shopify_app 12.0.0 → 17.2.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (145) hide show
  1. checksums.yaml +4 -4
  2. data/.github/CODEOWNERS +1 -0
  3. data/.github/ISSUE_TEMPLATE/bug-report.md +63 -0
  4. data/.github/ISSUE_TEMPLATE/config.yml +1 -0
  5. data/.github/ISSUE_TEMPLATE/feature-request.md +33 -0
  6. data/.github/PULL_REQUEST_TEMPLATE.md +22 -0
  7. data/.github/workflows/build.yml +41 -0
  8. data/.github/workflows/release.yml +24 -0
  9. data/.github/workflows/rubocop.yml +22 -0
  10. data/.gitignore +0 -2
  11. data/.rubocop.yml +14 -6
  12. data/CHANGELOG.md +180 -0
  13. data/CONTRIBUTING.md +76 -0
  14. data/Gemfile +5 -0
  15. data/Gemfile.lock +257 -0
  16. data/README.md +72 -487
  17. data/Rakefile +1 -0
  18. data/SECURITY.md +59 -0
  19. data/app/assets/images/storage_access.svg +1 -2
  20. data/app/assets/javascripts/shopify_app/itp_helper.js +6 -6
  21. data/app/assets/javascripts/shopify_app/storage_access.js +37 -7
  22. data/app/assets/javascripts/shopify_app/top_level_interaction.js +1 -1
  23. data/app/controllers/concerns/shopify_app/authenticated.rb +2 -1
  24. data/app/controllers/concerns/shopify_app/ensure_authenticated_links.rb +26 -0
  25. data/app/controllers/concerns/shopify_app/require_known_shop.rb +39 -0
  26. data/app/controllers/concerns/shopify_app/shop_access_scopes_verification.rb +32 -0
  27. data/app/controllers/shopify_app/authenticated_controller.rb +1 -0
  28. data/app/controllers/shopify_app/callback_controller.rb +113 -23
  29. data/app/controllers/shopify_app/extension_verification_controller.rb +2 -7
  30. data/app/controllers/shopify_app/sessions_controller.rb +62 -14
  31. data/app/controllers/shopify_app/webhooks_controller.rb +6 -5
  32. data/app/views/shopify_app/partials/_button_styles.html.erb +41 -36
  33. data/app/views/shopify_app/partials/_card_styles.html.erb +3 -3
  34. data/app/views/shopify_app/partials/_empty_state_styles.html.erb +28 -59
  35. data/app/views/shopify_app/partials/_form_styles.html.erb +56 -0
  36. data/app/views/shopify_app/partials/_layout_styles.html.erb +16 -1
  37. data/app/views/shopify_app/partials/_typography_styles.html.erb +6 -6
  38. data/app/views/shopify_app/sessions/enable_cookies.html.erb +3 -8
  39. data/app/views/shopify_app/sessions/new.html.erb +38 -110
  40. data/app/views/shopify_app/sessions/request_storage_access.html.erb +2 -2
  41. data/app/views/shopify_app/sessions/top_level_interaction.html.erb +21 -22
  42. data/config/locales/de.yml +11 -11
  43. data/config/locales/fi.yml +1 -1
  44. data/config/locales/nl.yml +8 -8
  45. data/config/locales/pt-BR.yml +1 -1
  46. data/config/locales/th.yml +4 -4
  47. data/config/locales/vi.yml +22 -0
  48. data/config/locales/zh-CN.yml +1 -1
  49. data/config/routes.rb +1 -0
  50. data/docs/Quickstart.md +15 -87
  51. data/docs/Releasing.md +18 -14
  52. data/docs/Troubleshooting.md +129 -4
  53. data/docs/Upgrading.md +126 -0
  54. data/docs/shopify_app/authentication.md +124 -0
  55. data/docs/shopify_app/engine.md +82 -0
  56. data/docs/shopify_app/generators.md +127 -0
  57. data/docs/shopify_app/handling-access-scopes-changes.md +14 -0
  58. data/docs/shopify_app/script-tags.md +28 -0
  59. data/docs/shopify_app/session-repository.md +88 -0
  60. data/docs/shopify_app/testing.md +38 -0
  61. data/docs/shopify_app/webhooks.md +72 -0
  62. data/karma.conf.js +1 -1
