shopify_api 9.3.0 → 9.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 73854704f72bca959d915cec44e6c54f794d3d5d60dc97f343f4993a88e08a55
-  data.tar.gz: a85ee03d769fddbbb6f5df673cffedbd5b6f2706c3f3a27ba2096fbde622585e
+  metadata.gz: 933903ae7a032f32236d6ab88916650e03e4b0288f65208babba3141816454ac
+  data.tar.gz: 7260bf183dfe4327d6d94880dd67745bcc0f413576c7c2e95aa143a0e7649721
 SHA512:
-  metadata.gz: d98a3b0c0c57787436e557aa66f3f5d7de4f2373ae7e97eb0dd3283da7935f0c30d561ed690b132c54a7336ad040d25e2be66888892b05e1ca8844ad0eb6266f
-  data.tar.gz: 6d11786b5b42c116370c5696ae8cf43b3ee111a6ab344b3d0d0e7c738510323b74f7d7df6441c9c83dba6286d53218185c41ef211eb5f61b64a95c807ea1c9c9
+  metadata.gz: 5a54d8ee191a8fc3bfa8f11a0df12106ba3b1f46d78d17d4168988e6c56563532ebd1225e076d24e19d90925cc17bc59c1d8cf96be40fd009cacd0251965be9b
+  data.tar.gz: 6463e8c51171d93d226adab9441530397bc334aaabf36fa00ab8a9b0e6128e46fa768957faa132971bf402fc9e3618d8b87f7f45d3f538f545391fbc3fd1da23

data/.github/CODEOWNERS

@@ -1 +1 @@
-*       @shopify/platform-dev-tools-education
+*       @shopify/core-build-learn

data/.github/workflows/build.yml

@@ -12,17 +12,19 @@ jobs:
     strategy:
       matrix:
         version:
-          - 2.4
-          - 2.5
-          - 2.6
-          - 2.7
+          - "2.6"
+          - "2.7"
+          - "3.0"
         gemfile:
           - Gemfile_ar41
           - Gemfile_ar50
           - Gemfile_ar51
-          - Gemfile_ar_master
+          - Gemfile_ar60
+          - Gemfile_ar_main
         exclude:
-          - version: 2.7
+          - version: "2.7"
+            gemfile: Gemfile_ar41
+          - version: "3.0"
             gemfile: Gemfile_ar41
     steps:
       - uses: actions/checkout@v2

data/CHANGELOG.md

@@ -1,3 +1,23 @@
+## Unreleased
+
+## Version 9.5.1
+
+- [#891](https://github.com/Shopify/shopify_api/pull/891) Removed the upper bound on the `activeresource` dependency to allow apps to use the latest version
+
+## Version 9.5
+
+* [#883](https://github.com/Shopify/shopify_api/pull/883) Add support for Ruby 3.0
+
+## Version 9.4.1
+
+* [#847](https://github.com/Shopify/shopify_api/pull/847) Update `create_permission_url` method to use grant_options
+* [#852](https://github.com/Shopify/shopify_api/pull/852) Bumping kramdown to fix a security vulnerability
+
+## Version 9.4.0
+
+* [#843](https://github.com/Shopify/shopify_api/pull/843) Introduce a new `access_scopes` attribute on the Session class.
+  * Specifying this in the Session constructor is optional. By default, this attribute returns `nil`.
+
 ## Version 9.3.0
 
 * [#797](https://github.com/Shopify/shopify_api/pull/797) Release new Endpoint `fulfillment_order.open` and `fulfillment_order.reschedule`.

data/Gemfile.lock

@@ -1,8 +1,8 @@
 PATH
   remote: .
   specs:
-    shopify_api (9.3.0)
-      activeresource (>= 4.1.0, < 6.0.0)
+    shopify_api (9.5.1)
+      activeresource (>= 4.1.0)
       graphql-client
       rack
 
