shopify_app 11.5.1 → 12.0.1

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -27,12 +27,30 @@ module ShopifyApp
     end
 
     def shop_session
-      return unless session[:shopify]
-      @shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify])
+      if ShopifyApp.configuration.per_user_tokens?
+        return unless session[:shopify_user]
+        @shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify_user]['id'])
+      else
+        return unless session[:shopify]
+        @shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify])
+      end
     end
 
-    def login_again_if_different_shop
+    def login_again_if_different_user_or_shop
+      if ShopifyApp.configuration.per_user_tokens?
+        valid_session_data = session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
+        sessions_do_not_match = session[:user_session] != params[:session] # current user is different from stored user
+
+        if valid_session_data && sessions_do_not_match
+          clear_session = true
+        end
+      end
+
       if shop_session && params[:shop] && params[:shop].is_a?(String) && (shop_session.domain != params[:shop])
+        clear_session = true
+      end
+
+      if clear_session
         clear_shop_session
         redirect_to_login
       end
@@ -45,8 +63,14 @@ module ShopifyApp
         head :unauthorized
       else
         if request.get?
-          session[:return_to] = "#{request.path}?#{sanitized_params.to_query}"
+          path = request.path
+          query = sanitized_params.to_query
+        else
+          referer = URI(request.referer || "/")
+          path = referer.path
+          query = "#{referer.query}&#{sanitized_params.to_query}"
         end
+        session[:return_to] = "#{path}?#{query}"
         redirect_to(login_url_with_optional_shop)
       end
     end
@@ -60,6 +84,7 @@ module ShopifyApp
       session[:shopify] = nil
       session[:shopify_domain] = nil
       session[:shopify_user] = nil
+      session[:user_session] = nil
     end
 
     def login_url_with_optional_shop(top_level: false)
@@ -75,8 +100,10 @@ module ShopifyApp
       query_params = {}
       query_params[:shop] = sanitized_params[:shop] if params[:shop].present?
 
-      if session[:return_to] && return_to_param_required?
-        query_params[:return_to] = session[:return_to]
+      return_to = session[:return_to] || params[:return_to]
+
+      if return_to.present? && return_to_param_required?
+        query_params[:return_to] = return_to
       end
 
       has_referer_shop_name = referer_sanitized_shop_name.present?

data/lib/shopify_app/engine.rb

@@ -12,5 +12,9 @@ module ShopifyApp
         storage_access.svg
       ]
     end
+
+    initializer "shopify_app.middleware" do |app|
+      app.config.middleware.insert_before(ActionDispatch::Cookies, ShopifyApp::SameSiteCookieMiddleware)
+    end
   end
 end

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb

@@ -0,0 +1,60 @@
+module ShopifyApp
+  class SameSiteCookieMiddleware
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      _status, headers, _body = @app.call(env)
+    ensure
+      user_agent = env['HTTP_USER_AGENT']
+
+      if headers && headers['Set-Cookie'] && !SameSiteCookieMiddleware.same_site_none_incompatible?(user_agent) &&
+          ShopifyApp.configuration.enable_same_site_none
+
+        cookies = headers['Set-Cookie'].split("\n").compact
+
+        cookies.each do |cookie|
+          unless cookie.include?("; SameSite")
+            headers['Set-Cookie'] = headers['Set-Cookie'].gsub(cookie, "#{cookie}; secure; SameSite=None")
+          end
+        end
+      end
+    end
+
+    def self.same_site_none_incompatible?(user_agent)
+      sniffer = BrowserSniffer.new(user_agent)
+
+      webkit_same_site_bug?(sniffer) || drops_unrecognized_same_site_cookies?(sniffer)
+    rescue
+      true
+    end
+
+    def self.webkit_same_site_bug?(sniffer)
+      (sniffer.os == :ios && sniffer.os_version.match(/^([0-9]|1[12])[\.\_]/)) ||
+        (sniffer.os == :mac && sniffer.browser == :safari && sniffer.os_version.match(/^10[\.\_]14/))
+    end
+
+    def self.drops_unrecognized_same_site_cookies?(sniffer)
+      (chromium_based?(sniffer) && sniffer.major_browser_version >= 51 && sniffer.major_browser_version <= 66) ||
+        (uc_browser?(sniffer) && !uc_browser_version_at_least?(sniffer: sniffer, major: 12, minor: 13, build: 2))
+    end
+
+    def self.chromium_based?(sniffer)
+      sniffer.browser_name.downcase.match(/chrom(e|ium)/)
+    end
+
+    def self.uc_browser?(sniffer)
+      sniffer.user_agent.downcase.match(/uc\s?browser/)
+    end
+
+    def self.uc_browser_version_at_least?(sniffer:, major:, minor:, build:)
+      digits = sniffer.browser_version.split('.').map(&:to_i)
+      return false unless digits.count >= 3
+
+      return digits[0] > major if digits[0] != major
+      return digits[1] > minor if digits[1] != minor
+      digits[2] >= build
+    end
+  end
+end

