shopify_app 11.5.1 → 11.6.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 1f2c7003fc52f7cdca6ab2ecd68fd087aee28e63e8bfbdc59ea7ca82886f28b8
4
- data.tar.gz: b967b29d2122d732af04ef1aeb3fcf814fe53fd5103b124009bfad0daf2d298b
3
+ metadata.gz: 14c540b5ab61f25b6a0ad180f76161ae69536d8fcf52f623bd997055b145e02a
4
+ data.tar.gz: 69be07412bfd24ca729a2e4d1207a7884d71418e5773337ddb477118d2594e86
5
5
  SHA512:
6
- metadata.gz: 325bc337b2be96e0cd91250ee19ddbed0ac34baf2c0bcea995f4b78048738e9a3d638e95334b55bb28e3350eb20365d1f9f2fcfe698356d338e2551797a7877c
7
- data.tar.gz: 7781e846d38666203e63eb6d17f182cea70a9011a5c5dec6b3b0dc540ae5473a21ae8f13fb82719435691b87e14c4981135d4f4e984e09a34cbd81316e89996a
6
+ metadata.gz: 901b0a51d2891756243f0903d23833dc3399b158fb27f703a5fe3f977550db9c7d87116b83b1c568de57236855704e80d1dec91fe2094a6cf4280abaff116219
7
+ data.tar.gz: 172ac0593c9ee3c0dd870a585e122feaeae4b387df367c6962d239e0a79a784c247bc1645ecbe3a3264ae3b57142bbd0854bc34a67461e134374214419a3125c
@@ -1,3 +1,9 @@
1
+ 11.6.0
2
+ -----
3
+ * Enable SameSite=None; Secure by default on all cookies for embedded apps [#851](https://github.com/Shopify/shopify_app/pull/851)
4
+ * Ensures compatibility of embedded apps with upcoming Chrome version 80 changes to cookie behaviour
5
+ * Configurable via `ShopifyApp.configuration.enable_same_site_none` (default true for embedded apps)
6
+
1
7
  11.5.1
2
8
  -----
3
9
  * Revert per-user token support temporarily
@@ -43,6 +43,9 @@ module ShopifyApp
43
43
  require 'shopify_app/managers/webhooks_manager'
44
44
  require 'shopify_app/managers/scripttags_manager'
45
45
 
46
+ # middleware
47
+ require 'shopify_app/middleware/same_site_cookie_middleware'
48
+
46
49
  # session
47
50
  require 'shopify_app/session/session_storage'
48
51
  require 'shopify_app/session/session_repository'
@@ -34,6 +34,9 @@ module ShopifyApp
34
34
  # allow namespacing webhook jobs
35
35
  attr_accessor :webhook_jobs_namespace
36
36
 
37
+ # allow enabling of same site none on cookies
38
+ attr_accessor :enable_same_site_none
39
+
37
40
  def initialize
38
41
  @root_url = '/'
39
42
  @myshopify_domain = 'myshopify.com'
@@ -58,6 +61,10 @@ module ShopifyApp
58
61
  def has_scripttags?
59
62
  scripttags.present?
60
63
  end
64
+
65
+ def enable_same_site_none
66
+ @enable_same_site_none.nil? ? embedded_app? : @enable_same_site_none
67
+ end
61
68
  end
62
69
 
63
70
  def self.configuration
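Review bot: `attr_accessor :enable_same_site_none` in the first hunk generates a reader that `def enable_same_site_none` in the second hunk immediately redefines, so the generated reader is dead code and will most likely produce a "method redefined" warning under `ruby -w`; `attr_writer :enable_same_site_none` is all the accessor line needs to provide. The comment above it should also state the default the custom reader supplies, e.g. `# Emit "SameSite=None; Secure" on cookies; defaults to embedded_app? when not set explicitly`. `embedded_app?` is defined outside these hunks, so the default is inferred from its name only.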
@@ -12,5 +12,9 @@ module ShopifyApp
12
12
  storage_access.svg
13
13
  ]
14
14
  end
15
+
16
+ initializer "shopify_app.middleware" do |app|
17
+ app.config.middleware.insert_before(ActionDispatch::Cookies, ShopifyApp::SameSiteCookieMiddleware)
18
+ end
15
19
  end
16
20
  end
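Review bot: `insert_before(ActionDispatch::Cookies, …)` runs unconditionally, and in Rails an `insert_before` whose anchor is absent from the stack raises at boot, which I believe is the case for an API-only host app (`config.api_only = true`) that has no cookies middleware; since the middleware is a no-op unless `enable_same_site_none` is true, either guard the insertion or document that embedded apps require `ActionDispatch::Cookies`. The ordering also deserves a comment, because it is easy to invert: `# Must sit outside (before) ActionDispatch::Cookies so it sees Set-Cookie on the response path`. The placement itself looks right, assuming the cookie and session middlewares both write `Set-Cookie` further down the stack.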
@@ -0,0 +1,60 @@
1
+ module ShopifyApp
2
+ class SameSiteCookieMiddleware
3
+ def initialize(app)
4
+ @app = app
5
+ end
6
+
7
+ def call(env)
8
+ _status, headers, _body = @app.call(env)
9
+ ensure
10
+ user_agent = env['HTTP_USER_AGENT']
11
+
12
+ if headers && headers['Set-Cookie'] && !SameSiteCookieMiddleware.same_site_none_incompatible?(user_agent) &&
13
+ ShopifyApp.configuration.enable_same_site_none
14
+
15
+ cookies = headers['Set-Cookie'].split("\n").compact
16
+
17
+ cookies.each do |cookie|
18
+ unless cookie.include?("; SameSite")
19
+ headers['Set-Cookie'] = headers['Set-Cookie'].gsub("#{cookie}", "#{cookie}; secure; SameSite=None")
20
+ end
21
+ end
22
+ end
23
+ end
24
+
25
+ def self.same_site_none_incompatible?(user_agent)
26
+ sniffer = BrowserSniffer.new(user_agent)
27
+
28
+ webkit_same_site_bug?(sniffer) || drops_unrecognized_same_site_cookies?(sniffer)
29
+ rescue
30
+ true
31
+ end
32
+
33
+ def self.webkit_same_site_bug?(sniffer)
34
+ (sniffer.os == :ios && sniffer.os_version.match?(/^([0-9]|1[12])[\.\_]/)) ||
35
+ (sniffer.os == :mac && sniffer.browser == :safari && sniffer.os_version.match?(/^10[\.\_]14/))
36
+ end
37
+
38
+ def self.drops_unrecognized_same_site_cookies?(sniffer)
39
+ (chromium_based?(sniffer) && sniffer.major_browser_version >= 51 && sniffer.major_browser_version <= 66) ||
40
+ (uc_browser?(sniffer) && !uc_browser_version_at_least?(sniffer: sniffer, major: 12, minor: 13, build: 2))
41
+ end
42
+
43
+ def self.chromium_based?(sniffer)
44
+ sniffer.browser_name.downcase.match?(/chrom(e|ium)/)
45
+ end
46
+
47
+ def self.uc_browser?(sniffer)
48
+ sniffer.user_agent.downcase.match?(/uc\s?browser/)
49
+ end
50
+
51
+ def self.uc_browser_version_at_least?(sniffer:, major:, minor:, build:)
52
+ digits = sniffer.browser_version.split('.').map(&:to_i)
53
+ return false unless digits.count >= 3
54
+
55
+ return digits[0] > major if digits[0] != major
56
+ return digits[1] > minor if digits[1] != minor
57
+ digits[2] >= build
58
+ end
59
+ end
60
+ end
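Review bot: The `gsub` inside the cookie loop (hunk lines 17–21) matches the cookie text as a substring of the whole `Set-Cookie` header, so a cookie line that is a prefix of another (for example `a=1` alongside `a=12`) gets the attributes spliced into the wrong line, and the `include?("; SameSite")` guard is case-sensitive, so a cookie already carrying `samesite=lax` in different casing receives a second, conflicting `SameSite=None`. Rebuilding the header from the split lines, one cookie at a time, avoids both: each line is kept verbatim or gets the attributes appended exactly once. Appending `secure` to a cookie that already has it is harmless, so no dedup is needed there. Separately, the bare `rescue` in `same_site_none_incompatible?` turns any sniffer failure — possibly including a missing `User-Agent` header — into "incompatible", which silently leaves cookies without `SameSite=None`; that is a defensible fail-safe but should say so, e.g. `# An unparsable UA is treated as incompatible so legacy clients never receive an attribute they would reject.`
```ruby
        cookies = headers['Set-Cookie'].split("\n").compact
        headers['Set-Cookie'] = cookies.map do |cookie|
          cookie.match?(/;\s*SameSite=/i) ? cookie : "#{cookie}; secure; SameSite=None"
        end.join("\n")
```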
@@ -1,3 +1,3 @@
1
1
  module ShopifyApp
2
- VERSION = '11.5.1'.freeze
2
+ VERSION = '11.6.0'.freeze
3
3
  end
@@ -23,5 +23,6 @@
23
23
  },
24
24
  "scripts": {
25
25
  "test": "./node_modules/.bin/karma start --browsers ChromeHeadless --single-run"
26
- }
26
+ },
27
+ "version": "11.6.0"
27
28
  }
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: shopify_app
3
3
  version: !ruby/object:Gem::Version
4
- version: 11.5.1
4
+ version: 11.6.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Shopify
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-01-08 00:00:00.000000000 Z
11
+ date: 2020-01-14 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: browser_sniffer
@@ -290,6 +290,7 @@ files:
290
290
  - lib/shopify_app/jobs/webhooks_manager_job.rb
291
291
  - lib/shopify_app/managers/scripttags_manager.rb
292
292
  - lib/shopify_app/managers/webhooks_manager.rb
293
+ - lib/shopify_app/middleware/same_site_cookie_middleware.rb
293
294
  - lib/shopify_app/session/in_memory_session_store.rb
294
295
  - lib/shopify_app/session/session_repository.rb
295
296
  - lib/shopify_app/session/session_storage.rb