RubyGems - shopify_app - Versions diffs - 13.5.0 - Mend

shopify_app 13.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (156) hide show

checksums.yaml +7 -0
data/.babelrc +5 -0
data/.github/CODEOWNERS +1 -0
data/.github/ISSUE_TEMPLATE.md +14 -0
data/.github/PULL_REQUEST_TEMPLATE.md +6 -0
data/.github/probots.yml +2 -0
data/.github/workflows/rubocop.yml +28 -0
data/.gitignore +16 -0
data/.nvmrc +1 -0
data/.rubocop.yml +17 -0
data/.ruby-version +1 -0
data/.travis.yml +28 -0
data/CHANGELOG.md +505 -0
data/Gemfile +11 -0
data/LICENSE +19 -0
data/README.md +620 -0
data/Rakefile +7 -0
data/SECURITY.md +59 -0
data/app/assets/images/storage_access.svg +2 -0
data/app/assets/javascripts/shopify_app/enable_cookies.js +3 -0
data/app/assets/javascripts/shopify_app/itp_helper.js +40 -0
data/app/assets/javascripts/shopify_app/partition_cookies.js +8 -0
data/app/assets/javascripts/shopify_app/redirect.js +33 -0
data/app/assets/javascripts/shopify_app/request_storage_access.js +3 -0
data/app/assets/javascripts/shopify_app/storage_access.js +153 -0
data/app/assets/javascripts/shopify_app/storage_access_redirect.js +17 -0
data/app/assets/javascripts/shopify_app/top_level.js +2 -0
data/app/assets/javascripts/shopify_app/top_level_interaction.js +11 -0
data/app/controllers/concerns/shopify_app/authenticated.rb +16 -0
data/app/controllers/concerns/shopify_app/require_known_shop.rb +39 -0
data/app/controllers/shopify_app/authenticated_controller.rb +8 -0
data/app/controllers/shopify_app/callback_controller.rb +140 -0
data/app/controllers/shopify_app/extension_verification_controller.rb +15 -0
data/app/controllers/shopify_app/sessions_controller.rb +184 -0
data/app/controllers/shopify_app/webhooks_controller.rb +37 -0
data/app/views/shopify_app/partials/_button_styles.html.erb +104 -0
data/app/views/shopify_app/partials/_card_styles.html.erb +33 -0
data/app/views/shopify_app/partials/_empty_state_styles.html.erb +129 -0
data/app/views/shopify_app/partials/_layout_styles.html.erb +167 -0
data/app/views/shopify_app/partials/_typography_styles.html.erb +35 -0
data/app/views/shopify_app/sessions/enable_cookies.html.erb +75 -0
data/app/views/shopify_app/sessions/new.html.erb +123 -0
data/app/views/shopify_app/sessions/request_storage_access.html.erb +68 -0
data/app/views/shopify_app/sessions/top_level_interaction.html.erb +64 -0
data/app/views/shopify_app/shared/redirect.html.erb +23 -0
data/config/locales/cs.yml +23 -0
data/config/locales/da.yml +20 -0
data/config/locales/de.yml +22 -0
data/config/locales/en.yml +15 -0
data/config/locales/es.yml +22 -0
data/config/locales/fi.yml +20 -0
data/config/locales/fr.yml +23 -0
data/config/locales/hi.yml +23 -0
data/config/locales/it.yml +21 -0
data/config/locales/ja.yml +17 -0
data/config/locales/ko.yml +19 -0
data/config/locales/ms.yml +22 -0
data/config/locales/nb.yml +21 -0
data/config/locales/nl.yml +21 -0
data/config/locales/pl.yml +21 -0
data/config/locales/pt-BR.yml +21 -0
