shopify_app 12.0.4 → 13.0.1

data/lib/generators/shopify_app/user_model/templates/user.rb

@@ -1,5 +1,6 @@
+# frozen_string_literal: true
 class User < ActiveRecord::Base
-  include ShopifyApp::SessionStorage
+  include ShopifyApp::UserSessionStorage
 
   def api_version
     ShopifyApp.configuration.api_version

data/lib/generators/shopify_app/user_model/user_model_generator.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'rails/generators/base'
 require 'rails/generators/active_record'
 
@@ -8,19 +9,19 @@ module ShopifyApp
       source_root File.expand_path('../templates', __FILE__)
 
       def create_user_model
-        copy_file 'user.rb', 'app/models/user.rb'
+        copy_file('user.rb', 'app/models/user.rb')
       end
 
       def create_user_migration
-        migration_template 'db/migrate/create_users.erb', 'db/migrate/create_users.rb'
+        migration_template('db/migrate/create_users.erb', 'db/migrate/create_users.rb')
       end
 
       def update_shopify_app_initializer
-        gsub_file 'config/initializers/shopify_app.rb', 'ShopifyApp::InMemorySessionStore', 'User'
+        gsub_file('config/initializers/shopify_app.rb', 'ShopifyApp::InMemoryUserSessionStore', 'User')
       end
 
       def create_user_fixtures
-        copy_file 'users.yml', 'test/fixtures/users.yml'
+        copy_file('users.yml', 'test/fixtures/users.yml')
       end
 
       private

data/lib/generators/shopify_app/views/views_generator.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'rails/generators/base'
 
 module ShopifyApp

data/lib/shopify_app.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'shopify_app/version'
 
 # deps
@@ -44,9 +45,13 @@ module ShopifyApp
   require 'shopify_app/middleware/same_site_cookie_middleware'
 
   # session
-  require 'shopify_app/session/storage_strategies/shop_storage_strategy'
-  require 'shopify_app/session/storage_strategies/user_storage_strategy'
-  require 'shopify_app/session/session_storage'
-  require 'shopify_app/session/session_repository'
   require 'shopify_app/session/in_memory_session_store'
+  require 'shopify_app/session/in_memory_shop_session_store'
+  require 'shopify_app/session/in_memory_user_session_store'
+  require 'shopify_app/session/jwt'
+  require 'shopify_app/session/null_user_session_store'
+  require 'shopify_app/session/session_repository'
+  require 'shopify_app/session/session_storage'
+  require 'shopify_app/session/shop_session_storage'
+  require 'shopify_app/session/user_session_storage'
 end

data/lib/shopify_app/configuration.rb

@@ -1,6 +1,6 @@
+# frozen_string_literal: true
 module ShopifyApp
   class Configuration
-
     # Shopify App settings. These values should match the configuration
     # for the app in your Shopify Partners page. Change your settings in
     # `config/initializers/shopify_app.rb`
@@ -14,14 +14,11 @@ module ShopifyApp
     attr_accessor :webhooks
     attr_accessor :scripttags
     attr_accessor :after_authenticate_job
-    attr_reader :session_repository
-    attr_accessor :per_user_tokens
-    alias_method :per_user_tokens?, :per_user_tokens
     attr_accessor :api_version
 
     # customise urls
     attr_accessor :root_url
-    attr_accessor :login_url
+    attr_writer :login_url
 
     # customise ActiveJob queue names
     attr_accessor :scripttags_manager_queue_name
@@ -37,14 +34,16 @@ module ShopifyApp
     attr_accessor :webhook_jobs_namespace
 
     # allow enabling of same site none on cookies
-    attr_accessor :enable_same_site_none
+    attr_writer :enable_same_site_none
+
+    # allow enabling jwt headers for authentication
+    attr_accessor :allow_jwt_authentication
 
     def initialize
       @root_url = '/'
       @myshopify_domain = 'myshopify.com'
       @scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
       @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
-      @per_user_tokens = false
       @disable_webpacker = ENV['SHOPIFY_APP_DISABLE_WEBPACKER'].present?
     end
 
