shopify_app 12.0.0 → 17.2.0

data/app/controllers/shopify_app/extension_verification_controller.rb

@@ -2,19 +2,14 @@
 
 module ShopifyApp
   class ExtensionVerificationController < ActionController::Base
+    include ShopifyApp::PayloadVerification
     protect_from_forgery with: :null_session
     before_action :verify_request
 
     private
 
     def verify_request
-      hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
-      request_body = request.body.read
-      secret = ShopifyApp.configuration.secret
-      digest = OpenSSL::Digest.new('sha256')
-
-      expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
-      head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
+      head(:unauthorized) unless hmac_valid?(request.body.read)
     end
   end
 end

data/app/controllers/shopify_app/sessions_controller.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
 module ShopifyApp
-  class SessionsController < ActionController::Base # rubocop:disable Metrics/ClassLength
+  class SessionsController < ActionController::Base
     include ShopifyApp::LoginProtection
 
     layout false, only: :new
+
     after_action only: [:new, :create] do |controller|
       controller.response.headers.except!('X-Frame-Options')
     end
@@ -16,30 +18,35 @@ module ShopifyApp
     end
 
     def enable_cookies
-      return unless validate_shop
+      return unless validate_shop_presence
 
       render(:enable_cookies, layout: false, locals: {
         does_not_have_storage_access_url: top_level_interaction_path(
-          shop: sanitized_shop_name
+          shop: sanitized_shop_name,
+          return_to: params[:return_to]
         ),
         has_storage_access_url: login_url_with_optional_shop(top_level: true),
-        app_home_url: granted_storage_access_path(shop: sanitized_shop_name),
+        app_target_url: granted_storage_access_path(
+          shop: sanitized_shop_name,
+          return_to: params[:return_to]
+        ),
         current_shopify_domain: current_shopify_domain,
       })
     end
 
     def top_level_interaction
       @url = login_url_with_optional_shop(top_level: true)
-      validate_shop
+      validate_shop_presence
     end
 
     def granted_storage_access
-      return unless validate_shop
+      return unless validate_shop_presence
 
       session['shopify.granted_storage_access'] = true
 
-      params = { shop: @shop }
-      redirect_to("#{return_address}?#{params.to_query}")
+      copy_return_to_param_to_session
+
+      redirect_to(return_address_with_params({ shop: @shop }))
     end
 
     def destroy
@@ -54,7 +61,9 @@ module ShopifyApp
       return render_invalid_shop_error unless sanitized_shop_name.present?
       session['shopify.omniauth_params'] = { shop: sanitized_shop_name }
 
-      session[:return_to] = params[:return_to] if params[:return_to]
+      copy_return_to_param_to_session
+
+      set_user_tokens_option
 
       if user_agent_can_partition_cookies
         authenticate_with_partitioning
@@ -83,7 +92,38 @@ module ShopifyApp
       end
     end
 
-    def validate_shop
+    # Override shop_session_by_cookie from LoginProtection to bypass allow_cookie_authentication
+    # setting check because session cookies are justified at top level
+    def shop_session_by_cookie
+      return unless session[:shop_id].present?
+      ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
+    end
+
+    # rubocop:disable Lint/SuppressedException
+    def set_user_tokens_option
+      current_shop_session = shop_session
+
+      if current_shop_session.blank?
+        session[:user_tokens] = false
+        return
+      end
+
+      session[:user_tokens] = ShopifyApp::SessionRepository.user_storage.present?
+
+      ShopifyAPI::Session.temp(
+        domain: current_shop_session.domain,
+        token: current_shop_session.token,
+        api_version: current_shop_session.api_version
+      ) do
+        ShopifyAPI::Metafield.find(:token_validity_bogus_check)
+      end
+    rescue ActiveResource::UnauthorizedAccess
+      session[:user_tokens] = false
+    rescue StandardError
+    end
+    # rubocop:enable Lint/SuppressedException
+
+    def validate_shop_presence
       @shop = sanitized_shop_name
       unless @shop
         render_invalid_shop_error
@@ -93,9 +133,13 @@ module ShopifyApp
       true
     end
 