@@ -25,7 +25,7 @@ GEM
       minitest (~> 5.1)
       tzinfo (~> 1.1)
       zeitwerk (~> 2.2, >= 2.2.2)
-    addressable (2.7.0)
+    addressable (2.8.0)
       public_suffix (>= 2.0.2, < 5.0)
     ast (2.4.1)
     builder (3.2.4)
@@ -41,10 +41,10 @@ GEM
     eventmachine (1.2.7)
     ffi (1.12.2)
     forwardable-extended (2.6.0)
-    graphql (1.12.3)
-    graphql-client (0.16.0)
+    graphql (1.13.4)
+    graphql-client (0.17.0)
       activesupport (>= 3.0)
-      graphql (~> 1.8)
+      graphql (~> 1.10)
     hashdiff (1.0.1)
     http_parser.rb (0.6.0)
     i18n (1.8.2)
@@ -68,7 +68,7 @@ GEM
       sassc (> 2.0.1, < 3.0)
     jekyll-watch (2.2.1)
       listen (~> 3.0)
-    kramdown (2.3.0)
+    kramdown (2.3.1)
       rexml
     kramdown-parser-gfm (1.1.0)
       kramdown (~> 2.0)
@@ -78,7 +78,7 @@ GEM
       rb-inotify (~> 0.9, >= 0.9.10)
     mercenary (0.4.0)
     method_source (1.0.0)
-    minitest (5.14.1)
+    minitest (5.14.4)
     mocha (1.11.2)
     parallel (1.19.2)
     parser (2.7.2.0)
@@ -91,7 +91,7 @@ GEM
     pry-byebug (3.9.0)
       byebug (~> 11.0)
       pry (~> 0.13.0)
-    public_suffix (4.0.5)
+    public_suffix (4.0.6)
     rack (2.2.3)
     rainbow (3.0.0)
     rake (13.0.1)
@@ -99,7 +99,7 @@ GEM
     rb-inotify (0.10.1)
       ffi (~> 1.0)
     regexp_parser (1.8.2)
-    rexml (3.2.4)
+    rexml (3.2.5)
     rouge (3.19.0)
     rubocop (0.93.1)
       parallel (~> 1.10)
@@ -137,7 +137,7 @@ PLATFORMS
 DEPENDENCIES
   activeresource (~> 5.1)
   jekyll
-  minitest (>= 4.0)
+  minitest (>= 5.14)
   mocha (>= 1.4.0)
   pry
   pry-byebug
@@ -148,4 +148,4 @@ DEPENDENCIES
   webmock
 
 BUNDLED WITH
-   2.1.4
+   2.2.22

data/Gemfile_ar60

@@ -0,0 +1,5 @@
+source "https://rubygems.org"
+
+gemspec
+
+gem "activeresource", "~> 6.0"

data/README.md

@@ -61,6 +61,8 @@ For more information and detailed documentation about the API visit https://deve
 
 This gem requires Ruby 2.4 as of version 7.0.
 
+**Note**: when we release the next major version, we will be dropping support for Ruby 2.4 and 2.5, which have now reached EOL, as per [the releases page](https://www.ruby-lang.org/en/downloads/branches/).
+
 ## Installation
 
 Add `shopify_api` to your `Gemfile`:
@@ -87,13 +89,13 @@ ShopifyAPI sessions need to be configured with a fully authorized URL of a parti
 
 ### 1) Create an app
 
-First, create a new application in either the partners admin or your store admin. 
+First, create a new application in either the partners admin or your store admin.
 
 **Private apps** are used for merchant-owned scripts and apps that run silently in the background on a single shop. Private apps aren't able to render any content in the admin. Private apps are created through the store admin.
 
 **Custom apps** are also used for a single shop, but they have access to [app extensions](https://shopify.dev/docs/app-extensions) that allow the app to render content in the admin and are managed and created through the partners dashboard.
 
-**Public apps** can be installed on many stores, and can be added to the Shopify App Store to generate revenue for the developer. 
+**Public apps** can be installed on many stores, and can be added to the Shopify App Store to generate revenue for the developer.
 
