shopify_app 13.0.0 → 13.3.0

data/app/controllers/concerns/shopify_app/require_known_shop.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module RequireKnownShop
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :check_shop_domain
+      before_action :check_shop_known
+    end
+
+    def current_shopify_domain
+      return if params[:shop].blank?
+      @shopify_domain ||= ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
+    end
+
+    private
+
+    def check_shop_domain
+      redirect_to(ShopifyApp.configuration.login_url) unless current_shopify_domain
+    end
+
+    def check_shop_known
+      @shop = SessionRepository.retrieve_shop_session_by_shopify_domain(current_shopify_domain)
+      redirect_to(shop_login) unless @shop
+    end
+
+    def shop_login
+      url = URI(ShopifyApp.configuration.login_url)
+
+      url.query = URI.encode_www_form(
+        shop: params[:shop],
+        return_to: request.fullpath,
+      )
+
+      url.to_s
+    end
+  end
+end

data/app/controllers/shopify_app/authenticated_controller.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class AuthenticatedController < ActionController::Base
     include ShopifyApp::Authenticated

data/app/controllers/shopify_app/callback_controller.rb

@@ -6,10 +6,22 @@ module ShopifyApp
     include ShopifyApp::LoginProtection
 
     def callback
-      if auth_hash
-        login_shop
+      unless auth_hash
+        return respond_with_error
+      end
+
+      if jwt_request? && !valid_jwt_auth?
+        return respond_with_error
+      end
+
+      if jwt_request?
+        set_shopify_session
+        head(:ok)
+      else
+        reset_session_options
+        set_shopify_session
 
-        if ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
+        if redirect_for_user_token?
           return redirect_to(login_url_with_optional_shop)
         end
 
@@ -17,18 +29,31 @@ module ShopifyApp
         install_scripttags
         perform_after_authenticate_job
 
-        redirect_to return_address
+        redirect_to(return_address)
+      end
+    end
+
+    private
+
+    def respond_with_error
+      if jwt_request?
+        head(:unauthorized)
       else
         flash[:error] = I18n.t('could_not_log_in')
         redirect_to(login_url_with_optional_shop)
       end
     end
 
-    private
+    def redirect_for_user_token?
+      ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
+    end
 
-    def login_shop
-      reset_session_options
-      set_shopify_session
+    def jwt_request?
+      jwt_shopify_domain || jwt_shopify_user_id
+    end
+
+    def valid_jwt_auth?
+      auth_hash && jwt_shopify_domain == shop_name && jwt_shopify_user_id == associated_user_id
     end
 
     def auth_hash
@@ -45,6 +70,10 @@ module ShopifyApp
       auth_hash['extra']['associated_user']
     end
 
+    def associated_user_id
+      associated_user && associated_user['id']
+    end
+
     def token
       auth_hash['credentials']['token']
     end
@@ -63,9 +92,11 @@ module ShopifyApp
 
       session[:shopify_user] = associated_user
       if session[:shopify_user].present?
+        session[:shop_id] = nil if shop_session && shop_session.domain != shop_name
         session[:user_id] = ShopifyApp::SessionRepository.store_user_session(session_store, associated_user)
       else
         session[:shop_id] = ShopifyApp::SessionRepository.store_shop_session(session_store)
+        session[:user_id] = nil if user_session && user_session.domain != shop_name
       end
       session[:shopify_domain] = shop_name
       session[:user_session] = auth_hash&.extra&.session

data/app/controllers/shopify_app/extension_verification_controller.rb

@@ -2,19 +2,14 @@
 
 module ShopifyApp
   class ExtensionVerificationController < ActionController::Base
+    include ShopifyApp::PayloadVerification
     protect_from_forgery with: :null_session
     before_action :verify_request
 
     private
 
     def verify_request
-      hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
-      request_body = request.body.read
-      secret = ShopifyApp.configuration.secret
-      digest = OpenSSL::Digest.new('sha256')
-
-      expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
-      head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
+      head(:unauthorized) unless hmac_valid?(request.body.read)
     end
   end
 end

data/app/controllers/shopify_app/sessions_controller.rb

@@ -1,5 +1,6 @@
+# frozen_string_literal: true
 module ShopifyApp
-  class SessionsController < ActionController::Base # rubocop:disable Metrics/ClassLength
+  class SessionsController < ActionController::Base
     include ShopifyApp::LoginProtection
 
     layout false, only: :new
@@ -29,7 +30,7 @@ module ShopifyApp
           shop: sanitized_shop_name,
           return_to: params[:return_to]
         ),
-        current_shopify_domain: current_shopify_domain
+        current_shopify_domain: current_shopify_domain,
       })
     end
 
