RubyGems - shopify_app - Versions diffs - 12.0.7 → 13.2.0 - Mend

shopify_app 12.0.7 → 13.2.0

Files changed (76) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c5acb9f9fb1606515013edfda25f981c36cf5ab4323572764ba9715018056532
-  data.tar.gz: e5499e7186fa12f37e01f975d7b67ed6a846d67679b580846a7191b53d81b3d3
+  metadata.gz: 342e069a4f4d0d9bd824403f44cbcf25e398c8e869b4c31058199c7a13daca19
+  data.tar.gz: cebba3a407077d4dd86183b6aa4fe702593cfacb5de7f630305fefb7bf0ed545
 SHA512:
-  metadata.gz: c9e736b65bf5091c6ebdca30073653dde86abc131cd77747f872c0d42972bc35abdd406301e5a5eb0dd4f9273c66264c75b28e119d05d203e440038bb19250d3
-  data.tar.gz: 264ed359e7e07cf7b0947cbafad738cabf220e470872c663f18c2507c17c7d994316af275f1d28820d5624df03fabadf6f213475fb793b4fd024de514b636cf0
+  metadata.gz: 3d7e6c9dc9a521fe022f91e3c2761ff451a34fb67a61ebe3ac5888e5a19924d8eea912a9d644c4255ab0570c959ee8f56f6b30b98809b9d6bb9e09323f7bfec3
+  data.tar.gz: 67ed9dbc2897dce008f35c760251d64c708319a2171617692caedf01026b8366dd5f3ac9609d23c2ee8d196d2b90a34adce2bcf2974e7541bfa24a74a06c303b

data/.rubocop.yml CHANGED

@@ -1,10 +1,16 @@
-inherit_from:
-  - https://shopify.github.io/ruby-style-guide/rubocop.yml
+inherit_gem:
+    rubocop-shopify: rubocop.yml
-LineLength:
+AllCops:
+  TargetRubyVersion: 2.7
   Exclude:
-    - test/**/*
+    - 'test/tmp/**/*'
-Metrics/ClassLength:
+Style/MethodCallWithArgsParentheses:
   Exclude:
-    - test/**/*
+    - '**/Gemfile'
+Style/ClassAndModuleChildren:
+  Exclude:
+    - 'test/**/*'

data/.travis.yml CHANGED

@@ -13,9 +13,10 @@ cache:
   yarn: true
 rvm:
-  - 2.4.3
-  - 2.5.0
-  - 2.6.2
+  - 2.4
+  - 2.5
+  - 2.6
+  - 2.7
 install:
   - bundle install

data/CHANGELOG.md CHANGED

@@ -1,3 +1,36 @@
+13.2.0
+------
+* Get current shop domain from JWT header
+* Validate that the omniauth data matches the JWT data
+* Persist the token information to the session store
+13.1.1
+------
+* Update browser_sniffer to 1.2.2
+13.1.0
+------
+* Adds the shop URL as a parameter when redirecting after the callback
+* Bump minimum Ruby version to 2.4
+* Bug fixes
+13.0.1
+------
+* Small addition to WebhookJob to return if the shop is nil #952
+* Added Rubocop to the Repo #948
+* Added a WebhookVerification test helper #950
+* Fix for deprecation warning while loading session storage at startup
+* Changes that will allow future JWT authentication
+13.0.1
+------
+* fix for deprecation warning while loading session storage at startup
+13.0.0
+------
++ #887 Added concurrent user and shop session support (online/offline)
+  BREAKING, please see README for migration notes.
 12.0.7
 ------
 * Remove check for API_KEY in config that was throwing errors during install #919

data/Gemfile CHANGED

@@ -1,6 +1,9 @@
+# frozen_string_literal: true
 source "https://rubygems.org"
 # Specify your gem's dependencies in shopify_app.gemspec
 gemspec
 gem 'rails-controller-testing', group: :test
+gem 'rubocop-shopify', require: false

data/README.md CHANGED

@@ -8,7 +8,7 @@ Shopify App
 Shopify Application Rails engine and generator
-#### NOTE : Versions 8.0.0 through 8.2.3 contained a CSRF vulnerability that was addressed in version 8.2.4. Please update to version 8.2.4 if you're using an old version.