+    def copy_return_to_param_to_session
+      session[:return_to] = RedirectSafely.make_safe(params[:return_to], '/') if params[:return_to]
+    end
+
     def render_invalid_shop_error
       flash[:error] = I18n.t('invalid_shop_url')
-      redirect_to return_address
+      redirect_to(return_address)
     end
 
     def enable_cookie_access
@@ -106,7 +150,7 @@ module ShopifyApp
     end
 
     def authenticate_in_context
-      redirect_to "#{main_app.root_path}auth/shopify"
+      redirect_to("#{main_app.root_path}auth/shopify")
     end
 
     def authenticate_at_top_level
@@ -133,10 +177,14 @@ module ShopifyApp
         layout: false,
         locals: {
           does_not_have_storage_access_url: top_level_interaction_path(
-            shop: sanitized_shop_name
+            shop: sanitized_shop_name,
+            return_to: session[:return_to]
           ),
           has_storage_access_url: login_url_with_optional_shop(top_level: true),
-          app_home_url: granted_storage_access_path(shop: sanitized_shop_name),
+          app_target_url: granted_storage_access_path(
+            shop: sanitized_shop_name,
+            return_to: session[:return_to]
+          ),
           current_shopify_domain: current_shopify_domain,
         }
       )

data/app/controllers/shopify_app/webhooks_controller.rb

@@ -1,14 +1,15 @@
+# frozen_string_literal: true
 module ShopifyApp
+  class MissingWebhookJobError < StandardError; end
+
   class WebhooksController < ActionController::Base
     include ShopifyApp::WebhookVerification
 
-    class ShopifyApp::MissingWebhookJobError < StandardError; end
-
     def receive
       params.permit!
-      job_args = {shop_domain: shop_domain, webhook: webhook_params.to_h}
+      job_args = { shop_domain: shop_domain, webhook: webhook_params.to_h }
       webhook_job_klass.perform_later(job_args)
-      head :no_content
+      head(:ok)
     end
 
     private
@@ -18,7 +19,7 @@ module ShopifyApp
     end
 
     def webhook_job_klass
-      webhook_job_klass_name.safe_constantize or raise ShopifyApp::MissingWebhookJobError
+      webhook_job_klass_name.safe_constantize || raise(ShopifyApp::MissingWebhookJobError)
     end
 
     def webhook_job_klass_name(type = webhook_type)

data/app/views/shopify_app/partials/_button_styles.html.erb

@@ -1,6 +1,5 @@
 <style>
   .Polaris-Button {
-    fill:#637381;
     position:relative;
     display:-webkit-inline-box;
     display:-ms-inline-flexbox;
@@ -15,12 +14,14 @@
     min-width:3.6rem;
     margin:0;
     padding:0.7rem 1.6rem;
-    background:linear-gradient(to bottom, white, #f9fafb);
-    border:1px solid #c4cdd5;
-    box-shadow:0 1px 0 0 rgba(22, 29, 37, 0.05);
-    border-radius:3px;
+    background-color:#ffffff;
+    border:1px solid #babfc3;
+    border-top-color: #c9cccf;
+    border-bottom-color: #babfc4;
+    box-shadow:0 1px 0 0 rgba(0, 0, 0, 0.05);
+    border-radius:4px;
     line-height:1;
-    color:#212b36;
+    color:#202223;
     text-align:center;
     cursor:pointer;
     -webkit-user-select:none;
@@ -29,30 +30,44 @@
     user-select:none;
     text-decoration:none;
     transition-property:background, border, box-shadow;
-    transition-duration:200ms;
+    transition-duration:100ms;
     transition-timing-function:cubic-bezier(0.64, 0, 0.35, 1);
   }
 