 For a private app, you'll need the API_KEY and the PASSWORD; otherwise, you'll need the API_KEY and SHARED_SECRET.
 
@@ -112,7 +114,7 @@ For a private App you just need to set the base site url as follows:
    That's it; you're done! Next, skip to step 6 and start using the API!
 
 ### 2B) Public and Custom Apps
-   
+
    For public and custom apps, you will need to supply two parameters to the Session class before you instantiate it:
 
    ```ruby
@@ -130,11 +132,11 @@ Public and Custom apps need an access token from each shop to access that shop's
    ```ruby
    # We need to instantiate the session object before using it
    shopify_session = ShopifyAPI::Session.new(domain: "#{SHOP_NAME}.myshopify.com", api_version: api_version, token: nil)
-   
+
 # Then, create a permission URL with the session
    permission_url = shopify_session.create_permission_url(scope, "https://my_redirect_uri.com", { state: "My Nonce" })
    ```
-   
+
 After creating the permission URL, the user should be directed to this URL to approve the app.
 
 Under the hood, the `create_permission_url` method is preparing the app to make the following request :
@@ -149,7 +151,7 @@ Under the hood, the `create_permission_url` method is preparing the app to make
    * ``scope`` – Required – The list of required scopes (explained here: https://shopify.dev/tutorials/authenticate-with-oauth#scopes)
    * ``redirect_uri`` – Required – The URL where you want to redirect the users after they authorize the client. The complete URL specified here must be identical to one of the Application Redirect URLs set in the app's section of the Partners dashboard.
    * ``state`` – Optional – A randomly selected value provided by your application, which is unique for each authorization request. During the OAuth callback phase, your application must check that this value matches the one you provided during authorization. [This mechanism is essential for the security of your application](https://tools.ietf.org/html/rfc6819#section-3.6).
-   * ``grant_options[]`` - Optional - Set this parameter to `per-user` to receive an access token that respects the user's permission level when making API requests (called online access). We strongly recommend using this parameter for embedded apps.
+   * ``grant_options`` - Optional - Set this parameter to `per-user` to receive an access token that respects the user's permission level when making API requests (called online access). We strongly recommend using this parameter for embedded apps.
 
 ### 4) Trading your `code` for an access token.
 
@@ -167,8 +169,8 @@ Once authorized, the shop redirects the owner to the return URL of your applicat
    token = shopify_session.request_token(params)
    ```
 
-   This method will save the token to the session object and return it. All fields returned by Shopify, other than the access token itself, are stored in the session's `extra` attribute. For a list of all fields returned by Shopify, read [our OAuth documentation](https://shopify.dev/tutorials/authenticate-with-oauth#confirming-installation). 
-   
+   This method will save the token to the session object and return it. All fields returned by Shopify, other than the access token itself, are stored in the session's `extra` attribute. For a list of all fields returned by Shopify, read [our OAuth documentation](https://shopify.dev/tutorials/authenticate-with-oauth#confirming-installation).
+
    If you prefer to exchange the token manually, you can make a POST request to the shop with the following parameters :
 
    ```
@@ -198,7 +200,7 @@ Once authorized, the shop redirects the owner to the return URL of your applicat
    1) The list of scopes in `shopify_session.extra['scope']` is the same as you requested.
    2) If you requested an online-mode access token, `shopify_session.extra['associated_user']` must be present.
    Failing either of these tests means the end-user may have tampered with the URL parameters during the OAuth authentication phase. You should avoid using this access token and revoke it immediately. If you use the [`omniauth-shopify-oauth2`](https://github.com/Shopify/omniauth-shopify-oauth2) gem, these checks are done automatically for you.
-   
+
 ### 5) Activating the session
 
 Once you have a token, simply pass in the `token` and `extra` hash (optional) when creating the session object:
@@ -333,7 +335,7 @@ If you were previously using Shopify's [activeresource fork](https://github.com/
 
 ## Bulk Operations
 
-With the GraphQL Admin API, you can use bulk operations to asynchronously fetch data in bulk. The API is designed to reduce complexity and improve performance when dealing with large volumes of data. 
+With the GraphQL Admin API, you can use bulk operations to asynchronously fetch data in bulk. The API is designed to reduce complexity and improve performance when dealing with large volumes of data.
 