  63. data/lib/generators/shopify_app/add_after_authenticate_job/add_after_authenticate_job_generator.rb +5 -3
  64. data/lib/generators/shopify_app/add_after_authenticate_job/templates/after_authenticate_job.rb +1 -0
  65. data/lib/generators/shopify_app/add_marketing_activity_extension/add_marketing_activity_extension_generator.rb +2 -1
  66. data/lib/generators/shopify_app/add_marketing_activity_extension/templates/marketing_activities_controller.rb +4 -8
  67. data/lib/generators/shopify_app/add_webhook/add_webhook_generator.rb +5 -4
  68. data/lib/generators/shopify_app/add_webhook/templates/{webhook_job.rb → webhook_job.rb.tt} +5 -0
  69. data/lib/generators/shopify_app/app_proxy_controller/app_proxy_controller_generator.rb +4 -3
  70. data/lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_controller.rb +3 -3
  71. data/lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_route.rb +10 -9
  72. data/lib/generators/shopify_app/authenticated_controller/authenticated_controller_generator.rb +1 -1
  73. data/lib/generators/shopify_app/controllers/controllers_generator.rb +2 -1
  74. data/lib/generators/shopify_app/home_controller/home_controller_generator.rb +31 -3
  75. data/lib/generators/shopify_app/home_controller/templates/home_controller.rb +2 -0
  76. data/lib/generators/shopify_app/home_controller/templates/index.html.erb +66 -16
  77. data/lib/generators/shopify_app/home_controller/templates/unauthenticated_home_controller.rb +11 -0
  78. data/lib/generators/shopify_app/install/install_generator.rb +46 -11
  79. data/lib/generators/shopify_app/install/templates/embedded_app.html.erb +1 -1
  80. data/lib/generators/shopify_app/install/templates/flash_messages.js +0 -2
  81. data/lib/generators/shopify_app/install/templates/omniauth.rb +3 -1
  82. data/lib/generators/shopify_app/install/templates/shopify_app.rb.tt +25 -0
  83. data/lib/generators/shopify_app/install/templates/shopify_provider.rb.tt +8 -0
  84. data/lib/generators/shopify_app/install/templates/user_agent.rb +2 -1
  85. data/lib/generators/shopify_app/products_controller/products_controller_generator.rb +19 -0
  86. data/lib/generators/shopify_app/products_controller/templates/products_controller.rb +8 -0
  87. data/lib/generators/shopify_app/routes/routes_generator.rb +1 -0
  88. data/lib/generators/shopify_app/routes/templates/routes.rb +10 -9
  89. data/lib/generators/shopify_app/shop_model/shop_model_generator.rb +39 -7
  90. data/lib/generators/shopify_app/shop_model/templates/db/migrate/add_shop_access_scopes_column.erb +5 -0
  91. data/lib/generators/shopify_app/shop_model/templates/shop.rb +2 -1
  92. data/lib/generators/shopify_app/shopify_app_generator.rb +4 -3
  93. data/lib/generators/shopify_app/user_model/templates/db/migrate/add_user_access_scopes_column.erb +5 -0
  94. data/lib/generators/shopify_app/user_model/templates/user.rb +2 -1
  95. data/lib/generators/shopify_app/user_model/user_model_generator.rb +39 -7
  96. data/lib/generators/shopify_app/views/views_generator.rb +2 -1
  97. data/lib/shopify_app/access_scopes/noop_strategy.rb +13 -0
  98. data/lib/shopify_app/access_scopes/shop_strategy.rb +24 -0
  99. data/lib/shopify_app/access_scopes/user_strategy.rb +41 -0
  100. data/lib/shopify_app/configuration.rb +46 -11
  101. data/lib/shopify_app/controller_concerns/app_proxy_verification.rb +3 -3
  102. data/lib/shopify_app/controller_concerns/csrf_protection.rb +15 -0
