(response)
         body = {}
         body["errors"] = response.body["errors"] if response.body["errors"]
+        body["error"] = response.body["error"] if response.body["error"]
+        body["error_description"] = response.body["error_description"] if response.body["error"]
 
         if response.headers["x-request-id"]
           id = T.must(response.headers["x-request-id"])[0]

data/lib/shopify_api/context.rb

@@ -25,6 +25,7 @@ module ShopifyAPI
     @rest_disabled = T.let(false, T.nilable(T::Boolean))
 
     @rest_resource_loader = T.let(nil, T.nilable(Zeitwerk::Loader))
+    @expiring_offline_access_tokens = T.let(false, T::Boolean)
 
     class << self
       extend T::Sig
@@ -47,6 +48,7 @@ module ShopifyAPI
           api_host: T.nilable(String),
           response_as_struct: T.nilable(T::Boolean),
           rest_disabled: T.nilable(T::Boolean),
+          expiring_offline_access_tokens: T.nilable(T::Boolean),
         ).void
       end
       def setup(
@@ -65,7 +67,8 @@ module ShopifyAPI
         old_api_secret_key: nil,
         api_host: nil,
         response_as_struct: false,
-        rest_disabled: false
+        rest_disabled: false,
+        expiring_offline_access_tokens: false
       )
         unless ShopifyAPI::AdminVersions::SUPPORTED_ADMIN_VERSIONS.include?(api_version)
           raise Errors::UnsupportedVersionError,
@@ -86,6 +89,7 @@ module ShopifyAPI
         @old_api_secret_key = old_api_secret_key
         @response_as_struct = response_as_struct
         @rest_disabled = rest_disabled
+        @expiring_offline_access_tokens = T.must(expiring_offline_access_tokens)
         @log_level = if valid_log_level?(log_level)
           log_level.to_sym
         else
@@ -148,6 +152,9 @@ module ShopifyAPI
       sig { returns(T.nilable(String)) }
       attr_reader :private_shop, :user_agent_prefix, :old_api_secret_key, :host, :api_host
 
+      sig { returns(T::Boolean) }
+      attr_reader :expiring_offline_access_tokens
+
       sig { returns(T::Boolean) }
       def embedded?
         @is_embedded

data/lib/shopify_api/version.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module ShopifyAPI
-  VERSION = "15.0.0"
+  VERSION = "16.0.0"
 end

data/shopify_api.gemspec

@@ -30,7 +30,7 @@ Gem::Specification.new do |s|
 
   s.license = "MIT"
 
-  s.required_ruby_version = ">= 3.0"
+  s.required_ruby_version = ">= 3.2"
 
   s.add_runtime_dependency("activesupport")
   s.add_runtime_dependency("concurrent-ruby")

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: shopify_api
 version: !ruby/object:Gem::Version
-  version: 15.0.0
+  version: 16.0.0
 platform: ruby
 authors:
 - Shopify
@@ -178,6 +178,7 @@ files:
 - BREAKING_CHANGES_FOR_OLDER_VERSIONS.md
 - BREAKING_CHANGES_FOR_V10.md
 - BREAKING_CHANGES_FOR_V15.md
+- BREAKING_CHANGES_FOR_V16.md
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
@@ -211,6 +212,7 @@ files:
 - lib/shopify_api/auth/oauth/access_token_response.rb
 - lib/shopify_api/auth/oauth/auth_query.rb
 - lib/shopify_api/auth/oauth/session_cookie.rb
+- lib/shopify_api/auth/refresh_token.rb
 - lib/shopify_api/auth/session.rb
 - lib/shopify_api/auth/token_exchange.rb
 - lib/shopify_api/clients/graphql/admin.rb
@@ -1441,7 +1443,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '3.0'
+      version: '3.2'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="