RubyGems - shopify_app - Versions diffs - 12.0.7 → 13.2.0 - Mend

shopify_app 12.0.7 → 13.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (76) hide show

data/lib/generators/shopify_app/install/templates/embedded_app.html.erb CHANGED

@@ -28,7 +28,7 @@
     <%= content_tag(:div, nil, id: 'shopify-app-init', data: {
       api_key: ShopifyApp.configuration.api_key,
-      shop_origin: (@shop_session.domain if @shop_session),
+      shop_origin: (@current_shopify_session.domain if @current_shopify_session),
       debug: Rails.env.development?
     } ) %>

data/lib/generators/shopify_app/install/templates/omniauth.rb CHANGED

@@ -1,2 +1,3 @@
-Rails.application.config.middleware.use OmniAuth::Builder do
+# frozen_string_literal: true
+Rails.application.config.middleware.use(OmniAuth::Builder) do
 end

data/lib/generators/shopify_app/install/templates/{shopify_app.rb → shopify_app.rb.tt} RENAMED

@@ -8,7 +8,7 @@ ShopifyApp.configure do |config|
   config.embedded_app = <%= embedded_app? %>
   config.after_authenticate_job = false
   config.api_version = "<%= @api_version %>"
-  config.session_repository = 'ShopifyApp::InMemorySessionStore'
+  config.shop_session_repository = 'Shop'
 end
 # ShopifyApp::Utils.fetch_known_api_versions                        # Uncomment to fetch known api versions from shopify servers on boot

data/lib/generators/shopify_app/install/templates/shopify_provider.rb CHANGED

@@ -4,7 +4,6 @@ provider :shopify,
   ShopifyApp.configuration.api_key,
   ShopifyApp.configuration.secret,
   scope: ShopifyApp.configuration.scope,
-  per_user_permissions: ShopifyApp.configuration.per_user_tokens,
   setup: lambda { |env|
     strategy = env['omniauth.strategy']
@@ -17,4 +16,5 @@ provider :shopify,
     strategy.options[:client_options][:site] = shop
     strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret
+    strategy.options[:per_user_permissions] = strategy.session[:user_tokens]
   }

data/lib/generators/shopify_app/install/templates/user_agent.rb CHANGED

@@ -1,5 +1,6 @@
+# frozen_string_literal: true
 module ShopifyAPI
   class Base < ActiveResource::Base
-    self.headers['User-Agent'] << " | ShopifyApp/#{ShopifyApp::VERSION}"
+    headers['User-Agent'] << " | ShopifyApp/#{ShopifyApp::VERSION}"
   end
 end

data/lib/generators/shopify_app/routes/routes_generator.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'rails/generators/base'
 module ShopifyApp

data/lib/generators/shopify_app/routes/templates/routes.rb CHANGED

@@ -1,11 +1,12 @@
+# frozen_string_literal: true
-  controller :sessions do
-    get 'login' => :new, :as => :login
-    post 'login' => :create, :as => :authenticate
-    get 'auth/shopify/callback' => :callback
-    get 'logout' => :destroy, :as => :logout
-  end
+controller :sessions do
+  get 'login' => :new, :as => :login
+  post 'login' => :create, :as => :authenticate
+  get 'auth/shopify/callback' => :callback
+  get 'logout' => :destroy, :as => :logout
+end
-  namespace :webhooks do
-    post ':type' => :receive
-  end
+namespace :webhooks do
+  post ':type' => :receive
+end

data/lib/generators/shopify_app/shop_model/shop_model_generator.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'rails/generators/base'
 require 'rails/generators/active_record'
@@ -8,19 +9,19 @@ module ShopifyApp
       source_root File.expand_path('../templates', __FILE__)
       def create_shop_model
-        copy_file 'shop.rb', 'app/models/shop.rb'
+        copy_file('shop.rb', 'app/models/shop.rb')
       end
       def create_shop_migration
-        migration_template 'db/migrate/create_shops.erb', 'db/migrate/create_shops.rb'
+        migration_template('db/migrate/create_shops.erb', 'db/migrate/create_shops.rb')
       end
       def update_shopify_app_initializer
-        gsub_file 'config/initializers/shopify_app.rb', 'ShopifyApp::InMemorySessionStore', 'Shop'
+        gsub_file('config/initializers/shopify_app.rb', 'ShopifyApp::InMemoryShopSessionStore', 'Shop')
       end
       def create_shop_fixtures
-        copy_file 'shops.yml', 'test/fixtures/shops.yml'
+        copy_file('shops.yml', 'test/fixtures/shops.yml')
       end
       private
@@ -29,9 +30,13 @@ module ShopifyApp
         Rails.version.match(/\d\.\d/)[0]
       end
-      # for generating a timestamp when using `create_migration`
-      def self.next_migration_number(dir)
-        ActiveRecord::Generators::Base.next_migration_number(dir)
+      class << self
+        private :next_migration_number
+        # for generating a timestamp when using `create_migration`
+        def next_migration_number(dir)
+          ActiveRecord::Generators::Base.next_migration_number(dir)
+        end
       end
     end
   end

