RubyGems - shopify_app - Versions diffs - 13.0.0 → 16.0.0 - Mend

shopify_app 13.0.0 → 16.0.0

Files changed (106) hide show

data/app/controllers/shopify_app/authenticated_controller.rb CHANGED Viewed

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class AuthenticatedController < ActionController::Base
     include ShopifyApp::Authenticated

data/app/controllers/shopify_app/callback_controller.rb CHANGED Viewed

@@ -6,29 +6,85 @@ module ShopifyApp
     include ShopifyApp::LoginProtection
     def callback
-      if auth_hash
-        login_shop
+      return respond_with_error if invalid_request?
-        if ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
-          return redirect_to(login_url_with_optional_shop)
-        end
+      store_access_token_and_build_session
-        install_webhooks
-        install_scripttags
-        perform_after_authenticate_job
+      if start_user_token_flow?
+        return respond_with_user_token_flow
+      end
+      perform_post_authenticate_jobs
-        redirect_to return_address
+      respond_successfully
+    end
+    private
+    def respond_successfully
+      if jwt_request?
+        head(:ok)
       else
+        redirect_to(return_address)
+      end
+    end
+    def respond_with_user_token_flow
+      Rails.logger.debug("[ShopifyApp::CallbackController] Redirecting for user token...")
+      redirect_to(login_url_with_optional_shop)
+    end
+    def store_access_token_and_build_session
+      if native_browser_request?
+        Rails.logger.debug("[ShopifyApp::CallbackController] Not a JWT request. Resetting session options...")
+        reset_session_options
+      else
+        Rails.logger.debug("[ShopifyApp::CallbackController] JWT request detected. Setting shopify session...")
+      end
+      set_shopify_session
+    end
+    def invalid_request?
+      return true unless auth_hash
+      jwt_request? && !valid_jwt_auth?
+    end
+    def native_browser_request?
+      !jwt_request?
+    end
+    def perform_post_authenticate_jobs
+      install_webhooks
+      install_scripttags
+      perform_after_authenticate_job
+    end
+    def respond_with_error
+      if jwt_request?
+        Rails.logger.debug("[ShopifyApp::CallbackController] Invalid JWT auth detected.")
+        head(:unauthorized)
+      else
+        Rails.logger.debug("[ShopifyApp::CallbackController] Invalid non JWT auth detected.")
         flash[:error] = I18n.t('could_not_log_in')
         redirect_to(login_url_with_optional_shop)
       end
     end
-    private
+    def start_user_token_flow?
+      if jwt_request?
+        false
+      else
+        ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
+      end
+    end
-    def login_shop
-      reset_session_options
-      set_shopify_session
+    def jwt_request?
+      jwt_shopify_domain || jwt_shopify_user_id
+    end
+    def valid_jwt_auth?
+      auth_hash && jwt_shopify_domain == shop_name && jwt_shopify_user_id == associated_user_id
     end
     def auth_hash
@@ -40,9 +96,13 @@ module ShopifyApp
     end
     def associated_user
-      return unless auth_hash['extra'].present?
+      return unless auth_hash.dig('extra', 'associated_user').present?
+      auth_hash['extra']['associated_user'].merge('scope' => auth_hash['extra']['associated_user_scope'])
+    end
-      auth_hash['extra']['associated_user']
+    def associated_user_id
+      associated_user && associated_user['id']
     end
     def token
@@ -63,9 +123,11 @@ module ShopifyApp
       session[:shopify_user] = associated_user
       if session[:shopify_user].present?
+        session[:shop_id] = nil if shop_session && shop_session.domain != shop_name
         session[:user_id] = ShopifyApp::SessionRepository.store_user_session(session_store, associated_user)
       else
         session[:shop_id] = ShopifyApp::SessionRepository.store_shop_session(session_store)
+        session[:user_id] = nil if user_session && user_session.domain != shop_name
       end
       session[:shopify_domain] = shop_name
       session[:user_session] = auth_hash&.extra&.session

data/app/controllers/shopify_app/extension_verification_controller.rb CHANGED Viewed

@@ -2,19 +2,14 @@
 module ShopifyApp
   class ExtensionVerificationController < ActionController::Base
+    include ShopifyApp::PayloadVerification
     protect_from_forgery with: :null_session
     before_action :verify_request
     private
     def verify_request
-      hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
-      request_body = request.body.read
-      secret = ShopifyApp.configuration.secret
-      digest = OpenSSL::Digest.new('sha256')
-      expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
-      head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
+      head(:unauthorized) unless hmac_valid?(request.body.read)
     end
   end
 end