 Instead of manually paginating results and managing a client-side throttle, you can instead run a bulk query operation. Shopify’s infrastructure does the hard work of executing your query, and then provides you with a URL where you can download all of the data.
 
@@ -465,7 +467,7 @@ end
 
 ## Pagination
 
-Shopify uses [Relative cursor-based pagination](https://shopify.dev/tutorials/make-paginated-requests-to-rest-admin-api) to provide more than a single page of results. 
+Shopify uses [Relative cursor-based pagination](https://shopify.dev/tutorials/make-paginated-requests-to-rest-admin-api) to provide more than a single page of results.
 
 ```ruby
 products = ShopifyAPI::Product.find(:all, params: { limit: 50 })
@@ -628,9 +630,9 @@ or you can even use our automated rake task for docker:
 bundle exec rake docker
 ```
 
-# Logging 
+# Logging
 
-Enable ActiveResource's logger with 
+Enable ActiveResource's logger with
 
 `export SHOPIFY_LOG_PATH={your_log_path}`
 

data/dev.yml

@@ -0,0 +1,11 @@
+name: shopify-api
+
+type: ruby
+
+up:
+  - ruby: "3.0"
+  - bundler
+
+commands:
+  test:
+    run: bundle exec rake test

data/lib/active_resource/detailed_log_subscriber.rb

@@ -3,6 +3,9 @@ module ActiveResource
   class DetailedLogSubscriber < ActiveSupport::LogSubscriber
     VERSION_EOL_WARNING_HEADER = 'x-shopify-api-version-warning'
     VERSION_DEPRECATION_HEADER = 'x-shopify-api-deprecated-reason'
+    SHOPIFY_ACCESS_TOKEN = 'X-Shopify-Access-Token'
+    FILTERED = '[FILTERED]'
+
     def request(event)
       log_request_response_details(event)
       warn_on_deprecated_header_or_version_eol_header(event)
@@ -17,6 +20,7 @@ module ActiveResource
     def log_request_response_details(event)
       data = event.payload[:data]
       headers = data.extract_options!
+      headers[SHOPIFY_ACCESS_TOKEN] = FILTERED
       request_body = data.first
 
       info("Request:\n#{request_body}") if request_body

data/lib/shopify_api/hmac_params.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module ShopifyAPI
+  module HmacParams
+    class << self
+      def encode(params)
+        params
+          .except(:signature, :hmac, :action, :controller)
+          .map { |k,v| sprintf("%s=%s", encode_key(k), encode_value(v)) }
+          .sort.join("&")
+      end
+
+      KEY_REGEXP = /([#{Regexp.escape("&=%")}])/n
+      def encode_key(key)
+        _escape(key.to_s, KEY_REGEXP)
+      end
+
+      VALUE_REGEXP = /([#{Regexp.escape("&%")}])/n
+      def encode_value(value)
+        _escape(value.to_s, VALUE_REGEXP)
+      end
+
+      private
+
+      def _escape(str, regex)
+        str = str.b
+        str.gsub!(regex) {"%%%02X" % $1.ord}
+        # %-escaped string should contain US-ASCII only
+        str.force_encoding(Encoding::US_ASCII)
+      end
+    end
+  end
+end

data/lib/shopify_api/session.rb

@@ -13,7 +13,7 @@ module ShopifyAPI
     self.myshopify_domain = 'myshopify.com'
 
     attr_accessor :domain, :token, :name, :extra
-    attr_reader :api_version
+    attr_reader :api_version, :access_scopes
     alias_method :url, :domain
 
     class << self
@@ -71,7 +71,7 @@ module ShopifyAPI
         return false unless (signature = params[:hmac])
 
         calculated_signature = OpenSSL::HMAC.hexdigest(
-          OpenSSL::Digest.new('SHA256'), secret, encoded_params_for_signature(params)
+          OpenSSL::Digest.new('SHA256'), secret, ShopifyAPI::HmacParams.encode(params)
         )
 
