shopify_api 9.0.4 → 9.5

data/lib/shopify_api/resources/transaction.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyAPI
   class Transaction < Base
     init_prefix :order

data/lib/shopify_api/resources/usage_charge.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyAPI
   class UsageCharge < Base
     init_prefix :recurring_application_charge

data/lib/shopify_api/resources/user.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyAPI
   class User < Base
   end

data/lib/shopify_api/resources/variant.rb

@@ -1,8 +1,43 @@
+# frozen_string_literal: true
 module ShopifyAPI
   class Variant < Base
     include Metafields
     include DisablePrefixCheck
 
     conditional_prefix :product
+
+    def initialize(*)
+      super
+      attributes.except!('old_inventory_quantity')
+    end
+
+    def inventory_quantity_adjustment=(new_value)
+      raise_deprecated_inventory_call('inventory_quantity_adjustment')
+      super
+    end
+
+    def inventory_quantity=(new_value)
+      raise_deprecated_inventory_call('inventory_quantity')
+      super
+    end
+
+    def old_inventory_quantity=(new_value)
+      raise_deprecated_inventory_call('old_inventory_quantity')
+      super
+    end
+
+    def save
+      attributes.except!('inventory_quantity')
+      super
+    end
+
+    private
+
+    def raise_deprecated_inventory_call(parameter)
+      raise(
+        ShopifyAPI::ValidationException,
+        "'#{parameter}' is deprecated - see https://help.shopify.com/en/api/guides/inventory-migration-guide",
+      )
+    end
   end
 end

data/lib/shopify_api/resources/webhook.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyAPI
   class Webhook < Base
   end

data/lib/shopify_api/resources.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'shopify_api/resources/base'
 require 'shopify_api/resources/array_base'
 Dir.glob("#{File.dirname(__FILE__)}/resources/*").each { |file| require(file) }

data/lib/shopify_api/session.rb

@@ -1,26 +1,27 @@
+# frozen_string_literal: true
 require 'openssl'
 require 'rack'
 
 module ShopifyAPI
-
   class ValidationException < StandardError
   end
 
   class Session
+    SECONDS_IN_A_DAY = 24 * 60 * 60
+
     cattr_accessor :api_key, :secret, :myshopify_domain
     self.myshopify_domain = 'myshopify.com'
 
     attr_accessor :domain, :token, :name, :extra
-    attr_reader :api_version
+    attr_reader :api_version, :access_scopes
     alias_method :url, :domain
 
     class << self
-
       def setup(params)
-        params.each { |k,value| public_send("#{k}=", value) }
+        params.each { |k, value| public_send("#{k}=", value) }
       end
 
-      def temp(domain:, token:, api_version:, &block)
+      def temp(domain:, token:, api_version: ShopifyAPI::Base.api_version, &block)
         session = new(domain: domain, token: token, api_version: api_version)
 
         with_session(session, &block)
@@ -28,12 +29,17 @@ module ShopifyAPI
 
       def with_session(session, &_block)
         original_session = extract_current_session
+        original_user = ShopifyAPI::Base.user
+        original_password = ShopifyAPI::Base.password
 
         begin
+          ShopifyAPI::Base.clear_session
           ShopifyAPI::Base.activate_session(session)
           yield
         ensure
           ShopifyAPI::Base.activate_session(original_session)
+          ShopifyAPI::Base.user = original_user
+          ShopifyAPI::Base.password = original_password
         end
       end
 
@@ -51,7 +57,7 @@ module ShopifyAPI
         # extract host, removing any username, password or path
         shop = URI.parse("https://#{domain}").host
         # extract subdomain of .myshopify.com
-        if idx = shop.index(".")
+        if (idx = shop.index("."))
           shop = shop.slice(0, idx)
         end
         return nil if shop.empty?
@@ -62,20 +68,17 @@ module ShopifyAPI
 
       def validate_signature(params)
         params = (params.respond_to?(:to_unsafe_hash) ? params.to_unsafe_hash : params).with_indifferent_access
-        return false unless signature = params[:hmac]
+        return false unless (signature = params[:hmac])
 