+#### NOTE: Versions 8.0.0 through 8.2.3 contained a CSRF vulnerability that was addressed in version 8.2.4. Please update to version 8.2.4 if you're using an old version.
 Table of Contents
 -----------------
@@ -25,6 +25,7 @@ Table of Contents
 - [AppProxyVerification](#appproxyverification)
 - [Troubleshooting](#troubleshooting)
 - [Testing an embedded app outside the Shopify admin](#testing-an-embedded-app-outside-the-shopify-admin)
+- [Migration to 13.0.0](#migrating-to-1300)
 - [Questions or problems?](#questions-or-problems-)
 - [Rails 6 Compatibility](#rails-6-compatibility)
 - [Upgrading from 8.6 to 9.0.0](#upgrading-from-86-to-900)
@@ -33,7 +34,7 @@ Introduction
 -----------
 Get started with the [Shopify Admin API](https://help.shopify.com/en/api/getting-started) faster; This gem includes a Rails Engine and generators for writing Rails applications using the Shopify API. The Engine provides a SessionsController and all the required code for authenticating with a shop via Oauth (other authentication methods are not supported).
-*Note: It's recommended to use this on a new Rails project, so that the generator won't overwrite/delete your files.*
+*Note: It's recommended to use this on a new Rails project so that the generator won't overwrite/delete your files.*
 Learn how to create and deploy a new Shopify App to Heroku with our [quickstart guide](https://github.com/Shopify/shopify_app/blob/master/docs/Quickstart.md), or dive in in less than 5 minutes with this quickstart video:
@@ -41,15 +42,15 @@ Learn how to create and deploy a new Shopify App to Heroku with our [quickstart
 Become a Shopify App Developer
 --------------------------------
-To become a Shopify App Developer you'll need a [Shopify Partner account.](http://shopify.com/partners) If you don't have a Shopify Partner account, head to http://shopify.com/partners to create one before you start.
+To become a Shopify App Developer, you'll need a [Shopify Partner account.](http://shopify.com/partners) If you don't have a Shopify Partner account, head to http://shopify.com/partners to create one before you start.
-Once you have a Partner account, [create a new application in the Partner Dashboard](https://help.shopify.com/en/api/tools/partner-dashboard/your-apps) to get an API key and other API credentials.
+Once you have a Partner account, [create a new application in the Partner Dashboard](https://help.shopify.com/en/api/tools/partner-dashboard/your-apps) to get an API key and other API credentials.
-To create an application for development set your new app's `App URL` to the URL provided by [your tunnel](#app-tunneling), ensuring that you use `https://`. If you are not planning to embed your app inside the Shopify admin or receive webhooks, set your redirect URL to `http://localhost:3000/` and the `Whitelisted redirection URL(s)` to contain `<App URL>/auth/shopify/callback`.
+To create an application for development set your new app's `App URL` to the URL provided by [your tunnel](#app-tunneling), ensuring that you use `https://`. If you are not planning to embed your app inside the Shopify admin or receive webhooks, set your redirect URL to `http://localhost:3000/` and the `Whitelisted redirection URL(s)` to contain `<App URL>/auth/shopify/callback`.
 Installation
 ------------
-To get started add `shopify_app` to your Gemfile and run `bundle install`:
+To get started, add `shopify_app` to your Gemfile and run `bundle install`:
 ``` sh
 # Create a new rails app
@@ -66,7 +67,7 @@ Now we are ready to run any of the [generators](#generators) included with `shop
 #### Rails Compatibility
-The lastest version of shopify_app is compatible with Rails `>= 5`. Use version `<= v7.2.8` if you need to work with Rails 4.
+The latest version of shopify_app is compatible with Rails `>= 5`. Use version `<= v7.2.8` if you need to work with Rails 4.
 Generators
@@ -80,7 +81,7 @@ The default generator will run the `install`, `shop`, and `home_controller` gene
 $ rails generate shopify_app
 ```
-After running the generator, you will need to run `rails db:migrate` to add new tables to your database. You can start your app with `bundle exec rails server` and install your app by visiting `http://localhost` in your web browser.