@@ -91,6 +92,7 @@ module ShopifyApp
       end
     end
 
+    # rubocop:disable Lint/SuppressedException
     def set_user_tokens_option
       if shop_session.blank?
         session[:user_tokens] = false
@@ -110,6 +112,7 @@ module ShopifyApp
       session[:user_tokens] = false
     rescue StandardError
     end
+    # rubocop:enable Lint/SuppressedException
 
     def validate_shop_presence
       @shop = sanitized_shop_name
@@ -122,12 +125,12 @@ module ShopifyApp
     end
 
     def copy_return_to_param_to_session
-      session[:return_to] = params[:return_to] if params[:return_to]
+      session[:return_to] = RedirectSafely.make_safe(params[:return_to], '/') if params[:return_to]
     end
 
     def render_invalid_shop_error
       flash[:error] = I18n.t('invalid_shop_url')
-      redirect_to return_address
+      redirect_to(return_address)
     end
 
     def enable_cookie_access
@@ -138,7 +141,7 @@ module ShopifyApp
     end
 
     def authenticate_in_context
-      redirect_to "#{main_app.root_path}auth/shopify"
+      redirect_to("#{main_app.root_path}auth/shopify")
     end
 
     def authenticate_at_top_level
@@ -173,7 +176,7 @@ module ShopifyApp
             shop: sanitized_shop_name,
             return_to: session[:return_to]
           ),
-          current_shopify_domain: current_shopify_domain
+          current_shopify_domain: current_shopify_domain,
         }
       )
     end

data/app/controllers/shopify_app/webhooks_controller.rb

@@ -1,14 +1,15 @@
+# frozen_string_literal: true
 module ShopifyApp
+  class MissingWebhookJobError < StandardError; end
+
   class WebhooksController < ActionController::Base
     include ShopifyApp::WebhookVerification
 
-    class ShopifyApp::MissingWebhookJobError < StandardError; end
-
     def receive
       params.permit!
-      job_args = {shop_domain: shop_domain, webhook: webhook_params.to_h}
+      job_args = { shop_domain: shop_domain, webhook: webhook_params.to_h }
       webhook_job_klass.perform_later(job_args)
-      head :no_content
+      head(:ok)
     end
 
     private
@@ -18,7 +19,7 @@ module ShopifyApp
     end
 
     def webhook_job_klass
-      webhook_job_klass_name.safe_constantize or raise ShopifyApp::MissingWebhookJobError
+      webhook_job_klass_name.safe_constantize || raise(ShopifyApp::MissingWebhookJobError)
     end
 
     def webhook_job_klass_name(type = webhook_type)

data/config/locales/fi.yml

@@ -15,6 +15,6 @@ fi:
   top_level_interaction_action: Jatka
   request_storage_access_heading: "%{app} edellyttää evästeiden käyttöä"
   request_storage_access_body: Näin sovellus voi todentaa sinut tallentamalla henkilötietosi
-    tilapäisesti. Napsauta Jatka ja salli evästeet sovelluksen käyttämiseksi.
+    tilapäisesti. Klikkaa Jatka ja salli evästeet sovelluksen käyttämiseksi.
   request_storage_access_footer: Evästeet vanhenevat 30 päivän kuluttua.
   request_storage_access_action: Jatka