data/config/locales/pt-PT.yml +22 -0
data/config/locales/sv.yml +21 -0
data/config/locales/th.yml +20 -0
data/config/locales/tr.yml +22 -0
data/config/locales/zh-CN.yml +16 -0
data/config/locales/zh-TW.yml +16 -0
data/config/routes.rb +23 -0
data/docs/Quickstart.md +93 -0
data/docs/Releasing.md +18 -0
data/docs/Troubleshooting.md +16 -0
data/docs/install-on-dev-shop.png +0 -0
data/docs/test-your-app.png +0 -0
data/images/app-proxy-screenshot.png +0 -0
data/karma.conf.js +44 -0
data/lib/generators/shopify_app/add_after_authenticate_job/add_after_authenticate_job_generator.rb +47 -0
data/lib/generators/shopify_app/add_after_authenticate_job/templates/after_authenticate_job.rb +11 -0
data/lib/generators/shopify_app/add_marketing_activity_extension/add_marketing_activity_extension_generator.rb +40 -0
data/lib/generators/shopify_app/add_marketing_activity_extension/templates/marketing_activities_controller.rb +62 -0
data/lib/generators/shopify_app/add_webhook/add_webhook_generator.rb +69 -0
data/lib/generators/shopify_app/add_webhook/templates/webhook_job.rb.tt +13 -0
data/lib/generators/shopify_app/app_proxy_controller/app_proxy_controller_generator.rb +26 -0
data/lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_controller.rb +8 -0
data/lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_route.rb +11 -0
data/lib/generators/shopify_app/app_proxy_controller/templates/index.html.erb +19 -0
data/lib/generators/shopify_app/authenticated_controller/authenticated_controller_generator.rb +15 -0
data/lib/generators/shopify_app/authenticated_controller/templates/authenticated_controller.rb +5 -0
data/lib/generators/shopify_app/controllers/controllers_generator.rb +30 -0
data/lib/generators/shopify_app/home_controller/home_controller_generator.rb +26 -0
data/lib/generators/shopify_app/home_controller/templates/home_controller.rb +8 -0
data/lib/generators/shopify_app/home_controller/templates/index.html.erb +21 -0
data/lib/generators/shopify_app/install/install_generator.rb +83 -0
data/lib/generators/shopify_app/install/templates/_flash_messages.html.erb +3 -0
data/lib/generators/shopify_app/install/templates/embedded_app.html.erb +41 -0
data/lib/generators/shopify_app/install/templates/flash_messages.js +24 -0
data/lib/generators/shopify_app/install/templates/omniauth.rb +3 -0
data/lib/generators/shopify_app/install/templates/session_store.rb +4 -0
data/lib/generators/shopify_app/install/templates/shopify_app.js +15 -0
data/lib/generators/shopify_app/install/templates/shopify_app.rb.tt +15 -0
data/lib/generators/shopify_app/install/templates/shopify_app_index.js +2 -0
data/lib/generators/shopify_app/install/templates/shopify_provider.rb +20 -0
data/lib/generators/shopify_app/install/templates/user_agent.rb +6 -0
data/lib/generators/shopify_app/rotate_shopify_token_job/rotate_shopify_token_job_generator.rb +16 -0
data/lib/generators/shopify_app/rotate_shopify_token_job/templates/rotate_shopify_token.rake +17 -0
