RubyGems - shopify_app - Versions diffs - 11.5.0 → 12.0.0 - Mend

shopify_app 11.5.0 → 12.0.0

Files changed (27) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0ba7612b4db7acb35c0fa91209e7b4421f90cefa6b95d52b433218e9be5a8703
-  data.tar.gz: 9db8d74d1f2bebd2b4fe8856bb8c2d0a3e7108cfb5a940521a70ca67b1f6e1fe
+  metadata.gz: d7f75f25ebd3015036f89240acd78fb1d38bd85c6c61c361df564e0eaa1e2195
+  data.tar.gz: 5b91f6dd61dd686a9cce74123a3b6de0498f683488204768542aa128e312f90f
 SHA512:
-  metadata.gz: 5b73cda40e6980ab59c5f5d40bcb09c93cfeb7e0fcfd8ff8cd953509e1d43eb45073f80e987aea8e7f585c28f50328613e5956d4d1de9e264908e3fc0265d670
-  data.tar.gz: 349bbdfea89e30efd696f50572d09af4e421caa8a3ce89f539e5b1a05b956c0b35af1651482fc20bfdfc7d451874ffebecf15ed4ee86bb9bb885cab358a1d707
+  metadata.gz: 9119cf0bf9b9ad3a9f03c89877a7fc2337b99a98b36ec5ec01446b9a9ef15841e0bf7ba05631d15d827b5b32c535c1176f5b4b46227846ace43d27c9d55155cb
+  data.tar.gz: c084b5f9fd03727c865621a6615e2837179f262941b2ef3c5b083515d4e23b075e0d904f9cccee29140c78d117c2624fad4ef73c883aaa0ba087d0bc816a9685

data/CHANGELOG.md CHANGED

@@ -1,3 +1,27 @@
+12.0.0
+-----
+* Updating shopify_api gem to 9.0.0
+11.7.1
+-----
+* Fix to allow SessionStorage to be flexible on what model names that the are used for storing shop and user data
+11.7.0
+-----
+* Move ExtensionVerificationController from engine to app controllers, as being in the engine makes ActionController::Base get loaded before app initiates [#855](https://github.com/Shopify/shopify_app/pull/855)
+* Add back per-user token support (added in 11.5.0, reverted in 11.5.1)
+  * If you have an override on the `self.store(auth_session)` method on your `SessionRepository` model, the method signature must be changed as according to this [change](https://github.com/Shopify/shopify_app/pull/856/files#diff-deaed2b262ec885f4e36de05621e41eaR18)
+11.6.0
+-----
+* Enable SameSite=None; Secure by default on all cookies for embedded apps [#851](https://github.com/Shopify/shopify_app/pull/851)
+  * Ensures compatibility of embedded apps with upcoming Chrome version 80 changes to cookie behaviour
+  * Configurable via `ShopifyApp.configuration.enable_same_site_none` (default true for embedded apps)
+11.5.1
+-----
+* Revert per-user token support temporarily
 11.5.0
 -----
 * Modularizes durable session storage

