shopify_app 12.0.0 → 13.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d7f75f25ebd3015036f89240acd78fb1d38bd85c6c61c361df564e0eaa1e2195
-  data.tar.gz: 5b91f6dd61dd686a9cce74123a3b6de0498f683488204768542aa128e312f90f
+  metadata.gz: d4e2d37f9112725500d1a9f36fe76b743e8981920eea4838024cafd6a71cb5eb
+  data.tar.gz: 3c52a0ee9a7f40433ad01b82bda3a0c6d30dd9bb45c319f1d457a0bd13c30fc0
 SHA512:
-  metadata.gz: 9119cf0bf9b9ad3a9f03c89877a7fc2337b99a98b36ec5ec01446b9a9ef15841e0bf7ba05631d15d827b5b32c535c1176f5b4b46227846ace43d27c9d55155cb
-  data.tar.gz: c084b5f9fd03727c865621a6615e2837179f262941b2ef3c5b083515d4e23b075e0d904f9cccee29140c78d117c2624fad4ef73c883aaa0ba087d0bc816a9685
+  metadata.gz: 19a445a22b25b01f860a84128551234313bc44e7acd1583ec90bc96f59d65a8fac208feb1d5a6899453935dd19458196c5253605d85e3ac346be2fa405a50b4c
+  data.tar.gz: 526354098526753ade6d30a346ffa75b2280707638b66dba61c89b34a771e72dd4c23cfae8bda319de58a7a373e7c05d233a13a4f2f8325c7754cda1ed58d835

data/CHANGELOG.md

@@ -1,3 +1,41 @@
+13.0.0
+------
++ #887 Added concurrent user and shop session support (online/offline)
+  BREAKING, please see README for migration notes.
+
+12.0.7
+------
+* Remove check for API_KEY in config that was throwing errors during install #919
+
+12.0.6
+------
+* Adds changelog information and README updates for 8.4.0 #916
+
+12.0.5
+------
+* Updating shopify_api gem to 9.0.1
+
+12.0.4
+------
+* Reverts reverted PR (#895) #897
+
+12.0.3
+------
+* Moves samesite middleware higher in the stack #898
+* Fix issue where not redirecting user to granted storage page casues infinite loop #900
+
+12.0.2
+------
+* Reverts "Fix for return_to in safari after enable_cookies/granted_storage_access" introduced in 12.0.1
+
+12.0.1
+------
+* disable samesite cookie middleware in tests
+* middleware compatibility for ruby 2.3
+* samesite cookie fixes for javascript libraries
+* change generators to add AppBridge instead of EASDK
+* Fix for return_to in safari after enable_cookies/granted_storage_access
+
 12.0.0
 -----
 * Updating shopify_api gem to 9.0.0
@@ -166,6 +204,7 @@ Added support for rotating Shopify access tokens:
 8.4.0
 ----
 * Fix embedded app session management in Safari 12.1
+  * Note that with this change we have extracted the callback action in its own controller. If you are relying on it, see the README for more details: https://github.com/Shopify/shopify_app#callback
 * Shop names passed to OAuth are no longer case sensitive
 
 8.3.2

data/README.md

@@ -25,6 +25,7 @@ Table of Contents
 - [AppProxyVerification](#appproxyverification)
 - [Troubleshooting](#troubleshooting)
 - [Testing an embedded app outside the Shopify admin](#testing-an-embedded-app-outside-the-shopify-admin)
+- [Migration to 13.0.0](#migrating-to-13)
 - [Questions or problems?](#questions-or-problems-)
 - [Rails 6 Compatibility](#rails-6-compatibility)
 - [Upgrading from 8.6 to 9.0.0](#upgrading-from-86-to-900)
@@ -43,9 +44,9 @@ Become a Shopify App Developer
 --------------------------------
 To become a Shopify App Developer you'll need a [Shopify Partner account.](http://shopify.com/partners) If you don't have a Shopify Partner account, head to http://shopify.com/partners to create one before you start.
 
-Once you have a Partner account, [create a new application in the Partner Dashboard](https://help.shopify.com/en/api/tools/partner-dashboard/your-apps) to get an API key and other API credentials. 
+Once you have a Partner account, [create a new application in the Partner Dashboard](https://help.shopify.com/en/api/tools/partner-dashboard/your-apps) to get an API key and other API credentials.
 
