shopify_app 13.0.0 → 13.0.1

data/lib/shopify_app/jobs/webhooks_manager_job.rb

@@ -1,6 +1,6 @@
+# frozen_string_literal: true
 module ShopifyApp
   class WebhooksManagerJob < ActiveJob::Base
-
     queue_as do
       ShopifyApp.configuration.webhooks_manager_queue_name
     end

data/lib/shopify_app/managers/scripttags_manager.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class ScripttagsManager
     class CreationFailed < StandardError; end
@@ -43,7 +44,7 @@ module ShopifyApp
     def destroy_scripttags
       scripttags = expanded_scripttags
       ShopifyAPI::ScriptTag.all.each do |tag|
-        ShopifyAPI::ScriptTag.delete(tag.id) if is_required_scripttag?(scripttags, tag)
+        ShopifyAPI::ScriptTag.delete(tag.id) if required_scripttag?(scripttags, tag)
       end
 
       @current_scripttags = nil
@@ -55,8 +56,8 @@ module ShopifyApp
       self.class.build_src(required_scripttags, shop_domain)
     end
 
-    def is_required_scripttag?(scripttags, tag)
-      scripttags.map{ |w| w[:src] }.include? tag.src
+    def required_scripttag?(scripttags, tag)
+      scripttags.map { |w| w[:src] }.include?(tag.src)
     end
 
     def create_scripttag(attributes)

data/lib/shopify_app/managers/webhooks_manager.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class WebhooksManager
     class CreationFailed < StandardError; end
@@ -31,7 +32,7 @@ module ShopifyApp
 
     def destroy_webhooks
       ShopifyAPI::Webhook.all.to_a.each do |webhook|
-        ShopifyAPI::Webhook.delete(webhook.id) if is_required_webhook?(webhook)
+        ShopifyAPI::Webhook.delete(webhook.id) if required_webhook?(webhook)
       end
 
       @current_webhooks = nil
@@ -39,8 +40,8 @@ module ShopifyApp
 
     private
 
-    def is_required_webhook?(webhook)
-      required_webhooks.map{ |w| w[:address] }.include? webhook.address
+    def required_webhook?(webhook)
+      required_webhooks.map { |w| w[:address] }.include?(webhook.address)
     end
 
     def create_webhook(attributes)

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class SameSiteCookieMiddleware
     COOKIE_SEPARATOR = "\n"
@@ -19,7 +20,7 @@ module ShopifyApp
           .split(COOKIE_SEPARATOR)
           .compact
           .map do |cookie|
-            cookie << '; Secure' if not cookie =~ /;\s*secure/i
+            cookie << '; Secure' unless cookie =~ /;\s*secure/i
             cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
             cookie
           end

data/lib/shopify_app/session/in_memory_session_store.rb

@@ -1,4 +1,7 @@
+# frozen_string_literal: true
 module ShopifyApp
+  # rubocop:disable Style/ClassVars
+  # Class var repo is needed here in order to share data between the 2 child classes.
   class InMemorySessionStore
     class EnvironmentError < StandardError; end
 
@@ -6,7 +9,7 @@ module ShopifyApp
       repo[id]
     end
 
-    def self.store(session, *args)
+    def self.store(session, *_args)
       id = SecureRandom.uuid
       repo[id] = session
       id
@@ -18,10 +21,11 @@ module ShopifyApp
 
     def self.repo
       if Rails.env.production?
-        raise EnvironmentError.new("Cannot use InMemorySessionStore in a Production environment. \
-          Please initialize ShopifyApp with a model that can store and retrieve sessions")
+        raise EnvironmentError, "Cannot use InMemorySessionStore in a Production environment. \
+          Please initialize ShopifyApp with a model that can store and retrieve sessions"
       end
       @@repo ||= {}
     end
   end
+  # rubocop:enable Style/ClassVars
 end

data/lib/shopify_app/session/in_memory_shop_session_store.rb

@@ -1,4 +1,14 @@
+# frozen_string_literal: true
 module ShopifyApp
   class InMemoryShopSessionStore < InMemorySessionStore
+    def self.store(session, *args)
+      id = super
+      repo[session.domain] = session
+      id
+    end
+
+    def self.retrieve_by_shopify_domain(shopify_domain)
+      repo[shopify_domain]
+    end
   end
 end

