shopify_app 11.6.0 → 12.0.2

data/app/controllers/concerns/shopify_app/authenticated.rb

@@ -8,7 +8,7 @@ module ShopifyApp
       include ShopifyApp::Localization
       include ShopifyApp::LoginProtection
       include ShopifyApp::EmbeddedApp
-      before_action :login_again_if_different_shop
+      before_action :login_again_if_different_user_or_shop
       around_action :shopify_session
     end
   end

data/app/controllers/shopify_app/callback_controller.rb

@@ -55,10 +55,16 @@ module ShopifyApp
         token: token,
         api_version: ShopifyApp.configuration.api_version
       )
-
-      session[:shopify] = ShopifyApp::SessionRepository.store(session_store)
+      session[:shopify] = ShopifyApp::SessionRepository.store(session_store, user: associated_user)
       session[:shopify_domain] = shop_name
       session[:shopify_user] = associated_user
+
+      if ShopifyApp.configuration.per_user_tokens?
+        # Adds the user_session to the session to determine if the logged in user has changed
+        user_session = auth_hash&.extra&.session
+        raise IndexError, "Missing user session signature" if user_session.nil?
+        session[:user_session] = user_session
+      end
     end
 
     def install_webhooks

data/app/controllers/shopify_app/extension_verification_controller.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  class ExtensionVerificationController < ActionController::Base
+    protect_from_forgery with: :null_session
+    before_action :verify_request
+
+    private
+
+    def verify_request
+      hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
+      request_body = request.body.read
+      secret = ShopifyApp.configuration.secret
+      digest = OpenSSL::Digest.new('sha256')
+
+      expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
+      head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
+    end
+  end
+end

data/config/locales/pt-BR.yml

@@ -4,7 +4,7 @@ pt-BR:
   could_not_log_in: Não foi possível fazer login na Shopify store
   invalid_shop_url: Domínio de loja inválido
   enable_cookies_heading: Habilitar cookies de %{app}
-  enable_cookies_body: Você deve habilitar manualmente os cookies neste navegador
+  enable_cookies_body: Você precisa habilitar manualmente os cookies neste navegador
     para usar %{app} dentro da Shopify.
   enable_cookies_footer: Os cookies permitem que o app o autentique armazenando temporariamente
     suas preferências e dados pessoais. Eles expiram depois de 30 dias.

data/docs/Quickstart.md

@@ -1,11 +1,13 @@
 Quickstart
 ==========
 
-Build and deploy a new Shopify App to Heroku in minutes
+Get started building and deploying a new Shopify App to Heroku in just a few minutes. This guide assumes you have Ruby/Rails installed on your computer already; if you haven't done that already start with [this guide.](https://guides.rubyonrails.org/v5.0/getting_started.html#installing-rails)
 