   .Polaris-Button:hover {
-    background:linear-gradient(to bottom, #f9fafb, #f4f6f8);
-    border-color:#c4cdd5;
+    background-color:#f6f6f7;
   }
 
   .Polaris-Button:focus {
-    border-color:#5c6ac4;
     outline:0;
-    box-shadow:0 0 0 1px #5c6ac4;
+  }
+
+  .Polaris-Button:focus:after {
+    box-shadow:0 0 0 .2rem #448fff;
+  }
+
+  .Polaris-Button:after {
+    content:'';
+    position:absolute;
+    z-index:1;
+    top:-.2rem;
+    right:-.2rem;
+    bottom:-.2rem;
+    left:-.2rem;
+    display:block;
+    pointer-events:none;
+    box-shadow:0 0 0 -.2rem #448fff;
+    transition:box-shadow 100ms cubic-bezier(0.64, 0, 0.35, 1);
+    border-radius:5px;
   }
 
   .Polaris-Button:active {
-    background:linear-gradient(to bottom, #f4f6f8, #f4f6f8);
-    border-color:#c4cdd5;
-    box-shadow:0 0 0 0 transparent, inset 0 1px 1px 0 rgba(99, 115, 129, 0.1), inset 0 1px 4px 0 rgba(99, 115, 129, 0.2);
+    background-color:#f1f2f3);
   }
 
   .Polaris-Button__Content {
-    font-size:1.5rem;
-    font-weight:400;
+    font-size:1.4rem;
+    font-weight:500;
     line-height:1.6rem;
     text-transform:initial;
     letter-spacing:initial;
@@ -70,35 +85,25 @@
     min-height:1px;
   }
 
-  @media (min-width: 40em) {
-    .Polaris-Button__Content {
-      font-size:1.4rem;
-    }
-  }
-
   .Polaris-Button--primary {
-    background:linear-gradient(to bottom, #6371c7, #5563c1);
-    border-color:#3f4eae;
-    box-shadow:inset 0 1px 0 0 #6774c8, 0 1px 0 0 rgba(22, 29, 37, 0.05), 0 0 0 0 transparent;
+    background-color:#008060;
+    border-color:transparent;
+    border-width:0;
     color:white;
-    fill:white;
   }
 
   .Polaris-Button--primary:hover {
-    background:linear-gradient(to bottom, #5c6ac4, #4959bd);
-    border-color:#3f4eae;
+    background-color:#006e52;
+    border-color:transparent;
     color:white;
-    text-decoration:none;
   }
 
-  .Polaris-Button--primary:focus {
-    border-color:#202e78;
-    box-shadow:inset 0 1px 0 0 #6f7bcb, 0 1px 0 0 rgba(22, 29, 37, 0.05), 0 0 0 1px #202e78;
+  .Polaris-Button--primary:active {
+    background-color:#005e46;
+    border-color:transparent;
   }
 
-  .Polaris-Button--primary:active {
-    background:linear-gradient(to bottom, #3f4eae, #3f4eae);
-    border-color:#38469b;
-    box-shadow:inset 0 0 0 0 transparent, 0 1px 0 0 rgba(22, 29, 37, 0.05), 0 0 1px 0 #38469b;
+  .Polaris-Button--sizeLarge {
+    padding:1.1rem 2.4rem;
   }
 </style>

data/app/views/shopify_app/partials/_card_styles.html.erb

@@ -11,7 +11,7 @@
 
   @media (min-width: 30.625em) {
     .Polaris-Card {
-      border-radius:3px;
+      border-radius:8px;
     }
   }
 
@@ -24,10 +24,10 @@
   }
 
   .Polaris-Card__Section + .Polaris-Card__Section {
-    border-top:1px solid #dfe3e8;
+    border-top:.1rem solid #e4e5e7;
   }
 