-To create an application for development set your new app's `App URL` to the URL provided by [your tunnel](#app-tunneling), ensuring that you use `https://`. If you are not planning to embed your app inside the Shopify admin or receive webhooks, set your redirect URL to `http://localhost:3000/` and the `Whitelisted redirection URL(s)` to contain `<App URL>/auth/shopify/callback`. 
+To create an application for development set your new app's `App URL` to the URL provided by [your tunnel](#app-tunneling), ensuring that you use `https://`. If you are not planning to embed your app inside the Shopify admin or receive webhooks, set your redirect URL to `http://localhost:3000/` and the `Whitelisted redirection URL(s)` to contain `<App URL>/auth/shopify/callback`.
 
 Installation
 ------------
@@ -80,7 +81,7 @@ The default generator will run the `install`, `shop`, and `home_controller` gene
 $ rails generate shopify_app
 ```
 
-After running the generator, you will need to run `rails db:migrate` to add new tables to your database. You can start your app with `bundle exec rails server` and install your app by visiting `http://localhost` in your web browser. 
+After running the generator, you will need to run `rails db:migrate` to add new tables to your database. You can start your app with `bundle exec rails server` and install your app by visiting `http://localhost` in your web browser.
 
 ### API Keys
 
@@ -91,7 +92,9 @@ SHOPIFY_API_KEY=your api key
 SHOPIFY_API_SECRET=your api secret
 ```
 
-These values can be found on the "App Setup" page in the [Shopify Partners Dashboard][dashboard]. If you are checking your code into a code repository, ensure your `.gitignore` prevents your `.env` file from being checked into any publicly accessible code. 
+These values can be found on the "App Setup" page in the [Shopify Partners Dashboard][dashboard]. If you are checking your code into a code repository, ensure your `.gitignore` prevents your `.env` file from being checked into any publicly accessible code.
+
+**You will need to load the ENV variables into your enviroment, you can do this with the [dot-env](https://github.com/bkeepers/dotenv) gem or any other method you wish to.**
 
 ### Install Generator
 
@@ -211,12 +214,21 @@ end
 Authentication
 --------------
 
+### Callback
+
+Upon completing the authentication flow Shopify calls the app at the `callback_path` mentioned before. If the app needs to do some extra work it can define and configure the route to a custom callback controller, inheriting from `ShopifyApp::CallbackController` and hook into or override any of the defined helper methods. The default callback controller already provides the following behaviour:
+* Logging into the shop and resetting the session
+* [Installing Webhooks](https://github.com/Shopify/shopify_app#webhooksmanager)
+* [Setting Scripttags](https://github.com/Shopify/shopify_app#scripttagsmanager)
+* [Performing the AfterAuthenticate Job](https://github.com/Shopify/shopify_app#afterauthenticatejob)
+* Redirecting to the return address
+
+**Note that starting with version 8.4.0, we have extracted the callback logic in its own controller. If you are upgrading from a version older than 8.4.0 the callback action and related helper methods were defined in `ShopifyApp::SessionsController` ==> you will have to extend `ShopifyApp::CallbackController` instead and port your logic to the new controller.**
+
 ### ShopifyApp::SessionRepository
 
 `ShopifyApp::SessionRepository` allows you as a developer to define how your sessions are stored and retrieved for shops. The `SessionRepository` is configured in the `config/initializers/shopify_app.rb` file and can be set to any object that implements `self.store(auth_session, *args)` which stores the session and returns a unique identifier and `self.retrieve(id)` which returns a `ShopifyAPI::Session` for the passed id. These methods are already implemented as part of the `ShopifyApp::SessionStorage` concern, but can be overridden for custom implementation.
 
