shopify_app 13.0.0 → 13.3.0

data/lib/shopify_app/controller_concerns/app_proxy_verification.rb

@@ -1,14 +1,14 @@
+# frozen_string_literal: true
 module ShopifyApp
   module AppProxyVerification
     extend ActiveSupport::Concern
-
     included do
       skip_before_action :verify_authenticity_token, raise: false
       before_action :verify_proxy_request
     end
 
     def verify_proxy_request
-      return head :forbidden unless query_string_valid?(request.query_string)
+      return head(:forbidden) unless query_string_valid?(request.query_string)
     end
 
     private
@@ -26,7 +26,7 @@ module ShopifyApp
     end
 
     def calculated_signature(query_hash_without_signature)
-      sorted_params = query_hash_without_signature.collect{|k,v| "#{k}=#{Array(v).join(',')}"}.sort.join
+      sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(',')}" }.sort.join
 
       OpenSSL::HMAC.hexdigest(
         OpenSSL::Digest.new('sha256'),

data/lib/shopify_app/controller_concerns/embedded_app.rb

@@ -1,11 +1,12 @@
+# frozen_string_literal: true
 module ShopifyApp
   module EmbeddedApp
     extend ActiveSupport::Concern
 
     included do
       if ShopifyApp.configuration.embedded_app?
-        after_action :set_esdk_headers
-        layout 'embedded_app'
+        after_action(:set_esdk_headers)
+        layout('embedded_app')
       end
     end
 

data/lib/shopify_app/controller_concerns/localization.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   module Localization
     extend ActiveSupport::Concern

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -11,7 +11,7 @@ module ShopifyApp
 
     included do
       after_action :set_test_cookie
-      rescue_from ActiveResource::UnauthorizedAccess, :with => :close_session
+      rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
     end
 
     def activate_shopify_session
@@ -27,20 +27,38 @@ module ShopifyApp
     end
 
     def current_shopify_session
-      if session[:user_id].present?
-        @current_shopify_session ||= user_session
-      else
-        @current_shopify_session ||= shop_session
+      @current_shopify_session ||= begin
+        user_session || shop_session
       end
     end
 
     def user_session
-      return if session[:user_id].blank?
+      user_session_by_jwt || user_session_by_cookie
+    end
+
+    def user_session_by_jwt
+      return unless ShopifyApp.configuration.allow_jwt_authentication
+      return unless jwt_shopify_user_id
+      ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(jwt_shopify_user_id)
+    end
+
+    def user_session_by_cookie
+      return unless session[:user_id].present?
       ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
     end
 
     def shop_session
-      return if session[:shop_id].blank?
+      shop_session_by_jwt || shop_session_by_cookie
+    end
+
+    def shop_session_by_jwt
+      return unless ShopifyApp.configuration.allow_jwt_authentication
+      return unless jwt_shopify_domain
+      ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(jwt_shopify_domain)
+    end
+
+    def shop_session_by_cookie
+      return unless session[:shop_id].present?
       ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
     end
 
@@ -50,7 +68,9 @@ module ShopifyApp
 
       end
 
-      if current_shopify_session && params[:shop] && params[:shop].is_a?(String) && (current_shopify_session.domain != params[:shop])
+      if current_shopify_session &&
+        params[:shop] && params[:shop].is_a?(String) &&
+        (current_shopify_session.domain != params[:shop])
         clear_session = true
       end
 
@@ -62,9 +82,17 @@ module ShopifyApp
 
     protected
 
+    def jwt_shopify_domain
+      request.env['jwt.shopify_domain']
+    end
+
+    def jwt_shopify_user_id
+      request.env['jwt.shopify_user_id']
+    end
+
     def redirect_to_login
       if request.xhr?
-        head :unauthorized
+        head(:unauthorized)
       else
         if request.get?
           path = request.path
@@ -74,7 +102,7 @@ module ShopifyApp
           path = referer.path
           query = "#{referer.query}&#{sanitized_params.to_query}"
         end
-        session[:return_to] = "#{path}?#{query}"
+        session[:return_to] = query.blank? ? path.to_s : "#{path}?#{query}"
         redirect_to(login_url_with_optional_shop)
       end
     end
@@ -105,7 +133,7 @@ module ShopifyApp
       query_params = {}
       query_params[:shop] = sanitized_params[:shop] if params[:shop].present?
 