   .Polaris-Card__Section--subdued {
-    background-color:#f9fafb;
+    background-color:#fafbfb;
   }
 </style>

data/app/views/shopify_app/partials/_empty_state_styles.html.erb

@@ -11,8 +11,8 @@
     -ms-flex-align:center;
     align-items:center;
     width:100%;
-    margin:2rem auto 0 auto;
-    padding:2rem 0;
+    margin:0 auto;
+    padding:2rem 0 6rem;
     max-width:99.8rem;
   }
 
@@ -24,33 +24,22 @@
   }
 
   .Polaris-EmptyState__Section {
-    position:relative;
     display:-webkit-box;
     display:-ms-flexbox;
     display:flex;
     -webkit-box-orient:vertical;
-    -webkit-box-direction:normal;
-    -ms-flex-direction:column;
-    flex-direction:column;
+    -webkit-box-direction:reverse;
+    -ms-flex-direction:column-reverse;
+    flex-direction:column-reverse;
     -webkit-box-flex:1;
     -ms-flex:1 1 auto;
     flex:1 1 auto;
+    -webkit-box-align:center;
+    -ms-flex-align:center;
+    align-items:center;
     width:100%;
   }
 
-  @media (min-width: 46.5em) {
-    .Polaris-EmptyState__Section {
-      left:2rem;
-      -webkit-box-orient:horizontal;
-      -webkit-box-direction:normal;
-      -ms-flex-direction:row;
-      flex-direction:row;
-      -webkit-box-align:center;
-      -ms-flex-align:center;
-      align-items:center;
-    }
-  }
-
   .Polaris-EmptyState__ImageContainer,
   .Polaris-EmptyState__DetailsContainer {
     -webkit-box-flex:1;
@@ -58,6 +47,7 @@
     flex:1 1 auto;
     padding:0;
     margin:0; 
+    text-align:center;
   }
 
   @media (min-width: 46.5em) {
@@ -68,37 +58,32 @@
     }
   }
 
-  @media (max-width: 30.625em) {
-    .Polaris-EmptyState__ImageContainer,
-    .Polaris-EmptyState__DetailsContainer {
-      overflow-x:hidden;
-    }
-  }
-
   .Polaris-EmptyState__Details {
-    position:relative;
-    z-index:10;
-    padding:0 1.6rem;
-    width:33.6rem;
-  }
-
-  @media (min-width: 30.625em) {
-    .Polaris-EmptyState__Details {
-      padding:0;
-    }
+    max-width:40rem;
+    display:-webkit-box;
+    display:-ms-flexbox;
+    display: flex;
+    -webkit-box-orient:vertical;
+    -webkit-box-direction:normal;
+    -ms-flex-direction:column;
+    flex-direction: column;
+    -webkit-box-align:center;
+    -ms-flex-align:center;
+    align-items: center;
   }
 
   .Polaris-EmptyState__Content {
-    font-size:1.6rem;
+    margin-top: 1.6rem;
+    font-size:1.5rem;
     font-weight:400;
-    line-height:2.4rem;
-    color:#637381;
+    line-height:2rem;
+    color:#6d7175;
+    padding-bottom: .8rem;
   }
 
   @media (min-width: 40em) {
     .Polaris-EmptyState__Content {
-      font-size:2rem;
-      line-height:2.8rem;
+      font-size:1.4rem;
     }
   }
 
@@ -107,23 +92,7 @@
   }
 
   .Polaris-EmptyState__Image {
-    display: none;
-  }
-
-  @media (min-width: 30.625em) {
-    .Polaris-EmptyState__Image {
-      display: block;
-      margin-left:-60%;
-      margin-top:-30%;
-      width:200%;
-    }
-  }
-
-  @media (min-width: 46.5em) {
-    .Polaris-EmptyState__Image {
-      margin-top:0;
-      margin-left:-90%;
-      width:200%;
-    } 
+    margin: 0;
+    width: auto;
   }
 </style>