data/lib/shopify_app/session/in_memory_session_store.rb

@@ -6,7 +6,7 @@ module ShopifyApp
       repo[id]
     end
 
-    def self.store(session)
+    def self.store(session, *args)
       id = SecureRandom.uuid
       repo[id] = session
       id

data/lib/shopify_app/session/session_repository.rb

@@ -15,8 +15,8 @@ module ShopifyApp
         storage.retrieve(id)
       end
 
-      def store(session)
-        storage.store(session)
+      def store(session, *args)
+        storage.store(session, *args)
       end
 
       def storage

data/lib/shopify_app/session/session_storage.rb

@@ -3,9 +3,18 @@ module ShopifyApp
     extend ActiveSupport::Concern
 
     included do
-      validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false }
+      if ShopifyApp.configuration.per_user_tokens?
+        extend ShopifyApp::SessionStorage::UserStorageStrategy
+      else
+        extend ShopifyApp::SessionStorage::ShopStorageStrategy
+      end
+
       validates :shopify_token, presence: true
       validates :api_version, presence: true
+      validates :shopify_domain, presence: true,
+        if: Proc.new {|_| ShopifyApp.configuration.per_user_tokens? }
+      validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false },
+        if: Proc.new {|_| !ShopifyApp.configuration.per_user_tokens? }
     end
 
     def with_shopify_session(&block)
@@ -16,26 +25,5 @@ module ShopifyApp
         &block
       )
     end
-
-    class_methods do
-      def store(session)
-        shop = find_or_initialize_by(shopify_domain: session.domain)
-        shop.shopify_token = session.token
-        shop.save!
-        shop.id
-      end
-
-      def retrieve(id)
-        return unless id
-
-        if shop = self.find_by(id: id)
-          ShopifyAPI::Session.new(
-            domain: shop.shopify_domain,
-            token: shop.shopify_token,
-            api_version: shop.api_version
-          )
-        end
-      end
-    end
   end
 end

data/lib/shopify_app/session/storage_strategies/shop_storage_strategy.rb

@@ -0,0 +1,23 @@
+module ShopifyApp
+  module SessionStorage
+    module ShopStorageStrategy
+      def store(auth_session, *args)
+        shop = find_or_initialize_by(shopify_domain: auth_session.domain)
+        shop.shopify_token = auth_session.token
+        shop.save!
+        shop.id
+      end
+
+      def retrieve(id)
+        return unless id
+        if shop = self.find_by(id: id)
+          ShopifyAPI::Session.new(
+            domain: shop.shopify_domain,
+            token: shop.shopify_token,
+            api_version: shop.api_version
+          )
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/session/storage_strategies/user_storage_strategy.rb

@@ -0,0 +1,24 @@
+module ShopifyApp
+  module SessionStorage
+    module UserStorageStrategy
+      def store(auth_session, user)
+        user = find_or_initialize_by(shopify_user_id: user[:id])
+        user.shopify_token = auth_session.token
+        user.shopify_domain = auth_session.domain
+        user.save!
+        user.id
+      end
+
+      def retrieve(id)
+        return unless id
+        if user = self.find_by(shopify_user_id: id)
+          ShopifyAPI::Session.new(
+            domain: user.shopify_domain,
+            token: user.shopify_token,
+            api_version: user.api_version
+          )
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/version.rb

@@ -1,3 +1,3 @@
 module ShopifyApp
-  VERSION = '11.5.1'.freeze
+  VERSION = '12.0.1'.freeze
 end

data/package.json

@@ -1,5 +1,6 @@
 {
   "name": "shopify_app",
+  "version": "12.0.1",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

data/service.yml

@@ -2,6 +2,6 @@ audience: partner
 classification: library
 org_line: App & Partner Platform
 owners:
-  - Shopify/app-partner-dev-tools-education
+  - Shopify/platform-dev-tools-education
 slack_channels:
   - dev-tools-education

data/shopify_app.gemspec

@@ -12,12 +12,15 @@ Gem::Specification.new do |s|
 
   s.add_runtime_dependency('browser_sniffer', '~> 1.1.3')
   s.add_runtime_dependency('rails', '> 5.2.1')
-  s.add_runtime_dependency('shopify_api', '~> 8.0')
+  s.add_runtime_dependency('shopify_api', '~> 9.0')
   s.add_runtime_dependency('omniauth-shopify-oauth2', '~> 2.2.0')
 