+After running the generator, you will need to run `rails db:migrate` to add new tables to your database. You can start your app with `bundle exec rails server` and install your app by visiting `http://localhost` in your web browser.
 ### API Keys
@@ -93,7 +94,7 @@ SHOPIFY_API_SECRET=your api secret
 These values can be found on the "App Setup" page in the [Shopify Partners Dashboard][dashboard]. If you are checking your code into a code repository, ensure your `.gitignore` prevents your `.env` file from being checked into any publicly accessible code.
-**You will need to load the ENV variables into your enviroment, you can do this with the [dot-env](https://github.com/bkeepers/dotenv) gem or any other method you wish to.**
+**You will need to load the ENV variables into your environment, you can do this with the [dot-env](https://github.com/bkeepers/dotenv) gem or any other method you wish to.**
 ### Install Generator
@@ -107,12 +108,12 @@ $ rails generate shopify_app:install
 Other options include:
 * `application_name` - the name of your app, it can be supplied with or without double-quotes if a whitespace is present. (e.g. `--application_name Example App` or `--application_name "Example App"`)
-* `scope` - the Oauth access scope required for your app, eg **read_products, write_orders**. *Multiple options* need to be delimited by a comma-space, and can be supplied with or without double-quotes
+* `scope` - the Oauth access scope required for your app, e.g. **read_products, write_orders**. *Multiple options* need to be delimited by a comma-space and can be supplied with or without double-quotes
 (e.g. `--scope read_products, write_orders, write_products` or `--scope "read_products, write_orders, write_products"`)
 For more information, refer the [docs](http://docs.shopify.com/api/tutorials/oauth).
 * `embedded` - the default is to generate an [embedded app](http://docs.shopify.com/embedded-app-sdk), if you want a legacy non-embedded app then set this to false, `--embedded false`
-You can update any of these settings later on easily, the arguments are simply for convenience.
+You can update any of these settings later on easily; the arguments are simply for convenience.
 The generator adds ShopifyApp and the required initializers to the host Rails application.
@@ -125,7 +126,7 @@ After running the `install` generator, you can start your app with `bundle exec
 $ rails generate shopify_app:home_controller
 ```
-This generator creates an example home controller and view which fetches and displays products using the Shopify API
+This generator creates an example home controller and view which fetches and displays products using the Shopify API.
 ### App Proxy Controller Generator
@@ -134,7 +135,7 @@ This generator creates an example home controller and view which fetches and dis
 $ rails generate shopify_app:app_proxy_controller
 ```
-This optional generator, not included with the default generator, creates the app proxy controller to handle proxy requests to the app from your shop storefront, modifies 'config/routes.rb' with a namespace route, and an example view which displays current shop information using the LiquidAPI
+This optional generator, not included with the default generator, creates the app proxy controller to handle proxy requests to the app from your shop storefront, modifies 'config/routes.rb' with a namespace route, and an example view which displays current shop information using the LiquidAPI.
 ### Marketing Extension Generator
@@ -146,7 +147,7 @@ This will create a controller with the endpoints required to build a [marketing
 ### Controllers, Routes and Views
-The last group of generators are for your convenience if you want to start overriding code included as part of the Rails engine. For example by default the engine provides a simple SessionController, if you run the `rails generate shopify_app:controllers` generator then this code gets copied out into your app so you can start adding to it. Routes and views follow the exact same pattern.
+The last group of generators are for your convenience if you want to start overriding code included as part of the Rails engine. For example, by default the engine provides a simple SessionController, if you run the `rails generate shopify_app:controllers` generator then this code gets copied out into your app so you can start adding to it. Routes and views follow the exact same pattern.
