RubyGems - shopify_app - Versions diffs - 12.0.7 → 13.2.0 - Mend

shopify_app 12.0.7 → 13.2.0

Files changed (76) hide show

data/lib/shopify_app/controller_concerns/webhook_verification.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   module WebhookVerification
     extend ActiveSupport::Concern
@@ -11,7 +12,7 @@ module ShopifyApp
     def verify_request
       data = request.raw_post
-      return head :unauthorized unless hmac_valid?(data)
+      return head(:unauthorized) unless hmac_valid?(data)
     end
     def hmac_valid?(data)

data/lib/shopify_app/engine.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class Engine < Rails::Engine
     engine_name 'shopify_app'
@@ -15,6 +16,10 @@ module ShopifyApp
     initializer "shopify_app.middleware" do |app|
       app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::SameSiteCookieMiddleware)
+      if ShopifyApp.configuration.allow_jwt_authentication
+        app.config.middleware.insert_after(ShopifyApp::SameSiteCookieMiddleware, ShopifyApp::JWTMiddleware)
+      end
     end
   end
 end

data/lib/shopify_app/jobs/scripttags_manager_job.rb CHANGED

@@ -1,6 +1,6 @@
+# frozen_string_literal: true
 module ShopifyApp
   class ScripttagsManagerJob < ActiveJob::Base
     queue_as do
       ShopifyApp.configuration.scripttags_manager_queue_name
     end

data/lib/shopify_app/jobs/webhooks_manager_job.rb CHANGED

@@ -1,6 +1,6 @@
+# frozen_string_literal: true
 module ShopifyApp
   class WebhooksManagerJob < ActiveJob::Base
     queue_as do
       ShopifyApp.configuration.webhooks_manager_queue_name
     end

data/lib/shopify_app/managers/scripttags_manager.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class ScripttagsManager
     class CreationFailed < StandardError; end
@@ -43,7 +44,7 @@ module ShopifyApp
     def destroy_scripttags
       scripttags = expanded_scripttags
       ShopifyAPI::ScriptTag.all.each do |tag|
-        ShopifyAPI::ScriptTag.delete(tag.id) if is_required_scripttag?(scripttags, tag)
+        ShopifyAPI::ScriptTag.delete(tag.id) if required_scripttag?(scripttags, tag)
       end
       @current_scripttags = nil
@@ -55,8 +56,8 @@ module ShopifyApp
       self.class.build_src(required_scripttags, shop_domain)
     end
-    def is_required_scripttag?(scripttags, tag)
-      scripttags.map{ |w| w[:src] }.include? tag.src
+    def required_scripttag?(scripttags, tag)
+      scripttags.map { |w| w[:src] }.include?(tag.src)
     end
     def create_scripttag(attributes)

data/lib/shopify_app/managers/webhooks_manager.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class WebhooksManager
     class CreationFailed < StandardError; end
@@ -31,7 +32,7 @@ module ShopifyApp
     def destroy_webhooks
       ShopifyAPI::Webhook.all.to_a.each do |webhook|
-        ShopifyAPI::Webhook.delete(webhook.id) if is_required_webhook?(webhook)
+        ShopifyAPI::Webhook.delete(webhook.id) if required_webhook?(webhook)
       end
       @current_webhooks = nil
@@ -39,8 +40,8 @@ module ShopifyApp
     private
-    def is_required_webhook?(webhook)
-      required_webhooks.map{ |w| w[:address] }.include? webhook.address
+    def required_webhook?(webhook)
+      required_webhooks.map { |w| w[:address] }.include?(webhook.address)
     end
     def create_webhook(attributes)

data/lib/shopify_app/middleware/jwt_middleware.rb ADDED

@@ -0,0 +1,41 @@
+module ShopifyApp
+  class JWTMiddleware
+    TOKEN_REGEX = /^Bearer\s+(.*?)$/
+    def initialize(app)
+      @app = app
+    end
+    def call(env)
+      return call_next(env) unless authorization_header(env)
+      token = extract_token(env)
+      return call_next(env) unless token
+      set_env_variables(token, env)
+      call_next(env)
+    end
+    private
+    def call_next(env)
+      @app.call(env)
+    end
+    def authorization_header(env)
+      env['HTTP_AUTHORIZATION']
+    end
+    def extract_token(env)
+      match = authorization_header(env).match(TOKEN_REGEX)
+      match && match[1]
+    end
+    def set_env_variables(token, env)
+      jwt = ShopifyApp::JWT.new(token)
+      env['jwt.shopify_domain'] = jwt.shopify_domain
+      env['jwt.shopify_user_id'] = jwt.shopify_user_id
+    end
+  end
+end