 1. New Rails App (with postgres)
 --------------------------------
 
+To create a new Rails app and use this generator, open your terminal and run the following commands:
+
 ```sh
 $ rails new test-app --database=postgresql
 $ cd test-app
@@ -17,43 +19,51 @@ $ git commit -m 'new rails app'
 2. Create a new Heroku app
 --------------------------
 
-The next step is to create a new heroku app. Pull up your heroku dashboard and make a new app!
+The next step is to create a new Heroku app to host your application. If you haven't got a Heroku account yet, create a free account [here](https://www.heroku.com/). 
+
+Head to the Heroku dashboard and create a new app, or run the following commands with the [Heroku CLI](https://devcenter.heroku.com/articles/heroku-cli#download-and-install) installed, substituting `name` for the name of your own app:
 
-cli:
+CLI:
 ```sh
 $ heroku create name
 $ heroku git:remote -a name
 ```
 
-now we need to let git know where the remote server is so we'll be able to deploy later
+Once you have created an app on Heroku, we need to let Git know where the Heroku server is so we can deploy to it later. Copy the app's name from your Heroku dashboard and substitute `appname.git` with the name you chose earlier:
 
 web:
 ```sh
 # https://dashboard.heroku.com/new
-$ git remote add heroku git@heroku.com:appinfive.git
+$ git remote add heroku git@heroku.com:appname.git
 ```
 
-3. Create a new App in the partners area
+3. Create a new App in the Shopify Partner dashboard
 -----------------------------------------
+* Create a Shopify app in the [Partners dashboard](https://partner.shopify.com). For this tutorial, you can choose either a public or custom app, but you can [learn about App Types here.](https://help.shopify.com/en/manual/apps/app-types)
 [https://app.shopify.com/services/partners/api_clients](https://app.shopify.com/services/partners/api_clients)
-* set the callback url to `https://<name>.herokuapp.com/`
-* choose an embedded app
-* set the redirect_uri to `https://<name>.herokuapp.com/auth/shopify/callback`
-
+* Set the callback url to `https://<appname>.herokuapp.com/`
+* Choose an embedded app
+* Set the app's `redirect_uri` to `https://<appname>.herokuapp.com/auth/shopify/callback`
 
-4. Add ShopifyApp to gemfile
+4. Add ShopifyApp to Gemfile
 ----------------------------
+
+Run these commands to add the `shopify_app` Gem to your app:
+
 ```sh
 $ echo "gem 'shopify_app'" >> Gemfile
 $ bundle install
 ```
 
-Note - its recommended to use the latest released version. Check the git tags to see the latest release and then add it to your Gemfile e.g `gem 'shopify_app', '~> 7.0.0'`
+**Note:** we recommend using the latest version of Shopify Gem. Check the [Git tags](https://github.com/Shopify/shopify_app/tags) to see the latest release version and then add it to your Gemfile e.g `gem 'shopify_app', '~> 7.0.0'`
 
 5. Run the ShopifyApp generator
 -------------------------------
+
+Generate the code for your app by running these commands: 
+
 ```sh
-# use the keys from your app in the partners area
+# Use the keys from your app you created in the partners area
 $ rails generate shopify_app --api_key <shopify_api_key> --secret <shopify_api_secret>
 $ git add .
 $ git commit -m 'generated shopify app'
@@ -61,10 +71,12 @@ $ git commit -m 'generated shopify app'
 
 If you forget to set your keys or redirect uri above, you will find them in the shopify_app initializer at: `/config/initializers/shopify_app.rb`.
 
-We recommend adding a gem or utilizing ENV variables to handle your keys before releasing your app.
+We recommend adding a gem or utilizing environment variables (`.env`) to handle your keys before releasing your app. [Learn more about using environment variables.](https://www.honeybadger.io/blog/ruby-guide-environment-variables/)
 