data/README.md CHANGED

@@ -13,7 +13,7 @@ Shopify Application Rails engine and generator
 Table of Contents
 -----------------
 - [Introduction](#introduction)
-- [Becoming a Shopify App Developer](#becoming-a-shopify-app-developer)
+- [Become a Shopify App Developer](#become-a-shopify-app-developer)
 - [Installation](#installation)
 - [Generators](#generators)
 - [Mounting the Engine](#mounting-the-engine)
@@ -31,25 +31,25 @@ Table of Contents
 Introduction
 -----------
-This gem includes a Rails Engine and generators for writing Rails applications using the Shopify API. The Engine provides a SessionsController and all the required code for authenticating with a shop via Oauth (other authentication methods are not supported).
+Get started with the [Shopify Admin API](https://help.shopify.com/en/api/getting-started) faster; This gem includes a Rails Engine and generators for writing Rails applications using the Shopify API. The Engine provides a SessionsController and all the required code for authenticating with a shop via Oauth (other authentication methods are not supported).
-*Note: It's recommended to use this on a new Rails project, so that the generator won't overwrite/delete some of your files.*
+*Note: It's recommended to use this on a new Rails project, so that the generator won't overwrite/delete your files.*
-Check out this screencast on how to create and deploy a new Shopify App to Heroku in 5 minutes:
+Learn how to create and deploy a new Shopify App to Heroku with our [quickstart guide](https://github.com/Shopify/shopify_app/blob/master/docs/Quickstart.md), or dive in in less than 5 minutes with this quickstart video:
 [https://www.youtube.com/watch?v=yGxeoAHlQOg](https://www.youtube.com/watch?v=yGxeoAHlQOg)
-Or if you prefer text instructions the steps in the video are written out [here](https://github.com/Shopify/shopify_app/blob/master/docs/Quickstart.md)
-Becoming a Shopify App Developer
+Become a Shopify App Developer
 --------------------------------
-If you don't have a Shopify Partner account yet head over to http://shopify.com/partners to create one, you'll need it before you can start developing apps.
+To become a Shopify App Developer you'll need a [Shopify Partner account.](http://shopify.com/partners) If you don't have a Shopify Partner account, head to http://shopify.com/partners to create one before you start.
+Once you have a Partner account, [create a new application in the Partner Dashboard](https://help.shopify.com/en/api/tools/partner-dashboard/your-apps) to get an API key and other API credentials.
-Once you have a Partner account create a new application to get an API key and other API credentials. To create a development application set the `App URL` to the URL provided by [your tunnel](#app-tunneling) or `http://localhost:3000/` if you are not embeddeding your app inside the admin or receiving webhooks and the `Whitelisted redirection URL(s)` to contain `<App URL>/auth/shopify/callback`. Ensure you are using `https://` URLs if you are using tunneling.
+To create an application for development set your new app's `App URL` to the URL provided by [your tunnel](#app-tunneling), ensuring that you use `https://`. If you are not planning to embed your app inside the Shopify admin or receive webhooks, set your redirect URL to `http://localhost:3000/` and the `Whitelisted redirection URL(s)` to contain `<App URL>/auth/shopify/callback`.
 Installation
 ------------
-To get started add shopify_app to your Gemfile and bundle install
+To get started add `shopify_app` to your Gemfile and run `bundle install`:
 ``` sh
 # Create a new rails app
@@ -61,7 +61,7 @@ $ echo "gem 'shopify_app'" >> Gemfile
 $ bundle install
 ```
-Now we are ready to run any of the shopify_app generators. The following section explains the generators and what they can do.
+Now we are ready to run any of the [generators](#generators) included with `shopify_app`. The following section explains the generators and what you can do with them.
 #### Rails Compatibility
@@ -74,24 +74,24 @@ Generators
 ### Default Generator
-The default generator will run the `install`, `shop`, and `home_controller` generators. This is the recommended way to start your app.
+The default generator will run the `install`, `shop`, and `home_controller` generators. This is the recommended way to start a new app from scratch:
 ```sh
 $ rails generate shopify_app
 ```
-After running the generator, you will need to run `rails db:migrate` to add tables to your database. You can start your app with `bundle exec rails server` and install your app by visiting localhost.
+After running the generator, you will need to run `rails db:migrate` to add new tables to your database. You can start your app with `bundle exec rails server` and install your app by visiting `http://localhost` in your web browser.
 ### API Keys
-The default and install generators have been updated to source Shopify API key and secret from a `.env` file, which you will need to create with the following format:
+The default and install generators have been updated to source Shopify API key and secret from an Environment (`.env`) variables file, which you will need to create with the following format:
 ```
 SHOPIFY_API_KEY=your api key
 SHOPIFY_API_SECRET=your api secret
 ```
-These values can be found on the "App Setup" page in the [Shopify Partners Dashboard][dashboard].
+These values can be found on the "App Setup" page in the [Shopify Partners Dashboard][dashboard]. If you are checking your code into a code repository, ensure your `.gitignore` prevents your `.env` file from being checked into any publicly accessible code.
 ### Install Generator
@@ -123,7 +123,7 @@ After running the `install` generator, you can start your app with `bundle exec
 $ rails generate shopify_app:home_controller
 ```
-This generator creates an example home controller and view which fetches and displays products using the ShopifyAPI
+This generator creates an example home controller and view which fetches and displays products using the Shopify API
 ### App Proxy Controller Generator
@@ -213,7 +213,7 @@ Authentication