@@ -52,9 +51,20 @@ module ShopifyApp
       @login_url || File.join(@root_url, 'login')
     end
 
-    def session_repository=(klass)
-      @session_repository = klass
-      ShopifyApp::SessionRepository.storage = klass
+    def user_session_repository=(klass)
+      ShopifyApp::SessionRepository.user_storage = klass
+    end
+
+    def user_session_repository
+      ShopifyApp::SessionRepository.user_storage
+    end
+
+    def shop_session_repository=(klass)
+      ShopifyApp::SessionRepository.shop_storage = klass
+    end
+
+    def shop_session_repository
+      ShopifyApp::SessionRepository.shop_storage
     end
 
     def has_webhooks?

data/lib/shopify_app/controller_concerns/app_proxy_verification.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   module AppProxyVerification
     extend ActiveSupport::Concern
@@ -8,7 +9,7 @@ module ShopifyApp
     end
 
     def verify_proxy_request
-      return head :forbidden unless query_string_valid?(request.query_string)
+      return head(:forbidden) unless query_string_valid?(request.query_string)
     end
 
     private
@@ -26,7 +27,7 @@ module ShopifyApp
     end
 
     def calculated_signature(query_hash_without_signature)
-      sorted_params = query_hash_without_signature.collect{|k,v| "#{k}=#{Array(v).join(',')}"}.sort.join
+      sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(',')}" }.sort.join
 
       OpenSSL::HMAC.hexdigest(
         OpenSSL::Digest.new('sha256'),

data/lib/shopify_app/controller_concerns/embedded_app.rb

@@ -1,11 +1,12 @@
+# frozen_string_literal: true
 module ShopifyApp
   module EmbeddedApp
     extend ActiveSupport::Concern
 
     included do
       if ShopifyApp.configuration.embedded_app?
-        after_action :set_esdk_headers
-        layout 'embedded_app'
+        after_action(:set_esdk_headers)
+        layout('embedded_app')
       end
     end
 

data/lib/shopify_app/controller_concerns/localization.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   module Localization
     extend ActiveSupport::Concern

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -11,56 +11,94 @@ module ShopifyApp
 
     included do
       after_action :set_test_cookie
-      rescue_from ActiveResource::UnauthorizedAccess, :with => :close_session
+      rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
     end
 
-    def shopify_session
-      return redirect_to_login unless shop_session
+    def activate_shopify_session
+      return redirect_to_login if current_shopify_session.blank?
       clear_top_level_oauth_cookie
 
       begin
-        ShopifyAPI::Base.activate_session(shop_session)
+        ShopifyAPI::Base.activate_session(current_shopify_session)
         yield
       ensure
         ShopifyAPI::Base.clear_session
       end
     end
 
-    def shop_session
-      if ShopifyApp.configuration.per_user_tokens?
-        return unless session[:shopify_user]
-        @shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify_user]['id'])
-      else
-        return unless session[:shopify]
-        @shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify])
+    def current_shopify_session
+      @current_shopify_session ||= begin
+        user_session || shop_session
       end
     end
 
+    def user_session
+      user_session_by_jwt || user_session_by_cookie
+    end
+
+    def user_session_by_jwt
+      return unless ShopifyApp.configuration.allow_jwt_authentication
+      return unless jwt_shopify_user_id
+      ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(jwt_shopify_user_id)
+    end
+
+    def user_session_by_cookie
+      return unless session[:user_id].present?
+      ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
+    end
+
+    def shop_session
+      shop_session_by_jwt || shop_session_by_cookie
+    end
+
+    def shop_session_by_jwt
+      return unless ShopifyApp.configuration.allow_jwt_authentication
+      return unless jwt_shopify_domain
+      ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(jwt_shopify_domain)
+    end
+
+    def shop_session_by_cookie
+      return unless session[:shop_id].present?
+      ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
+    end
+
     def login_again_if_different_user_or_shop
-      if ShopifyApp.configuration.per_user_tokens?
-        valid_session_data = session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
-        sessions_do_not_match = session[:user_session] != params[:session] # current user is different from stored user
+      if session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
+        clear_session = session[:user_session] != params[:session] # current user is different from stored user
 