-        calculated_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new(), secret, encoded_params_for_signature(params))
+        calculated_signature = OpenSSL::HMAC.hexdigest(
+          OpenSSL::Digest.new('SHA256'), secret, ShopifyAPI::HmacParams.encode(params)
+        )
 
         Rack::Utils.secure_compare(calculated_signature, signature)
       end
 
       private
 
-      def encoded_params_for_signature(params)
-        params = params.except(:signature, :hmac, :action, :controller)
-        params.map{|k,v| "#{URI.escape(k.to_s, '&=%')}=#{URI.escape(v.to_s, '&%')}"}.sort.join('&')
-      end
-
       def extract_current_session
         site = ShopifyAPI::Base.site.to_s
         token = ShopifyAPI::Base.headers['X-Shopify-Access-Token']
@@ -84,23 +87,26 @@ module ShopifyAPI
       end
     end
 
-    def initialize(domain:, token:, api_version:, extra: {})
+    def initialize(domain:, token:, access_scopes: nil, api_version: ShopifyAPI::Base.api_version, extra: {})
       self.domain = self.class.prepare_domain(domain)
       self.api_version = api_version
       self.token = token
+      self.access_scopes = access_scopes
       self.extra = extra
     end
 
     def create_permission_url(scope, redirect_uri, options = {})
-      params = { client_id: api_key, scope: scope.join(','), redirect_uri: redirect_uri }
+      params = { client_id: api_key, scope: ShopifyAPI::ApiAccess.new(scope).to_s, redirect_uri: redirect_uri }
       params[:state] = options[:state] if options[:state]
+      params["grant_options[]".to_sym] = options[:grant_options] if options[:grant_options]
       construct_oauth_url("authorize", params)
     end
 
     def request_token(params)
       return token if token
 
-      unless self.class.validate_signature(params) && params[:timestamp].to_i > 24.hours.ago.utc.to_i
+      twenty_four_hours_ago = Time.now.utc.to_i - SECONDS_IN_A_DAY
+      unless self.class.validate_signature(params) && params[:timestamp].to_i > twenty_four_hours_ago
         raise ShopifyAPI::ValidationException, "Invalid Signature: Possible malicious login"
       end
 
@@ -109,12 +115,12 @@ module ShopifyAPI
         self.extra = JSON.parse(response.body)
         self.token = extra.delete('access_token')
 
-        if expires_in = extra.delete('expires_in')
+        if (expires_in = extra.delete('expires_in'))
           extra['expires_at'] = Time.now.utc.to_i + expires_in
         end
         token
       else
-        raise RuntimeError, response.msg
+        raise response.msg
       end
     end
 
@@ -127,7 +133,11 @@ module ShopifyAPI
     end
 
     def api_version=(version)
-      @api_version = ApiVersion::NullVersion.matches?(version) ? ApiVersion::NullVersion : ApiVersion.find_version(version)
+      @api_version = if ApiVersion::NullVersion.matches?(version)
+        ApiVersion::NullVersion
+      else
+        ApiVersion.find_version(version)
+      end
     end
 
     def valid?
@@ -149,10 +159,31 @@ module ShopifyAPI
       expires_in <= 0
     end
 
+    def hash
+      state.hash
+    end
+
+    def ==(other)
+      self.class == other.class && state == other.state
+    end
+
+    alias_method :eql?, :==
+
+    protected
+
+    def state
+      [domain, token, api_version, extra]
+    end
+
     private
 