 ### ShopifyApp::SessionRepository
-`ShopifyApp::SessionRepository` allows you as a developer to define how your sessions are stored and retrieved for shops. The `SessionRepository` is configured in the `config/initializers/shopify_app.rb` file and can be set to any object that implements `self.store(auth_session)` which stores the session and returns a unique identifier and `self.retrieve(id)` which returns a `ShopifyAPI::Session` for the passed id. See either the `ShopifyApp::InMemorySessionStore` class or the `ShopifyApp::SessionStorage` concern for details.
+`ShopifyApp::SessionRepository` allows you as a developer to define how your sessions are stored and retrieved for shops. The `SessionRepository` is configured in the `config/initializers/shopify_app.rb` file and can be set to any object that implements `self.store(auth_session, *args)` which stores the session and returns a unique identifier and `self.retrieve(id)` which returns a `ShopifyAPI::Session` for the passed id. These methods are already implemented as part of the `ShopifyApp::SessionStorage` concern, but can be overridden for custom implementation.
 If you only run the install generator then by default you will have an in memory store but it **won't work** on multi-server environments including Heroku. For multi-server environments, implement one of the following token-storage strategies.
@@ -233,6 +233,8 @@ This will generate a user model which will be the storage for the tokens necessa
 The current Shopify user will be stored in the rails session at `session[:shopify_user]`
+In this mode, The `self.store(auth_session, *args)` will be invoked with a Shopify User object hash, which is then used to store the token as part of a user record, rather than a store record.
 This will change the type of token that Shopify returns and it will only be valid for a short time. Read more about `Online access` [here](https://help.shopify.com/api/getting-started/authentication/oauth). Note that this means you won't be able to use this token to respond to Webhooks.
 #### Migrating from shop-based to user-based token strategy
@@ -247,7 +249,7 @@ provider :shopify,
   per_user_permissions: true
 # In the `shopify_app.rb` initializer:
-config.session_repository = User
+config.session_repository = 'User'
 config.per_user_tokens = true
 ```
@@ -406,9 +408,11 @@ strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret
 App Tunneling
 -------------
-Your local app needs to be accessible from the public Internet in order to install it on a shop, use the [App Proxy Controller](#app-proxy-controller-generator) or receive Webhooks. Use a tunneling service like [ngrok](https://ngrok.com/), [Forward](https://forwardhq.com/), [Beeceptor](https://beeceptor.com/), [Mockbin](http://mockbin.org/), [Hookbin](https://hookbin.com/), etc.
+Your local app needs to be accessible from the public Internet in order to install it on a Shopify store, to use the [App Proxy Controller](#app-proxy-controller-generator) or receive Webhooks.
-For example with [ngrok](https://ngrok.com/), run this command to set up proxying to Rails' default port:
+Use a tunneling service like [ngrok](https://ngrok.com/), [Forward](https://forwardhq.com/), [Beeceptor](https://beeceptor.com/), [Mockbin](http://mockbin.org/), or [Hookbin](https://hookbin.com/) to make your development environment accessible to the internet.
+For example with [ngrok](https://ngrok.com/), run this command to set up a tunnel proxy to Rails' default port:
 ```sh
 ngrok http 3000
@@ -435,6 +439,11 @@ end
 Create your app proxy url in the [Shopify Partners' Dashboard][dashboard], making sure to point it to `https://your_app_website.com/app_proxy`.
 ![Creating an App Proxy](/images/app-proxy-screenshot.png)
+App Bridge
+---
+A basic example of using [App Bridge][app-bridge] is included in the install generator. An app instance is automatically initialized in [shopify_app.js](https://github.com/Shopify/shopify_app/blob/master/lib/generators/shopify_app/install/templates/shopify_app.js) and [flash_messages.js](https://github.com/Shopify/shopify_app/blob/master/lib/generators/shopify_app/install/templates/flash_messages.js) converts Rails [flash messages](https://api.rubyonrails.org/classes/ActionDispatch/Flash.html) to App Bridge Toast actions automatically. By default, this library is included via [unpkg in the embedded_app layout](https://github.com/Shopify/shopify_app/blob/master/lib/generators/shopify_app/install/templates/embedded_app.html.erb#L27). For more advanced uses it is recommended to [install App Bridge via npm or yarn](https://help.shopify.com/en/api/embedded-apps/app-bridge/getting-started#set-up-shopify-app-bridge-in-your-app).
 Troubleshooting
 ---------------
@@ -455,6 +464,12 @@ Questions or problems?
 - [Ask questions!](https://ecommerce.shopify.com/c/shopify-apis-and-technology)
 - [Read the docs!](https://help.shopify.com/api/guides)
+Upgrading to 11.7.0
+---------------------------
+### Session storage method signature breaking change
+If you override `def self.store(auth_session)` method in your session storage model (e.g. Shop), the method signature has changed to `def self.store(auth_session, *args)` in order to support user-based token storage. Please update your method signature to include the second argument.
 Rails 6 Compatibility
 ---------------------
@@ -527,3 +542,4 @@ is changed to
 You will need to also follow the ShopifyAPI [upgrade guide](https://github.com/Shopify/shopify_api/blob/master/README.md#-breaking-change-notice-for-version-700-) to ensure your app is ready to work with api versioning.
 [dashboard]:https://partners.shopify.com
+[app-bridge]:https://help.shopify.com/en/api/embedded-apps/app-bridge

data/app/controllers/shopify_app/extension_verification_controller.rb ADDED

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class ExtensionVerificationController < ActionController::Base
+    protect_from_forgery with: :null_session
+    before_action :verify_request
+    private
+    def verify_request
+      hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
+      request_body = request.body.read
+      secret = ShopifyApp.configuration.secret