data/app/controllers/shopify_app/sessions_controller.rb CHANGED Viewed

@@ -1,5 +1,6 @@
+# frozen_string_literal: true
 module ShopifyApp
-  class SessionsController < ActionController::Base # rubocop:disable Metrics/ClassLength
+  class SessionsController < ActionController::Base
     include ShopifyApp::LoginProtection
     layout false, only: :new
@@ -9,14 +10,19 @@ module ShopifyApp
     end
     def new
-      authenticate if sanitized_shop_name.present?
+      if sanitized_shop_name.present?
+        Rails.logger.debug("[ShopifyApp::SessionsController] Sanitized shop name present. Authenticating...")
+        authenticate
+      end
     end
     def create
+      Rails.logger.debug("[ShopifyApp::SessionsController] Authenticating...")
       authenticate
     end
     def enable_cookies
+      Rails.logger.debug("[ShopifyApp::SessionsController] Enabling cookies...")
       return unless validate_shop_presence
       render(:enable_cookies, layout: false, locals: {
@@ -29,7 +35,7 @@ module ShopifyApp
           shop: sanitized_shop_name,
           return_to: params[:return_to]
         ),
-        current_shopify_domain: current_shopify_domain
+        current_shopify_domain: current_shopify_domain,
       })
     end
@@ -39,6 +45,7 @@ module ShopifyApp
     end
     def granted_storage_access
+      Rails.logger.debug("[ShopifyApp::SessionsController] Granted storage access.")
       return unless validate_shop_presence
       session['shopify.granted_storage_access'] = true
@@ -49,6 +56,7 @@ module ShopifyApp
     end
     def destroy
+      Rails.logger.debug("[ShopifyApp::SessionsController] Resetting session.")
       reset_session
       flash[:notice] = I18n.t('.logged_out')
       redirect_to(login_url_with_optional_shop)
@@ -65,18 +73,23 @@ module ShopifyApp
       set_user_tokens_option
       if user_agent_can_partition_cookies
+        Rails.logger.debug("[ShopifyApp::SessionsController] Authenticating with partitioning...")
         authenticate_with_partitioning
       else
+        Rails.logger.debug("[ShopifyApp::SessionsController] Authenticating normally...")
         authenticate_normally
       end
     end
     def authenticate_normally
       if request_storage_access?
+        Rails.logger.debug("[ShopifyApp::SessionsController] Redirecting to request storage access...")
         redirect_to_request_storage_access
       elsif authenticate_in_context?
+        Rails.logger.debug("[ShopifyApp::SessionsController] Authenticating in context...")
         authenticate_in_context
       else
+        Rails.logger.debug("[ShopifyApp::SessionsController] Authenticating at top level...")
         authenticate_at_top_level
       end
     end
@@ -91,8 +104,10 @@ module ShopifyApp
       end
     end
+    # rubocop:disable Lint/SuppressedException
     def set_user_tokens_option
       if shop_session.blank?
+        Rails.logger.debug("[ShopifyApp::SessionsController] Shop session is blank.")
         session[:user_tokens] = false
         return
       end
@@ -110,10 +125,12 @@ module ShopifyApp
       session[:user_tokens] = false
     rescue StandardError
     end
+    # rubocop:enable Lint/SuppressedException
     def validate_shop_presence
       @shop = sanitized_shop_name
       unless @shop
+        Rails.logger.debug("[ShopifyApp::SessionsController] Invalid shop detected.")
         render_invalid_shop_error
         return false
       end
@@ -122,12 +139,12 @@ module ShopifyApp
     end
     def copy_return_to_param_to_session
-      session[:return_to] = params[:return_to] if params[:return_to]
+      session[:return_to] = RedirectSafely.make_safe(params[:return_to], '/') if params[:return_to]
     end
     def render_invalid_shop_error
       flash[:error] = I18n.t('invalid_shop_url')
-      redirect_to return_address
+      redirect_to(return_address)
     end
     def enable_cookie_access
@@ -138,7 +155,7 @@ module ShopifyApp
     end
     def authenticate_in_context
-      redirect_to "#{main_app.root_path}auth/shopify"
+      redirect_to("#{main_app.root_path}auth/shopify")
     end
     def authenticate_at_top_level
@@ -173,7 +190,7 @@ module ShopifyApp
             shop: sanitized_shop_name,
             return_to: session[:return_to]
           ),
-          current_shopify_domain: current_shopify_domain
+          current_shopify_domain: current_shopify_domain,
         }
       )
     end

data/app/controllers/shopify_app/webhooks_controller.rb CHANGED Viewed

@@ -1,14 +1,15 @@
+# frozen_string_literal: true
 module ShopifyApp
+  class MissingWebhookJobError < StandardError; end
   class WebhooksController < ActionController::Base
     include ShopifyApp::WebhookVerification
-    class ShopifyApp::MissingWebhookJobError < StandardError; end
     def receive
       params.permit!
-      job_args = {shop_domain: shop_domain, webhook: webhook_params.to_h}
+      job_args = { shop_domain: shop_domain, webhook: webhook_params.to_h }
       webhook_job_klass.perform_later(job_args)
-      head :no_content
+      head(:ok)
     end
     private
@@ -18,7 +19,7 @@ module ShopifyApp
     end
     def webhook_job_klass
-      webhook_job_klass_name.safe_constantize or raise ShopifyApp::MissingWebhookJobError
+      webhook_job_klass_name.safe_constantize || raise(ShopifyApp::MissingWebhookJobError)
     end
     def webhook_job_klass_name(type = webhook_type)