  103. data/lib/shopify_app/controller_concerns/embedded_app.rb +3 -2
  104. data/lib/shopify_app/controller_concerns/localization.rb +1 -0
  105. data/lib/shopify_app/controller_concerns/login_protection.rb +105 -30
  106. data/lib/shopify_app/controller_concerns/payload_verification.rb +24 -0
  107. data/lib/shopify_app/controller_concerns/webhook_verification.rb +3 -18
  108. data/lib/shopify_app/engine.rb +27 -1
  109. data/lib/shopify_app/jobs/scripttags_manager_job.rb +1 -1
  110. data/lib/shopify_app/jobs/webhooks_manager_job.rb +1 -1
  111. data/lib/shopify_app/managers/scripttags_manager.rb +4 -3
  112. data/lib/shopify_app/managers/webhooks_manager.rb +4 -3
  113. data/lib/shopify_app/middleware/jwt_middleware.rb +42 -0
  114. data/lib/shopify_app/middleware/same_site_cookie_middleware.rb +19 -45
  115. data/lib/shopify_app/omniauth/omniauth_configuration.rb +64 -0
  116. data/lib/shopify_app/session/in_memory_session_store.rb +7 -3
  117. data/lib/shopify_app/session/in_memory_shop_session_store.rb +16 -0
  118. data/lib/shopify_app/session/in_memory_user_session_store.rb +16 -0
  119. data/lib/shopify_app/session/jwt.rb +63 -0
  120. data/lib/shopify_app/session/null_user_session_store.rb +22 -0
  121. data/lib/shopify_app/session/session_repository.rb +36 -14
  122. data/lib/shopify_app/session/session_storage.rb +1 -10
  123. data/lib/shopify_app/session/shop_session_storage.rb +42 -0
  124. data/lib/shopify_app/session/shop_session_storage_with_scopes.rb +58 -0
  125. data/lib/shopify_app/session/user_session_storage.rb +42 -0
  126. data/lib/shopify_app/session/user_session_storage_with_scopes.rb +58 -0
  127. data/lib/shopify_app/test_helpers/all.rb +2 -0
  128. data/lib/shopify_app/test_helpers/webhook_verification_helper.rb +17 -0
  129. data/lib/shopify_app/utils.rb +18 -5
  130. data/lib/shopify_app/version.rb +2 -1
  131. data/lib/shopify_app.rb +24 -5
  132. data/package.json +8 -9
  133. data/shopify_app.gemspec +15 -10
  134. data/translation.yml +1 -1
  135. data/yarn.lock +2120 -2168
  136. metadata +94 -20
  137. data/.github/ISSUE_TEMPLATE.md +0 -14
  138. data/.travis.yml +0 -27
  139. data/docs/install-on-dev-shop.png +0 -0
  140. data/docs/test-your-app.png +0 -0
  141. data/lib/generators/shopify_app/install/templates/shopify_app.rb +0 -15
  142. data/lib/generators/shopify_app/install/templates/shopify_provider.rb +0 -20
  143. data/lib/shopify_app/session/storage_strategies/shop_storage_strategy.rb +0 -23
  144. data/lib/shopify_app/session/storage_strategies/user_storage_strategy.rb +0 -24
  145. data/package-lock.json +0 -7224
@@ -0,0 +1,24 @@
1
+ # frozen_string_literal: true
2
+ module ShopifyApp
3
+ module PayloadVerification
4
+ extend ActiveSupport::Concern
5
+
6
+ private
7
+
8
+ def shopify_hmac
9
+ request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
10
+ end
11
+
12
+ def hmac_valid?(data)
13
+ secrets = [ShopifyApp.configuration.secret, ShopifyApp.configuration.old_secret].reject(&:blank?)
14
+
15
+ secrets.any? do |secret|
16
+ digest = OpenSSL::Digest.new('sha256')
17
+ ActiveSupport::SecurityUtils.secure_compare(
18
+ shopify_hmac,
19
+ Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, data))
20
+ )
21
+ end
22
+ end
23
+ end
24
+ end
@@ -1,6 +1,8 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  module WebhookVerification
3
4
  extend ActiveSupport::Concern
5
+ include ShopifyApp::PayloadVerification
4
6
 