+      digest = OpenSSL::Digest.new('sha256')
+      expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
+      head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
+    end
+  end
+end

data/docs/Quickstart.md CHANGED

@@ -1,11 +1,13 @@
 Quickstart
 ==========
-Build and deploy a new Shopify App to Heroku in minutes
+Get started building and deploying a new Shopify App to Heroku in just a few minutes. This guide assumes you have Ruby/Rails installed on your computer already; if you haven't done that already start with [this guide.](https://guides.rubyonrails.org/v5.0/getting_started.html#installing-rails)
 1. New Rails App (with postgres)
 --------------------------------
+To create a new Rails app and use this generator, open your terminal and run the following commands:
 ```sh
 $ rails new test-app --database=postgresql
 $ cd test-app
@@ -17,43 +19,51 @@ $ git commit -m 'new rails app'
 2. Create a new Heroku app
 --------------------------
-The next step is to create a new heroku app. Pull up your heroku dashboard and make a new app!
+The next step is to create a new Heroku app to host your application. If you haven't got a Heroku account yet, create a free account [here](https://www.heroku.com/).
+Head to the Heroku dashboard and create a new app, or run the following commands with the [Heroku CLI](https://devcenter.heroku.com/articles/heroku-cli#download-and-install) installed, substituting `name` for the name of your own app:
-cli:
+CLI:
 ```sh
 $ heroku create name
 $ heroku git:remote -a name
 ```
-now we need to let git know where the remote server is so we'll be able to deploy later
+Once you have created an app on Heroku, we need to let Git know where the Heroku server is so we can deploy to it later. Copy the app's name from your Heroku dashboard and substitute `appname.git` with the name you chose earlier:
 web:
 ```sh
 # https://dashboard.heroku.com/new
-$ git remote add heroku git@heroku.com:appinfive.git
+$ git remote add heroku git@heroku.com:appname.git
 ```
-3. Create a new App in the partners area
+3. Create a new App in the Shopify Partner dashboard
 -----------------------------------------
+* Create a Shopify app in the [Partners dashboard](https://partner.shopify.com). For this tutorial, you can choose either a public or custom app, but you can [learn about App Types here.](https://help.shopify.com/en/manual/apps/app-types)
 [https://app.shopify.com/services/partners/api_clients](https://app.shopify.com/services/partners/api_clients)
-* set the callback url to `https://<name>.herokuapp.com/`
-* choose an embedded app
-* set the redirect_uri to `https://<name>.herokuapp.com/auth/shopify/callback`
+* Set the callback url to `https://<appname>.herokuapp.com/`
+* Choose an embedded app
+* Set the app's `redirect_uri` to `https://<appname>.herokuapp.com/auth/shopify/callback`
-4. Add ShopifyApp to gemfile
+4. Add ShopifyApp to Gemfile
 ----------------------------
+Run these commands to add the `shopify_app` Gem to your app:
 ```sh
 $ echo "gem 'shopify_app'" >> Gemfile
 $ bundle install
 ```
-Note - its recommended to use the latest released version. Check the git tags to see the latest release and then add it to your Gemfile e.g `gem 'shopify_app', '~> 7.0.0'`
+**Note:** we recommend using the latest version of Shopify Gem. Check the [Git tags](https://github.com/Shopify/shopify_app/tags) to see the latest release version and then add it to your Gemfile e.g `gem 'shopify_app', '~> 7.0.0'`
 5. Run the ShopifyApp generator
 -------------------------------
+Generate the code for your app by running these commands:
 ```sh
-# use the keys from your app in the partners area
+# Use the keys from your app you created in the partners area
 $ rails generate shopify_app --api_key <shopify_api_key> --secret <shopify_api_secret>
 $ git add .
 $ git commit -m 'generated shopify app'
@@ -61,10 +71,12 @@ $ git commit -m 'generated shopify app'
 If you forget to set your keys or redirect uri above, you will find them in the shopify_app initializer at: `/config/initializers/shopify_app.rb`.
-We recommend adding a gem or utilizing ENV variables to handle your keys before releasing your app.
+We recommend adding a gem or utilizing environment variables (`.env`) to handle your keys before releasing your app. [Learn more about using environment variables.](https://www.honeybadger.io/blog/ruby-guide-environment-variables/)
-6. Deploy
+6. Deploy your app
 ---------
+Once you've generated your app, push it into your Heroku environment to see it up and running:
 ```sh
 $ git push heroku
 $ heroku run rake db:migrate
@@ -72,4 +84,20 @@ $ heroku run rake db:migrate
 7. Install the App!
 -------------------
-`https://<name>.herokuapp.com/`
+Ensure you have created a [development store](https://help.shopify.com/en/api/getting-started/making-your-first-request#create-a-development-store) using the Shopify Partner Dashboard. If you don't already have one, [create one by following these instructions](https://help.shopify.com/en/api/getting-started/making-your-first-request#create-a-development-store).
+##### Note: The following step will cause your store to become `transfer-disabled.` Read more about store transfer and why it's important [here](https://help.shopify.com/en/api/guides/store-transfers#transfer-disabled-stores). This is an irreversible change, so be sure you don't plan to transfer this store to a merchant.
+Install the app onto your new development store using the Partner Dashboard. Log in to your account, visit the apps page, click the app you created earlier, and looking for the `Test your app` instructions where you can select a store to install your app on.
+![Installing an app on the partners dashboard dropdown](/docs/install-on-dev-shop.png)
+### OR
+![Installing an app on the partners dashboard card](/docs/test-your-app.png)
+8. Great work!
+-------------------
+You're done creating your first app on Shopify. Keep going and learn more by [diving into our full documentation](https://help.shopify.com/en/api/getting-started), or join our [community of developers.](https://community.shopify.com/c/Shopify-Apps/bd-p/shopify-apps)

