shopify_app 12.0.2 → 12.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dd21d52fbb932f0fef8522975adfb22431ff103d7fa14e4591e0eb24bafeeaec
-  data.tar.gz: da650fd1de45574447c28dca6803adf49063e0c879a0eab7d71b2823d3d1f15c
+  metadata.gz: c5acb9f9fb1606515013edfda25f981c36cf5ab4323572764ba9715018056532
+  data.tar.gz: e5499e7186fa12f37e01f975d7b67ed6a846d67679b580846a7191b53d81b3d3
 SHA512:
-  metadata.gz: 04f13911597abebbc3e32bc72ac42f9cfe01e2370515935bac076ce9517a44767af1f6185260cbeaae6a5eb2f76f48eb19ff9f013d41504d144ba8b23fb7ca6a
-  data.tar.gz: 3474caf61956e3bd8c3b4ae37fb326403493e3391805b85f3962aa753e080b0dfc3c3f82173991b099b804784123d5bf6d108e99ab4f1795c16f4f4cdd1ba862
+  metadata.gz: c9e736b65bf5091c6ebdca30073653dde86abc131cd77747f872c0d42972bc35abdd406301e5a5eb0dd4f9273c66264c75b28e119d05d203e440038bb19250d3
+  data.tar.gz: 264ed359e7e07cf7b0947cbafad738cabf220e470872c663f18c2507c17c7d994316af275f1d28820d5624df03fabadf6f213475fb793b4fd024de514b636cf0

data/CHANGELOG.md

@@ -1,3 +1,24 @@
+12.0.7
+------
+* Remove check for API_KEY in config that was throwing errors during install #919
+
+12.0.6
+------
+* Adds changelog information and README updates for 8.4.0 #916
+
+12.0.5
+------
+* Updating shopify_api gem to 9.0.1
+
+12.0.4
+------
+* Reverts reverted PR (#895) #897
+
+12.0.3
+------
+* Moves samesite middleware higher in the stack #898
+* Fix issue where not redirecting user to granted storage page casues infinite loop #900
+
 12.0.2
 ------
 * Reverts "Fix for return_to in safari after enable_cookies/granted_storage_access" introduced in 12.0.1
@@ -178,6 +199,7 @@ Added support for rotating Shopify access tokens:
 8.4.0
 ----
 * Fix embedded app session management in Safari 12.1
+  * Note that with this change we have extracted the callback action in its own controller. If you are relying on it, see the README for more details: https://github.com/Shopify/shopify_app#callback
 * Shop names passed to OAuth are no longer case sensitive
 
 8.3.2

data/README.md

@@ -91,7 +91,9 @@ SHOPIFY_API_KEY=your api key
 SHOPIFY_API_SECRET=your api secret
 ```
 
-These values can be found on the "App Setup" page in the [Shopify Partners Dashboard][dashboard]. If you are checking your code into a code repository, ensure your `.gitignore` prevents your `.env` file from being checked into any publicly accessible code. 
+These values can be found on the "App Setup" page in the [Shopify Partners Dashboard][dashboard]. If you are checking your code into a code repository, ensure your `.gitignore` prevents your `.env` file from being checked into any publicly accessible code.
+
+**You will need to load the ENV variables into your enviroment, you can do this with the [dot-env](https://github.com/bkeepers/dotenv) gem or any other method you wish to.**
 
 ### Install Generator
 
@@ -211,6 +213,17 @@ end
 Authentication
 --------------
 
+### Callback
+
+Upon completing the authentication flow Shopify calls the app at the `callback_path` mentioned before. If the app needs to do some extra work it can define and configure the route to a custom callback controller, inheriting from `ShopifyApp::CallbackController` and hook into or override any of the defined helper methods. The default callback controller already provides the following behaviour:
+* Logging into the shop and resetting the session
+* [Installing Webhooks](https://github.com/Shopify/shopify_app#webhooksmanager)
+* [Setting Scripttags](https://github.com/Shopify/shopify_app#scripttagsmanager)
+* [Performing the AfterAuthenticate Job](https://github.com/Shopify/shopify_app#afterauthenticatejob)
+* Redirecting to the return address
+
+**Note that starting with version 8.4.0, we have extracted the callback logic in its own controller. If you are upgrading from a version older than 8.4.0 the callback action and related helper methods were defined in `ShopifyApp::SessionsController` ==> you will have to extend `ShopifyApp::CallbackController` instead and port your logic to the new controller.**
+
 ### ShopifyApp::SessionRepository
 
 `ShopifyApp::SessionRepository` allows you as a developer to define how your sessions are stored and retrieved for shops. The `SessionRepository` is configured in the `config/initializers/shopify_app.rb` file and can be set to any object that implements `self.store(auth_session, *args)` which stores the session and returns a unique identifier and `self.retrieve(id)` which returns a `ShopifyAPI::Session` for the passed id. These methods are already implemented as part of the `ShopifyApp::SessionStorage` concern, but can be overridden for custom implementation.