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class SameSiteCookieMiddleware
     COOKIE_SEPARATOR = "\n"
@@ -19,7 +20,7 @@ module ShopifyApp
           .split(COOKIE_SEPARATOR)
           .compact
           .map do |cookie|
-            cookie << '; Secure' if not cookie =~ /;\s*secure/i
+            cookie << '; Secure' unless cookie =~ /;\s*secure/i
             cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
             cookie
           end

data/lib/shopify_app/session/in_memory_session_store.rb CHANGED

@@ -1,4 +1,7 @@
+# frozen_string_literal: true
 module ShopifyApp
+  # rubocop:disable Style/ClassVars
+  # Class var repo is needed here in order to share data between the 2 child classes.
   class InMemorySessionStore
     class EnvironmentError < StandardError; end
@@ -6,7 +9,7 @@ module ShopifyApp
       repo[id]
     end
-    def self.store(session, *args)
+    def self.store(session, *_args)
       id = SecureRandom.uuid
       repo[id] = session
       id
@@ -18,10 +21,11 @@ module ShopifyApp
     def self.repo
       if Rails.env.production?
-        raise EnvironmentError.new("Cannot use InMemorySessionStore in a Production environment. \
-          Please initialize ShopifyApp with a model that can store and retrieve sessions")
+        raise EnvironmentError, "Cannot use InMemorySessionStore in a Production environment. \
+          Please initialize ShopifyApp with a model that can store and retrieve sessions"
       end
       @@repo ||= {}
     end
   end
+  # rubocop:enable Style/ClassVars
 end

data/lib/shopify_app/session/in_memory_shop_session_store.rb ADDED

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class InMemoryShopSessionStore < InMemorySessionStore
+    def self.store(session, *args)
+      id = super
+      repo[session.domain] = session
+      id
+    end
+    def self.retrieve_by_shopify_domain(shopify_domain)
+      repo[shopify_domain]
+    end
+  end
+end

data/lib/shopify_app/session/in_memory_user_session_store.rb ADDED

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class InMemoryUserSessionStore < InMemorySessionStore
+    def self.store(session, user)
+      id = super
+      repo[user.shopify_user_id] = session
+      id
+    end
+    def self.retrieve_by_shopify_user_id(user_id)
+      repo[user_id]
+    end
+  end
+end

data/lib/shopify_app/session/jwt.rb ADDED

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class JWT
+    class InvalidDestinationError < StandardError; end
+    class MismatchedHostsError < StandardError; end
+    class InvalidAudienceError < StandardError; end
+    WARN_EXCEPTIONS = [
+      ::JWT::DecodeError,
+      ::JWT::ExpiredSignature,
+      ::JWT::ImmatureSignature,
+      ::JWT::VerificationError,
+      InvalidAudienceError,
+      InvalidDestinationError,
+      MismatchedHostsError,
+    ]
+    def initialize(token)
+      @token = token
+      set_payload
+    end
+    def shopify_domain
+      @payload && ShopifyApp::Utils.sanitize_shop_domain(@payload['dest'])
+    end
+    def shopify_user_id
+      @payload && @payload['sub']
+    end
+    private
+    def set_payload
+      payload, _ = parse_token_data(ShopifyApp.configuration&.secret, ShopifyApp.configuration&.old_secret)
+      @payload = validate_payload(payload)
+    rescue *WARN_EXCEPTIONS => error
+      Rails.logger.warn("[ShopifyApp::JWT] Failed to validate JWT: [#{error.class}] #{error}")
+      nil
+    end
+    def parse_token_data(secret, old_secret)
+      ::JWT.decode(@token, secret, true, { algorithm: 'HS256' })
+    rescue ::JWT::VerificationError
+      raise unless old_secret
+      ::JWT.decode(@token, old_secret, true, { algorithm: 'HS256' })
+    end
+    def validate_payload(payload)
+      dest_host = ShopifyApp::Utils.sanitize_shop_domain(payload['dest'])
+      iss_host = ShopifyApp::Utils.sanitize_shop_domain(payload['iss'])
+      api_key = ShopifyApp.configuration.api_key
+      raise InvalidAudienceError, "'aud' claim does not match api_key" unless payload['aud'] == api_key
+      raise InvalidDestinationError, "'dest' claim host not a valid shopify host" unless dest_host
+      raise MismatchedHostsError, "'dest' claim host does not match 'iss' claim host" unless dest_host == iss_host
+      payload
+    end
+  end
+end

data/lib/shopify_app/session/null_user_session_store.rb ADDED

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class NullUserSessionStore
+    class << self
+      def retrieve(_)
+        nil
+      end
+      def store(_, _)
+        raise SessionRepository::ConfigurationError, 'user_storage is not configured'
+      end
+      def retrieve_by_shopify_user_id(_)
+        nil
+      end
+      def blank?
+        true
+      end
+    end
+  end
+end