data/docs/install-on-dev-shop.png ADDED

Binary file

data/docs/test-your-app.png ADDED

Binary file

data/lib/generators/shopify_app/add_marketing_activity_extension/templates/marketing_activities_controller.rb CHANGED

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
-class MarketingActivitiesController < ExtensionVerificationController
+class MarketingActivitiesController < ShopifyApp::ExtensionVerificationController
   def preload_form_data
     preload_data = {
       "form_data": {

data/lib/generators/shopify_app/home_controller/home_controller_generator.rb CHANGED

@@ -11,12 +11,6 @@ module ShopifyApp
       def create_home_index_view
         copy_file 'index.html.erb', 'app/views/home/index.html.erb'
-        if embedded_app?
-          prepend_to_file(
-            'app/views/home/index.html.erb',
-            File.read(File.expand_path(find_in_source_paths('shopify_app_ready_script.html.erb')))
-          )
-        end
       end
       def add_home_index_route

data/lib/generators/shopify_app/install/templates/embedded_app.html.erb CHANGED

@@ -24,11 +24,11 @@
     <%= render 'layouts/flash_messages' %>
-    <script src="https://cdn.shopify.com/s/assets/external/app.js?<%= Time.now.strftime('%Y%m%d%H') %>"></script>
+    <script src="https://unpkg.com/@shopify/app-bridge"></script>
     <%= content_tag(:div, nil, id: 'shopify-app-init', data: {
       api_key: ShopifyApp.configuration.api_key,
-      shop_origin: ("https://#{ @shop_session.url }" if @shop_session),
+      shop_origin: (@shop_session.domain if @shop_session),
       debug: Rails.env.development?
     } ) %>

data/lib/generators/shopify_app/install/templates/flash_messages.js CHANGED

@@ -4,12 +4,21 @@ if (!document.documentElement.hasAttribute("data-turbolinks-preview")) {
   document.addEventListener(eventName, function flash() {
     var flashData = JSON.parse(document.getElementById('shopify-app-flash').dataset.flash);
+    var Toast = window['app-bridge'].actions.Toast;
     if (flashData.notice) {
-      ShopifyApp.flashNotice(flashData.notice);
+      Toast.create(app, {
+        message: flashData.notice,
+        duration: 5000,
+      }).dispatch(Toast.Action.SHOW);
     }
     if (flashData.error) {
-      ShopifyApp.flashError(flashData.error);
+      Toast.create(app, {
+        message: flashData.error,
+        duration: 5000,
+        isError: true,
+      }).dispatch(Toast.Action.SHOW);
     }
     document.removeEventListener(eventName, flash)

data/lib/generators/shopify_app/install/templates/shopify_app.js CHANGED

@@ -1,9 +1,15 @@
 document.addEventListener('DOMContentLoaded', () => {
   var data = document.getElementById('shopify-app-init').dataset;
-  ShopifyApp.init({
+  var AppBridge = window['app-bridge'];
+  var createApp = AppBridge.default;
+  window.app = createApp({
     apiKey: data.apiKey,
     shopOrigin: data.shopOrigin,
-    debug: data.debug === 'true',
-    forceRedirect: true
+  });
+  var actions = AppBridge.actions;
+  var TitleBar = actions.TitleBar;
+  TitleBar.create(app, {
+    title: data.page,
   });
 });