-If you only run the install generator then by default you will have an in memory store but it **won't work** on multi-server environments including Heroku. For multi-server environments, implement one of the following token-storage strategies.
-
 #### Shop-based token storage
 Storing tokens on the store model means that any user login associated to the store will have equal access levels to whatever the original user granted the app.
 ```sh
@@ -225,32 +237,35 @@ $ rails generate shopify_app:shop_model
 This will generate a shop model which will be the storage for the tokens necessary for authentication.
 
 #### User-based token storage
-A more granular control over level of access per user on an app might be necessary, to which the shop-based token strategy is not sufficient. Shopify supports a user-based token storage strategy where a unique token to each user can be managed.
+A more granular control over level of access per user on an app might be necessary, to which the shop-based token strategy is not sufficient. Shopify supports a user-based token storage strategy where a unique token to each user can be managed. Shop tokens must still be maintained if you are running background jobs so that you can make use of them when necessary.
 ```sh
+$ rails generate shopify_app:shop_model
 $ rails generate shopify_app:user_model
 ```
-This will generate a user model which will be the storage for the tokens necessary for authentication.
+This will generate a shop model and user model which will be the storage for the tokens necessary for authentication.
 
 The current Shopify user will be stored in the rails session at `session[:shopify_user]`
 
-In this mode, The `self.store(auth_session, *args)` will be invoked with a Shopify User object hash, which is then used to store the token as part of a user record, rather than a store record.
-
-This will change the type of token that Shopify returns and it will only be valid for a short time. Read more about `Online access` [here](https://help.shopify.com/api/getting-started/authentication/oauth). Note that this means you won't be able to use this token to respond to Webhooks.
+Read more about Online vs. Offline access [here](https://help.shopify.com/api/getting-started/authentication/oauth).
 
 #### Migrating from shop-based to user-based token strategy
-After running the generator, ensure that configuration settings are successfully changed:
-
+1. Run the `user_model` generator as mentioned above.
+2. Ensure that both your `Shop` model and `User` model includes the necessary concerns `ShopifyApp::ShopSessionStorage` and `ShopifyApp::UserSessionStorage`.
+3. Make changes to 2 initializer files as shown below:
 ```ruby
 # In the `omniauth.rb` initializer:
 provider :shopify,
-  ShopifyApp.configuration.api_key,
-  ShopifyApp.configuration.secret,
-  scope: ShopifyApp.configuration.scope,
-  per_user_permissions: true
+  ...
+  setup: lambda { |env|
+    ...
+    # Add this line
+    strategy.options[:per_user_permissions] = strategy.session[:user_tokens]
+    ...
+  }
 
 # In the `shopify_app.rb` initializer:
-config.session_repository = 'User'
-config.per_user_tokens = true
+config.shop_session_repository = {YOUR_SHOP_MODEL_CLASS}
+config.user_session_repository = {YOUR_USER_MODEL_CLASS}
 ```
 
 ### Authenticated
@@ -287,6 +302,14 @@ bin/rails g shopify_app:add_after_authenticate_job
 
 If you want to perform that action only once, e.g. send a welcome email to the user when they install the app, you should make sure that this action is idempotent, meaning that it won't have an impact if run multiple times.
 
+API Versioning
+--------------
+
+Shopify's API is versioned, and you can [read about that process in the Shopify Developers documentation page](https://shopify.dev/concepts/about-apis/versioning).
+
+Since shopify_app gem version 1.11.0, the included shopify_api gem has also been updated to allow you to easily set and switch what version of the Shopify API you want your app or service to use, as well as surface warnings to Rails apps about [deprecated endpoints, GraphQL fields and more](https://shopify.dev/concepts/about-apis/versioning#deprecation-practices).
+
+See the [shopify_api gem README](https://github.com/Shopify/shopify_api/) for more details.
 
 WebhooksManager
 ---------------
@@ -408,7 +431,7 @@ strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret
 App Tunneling
 -------------
 
-Your local app needs to be accessible from the public Internet in order to install it on a Shopify store, to use the [App Proxy Controller](#app-proxy-controller-generator) or receive Webhooks. 
+Your local app needs to be accessible from the public Internet in order to install it on a Shopify store, to use the [App Proxy Controller](#app-proxy-controller-generator) or receive Webhooks.
 
 Use a tunneling service like [ngrok](https://ngrok.com/), [Forward](https://forwardhq.com/), [Beeceptor](https://beeceptor.com/), [Mockbin](http://mockbin.org/), or [Hookbin](https://hookbin.com/) to make your development environment accessible to the internet.
 
@@ -458,11 +481,35 @@ By default, loading your embedded app will redirect to the Shopify admin, with t
 forceRedirect: <%= Rails.env.development? || Rails.env.test? ? 'false' : 'true' %>
 ```
 
