shopify_app 13.0.0 → 14.0.0

data/Rakefile

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'bundler/gem_tasks'
 require 'rake/testtask'
 

data/SECURITY.md

@@ -0,0 +1,59 @@
+# Security Policy
+
+## Supported versions
+
+### New features
+
+New features will only be added to the master branch and will not be made available in point releases.
+
+### Bug fixes
+
+Only the latest release series will receive bug fixes. When enough bugs are fixed and its deemed worthy to release a new gem, this is the branch it happens from.
+
+### Security issues
+
+Only the latest release series will receive patches and new versions in case of a security issue.
+
+### Severe security issues
+
+For severe security issues we will provide new versions as above, and also the last major release series will receive patches and new versions. The classification of the security issue is judged by the core team.
+
+### Unsupported Release Series
+
+When a release series is no longer supported, it's your own responsibility to deal with bugs and security issues. If you are not comfortable maintaining your own versions, you should upgrade to a supported version.
+
+## Reporting a bug
+
+All security bugs in shopify repositories should be reported to [our hackerone program](https://hackerone.com/shopify)
+Shopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the In Scope properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly your-store.myshopify.com/admin) and certain ancillary applications.
+
+## Disclosure Policy
+
+We look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:
+
+- Reply to all reports within one business day and triage within two business days (if applicable)
+- Be as transparent as possible, answering all inquires about our report decisions and adding hackers to duplicate HackerOne reports
+- Award bounties within a week of resolution (excluding extenuating circumstances)
+- Only close reports as N/A when the issue reported is included in Known Issues, Ineligible Vulnerabilities Types or lacks evidence of a vulnerability
+
+**The following rules must be followed in order for any rewards to be paid:**
+
+- You may only test against shops you have created which include your HackerOne YOURHANDLE @ wearehackerone.com registered email address.
+- You must not attempt to gain access to, or interact with, any shops other than those created by you.
+- The use of commercial scanners is prohibited (e.g., Nessus).
+- Rules for reporting must be followed.
+- Do not disclose any issues publicly before they have been resolved.
+- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.
+- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.
+- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.
+- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.
+- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.
+- All content submitted by you to Shopify under this program is licensed under the MIT License.
+- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.
+- Failure to follow any of the foregoing rules will disqualify you from participating in this program.
+
+** Please see our [Hackerone Profile](https://hackerone.com/shopify) for full details
+
+## Receiving Security Updates
+
+To recieve all general updates to vulnerabilities, please subscribe to our hackerone [Hacktivity](https://hackerone.com/shopify/hacktivity)

data/app/controllers/concerns/shopify_app/authenticated.rb

@@ -7,6 +7,7 @@ module ShopifyApp
     included do
       include ShopifyApp::Localization
       include ShopifyApp::LoginProtection
+      include ShopifyApp::CsrfProtection
       include ShopifyApp::EmbeddedApp
       before_action :login_again_if_different_user_or_shop
       around_action :activate_shopify_session

data/app/controllers/concerns/shopify_app/require_known_shop.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module RequireKnownShop
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :check_shop_domain
+      before_action :check_shop_known
+    end
+
+    def current_shopify_domain
+      return if params[:shop].blank?
+      @shopify_domain ||= ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
+    end
+
+    private
+
+    def check_shop_domain
+      redirect_to(ShopifyApp.configuration.login_url) unless current_shopify_domain
+    end
+
+    def check_shop_known
+      @shop = SessionRepository.retrieve_shop_session_by_shopify_domain(current_shopify_domain)
+      redirect_to(shop_login) unless @shop
+    end
+
+    def shop_login
+      url = URI(ShopifyApp.configuration.login_url)
+
+      url.query = URI.encode_www_form(
+        shop: params[:shop],
+        return_to: request.fullpath,
+      )
+
+      url.to_s
+    end
+  end
+end

data/app/controllers/shopify_app/authenticated_controller.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class AuthenticatedController < ActionController::Base
     include ShopifyApp::Authenticated

data/app/controllers/shopify_app/callback_controller.rb

@@ -6,10 +6,22 @@ module ShopifyApp
     include ShopifyApp::LoginProtection
 
     def callback
-      if auth_hash
-        login_shop
+      unless auth_hash
+        return respond_with_error
+      end
+
+      if jwt_request? && !valid_jwt_auth?
+        return respond_with_error
+      end
+
+      if jwt_request?
+        set_shopify_session
+        head(:ok)
+      else
+        reset_session_options
+        set_shopify_session
 
