shopify_app 11.3.2 → 11.7.0

data/lib/generators/shopify_app/add_marketing_activity_extension/templates/marketing_activities_controller.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+class MarketingActivitiesController < ShopifyApp::ExtensionVerificationController
+  def preload_form_data
+    preload_data = {
+      "form_data": {
+        "budget": {
+          "currency": "USD",
+        }
+      }
+    }
+    render(json: preload_data, status: :ok)
+  end
+
+  def update
+    render(json: {}, status: :accepted)
+  end
+
+  def pause
+    render(json: {}, status: :accepted)
+  end
+
+  def resume
+    render(json: {}, status: :accepted)
+  end
+
+  def delete
+    render(json: {}, status: :accepted)
+  end
+
+  def preview
+    placeholder_img = "https://cdn.shopify.com/s/files/1/0533/2089/files/placeholder-images-image_small.png"
+    preview_response = {
+      "desktop": {
+        "preview_url": placeholder_img,
+        "content_type": "text/html",
+        "width": 360,
+        "height": 200
+      },
+      "mobile": {
+        "preview_url": placeholder_img,
+        "content_type": "text/html",
+        "width": 360,
+        "height": 200
+      }
+    }
+    render(json: preview_response, status: :ok)
+  end
+
+  def create
+    render(json: {}, status: :ok)
+  end
+
+  def republish
+    render(json: {}, status: :accepted)
+  end
+
+  def errors
+    request_id = params[:request_id]
+    message = params[:message]
+
+    Rails.logger.info("[Marketing Activity App Error Feedback] Request id: #{request_id}, message: #{message}")
+
+    render(json: {}, status: :ok)
+  end
+end

data/lib/generators/shopify_app/install/install_generator.rb

@@ -11,10 +11,6 @@ module ShopifyApp
       class_option :embedded, type: :string, default: 'true'
       class_option :api_version, type: :string, default: nil
 
-      def add_dotenv_gem
-        gem('dotenv-rails', group: [:test, :development])
-      end
-
       def create_shopify_app_initializer
         @application_name = format_array_argument(options['application_name'])
         @scope = format_array_argument(options['scope'])

data/lib/generators/shopify_app/install/templates/shopify_app.rb

@@ -8,7 +8,7 @@ ShopifyApp.configure do |config|
   config.embedded_app = <%= embedded_app? %>
   config.after_authenticate_job = false
   config.api_version = "<%= @api_version %>"
-  config.session_repository = ShopifyApp::InMemorySessionStore
+  config.session_repository = 'ShopifyApp::InMemorySessionStore'
 end
 
 # ShopifyApp::Utils.fetch_known_api_versions                        # Uncomment to fetch known api versions from shopify servers on boot

data/lib/generators/shopify_app/install/templates/shopify_provider.rb

@@ -4,6 +4,7 @@ provider :shopify,
   ShopifyApp.configuration.api_key,
   ShopifyApp.configuration.secret,
   scope: ShopifyApp.configuration.scope,
+  per_user_permissions: ShopifyApp.configuration.per_user_tokens,
   setup: lambda { |env|
     strategy = env['omniauth.strategy']
 

data/lib/generators/shopify_app/user_model/templates/db/migrate/create_users.erb

@@ -0,0 +1,16 @@
+class CreateUsers < ActiveRecord::Migration[<%= rails_migration_version %>]
+  def self.up
+    create_table :users do |t|
+      t.bigint :shopify_user_id, null: false
+      t.string :shopify_domain, null: false
+      t.string :shopify_token, null: false
+      t.timestamps
+    end
+
+    add_index :users, :shopify_user_id, unique: true
+  end
+
+  def self.down
+    drop_table :users
+  end
+end

data/lib/generators/shopify_app/user_model/templates/user.rb

@@ -0,0 +1,7 @@
+class User < ActiveRecord::Base
+  include ShopifyApp::SessionStorage
+
+  def api_version
+    ShopifyApp.configuration.api_version
+  end
+end

data/lib/generators/shopify_app/user_model/templates/users.yml

@@ -0,0 +1,4 @@
+regular_user:
+  shopify_domain: 'regular-shop.myshopify.com'
+  shopify_token: 'token'
+  shopify_user_id: 1

data/lib/generators/shopify_app/user_model/user_model_generator.rb

@@ -0,0 +1,38 @@
+require 'rails/generators/base'
+require 'rails/generators/active_record'
+
+module ShopifyApp
+  module Generators
+    class UserModelGenerator < Rails::Generators::Base
+      include Rails::Generators::Migration
+      source_root File.expand_path('../templates', __FILE__)
+
+      def create_user_model
+        copy_file 'user.rb', 'app/models/user.rb'
+      end
+
+      def create_user_migration
+        migration_template 'db/migrate/create_users.erb', 'db/migrate/create_users.rb'
+      end
+
+      def update_shopify_app_initializer
+        gsub_file 'config/initializers/shopify_app.rb', 'ShopifyApp::InMemorySessionStore', 'User'
+      end
+
+      def create_user_fixtures
+        copy_file 'users.yml', 'test/fixtures/users.yml'
+      end
+
+      private
+
+      def rails_migration_version
+        Rails.version.match(/\d\.\d/)[0]
+      end
+
+      # for generating a timestamp when using `create_migration`
+      def self.next_migration_number(dir)
+        ActiveRecord::Generators::Base.next_migration_number(dir)
+      end
+    end
+  end
+end

data/lib/shopify_app.rb

@@ -40,7 +40,12 @@ module ShopifyApp
   require 'shopify_app/managers/webhooks_manager'
   require 'shopify_app/managers/scripttags_manager'
 