 Mounting the Engine
 -------------------
@@ -169,7 +170,7 @@ The engine may also be mounted at a nested route, for example:
 mount ShopifyApp::Engine, at: '/nested'
 ```
-This will create the Shopify engine routes under the specified subpath. You'll also need to make some updates to your `shopify_app.rb` and `omniauth.rb` initializers. First update the shopify_app initializer to include a custom `root_url` e.g.:
+This will create the Shopify engine routes under the specified subpath. You'll also need to make some updates to your `shopify_app.rb` and `omniauth.rb` initializers. First, update the shopify_app initializer to include a custom `root_url` e.g.:
 ```ruby
 ShopifyApp.configure do |config|
@@ -215,7 +216,7 @@ Authentication
 ### Callback
-Upon completing the authentication flow Shopify calls the app at the `callback_path` mentioned before. If the app needs to do some extra work it can define and configure the route to a custom callback controller, inheriting from `ShopifyApp::CallbackController` and hook into or override any of the defined helper methods. The default callback controller already provides the following behaviour:
+Upon completing the authentication flow, Shopify calls the app at the `callback_path` mentioned before. If the app needs to do some extra work, it can define and configure the route to a custom callback controller, inheriting from `ShopifyApp::CallbackController` and hook into or override any of the defined helper methods. The default callback controller already provides the following behaviour:
 * Logging into the shop and resetting the session
 * [Installing Webhooks](https://github.com/Shopify/shopify_app#webhooksmanager)
 * [Setting Scripttags](https://github.com/Shopify/shopify_app#scripttagsmanager)
@@ -226,44 +227,45 @@ Upon completing the authentication flow Shopify calls the app at the `callback_p
 ### ShopifyApp::SessionRepository
-`ShopifyApp::SessionRepository` allows you as a developer to define how your sessions are stored and retrieved for shops. The `SessionRepository` is configured in the `config/initializers/shopify_app.rb` file and can be set to any object that implements `self.store(auth_session, *args)` which stores the session and returns a unique identifier and `self.retrieve(id)` which returns a `ShopifyAPI::Session` for the passed id. These methods are already implemented as part of the `ShopifyApp::SessionStorage` concern, but can be overridden for custom implementation.
-If you only run the install generator then by default you will have an in memory store but it **won't work** on multi-server environments including Heroku. For multi-server environments, implement one of the following token-storage strategies.
+`ShopifyApp::SessionRepository` allows you as a developer to define how your sessions are stored and retrieved for shops. The `SessionRepository` is configured in the `config/initializers/shopify_app.rb` file and can be set to any object that implements `self.store(auth_session, *args)` which stores the session and returns a unique identifier and `self.retrieve(id)` which returns a `ShopifyAPI::Session` for the passed id. These methods are already implemented as part of the `ShopifyApp::SessionStorage` concern but can be overridden for custom implementation.
 #### Shop-based token storage
-Storing tokens on the store model means that any user login associated to the store will have equal access levels to whatever the original user granted the app.
+Storing tokens on the store model means that any user login associated with the store will have equal access levels to whatever the original user granted the app.
 ```sh
 $ rails generate shopify_app:shop_model
 ```
 This will generate a shop model which will be the storage for the tokens necessary for authentication.
 #### User-based token storage
-A more granular control over level of access per user on an app might be necessary, to which the shop-based token strategy is not sufficient. Shopify supports a user-based token storage strategy where a unique token to each user can be managed.
+A more granular control over the level of access per user on an app might be necessary, to which the shop-based token strategy is not sufficient. Shopify supports a user-based token storage strategy where a unique token to each user can be managed. Shop tokens must still be maintained if you are running background jobs so that you can make use of them when necessary.
 ```sh
+$ rails generate shopify_app:shop_model
 $ rails generate shopify_app:user_model
 ```
-This will generate a user model which will be the storage for the tokens necessary for authentication.
+This will generate a shop model and user model, which will be the storage for the tokens necessary for authentication.
 The current Shopify user will be stored in the rails session at `session[:shopify_user]`
-In this mode, The `self.store(auth_session, *args)` will be invoked with a Shopify User object hash, which is then used to store the token as part of a user record, rather than a store record.
-This will change the type of token that Shopify returns and it will only be valid for a short time. Read more about `Online access` [here](https://help.shopify.com/api/getting-started/authentication/oauth). Note that this means you won't be able to use this token to respond to Webhooks.
+Read more about Online vs. Offline access [here](https://help.shopify.com/api/getting-started/authentication/oauth).
 #### Migrating from shop-based to user-based token strategy
-After running the generator, ensure that configuration settings are successfully changed:
+1. Run the `user_model` generator as mentioned above.