-        if valid_session_data && sessions_do_not_match
-          clear_session = true
-        end
       end
 
-      if shop_session && params[:shop] && params[:shop].is_a?(String) && (shop_session.domain != params[:shop])
+      if current_shopify_session &&
+        params[:shop] && params[:shop].is_a?(String) &&
+        (current_shopify_session.domain != params[:shop])
         clear_session = true
       end
 
       if clear_session
-        clear_shop_session
+        clear_shopify_session
         redirect_to_login
       end
     end
 
     protected
 
+    def jwt_shopify_domain
+      return unless jwt
+      @jwt_shopify_domain ||= JWT.new(jwt).shopify_domain
+    end
+
+    def jwt_shopify_user_id
+      return unless jwt
+      @jwt_user_id ||= JWT.new(jwt).shopify_user_id
+    end
+
+    def jwt
+      @jwt ||= authenticate_with_http_token { |token| token }
+    end
+
     def redirect_to_login
       if request.xhr?
-        head :unauthorized
+        head(:unauthorized)
       else
         if request.get?
           path = request.path
@@ -76,12 +114,13 @@ module ShopifyApp
     end
 
     def close_session
-      clear_shop_session
+      clear_shopify_session
       redirect_to(login_url_with_optional_shop)
     end
 
-    def clear_shop_session
-      session[:shopify] = nil
+    def clear_shopify_session
+      session[:shop_id] = nil
+      session[:user_id] = nil
       session[:shopify_domain] = nil
       session[:shopify_user] = nil
       session[:user_session] = nil
@@ -123,9 +162,10 @@ module ShopifyApp
 
     def fullpage_redirect_to(url)
       if ShopifyApp.configuration.embedded_app?
-        render 'shopify_app/shared/redirect', layout: false, locals: { url: url, current_shopify_domain: current_shopify_domain }
+        render('shopify_app/shared/redirect', layout: false,
+               locals: { url: url, current_shopify_domain: current_shopify_domain })
       else
-        redirect_to url
+        redirect_to(url)
       end
     end
 

data/lib/shopify_app/controller_concerns/webhook_verification.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   module WebhookVerification
     extend ActiveSupport::Concern
@@ -11,7 +12,7 @@ module ShopifyApp
 
     def verify_request
       data = request.raw_post
-      return head :unauthorized unless hmac_valid?(data)
+      return head(:unauthorized) unless hmac_valid?(data)
     end
 
     def hmac_valid?(data)

data/lib/shopify_app/engine.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class Engine < Rails::Engine
     engine_name 'shopify_app'

data/lib/shopify_app/jobs/scripttags_manager_job.rb

@@ -1,6 +1,6 @@
+# frozen_string_literal: true
 module ShopifyApp
   class ScripttagsManagerJob < ActiveJob::Base
-
     queue_as do
       ShopifyApp.configuration.scripttags_manager_queue_name
     end

data/lib/shopify_app/jobs/webhooks_manager_job.rb

@@ -1,6 +1,6 @@
+# frozen_string_literal: true
 module ShopifyApp
   class WebhooksManagerJob < ActiveJob::Base
-
     queue_as do
       ShopifyApp.configuration.webhooks_manager_queue_name
     end

data/lib/shopify_app/managers/scripttags_manager.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class ScripttagsManager
     class CreationFailed < StandardError; end
@@ -43,7 +44,7 @@ module ShopifyApp
     def destroy_scripttags
       scripttags = expanded_scripttags
       ShopifyAPI::ScriptTag.all.each do |tag|
-        ShopifyAPI::ScriptTag.delete(tag.id) if is_required_scripttag?(scripttags, tag)
+        ShopifyAPI::ScriptTag.delete(tag.id) if required_scripttag?(scripttags, tag)
       end
 