data/lib/generators/shopify_app/shop_model/templates/shop.rb CHANGED

@@ -1,5 +1,6 @@
+# frozen_string_literal: true
 class Shop < ActiveRecord::Base
-  include ShopifyApp::SessionStorage
+  include ShopifyApp::ShopSessionStorage
   def api_version
     ShopifyApp.configuration.api_version

data/lib/generators/shopify_app/shopify_app_generator.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   module Generators
     class ShopifyAppGenerator < Rails::Generators::Base
@@ -7,10 +8,10 @@ module ShopifyApp
       end
       def run_all_generators
-        generate "shopify_app:install #{@opts.join(' ')}"
-        generate "shopify_app:shop_model"
+        generate("shopify_app:install #{@opts.join(' ')}")
+        generate("shopify_app:shop_model")
         generate("shopify_app:authenticated_controller")
-        generate "shopify_app:home_controller"
+        generate("shopify_app:home_controller")
       end
     end
   end

data/lib/generators/shopify_app/user_model/templates/user.rb CHANGED

@@ -1,5 +1,6 @@
+# frozen_string_literal: true
 class User < ActiveRecord::Base
-  include ShopifyApp::SessionStorage
+  include ShopifyApp::UserSessionStorage
   def api_version
     ShopifyApp.configuration.api_version

data/lib/generators/shopify_app/user_model/user_model_generator.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'rails/generators/base'
 require 'rails/generators/active_record'
@@ -8,19 +9,19 @@ module ShopifyApp
       source_root File.expand_path('../templates', __FILE__)
       def create_user_model
-        copy_file 'user.rb', 'app/models/user.rb'
+        copy_file('user.rb', 'app/models/user.rb')
       end
       def create_user_migration
-        migration_template 'db/migrate/create_users.erb', 'db/migrate/create_users.rb'
+        migration_template('db/migrate/create_users.erb', 'db/migrate/create_users.rb')
       end
       def update_shopify_app_initializer
-        gsub_file 'config/initializers/shopify_app.rb', 'ShopifyApp::InMemorySessionStore', 'User'
+        gsub_file('config/initializers/shopify_app.rb', 'ShopifyApp::InMemoryUserSessionStore', 'User')
       end
       def create_user_fixtures
-        copy_file 'users.yml', 'test/fixtures/users.yml'
+        copy_file('users.yml', 'test/fixtures/users.yml')
       end
       private
@@ -29,9 +30,13 @@ module ShopifyApp
         Rails.version.match(/\d\.\d/)[0]
       end
-      # for generating a timestamp when using `create_migration`
-      def self.next_migration_number(dir)
-        ActiveRecord::Generators::Base.next_migration_number(dir)
+      class << self
+        private :next_migration_number
+        # for generating a timestamp when using `create_migration`
+        def next_migration_number(dir)
+          ActiveRecord::Generators::Base.next_migration_number(dir)
+        end
       end
     end
   end

data/lib/generators/shopify_app/views/views_generator.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'rails/generators/base'
 module ShopifyApp

data/lib/shopify_app.rb CHANGED

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
 require 'shopify_app/version'
 # deps
 require 'shopify_api'
 require 'omniauth-shopify-oauth2'
+require 'redirect_safely'
 module ShopifyApp
   def self.rails6?
@@ -41,12 +43,17 @@ module ShopifyApp
   require 'shopify_app/managers/scripttags_manager'
   # middleware
+  require 'shopify_app/middleware/jwt_middleware'
   require 'shopify_app/middleware/same_site_cookie_middleware'
   # session
-  require 'shopify_app/session/storage_strategies/shop_storage_strategy'
-  require 'shopify_app/session/storage_strategies/user_storage_strategy'
-  require 'shopify_app/session/session_storage'
-  require 'shopify_app/session/session_repository'
   require 'shopify_app/session/in_memory_session_store'
+  require 'shopify_app/session/in_memory_shop_session_store'
+  require 'shopify_app/session/in_memory_user_session_store'
+  require 'shopify_app/session/jwt'
+  require 'shopify_app/session/null_user_session_store'
+  require 'shopify_app/session/session_repository'
+  require 'shopify_app/session/session_storage'
+  require 'shopify_app/session/shop_session_storage'
+  require 'shopify_app/session/user_session_storage'
 end