@@ -287,6 +300,14 @@ bin/rails g shopify_app:add_after_authenticate_job
 
 If you want to perform that action only once, e.g. send a welcome email to the user when they install the app, you should make sure that this action is idempotent, meaning that it won't have an impact if run multiple times.
 
+API Versioning
+--------------
+
+Shopify's API is versioned, and you can [read about that process in the Shopify Developers documentation page](https://shopify.dev/concepts/about-apis/versioning).
+
+Since shopify_app gem version 1.11.0, the included shopify_api gem has also been updated to allow you to easily set and switch what version of the Shopify API you want your app or service to use, as well as surface warnings to Rails apps about [deprecated endpoints, GraphQL fields and more](https://shopify.dev/concepts/about-apis/versioning#deprecation-practices).
+
+See the [shopify_api gem README](https://github.com/Shopify/shopify_api/) for more details.
 
 WebhooksManager
 ---------------
@@ -463,6 +484,7 @@ Questions or problems?
 
 - [Ask questions!](https://ecommerce.shopify.com/c/shopify-apis-and-technology)
 - [Read the docs!](https://help.shopify.com/api/guides)
+- And don't forget to check the [Changelog](https://github.com/Shopify/shopify_app/blob/master/CHANGELOG.md) too!
 
 Upgrading to 11.7.0
 ---------------------------

data/app/assets/javascripts/shopify_app/storage_access.js

@@ -28,8 +28,8 @@
     window.parent.location.href = this.redirectData.myshopifyUrl + '/admin/apps';
   }
 
-  StorageAccessHelper.prototype.redirectToAppHome = function() {
-    window.location.href = this.redirectData.appHomeUrl;
+  StorageAccessHelper.prototype.redirectToAppTargetUrl = function() {
+    window.location.href = this.redirectData.appTargetUrl;
   }
 
   StorageAccessHelper.prototype.sameSiteNoneIncompatible = function(ua) {
@@ -68,7 +68,7 @@
       if (!document.cookie) {
         throw 'Cannot set third-party cookie.'
       }
-      this.redirectToAppHome();
+      this.redirectToAppTargetUrl();
     } catch (error) {
       console.warn('Third party cookies may be blocked.', error);
       this.redirectToAppTLD(ACCESS_DENIED_STATUS);
@@ -90,7 +90,7 @@
   StorageAccessHelper.prototype.handleHasStorageAccess = function() {
     if (sessionStorage.getItem('shopify.granted_storage_access')) {
       // If app was classified by ITP and used Storage Access API to acquire access
-      this.redirectToAppHome();
+      this.redirectToAppTargetUrl();
     } else {
       // If app has not been classified by ITP and still has storage access
       this.redirectToAppTLD(ACCESS_GRANTED_STATUS);

data/app/controllers/shopify_app/sessions_controller.rb

@@ -20,11 +20,15 @@ module ShopifyApp
 
       render(:enable_cookies, layout: false, locals: {
         does_not_have_storage_access_url: top_level_interaction_path(
-          shop: sanitized_shop_name
+          shop: sanitized_shop_name,
+          return_to: params[:return_to]
         ),
         has_storage_access_url: login_url_with_optional_shop(top_level: true),
-        app_home_url: granted_storage_access_path(shop: sanitized_shop_name),
-        current_shopify_domain: current_shopify_domain,
+        app_target_url: granted_storage_access_path(
+          shop: sanitized_shop_name,
+          return_to: params[:return_to]
+        ),
+        current_shopify_domain: current_shopify_domain
       })
     end
 
@@ -38,8 +42,9 @@ module ShopifyApp
 
       session['shopify.granted_storage_access'] = true
 
-      params = { shop: @shop }
-      redirect_to("#{return_address}?#{params.to_query}")
+      copy_return_to_param_to_session
+
+      redirect_to(return_address_with_params({ shop: @shop }))
     end
 
     def destroy
@@ -54,7 +59,7 @@ module ShopifyApp
       return render_invalid_shop_error unless sanitized_shop_name.present?