+    def access_scopes=(access_scopes)
+      return unless access_scopes
+      @access_scopes = ShopifyAPI::ApiAccess.new(access_scopes)
+    end
+
     def parameterize(params)
-      URI.escape(params.collect { |k, v| "#{k}=#{v}" }.join('&'))
+      URI.encode_www_form(params)
     end
 
     def access_token_request(code)

data/lib/shopify_api/version.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyAPI
-  VERSION = "9.0.4"
+  VERSION = "9.5"
 end

data/lib/shopify_api.rb

@@ -1,4 +1,5 @@
-$:.unshift File.dirname(__FILE__)
+# frozen_string_literal: true
+$:.unshift(File.dirname(__FILE__))
 require 'active_resource'
 require 'active_support/core_ext/class/attribute_accessors'
 require 'digest/md5'
@@ -20,6 +21,8 @@ require 'shopify_api/metafields'
 require 'shopify_api/countable'
 require 'shopify_api/resources'
 require 'shopify_api/session'
+require 'shopify_api/hmac_params'
+require 'shopify_api/api_access'
 require 'shopify_api/message_enricher'
 require 'shopify_api/connection'
 require 'shopify_api/pagination_link_headers'
@@ -31,3 +34,8 @@ if ShopifyAPI::Base.respond_to?(:connection_class)
 else
   require 'active_resource/connection_ext'
 end
+
+if ENV["SHOPIFY_LOG_PATH"]
+  ActiveResource::Base.logger = Logger.new(ENV["SHOPIFY_LOG_PATH"])
+  ActiveResource::DetailedLogSubscriber.attach_to(:active_resource_detailed)
+end

data/lib/verify_docs.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+class VerifyDocs
+  def self.call
+    readme_content = File.read("README.md").lines[2..-1]
+    docs_content = File.read("docs/index.md").lines[4..-1]
+    readme_content == docs_content
+  end
+end

data/service.yml

@@ -1,8 +1,5 @@
 audience: partner
 classification: library
-org_line: App & Partner Platform
-owners:
-  - Shopify/app-partner-dev-tools-education
 slack_channels:
-  - dev-tools-education
-  - api-patterns-team
+- core-build-learn
+- help-api-patterns

data/shopify_api.gemspec

@@ -1,4 +1,5 @@
-$:.push File.expand_path("../lib", __FILE__)
+# frozen_string_literal: true
+$:.push(File.expand_path("../lib", __FILE__))
 require "shopify_api/version"
 
 Gem::Specification.new do |s|
@@ -7,7 +8,12 @@ Gem::Specification.new do |s|
   s.author = "Shopify"
 
   s.summary = %q{The Shopify API gem is a lightweight gem for accessing the Shopify admin REST web services}
-  s.description = %q{The Shopify API gem allows Ruby developers to programmatically access the admin section of Shopify stores. The API is implemented as JSON or XML over HTTP using all four verbs (GET/POST/PUT/DELETE). Each resource, like Order, Product, or Collection, has its own URL and is manipulated in isolation.}
+  s.description = <<~HERE
+    The Shopify API gem allows Ruby developers to programmatically access the admin
+    section of Shopify stores. The API is implemented as JSON or XML over HTTP using
+    all four verbs (GET/POST/PUT/DELETE). Each resource, like Order, Product, or
+    Collection, has its own URL and is manipulated in isolation.
+  HERE
   s.email = %q{developers@jadedpixel.com}
   s.homepage = %q{http://www.shopify.com/partners/apps}
 
@@ -15,11 +21,10 @@ Gem::Specification.new do |s|
 
   s.extra_rdoc_files = [
     "LICENSE",
-    "README.md"
+    "README.md",
   ]
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test}/*`.split("\n")
-  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
 
   s.rdoc_options = ["--charset=UTF-8"]
   s.summary = %q{ShopifyAPI is a lightweight gem for accessing the Shopify admin REST web services}
@@ -30,13 +35,14 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency("activeresource", ">= 4.1.0", "< 6.0.0")
   s.add_runtime_dependency("rack")
   s.add_runtime_dependency("graphql-client")
+  s.add_runtime_dependency("webrick")
 