-        if ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
+        if redirect_for_user_token?
           return redirect_to(login_url_with_optional_shop)
         end
 
@@ -17,18 +29,31 @@ module ShopifyApp
         install_scripttags
         perform_after_authenticate_job
 
-        redirect_to return_address
+        redirect_to(return_address)
+      end
+    end
+
+    private
+
+    def respond_with_error
+      if jwt_request?
+        head(:unauthorized)
       else
         flash[:error] = I18n.t('could_not_log_in')
         redirect_to(login_url_with_optional_shop)
       end
     end
 
-    private
+    def redirect_for_user_token?
+      ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
+    end
 
-    def login_shop
-      reset_session_options
-      set_shopify_session
+    def jwt_request?
+      jwt_shopify_domain || jwt_shopify_user_id
+    end
+
+    def valid_jwt_auth?
+      auth_hash && jwt_shopify_domain == shop_name && jwt_shopify_user_id == associated_user_id
     end
 
     def auth_hash
@@ -40,9 +65,13 @@ module ShopifyApp
     end
 
     def associated_user
-      return unless auth_hash['extra'].present?
+      return unless auth_hash.dig('extra', 'associated_user').present?
+
+      auth_hash['extra']['associated_user'].merge('scope' => auth_hash['extra']['associated_user_scope'])
+    end
 
-      auth_hash['extra']['associated_user']
+    def associated_user_id
+      associated_user && associated_user['id']
     end
 
     def token
@@ -63,9 +92,11 @@ module ShopifyApp
 
       session[:shopify_user] = associated_user
       if session[:shopify_user].present?
+        session[:shop_id] = nil if shop_session && shop_session.domain != shop_name
         session[:user_id] = ShopifyApp::SessionRepository.store_user_session(session_store, associated_user)
       else
         session[:shop_id] = ShopifyApp::SessionRepository.store_shop_session(session_store)
+        session[:user_id] = nil if user_session && user_session.domain != shop_name
       end
       session[:shopify_domain] = shop_name
       session[:user_session] = auth_hash&.extra&.session

data/app/controllers/shopify_app/extension_verification_controller.rb

@@ -2,19 +2,14 @@
 
 module ShopifyApp
   class ExtensionVerificationController < ActionController::Base
+    include ShopifyApp::PayloadVerification
     protect_from_forgery with: :null_session
     before_action :verify_request
 
     private
 
     def verify_request
-      hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
-      request_body = request.body.read
-      secret = ShopifyApp.configuration.secret
-      digest = OpenSSL::Digest.new('sha256')
-
-      expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
-      head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
+      head(:unauthorized) unless hmac_valid?(request.body.read)
     end
   end
 end

data/app/controllers/shopify_app/sessions_controller.rb

@@ -1,5 +1,6 @@
+# frozen_string_literal: true
 module ShopifyApp
-  class SessionsController < ActionController::Base # rubocop:disable Metrics/ClassLength
+  class SessionsController < ActionController::Base
     include ShopifyApp::LoginProtection
 
     layout false, only: :new
@@ -29,7 +30,7 @@ module ShopifyApp
           shop: sanitized_shop_name,
           return_to: params[:return_to]
         ),
-        current_shopify_domain: current_shopify_domain
+        current_shopify_domain: current_shopify_domain,
       })
     end
 
@@ -91,6 +92,7 @@ module ShopifyApp
       end
     end
 
+    # rubocop:disable Lint/SuppressedException
     def set_user_tokens_option
       if shop_session.blank?
         session[:user_tokens] = false
@@ -110,6 +112,7 @@ module ShopifyApp
       session[:user_tokens] = false
     rescue StandardError
     end
+    # rubocop:enable Lint/SuppressedException
 
     def validate_shop_presence
       @shop = sanitized_shop_name
@@ -122,12 +125,12 @@ module ShopifyApp
     end
 
     def copy_return_to_param_to_session
-      session[:return_to] = params[:return_to] if params[:return_to]
+      session[:return_to] = RedirectSafely.make_safe(params[:return_to], '/') if params[:return_to]
     end
 
     def render_invalid_shop_error
       flash[:error] = I18n.t('invalid_shop_url')
-      redirect_to return_address
+      redirect_to(return_address)
     end
 