         Rack::Utils.secure_compare(calculated_signature, signature)
@@ -79,11 +79,6 @@ module ShopifyAPI
 
       private
 
-      def encoded_params_for_signature(params)
-        params = params.except(:signature, :hmac, :action, :controller)
-        params.map { |k, v| "#{URI.escape(k.to_s, '&=%')}=#{URI.escape(v.to_s, '&%')}" }.sort.join('&')
-      end
-
       def extract_current_session
         site = ShopifyAPI::Base.site.to_s
         token = ShopifyAPI::Base.headers['X-Shopify-Access-Token']
@@ -92,16 +87,18 @@ module ShopifyAPI
       end
     end
 
-    def initialize(domain:, token:, api_version: ShopifyAPI::Base.api_version, extra: {})
+    def initialize(domain:, token:, access_scopes: nil, api_version: ShopifyAPI::Base.api_version, extra: {})
       self.domain = self.class.prepare_domain(domain)
       self.api_version = api_version
       self.token = token
+      self.access_scopes = access_scopes
       self.extra = extra
     end
 
     def create_permission_url(scope, redirect_uri, options = {})
       params = { client_id: api_key, scope: ShopifyAPI::ApiAccess.new(scope).to_s, redirect_uri: redirect_uri }
       params[:state] = options[:state] if options[:state]
+      params["grant_options[]".to_sym] = options[:grant_options] if options[:grant_options]
       construct_oauth_url("authorize", params)
     end
 
@@ -180,8 +177,13 @@ module ShopifyAPI
 
     private
 
+    def access_scopes=(access_scopes)
+      return unless access_scopes
+      @access_scopes = ShopifyAPI::ApiAccess.new(access_scopes)
+    end
+
     def parameterize(params)
-      URI.escape(params.collect { |k, v| "#{k}=#{v}" }.join('&'))
+      URI.encode_www_form(params)
     end
 
     def access_token_request(code)

data/lib/shopify_api/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module ShopifyAPI
-  VERSION = "9.3.0"
+  VERSION = "9.5.1"
 end

data/lib/shopify_api.rb

@@ -12,6 +12,10 @@ require 'active_resource/json_errors'
 require 'shopify_api/paginated_collection'
 require 'shopify_api/disable_prefix_check'
 
+if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.6")
+  puts("\nshopify_api: NOTE: Support for Ruby #{RUBY_VERSION} will be dropped in the next major release. Please update to Ruby 2.6 or newer before updating this gem.\n\n")
+end
+
 module ShopifyAPI
   include Limits
 end
@@ -21,6 +25,7 @@ require 'shopify_api/metafields'
 require 'shopify_api/countable'
 require 'shopify_api/resources'
 require 'shopify_api/session'
+require 'shopify_api/hmac_params'
 require 'shopify_api/api_access'
 require 'shopify_api/message_enricher'
 require 'shopify_api/connection'

data/service.yml

@@ -1,8 +1,5 @@
 audience: partner
 classification: library
-org_line: App & Partner Platform
-owners:
-  - Shopify/app-partner-dev-tools-education
 slack_channels:
-  - dev-tools-education
-  - help-api-patterns
+- core-build-learn
+- help-api-patterns

data/shopify_api.gemspec

@@ -32,13 +32,13 @@ Gem::Specification.new do |s|
 
   s.required_ruby_version = ">= 2.4"
 