data/lib/generators/shopify_app/install/templates/shopify_app.rb CHANGED

@@ -8,7 +8,7 @@ ShopifyApp.configure do |config|
   config.embedded_app = <%= embedded_app? %>
   config.after_authenticate_job = false
   config.api_version = "<%= @api_version %>"
-  config.session_repository = ShopifyApp::InMemorySessionStore
+  config.session_repository = 'ShopifyApp::InMemorySessionStore'
 end
 # ShopifyApp::Utils.fetch_known_api_versions                        # Uncomment to fetch known api versions from shopify servers on boot

data/lib/shopify_app.rb CHANGED

@@ -24,9 +24,6 @@ module ShopifyApp
   # utils
   require 'shopify_app/utils'
-  # controllers
-  require 'shopify_app/controllers/extension_verification_controller'
   # controller concerns
   require 'shopify_app/controller_concerns/localization'
   require 'shopify_app/controller_concerns/itp'
@@ -43,6 +40,9 @@ module ShopifyApp
   require 'shopify_app/managers/webhooks_manager'
   require 'shopify_app/managers/scripttags_manager'
+  # middleware
+  require 'shopify_app/middleware/same_site_cookie_middleware'
   # session
   require 'shopify_app/session/storage_strategies/shop_storage_strategy'
   require 'shopify_app/session/storage_strategies/user_storage_strategy'

data/lib/shopify_app/configuration.rb CHANGED

@@ -14,7 +14,7 @@ module ShopifyApp
     attr_accessor :webhooks
     attr_accessor :scripttags
     attr_accessor :after_authenticate_job
-    attr_accessor :session_repository
+    attr_reader :session_repository
     attr_accessor :per_user_tokens
     alias_method :per_user_tokens?, :per_user_tokens
     attr_accessor :api_version
@@ -36,6 +36,9 @@ module ShopifyApp
     # allow namespacing webhook jobs
     attr_accessor :webhook_jobs_namespace
+    # allow enabling of same site none on cookies
+    attr_accessor :enable_same_site_none
     def initialize
       @root_url = '/'
       @myshopify_domain = 'myshopify.com'
@@ -50,13 +53,8 @@ module ShopifyApp
     end
     def session_repository=(klass)
-      if Rails.configuration.cache_classes
-        ShopifyApp::SessionRepository.storage = klass
-      else
-        ActiveSupport::Reloader.to_prepare do
-          ShopifyApp::SessionRepository.storage = klass
-        end
-      end
+      @session_repository = klass
+      ShopifyApp::SessionRepository.storage = klass
     end
     def has_webhooks?
@@ -67,6 +65,9 @@ module ShopifyApp
       scripttags.present?
     end
+    def enable_same_site_none
+      @enable_same_site_none.nil? ? embedded_app? : @enable_same_site_none
+    end
   end
   def self.configuration

data/lib/shopify_app/controller_concerns/login_protection.rb CHANGED

@@ -63,8 +63,14 @@ module ShopifyApp
         head :unauthorized
       else
         if request.get?
-          session[:return_to] = "#{request.path}?#{sanitized_params.to_query}"
+          path = request.path
+          query = sanitized_params.to_query
+        else
+          referer = URI(request.referer || "/")
+          path = referer.path
+          query = "#{referer.query}&#{sanitized_params.to_query}"
         end
+        session[:return_to] = "#{path}?#{query}"
         redirect_to(login_url_with_optional_shop)
       end
     end

data/lib/shopify_app/engine.rb CHANGED

@@ -12,5 +12,9 @@ module ShopifyApp
         storage_access.svg
       ]
     end
+    initializer "shopify_app.middleware" do |app|
+      app.config.middleware.insert_before(ActionDispatch::Cookies, ShopifyApp::SameSiteCookieMiddleware)
+    end
   end
 end