5
7
  included do
6
8
  skip_before_action :verify_authenticity_token, raise: false
@@ -11,28 +13,11 @@ module ShopifyApp
11
13
 
12
14
  def verify_request
13
15
  data = request.raw_post
14
- return head :unauthorized unless hmac_valid?(data)
15
- end
16
-
17
- def hmac_valid?(data)
18
- secrets = [ShopifyApp.configuration.secret, ShopifyApp.configuration.old_secret].reject(&:blank?)
19
-
20
- secrets.any? do |secret|
21
- digest = OpenSSL::Digest.new('sha256')
22
-
23
- ActiveSupport::SecurityUtils.secure_compare(
24
- shopify_hmac,
25
- Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, data))
26
- )
27
- end
16
+ return head(:unauthorized) unless hmac_valid?(data)
28
17
  end
29
18
 
30
19
  def shop_domain
31
20
  request.headers['HTTP_X_SHOPIFY_SHOP_DOMAIN']
32
21
  end
33
-
34
- def shopify_hmac
35
- request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
36
- end
37
22
  end
38
23
  end
@@ -1,4 +1,15 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
3
+ module RedactJobParams
4
+ private
5
+
6
+ def args_info(job)
7
+ log_disabled_classes = %w(ShopifyApp::ScripttagsManagerJob ShopifyApp::WebhooksManagerJob)
8
+ return "" if log_disabled_classes.include?(job.class.name)
9
+ super
10
+ end
11
+ end
12
+
2
13
  class Engine < Rails::Engine
3
14
  engine_name 'shopify_app'
4
15
  isolate_namespace ShopifyApp
@@ -14,7 +25,22 @@ module ShopifyApp
14
25
  end
15
26
 
16
27
  initializer "shopify_app.middleware" do |app|
17
- app.config.middleware.insert_before(ActionDispatch::Cookies, ShopifyApp::SameSiteCookieMiddleware)
28
+ app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::SameSiteCookieMiddleware)
29
+
30
+ if ShopifyApp.configuration.allow_jwt_authentication
31
+ app.config.middleware.insert_after(ShopifyApp::SameSiteCookieMiddleware, ShopifyApp::JWTMiddleware)
32
+ end
33
+ end
34
+
35
+ initializer "shopify_app.redact_job_params" do
36
+ ActiveSupport.on_load(:active_job) do
37
+ if ActiveJob::Base.respond_to?(:log_arguments?)
38
+ WebhooksManagerJob.log_arguments = false
39
+ ScripttagsManagerJob.log_arguments = false
40
+ elsif ActiveJob::Logging::LogSubscriber.private_method_defined?(:args_info)
41
+ ActiveJob::Logging::LogSubscriber.prepend(RedactJobParams)
42
+ end
43
+ end
18
44
  end
19
45
  end
20
46
  end
@@ -1,6 +1,6 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  class ScripttagsManagerJob < ActiveJob::Base
3
-
4
4
  queue_as do
5
5
  ShopifyApp.configuration.scripttags_manager_queue_name
6
6
  end
@@ -1,6 +1,6 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  class WebhooksManagerJob < ActiveJob::Base
3
-
4
4
  queue_as do
5
5
  ShopifyApp.configuration.webhooks_manager_queue_name
6
6
  end
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  class ScripttagsManager
3
4
  class CreationFailed < StandardError; end
@@ -43,7 +44,7 @@ module ShopifyApp
43
44
  def destroy_scripttags
44
45
  scripttags = expanded_scripttags
45
46
  ShopifyAPI::ScriptTag.all.each do |tag|
46
- ShopifyAPI::ScriptTag.delete(tag.id) if is_required_scripttag?(scripttags, tag)
47
+ ShopifyAPI::ScriptTag.delete(tag.id) if required_scripttag?(scripttags, tag)
47
48
  end
48
49
 
49
50
  @current_scripttags = nil
@@ -55,8 +56,8 @@ module ShopifyApp
55
56
  self.class.build_src(required_scripttags, shop_domain)
56
57
  end
57
58
 
58
- def is_required_scripttag?(scripttags, tag)
59
- scripttags.map{ |w| w[:src] }.include? tag.src
59
+ def required_scripttag?(scripttags, tag)
60
+ scripttags.map { |w| w[:src] }.include?(tag.src)
60
61
  end
61
62
 
62
63
  def create_scripttag(attributes)
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  class WebhooksManager
3
4
  class CreationFailed < StandardError; end
@@ -31,7 +32,7 @@ module ShopifyApp
31
32
 