+Migrating to 13.0.0
+-------------------
+
+Version 13.0.0 adds the ability to use both user and shop sessions, concurrently. This however involved a large
+change to how session stores work. Here are the steps to migrate to 13.x
+
+### Changes to `config/initializers/shopify_app.rb`
+- *REMOVE* `config.per_user_tokens = [true|false]` this is no longer needed
+- *CHANGE* `config.session_repository = 'Shop'` To  `config.shop_session_repository = 'Shop'`
+- *ADD (optional)*  User Session Storage `config.user_session_repository = 'User'`
+
+### Shop Model Changes (normally `app/models/shop.rb`)
+-  *CHANGE* `include ShopifyApp::SessionStorage` to `include ShopifyApp::ShopSessionStorage`
+
+### Changes to `ShopifyApp::LoginProtection`
+`ShopifyApp::LoginProtection`
+
+if you are using `ShopifyApp::LoginProtection#shop_session` in your code, it will need to be
+changed to `ShopifyApp::LoginProtection#activate_shopify_session`
+
+### Notes
+You do not need a user model, a shop session is fine for most applications.
+
 Questions or problems?
 ----------------------
 
 - [Ask questions!](https://ecommerce.shopify.com/c/shopify-apis-and-technology)
 - [Read the docs!](https://help.shopify.com/api/guides)
+- And don't forget to check the [Changelog](https://github.com/Shopify/shopify_app/blob/master/CHANGELOG.md) too!
 
 Upgrading to 11.7.0
 ---------------------------

data/app/assets/javascripts/shopify_app/itp_helper.js

@@ -4,31 +4,31 @@
     this.itpAction = document.getElementById('TopLevelInteractionButton');
     this.redirectUrl = opts.redirectUrl;
   }
-  
+
   ITPHelper.prototype.redirect = function() {
     sessionStorage.setItem('shopify.top_level_interaction', true);
     window.location.href = this.redirectUrl;
   }
-  
+
   ITPHelper.prototype.userAgentIsAffected = function() {
     return Boolean(document.hasStorageAccess);
   }
-  
+
   ITPHelper.prototype.canPartitionCookies = function() {
     var versionRegEx = /Version\/12\.0\.?\d? Safari/;
     return versionRegEx.test(navigator.userAgent);
   }
-  
+
   ITPHelper.prototype.setUpContent = function(onClick) {
     this.itpContent.style.display = 'block';
     this.itpAction.addEventListener('click', this.redirect.bind(this));
   }
-  
+
   ITPHelper.prototype.execute = function() {
     if (!this.itpContent) {
       return;
     }
-  
+
     if (this.userAgentIsAffected()) {
       this.setUpContent();
     } else {

data/app/assets/javascripts/shopify_app/storage_access.js

@@ -28,18 +28,47 @@
     window.parent.location.href = this.redirectData.myshopifyUrl + '/admin/apps';
   }
 
-  StorageAccessHelper.prototype.redirectToAppHome = function() {
-    window.location.href = this.redirectData.appHomeUrl;
+  StorageAccessHelper.prototype.redirectToAppTargetUrl = function() {
+    window.location.href = this.redirectData.appTargetUrl;
+  }
+
+  StorageAccessHelper.prototype.sameSiteNoneIncompatible = function(ua) {
+    return ua.includes("iPhone OS 12_") || ua.includes("iPad; CPU OS 12_") || //iOS 12
+    (ua.includes("UCBrowser/")
+        ? this.isOlderUcBrowser(ua) //UC Browser < 12.13.2
+        : (ua.includes("Chrome/5") || ua.includes("Chrome/6"))) ||
+    ua.includes("Chromium/5") || ua.includes("Chromium/6") ||
+    (ua.includes(" OS X 10_14_") &&
+        ((ua.includes("Version/") && ua.includes("Safari")) || //Safari on MacOS 10.14
+        ua.endsWith("(KHTML, like Gecko)"))); //Web view on MacOS 10.14
+  }
+
+  StorageAccessHelper.prototype.isOlderUcBrowser = function(ua) {
+    var match = ua.match(/UCBrowser\/(\d+)\.(\d+)\.(\d+)\./);
+    if (!match) return false;
+    var major = parseInt(match[1]);
+    var minor = parseInt(match[2]);
+    var build = parseInt(match[3]);
+    if (major != 12) return major < 12;
+    if (minor != 13) return minor < 13;
+    return build < 2;
+  }
+
+  StorageAccessHelper.prototype.setCookie = function(value) {
+    if(!this.sameSiteNoneIncompatible(navigator.userAgent)) {
+      value += '; secure; SameSite=None'
+    }
+    document.cookie = value;
   }
 