data/lib/shopify_app/configuration.rb CHANGED

@@ -1,11 +1,11 @@
+# frozen_string_literal: true
 module ShopifyApp
   class Configuration
     # Shopify App settings. These values should match the configuration
     # for the app in your Shopify Partners page. Change your settings in
     # `config/initializers/shopify_app.rb`
     attr_accessor :application_name
-    attr_accessor  :api_key
+    attr_accessor :api_key
     attr_accessor :secret
     attr_accessor :old_secret
     attr_accessor :scope
@@ -14,14 +14,11 @@ module ShopifyApp
     attr_accessor :webhooks
     attr_accessor :scripttags
     attr_accessor :after_authenticate_job
-    attr_reader :session_repository
-    attr_accessor :per_user_tokens
-    alias_method :per_user_tokens?, :per_user_tokens
     attr_accessor :api_version
     # customise urls
     attr_accessor :root_url
-    attr_accessor :login_url
+    attr_writer :login_url
     # customise ActiveJob queue names
     attr_accessor :scripttags_manager_queue_name
@@ -37,14 +34,16 @@ module ShopifyApp
     attr_accessor :webhook_jobs_namespace
     # allow enabling of same site none on cookies
-    attr_accessor :enable_same_site_none
+    attr_writer :enable_same_site_none
+    # allow enabling jwt headers for authentication
+    attr_accessor :allow_jwt_authentication
     def initialize
       @root_url = '/'
       @myshopify_domain = 'myshopify.com'
       @scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
       @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
-      @per_user_tokens = false
       @disable_webpacker = ENV['SHOPIFY_APP_DISABLE_WEBPACKER'].present?
     end
@@ -52,9 +51,20 @@ module ShopifyApp
       @login_url || File.join(@root_url, 'login')
     end
-    def session_repository=(klass)
-      @session_repository = klass
-      ShopifyApp::SessionRepository.storage = klass
+    def user_session_repository=(klass)
+      ShopifyApp::SessionRepository.user_storage = klass
+    end
+    def user_session_repository
+      ShopifyApp::SessionRepository.user_storage
+    end
+    def shop_session_repository=(klass)
+      ShopifyApp::SessionRepository.shop_storage = klass
+    end
+    def shop_session_repository
+      ShopifyApp::SessionRepository.shop_storage
     end
     def has_webhooks?

data/lib/shopify_app/controller_concerns/app_proxy_verification.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   module AppProxyVerification
     extend ActiveSupport::Concern
@@ -8,7 +9,7 @@ module ShopifyApp
     end
     def verify_proxy_request
-      return head :forbidden unless query_string_valid?(request.query_string)
+      return head(:forbidden) unless query_string_valid?(request.query_string)
     end
     private
@@ -26,7 +27,7 @@ module ShopifyApp
     end
     def calculated_signature(query_hash_without_signature)
-      sorted_params = query_hash_without_signature.collect{|k,v| "#{k}=#{Array(v).join(',')}"}.sort.join
+      sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(',')}" }.sort.join
       OpenSSL::HMAC.hexdigest(
         OpenSSL::Digest.new('sha256'),

data/lib/shopify_app/controller_concerns/embedded_app.rb CHANGED

@@ -1,11 +1,12 @@
+# frozen_string_literal: true
 module ShopifyApp
   module EmbeddedApp
     extend ActiveSupport::Concern
     included do
       if ShopifyApp.configuration.embedded_app?
-        after_action :set_esdk_headers
-        layout 'embedded_app'
+        after_action(:set_esdk_headers)
+        layout('embedded_app')
       end
     end

data/lib/shopify_app/controller_concerns/localization.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   module Localization
     extend ActiveSupport::Concern