+2. Ensure that both your `Shop` model and `User` model includes the necessary concerns `ShopifyApp::ShopSessionStorage` and `ShopifyApp::UserSessionStorage`.
+3. Make changes to 2 initializer files as shown below:
 ```ruby
 # In the `omniauth.rb` initializer:
 provider :shopify,
-  ShopifyApp.configuration.api_key,
-  ShopifyApp.configuration.secret,
-  scope: ShopifyApp.configuration.scope,
-  per_user_permissions: true
+  ...
+  setup: lambda { |env|
+    ...
+    # Add this line
+    strategy.options[:per_user_permissions] = strategy.session[:user_tokens]
+    ...
+  }
 # In the `shopify_app.rb` initializer:
-config.session_repository = 'User'
-config.per_user_tokens = true
+config.shop_session_repository = {YOUR_SHOP_MODEL_CLASS}
+config.user_session_repository = {YOUR_USER_MODEL_CLASS}
 ```
 ### Authenticated
@@ -274,7 +276,7 @@ For backwards compatibility, the engine still provides a controller called `Shop
 ### AfterAuthenticate Job
-If your app needs to perform specific actions after the user is authenticated successfully (i.e. every time a new session is created), ShopifyApp can queue or run a job of your choosing (note that we already provide support for automatically creating Webhooks and Scripttags). To configure the after authenticate job update your initializer as follows:
+If your app needs to perform specific actions after the user is authenticated successfully (i.e. every time a new session is created), ShopifyApp can queue or run a job of your choosing (note that we already provide support for automatically creating Webhooks and Scripttags). To configure the after authenticate job, update your initializer as follows:
 ```ruby
 ShopifyApp.configure do |config|
@@ -322,11 +324,11 @@ ShopifyApp.configure do |config|
 end
 ```
-When the oauth callback is completed successfully ShopifyApp will queue a background job which will ensure all the specified webhooks exist for that shop. Because this runs on every oauth callback it means your app will always have the webhooks it needs even if the user uninstalls and re-installs the app.
+When the oauth callback is completed successfully, ShopifyApp will queue a background job which will ensure all the specified webhooks exist for that shop. Because this runs on every oauth callback, it means your app will always have the webhooks it needs even if the user uninstalls and re-installs the app.
-ShopifyApp also provides a WebhooksController that receives webhooks and queues a job based on the received topic. For example if you register the webhook from above then all you need to do is create a job called `CartsUpdateJob`. The job will be queued with 2 params: `shop_domain` and `webhook` (which is the webhook body).
+ShopifyApp also provides a WebhooksController that receives webhooks and queues a job based on the received topic. For example, if you register the webhook from above, then all you need to do is create a job called `CartsUpdateJob`. The job will be queued with 2 params: `shop_domain` and `webhook` (which is the webhook body).
-If you would like to namespace your jobs you may set `webhook_jobs_namespace` in the config. For example if your app handles webhooks from other ecommerce applications as well, and you want Shopify cart update webhooks to be processed by a job living in `jobs/shopify/webhooks/carts_update_job.rb` rather than `jobs/carts_update_job.rb`):
+If you would like to namespace your jobs, you may set `webhook_jobs_namespace` in the config. For example, if your app handles webhooks from other ecommerce applications as well, and you want Shopify cart update webhooks to be processed by a job living in `jobs/shopify/webhooks/carts_update_job.rb` rather than `jobs/carts_update_job.rb`):
 ```ruby
 ShopifyApp.configure do |config|
@@ -364,9 +366,9 @@ class CustomWebhooksController < ApplicationController
 end
 ```
-The module skips the `verify_authenticity_token` before_action and adds an action to verify that the webhook came from Shopify. You can now add a post route to your application pointing to the controller and action to accept the webhook data from Shopify.
+The module skips the `verify_authenticity_token` before_action and adds an action to verify that the webhook came from Shopify. You can now add a post route to your application, pointing to the controller and action to accept the webhook data from Shopify.
-The WebhooksManager uses ActiveJob, if ActiveJob is not configured then by default Rails will run the jobs inline. However it is highly recommended to configure a proper background processing queue like sidekiq or resque in production.