-  s.add_development_dependency("mocha", ">= 0.9.8")
+  s.add_development_dependency("mocha", ">= 1.4.0")
   s.add_development_dependency("webmock")
-  s.add_development_dependency("minitest", ">= 4.0")
+  s.add_development_dependency("minitest", ">= 5.14")
   s.add_development_dependency("rake")
   s.add_development_dependency("timecop")
-  s.add_development_dependency("rubocop")
+  s.add_development_dependency("rubocop-shopify")
   s.add_development_dependency("pry")
   s.add_development_dependency("pry-byebug")
 end

data/test/access_token_test.rb

@@ -1,19 +1,20 @@
+# frozen_string_literal: true
 require 'test_helper'
 
 class AccessTokenTest < Test::Unit::TestCase
-
   def test_delegate_access_token
-    fake "access_tokens/delegate.json?delegate_access_scope%5B%5D=write_orders&" \
+    fake(
+      "access_tokens/delegate.json?delegate_access_scope%5B%5D=write_orders&" \
       "delegate_access_scope%5B%5D=read_products&expires_in=",
       method: :post,
       status: 201,
       body: load_fixture('access_token_delegate'),
       extension: false
-
+    )
     delegate_scope = ['write_orders', 'read_products']
     token = ShopifyAPI::AccessToken.delegate(delegate_scope)
 
-    assert_equal 'abracadabra', token.access_token
-    assert_equal 'write_orders,read_products', token.scope
+    assert_equal('abracadabra', token.access_token)
+    assert_equal('write_orders,read_products', token.scope)
   end
 end

data/test/active_resource/json_errors_test.rb

@@ -1,19 +1,19 @@
+# frozen_string_literal: true
 require 'test_helper'
 
 module ActiveResource
   class JsonErrorsTest < Test::Unit::TestCase
-
     def test_parsing_of_error_json_hash
       @model = ShopifyAPI::Order.new
-      @model.errors.from_json({errors: {name: ['missing']}}.to_json)
-      assert_equal ['missing'], @model.errors[:name]
+      @model.errors.from_json({ errors: { name: ['missing'] } }.to_json)
+      assert_equal(['missing'], @model.errors[:name])
     end
 
     def test_parsing_of_error_json_plain_string
       @model = ShopifyAPI::Order.new
-      @model.errors.from_json({errors: 'some generic error'}.to_json)
-      assert_equal ['some generic error'], @model.errors[:base]
-      assert_equal 'some generic error', @model.errors.full_messages.to_sentence
+      @model.errors.from_json({ errors: 'some generic error' }.to_json)
+      assert_equal(['some generic error'], @model.errors[:base])
+      assert_equal('some generic error', @model.errors.full_messages.to_sentence)
     end
   end
 end