data/lib/shopify_app/controller_concerns/login_protection.rb CHANGED

@@ -11,56 +11,88 @@ module ShopifyApp
     included do
       after_action :set_test_cookie
-      rescue_from ActiveResource::UnauthorizedAccess, :with => :close_session
+      rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
     end
-    def shopify_session
-      return redirect_to_login unless shop_session
+    def activate_shopify_session
+      return redirect_to_login if current_shopify_session.blank?
       clear_top_level_oauth_cookie
       begin
-        ShopifyAPI::Base.activate_session(shop_session)
+        ShopifyAPI::Base.activate_session(current_shopify_session)
         yield
       ensure
         ShopifyAPI::Base.clear_session
       end
     end
-    def shop_session
-      if ShopifyApp.configuration.per_user_tokens?
-        return unless session[:shopify_user]
-        @shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify_user]['id'])
-      else
-        return unless session[:shopify]
-        @shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify])
+    def current_shopify_session
+      @current_shopify_session ||= begin
+        user_session || shop_session
       end
     end
+    def user_session
+      user_session_by_jwt || user_session_by_cookie
+    end
+    def user_session_by_jwt
+      return unless ShopifyApp.configuration.allow_jwt_authentication
+      return unless jwt_shopify_user_id
+      ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(jwt_shopify_user_id)
+    end
+    def user_session_by_cookie
+      return unless session[:user_id].present?
+      ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
+    end
+    def shop_session
+      shop_session_by_jwt || shop_session_by_cookie
+    end
+    def shop_session_by_jwt
+      return unless ShopifyApp.configuration.allow_jwt_authentication
+      return unless jwt_shopify_domain
+      ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(jwt_shopify_domain)
+    end
+    def shop_session_by_cookie
+      return unless session[:shop_id].present?
+      ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
+    end
     def login_again_if_different_user_or_shop
-      if ShopifyApp.configuration.per_user_tokens?
-        valid_session_data = session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
-        sessions_do_not_match = session[:user_session] != params[:session] # current user is different from stored user
+      if session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
+        clear_session = session[:user_session] != params[:session] # current user is different from stored user
-        if valid_session_data && sessions_do_not_match
-          clear_session = true
-        end
       end
-      if shop_session && params[:shop] && params[:shop].is_a?(String) && (shop_session.domain != params[:shop])
+      if current_shopify_session &&
+        params[:shop] && params[:shop].is_a?(String) &&
+        (current_shopify_session.domain != params[:shop])
         clear_session = true
       end
       if clear_session
-        clear_shop_session
+        clear_shopify_session
         redirect_to_login
       end
     end
     protected
+    def jwt_shopify_domain
+      request.env['jwt.shopify_domain']
+    end
+    def jwt_shopify_user_id
+      request.env['jwt.shopify_user_id']
+    end
     def redirect_to_login
       if request.xhr?
-        head :unauthorized
+        head(:unauthorized)
       else
         if request.get?
           path = request.path
@@ -70,18 +102,19 @@ module ShopifyApp
           path = referer.path
           query = "#{referer.query}&#{sanitized_params.to_query}"
         end
-        session[:return_to] = "#{path}?#{query}"
+        session[:return_to] = query.blank? ? path.to_s : "#{path}?#{query}"
         redirect_to(login_url_with_optional_shop)
       end
     end
     def close_session
-      clear_shop_session
+      clear_shopify_session
       redirect_to(login_url_with_optional_shop)
     end
-    def clear_shop_session
-      session[:shopify] = nil
+    def clear_shopify_session
+      session[:shop_id] = nil
+      session[:user_id] = nil
       session[:shopify_domain] = nil
       session[:shopify_user] = nil
       session[:user_session] = nil
@@ -100,7 +133,7 @@ module ShopifyApp
       query_params = {}
       query_params[:shop] = sanitized_params[:shop] if params[:shop].present?
-      return_to = session[:return_to] || params[:return_to]
+      return_to = RedirectSafely.make_safe(session[:return_to] || params[:return_to], nil)
       if return_to.present? && return_to_param_required?
         query_params[:return_to] = return_to
@@ -123,14 +156,18 @@ module ShopifyApp
     def fullpage_redirect_to(url)
       if ShopifyApp.configuration.embedded_app?
-        render 'shopify_app/shared/redirect', layout: false, locals: { url: url, current_shopify_domain: current_shopify_domain }
+        render('shopify_app/shared/redirect', layout: false,
+               locals: { url: url, current_shopify_domain: current_shopify_domain })
       else
-        redirect_to url
+        redirect_to(url)
       end
     end
     def current_shopify_domain
-      shopify_domain = sanitized_shop_name || session[:shopify_domain]
+      shopify_domain = sanitized_shop_name ||
+        jwt_shopify_domain ||
+        session[:shopify_domain]
       return shopify_domain if shopify_domain.present?
       raise ShopifyDomainNotFound
@@ -165,11 +202,16 @@ module ShopifyApp
     end
     def return_address
+      return base_return_address unless ShopifyApp.configuration.allow_jwt_authentication
+      return_address_with_params(shop: current_shopify_domain)
+    end
+    def base_return_address
       session.delete(:return_to) || ShopifyApp.configuration.root_url
     end
     def return_address_with_params(params)
-      uri = URI(return_address)
+      uri = URI(base_return_address)
       uri.query = CGI.parse(uri.query.to_s)
         .symbolize_keys
         .transform_values { |v| v.one? ? v.first : v }