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb ADDED

@@ -0,0 +1,60 @@
+module ShopifyApp
+  class SameSiteCookieMiddleware
+    def initialize(app)
+      @app = app
+    end
+    def call(env)
+      _status, headers, _body = @app.call(env)
+    ensure
+      user_agent = env['HTTP_USER_AGENT']
+      if headers && headers['Set-Cookie'] && !SameSiteCookieMiddleware.same_site_none_incompatible?(user_agent) &&
+          ShopifyApp.configuration.enable_same_site_none
+        cookies = headers['Set-Cookie'].split("\n").compact
+        cookies.each do |cookie|
+          unless cookie.include?("; SameSite")
+            headers['Set-Cookie'] = headers['Set-Cookie'].gsub("#{cookie}", "#{cookie}; secure; SameSite=None")
+          end
+        end
+      end
+    end
+    def self.same_site_none_incompatible?(user_agent)
+      sniffer = BrowserSniffer.new(user_agent)
+      webkit_same_site_bug?(sniffer) || drops_unrecognized_same_site_cookies?(sniffer)
+    rescue
+      true
+    end
+    def self.webkit_same_site_bug?(sniffer)
+      (sniffer.os == :ios && sniffer.os_version.match?(/^([0-9]|1[12])[\.\_]/)) ||
+        (sniffer.os == :mac && sniffer.browser == :safari && sniffer.os_version.match?(/^10[\.\_]14/))
+    end
+    def self.drops_unrecognized_same_site_cookies?(sniffer)
+      (chromium_based?(sniffer) && sniffer.major_browser_version >= 51 && sniffer.major_browser_version <= 66) ||
+        (uc_browser?(sniffer) && !uc_browser_version_at_least?(sniffer: sniffer, major: 12, minor: 13, build: 2))
+    end
+    def self.chromium_based?(sniffer)
+      sniffer.browser_name.downcase.match?(/chrom(e|ium)/)
+    end
+    def self.uc_browser?(sniffer)
+      sniffer.user_agent.downcase.match?(/uc\s?browser/)
+    end
+    def self.uc_browser_version_at_least?(sniffer:, major:, minor:, build:)
+      digits = sniffer.browser_version.split('.').map(&:to_i)
+      return false unless digits.count >= 3
+      return digits[0] > major if digits[0] != major
+      return digits[1] > minor if digits[1] != minor
+      digits[2] >= build
+    end
+  end
+end

data/lib/shopify_app/session/session_storage.rb CHANGED

@@ -3,6 +3,12 @@ module ShopifyApp
     extend ActiveSupport::Concern
     included do
+      if ShopifyApp.configuration.per_user_tokens?
+        extend ShopifyApp::SessionStorage::UserStorageStrategy
+      else
+        extend ShopifyApp::SessionStorage::ShopStorageStrategy
+      end
       validates :shopify_token, presence: true
       validates :api_version, presence: true
       validates :shopify_domain, presence: true,
@@ -19,22 +25,5 @@ module ShopifyApp
         &block
       )
     end
-    class_methods do
-      def strategy_klass
-        ShopifyApp.configuration.per_user_tokens? ?
-          ShopifyApp::SessionStorage::UserStorageStrategy :
-          ShopifyApp::SessionStorage::ShopStorageStrategy
-      end
-      def store(auth_session, user: nil)
-        strategy_klass.store(auth_session, user)
-      end
-      def retrieve(id)
-        strategy_klass.retrieve(id)
-      end
-    end
   end
 end

data/lib/shopify_app/session/storage_strategies/shop_storage_strategy.rb CHANGED

@@ -1,17 +1,16 @@
 module ShopifyApp
   module SessionStorage
-    class ShopStorageStrategy
-      def self.store(auth_session, *args)
-        shop = Shop.find_or_initialize_by(shopify_domain: auth_session.domain)
+    module ShopStorageStrategy
+      def store(auth_session, *args)
+        shop = find_or_initialize_by(shopify_domain: auth_session.domain)
         shop.shopify_token = auth_session.token
         shop.save!
         shop.id
       end
-      def self.retrieve(id)
+      def retrieve(id)
         return unless id
-        if shop = Shop.find_by(id: id)
+        if shop = self.find_by(id: id)
           ShopifyAPI::Session.new(
             domain: shop.shopify_domain,
             token: shop.shopify_token,

data/lib/shopify_app/session/storage_strategies/user_storage_strategy.rb CHANGED

@@ -1,18 +1,17 @@
 module ShopifyApp
   module SessionStorage
-    class UserStorageStrategy
-      def self.store(auth_session, user)
-        user = User.find_or_initialize_by(shopify_user_id: user[:id])
+    module UserStorageStrategy
+      def store(auth_session, user)
+        user = find_or_initialize_by(shopify_user_id: user[:id])
         user.shopify_token = auth_session.token
         user.shopify_domain = auth_session.domain
         user.save!
         user.id
       end
-      def self.retrieve(id)
+      def retrieve(id)
         return unless id
-        if user = User.find_by(shopify_user_id: id)
+        if user = self.find_by(shopify_user_id: id)
           ShopifyAPI::Session.new(
             domain: user.shopify_domain,
             token: user.shopify_token,
@@ -20,7 +19,6 @@ module ShopifyApp
           )
         end
       end
     end
   end
 end