data/lib/shopify_app/session/in_memory_user_session_store.rb

@@ -1,4 +1,14 @@
+# frozen_string_literal: true
 module ShopifyApp
   class InMemoryUserSessionStore < InMemorySessionStore
+    def self.store(session, user)
+      id = super
+      repo[user.shopify_user_id] = session
+      id
+    end
+
+    def self.retrieve_by_shopify_user_id(user_id)
+      repo[user_id]
+    end
   end
 end

data/lib/shopify_app/session/jwt.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class JWT
+    def initialize(token)
+      @token = token
+      set_payload
+    end
+
+    def shopify_domain
+      payload && dest_host
+    end
+
+    def shopify_user_id
+      payload && payload['sub']
+    end
+
+    private
+
+    def payload
+      return unless @payload
+      return unless dest_host
+      return unless dest_host == iss_host
+      return unless @payload['aud'] == ShopifyApp.configuration.api_key
+
+      @payload
+    end
+
+    def set_payload
+      @payload, _ = parse_token_data(ShopifyApp.configuration.secret)
+      configuration_old_secret = @payload && ShopifyApp.configuration
+      @payload, _ = parse_token_data(ShopifyApp.configuration.old_secret) unless configuration_old_secret
+    end
+
+    def parse_token_data(secret)
+      ::JWT.decode(@token, secret, true, { algorithm: 'HS256' })
+    rescue ::JWT::DecodeError, ::JWT::VerificationError, ::JWT::ExpiredSignature, ::JWT::ImmatureSignature
+      nil
+    end
+
+    def dest_host
+      @payload && ShopifyApp::Utils.sanitize_shop_domain(@payload['dest'])
+    end
+
+    def iss_host
+      @payload && ShopifyApp::Utils.sanitize_shop_domain(@payload['iss'])
+    end
+  end
+end

data/lib/shopify_app/session/null_user_session_store.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class NullUserSessionStore
+    class << self
+      def retrieve(_)
+        nil
+      end
+
+      def store(_, _)
+        raise SessionRepository::ConfigurationError, 'user_storage is not configured'
+      end
+
+      def retrieve_by_shopify_user_id(_)
+        nil
+      end
+
+      def blank?
+        true
+      end
+    end
+  end
+end

data/lib/shopify_app/session/session_repository.rb

@@ -1,23 +1,12 @@
+# frozen_string_literal: true
 module ShopifyApp
   class SessionRepository
     class ConfigurationError < StandardError; end
 
     class << self
-      def shop_storage=(storage)
-        @shop_storage = storage
+      attr_writer :shop_storage
 
-        unless storage.nil? || self.shop_storage.respond_to?(:store) && self.shop_storage.respond_to?(:retrieve)
-          raise ArgumentError, "shop storage must respond to :store and :retrieve"
-        end
-      end
-
-      def user_storage=(storage)
-        @user_storage = storage
-
-        unless storage.nil? || self.user_storage.respond_to?(:store) && self.user_storage.respond_to?(:retrieve)
-          raise ArgumentError, "user storage must respond to :store and :retrieve"
-        end
-      end
+      attr_writer :user_storage
 
       def retrieve_shop_session(id)
         shop_storage.retrieve(id)
@@ -27,6 +16,14 @@ module ShopifyApp
         user_storage.retrieve(id)
       end
 
+      def retrieve_shop_session_by_shopify_domain(shopify_domain)
+        shop_storage.retrieve_by_shopify_domain(shopify_domain)
+      end
+
+      def retrieve_user_session_by_shopify_user_id(user_id)
+        user_storage.retrieve_by_shopify_user_id(user_id)
+      end
+
       def store_shop_session(session)
         shop_storage.store(session)
       end
@@ -36,7 +33,7 @@ module ShopifyApp
       end
 
       def shop_storage
-        load_shop_storage || raise(ConfigurationError.new("ShopifySessionRepository.shop_storage is not configured!"))
+        load_shop_storage || raise(ConfigurationError, "ShopifySessionRepository.shop_storage is not configured!")
       end
 