-  s.add_runtime_dependency("activeresource", ">= 4.1.0", "< 6.0.0")
+  s.add_runtime_dependency("activeresource", ">= 4.1.0")
   s.add_runtime_dependency("rack")
   s.add_runtime_dependency("graphql-client")
 
   s.add_development_dependency("mocha", ">= 1.4.0")
   s.add_development_dependency("webmock")
-  s.add_development_dependency("minitest", ">= 4.0")
+  s.add_development_dependency("minitest", ">= 5.14")
   s.add_development_dependency("rake")
   s.add_development_dependency("timecop")
   s.add_development_dependency("rubocop-shopify")

data/test/detailed_log_subscriber_test.rb

@@ -14,7 +14,7 @@ class LogSubscriberTest < Test::Unit::TestCase
     @ua_header = "\"User-Agent\"=>\"ShopifyAPI/#{ShopifyAPI::VERSION} " \
       "ActiveResource/#{ActiveResource::VERSION::STRING} Ruby/#{RUBY_VERSION}\""
     @request_headers = "Headers: {\"Accept\"=>\"application/json\", " \
-      "#{@ua_header}, \"X-Shopify-Access-Token\"=>\"access_token\"}"
+      "#{@ua_header}, \"X-Shopify-Access-Token\"=>\"[FILTERED]\"}"
 
     ShopifyAPI::Base.clear_session
     fake(

data/test/fulfillment_order_test.rb

@@ -315,7 +315,7 @@ class FulFillmentOrderTest < Test::Unit::TestCase
           fulfillment_order_line_items: [{ id: 1, quantity: 1 }],
           message: "Fulfill this FO, please.",
         }
-        response_fulfillment_orders = fulfillment_order.request_fulfillment(params)
+        response_fulfillment_orders = fulfillment_order.request_fulfillment(**params)
 
         assert_equal('closed', fulfillment_order.status)
         assert_equal(3, response_fulfillment_orders.size)
@@ -367,7 +367,7 @@ class FulFillmentOrderTest < Test::Unit::TestCase
           fulfillment_order_line_items: [{ id: 1, quantity: 1 }],
           message: "Fulfill this FO, please.",
         }
-        response_fulfillment_orders = fulfillment_order.request_fulfillment(params)
+        response_fulfillment_orders = fulfillment_order.request_fulfillment(**params)
 
         assert_equal('closed', fulfillment_order.status)
         assert_equal(3, response_fulfillment_orders.size)

data/test/hmac_params_test.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+require 'test_helper'
+
+class HmacParamsTest < Test::Unit::TestCase
+  test "cgi param keys are prepared for hmac validation by encoding equals, ampersand, and percent characters" do
+    assert_equal(
+      "abcd%26%3D%251234",
+      ShopifyAPI::HmacParams.encode_key("abcd&=%1234")
+    )
+  end
+
+  test "cgi param values are prepared for hmac validation by encoding ampersand and percent characters" do
+    assert_equal(
+      "abcd%26=%251234",
+      ShopifyAPI::HmacParams.encode_value("abcd&=%1234")
+    )
+  end
+
+  test "cgi params are encoded properly for hmac validation" do
+    assert_equal(
+      "abcd%26%3D%251234=abcd%26=%251234",
+      ShopifyAPI::HmacParams.encode({"abcd&=%1234" => "abcd&=%1234"})
+    )
+  end
+end

data/test/meta_test.rb

@@ -40,8 +40,8 @@ class ApiVersionTest < Test::Unit::TestCase
         "display_name": "unstable",
         "supported": false,
       },
-    ].to_json
+    ].as_json
 
-    assert_equal versions, ShopifyAPI::Meta.admin_versions.to_json
+    assert_equal versions, ShopifyAPI::Meta.admin_versions.as_json
   end
 end

data/test/session_test.rb

@@ -54,6 +54,39 @@ class SessionTest < Test::Unit::TestCase
     assert(session.valid?)
   end
 