     def enable_cookie_access
@@ -138,7 +141,7 @@ module ShopifyApp
     end
 
     def authenticate_in_context
-      redirect_to "#{main_app.root_path}auth/shopify"
+      redirect_to("#{main_app.root_path}auth/shopify")
     end
 
     def authenticate_at_top_level
@@ -173,7 +176,7 @@ module ShopifyApp
             shop: sanitized_shop_name,
             return_to: session[:return_to]
           ),
-          current_shopify_domain: current_shopify_domain
+          current_shopify_domain: current_shopify_domain,
         }
       )
     end

data/app/controllers/shopify_app/webhooks_controller.rb

@@ -1,14 +1,15 @@
+# frozen_string_literal: true
 module ShopifyApp
+  class MissingWebhookJobError < StandardError; end
+
   class WebhooksController < ActionController::Base
     include ShopifyApp::WebhookVerification
 
-    class ShopifyApp::MissingWebhookJobError < StandardError; end
-
     def receive
       params.permit!
-      job_args = {shop_domain: shop_domain, webhook: webhook_params.to_h}
+      job_args = { shop_domain: shop_domain, webhook: webhook_params.to_h }
       webhook_job_klass.perform_later(job_args)
-      head :no_content
+      head(:ok)
     end
 
     private
@@ -18,7 +19,7 @@ module ShopifyApp
     end
 
     def webhook_job_klass
-      webhook_job_klass_name.safe_constantize or raise ShopifyApp::MissingWebhookJobError
+      webhook_job_klass_name.safe_constantize || raise(ShopifyApp::MissingWebhookJobError)
     end
 
     def webhook_job_klass_name(type = webhook_type)

data/config/locales/fi.yml

@@ -15,6 +15,6 @@ fi:
   top_level_interaction_action: Jatka
   request_storage_access_heading: "%{app} edellyttää evästeiden käyttöä"
   request_storage_access_body: Näin sovellus voi todentaa sinut tallentamalla henkilötietosi
-    tilapäisesti. Napsauta Jatka ja salli evästeet sovelluksen käyttämiseksi.
+    tilapäisesti. Klikkaa Jatka ja salli evästeet sovelluksen käyttämiseksi.
   request_storage_access_footer: Evästeet vanhenevat 30 päivän kuluttua.
   request_storage_access_action: Jatka

data/config/locales/nl.yml

@@ -1,20 +1,20 @@
 ---
 nl:
-  logged_out: u bent afgemeld
+  logged_out: Je bent afgemeld
   could_not_log_in: Kon niet aanmelden bij Shopify-winkel
   invalid_shop_url: Ongeldig winkeldomein
   enable_cookies_heading: Schakel cookies in van %{app}
-  enable_cookies_body: U moet cookies in deze browser handmatig inschakelen om %{app}
+  enable_cookies_body: Je moet cookies in deze browser handmatig inschakelen om %{app}
     binnen Shopify te gebruiken.
-  enable_cookies_footer: Met cookies kan de app u verifiëren door uw voorkeuren en
+  enable_cookies_footer: Met cookies kan de app je verifiëren door je voorkeuren en
     persoonlijke informatie tijdelijk op te slaan. Ze vervallen na 30 dagen.
   enable_cookies_action: Schakel cookies in
-  top_level_interaction_heading: Uw browser moet %{app} verifiëren
-  top_level_interaction_body: Uw browser heeft apps nodig zoals %{app} om u toegang
-    te vragen tot cookies voordat Shopify het voor u kan openen.
+  top_level_interaction_heading: Je browser moet %{app} verifiëren
+  top_level_interaction_body: Je browser heeft apps nodig zoals %{app} om je toegang
+    te vragen tot cookies voordat Shopify het voor je kan openen.
   top_level_interaction_action: Doorgaan
   request_storage_access_heading: "%{app} heeft toegang tot cookies nodig"
-  request_storage_access_body: Hiermee kan de app u verifiëren door uw persoonlijke
+  request_storage_access_body: Hiermee kan de app je verifiëren door je persoonlijke
     gegevens tijdelijk op te slaan. Klik op Doorgaan en sta cookies toe om de app
     te gebruiken.
   request_storage_access_footer: Cookies verlopen na 30 dagen.