+  # middleware
+  require 'shopify_app/middleware/same_site_cookie_middleware'
+
   # session
+  require 'shopify_app/session/storage_strategies/shop_storage_strategy'
+  require 'shopify_app/session/storage_strategies/user_storage_strategy'
   require 'shopify_app/session/session_storage'
   require 'shopify_app/session/session_repository'
   require 'shopify_app/session/in_memory_session_store'

data/lib/shopify_app/configuration.rb

@@ -14,7 +14,9 @@ module ShopifyApp
     attr_accessor :webhooks
     attr_accessor :scripttags
     attr_accessor :after_authenticate_job
-    attr_accessor :session_repository
+    attr_reader :session_repository
+    attr_accessor :per_user_tokens
+    alias_method :per_user_tokens?, :per_user_tokens
     attr_accessor :api_version
 
     # customise urls
@@ -34,11 +36,15 @@ module ShopifyApp
     # allow namespacing webhook jobs
     attr_accessor :webhook_jobs_namespace
 
+    # allow enabling of same site none on cookies
+    attr_accessor :enable_same_site_none
+
     def initialize
       @root_url = '/'
       @myshopify_domain = 'myshopify.com'
       @scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
       @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
+      @per_user_tokens = false
       @disable_webpacker = ENV['SHOPIFY_APP_DISABLE_WEBPACKER'].present?
     end
 
@@ -47,13 +53,8 @@ module ShopifyApp
     end
 
     def session_repository=(klass)
-      if Rails.configuration.cache_classes
-        ShopifyApp::SessionRepository.storage = klass
-      else
-        ActiveSupport::Reloader.to_prepare do
-          ShopifyApp::SessionRepository.storage = klass
-        end
-      end
+      @session_repository = klass
+      ShopifyApp::SessionRepository.storage = klass
     end
 
     def has_webhooks?
@@ -63,6 +64,10 @@ module ShopifyApp
     def has_scripttags?
       scripttags.present?
     end
+
+    def enable_same_site_none
+      @enable_same_site_none.nil? ? embedded_app? : @enable_same_site_none
+    end
   end
 
   def self.configuration

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -27,12 +27,30 @@ module ShopifyApp
     end
 
     def shop_session
-      return unless session[:shopify]
-      @shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify])
+      if ShopifyApp.configuration.per_user_tokens?
+        return unless session[:shopify_user]
+        @shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify_user]['id'])
+      else
+        return unless session[:shopify]
+        @shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify])
+      end
     end
 
-    def login_again_if_different_shop
+    def login_again_if_different_user_or_shop
+      if ShopifyApp.configuration.per_user_tokens?
+        valid_session_data = session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
+        sessions_do_not_match = session[:user_session] != params[:session] # current user is different from stored user
+
+        if valid_session_data && sessions_do_not_match
+          clear_session = true
+        end
+      end
+
       if shop_session && params[:shop] && params[:shop].is_a?(String) && (shop_session.domain != params[:shop])
+        clear_session = true
+      end
+
+      if clear_session
         clear_shop_session
         redirect_to_login
       end
@@ -60,6 +78,7 @@ module ShopifyApp
       session[:shopify] = nil
       session[:shopify_domain] = nil
       session[:shopify_user] = nil
+      session[:user_session] = nil
     end
 
     def login_url_with_optional_shop(top_level: false)

data/lib/shopify_app/engine.rb

@@ -12,5 +12,9 @@ module ShopifyApp
         storage_access.svg
       ]
     end
+
+    initializer "shopify_app.middleware" do |app|
+      app.config.middleware.insert_before(ActionDispatch::Cookies, ShopifyApp::SameSiteCookieMiddleware)
+    end
   end
 end