-      return_to = session[:return_to] || params[:return_to]
+      return_to = RedirectSafely.make_safe(session[:return_to] || params[:return_to], nil)
 
       if return_to.present? && return_to_param_required?
         query_params[:return_to] = return_to
@@ -128,14 +156,18 @@ module ShopifyApp
 
     def fullpage_redirect_to(url)
       if ShopifyApp.configuration.embedded_app?
-        render 'shopify_app/shared/redirect', layout: false, locals: { url: url, current_shopify_domain: current_shopify_domain }
+        render('shopify_app/shared/redirect', layout: false,
+               locals: { url: url, current_shopify_domain: current_shopify_domain })
       else
-        redirect_to url
+        redirect_to(url)
       end
     end
 
     def current_shopify_domain
-      shopify_domain = sanitized_shop_name || session[:shopify_domain]
+      shopify_domain = sanitized_shop_name ||
+        jwt_shopify_domain ||
+        session[:shopify_domain]
+
       return shopify_domain if shopify_domain.present?
 
       raise ShopifyDomainNotFound
@@ -170,11 +202,16 @@ module ShopifyApp
     end
 
     def return_address
+      return base_return_address unless ShopifyApp.configuration.allow_jwt_authentication
+      return_address_with_params(shop: current_shopify_domain)
+    end
+
+    def base_return_address
       session.delete(:return_to) || ShopifyApp.configuration.root_url
     end
 
     def return_address_with_params(params)
-      uri = URI(return_address)
+      uri = URI(base_return_address)
       uri.query = CGI.parse(uri.query.to_s)
         .symbolize_keys
         .transform_values { |v| v.one? ? v.first : v }

data/lib/shopify_app/controller_concerns/payload_verification.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module PayloadVerification
+    extend ActiveSupport::Concern
+
+    private
+
+    def shopify_hmac
+      request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
+    end
+
+    def hmac_valid?(data)
+      secrets = [ShopifyApp.configuration.secret, ShopifyApp.configuration.old_secret].reject(&:blank?)
+
+      secrets.any? do |secret|
+        digest = OpenSSL::Digest.new('sha256')
+        ActiveSupport::SecurityUtils.secure_compare(
+          shopify_hmac,
+          Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, data))
+        )
+      end
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/webhook_verification.rb

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
 module ShopifyApp
   module WebhookVerification
     extend ActiveSupport::Concern
+    include ShopifyApp::PayloadVerification
 
     included do
       skip_before_action :verify_authenticity_token, raise: false
@@ -11,28 +13,11 @@ module ShopifyApp
 
     def verify_request
       data = request.raw_post
-      return head :unauthorized unless hmac_valid?(data)
-    end
-
-    def hmac_valid?(data)
-      secrets = [ShopifyApp.configuration.secret, ShopifyApp.configuration.old_secret].reject(&:blank?)
-
-      secrets.any? do |secret|
-        digest = OpenSSL::Digest.new('sha256')
-
-        ActiveSupport::SecurityUtils.secure_compare(
-          shopify_hmac,
-          Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, data))
-        )
-      end
+      return head(:unauthorized) unless hmac_valid?(data)
     end
 
     def shop_domain
       request.headers['HTTP_X_SHOPIFY_SHOP_DOMAIN']
     end
-
-    def shopify_hmac
-      request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
-    end
   end
 end

data/lib/shopify_app/engine.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class Engine < Rails::Engine
     engine_name 'shopify_app'
@@ -15,6 +16,10 @@ module ShopifyApp
 
     initializer "shopify_app.middleware" do |app|
       app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::SameSiteCookieMiddleware)
+
+      if ShopifyApp.configuration.allow_jwt_authentication
+        app.config.middleware.insert_after(ShopifyApp::SameSiteCookieMiddleware, ShopifyApp::JWTMiddleware)
+      end
     end
   end
 end

data/lib/shopify_app/jobs/scripttags_manager_job.rb

@@ -1,6 +1,6 @@
+# frozen_string_literal: true
 module ShopifyApp
   class ScripttagsManagerJob < ActiveJob::Base
-
     queue_as do
       ShopifyApp.configuration.scripttags_manager_queue_name
     end

data/lib/shopify_app/jobs/webhooks_manager_job.rb

@@ -1,6 +1,6 @@
+# frozen_string_literal: true
 module ShopifyApp
   class WebhooksManagerJob < ActiveJob::Base
-
     queue_as do
       ShopifyApp.configuration.webhooks_manager_queue_name
     end

data/lib/shopify_app/managers/scripttags_manager.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class ScripttagsManager
     class CreationFailed < StandardError; end
@@ -43,7 +44,7 @@ module ShopifyApp
     def destroy_scripttags
       scripttags = expanded_scripttags
       ShopifyAPI::ScriptTag.all.each do |tag|
-        ShopifyAPI::ScriptTag.delete(tag.id) if is_required_scripttag?(scripttags, tag)
+        ShopifyAPI::ScriptTag.delete(tag.id) if required_scripttag?(scripttags, tag)
       end
 