data/lib/generators/shopify_app/rotate_shopify_token_job/templates/rotate_shopify_token_job.rb +42 -0
data/lib/generators/shopify_app/routes/routes_generator.rb +32 -0
data/lib/generators/shopify_app/routes/templates/routes.rb +12 -0
data/lib/generators/shopify_app/shop_model/shop_model_generator.rb +43 -0
data/lib/generators/shopify_app/shop_model/templates/db/migrate/create_shops.erb +15 -0
data/lib/generators/shopify_app/shop_model/templates/shop.rb +8 -0
data/lib/generators/shopify_app/shop_model/templates/shops.yml +3 -0
data/lib/generators/shopify_app/shopify_app_generator.rb +18 -0
data/lib/generators/shopify_app/user_model/templates/db/migrate/create_users.erb +16 -0
data/lib/generators/shopify_app/user_model/templates/user.rb +8 -0
data/lib/generators/shopify_app/user_model/templates/users.yml +4 -0
data/lib/generators/shopify_app/user_model/user_model_generator.rb +43 -0
data/lib/generators/shopify_app/views/views_generator.rb +30 -0
data/lib/shopify_app.rb +61 -0
data/lib/shopify_app/configuration.rb +94 -0
data/lib/shopify_app/controller_concerns/app_proxy_verification.rb +38 -0
data/lib/shopify_app/controller_concerns/csrf_protection.rb +15 -0
data/lib/shopify_app/controller_concerns/embedded_app.rb +20 -0
data/lib/shopify_app/controller_concerns/itp.rb +45 -0
data/lib/shopify_app/controller_concerns/localization.rb +23 -0
data/lib/shopify_app/controller_concerns/login_protection.rb +231 -0
data/lib/shopify_app/controller_concerns/payload_verification.rb +24 -0
data/lib/shopify_app/controller_concerns/webhook_verification.rb +23 -0
data/lib/shopify_app/engine.rb +25 -0
data/lib/shopify_app/jobs/scripttags_manager_job.rb +16 -0
data/lib/shopify_app/jobs/webhooks_manager_job.rb +16 -0
data/lib/shopify_app/managers/scripttags_manager.rb +78 -0
data/lib/shopify_app/managers/webhooks_manager.rb +62 -0
data/lib/shopify_app/middleware/jwt_middleware.rb +42 -0
data/lib/shopify_app/middleware/same_site_cookie_middleware.rb +34 -0
data/lib/shopify_app/session/in_memory_session_store.rb +31 -0
data/lib/shopify_app/session/in_memory_shop_session_store.rb +14 -0
data/lib/shopify_app/session/in_memory_user_session_store.rb +14 -0
data/lib/shopify_app/session/jwt.rb +61 -0
data/lib/shopify_app/session/null_user_session_store.rb +22 -0
data/lib/shopify_app/session/session_repository.rb +56 -0
data/lib/shopify_app/session/session_storage.rb +20 -0
data/lib/shopify_app/session/shop_session_storage.rb +42 -0
data/lib/shopify_app/session/user_session_storage.rb +42 -0
data/lib/shopify_app/test_helpers/all.rb +2 -0
data/lib/shopify_app/test_helpers/webhook_verification_helper.rb +17 -0
data/lib/shopify_app/utils.rb +24 -0
data/lib/shopify_app/version.rb +4 -0
data/package-lock.json +7177 -0
data/package.json +28 -0
data/service.yml +7 -0
data/shipit.rubygems.yml +4 -0
data/shopify_app.gemspec +37 -0
data/translation.yml +7 -0
data/webpack.config.js +24 -0
data/yarn.lock +5263 -0
metadata +420 -0