32
33
  def destroy_webhooks
33
34
  ShopifyAPI::Webhook.all.to_a.each do |webhook|
34
- ShopifyAPI::Webhook.delete(webhook.id) if is_required_webhook?(webhook)
35
+ ShopifyAPI::Webhook.delete(webhook.id) if required_webhook?(webhook)
35
36
  end
36
37
 
37
38
  @current_webhooks = nil
@@ -39,8 +40,8 @@ module ShopifyApp
39
40
 
40
41
  private
41
42
 
42
- def is_required_webhook?(webhook)
43
- required_webhooks.map{ |w| w[:address] }.include? webhook.address
43
+ def required_webhook?(webhook)
44
+ required_webhooks.map { |w| w[:address] }.include?(webhook.address)
44
45
  end
45
46
 
46
47
  def create_webhook(attributes)
@@ -0,0 +1,42 @@
1
+ # frozen_string_literal: true
2
+ module ShopifyApp
3
+ class JWTMiddleware
4
+ TOKEN_REGEX = /^Bearer\s+(.*?)$/
5
+
6
+ def initialize(app)
7
+ @app = app
8
+ end
9
+
10
+ def call(env)
11
+ return call_next(env) unless authorization_header(env)
12
+
13
+ token = extract_token(env)
14
+ return call_next(env) unless token
15
+
16
+ set_env_variables(token, env)
17
+ call_next(env)
18
+ end
19
+
20
+ private
21
+
22
+ def call_next(env)
23
+ @app.call(env)
24
+ end
25
+
26
+ def authorization_header(env)
27
+ env['HTTP_AUTHORIZATION']
28
+ end
29
+
30
+ def extract_token(env)
31
+ match = authorization_header(env).match(TOKEN_REGEX)
32
+ match && match[1]
33
+ end
34
+
35
+ def set_env_variables(token, env)
36
+ jwt = ShopifyApp::JWT.new(token)
37
+
38
+ env['jwt.shopify_domain'] = jwt.shopify_domain
39
+ env['jwt.shopify_user_id'] = jwt.shopify_user_id
40
+ end
41
+ end
42
+ end
@@ -1,60 +1,34 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  class SameSiteCookieMiddleware
4
+ COOKIE_SEPARATOR = "\n"
5
+
3
6
  def initialize(app)
4
7
  @app = app
5
8
  end
6
9
 
7
10
  def call(env)
8
- _status, headers, _body = @app.call(env)
9
- ensure
11
+ status, headers, body = @app.call(env)
10
12
  user_agent = env['HTTP_USER_AGENT']
11
13
 
12
- if headers && headers['Set-Cookie'] && !SameSiteCookieMiddleware.same_site_none_incompatible?(user_agent) &&
13
- ShopifyApp.configuration.enable_same_site_none
14
-
15
- cookies = headers['Set-Cookie'].split("\n").compact
16
-
17
- cookies.each do |cookie|
18
- unless cookie.include?("; SameSite")
19
- headers['Set-Cookie'] = headers['Set-Cookie'].gsub("#{cookie}", "#{cookie}; secure; SameSite=None")
14
+ if headers && headers['Set-Cookie'] &&
15
+ BrowserSniffer.new(user_agent).same_site_none_compatible? &&
16
+ ShopifyApp.configuration.enable_same_site_none &&
17
+ Rack::Request.new(env).ssl?
18
+
19
+ set_cookies = headers['Set-Cookie']
20
+ .split(COOKIE_SEPARATOR)
21
+ .compact
22
+ .map do |cookie|
23
+ cookie << '; Secure' unless cookie =~ /;\s*secure/i
24
+ cookie << '; SameSite=None' if ShopifyApp.configuration.embedded_app?
25
+ cookie
20
26
  end
21
- end
22
- end
23
- end
24
27
 