data/app/views/shopify_app/partials/_button_styles.html.erb CHANGED Viewed

@@ -1,6 +1,5 @@
 <style>
   .Polaris-Button {
-    fill:#637381;
     position:relative;
     display:-webkit-inline-box;
     display:-ms-inline-flexbox;
@@ -15,12 +14,14 @@
     min-width:3.6rem;
     margin:0;
     padding:0.7rem 1.6rem;
-    background:linear-gradient(to bottom, white, #f9fafb);
-    border:1px solid #c4cdd5;
-    box-shadow:0 1px 0 0 rgba(22, 29, 37, 0.05);
-    border-radius:3px;
+    background-color:#ffffff;
+    border:1px solid #babfc3;
+    border-top-color: #c9cccf;
+    border-bottom-color: #babfc4;
+    box-shadow:0 1px 0 0 rgba(0, 0, 0, 0.05);
+    border-radius:4px;
     line-height:1;
-    color:#212b36;
+    color:#202223;
     text-align:center;
     cursor:pointer;
     -webkit-user-select:none;
@@ -29,30 +30,44 @@
     user-select:none;
     text-decoration:none;
     transition-property:background, border, box-shadow;
-    transition-duration:200ms;
+    transition-duration:100ms;
     transition-timing-function:cubic-bezier(0.64, 0, 0.35, 1);
   }
   .Polaris-Button:hover {
-    background:linear-gradient(to bottom, #f9fafb, #f4f6f8);
-    border-color:#c4cdd5;
+    background-color:#f6f6f7;
   }
   .Polaris-Button:focus {
-    border-color:#5c6ac4;
     outline:0;
-    box-shadow:0 0 0 1px #5c6ac4;
+  }
+  .Polaris-Button:focus:after {
+    box-shadow:0 0 0 .2rem #448fff;
+  }
+  .Polaris-Button:after {
+    content:'';
+    position:absolute;
+    z-index:1;
+    top:-.2rem;
+    right:-.2rem;
+    bottom:-.2rem;
+    left:-.2rem;
+    display:block;
+    pointer-events:none;
+    box-shadow:0 0 0 -.2rem #448fff;
+    transition:box-shadow 100ms cubic-bezier(0.64, 0, 0.35, 1);
+    border-radius:5px;
   }
   .Polaris-Button:active {
-    background:linear-gradient(to bottom, #f4f6f8, #f4f6f8);
-    border-color:#c4cdd5;
-    box-shadow:0 0 0 0 transparent, inset 0 1px 1px 0 rgba(99, 115, 129, 0.1), inset 0 1px 4px 0 rgba(99, 115, 129, 0.2);
+    background-color:#f1f2f3);
   }
   .Polaris-Button__Content {
-    font-size:1.5rem;
-    font-weight:400;
+    font-size:1.4rem;
+    font-weight:500;
     line-height:1.6rem;
     text-transform:initial;
     letter-spacing:initial;
@@ -70,35 +85,25 @@
     min-height:1px;
   }
-  @media (min-width: 40em) {
-    .Polaris-Button__Content {
-      font-size:1.4rem;
-    }
-  }
   .Polaris-Button--primary {
-    background:linear-gradient(to bottom, #6371c7, #5563c1);
-    border-color:#3f4eae;
-    box-shadow:inset 0 1px 0 0 #6774c8, 0 1px 0 0 rgba(22, 29, 37, 0.05), 0 0 0 0 transparent;
+    background-color:#008060;
+    border-color:transparent;
+    border-width:0;
     color:white;
-    fill:white;
   }
   .Polaris-Button--primary:hover {
-    background:linear-gradient(to bottom, #5c6ac4, #4959bd);
-    border-color:#3f4eae;
+    background-color:#006e52;
+    border-color:transparent;
     color:white;
-    text-decoration:none;
   }
-  .Polaris-Button--primary:focus {
-    border-color:#202e78;
-    box-shadow:inset 0 1px 0 0 #6f7bcb, 0 1px 0 0 rgba(22, 29, 37, 0.05), 0 0 0 1px #202e78;
+  .Polaris-Button--primary:active {
+    background-color:#005e46;
+    border-color:transparent;
   }
-  .Polaris-Button--primary:active {
-    background:linear-gradient(to bottom, #3f4eae, #3f4eae);
-    border-color:#38469b;
-    box-shadow:inset 0 0 0 0 transparent, 0 1px 0 0 rgba(22, 29, 37, 0.05), 0 0 1px 0 #38469b;
+  .Polaris-Button--sizeLarge {
+    padding:1.1rem 2.4rem;
   }
 </style>

data/app/views/shopify_app/partials/_card_styles.html.erb CHANGED Viewed

@@ -11,7 +11,7 @@
   @media (min-width: 30.625em) {
     .Polaris-Card {
-      border-radius:3px;
+      border-radius:8px;
     }
   }
@@ -24,10 +24,10 @@
   }
   .Polaris-Card__Section + .Polaris-Card__Section {
-    border-top:1px solid #dfe3e8;
+    border-top:.1rem solid #e4e5e7;
   }
   .Polaris-Card__Section--subdued {
-    background-color:#f9fafb;
+    background-color:#fafbfb;
   }
 </style>