data/lib/shopify_app/jobs/scripttags_manager_job.rb ADDED

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class ScripttagsManagerJob < ActiveJob::Base
+    queue_as do
+      ShopifyApp.configuration.scripttags_manager_queue_name
+    end
+    def perform(shop_domain:, shop_token:, scripttags:)
+      api_version = ShopifyApp.configuration.api_version
+      ShopifyAPI::Session.temp(domain: shop_domain, token: shop_token, api_version: api_version) do
+        manager = ScripttagsManager.new(scripttags, shop_domain)
+        manager.create_scripttags
+      end
+    end
+  end
+end

data/lib/shopify_app/jobs/webhooks_manager_job.rb ADDED

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class WebhooksManagerJob < ActiveJob::Base
+    queue_as do
+      ShopifyApp.configuration.webhooks_manager_queue_name
+    end
+    def perform(shop_domain:, shop_token:, webhooks:)
+      api_version = ShopifyApp.configuration.api_version
+      ShopifyAPI::Session.temp(domain: shop_domain, token: shop_token, api_version: api_version) do
+        manager = WebhooksManager.new(webhooks)
+        manager.create_webhooks
+      end
+    end
+  end
+end

data/lib/shopify_app/managers/scripttags_manager.rb ADDED

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class ScripttagsManager
+    class CreationFailed < StandardError; end
+    def self.queue(shop_domain, shop_token, scripttags)
+      ShopifyApp::ScripttagsManagerJob.perform_later(
+        shop_domain: shop_domain,
+        shop_token: shop_token,
+        # Procs cannot be serialized so we interpolate now, if necessary
+        scripttags: build_src(scripttags, shop_domain)
+      )
+    end
+    def self.build_src(scripttags, domain)
+      scripttags.map do |tag|
+        next tag unless tag[:src].respond_to?(:call)
+        tag = tag.dup
+        tag[:src] = tag[:src].call(domain)
+        tag
+      end
+    end
+    attr_reader :required_scripttags, :shop_domain
+    def initialize(scripttags, shop_domain)
+      @required_scripttags = scripttags
+      @shop_domain = shop_domain
+    end
+    def recreate_scripttags!
+      destroy_scripttags
+      create_scripttags
+    end
+    def create_scripttags
+      return unless required_scripttags.present?
+      expanded_scripttags.each do |scripttag|
+        create_scripttag(scripttag) unless scripttag_exists?(scripttag[:src])
+      end
+    end
+    def destroy_scripttags
+      scripttags = expanded_scripttags
+      ShopifyAPI::ScriptTag.all.each do |tag|
+        ShopifyAPI::ScriptTag.delete(tag.id) if required_scripttag?(scripttags, tag)
+      end
+      @current_scripttags = nil
+    end
+    private
+    def expanded_scripttags
+      self.class.build_src(required_scripttags, shop_domain)
+    end
+    def required_scripttag?(scripttags, tag)
+      scripttags.map { |w| w[:src] }.include?(tag.src)
+    end
+    def create_scripttag(attributes)
+      attributes.reverse_merge!(format: 'json')
+      scripttag = ShopifyAPI::ScriptTag.create(attributes)
+      raise CreationFailed, scripttag.errors.full_messages.to_sentence unless scripttag.persisted?
+      scripttag
+    end
+    def scripttag_exists?(src)
+      current_scripttags[src]
+    end
+    def current_scripttags
+      @current_scripttags ||= ShopifyAPI::ScriptTag.all.index_by(&:src)
+    end
+  end
+end

data/lib/shopify_app/managers/webhooks_manager.rb ADDED

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class WebhooksManager
+    class CreationFailed < StandardError; end
+    def self.queue(shop_domain, shop_token, webhooks)
+      ShopifyApp::WebhooksManagerJob.perform_later(
+        shop_domain: shop_domain,
+        shop_token: shop_token,
+        webhooks: webhooks
+      )
+    end
+    attr_reader :required_webhooks
+    def initialize(webhooks)
+      @required_webhooks = webhooks
+    end
+    def recreate_webhooks!
+      destroy_webhooks
+      create_webhooks
+    end
+    def create_webhooks
+      return unless required_webhooks.present?
+      required_webhooks.each do |webhook|
+        create_webhook(webhook) unless webhook_exists?(webhook[:topic])
+      end
+    end
+    def destroy_webhooks
+      ShopifyAPI::Webhook.all.to_a.each do |webhook|
+        ShopifyAPI::Webhook.delete(webhook.id) if required_webhook?(webhook)
+      end
+      @current_webhooks = nil
+    end
+    private
+    def required_webhook?(webhook)
+      required_webhooks.map { |w| w[:address] }.include?(webhook.address)
+    end
+    def create_webhook(attributes)
+      attributes.reverse_merge!(format: 'json')
+      webhook = ShopifyAPI::Webhook.create(attributes)
+      raise CreationFailed, webhook.errors.full_messages.to_sentence unless webhook.persisted?
+      webhook
+    end
+    def webhook_exists?(topic)
+      current_webhooks[topic]
+    end
+    def current_webhooks
+      @current_webhooks ||= ShopifyAPI::Webhook.all.to_a.index_by(&:topic)
+    end
+  end
+end