25
- def self.same_site_none_incompatible?(user_agent)
26
- sniffer = BrowserSniffer.new(user_agent)
27
-
28
- webkit_same_site_bug?(sniffer) || drops_unrecognized_same_site_cookies?(sniffer)
29
- rescue
30
- true
31
- end
32
-
33
- def self.webkit_same_site_bug?(sniffer)
34
- (sniffer.os == :ios && sniffer.os_version.match?(/^([0-9]|1[12])[\.\_]/)) ||
35
- (sniffer.os == :mac && sniffer.browser == :safari && sniffer.os_version.match?(/^10[\.\_]14/))
36
- end
37
-
38
- def self.drops_unrecognized_same_site_cookies?(sniffer)
39
- (chromium_based?(sniffer) && sniffer.major_browser_version >= 51 && sniffer.major_browser_version <= 66) ||
40
- (uc_browser?(sniffer) && !uc_browser_version_at_least?(sniffer: sniffer, major: 12, minor: 13, build: 2))
41
- end
42
-
43
- def self.chromium_based?(sniffer)
44
- sniffer.browser_name.downcase.match?(/chrom(e|ium)/)
45
- end
46
-
47
- def self.uc_browser?(sniffer)
48
- sniffer.user_agent.downcase.match?(/uc\s?browser/)
49
- end
50
-
51
- def self.uc_browser_version_at_least?(sniffer:, major:, minor:, build:)
52
- digits = sniffer.browser_version.split('.').map(&:to_i)
53
- return false unless digits.count >= 3
28
+ headers['Set-Cookie'] = set_cookies.join(COOKIE_SEPARATOR)
29
+ end
54
30
 
55
- return digits[0] > major if digits[0] != major
56
- return digits[1] > minor if digits[1] != minor
57
- digits[2] >= build
31
+ [status, headers, body]
58
32
  end
59
33
  end
60
34
  end
@@ -0,0 +1,64 @@
1
+ # frozen_string_literal: true
2
+
3
+ module ShopifyApp
4
+ class OmniAuthConfiguration
5
+ attr_reader :strategy, :request
6
+ attr_writer :client_options_site, :scopes, :per_user_permissions
7
+
8
+ def initialize(strategy, request)
9
+ @strategy = strategy
10
+ @request = request
11
+ end
12
+
13
+ def build_options
14
+ strategy.options[:client_options][:site] = client_options_site
15
+ strategy.options[:scope] = scopes
16
+ strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret
17
+ strategy.options[:per_user_permissions] = request_online_tokens?
18
+ end
19
+
20
+ private
21
+
22
+ def request_online_tokens?
23
+ return @per_user_permissions unless @per_user_permissions.nil?
24
+ default_request_online_tokens?
25
+ end
26
+
27
+ def scopes
28
+ @scopes || default_scopes
29
+ end
30
+
31
+ def client_options_site
32
+ @client_options_site || default_client_options_site
33
+ end
34
+
35
+ def default_scopes
36
+ if request_online_tokens?
37
+ ShopifyApp.configuration.user_access_scopes
38
+ else
39
+ ShopifyApp.configuration.shop_access_scopes
40
+ end
41
+ end
42
+
43
+ def default_client_options_site
44
+ return '' unless shop_domain.present?
45
+ "https://#{shopify_auth_params[:shop]}"
46
+ end
47
+
48
+ def default_request_online_tokens?
49
+ strategy.session[:user_tokens] && !update_shop_scopes?
50
+ end
51
+
52
+ def update_shop_scopes?
53
+ ShopifyApp.configuration.shop_access_scopes_strategy.update_access_scopes?(shop_domain)
54
+ end
55
+
56
+ def shop_domain
57
+ request.params['shop'] || (shopify_auth_params && shopify_auth_params['shop'])
58
+ end
59
+
60
+ def shopify_auth_params
61
+ strategy.session['shopify.omniauth_params']&.with_indifferent_access
62
+ end
63
+ end
64
+ end
@@ -1,4 +1,7 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
3
+ # rubocop:disable Style/ClassVars
4
+ # Class var repo is needed here in order to share data between the 2 child classes.
2
5
  class InMemorySessionStore
3
6
  class EnvironmentError < StandardError; end
4
7
 
@@ -6,7 +9,7 @@ module ShopifyApp
6
9
  repo[id]
7
10
  end
8
11
 
9
- def self.store(session, *args)
12
+ def self.store(session, *_args)
10
13
  id = SecureRandom.uuid
11
14
  repo[id] = session
12
15
  id
@@ -18,10 +21,11 @@ module ShopifyApp
18
21
 
