RubyGems - shopify_app - Versions diffs - 12.0.7 → 13.2.0 - Mend

shopify_app 12.0.7 → 13.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (76) hide show

data/lib/shopify_app/controller_concerns/webhook_verification.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   module WebhookVerification
     extend ActiveSupport::Concern
@@ -11,7 +12,7 @@ module ShopifyApp
     def verify_request
       data = request.raw_post
-      return head :unauthorized unless hmac_valid?(data)
+      return head(:unauthorized) unless hmac_valid?(data)
     end
     def hmac_valid?(data)

data/lib/shopify_app/engine.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class Engine < Rails::Engine
     engine_name 'shopify_app'
@@ -15,6 +16,10 @@ module ShopifyApp
     initializer "shopify_app.middleware" do |app|
       app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::SameSiteCookieMiddleware)
+      if ShopifyApp.configuration.allow_jwt_authentication
+        app.config.middleware.insert_after(ShopifyApp::SameSiteCookieMiddleware, ShopifyApp::JWTMiddleware)
+      end
     end
   end
 end

data/lib/shopify_app/jobs/scripttags_manager_job.rb CHANGED

@@ -1,6 +1,6 @@
+# frozen_string_literal: true
 module ShopifyApp
   class ScripttagsManagerJob < ActiveJob::Base
     queue_as do
       ShopifyApp.configuration.scripttags_manager_queue_name
     end

data/lib/shopify_app/jobs/webhooks_manager_job.rb CHANGED

@@ -1,6 +1,6 @@
+# frozen_string_literal: true
 module ShopifyApp
   class WebhooksManagerJob < ActiveJob::Base
     queue_as do
       ShopifyApp.configuration.webhooks_manager_queue_name
     end

data/lib/shopify_app/managers/scripttags_manager.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class ScripttagsManager
     class CreationFailed < StandardError; end
@@ -43,7 +44,7 @@ module ShopifyApp
     def destroy_scripttags
       scripttags = expanded_scripttags
       ShopifyAPI::ScriptTag.all.each do |tag|
-        ShopifyAPI::ScriptTag.delete(tag.id) if is_required_scripttag?(scripttags, tag)
+        ShopifyAPI::ScriptTag.delete(tag.id) if required_scripttag?(scripttags, tag)
       end
       @current_scripttags = nil
@@ -55,8 +56,8 @@ module ShopifyApp
       self.class.build_src(required_scripttags, shop_domain)
     end
-    def is_required_scripttag?(scripttags, tag)
-      scripttags.map{ |w| w[:src] }.include? tag.src
+    def required_scripttag?(scripttags, tag)
+      scripttags.map { |w| w[:src] }.include?(tag.src)
     end
     def create_scripttag(attributes)

data/lib/shopify_app/managers/webhooks_manager.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class WebhooksManager
     class CreationFailed < StandardError; end
@@ -31,7 +32,7 @@ module ShopifyApp
     def destroy_webhooks
       ShopifyAPI::Webhook.all.to_a.each do |webhook|
-        ShopifyAPI::Webhook.delete(webhook.id) if is_required_webhook?(webhook)
+        ShopifyAPI::Webhook.delete(webhook.id) if required_webhook?(webhook)
       end
       @current_webhooks = nil
@@ -39,8 +40,8 @@ module ShopifyApp
     private
-    def is_required_webhook?(webhook)
-      required_webhooks.map{ |w| w[:address] }.include? webhook.address
+    def required_webhook?(webhook)
+      required_webhooks.map { |w| w[:address] }.include?(webhook.address)
     end
     def create_webhook(attributes)

data/lib/shopify_app/middleware/jwt_middleware.rb ADDED

@@ -0,0 +1,41 @@
+module ShopifyApp
+  class JWTMiddleware
+    TOKEN_REGEX = /^Bearer\s+(.*?)$/
+    def initialize(app)
+      @app = app
+    end
+    def call(env)
+      return call_next(env) unless authorization_header(env)
+      token = extract_token(env)
+      return call_next(env) unless token
+      set_env_variables(token, env)
+      call_next(env)
+    end
+    private
+    def call_next(env)
+      @app.call(env)
+    end
+    def authorization_header(env)
+      env['HTTP_AUTHORIZATION']
+    end
+    def extract_token(env)
+      match = authorization_header(env).match(TOKEN_REGEX)
+      match && match[1]
+    end
+    def set_env_variables(token, env)
+      jwt = ShopifyApp::JWT.new(token)
+      env['jwt.shopify_domain'] = jwt.shopify_domain
+      env['jwt.shopify_user_id'] = jwt.shopify_user_id
+    end
+  end
+end