+  test "be valid with nil access_scopes" do
+    session = ShopifyAPI::Session.new(
+      domain: "testshop.myshopify.com",
+      token: "any-token",
+      api_version: any_api_version,
+      access_scopes: nil
+    )
+
+    assert(session.valid?)
+  end
+
+  test "be valid with string of access_scopes" do
+    session = ShopifyAPI::Session.new(
+      domain: "testshop.myshopify.com",
+      token: "any-token",
+      api_version: any_api_version,
+      access_scopes: "read_products, write_orders"
+    )
+
+    assert(session.valid?)
+  end
+
+  test "be valid with a collection of access_scopes" do
+    session = ShopifyAPI::Session.new(
+      domain: "testshop.myshopify.com",
+      token: "any-token",
+      api_version: any_api_version,
+      access_scopes: %w(read_products write_orders)
+    )
+
+    assert(session.valid?)
+  end
+
   test "not raise error without params" do
     assert_nothing_raised do
       ShopifyAPI::Session.new(domain: "testshop.myshopify.com", token: "any-token", api_version: any_api_version)
@@ -61,7 +94,7 @@ class SessionTest < Test::Unit::TestCase
   end
 
   test "ignore everything but the subdomain in the shop" do
-    assert_equal(
+    assert_equal_uri(
       "https://testshop.myshopify.com",
       ShopifyAPI::Session.new(
         domain: "http://user:pass@testshop.notshopify.net/path",
@@ -72,7 +105,7 @@ class SessionTest < Test::Unit::TestCase
   end
 
   test "append the myshopify domain if not given" do
-    assert_equal(
+    assert_equal_uri(
       "https://testshop.myshopify.com",
       ShopifyAPI::Session.new(domain: "testshop", token: "any-token", api_version: any_api_version).site
     )
@@ -84,6 +117,36 @@ class SessionTest < Test::Unit::TestCase
     end
   end
 
+  test "provides default nil access_scopes attribute" do
+    session = ShopifyAPI::Session.new(
+      domain: "testshop.myshopify.com",
+      token: "any-token",
+      api_version: any_api_version
+    )
+    assert_nil session.access_scopes
+  end
+
+  test "provides specified nil access_scopes attribute" do
+    session = ShopifyAPI::Session.new(
+      domain: "testshop.myshopify.com",
+      token: "any-token",
+      access_scopes: "read_products",
+      api_version: any_api_version
+    )
+    assert_equal "read_products", session.access_scopes.to_s
+  end
+
+  test "session instantiation raises error if bad access scopes are provided" do
+    assert_raises NoMethodError do
+      ShopifyAPI::Session.new(
+        domain: "testshop.myshopify.com",
+        token: "any-token",
+        access_scopes: { bad_input: "bad_input" },
+        api_version: any_api_version
+      )
+    end
+  end
+
   test "raise error if params passed but signature omitted" do
     assert_raises(ShopifyAPI::ValidationException) do
       session = ShopifyAPI::Session.new(domain: "testshop.myshopify.com", token: nil, api_version: any_api_version)
@@ -220,7 +283,7 @@ class SessionTest < Test::Unit::TestCase
     )
     scope = ["write_products"]
     permission_url = session.create_permission_url(scope, "http://my_redirect_uri.com")
-    assert_equal(
+    assert_equal_uri(
       "https://localhost.myshopify.com/admin/oauth/authorize?client_id=My_test_key&" \
         "scope=write_products&redirect_uri=http://my_redirect_uri.com",
       permission_url
@@ -236,7 +299,7 @@ class SessionTest < Test::Unit::TestCase
     )
     scope = ["write_products", "write_customers"]
     permission_url = session.create_permission_url(scope, "http://my_redirect_uri.com")
-    assert_equal(
+    assert_equal_uri(
       "https://localhost.myshopify.com/admin/oauth/authorize?client_id=My_test_key&" \
         "scope=write_products,write_customers&redirect_uri=http://my_redirect_uri.com",
       permission_url
@@ -252,7 +315,7 @@ class SessionTest < Test::Unit::TestCase
     )
     scope = []
     permission_url = session.create_permission_url(scope, "http://my_redirect_uri.com")
-    assert_equal(
+    assert_equal_uri(
       "https://localhost.myshopify.com/admin/oauth/authorize?client_id=My_test_key&" \
         "scope=&redirect_uri=http://my_redirect_uri.com",
       permission_url
@@ -268,9 +331,25 @@ class SessionTest < Test::Unit::TestCase
     )
     scope = []
     permission_url = session.create_permission_url(scope, "http://my_redirect_uri.com", state: "My nonce")
-    assert_equal(
+    assert_equal_uri(
       "https://localhost.myshopify.com/admin/oauth/authorize?client_id=My_test_key&" \
-        "scope=&redirect_uri=http://my_redirect_uri.com&state=My%20nonce",
+        "scope=&redirect_uri=http://my_redirect_uri.com&state=My+nonce",
+      permission_url
+    )
+  end
+
+  test "create_permission_url returns correct url with grant_options[]" do
+    ShopifyAPI::Session.setup(api_key: "My_test_key", secret: "My test secret")
+    session = ShopifyAPI::Session.new(
+      domain: 'http://localhost.myshopify.com',
+      token: 'any-token',
+      api_version: any_api_version
+    )
+    scope = []
+    permission_url = session.create_permission_url(scope, "http://my_redirect_uri.com", grant_options: "per-user")
+    assert_equal_uri(
+      "https://localhost.myshopify.com/admin/oauth/authorize?client_id=My_test_key&" \
+        "scope=&redirect_uri=http://my_redirect_uri.com&grant_options[]=per-user",
       permission_url
     )
   end
@@ -301,7 +380,7 @@ class SessionTest < Test::Unit::TestCase
       token: "any-token",
       api_version: any_api_version
     )
-    assert_equal("https://testshop.myshopify.com", session.site)
+    assert_equal_uri("https://testshop.myshopify.com", session.site)
   end
 