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb

@@ -0,0 +1,60 @@
+module ShopifyApp
+  class SameSiteCookieMiddleware
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      _status, headers, _body = @app.call(env)
+    ensure
+      user_agent = env['HTTP_USER_AGENT']
+
+      if headers && headers['Set-Cookie'] && !SameSiteCookieMiddleware.same_site_none_incompatible?(user_agent) &&
+          ShopifyApp.configuration.enable_same_site_none
+
+        cookies = headers['Set-Cookie'].split("\n").compact
+
+        cookies.each do |cookie|
+          unless cookie.include?("; SameSite")
+            headers['Set-Cookie'] = headers['Set-Cookie'].gsub("#{cookie}", "#{cookie}; secure; SameSite=None")
+          end
+        end
+      end
+    end
+
+    def self.same_site_none_incompatible?(user_agent)
+      sniffer = BrowserSniffer.new(user_agent)
+
+      webkit_same_site_bug?(sniffer) || drops_unrecognized_same_site_cookies?(sniffer)
+    rescue
+      true
+    end
+
+    def self.webkit_same_site_bug?(sniffer)
+      (sniffer.os == :ios && sniffer.os_version.match?(/^([0-9]|1[12])[\.\_]/)) ||
+        (sniffer.os == :mac && sniffer.browser == :safari && sniffer.os_version.match?(/^10[\.\_]14/))
+    end
+
+    def self.drops_unrecognized_same_site_cookies?(sniffer)
+      (chromium_based?(sniffer) && sniffer.major_browser_version >= 51 && sniffer.major_browser_version <= 66) ||
+        (uc_browser?(sniffer) && !uc_browser_version_at_least?(sniffer: sniffer, major: 12, minor: 13, build: 2))
+    end
+
+    def self.chromium_based?(sniffer)
+      sniffer.browser_name.downcase.match?(/chrom(e|ium)/)
+    end
+
+    def self.uc_browser?(sniffer)
+      sniffer.user_agent.downcase.match?(/uc\s?browser/)
+    end
+
+    def self.uc_browser_version_at_least?(sniffer:, major:, minor:, build:)
+      digits = sniffer.browser_version.split('.').map(&:to_i)
+      return false unless digits.count >= 3
+
+      return digits[0] > major if digits[0] != major
+      return digits[1] > minor if digits[1] != minor
+      digits[2] >= build
+    end
+  end
+end

data/lib/shopify_app/session/in_memory_session_store.rb

@@ -6,7 +6,7 @@ module ShopifyApp
       repo[id]
     end
 
-    def self.store(session)
+    def self.store(session, *args)
       id = SecureRandom.uuid
       repo[id] = session
       id

data/lib/shopify_app/session/session_repository.rb

@@ -15,8 +15,8 @@ module ShopifyApp
         storage.retrieve(id)
       end
 
-      def store(session)
-        storage.store(session)
+      def store(session, *args)
+        storage.store(session, *args)
       end
 
       def storage

data/lib/shopify_app/session/session_storage.rb

@@ -3,9 +3,12 @@ module ShopifyApp
     extend ActiveSupport::Concern
 
     included do
-      validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false }
       validates :shopify_token, presence: true
       validates :api_version, presence: true
+      validates :shopify_domain, presence: true,
+        if: Proc.new {|_| ShopifyApp.configuration.per_user_tokens? }
+      validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false },
+        if: Proc.new {|_| !ShopifyApp.configuration.per_user_tokens? }
     end
 
     def with_shopify_session(&block)
@@ -18,23 +21,19 @@ module ShopifyApp
     end
 
     class_methods do
-      def store(session)
-        shop = find_or_initialize_by(shopify_domain: session.domain)
-        shop.shopify_token = session.token
-        shop.save!
-        shop.id
+
+      def strategy_klass
+        ShopifyApp.configuration.per_user_tokens? ? 
+          ShopifyApp::SessionStorage::UserStorageStrategy : 
+          ShopifyApp::SessionStorage::ShopStorageStrategy
       end
 
-      def retrieve(id)
-        return unless id
+      def store(auth_session, user: nil)
+        strategy_klass.store(auth_session, user)
+      end
 
-        if shop = self.find_by(id: id)
-          ShopifyAPI::Session.new(
-            domain: shop.shopify_domain,
-            token: shop.shopify_token,
-            api_version: shop.api_version
-          )
-        end
+      def retrieve(id)
+        strategy_klass.retrieve(id)
       end
     end
   end

data/lib/shopify_app/session/storage_strategies/shop_storage_strategy.rb

@@ -0,0 +1,24 @@
+module ShopifyApp
+  module SessionStorage
+    class ShopStorageStrategy
+
+      def self.store(auth_session, *args)
+        shop = Shop.find_or_initialize_by(shopify_domain: auth_session.domain)
+        shop.shopify_token = auth_session.token
+        shop.save!
+        shop.id
+      end
+
+      def self.retrieve(id)
+        return unless id
+        if shop = Shop.find_by(id: id)
+          ShopifyAPI::Session.new(
+            domain: shop.shopify_domain,
+            token: shop.shopify_token,
+            api_version: shop.api_version
+          )
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/session/storage_strategies/user_storage_strategy.rb

@@ -0,0 +1,26 @@
+module ShopifyApp
+  module SessionStorage
+    class UserStorageStrategy
+
+      def self.store(auth_session, user)
+        user = User.find_or_initialize_by(shopify_user_id: user[:id])
+        user.shopify_token = auth_session.token
+        user.shopify_domain = auth_session.domain
+        user.save!
+        user.id
+      end
+
+      def self.retrieve(id)
+        return unless id
+        if user = User.find_by(shopify_user_id: id)
+          ShopifyAPI::Session.new(
+            domain: user.shopify_domain,
+            token: user.shopify_token,
+            api_version: user.api_version
+          )
+        end
+      end
+
+    end
+  end
+end