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb CHANGED

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class SameSiteCookieMiddleware
     COOKIE_SEPARATOR = "\n"
@@ -19,7 +20,7 @@ module ShopifyApp
           .split(COOKIE_SEPARATOR)
           .compact
           .map do |cookie|
-            cookie << '; Secure' if not cookie =~ /;\s*secure/i
+            cookie << '; Secure' unless cookie =~ /;\s*secure/i
             cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
             cookie
           end

data/lib/shopify_app/session/in_memory_session_store.rb CHANGED

@@ -1,4 +1,7 @@
+# frozen_string_literal: true
 module ShopifyApp
+  # rubocop:disable Style/ClassVars
+  # Class var repo is needed here in order to share data between the 2 child classes.
   class InMemorySessionStore
     class EnvironmentError < StandardError; end
@@ -6,7 +9,7 @@ module ShopifyApp
       repo[id]
     end
-    def self.store(session, *args)
+    def self.store(session, *_args)
       id = SecureRandom.uuid
       repo[id] = session
       id
@@ -18,10 +21,11 @@ module ShopifyApp
     def self.repo
       if Rails.env.production?
-        raise EnvironmentError.new("Cannot use InMemorySessionStore in a Production environment. \
-          Please initialize ShopifyApp with a model that can store and retrieve sessions")
+        raise EnvironmentError, "Cannot use InMemorySessionStore in a Production environment. \
+          Please initialize ShopifyApp with a model that can store and retrieve sessions"
       end
       @@repo ||= {}
     end
   end
+  # rubocop:enable Style/ClassVars
 end

data/lib/shopify_app/session/in_memory_shop_session_store.rb ADDED

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class InMemoryShopSessionStore < InMemorySessionStore
+    def self.store(session, *args)
+      id = super
+      repo[session.domain] = session
+      id
+    end
+    def self.retrieve_by_shopify_domain(shopify_domain)
+      repo[shopify_domain]
+    end
+  end
+end

data/lib/shopify_app/session/in_memory_user_session_store.rb ADDED

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class InMemoryUserSessionStore < InMemorySessionStore
+    def self.store(session, user)
+      id = super
+      repo[user.shopify_user_id] = session
+      id
+    end
+    def self.retrieve_by_shopify_user_id(user_id)
+      repo[user_id]
+    end
+  end
+end

data/lib/shopify_app/session/jwt.rb ADDED

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class JWT
+    class InvalidDestinationError < StandardError; end
+    class MismatchedHostsError < StandardError; end
+    class InvalidAudienceError < StandardError; end
+    WARN_EXCEPTIONS = [
+      ::JWT::DecodeError,
+      ::JWT::ExpiredSignature,
+      ::JWT::ImmatureSignature,
+      ::JWT::VerificationError,
+      InvalidAudienceError,
+      InvalidDestinationError,
+      MismatchedHostsError,
+    ]
+    def initialize(token)
+      @token = token
+      set_payload
+    end
+    def shopify_domain
+      @payload && ShopifyApp::Utils.sanitize_shop_domain(@payload['dest'])
+    end
+    def shopify_user_id
+      @payload && @payload['sub']
+    end
+    private
+    def set_payload
+      payload, _ = parse_token_data(ShopifyApp.configuration&.secret, ShopifyApp.configuration&.old_secret)
+      @payload = validate_payload(payload)
+    rescue *WARN_EXCEPTIONS => error
+      Rails.logger.warn("[ShopifyApp::JWT] Failed to validate JWT: [#{error.class}] #{error}")
+      nil
+    end
+    def parse_token_data(secret, old_secret)
+      ::JWT.decode(@token, secret, true, { algorithm: 'HS256' })
+    rescue ::JWT::VerificationError
+      raise unless old_secret
+      ::JWT.decode(@token, old_secret, true, { algorithm: 'HS256' })
+    end
+    def validate_payload(payload)
+      dest_host = ShopifyApp::Utils.sanitize_shop_domain(payload['dest'])
+      iss_host = ShopifyApp::Utils.sanitize_shop_domain(payload['iss'])
+      api_key = ShopifyApp.configuration.api_key
+      raise InvalidAudienceError, "'aud' claim does not match api_key" unless payload['aud'] == api_key
+      raise InvalidDestinationError, "'dest' claim host not a valid shopify host" unless dest_host
+      raise MismatchedHostsError, "'dest' claim host does not match 'iss' claim host" unless dest_host == iss_host
+      payload
+    end
+  end
+end

data/lib/shopify_app/session/null_user_session_store.rb ADDED

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class NullUserSessionStore
+    class << self
+      def retrieve(_)
+        nil
+      end
+      def store(_, _)
+        raise SessionRepository::ConfigurationError, 'user_storage is not configured'
+      end
+      def retrieve_by_shopify_user_id(_)
+        nil
+      end
+      def blank?
+        true
+      end
+    end
+  end
+end