data/config/locales/nl.yml

@@ -1,20 +1,20 @@
 ---
 nl:
-  logged_out: u bent afgemeld
+  logged_out: Je bent afgemeld
   could_not_log_in: Kon niet aanmelden bij Shopify-winkel
   invalid_shop_url: Ongeldig winkeldomein
   enable_cookies_heading: Schakel cookies in van %{app}
-  enable_cookies_body: U moet cookies in deze browser handmatig inschakelen om %{app}
+  enable_cookies_body: Je moet cookies in deze browser handmatig inschakelen om %{app}
     binnen Shopify te gebruiken.
-  enable_cookies_footer: Met cookies kan de app u verifiëren door uw voorkeuren en
+  enable_cookies_footer: Met cookies kan de app je verifiëren door je voorkeuren en
     persoonlijke informatie tijdelijk op te slaan. Ze vervallen na 30 dagen.
   enable_cookies_action: Schakel cookies in
-  top_level_interaction_heading: Uw browser moet %{app} verifiëren
-  top_level_interaction_body: Uw browser heeft apps nodig zoals %{app} om u toegang
-    te vragen tot cookies voordat Shopify het voor u kan openen.
+  top_level_interaction_heading: Je browser moet %{app} verifiëren
+  top_level_interaction_body: Je browser heeft apps nodig zoals %{app} om je toegang
+    te vragen tot cookies voordat Shopify het voor je kan openen.
   top_level_interaction_action: Doorgaan
   request_storage_access_heading: "%{app} heeft toegang tot cookies nodig"
-  request_storage_access_body: Hiermee kan de app u verifiëren door uw persoonlijke
+  request_storage_access_body: Hiermee kan de app je verifiëren door je persoonlijke
     gegevens tijdelijk op te slaan. Klik op Doorgaan en sta cookies toe om de app
     te gebruiken.
   request_storage_access_footer: Cookies verlopen na 30 dagen.

data/config/routes.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 ShopifyApp::Engine.routes.draw do
   controller :sessions do
     get 'login' => :new, :as => :login

data/docs/Quickstart.md

@@ -1,7 +1,8 @@
 Quickstart
 ==========
 
-Get started building and deploying a new Shopify App to Heroku in just a few minutes. This guide assumes you have Ruby/Rails installed on your computer already; if you haven't done that already start with [this guide.](https://guides.rubyonrails.org/v5.0/getting_started.html#installing-rails)
+Get started building and deploying a new Shopify App to Heroku in just a few minutes.
+This guide assumes you have Ruby, Rails and PostgreSQL installed on your computer already; if you haven't done that already start with [this guide.](https://guides.rubyonrails.org/v5.0/getting_started.html#installing-rails)
 
 1. New Rails App (with postgres)
 --------------------------------
@@ -26,15 +27,6 @@ Head to the Heroku dashboard and create a new app, or run the following commands
 CLI:
 ```sh
 $ heroku create name
-$ heroku git:remote -a name
-```
-
-Once you have created an app on Heroku, we need to let Git know where the Heroku server is so we can deploy to it later. Copy the app's name from your Heroku dashboard and substitute `appname.git` with the name you chose earlier:
-
-web:
-```sh
-# https://dashboard.heroku.com/new
-$ git remote add heroku git@heroku.com:appname.git
 ```
 
 3. Create a new App in the Shopify Partner dashboard
@@ -64,14 +56,13 @@ Generate the code for your app by running these commands:
 
 ```sh
 # Use the keys from your app you created in the partners area
-$ rails generate shopify_app --api_key <shopify_api_key> --secret <shopify_api_secret>
+$ rails generate shopify_app
 $ git add .
 $ git commit -m 'generated shopify app'
 ```
 
-If you forget to set your keys or redirect uri above, you will find them in the shopify_app initializer at: `/config/initializers/shopify_app.rb`.
-
-We recommend adding a gem or utilizing environment variables (`.env`) to handle your keys before releasing your app. [Learn more about using environment variables.](https://www.honeybadger.io/blog/ruby-guide-environment-variables/)
+Your API key and secret are read from environment variables. Refer to the main
+README for further details on how to set this up.
 