+The WebhooksManager uses ActiveJob. If ActiveJob is not configured then by default Rails will run the jobs inline. However, it is highly recommended to configure a proper background processing queue like sidekiq or resque in production.
 ShopifyApp can create webhooks for you using the `add_webhook` generator. This will add the new webhook to your config and create the required job class for you.
@@ -374,7 +376,7 @@ ShopifyApp can create webhooks for you using the `add_webhook` generator. This w
 rails g shopify_app:add_webhook -t carts/update -a https://example.com/webhooks/carts_update
 ```
-where `-t` is the topic and `-a` is the address the webhook should be sent to.
+Where `-t` is the topic and `-a` is the address the webhook should be sent to.
 ScripttagsManager
 -----------------
@@ -429,7 +431,7 @@ strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret
 App Tunneling
 -------------
-Your local app needs to be accessible from the public Internet in order to install it on a Shopify store, to use the [App Proxy Controller](#app-proxy-controller-generator) or receive Webhooks.
+Your local app needs to be accessible from the public Internet in order to install it on a Shopify store, to use the [App Proxy Controller](#app-proxy-controller-generator) or receive Webhooks.
 Use a tunneling service like [ngrok](https://ngrok.com/), [Forward](https://forwardhq.com/), [Beeceptor](https://beeceptor.com/), [Mockbin](http://mockbin.org/), or [Hookbin](https://hookbin.com/) to make your development environment accessible to the internet.
@@ -470,6 +472,31 @@ Troubleshooting
 see [TROUBLESHOOTING.md](https://github.com/Shopify/shopify_app/blob/master/docs/Troubleshooting.md)
+Using Test Helpers inside your Application
+-----------------------------------------
+A test helper that will allow you to test `ShopifyApp::WebhookVerification` in the controller from your app, to use this test, you need to `require` it directly inside your app `test/controllers/webhook_verification_test.rb`.
+```ruby
+    require 'test_helper'
+    require 'action_controller'
+    require 'action_controller/base'
+    require 'shopify_app/test_helpers/webhook_verification_helper'
+```
+Or you can require in your `test/test_helper.rb`.
+```ruby
+  ENV['RAILS_ENV'] ||= 'test'
+  require_relative '../config/environment'
+  require 'rails/test_help'
+  require 'byebug'
+  require 'shopify_app/test_helpers/all'
+```
+With `lib/shopify_app/test_helpers/all'` more tests can be added and will only need to be required in once in your library.
 Testing an embedded app outside the Shopify admin
 -------------------------------------------------
@@ -479,6 +506,35 @@ By default, loading your embedded app will redirect to the Shopify admin, with t
 forceRedirect: <%= Rails.env.development? || Rails.env.test? ? 'false' : 'true' %>
 ```
+Migrating to 13.0.0
+-------------------
+Version 13.0.0 adds the ability to use both user and shop sessions, concurrently. This however involved a large
+change to how session stores work. Here are the steps to migrate to 13.x
+### Changes to `config/initializers/shopify_app.rb`
+- *REMOVE* `config.per_user_tokens = [true|false]` this is no longer needed
+- *CHANGE* `config.session_repository = 'Shop'` To  `config.shop_session_repository = 'Shop'`
+- *ADD (optional)*  User Session Storage `config.user_session_repository = 'User'`
+### Shop Model Changes (normally `app/models/shop.rb`)
+-  *CHANGE* `include ShopifyApp::SessionStorage` to `include ShopifyApp::ShopSessionStorage`
+### Changes to the @shop_session instance variable (normally in `app/controllers/*.rb`)
+- *CHANGE* if you are using shop sessions, `@shop_session` will need to be changed to `@current_shopify_session`.
+### Changes to Rails `session`
+- *CHANGE* `session[:shopify]` is no longer set. Use `session[:user_id]` if your app uses user based tokens, or `session[:shop_id]` if your app uses shop based tokens.
+### Changes to `ShopifyApp::LoginProtection`
+`ShopifyApp::LoginProtection`
+if you are using `ShopifyApp::LoginProtection#shop_session` in your code, it will need to be
+changed to `ShopifyApp::LoginProtection#activate_shopify_session`
+### Notes
+You do not need a user model; a shop session is fine for most applications.