data/config/routes.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 ShopifyApp::Engine.routes.draw do
   controller :sessions do
     get 'login' => :new, :as => :login

data/docs/Quickstart.md

@@ -1,7 +1,8 @@
 Quickstart
 ==========
 
-Get started building and deploying a new Shopify App to Heroku in just a few minutes. This guide assumes you have Ruby/Rails installed on your computer already; if you haven't done that already start with [this guide.](https://guides.rubyonrails.org/v5.0/getting_started.html#installing-rails)
+Get started building and deploying a new Shopify App to Heroku in just a few minutes.
+This guide assumes you have Ruby, Rails and PostgreSQL installed on your computer already; if you haven't done that already start with [this guide.](https://guides.rubyonrails.org/v5.0/getting_started.html#installing-rails)
 
 1. New Rails App (with postgres)
 --------------------------------
@@ -26,15 +27,6 @@ Head to the Heroku dashboard and create a new app, or run the following commands
 CLI:
 ```sh
 $ heroku create name
-$ heroku git:remote -a name
-```
-
-Once you have created an app on Heroku, we need to let Git know where the Heroku server is so we can deploy to it later. Copy the app's name from your Heroku dashboard and substitute `appname.git` with the name you chose earlier:
-
-web:
-```sh
-# https://dashboard.heroku.com/new
-$ git remote add heroku git@heroku.com:appname.git
 ```
 
 3. Create a new App in the Shopify Partner dashboard
@@ -48,11 +40,10 @@ $ git remote add heroku git@heroku.com:appname.git
 4. Add ShopifyApp to Gemfile
 ----------------------------
 
-Run these commands to add the `shopify_app` Gem to your app:
+Run this command to add the `shopify_app` Gem to your app:
 
 ```sh
-$ echo "gem 'shopify_app'" >> Gemfile
-$ bundle install
+$ bundle add shopify_app
 ```
 
 **Note:** we recommend using the latest version of Shopify Gem. Check the [Git tags](https://github.com/Shopify/shopify_app/tags) to see the latest release version and then add it to your Gemfile e.g `gem 'shopify_app', '~> 7.0.0'`
@@ -64,14 +55,13 @@ Generate the code for your app by running these commands:
 
 ```sh
 # Use the keys from your app you created in the partners area
-$ rails generate shopify_app --api_key <shopify_api_key> --secret <shopify_api_secret>
+$ rails generate shopify_app
 $ git add .
 $ git commit -m 'generated shopify app'
 ```
 
-If you forget to set your keys or redirect uri above, you will find them in the shopify_app initializer at: `/config/initializers/shopify_app.rb`.
-
-We recommend adding a gem or utilizing environment variables (`.env`) to handle your keys before releasing your app. [Learn more about using environment variables.](https://www.honeybadger.io/blog/ruby-guide-environment-variables/)
+Your API key and secret are read from environment variables. Refer to the main
+README for further details on how to set this up.
 
 6. Deploy your app
 ---------

data/docs/Releasing.md

@@ -3,6 +3,7 @@ Releasing ShopifyApp
 1. Check the Semantic Versioning page for info on how to version the new release: http://semver.org
 2. Create a pull request with the following changes:
   * Update the version of ShopifyApp in lib/shopify_app/version.rb
+  * Update the version of shopify_app in package.json
   * Add a CHANGELOG entry for the new release with the date
   * Change the title of the PR to something like: "Packaging for release X.Y.Z"
 3. Merge your pull request

data/lib/generators/shopify_app/add_after_authenticate_job/add_after_authenticate_job_generator.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'rails/generators/base'
 
 module ShopifyApp
@@ -6,7 +7,7 @@ module ShopifyApp
       source_root File.expand_path('../templates', __FILE__)
 
       hook_for :test_framework, as: :job, in: :rails do |instance, generator|
-        instance.invoke generator, [ instance.send(:job_file_name) ]
+        instance.invoke(generator, [instance.send(:job_file_name)])
       end
 
       def init_after_authenticate_config
@@ -23,12 +24,13 @@ module ShopifyApp
         )
 
         unless initializer.include?(after_authenticate_job_config)
-          shell.say("Error adding after_authenticate_job to config. Add this line manually: #{after_authenticate_job_config}", :red)
+          shell.say("Error adding after_authenticate_job to config. Add this line manually: "\
+                    "#{after_authenticate_job_config}", :red)
         end
       end
 
       def add_after_authenticate_job
-        template 'after_authenticate_job.rb', "app/jobs/#{job_file_name}_job.rb"
+        template('after_authenticate_job.rb', "app/jobs/#{job_file_name}_job.rb")
       end
 
       private