       session['shopify.omniauth_params'] = { shop: sanitized_shop_name }
 
-      session[:return_to] = params[:return_to] if params[:return_to]
+      copy_return_to_param_to_session
 
       if user_agent_can_partition_cookies
         authenticate_with_partitioning
@@ -93,6 +98,10 @@ module ShopifyApp
       true
     end
 
+    def copy_return_to_param_to_session
+      session[:return_to] = params[:return_to] if params[:return_to]
+    end
+
     def render_invalid_shop_error
       flash[:error] = I18n.t('invalid_shop_url')
       redirect_to return_address
@@ -133,11 +142,15 @@ module ShopifyApp
         layout: false,
         locals: {
           does_not_have_storage_access_url: top_level_interaction_path(
-            shop: sanitized_shop_name
+            shop: sanitized_shop_name,
+            return_to: session[:return_to]
           ),
           has_storage_access_url: login_url_with_optional_shop(top_level: true),
-          app_home_url: granted_storage_access_path(shop: sanitized_shop_name),
-          current_shopify_domain: current_shopify_domain,
+          app_target_url: granted_storage_access_path(
+            shop: sanitized_shop_name,
+            return_to: session[:return_to]
+          ),
+          current_shopify_domain: current_shopify_domain
         }
       )
     end

data/app/views/shopify_app/sessions/enable_cookies.html.erb

@@ -32,7 +32,7 @@
           myshopifyUrl: "https://#{current_shopify_domain}",
           hasStorageAccessUrl: "#{has_storage_access_url}",
           doesNotHaveStorageAccessUrl: "#{does_not_have_storage_access_url}",
-          appHomeUrl: "#{app_home_url}"
+          appTargetUrl: "#{app_target_url}"
         },
       },
     )

data/app/views/shopify_app/sessions/request_storage_access.html.erb

@@ -24,7 +24,7 @@
                       myshopifyUrl: "https://#{current_shopify_domain}",
                       hasStorageAccessUrl: "#{has_storage_access_url}",
                       doesNotHaveStorageAccessUrl: "#{does_not_have_storage_access_url}",
-                      appHomeUrl: "#{app_home_url}"
+                      appTargetUrl: "#{app_target_url}"
                   },
               },
               )

data/lib/shopify_app/configuration.rb

@@ -5,7 +5,7 @@ module ShopifyApp
     # for the app in your Shopify Partners page. Change your settings in
     # `config/initializers/shopify_app.rb`
     attr_accessor :application_name
-    attr_accessor :api_key
+    attr_accessor  :api_key
     attr_accessor :secret
     attr_accessor :old_secret
     attr_accessor :scope

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -100,8 +100,10 @@ module ShopifyApp
       query_params = {}
       query_params[:shop] = sanitized_params[:shop] if params[:shop].present?
 
-      if session[:return_to] && return_to_param_required?
-        query_params[:return_to] = session[:return_to]
+      return_to = session[:return_to] || params[:return_to]
+
+      if return_to.present? && return_to_param_required?
+        query_params[:return_to] = return_to
       end
 
       has_referer_shop_name = referer_sanitized_shop_name.present?
@@ -165,5 +167,15 @@ module ShopifyApp
     def return_address
       session.delete(:return_to) || ShopifyApp.configuration.root_url
     end
+
+    def return_address_with_params(params)
+      uri = URI(return_address)
+      uri.query = CGI.parse(uri.query.to_s)
+        .symbolize_keys
+        .transform_values { |v| v.one? ? v.first : v }
+        .merge(params)
+        .to_query
+      uri.to_s
+    end
   end
 end

data/lib/shopify_app/engine.rb

@@ -14,7 +14,7 @@ module ShopifyApp
     end
 
     initializer "shopify_app.middleware" do |app|
-      app.config.middleware.insert_before(ActionDispatch::Cookies, ShopifyApp::SameSiteCookieMiddleware)
+      app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::SameSiteCookieMiddleware)
     end
   end
 end

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb

@@ -1,60 +1,33 @@
 module ShopifyApp
   class SameSiteCookieMiddleware
+    COOKIE_SEPARATOR = "\n"
+
     def initialize(app)
       @app = app
     end
 
     def call(env)
-      _status, headers, _body = @app.call(env)
-    ensure
+      status, headers, body = @app.call(env)
       user_agent = env['HTTP_USER_AGENT']
 
-      if headers && headers['Set-Cookie'] && !SameSiteCookieMiddleware.same_site_none_incompatible?(user_agent) &&
-          ShopifyApp.configuration.enable_same_site_none
-
-        cookies = headers['Set-Cookie'].split("\n").compact
-
-        cookies.each do |cookie|
-          unless cookie.include?("; SameSite")
-            headers['Set-Cookie'] = headers['Set-Cookie'].gsub(cookie, "#{cookie}; secure; SameSite=None")
+      if headers && headers['Set-Cookie'] &&
+          BrowserSniffer.new(user_agent).same_site_none_compatible? &&
+          ShopifyApp.configuration.enable_same_site_none &&
+          Rack::Request.new(env).ssl?