   test "return_token_if_signature_is_valid" do
@@ -539,6 +618,10 @@ class SessionTest < Test::Unit::TestCase
 
   private
 
+  def assert_equal_uri(expected, actual)
+    assert_equal(Addressable::URI.parse(expected), Addressable::URI.parse(actual))
+  end
+
   def make_sorted_params(params)
     params.with_indifferent_access.except(
       :signature, :hmac, :action, :controller

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_api
 version: !ruby/object:Gem::Version
-  version: 9.3.0
+  version: 9.5.1
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-01-27 00:00:00.000000000 Z
+date: 2022-01-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activeresource
@@ -17,9 +17,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 4.1.0
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 6.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -27,9 +24,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 4.1.0
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 6.0.0
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -92,14 +86,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '5.14'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '5.14'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -198,12 +192,14 @@ files:
 - Gemfile_ar41
 - Gemfile_ar50
 - Gemfile_ar51
-- Gemfile_ar_master
+- Gemfile_ar60
+- Gemfile_ar_main
 - LICENSE
 - README.md
 - RELEASING
 - Rakefile
 - SECURITY.md
+- dev.yml
 - docker-compose.yml
 - docs/_config.yml
 - docs/_includes/footer.html
@@ -225,6 +221,7 @@ files:
 - lib/shopify_api/graphql/http_client.rb
 - lib/shopify_api/graphql/railtie.rb
 - lib/shopify_api/graphql/task.rake
+- lib/shopify_api/hmac_params.rb
 - lib/shopify_api/limits.rb
 - lib/shopify_api/message_enricher.rb
 - lib/shopify_api/meta.rb
@@ -487,6 +484,7 @@ files:
 - test/gift_card_test.rb
 - test/graphql/http_client_test.rb
 - test/graphql_test.rb
+- test/hmac_params_test.rb
 - test/image_test.rb
 - test/inventory_level_test.rb
 - test/lib/webmock_extensions/last_request.rb
@@ -547,7 +545,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.2.20
 signing_key: 
 specification_version: 4
 summary: ShopifyAPI is a lightweight gem for accessing the Shopify admin REST web