data/lib/shopify_app/middleware/jwt_middleware.rb ADDED

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class JWTMiddleware
+    TOKEN_REGEX = /^Bearer\s+(.*?)$/
+    def initialize(app)
+      @app = app
+    end
+    def call(env)
+      return call_next(env) unless authorization_header(env)
+      token = extract_token(env)
+      return call_next(env) unless token
+      set_env_variables(token, env)
+      call_next(env)
+    end
+    private
+    def call_next(env)
+      @app.call(env)
+    end
+    def authorization_header(env)
+      env['HTTP_AUTHORIZATION']
+    end
+    def extract_token(env)
+      match = authorization_header(env).match(TOKEN_REGEX)
+      match && match[1]
+    end
+    def set_env_variables(token, env)
+      jwt = ShopifyApp::JWT.new(token)
+      env['jwt.shopify_domain'] = jwt.shopify_domain
+      env['jwt.shopify_user_id'] = jwt.shopify_user_id
+    end
+  end
+end

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb ADDED

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class SameSiteCookieMiddleware
+    COOKIE_SEPARATOR = "\n"
+    def initialize(app)
+      @app = app
+    end
+    def call(env)
+      status, headers, body = @app.call(env)
+      user_agent = env['HTTP_USER_AGENT']
+      if headers && headers['Set-Cookie'] &&
+          BrowserSniffer.new(user_agent).same_site_none_compatible? &&
+          ShopifyApp.configuration.enable_same_site_none &&
+          Rack::Request.new(env).ssl?
+        set_cookies = headers['Set-Cookie']
+          .split(COOKIE_SEPARATOR)
+          .compact
+          .map do |cookie|
+            cookie << '; Secure' unless cookie =~ /;\s*secure/i
+            cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
+            cookie
+          end
+        headers['Set-Cookie'] = set_cookies.join(COOKIE_SEPARATOR)
+      end
+      [status, headers, body]
+    end
+  end
+end

data/lib/shopify_app/session/in_memory_session_store.rb ADDED

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+module ShopifyApp
+  # rubocop:disable Style/ClassVars
+  # Class var repo is needed here in order to share data between the 2 child classes.
+  class InMemorySessionStore
+    class EnvironmentError < StandardError; end
+    def self.retrieve(id)
+      repo[id]
+    end
+    def self.store(session, *_args)
+      id = SecureRandom.uuid
+      repo[id] = session
+      id
+    end
+    def self.clear
+      @@repo = nil
+    end
+    def self.repo
+      if Rails.env.production?
+        raise EnvironmentError, "Cannot use InMemorySessionStore in a Production environment. \
+          Please initialize ShopifyApp with a model that can store and retrieve sessions"
+      end
+      @@repo ||= {}
+    end
+  end
+  # rubocop:enable Style/ClassVars
+end

data/lib/shopify_app/session/in_memory_shop_session_store.rb ADDED

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class InMemoryShopSessionStore < InMemorySessionStore
+    def self.store(session, *args)
+      id = super
+      repo[session.domain] = session
+      id
+    end
+    def self.retrieve_by_shopify_domain(shopify_domain)
+      repo[shopify_domain]
+    end
+  end
+end

data/lib/shopify_app/session/in_memory_user_session_store.rb ADDED

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class InMemoryUserSessionStore < InMemorySessionStore
+    def self.store(session, user)
+      id = super
+      repo[user.shopify_user_id] = session
+      id
+    end
+    def self.retrieve_by_shopify_user_id(user_id)
+      repo[user_id]
+    end
+  end
+end