data/test/api_access_test.rb

@@ -0,0 +1,153 @@
+# frozen_string_literal: true
+require 'test_helper'
+
+class ApiAccessTest < Minitest::Test
+  def test_write_is_the_same_access_as_read_write_on_the_same_resource
+    read_write_orders = ShopifyAPI::ApiAccess.new(%w(read_orders write_orders))
+    write_orders = ShopifyAPI::ApiAccess.new(%w(write_orders))
+
+    assert_equal write_orders, read_write_orders
+  end
+
+  def test_write_is_the_same_access_as_read_write_on_the_same_unauthenticated_resource
+    unauthenticated_read_write_orders = ShopifyAPI::ApiAccess.new(%w(unauthenticated_read_orders unauthenticated_write_orders))
+    unauthenticated_write_orders = ShopifyAPI::ApiAccess.new(%w(unauthenticated_write_orders))
+
+    assert_equal unauthenticated_write_orders, unauthenticated_read_write_orders
+  end
+
+  def test_read_is_not_the_same_as_read_write_on_the_same_resource
+    read_orders = ShopifyAPI::ApiAccess.new(%w(read_orders))
+    read_write_orders = ShopifyAPI::ApiAccess.new(%w(write_orders read_orders))
+
+    refute_equal read_write_orders, read_orders
+  end
+
+  def test_two_different_resources_are_not_equal
+    read_orders = ShopifyAPI::ApiAccess.new(%w(read_orders))
+    read_products = ShopifyAPI::ApiAccess.new(%w(read_products))
+
+    refute_equal read_orders, read_products
+  end
+
+  def test_two_identical_scopes_are_equal
+    read_orders = ShopifyAPI::ApiAccess.new(%w(read_orders))
+    read_orders_identical = ShopifyAPI::ApiAccess.new(%w(read_orders))
+
+    assert_equal read_orders_identical, read_orders
+  end
+
+  def test_unauthenticated_is_not_implied_by_authenticated_access
+    unauthenticated_orders = ShopifyAPI::ApiAccess.new(%w(unauthenticated_read_orders))
+    authenticated_read_orders = ShopifyAPI::ApiAccess.new(%w(read_orders))
+    authenticated_write_orders = ShopifyAPI::ApiAccess.new(%w(write_orders))
+
+    refute_equal unauthenticated_orders, authenticated_read_orders
+    refute_equal unauthenticated_orders, authenticated_write_orders
+  end
+
+  def test_scopes_covers_is_truthy_for_same_scopes
+    read_orders = ShopifyAPI::ApiAccess.new(%w(read_orders))
+    read_orders_identical = ShopifyAPI::ApiAccess.new(%w(read_orders))
+
+    assert read_orders.covers?(read_orders_identical)
+  end
+
+  def test_covers_is_falsy_for_different_scopes
+    read_orders = ShopifyAPI::ApiAccess.new(%w(read_orders))
+    read_products = ShopifyAPI::ApiAccess.new(%w(read_products))
+
+    refute read_orders.covers?(read_products)
+  end
+
+  def test_covers_is_truthy_for_read_when_the_set_has_read_write
+    write_products = ShopifyAPI::ApiAccess.new(%w(write_products))
+    read_products = ShopifyAPI::ApiAccess.new(%w(read_products))
+
+    assert write_products.covers?(read_products)
+  end
+
+  def test_covers_is_truthy_for_read_when_the_set_has_read_write_for_that_resource_and_others
+    write_products_and_orders = ShopifyAPI::ApiAccess.new(%w(write_products, write_orders))
+    read_orders = ShopifyAPI::ApiAccess.new(%w(read_orders))
+
+    assert write_products_and_orders.covers?(read_orders)
+  end
+
+  def test_covers_is_truthy_for_write_when_the_set_has_read_write_for_that_resource_and_others
+    write_products_and_orders = ShopifyAPI::ApiAccess.new(%w(write_products, write_orders))
+    write_orders = ShopifyAPI::ApiAccess.new(%w(write_orders))
+
+    assert write_products_and_orders.covers?(write_orders)
+  end
+
+  def test_covers_is_truthy_for_subset_of_scopes
+    write_products_orders_customers = ShopifyAPI::ApiAccess.new(%w(write_products write_orders write_customers))
+    write_orders_products = ShopifyAPI::ApiAccess.new(%w(write_orders read_products))
+
+    assert write_products_orders_customers.covers?(write_orders_products)
+  end
+
+  def test_covers_is_falsy_for_sets_of_scopes_that_have_no_common_elements
+    write_products_orders_customers = ShopifyAPI::ApiAccess.new(%w(write_products write_orders write_customers))
+    write_images_read_content = ShopifyAPI::ApiAccess.new(%w(write_images read_content))
+
+    refute write_products_orders_customers.covers?(write_images_read_content)
+  end
+
+  def test_covers_is_falsy_for_sets_of_scopes_that_have_only_some_common_access
+    write_products_orders_customers = ShopifyAPI::ApiAccess.new(%w(write_products write_orders write_customers))
+    write_products_read_content = ShopifyAPI::ApiAccess.new(%w(write_products read_content))
+
+    refute write_products_orders_customers.covers?(write_products_read_content)
+  end
+
+  def test_duplicate_scopes_resolve_to_one_scope
+    read_orders_duplicated = ShopifyAPI::ApiAccess.new(%w(read_orders read_orders read_orders read_orders))
+    read_orders = ShopifyAPI::ApiAccess.new(%w(read_orders))
+
+    assert_equal read_orders, read_orders_duplicated
+  end
+
+  def test_to_s_outputs_scopes_as_a_comma_separated_list_without_implied_read_scopes
+    serialized_read_products_write_orders = "read_products,write_orders"
+    read_products_write_orders = ShopifyAPI::ApiAccess.new(%w(read_products read_orders write_orders))
+
+    assert_equal read_products_write_orders.to_s, serialized_read_products_write_orders
+  end
+
+  def test_to_a_outputs_scopes_as_an_array_of_strings_without_implied_read_scopes
+    serialized_read_products_write_orders = %w(write_orders read_products)
+    read_products_write_orders = ShopifyAPI::ApiAccess.new(%w(read_products read_orders write_orders))
+
+    assert_equal read_products_write_orders.to_a.sort, serialized_read_products_write_orders.sort
+  end
+
+  def test_creating_scopes_removes_extra_whitespace_from_scope_name_and_blank_scope_names
+    deserialized_read_products_write_orders = ShopifyAPI::ApiAccess.new([' read_products', '  ', 'write_orders '])
+    serialized_read_products_write_orders = deserialized_read_products_write_orders.to_s
+    expected_read_products_write_orders = ShopifyAPI::ApiAccess.new(%w(read_products write_orders))
+
+    assert_equal expected_read_products_write_orders, ShopifyAPI::ApiAccess.new(serialized_read_products_write_orders)
+  end
+
+  def test_creating_scopes_from_a_string_works_with_a_comma_separated_list
+    deserialized_read_products_write_orders = ShopifyAPI::ApiAccess.new("read_products,write_orders")
+    serialized_read_products_write_orders = deserialized_read_products_write_orders.to_s
+    expected_read_products_write_orders = ShopifyAPI::ApiAccess.new(%w(read_products write_orders))
+
+    assert_equal expected_read_products_write_orders, ShopifyAPI::ApiAccess.new(serialized_read_products_write_orders)
+  end
+
+  def test_using_to_s_from_one_scopes_to_construct_another_will_be_equal
+    read_products_write_orders = ShopifyAPI::ApiAccess.new(%w(read_products write_orders))
+
+    assert_equal read_products_write_orders, ShopifyAPI::ApiAccess.new(read_products_write_orders.to_s)
+  end
+
+  def test_using_to_a_from_one_scopes_to_construct_another_will_be_equal
+    read_products_write_orders = ShopifyAPI::ApiAccess.new(%w(read_products write_orders))
+
+    assert_equal read_products_write_orders, ShopifyAPI::ApiAccess.new(read_products_write_orders.to_a)
+  end
+end