data/lib/shopify_app/version.rb CHANGED

@@ -1,3 +1,3 @@
 module ShopifyApp
-  VERSION = '11.5.0'.freeze
+  VERSION = '12.0.0'.freeze
 end

data/package.json CHANGED

@@ -23,5 +23,6 @@
   },
   "scripts": {
     "test": "./node_modules/.bin/karma start --browsers ChromeHeadless --single-run"
-  }
+  },
+  "version": "12.0.0"
 }

data/shopify_app.gemspec CHANGED

@@ -12,7 +12,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency('browser_sniffer', '~> 1.1.3')
   s.add_runtime_dependency('rails', '> 5.2.1')
-  s.add_runtime_dependency('shopify_api', '~> 8.0')
+  s.add_runtime_dependency('shopify_api', '~> 9.0')
   s.add_runtime_dependency('omniauth-shopify-oauth2', '~> 2.2.0')
   s.add_development_dependency('rake')

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 11.5.0
+  version: 12.0.0
 platform: ruby
 authors:
 - Shopify
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-01-07 00:00:00.000000000 Z
+date: 2020-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: browser_sniffer
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '8.0'
+        version: '9.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '8.0'
+        version: '9.0'
 - !ruby/object:Gem::Dependency
   name: omniauth-shopify-oauth2
   requirement: !ruby/object:Gem::Requirement
@@ -239,6 +239,7 @@ files:
 - app/controllers/concerns/shopify_app/authenticated.rb
 - app/controllers/shopify_app/authenticated_controller.rb
 - app/controllers/shopify_app/callback_controller.rb
+- app/controllers/shopify_app/extension_verification_controller.rb
 - app/controllers/shopify_app/sessions_controller.rb
 - app/controllers/shopify_app/webhooks_controller.rb
 - app/views/shopify_app/partials/_button_styles.html.erb
@@ -277,6 +278,8 @@ files:
 - docs/Quickstart.md
 - docs/Releasing.md
 - docs/Troubleshooting.md
+- docs/install-on-dev-shop.png
+- docs/test-your-app.png
 - images/app-proxy-screenshot.png
 - karma.conf.js
 - lib/generators/shopify_app/add_after_authenticate_job/add_after_authenticate_job_generator.rb
@@ -295,7 +298,6 @@ files:
 - lib/generators/shopify_app/home_controller/home_controller_generator.rb
 - lib/generators/shopify_app/home_controller/templates/home_controller.rb
 - lib/generators/shopify_app/home_controller/templates/index.html.erb
-- lib/generators/shopify_app/home_controller/templates/shopify_app_ready_script.html.erb
 - lib/generators/shopify_app/install/install_generator.rb
 - lib/generators/shopify_app/install/templates/_flash_messages.html.erb
 - lib/generators/shopify_app/install/templates/embedded_app.html.erb
@@ -330,12 +332,12 @@ files:
 - lib/shopify_app/controller_concerns/localization.rb
 - lib/shopify_app/controller_concerns/login_protection.rb
 - lib/shopify_app/controller_concerns/webhook_verification.rb
-- lib/shopify_app/controllers/extension_verification_controller.rb
 - lib/shopify_app/engine.rb
 - lib/shopify_app/jobs/scripttags_manager_job.rb
 - lib/shopify_app/jobs/webhooks_manager_job.rb
 - lib/shopify_app/managers/scripttags_manager.rb
 - lib/shopify_app/managers/webhooks_manager.rb
+- lib/shopify_app/middleware/same_site_cookie_middleware.rb
 - lib/shopify_app/session/in_memory_session_store.rb
 - lib/shopify_app/session/session_repository.rb
 - lib/shopify_app/session/session_storage.rb

data/lib/generators/shopify_app/home_controller/templates/shopify_app_ready_script.html.erb DELETED

@@ -1,7 +0,0 @@
-<% content_for :javascript do %>
-  <script type="text/javascript">
-    ShopifyApp.ready(function(){
-      ShopifyApp.Bar.initialize({ title: "Home" });
-    });
-  </script>
-<% end %>

data/lib/shopify_app/controllers/extension_verification_controller.rb DELETED

@@ -1,18 +0,0 @@
-# frozen_string_literal: true
-class ExtensionVerificationController < ActionController::Base
-  protect_from_forgery with: :null_session
-  before_action :verify_request
-  private
-  def verify_request
-    hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
-    request_body = request.body.read
-    secret = ShopifyApp.configuration.secret
-    digest = OpenSSL::Digest.new('sha256')
-    expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
-    head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
-  end
-end