   StorageAccessHelper.prototype.grantedStorageAccess = function() {
     try {
       sessionStorage.setItem('shopify.granted_storage_access', true);
-      document.cookie = 'shopify.granted_storage_access=true';
+      this.setCookie('shopify.granted_storage_access=true');
       if (!document.cookie) {
         throw 'Cannot set third-party cookie.'
       }
-      this.redirectToAppHome();
+      this.redirectToAppTargetUrl();
     } catch (error) {
       console.warn('Third party cookies may be blocked.', error);
       this.redirectToAppTLD(ACCESS_DENIED_STATUS);
@@ -61,7 +90,7 @@
   StorageAccessHelper.prototype.handleHasStorageAccess = function() {
     if (sessionStorage.getItem('shopify.granted_storage_access')) {
       // If app was classified by ITP and used Storage Access API to acquire access
-      this.redirectToAppHome();
+      this.redirectToAppTargetUrl();
     } else {
       // If app has not been classified by ITP and still has storage access
       this.redirectToAppTLD(ACCESS_GRANTED_STATUS);
@@ -107,7 +136,7 @@
   }
 
   StorageAccessHelper.prototype.setCookieAndRedirect = function() {
-    document.cookie = "shopify.cookies_persist=true";
+    this.setCookie('shopify.cookies_persist=true');
     var helper = this.setUpHelper();
     helper.redirect();
   }

data/app/controllers/concerns/shopify_app/authenticated.rb

@@ -9,7 +9,7 @@ module ShopifyApp
       include ShopifyApp::LoginProtection
       include ShopifyApp::EmbeddedApp
       before_action :login_again_if_different_user_or_shop
-      around_action :shopify_session
+      around_action :activate_shopify_session
     end
   end
 end

data/app/controllers/shopify_app/callback_controller.rb

@@ -8,6 +8,11 @@ module ShopifyApp
     def callback
       if auth_hash
         login_shop
+
+        if ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
+          return redirect_to(login_url_with_optional_shop)
+        end
+
         install_webhooks
         install_scripttags
         perform_after_authenticate_job
@@ -55,16 +60,15 @@ module ShopifyApp
         token: token,
         api_version: ShopifyApp.configuration.api_version
       )
-      session[:shopify] = ShopifyApp::SessionRepository.store(session_store, user: associated_user)
-      session[:shopify_domain] = shop_name
-      session[:shopify_user] = associated_user
 
-      if ShopifyApp.configuration.per_user_tokens?
-        # Adds the user_session to the session to determine if the logged in user has changed
-        user_session = auth_hash&.extra&.session
-        raise IndexError, "Missing user session signature" if user_session.nil?
-        session[:user_session] = user_session
+      session[:shopify_user] = associated_user
+      if session[:shopify_user].present?
+        session[:user_id] = ShopifyApp::SessionRepository.store_user_session(session_store, associated_user)
+      else
+        session[:shop_id] = ShopifyApp::SessionRepository.store_shop_session(session_store)
       end
+      session[:shopify_domain] = shop_name
+      session[:user_session] = auth_hash&.extra&.session
     end
 
     def install_webhooks
@@ -72,7 +76,7 @@ module ShopifyApp
 
       WebhooksManager.queue(
         shop_name,
-        token,
+        shop_session&.token || user_session.token,
         ShopifyApp.configuration.webhooks
       )
     end
@@ -82,7 +86,7 @@ module ShopifyApp
 