data/test/api_version_test.rb

@@ -45,7 +45,7 @@ class ApiVersionTest < Test::Unit::TestCase
   test "find_version does raise when coercing a string if no versions are defined when version_lookup_mode is :raise_on_unknown" do
     refute ShopifyAPI::ApiVersion.versions['made up version']
     ShopifyAPI::ApiVersion.version_lookup_mode = :raise_on_unknown
-    assert_raises ShopifyAPI::ApiVersion::UnknownVersion do
+    assert_raises(ShopifyAPI::ApiVersion::UnknownVersion) do
       ShopifyAPI::ApiVersion.find_version('made up version')
     end
   end
@@ -54,7 +54,7 @@ class ApiVersionTest < Test::Unit::TestCase
     ShopifyAPI::ApiVersion.clear_known_versions
     ShopifyAPI::ApiVersion.version_lookup_mode = :define_on_unknown
     assert_equal :define_on_unknown, ShopifyAPI::ApiVersion.version_lookup_mode
-    assert_raises ArgumentError do
+    assert_raises(ArgumentError) do
       ShopifyAPI::ApiVersion.find_version(ShopifyAPI::ApiVersion::NullVersion)
     end
   end
@@ -108,7 +108,6 @@ class ApiVersionTest < Test::Unit::TestCase
       }
     )
     silence_warnings do
-
       refute_equal(
         ShopifyAPI::ApiVersion.new(handle: '2019-01'),
         ShopifyAPI::ApiVersion.latest_stable_version
@@ -151,6 +150,7 @@ class ApiVersionTest < Test::Unit::TestCase
 
   class TestApiVersion < ShopifyAPI::ApiVersion
     def initialize(name)
+      super(name)
       @version_name = name
     end
   end