   s.add_development_dependency('rake')
   s.add_development_dependency('byebug')
   s.add_development_dependency('pry')
+  s.add_development_dependency('pry-nav')
+  s.add_development_dependency('pry-stack_explorer')
+  s.add_development_dependency('rb-readline')
   s.add_development_dependency('sqlite3', '~> 1.4')
   s.add_development_dependency('minitest')
   s.add_development_dependency('mocha')
@@ -26,4 +29,4 @@ Gem::Specification.new do |s|
   s.files         = `git ls-files`.split("\n").reject { |f| f.match(%r{^(test|example)/}) }
   s.test_files    = `git ls-files -- {test}/*`.split("\n")
   s.require_paths = ["lib"]
-end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 11.5.1
+  version: 12.0.1
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-01-08 00:00:00.000000000 Z
+date: 2020-02-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: browser_sniffer
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '8.0'
+        version: '9.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '8.0'
+        version: '9.0'
 - !ruby/object:Gem::Dependency
   name: omniauth-shopify-oauth2
   requirement: !ruby/object:Gem::Requirement
@@ -108,6 +108,48 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-nav
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-stack_explorer
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rb-readline
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
@@ -197,6 +239,7 @@ files:
 - app/controllers/concerns/shopify_app/authenticated.rb
 - app/controllers/shopify_app/authenticated_controller.rb
 - app/controllers/shopify_app/callback_controller.rb
+- app/controllers/shopify_app/extension_verification_controller.rb
 - app/controllers/shopify_app/sessions_controller.rb
 - app/controllers/shopify_app/webhooks_controller.rb
 - app/views/shopify_app/partials/_button_styles.html.erb
@@ -235,6 +278,8 @@ files:
 - docs/Quickstart.md
 - docs/Releasing.md
 - docs/Troubleshooting.md
+- docs/install-on-dev-shop.png
+- docs/test-your-app.png
 - images/app-proxy-screenshot.png
 - karma.conf.js
 - lib/generators/shopify_app/add_after_authenticate_job/add_after_authenticate_job_generator.rb
@@ -253,7 +298,6 @@ files:
 - lib/generators/shopify_app/home_controller/home_controller_generator.rb
 - lib/generators/shopify_app/home_controller/templates/home_controller.rb
 - lib/generators/shopify_app/home_controller/templates/index.html.erb
-- lib/generators/shopify_app/home_controller/templates/shopify_app_ready_script.html.erb
 - lib/generators/shopify_app/install/install_generator.rb
 - lib/generators/shopify_app/install/templates/_flash_messages.html.erb
 - lib/generators/shopify_app/install/templates/embedded_app.html.erb
@@ -275,6 +319,10 @@ files:
 - lib/generators/shopify_app/shop_model/templates/shop.rb
 - lib/generators/shopify_app/shop_model/templates/shops.yml
 - lib/generators/shopify_app/shopify_app_generator.rb
+- lib/generators/shopify_app/user_model/templates/db/migrate/create_users.erb
+- lib/generators/shopify_app/user_model/templates/user.rb
+- lib/generators/shopify_app/user_model/templates/users.yml
+- lib/generators/shopify_app/user_model/user_model_generator.rb
 - lib/generators/shopify_app/views/views_generator.rb
 - lib/shopify_app.rb
 - lib/shopify_app/configuration.rb
@@ -284,15 +332,17 @@ files:
 - lib/shopify_app/controller_concerns/localization.rb
 - lib/shopify_app/controller_concerns/login_protection.rb
 - lib/shopify_app/controller_concerns/webhook_verification.rb
-- lib/shopify_app/controllers/extension_verification_controller.rb
 - lib/shopify_app/engine.rb
 - lib/shopify_app/jobs/scripttags_manager_job.rb
 - lib/shopify_app/jobs/webhooks_manager_job.rb
 - lib/shopify_app/managers/scripttags_manager.rb
 - lib/shopify_app/managers/webhooks_manager.rb
+- lib/shopify_app/middleware/same_site_cookie_middleware.rb
 - lib/shopify_app/session/in_memory_session_store.rb
 - lib/shopify_app/session/session_repository.rb
 - lib/shopify_app/session/session_storage.rb
+- lib/shopify_app/session/storage_strategies/shop_storage_strategy.rb
+- lib/shopify_app/session/storage_strategies/user_storage_strategy.rb
 - lib/shopify_app/utils.rb
 - lib/shopify_app/version.rb
 - package-lock.json

data/lib/generators/shopify_app/home_controller/templates/shopify_app_ready_script.html.erb

@@ -1,7 +0,0 @@
-<% content_for :javascript do %>
-  <script type="text/javascript">
-    ShopifyApp.ready(function(){
-      ShopifyApp.Bar.initialize({ title: "Home" });
-    });
-  </script>
-<% end %>