       ScripttagsManager.queue(
         shop_name,
-        token,
+        shop_session&.token || user_session.token,
         ShopifyApp.configuration.scripttags
       )
     end

data/app/controllers/shopify_app/sessions_controller.rb

@@ -3,6 +3,7 @@ module ShopifyApp
     include ShopifyApp::LoginProtection
 
     layout false, only: :new
+
     after_action only: [:new, :create] do |controller|
       controller.response.headers.except!('X-Frame-Options')
     end
@@ -16,30 +17,35 @@ module ShopifyApp
     end
 
     def enable_cookies
-      return unless validate_shop
+      return unless validate_shop_presence
 
       render(:enable_cookies, layout: false, locals: {
         does_not_have_storage_access_url: top_level_interaction_path(
-          shop: sanitized_shop_name
+          shop: sanitized_shop_name,
+          return_to: params[:return_to]
         ),
         has_storage_access_url: login_url_with_optional_shop(top_level: true),
-        app_home_url: granted_storage_access_path(shop: sanitized_shop_name),
-        current_shopify_domain: current_shopify_domain,
+        app_target_url: granted_storage_access_path(
+          shop: sanitized_shop_name,
+          return_to: params[:return_to]
+        ),
+        current_shopify_domain: current_shopify_domain
       })
     end
 
     def top_level_interaction
       @url = login_url_with_optional_shop(top_level: true)
-      validate_shop
+      validate_shop_presence
     end
 
     def granted_storage_access
-      return unless validate_shop
+      return unless validate_shop_presence
 
       session['shopify.granted_storage_access'] = true
 
-      params = { shop: @shop }
-      redirect_to("#{return_address}?#{params.to_query}")
+      copy_return_to_param_to_session
+
+      redirect_to(return_address_with_params({ shop: @shop }))
     end
 
     def destroy
@@ -54,7 +60,9 @@ module ShopifyApp
       return render_invalid_shop_error unless sanitized_shop_name.present?
       session['shopify.omniauth_params'] = { shop: sanitized_shop_name }
 
-      session[:return_to] = params[:return_to] if params[:return_to]
+      copy_return_to_param_to_session
+
+      set_user_tokens_option
 
       if user_agent_can_partition_cookies
         authenticate_with_partitioning
@@ -83,7 +91,27 @@ module ShopifyApp
       end
     end
 
-    def validate_shop
+    def set_user_tokens_option
+      if shop_session.blank?
+        session[:user_tokens] = false
+        return
+      end
+
+      session[:user_tokens] = ShopifyApp::SessionRepository.user_storage.present?
+
+      ShopifyAPI::Session.temp(
+        domain: shop_session.domain,
+        token: shop_session.token,
+        api_version: shop_session.api_version
+      ) do
+        ShopifyAPI::Metafield.find(:token_validity_bogus_check)
+      end
+    rescue ActiveResource::UnauthorizedAccess
+      session[:user_tokens] = false
+    rescue StandardError
+    end
+
+    def validate_shop_presence
       @shop = sanitized_shop_name
       unless @shop
         render_invalid_shop_error
@@ -93,6 +121,10 @@ module ShopifyApp
       true
     end
 
+    def copy_return_to_param_to_session
+      session[:return_to] = params[:return_to] if params[:return_to]
+    end
+
     def render_invalid_shop_error
       flash[:error] = I18n.t('invalid_shop_url')
       redirect_to return_address
@@ -133,11 +165,15 @@ module ShopifyApp
         layout: false,
         locals: {
           does_not_have_storage_access_url: top_level_interaction_path(
-            shop: sanitized_shop_name
+            shop: sanitized_shop_name,
+            return_to: session[:return_to]
           ),
           has_storage_access_url: login_url_with_optional_shop(top_level: true),
-          app_home_url: granted_storage_access_path(shop: sanitized_shop_name),
-          current_shopify_domain: current_shopify_domain,
+          app_target_url: granted_storage_access_path(
+            shop: sanitized_shop_name,
+            return_to: session[:return_to]
+          ),
+          current_shopify_domain: current_shopify_domain
         }
       )
     end