data/lib/shopify_app/session/jwt.rb ADDED

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class JWT
+    class InvalidDestinationError < StandardError; end
+    class MismatchedHostsError < StandardError; end
+    class InvalidAudienceError < StandardError; end
+    WARN_EXCEPTIONS = [
+      ::JWT::DecodeError,
+      ::JWT::ExpiredSignature,
+      ::JWT::ImmatureSignature,
+      ::JWT::VerificationError,
+      InvalidAudienceError,
+      InvalidDestinationError,
+      MismatchedHostsError,
+    ]
+    def initialize(token)
+      @token = token
+      set_payload
+    end
+    def shopify_domain
+      @payload && ShopifyApp::Utils.sanitize_shop_domain(@payload['dest'])
+    end
+    def shopify_user_id
+      @payload && @payload['sub']
+    end
+    private
+    def set_payload
+      payload, _ = parse_token_data(ShopifyApp.configuration&.secret, ShopifyApp.configuration&.old_secret)
+      @payload = validate_payload(payload)
+    rescue *WARN_EXCEPTIONS => error
+      Rails.logger.warn("[ShopifyApp::JWT] Failed to validate JWT: [#{error.class}] #{error}")
+      nil
+    end
+    def parse_token_data(secret, old_secret)
+      ::JWT.decode(@token, secret, true, { algorithm: 'HS256' })
+    rescue ::JWT::VerificationError
+      raise unless old_secret
+      ::JWT.decode(@token, old_secret, true, { algorithm: 'HS256' })
+    end
+    def validate_payload(payload)
+      dest_host = ShopifyApp::Utils.sanitize_shop_domain(payload['dest'])
+      iss_host = ShopifyApp::Utils.sanitize_shop_domain(payload['iss'])
+      api_key = ShopifyApp.configuration.api_key
+      raise InvalidAudienceError, "'aud' claim does not match api_key" unless payload['aud'] == api_key
+      raise InvalidDestinationError, "'dest' claim host not a valid shopify host" unless dest_host
+      raise MismatchedHostsError, "'dest' claim host does not match 'iss' claim host" unless dest_host == iss_host
+      payload
+    end
+  end
+end

data/lib/shopify_app/session/null_user_session_store.rb ADDED

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class NullUserSessionStore
+    class << self
+      def retrieve(_)
+        nil
+      end
+      def store(_, _)
+        raise SessionRepository::ConfigurationError, 'user_storage is not configured'
+      end
+      def retrieve_by_shopify_user_id(_)
+        nil
+      end
+      def blank?
+        true
+      end
+    end
+  end
+end

data/lib/shopify_app/session/session_repository.rb ADDED

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class SessionRepository
+    class ConfigurationError < StandardError; end
+    class << self
+      attr_writer :shop_storage
+      attr_writer :user_storage
+      def retrieve_shop_session(id)
+        shop_storage.retrieve(id)
+      end
+      def retrieve_user_session(id)
+        user_storage.retrieve(id)
+      end
+      def retrieve_shop_session_by_shopify_domain(shopify_domain)
+        shop_storage.retrieve_by_shopify_domain(shopify_domain)
+      end
+      def retrieve_user_session_by_shopify_user_id(user_id)
+        user_storage.retrieve_by_shopify_user_id(user_id)
+      end
+      def store_shop_session(session)
+        shop_storage.store(session)
+      end
+      def store_user_session(session, user)
+        user_storage.store(session, user)
+      end
+      def shop_storage
+        load_shop_storage || raise(ConfigurationError, "ShopifySessionRepository.shop_storage is not configured!")
+      end
+      def user_storage
+        load_user_storage
+      end
+      private
+      def load_shop_storage
+        return unless @shop_storage
+        @shop_storage.respond_to?(:safe_constantize) ? @shop_storage.safe_constantize : @shop_storage
+      end
+      def load_user_storage
+        return NullUserSessionStore unless @user_storage
+        @user_storage.respond_to?(:safe_constantize) ? @user_storage.safe_constantize : @user_storage
+      end
+    end
+  end
+end