+
+        set_cookies = headers['Set-Cookie']
+          .split(COOKIE_SEPARATOR)
+          .compact
+          .map do |cookie|
+            cookie << '; Secure' if not cookie =~ /;\s*secure/i
+            cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
+            cookie
           end
-        end
-      end
-    end
 
-    def self.same_site_none_incompatible?(user_agent)
-      sniffer = BrowserSniffer.new(user_agent)
-
-      webkit_same_site_bug?(sniffer) || drops_unrecognized_same_site_cookies?(sniffer)
-    rescue
-      true
-    end
-
-    def self.webkit_same_site_bug?(sniffer)
-      (sniffer.os == :ios && sniffer.os_version.match(/^([0-9]|1[12])[\.\_]/)) ||
-        (sniffer.os == :mac && sniffer.browser == :safari && sniffer.os_version.match(/^10[\.\_]14/))
-    end
-
-    def self.drops_unrecognized_same_site_cookies?(sniffer)
-      (chromium_based?(sniffer) && sniffer.major_browser_version >= 51 && sniffer.major_browser_version <= 66) ||
-        (uc_browser?(sniffer) && !uc_browser_version_at_least?(sniffer: sniffer, major: 12, minor: 13, build: 2))
-    end
-
-    def self.chromium_based?(sniffer)
-      sniffer.browser_name.downcase.match(/chrom(e|ium)/)
-    end
-
-    def self.uc_browser?(sniffer)
-      sniffer.user_agent.downcase.match(/uc\s?browser/)
-    end
-
-    def self.uc_browser_version_at_least?(sniffer:, major:, minor:, build:)
-      digits = sniffer.browser_version.split('.').map(&:to_i)
-      return false unless digits.count >= 3
+        headers['Set-Cookie'] = set_cookies.join(COOKIE_SEPARATOR)
+      end
 
-      return digits[0] > major if digits[0] != major
-      return digits[1] > minor if digits[1] != minor
-      digits[2] >= build
+      [status, headers, body]
     end
   end
 end

data/lib/shopify_app/version.rb

@@ -1,3 +1,3 @@
 module ShopifyApp
-  VERSION = '12.0.2'.freeze
+  VERSION = '12.0.7'.freeze
 end

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "12.0.2",
+  "version": "12.0.5",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

data/shopify_app.gemspec

@@ -10,9 +10,9 @@ Gem::Specification.new do |s|
 
   s.required_ruby_version = ">= 2.3.1"
 
-  s.add_runtime_dependency('browser_sniffer', '~> 1.1.3')
+  s.add_runtime_dependency('browser_sniffer', '~> 1.2.0')
   s.add_runtime_dependency('rails', '> 5.2.1')
-  s.add_runtime_dependency('shopify_api', '~> 9.0')
+  s.add_runtime_dependency('shopify_api', '~> 9.0.1')
   s.add_runtime_dependency('omniauth-shopify-oauth2', '~> 2.2.0')
 
   s.add_development_dependency('rake')
@@ -29,4 +29,4 @@ Gem::Specification.new do |s|
   s.files         = `git ls-files`.split("\n").reject { |f| f.match(%r{^(test|example)/}) }
   s.test_files    = `git ls-files -- {test}/*`.split("\n")
   s.require_paths = ["lib"]
-end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 12.0.2
+  version: 12.0.7
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-11 00:00:00.000000000 Z
+date: 2020-03-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: browser_sniffer
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.3
+        version: 1.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.3
+        version: 1.2.0
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '9.0'
+        version: 9.0.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '9.0'
+        version: 9.0.1
 - !ruby/object:Gem::Dependency
   name: omniauth-shopify-oauth2
   requirement: !ruby/object:Gem::Requirement