 Questions or problems?
 ----------------------
@@ -523,7 +579,7 @@ config.api_version = '2019-04'
 ### Session storage change
-You will need to add an `api_version` method to you session storage object.  The default implementation for this is.
+You will need to add an `api_version` method to your session storage object.  The default implementation for this is.
 ```ruby
 def api_version
   ShopifyApp.configuration.api_version

data/Rakefile CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'bundler/gem_tasks'
 require 'rake/testtask'

data/app/controllers/concerns/shopify_app/authenticated.rb CHANGED

@@ -9,7 +9,7 @@ module ShopifyApp
       include ShopifyApp::LoginProtection
       include ShopifyApp::EmbeddedApp
       before_action :login_again_if_different_user_or_shop
-      around_action :shopify_session
+      around_action :activate_shopify_session
     end
   end
 end

data/app/controllers/shopify_app/authenticated_controller.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class AuthenticatedController < ActionController::Base
     include ShopifyApp::Authenticated

data/app/controllers/shopify_app/callback_controller.rb CHANGED

@@ -6,24 +6,54 @@ module ShopifyApp
     include ShopifyApp::LoginProtection
     def callback
-      if auth_hash
-        login_shop
+      unless auth_hash
+        return respond_with_error
+      end
+      if jwt_request? && !valid_jwt_auth?
+        return respond_with_error
+      end
+      if jwt_request?
+        set_shopify_session
+        head(:ok)
+      else
+        reset_session_options
+        set_shopify_session
+        if redirect_for_user_token?
+          return redirect_to(login_url_with_optional_shop)
+        end
         install_webhooks
         install_scripttags
         perform_after_authenticate_job
-        redirect_to return_address
+        redirect_to(return_address)
+      end
+    end
+    private
+    def respond_with_error
+      if jwt_request?
+        head(:unauthorized)
       else
         flash[:error] = I18n.t('could_not_log_in')
         redirect_to(login_url_with_optional_shop)
       end
     end
-    private
+    def redirect_for_user_token?
+      ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
+    end
+    def jwt_request?
+      jwt_shopify_domain || jwt_shopify_user_id
+    end
-    def login_shop
-      reset_session_options
-      set_shopify_session
+    def valid_jwt_auth?
+      auth_hash && jwt_shopify_domain == shop_name && jwt_shopify_user_id == associated_user_id
     end
     def auth_hash
@@ -40,6 +70,10 @@ module ShopifyApp
       auth_hash['extra']['associated_user']
     end
+    def associated_user_id
+      associated_user && associated_user['id']
+    end
     def token
       auth_hash['credentials']['token']
     end
@@ -55,16 +89,15 @@ module ShopifyApp
         token: token,
         api_version: ShopifyApp.configuration.api_version
       )
-      session[:shopify] = ShopifyApp::SessionRepository.store(session_store, user: associated_user)
-      session[:shopify_domain] = shop_name
-      session[:shopify_user] = associated_user
-      if ShopifyApp.configuration.per_user_tokens?
-        # Adds the user_session to the session to determine if the logged in user has changed
-        user_session = auth_hash&.extra&.session
-        raise IndexError, "Missing user session signature" if user_session.nil?
-        session[:user_session] = user_session
+      session[:shopify_user] = associated_user
+      if session[:shopify_user].present?
+        session[:user_id] = ShopifyApp::SessionRepository.store_user_session(session_store, associated_user)
+      else
+        session[:shop_id] = ShopifyApp::SessionRepository.store_shop_session(session_store)
       end
+      session[:shopify_domain] = shop_name
+      session[:user_session] = auth_hash&.extra&.session
     end
     def install_webhooks
@@ -72,7 +105,7 @@ module ShopifyApp
       WebhooksManager.queue(
         shop_name,
-        token,
+        shop_session&.token || user_session.token,
         ShopifyApp.configuration.webhooks
       )
     end
@@ -82,7 +115,7 @@ module ShopifyApp
       ScripttagsManager.queue(
         shop_name,
-        token,
+        shop_session&.token || user_session.token,
         ShopifyApp.configuration.scripttags
       )
     end