19
22
  def self.repo
20
23
  if Rails.env.production?
21
- raise EnvironmentError.new("Cannot use InMemorySessionStore in a Production environment. \
22
- Please initialize ShopifyApp with a model that can store and retrieve sessions")
24
+ raise EnvironmentError, "Cannot use InMemorySessionStore in a Production environment. \
25
+ Please initialize ShopifyApp with a model that can store and retrieve sessions"
23
26
  end
24
27
  @@repo ||= {}
25
28
  end
26
29
  end
30
+ # rubocop:enable Style/ClassVars
27
31
  end
@@ -0,0 +1,16 @@
1
+ # frozen_string_literal: true
2
+ module ShopifyApp
3
+ class InMemoryShopSessionStore < InMemorySessionStore
4
+ class << self
5
+ def store(session, *args)
6
+ id = super
7
+ repo[session.domain] = session
8
+ id
9
+ end
10
+
11
+ def retrieve_by_shopify_domain(shopify_domain)
12
+ repo[shopify_domain]
13
+ end
14
+ end
15
+ end
16
+ end
@@ -0,0 +1,16 @@
1
+ # frozen_string_literal: true
2
+ module ShopifyApp
3
+ class InMemoryUserSessionStore < InMemorySessionStore
4
+ class << self
5
+ def store(session, user)
6
+ id = super
7
+ repo[user.shopify_user_id] = session
8
+ id
9
+ end
10
+
11
+ def retrieve_by_shopify_user_id(user_id)
12
+ repo[user_id]
13
+ end
14
+ end
15
+ end
16
+ end
@@ -0,0 +1,63 @@
1
+ # frozen_string_literal: true
2
+ module ShopifyApp
3
+ class JWT
4
+ class InvalidDestinationError < StandardError; end
5
+
6
+ class MismatchedHostsError < StandardError; end
7
+
8
+ class InvalidAudienceError < StandardError; end
9
+
10
+ WARN_EXCEPTIONS = [
11
+ ::JWT::DecodeError,
12
+ ::JWT::ExpiredSignature,
13
+ ::JWT::ImmatureSignature,
14
+ ::JWT::VerificationError,
15
+ InvalidAudienceError,
16
+ InvalidDestinationError,
17
+ MismatchedHostsError,
18
+ ]
19
+
20
+ def initialize(token)
21
+ @token = token
22
+ set_payload
23
+ end
24
+
25
+ def shopify_domain
26
+ @payload && ShopifyApp::Utils.sanitize_shop_domain(@payload['dest'])
27
+ end
28
+
29
+ def shopify_user_id
30
+ @payload['sub'].to_i if @payload && @payload['sub']
31
+ end
32
+
33
+ private
34
+
35
+ def set_payload
36
+ payload, _ = parse_token_data(ShopifyApp.configuration&.secret, ShopifyApp.configuration&.old_secret)
37
+ @payload = validate_payload(payload)
38
+ rescue *WARN_EXCEPTIONS => error
39
+ Rails.logger.warn("[ShopifyApp::JWT] Failed to validate JWT: [#{error.class}] #{error}")
40
+ nil
41
+ end
42
+
43
+ def parse_token_data(secret, old_secret)
44
+ ::JWT.decode(@token, secret, true, { algorithm: 'HS256' })
45
+ rescue ::JWT::VerificationError
46
+ raise unless old_secret
47
+
48
+ ::JWT.decode(@token, old_secret, true, { algorithm: 'HS256' })
49
+ end
50
+
51
+ def validate_payload(payload)
52
+ dest_host = ShopifyApp::Utils.sanitize_shop_domain(payload['dest'])
53
+ iss_host = ShopifyApp::Utils.sanitize_shop_domain(payload['iss'])
54
+ api_key = ShopifyApp.configuration.api_key
55
+
56
+ raise InvalidAudienceError, "'aud' claim does not match api_key" unless payload['aud'] == api_key
57
+ raise InvalidDestinationError, "'dest' claim host not a valid shopify host" unless dest_host
58
+ raise MismatchedHostsError, "'dest' claim host does not match 'iss' claim host" unless dest_host == iss_host
59
+
60
+ payload
61
+ end
62
+ end
63
+ end