data/lib/shopify_app/session/session_repository.rb CHANGED

@@ -1,33 +1,55 @@
+# frozen_string_literal: true
 module ShopifyApp
   class SessionRepository
     class ConfigurationError < StandardError; end
     class << self
-      def storage=(storage)
-        @storage = storage
+      attr_writer :shop_storage
-        unless storage.nil? || self.storage.respond_to?(:store) && self.storage.respond_to?(:retrieve)
-          raise ArgumentError, "storage must respond to :store and :retrieve"
-        end
+      attr_writer :user_storage
+      def retrieve_shop_session(id)
+        shop_storage.retrieve(id)
+      end
+      def retrieve_user_session(id)
+        user_storage.retrieve(id)
       end
-      def retrieve(id)
-        storage.retrieve(id)
+      def retrieve_shop_session_by_shopify_domain(shopify_domain)
+        shop_storage.retrieve_by_shopify_domain(shopify_domain)
       end
-      def store(session, *args)
-        storage.store(session, *args)
+      def retrieve_user_session_by_shopify_user_id(user_id)
+        user_storage.retrieve_by_shopify_user_id(user_id)
       end
-      def storage
-        load_storage || raise(ConfigurationError.new("ShopifySessionRepository.storage is not configured!"))
+      def store_shop_session(session)
+        shop_storage.store(session)
+      end
+      def store_user_session(session, user)
+        user_storage.store(session, user)
+      end
+      def shop_storage
+        load_shop_storage || raise(ConfigurationError, "ShopifySessionRepository.shop_storage is not configured!")
+      end
+      def user_storage
+        load_user_storage
       end
       private
-      def load_storage
-        return unless @storage
-        @storage.respond_to?(:safe_constantize) ? @storage.safe_constantize : @storage
+      def load_shop_storage
+        return unless @shop_storage
+        @shop_storage.respond_to?(:safe_constantize) ? @shop_storage.safe_constantize : @shop_storage
+      end
+      def load_user_storage
+        return NullUserSessionStore unless @user_storage
+        @user_storage.respond_to?(:safe_constantize) ? @user_storage.safe_constantize : @user_storage
       end
     end
   end

data/lib/shopify_app/session/session_storage.rb CHANGED

@@ -1,20 +1,11 @@
+# frozen_string_literal: true
 module ShopifyApp
   module SessionStorage
     extend ActiveSupport::Concern
     included do
-      if ShopifyApp.configuration.per_user_tokens?
-        extend ShopifyApp::SessionStorage::UserStorageStrategy
-      else
-        extend ShopifyApp::SessionStorage::ShopStorageStrategy
-      end
       validates :shopify_token, presence: true
       validates :api_version, presence: true
-      validates :shopify_domain, presence: true,
-        if: Proc.new {|_| ShopifyApp.configuration.per_user_tokens? }
-      validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false },
-        if: Proc.new {|_| !ShopifyApp.configuration.per_user_tokens? }
     end
     def with_shopify_session(&block)

data/lib/shopify_app/session/shop_session_storage.rb ADDED

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module ShopSessionStorage
+    extend ActiveSupport::Concern
+    include ::ShopifyApp::SessionStorage
+    included do
+      validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false }
+    end
+    class_methods do
+      def store(auth_session, *_args)
+        shop = find_or_initialize_by(shopify_domain: auth_session.domain)
+        shop.shopify_token = auth_session.token
+        shop.save!
+        shop.id
+      end
+      def retrieve(id)
+        shop = find_by(id: id)
+        construct_session(shop)
+      end
+      def retrieve_by_shopify_domain(domain)
+        shop = find_by(shopify_domain: domain)
+        construct_session(shop)
+      end
+      private
+      def construct_session(shop)
+        return unless shop
+        ShopifyAPI::Session.new(
+          domain: shop.shopify_domain,
+          token: shop.shopify_token,
+          api_version: shop.api_version,
+        )
+      end
+    end
+  end
+end

data/lib/shopify_app/session/user_session_storage.rb ADDED

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module UserSessionStorage
+    extend ActiveSupport::Concern
+    include ::ShopifyApp::SessionStorage
+    included do
+      validates :shopify_domain, presence: true
+    end
+    class_methods do
+      def store(auth_session, user)
+        user = find_or_initialize_by(shopify_user_id: user[:id])
+        user.shopify_token = auth_session.token
+        user.shopify_domain = auth_session.domain
+        user.save!
+        user.id
+      end
+      def retrieve(id)
+        user = find_by(id: id)
+        construct_session(user)
+      end
+      def retrieve_by_shopify_user_id(user_id)
+        user = find_by(shopify_user_id: user_id)
+        construct_session(user)
+      end
+      private
+      def construct_session(user)
+        return unless user
+        ShopifyAPI::Session.new(
+          domain: user.shopify_domain,
+          token: user.shopify_token,
+          api_version: user.api_version,
+        )
+      end
+    end
+  end
+end