 6. Deploy your app
 ---------

data/docs/Releasing.md

@@ -3,6 +3,7 @@ Releasing ShopifyApp
 1. Check the Semantic Versioning page for info on how to version the new release: http://semver.org
 2. Create a pull request with the following changes:
   * Update the version of ShopifyApp in lib/shopify_app/version.rb
+  * Update the version of shopify_app in package.json
   * Add a CHANGELOG entry for the new release with the date
   * Change the title of the PR to something like: "Packaging for release X.Y.Z"
 3. Merge your pull request

data/lib/generators/shopify_app/add_after_authenticate_job/add_after_authenticate_job_generator.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'rails/generators/base'
 
 module ShopifyApp
@@ -6,7 +7,7 @@ module ShopifyApp
       source_root File.expand_path('../templates', __FILE__)
 
       hook_for :test_framework, as: :job, in: :rails do |instance, generator|
-        instance.invoke generator, [ instance.send(:job_file_name) ]
+        instance.invoke(generator, [instance.send(:job_file_name)])
       end
 
       def init_after_authenticate_config
@@ -23,12 +24,13 @@ module ShopifyApp
         )
 
         unless initializer.include?(after_authenticate_job_config)
-          shell.say("Error adding after_authenticate_job to config. Add this line manually: #{after_authenticate_job_config}", :red)
+          shell.say("Error adding after_authenticate_job to config. Add this line manually: "\
+                    "#{after_authenticate_job_config}", :red)
         end
       end
 
       def add_after_authenticate_job
-        template 'after_authenticate_job.rb', "app/jobs/#{job_file_name}_job.rb"
+        template('after_authenticate_job.rb', "app/jobs/#{job_file_name}_job.rb")
       end
 
       private

data/lib/generators/shopify_app/add_after_authenticate_job/templates/after_authenticate_job.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module Shopify
   class AfterAuthenticateJob < ActiveJob::Base
     def perform(shop_domain:)

data/lib/generators/shopify_app/add_marketing_activity_extension/add_marketing_activity_extension_generator.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'rails/generators/base'
 
 module ShopifyApp
@@ -6,7 +7,7 @@ module ShopifyApp
       source_root File.expand_path('../templates', __FILE__)
 
       def generate_app_extension
-        template "marketing_activities_controller.rb", "app/controllers/marketing_activities_controller.rb"
+        template("marketing_activities_controller.rb", "app/controllers/marketing_activities_controller.rb")
         generate_routes
       end
 

data/lib/generators/shopify_app/add_marketing_activity_extension/templates/marketing_activities_controller.rb

@@ -3,7 +3,7 @@
 class MarketingActivitiesController < ShopifyApp::ExtensionVerificationController
   def preload_form_data
     preload_data = {
-      "form_data": {}
+      "form_data": {},
     }
     render(json: preload_data, status: :ok)
   end
@@ -31,14 +31,14 @@ class MarketingActivitiesController < ShopifyApp::ExtensionVerificationControlle
         "preview_url": placeholder_img,
         "content_type": "text/html",
         "width": 360,
-        "height": 200
+        "height": 200,
       },
       "mobile": {
         "preview_url": placeholder_img,
         "content_type": "text/html",
         "width": 360,
-        "height": 200
-      }
+        "height": 200,
+      },
     }
     render(json: preview_response, status: :ok)
   end

data/lib/generators/shopify_app/add_webhook/add_webhook_generator.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'rails/generators/base'
 
 module ShopifyApp
@@ -8,7 +9,7 @@ module ShopifyApp
       class_option :address, type: :string, aliases: "-a", required: true
 
       hook_for :test_framework, as: :job, in: :rails do |instance, generator|
-        instance.invoke generator, [ instance.send(:job_file_name) ]
+        instance.invoke(generator, [instance.send(:job_file_name)])
       end
 
       def init_webhook_config
@@ -32,14 +33,14 @@ module ShopifyApp
         initializer = load_initializer
 
         unless initializer.include?(webhook_config)
-          shell.say "Error adding webhook to config. Add this line manually: #{webhook_config}", :red
+          shell.say("Error adding webhook to config. Add this line manually: #{webhook_config}", :red)
         end
       end
 
       def add_webhook_job
         @job_file_name = job_file_name + '_job'
-        @job_class_name  = @job_file_name.classify
-        template 'webhook_job.rb', "app/jobs/#{@job_file_name}.rb"
+        @job_class_name = @job_file_name.classify
+        template('webhook_job.rb', "app/jobs/#{@job_file_name}.rb")
       end
 
       private