-6. Deploy
+6. Deploy your app
 ---------
+
+Once you've generated your app, push it into your Heroku environment to see it up and running:
 ```sh
 $ git push heroku
 $ heroku run rake db:migrate
@@ -72,4 +84,20 @@ $ heroku run rake db:migrate
 
 7. Install the App!
 -------------------
-`https://<name>.herokuapp.com/`
+
+Ensure you have created a [development store](https://help.shopify.com/en/api/getting-started/making-your-first-request#create-a-development-store) using the Shopify Partner Dashboard. If you don't already have one, [create one by following these instructions](https://help.shopify.com/en/api/getting-started/making-your-first-request#create-a-development-store).
+
+##### Note: The following step will cause your store to become `transfer-disabled.` Read more about store transfer and why it's important [here](https://help.shopify.com/en/api/guides/store-transfers#transfer-disabled-stores). This is an irreversible change, so be sure you don't plan to transfer this store to a merchant.
+
+Install the app onto your new development store using the Partner Dashboard. Log in to your account, visit the apps page, click the app you created earlier, and looking for the `Test your app` instructions where you can select a store to install your app on.
+
+![Installing an app on the partners dashboard dropdown](/docs/install-on-dev-shop.png)
+
+### OR
+
+![Installing an app on the partners dashboard card](/docs/test-your-app.png)
+
+8. Great work! 
+-------------------
+
+You're done creating your first app on Shopify. Keep going and learn more by [diving into our full documentation](https://help.shopify.com/en/api/getting-started), or join our [community of developers.](https://community.shopify.com/c/Shopify-Apps/bd-p/shopify-apps)

data/lib/generators/shopify_app/add_marketing_activity_extension/templates/marketing_activities_controller.rb

@@ -1,13 +1,9 @@
 # frozen_string_literal: true
 
-class MarketingActivitiesController < ExtensionVerificationController
+class MarketingActivitiesController < ShopifyApp::ExtensionVerificationController
   def preload_form_data
     preload_data = {
-      "form_data": {
-        "budget": {
-          "currency": "USD",
-        }
-      }
+      "form_data": {}
     }
     render(json: preload_data, status: :ok)
   end

data/lib/generators/shopify_app/home_controller/home_controller_generator.rb

@@ -11,12 +11,6 @@ module ShopifyApp
 
       def create_home_index_view
         copy_file 'index.html.erb', 'app/views/home/index.html.erb'
-        if embedded_app?
-          prepend_to_file(
-            'app/views/home/index.html.erb',
-            File.read(File.expand_path(find_in_source_paths('shopify_app_ready_script.html.erb')))
-          )
-        end
       end
 
       def add_home_index_route

data/lib/generators/shopify_app/install/templates/embedded_app.html.erb

@@ -24,11 +24,11 @@
 
     <%= render 'layouts/flash_messages' %>
 
-    <script src="https://cdn.shopify.com/s/assets/external/app.js?<%= Time.now.strftime('%Y%m%d%H') %>"></script>
+    <script src="https://unpkg.com/@shopify/app-bridge"></script>
 
     <%= content_tag(:div, nil, id: 'shopify-app-init', data: {
       api_key: ShopifyApp.configuration.api_key,
-      shop_origin: ("https://#{ @shop_session.url }" if @shop_session),
+      shop_origin: (@shop_session.domain if @shop_session),
       debug: Rails.env.development?
     } ) %>
 

data/lib/generators/shopify_app/install/templates/flash_messages.js

@@ -4,12 +4,21 @@ if (!document.documentElement.hasAttribute("data-turbolinks-preview")) {
   document.addEventListener(eventName, function flash() {
     var flashData = JSON.parse(document.getElementById('shopify-app-flash').dataset.flash);
 
+    var Toast = window['app-bridge'].actions.Toast;
+
     if (flashData.notice) {
-      ShopifyApp.flashNotice(flashData.notice);
+      Toast.create(app, {
+        message: flashData.notice,
+        duration: 5000,
+      }).dispatch(Toast.Action.SHOW);
     }
 
     if (flashData.error) {
-      ShopifyApp.flashError(flashData.error);
+      Toast.create(app, {
+        message: flashData.error,
+        duration: 5000,
+        isError: true,
+      }).dispatch(Toast.Action.SHOW);
     }
 
     document.removeEventListener(eventName, flash)

data/lib/generators/shopify_app/install/templates/shopify_app.js

@@ -1,9 +1,15 @@
 document.addEventListener('DOMContentLoaded', () => {
   var data = document.getElementById('shopify-app-init').dataset;
-  ShopifyApp.init({
+  var AppBridge = window['app-bridge'];
+  var createApp = AppBridge.default;
+  window.app = createApp({
     apiKey: data.apiKey,
     shopOrigin: data.shopOrigin,
-    debug: data.debug === 'true',
-    forceRedirect: true
+  });
+
+  var actions = AppBridge.actions;
+  var TitleBar = actions.TitleBar;
+  TitleBar.create(app, {
+    title: data.page,
   });
 });

data/lib/generators/shopify_app/install/templates/shopify_provider.rb

@@ -4,6 +4,7 @@ provider :shopify,
   ShopifyApp.configuration.api_key,
   ShopifyApp.configuration.secret,
   scope: ShopifyApp.configuration.scope,
+  per_user_permissions: ShopifyApp.configuration.per_user_tokens,
   setup: lambda { |env|
     strategy = env['omniauth.strategy']
 

data/lib/generators/shopify_app/user_model/templates/db/migrate/create_users.erb

@@ -0,0 +1,16 @@
+class CreateUsers < ActiveRecord::Migration[<%= rails_migration_version %>]
+  def self.up
+    create_table :users do |t|
+      t.bigint :shopify_user_id, null: false