       def user_storage
@@ -51,7 +48,7 @@ module ShopifyApp
       end
 
       def load_user_storage
-        return unless @user_storage
+        return NullUserSessionStore unless @user_storage
         @user_storage.respond_to?(:safe_constantize) ? @user_storage.safe_constantize : @user_storage
       end
     end

data/lib/shopify_app/session/session_storage.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   module SessionStorage
     extend ActiveSupport::Concern

data/lib/shopify_app/session/shop_session_storage.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   module ShopSessionStorage
     extend ActiveSupport::Concern
@@ -8,7 +9,7 @@ module ShopifyApp
     end
 
     class_methods do
-      def store(auth_session, *args)
+      def store(auth_session, *_args)
         shop = find_or_initialize_by(shopify_domain: auth_session.domain)
         shop.shopify_token = auth_session.token
         shop.save!
@@ -16,14 +17,25 @@ module ShopifyApp
       end
 
       def retrieve(id)
-        return unless id
-        if shop = self.find_by(id: id)
-          ShopifyAPI::Session.new(
-            domain: shop.shopify_domain,
-            token: shop.shopify_token,
-            api_version: shop.api_version
-          )
-        end
+        shop = find_by(id: id)
+        construct_session(shop)
+      end
+
+      def retrieve_by_shopify_domain(domain)
+        shop = find_by(shopify_domain: domain)
+        construct_session(shop)
+      end
+
+      private
+
+      def construct_session(shop)
+        return unless shop
+
+        ShopifyAPI::Session.new(
+          domain: shop.shopify_domain,
+          token: shop.shopify_token,
+          api_version: shop.api_version,
+        )
       end
     end
   end

data/lib/shopify_app/session/user_session_storage.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   module UserSessionStorage
     extend ActiveSupport::Concern
@@ -17,14 +18,24 @@ module ShopifyApp
       end
 
       def retrieve(id)
-        return unless id
-        if user = find_by(id: id)
-          ShopifyAPI::Session.new(
-            domain: user.shopify_domain,
-            token: user.shopify_token,
-            api_version: user.api_version
-          )
-        end
+        user = find_by(id: id)
+        construct_session(user)
+      end
+
+      def retrieve_by_shopify_user_id(user_id)
+        user = find_by(shopify_user_id: user_id)
+        construct_session(user)
+      end
+
+      private
+
+      def construct_session(user)
+        return unless user
+        ShopifyAPI::Session.new(
+          domain: user.shopify_domain,
+          token: user.shopify_token,
+          api_version: user.api_version,
+        )
       end
     end
   end

data/lib/shopify_app/test_helpers/all.rb

@@ -0,0 +1 @@
+require 'shopify_app/test_helpers/webhook_verification_helper'

data/lib/shopify_app/test_helpers/webhook_verification_helper.rb

@@ -0,0 +1,16 @@
+module ShopifyApp
+  module TestHelpers
+    module WebhookVerificationHelper
+      def authorized_webhook_verification_headers!(params = {})
+        digest = OpenSSL::Digest.new('sha256')
+        secret = ShopifyApp.configuration.secret
+        valid_hmac = Base64.encode64(OpenSSL::HMAC.digest(digest, secret, params.to_query)).strip
+        @request.headers['HTTP_X_SHOPIFY_HMAC_SHA256'] = valid_hmac
+      end
+
+      def unauthorized_webhook_verification_headers!(params = {})
+        @request.headers['HTTP_X_SHOPIFY_HMAC_SHA256'] = "invalid_hmac"
+      end
+    end
+  end
+end

data/lib/shopify_app/utils.rb

@@ -1,13 +1,14 @@
+# frozen_string_literal: true
 module ShopifyApp
   module Utils
-
     def self.sanitize_shop_domain(shop_domain)
+      myshopify_domain = ShopifyApp.configuration.myshopify_domain
       name = shop_domain.to_s.downcase.strip
-      name += ".#{ShopifyApp.configuration.myshopify_domain}" if !name.include?("#{ShopifyApp.configuration.myshopify_domain}") && !name.include?(".")
+      name += ".#{myshopify_domain}" if !name.include?(myshopify_domain.to_s) && !name.include?(".")
       name.sub!(%r|https?://|, '')
 