       @current_scripttags = nil
@@ -55,8 +56,8 @@ module ShopifyApp
       self.class.build_src(required_scripttags, shop_domain)
     end
 
-    def is_required_scripttag?(scripttags, tag)
-      scripttags.map{ |w| w[:src] }.include? tag.src
+    def required_scripttag?(scripttags, tag)
+      scripttags.map { |w| w[:src] }.include?(tag.src)
     end
 
     def create_scripttag(attributes)

data/lib/shopify_app/managers/webhooks_manager.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class WebhooksManager
     class CreationFailed < StandardError; end
@@ -31,7 +32,7 @@ module ShopifyApp
 
     def destroy_webhooks
       ShopifyAPI::Webhook.all.to_a.each do |webhook|
-        ShopifyAPI::Webhook.delete(webhook.id) if is_required_webhook?(webhook)
+        ShopifyAPI::Webhook.delete(webhook.id) if required_webhook?(webhook)
       end
 
       @current_webhooks = nil
@@ -39,8 +40,8 @@ module ShopifyApp
 
     private
 
-    def is_required_webhook?(webhook)
-      required_webhooks.map{ |w| w[:address] }.include? webhook.address
+    def required_webhook?(webhook)
+      required_webhooks.map { |w| w[:address] }.include?(webhook.address)
     end
 
     def create_webhook(attributes)

data/lib/shopify_app/middleware/jwt_middleware.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class JWTMiddleware
+    TOKEN_REGEX = /^Bearer\s+(.*?)$/
+
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      return call_next(env) unless authorization_header(env)
+
+      token = extract_token(env)
+      return call_next(env) unless token
+
+      set_env_variables(token, env)
+      call_next(env)
+    end
+
+    private
+
+    def call_next(env)
+      @app.call(env)
+    end
+
+    def authorization_header(env)
+      env['HTTP_AUTHORIZATION']
+    end
+
+    def extract_token(env)
+      match = authorization_header(env).match(TOKEN_REGEX)
+      match && match[1]
+    end
+
+    def set_env_variables(token, env)
+      jwt = ShopifyApp::JWT.new(token)
+
+      env['jwt.shopify_domain'] = jwt.shopify_domain
+      env['jwt.shopify_user_id'] = jwt.shopify_user_id
+    end
+  end
+end

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class SameSiteCookieMiddleware
     COOKIE_SEPARATOR = "\n"
@@ -19,7 +20,7 @@ module ShopifyApp
           .split(COOKIE_SEPARATOR)
           .compact
           .map do |cookie|
-            cookie << '; Secure' if not cookie =~ /;\s*secure/i
+            cookie << '; Secure' unless cookie =~ /;\s*secure/i
             cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
             cookie
           end

data/lib/shopify_app/session/in_memory_session_store.rb

@@ -1,4 +1,7 @@
+# frozen_string_literal: true
 module ShopifyApp
+  # rubocop:disable Style/ClassVars
+  # Class var repo is needed here in order to share data between the 2 child classes.
   class InMemorySessionStore
     class EnvironmentError < StandardError; end
 
@@ -6,7 +9,7 @@ module ShopifyApp
       repo[id]
     end
 
-    def self.store(session, *args)
+    def self.store(session, *_args)
       id = SecureRandom.uuid
       repo[id] = session
       id
@@ -18,10 +21,11 @@ module ShopifyApp
 
     def self.repo
       if Rails.env.production?
-        raise EnvironmentError.new("Cannot use InMemorySessionStore in a Production environment. \
-          Please initialize ShopifyApp with a model that can store and retrieve sessions")
+        raise EnvironmentError, "Cannot use InMemorySessionStore in a Production environment. \
+          Please initialize ShopifyApp with a model that can store and retrieve sessions"
       end
       @@repo ||= {}
     end
   end
+  # rubocop:enable Style/ClassVars
 end

data/lib/shopify_app/session/in_memory_shop_session_store.rb

@@ -1,4 +1,14 @@
+# frozen_string_literal: true
 module ShopifyApp
   class InMemoryShopSessionStore < InMemorySessionStore
+    def self.store(session, *args)
+      id = super
+      repo[session.domain] = session
+      id
+    end
+
+    def self.retrieve_by_shopify_domain(shopify_domain)
+      repo[shopify_domain]
+    end
   end
 end

data/lib/shopify_app/session/in_memory_user_session_store.rb

@@ -1,4 +1,14 @@
+# frozen_string_literal: true
 module ShopifyApp
   class InMemoryUserSessionStore < InMemorySessionStore
+    def self.store(session, user)
+      id = super
+      repo[user.shopify_user_id] = session
+      id
+    end
+
+    def self.retrieve_by_shopify_user_id(user_id)
+      repo[user_id]
+    end
   end
 end