data/lib/shopify_app/session/session_repository.rb CHANGED

@@ -1,33 +1,55 @@
+# frozen_string_literal: true
 module ShopifyApp
   class SessionRepository
     class ConfigurationError < StandardError; end
     class << self
-      def storage=(storage)
-        @storage = storage
+      attr_writer :shop_storage
-        unless storage.nil? || self.storage.respond_to?(:store) && self.storage.respond_to?(:retrieve)
-          raise ArgumentError, "storage must respond to :store and :retrieve"
-        end
+      attr_writer :user_storage
+      def retrieve_shop_session(id)
+        shop_storage.retrieve(id)
+      end
+      def retrieve_user_session(id)
+        user_storage.retrieve(id)
       end
-      def retrieve(id)
-        storage.retrieve(id)
+      def retrieve_shop_session_by_shopify_domain(shopify_domain)
+        shop_storage.retrieve_by_shopify_domain(shopify_domain)
       end
-      def store(session, *args)
-        storage.store(session, *args)
+      def retrieve_user_session_by_shopify_user_id(user_id)
+        user_storage.retrieve_by_shopify_user_id(user_id)
       end
-      def storage
-        load_storage || raise(ConfigurationError.new("ShopifySessionRepository.storage is not configured!"))
+      def store_shop_session(session)
+        shop_storage.store(session)
+      end
+      def store_user_session(session, user)
+        user_storage.store(session, user)
+      end
+      def shop_storage
+        load_shop_storage || raise(ConfigurationError, "ShopifySessionRepository.shop_storage is not configured!")
+      end
+      def user_storage
+        load_user_storage
       end
       private
-      def load_storage
-        return unless @storage
-        @storage.respond_to?(:safe_constantize) ? @storage.safe_constantize : @storage
+      def load_shop_storage
+        return unless @shop_storage
+        @shop_storage.respond_to?(:safe_constantize) ? @shop_storage.safe_constantize : @shop_storage
+      end
+      def load_user_storage
+        return NullUserSessionStore unless @user_storage
+        @user_storage.respond_to?(:safe_constantize) ? @user_storage.safe_constantize : @user_storage
       end
     end
   end

data/lib/shopify_app/session/session_storage.rb CHANGED

@@ -1,20 +1,11 @@
+# frozen_string_literal: true
 module ShopifyApp
   module SessionStorage
     extend ActiveSupport::Concern
     included do
-      if ShopifyApp.configuration.per_user_tokens?
-        extend ShopifyApp::SessionStorage::UserStorageStrategy
-      else
-        extend ShopifyApp::SessionStorage::ShopStorageStrategy
-      end
       validates :shopify_token, presence: true
       validates :api_version, presence: true
-      validates :shopify_domain, presence: true,
-        if: Proc.new {|_| ShopifyApp.configuration.per_user_tokens? }
-      validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false },
-        if: Proc.new {|_| !ShopifyApp.configuration.per_user_tokens? }
     end
     def with_shopify_session(&block)

data/lib/shopify_app/session/shop_session_storage.rb ADDED

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module ShopSessionStorage
+    extend ActiveSupport::Concern
+    include ::ShopifyApp::SessionStorage
+    included do
+      validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false }
+    end
+    class_methods do
+      def store(auth_session, *_args)
+        shop = find_or_initialize_by(shopify_domain: auth_session.domain)
+        shop.shopify_token = auth_session.token
+        shop.save!
+        shop.id
+      end
+      def retrieve(id)
+        shop = find_by(id: id)
+        construct_session(shop)
+      end
+      def retrieve_by_shopify_domain(domain)
+        shop = find_by(shopify_domain: domain)
+        construct_session(shop)
+      end
+      private
+      def construct_session(shop)
+        return unless shop
+        ShopifyAPI::Session.new(
+          domain: shop.shopify_domain,
+          token: shop.shopify_token,
+          api_version: shop.api_version,
+        )
+      end
+    end
+  end
+end

data/lib/shopify_app/session/user_session_storage.rb ADDED

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module UserSessionStorage
+    extend ActiveSupport::Concern
+    include ::ShopifyApp::SessionStorage
+    included do
+      validates :shopify_domain, presence: true
+    end
+    class_methods do
+      def store(auth_session, user)
+        user = find_or_initialize_by(shopify_user_id: user[:id])
+        user.shopify_token = auth_session.token
+        user.shopify_domain = auth_session.domain
+        user.save!
+        user.id
+      end
+      def retrieve(id)
+        user = find_by(id: id)
+        construct_session(user)
+      end
+      def retrieve_by_shopify_user_id(user_id)
+        user = find_by(shopify_user_id: user_id)
+        construct_session(user)
+      end
+      private
+      def construct_session(user)
+        return unless user
+        ShopifyAPI::Session.new(
+          domain: user.shopify_domain,
+          token: user.shopify_token,
+          api_version: user.api_version,
+        )
+      end
+    end
+  end
+end