+      t.string :shopify_domain, null: false
+      t.string :shopify_token, null: false
+      t.timestamps
+    end
+
+    add_index :users, :shopify_user_id, unique: true
+  end
+
+  def self.down
+    drop_table :users
+  end
+end

data/lib/generators/shopify_app/user_model/templates/user.rb

@@ -0,0 +1,7 @@
+class User < ActiveRecord::Base
+  include ShopifyApp::SessionStorage
+
+  def api_version
+    ShopifyApp.configuration.api_version
+  end
+end

data/lib/generators/shopify_app/user_model/templates/users.yml

@@ -0,0 +1,4 @@
+regular_user:
+  shopify_domain: 'regular-shop.myshopify.com'
+  shopify_token: 'token'
+  shopify_user_id: 1

data/lib/generators/shopify_app/user_model/user_model_generator.rb

@@ -0,0 +1,38 @@
+require 'rails/generators/base'
+require 'rails/generators/active_record'
+
+module ShopifyApp
+  module Generators
+    class UserModelGenerator < Rails::Generators::Base
+      include Rails::Generators::Migration
+      source_root File.expand_path('../templates', __FILE__)
+
+      def create_user_model
+        copy_file 'user.rb', 'app/models/user.rb'
+      end
+
+      def create_user_migration
+        migration_template 'db/migrate/create_users.erb', 'db/migrate/create_users.rb'
+      end
+
+      def update_shopify_app_initializer
+        gsub_file 'config/initializers/shopify_app.rb', 'ShopifyApp::InMemorySessionStore', 'User'
+      end
+
+      def create_user_fixtures
+        copy_file 'users.yml', 'test/fixtures/users.yml'
+      end
+
+      private
+
+      def rails_migration_version
+        Rails.version.match(/\d\.\d/)[0]
+      end
+
+      # for generating a timestamp when using `create_migration`
+      def self.next_migration_number(dir)
+        ActiveRecord::Generators::Base.next_migration_number(dir)
+      end
+    end
+  end
+end

data/lib/shopify_app.rb

@@ -24,9 +24,6 @@ module ShopifyApp
   # utils
   require 'shopify_app/utils'
 
-  # controllers
-  require 'shopify_app/controllers/extension_verification_controller'
-
   # controller concerns
   require 'shopify_app/controller_concerns/localization'
   require 'shopify_app/controller_concerns/itp'
@@ -47,6 +44,8 @@ module ShopifyApp
   require 'shopify_app/middleware/same_site_cookie_middleware'
 
   # session
+  require 'shopify_app/session/storage_strategies/shop_storage_strategy'
+  require 'shopify_app/session/storage_strategies/user_storage_strategy'
   require 'shopify_app/session/session_storage'
   require 'shopify_app/session/session_repository'
   require 'shopify_app/session/in_memory_session_store'

data/lib/shopify_app/configuration.rb

@@ -15,6 +15,8 @@ module ShopifyApp
     attr_accessor :scripttags
     attr_accessor :after_authenticate_job
     attr_reader :session_repository
+    attr_accessor :per_user_tokens
+    alias_method :per_user_tokens?, :per_user_tokens
     attr_accessor :api_version
 
     # customise urls
@@ -42,6 +44,7 @@ module ShopifyApp
       @myshopify_domain = 'myshopify.com'
       @scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
       @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
+      @per_user_tokens = false
       @disable_webpacker = ENV['SHOPIFY_APP_DISABLE_WEBPACKER'].present?
     end
 
@@ -63,7 +66,7 @@ module ShopifyApp
     end
 
     def enable_same_site_none
-      @enable_same_site_none.nil? ? embedded_app? : @enable_same_site_none
+      !Rails.env.test? && (@enable_same_site_none.nil? ? embedded_app? : @enable_same_site_none)
     end
   end
 

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -27,12 +27,30 @@ module ShopifyApp
     end
 
     def shop_session
-      return unless session[:shopify]
-      @shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify])
+      if ShopifyApp.configuration.per_user_tokens?
+        return unless session[:shopify_user]
+        @shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify_user]['id'])
+      else
+        return unless session[:shopify]
+        @shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify])
+      end
     end
 
-    def login_again_if_different_shop
+    def login_again_if_different_user_or_shop
+      if ShopifyApp.configuration.per_user_tokens?
+        valid_session_data = session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
+        sessions_do_not_match = session[:user_session] != params[:session] # current user is different from stored user
+
+        if valid_session_data && sessions_do_not_match
+          clear_session = true
+        end
+      end
+
       if shop_session && params[:shop] && params[:shop].is_a?(String) && (shop_session.domain != params[:shop])
+        clear_session = true
+      end
+
+      if clear_session
         clear_shop_session
         redirect_to_login
       end
@@ -45,8 +63,14 @@ module ShopifyApp
         head :unauthorized
       else
         if request.get?
-          session[:return_to] = "#{request.path}?#{sanitized_params.to_query}"
+          path = request.path
+          query = sanitized_params.to_query
+        else
+          referer = URI(request.referer || "/")
+          path = referer.path
+          query = "#{referer.query}&#{sanitized_params.to_query}"
         end
+        session[:return_to] = "#{path}?#{query}"
         redirect_to(login_url_with_optional_shop)
       end
     end
@@ -60,6 +84,7 @@ module ShopifyApp
       session[:shopify] = nil
       session[:shopify_domain] = nil
       session[:shopify_user] = nil
+      session[:user_session] = nil
     end
 
     def login_url_with_optional_shop(top_level: false)