       @current_scripttags = nil
@@ -55,8 +56,8 @@ module ShopifyApp
       self.class.build_src(required_scripttags, shop_domain)
     end
 
-    def is_required_scripttag?(scripttags, tag)
-      scripttags.map{ |w| w[:src] }.include? tag.src
+    def required_scripttag?(scripttags, tag)
+      scripttags.map { |w| w[:src] }.include?(tag.src)
     end
 
     def create_scripttag(attributes)

data/lib/shopify_app/managers/webhooks_manager.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class WebhooksManager
     class CreationFailed < StandardError; end
@@ -31,7 +32,7 @@ module ShopifyApp
 
     def destroy_webhooks
       ShopifyAPI::Webhook.all.to_a.each do |webhook|
-        ShopifyAPI::Webhook.delete(webhook.id) if is_required_webhook?(webhook)
+        ShopifyAPI::Webhook.delete(webhook.id) if required_webhook?(webhook)
       end
 
       @current_webhooks = nil
@@ -39,8 +40,8 @@ module ShopifyApp
 
     private
 
-    def is_required_webhook?(webhook)
-      required_webhooks.map{ |w| w[:address] }.include? webhook.address
+    def required_webhook?(webhook)
+      required_webhooks.map { |w| w[:address] }.include?(webhook.address)
     end
 
     def create_webhook(attributes)

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class SameSiteCookieMiddleware
     COOKIE_SEPARATOR = "\n"
@@ -11,14 +12,15 @@ module ShopifyApp
       user_agent = env['HTTP_USER_AGENT']
 
       if headers && headers['Set-Cookie'] &&
-          !SameSiteCookieMiddleware.same_site_none_incompatible?(user_agent) &&
-          ShopifyApp.configuration.enable_same_site_none
+          BrowserSniffer.new(user_agent).same_site_none_compatible? &&
+          ShopifyApp.configuration.enable_same_site_none &&
+          Rack::Request.new(env).ssl?
 
         set_cookies = headers['Set-Cookie']
           .split(COOKIE_SEPARATOR)
           .compact
           .map do |cookie|
-            cookie << '; Secure' if not cookie =~ /;\s*secure/i
+            cookie << '; Secure' unless cookie =~ /;\s*secure/i
             cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
             cookie
           end
@@ -28,40 +30,5 @@ module ShopifyApp
 
       [status, headers, body]
     end
-
-    def self.same_site_none_incompatible?(user_agent)
-      sniffer = BrowserSniffer.new(user_agent)
-
-      webkit_same_site_bug?(sniffer) || drops_unrecognized_same_site_cookies?(sniffer)
-    rescue
-      true
-    end
-
-    def self.webkit_same_site_bug?(sniffer)
-      (sniffer.os == :ios && sniffer.os_version.match(/^([0-9]|1[12])[\.\_]/)) ||
-        (sniffer.os == :mac && sniffer.browser == :safari && sniffer.os_version.match(/^10[\.\_]14/))
-    end
-
-    def self.drops_unrecognized_same_site_cookies?(sniffer)
-      (chromium_based?(sniffer) && sniffer.major_browser_version >= 51 && sniffer.major_browser_version <= 66) ||
-        (uc_browser?(sniffer) && !uc_browser_version_at_least?(sniffer: sniffer, major: 12, minor: 13, build: 2))
-    end
-
-    def self.chromium_based?(sniffer)
-      sniffer.browser_name.downcase.match(/chrom(e|ium)/)
-    end
-
-    def self.uc_browser?(sniffer)
-      sniffer.user_agent.downcase.match(/uc\s?browser/)
-    end
-
-    def self.uc_browser_version_at_least?(sniffer:, major:, minor:, build:)
-      digits = sniffer.browser_version.split('.').map(&:to_i)
-      return false unless digits.count >= 3
-
-      return digits[0] > major if digits[0] != major
-      return digits[1] > minor if digits[1] != minor
-      digits[2] >= build
-    end
   end
 end