       u = URI("http://#{name}")
-      u.host if u.host&.match(/^[a-z0-9][a-z0-9\-]*[a-z0-9]\.#{Regexp.escape(ShopifyApp.configuration.myshopify_domain)}$/)
+      u.host if u.host&.match(/^[a-z0-9][a-z0-9\-]*[a-z0-9]\.#{Regexp.escape(myshopify_domain)}$/)
     rescue URI::InvalidURIError
       nil
     end
@@ -16,8 +17,8 @@ module ShopifyApp
       Rails.logger.info("[ShopifyAPI::ApiVersion] Fetching known Admin API Versions from Shopify...")
       ShopifyAPI::ApiVersion.fetch_known_versions
       Rails.logger.info("[ShopifyAPI::ApiVersion] Known API Versions: #{ShopifyAPI::ApiVersion.versions.keys}")
-      rescue ActiveResource::ConnectionError
-        logger.error( "[ShopifyAPI::ApiVersion] Unable to fetch api_versions from Shopify")
+    rescue ActiveResource::ConnectionError
+      logger.error("[ShopifyAPI::ApiVersion] Unable to fetch api_versions from Shopify")
     end
   end
 end

data/lib/shopify_app/version.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
-  VERSION = '13.0.0'.freeze
+  VERSION = '13.0.1'
 end

data/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "12.0.2",
+  "version": "13.0.0",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {
@@ -1332,9 +1332,9 @@
       }
     },
     "acorn": {
-      "version": "6.3.0",
-      "resolved": "https://registry.npmjs.org/acorn/-/acorn-6.3.0.tgz",
-      "integrity": "sha512-/czfa8BwS88b9gWQVhc8eknunSA2DoJpJyTQkhheIf5E48u1N0R4q/YxxsAeqRrmK9TQ/uYfgLDfZo91UlANIA==",
+      "version": "6.4.1",
+      "resolved": "https://registry.npmjs.org/acorn/-/acorn-6.4.1.tgz",
+      "integrity": "sha512-ZVA9k326Nwrj3Cj9jlh3wGFutC2ZornPNARZwsNYqQYgN0EsV2d53w5RN/co65Ohn4sUAUtb1rSUAOD6XN9idA==",
       "dev": true
     },
     "after": {

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "13.0.0",
+  "version": "13.0.1",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

data/shopify_app.gemspec

@@ -1,4 +1,5 @@
-$LOAD_PATH.push File.expand_path('../lib', __FILE__)
+# frozen_string_literal: true
+$LOAD_PATH.push(File.expand_path('../lib', __FILE__))
 require "shopify_app/version"
 
 Gem::Specification.new do |s|
@@ -6,14 +7,17 @@ Gem::Specification.new do |s|
   s.version     = ShopifyApp::VERSION
   s.platform    = Gem::Platform::RUBY
   s.author      = "Shopify"
-  s.summary     = %q{This gem is used to get quickly started with the Shopify API}
+  s.summary     = 'This gem is used to get quickly started with the Shopify API'
 
   s.required_ruby_version = ">= 2.3.1"
 
+  s.metadata['allowed_push_host'] = 'https://rubygems.org'
+
   s.add_runtime_dependency('browser_sniffer', '~> 1.2.0')
   s.add_runtime_dependency('rails', '> 5.2.1')
   s.add_runtime_dependency('shopify_api', '~> 9.0.2')
   s.add_runtime_dependency('omniauth-shopify-oauth2', '~> 2.2.2')
+  s.add_runtime_dependency('jwt', '~> 2.2.1')
 
   s.add_development_dependency('rake')
   s.add_development_dependency('byebug')
@@ -26,7 +30,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency('mocha')
   s.add_development_dependency('webmock')
 
-  s.files         = `git ls-files`.split("\n").reject { |f| f.match(%r{^(test|example)/}) }
-  s.test_files    = `git ls-files -- {test}/*`.split("\n")
+  s.files         = %x(git ls-files).split("\n").reject { |f| f.match(%r{^(test|example)/}) }
+  s.test_files    = %x(git ls-files -- {test}/*).split("\n")
   s.require_paths = ["lib"]
 end