shopify_app 13.0.0 → 16.0.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (106) hide show
  1. checksums.yaml +4 -4
  2. data/.github/ISSUE_TEMPLATE.md +5 -0
  3. data/.github/PULL_REQUEST_TEMPLATE.md +6 -0
  4. data/.github/workflows/build.yml +38 -0
  5. data/.github/workflows/rubocop.yml +22 -0
  6. data/.gitignore +0 -2
  7. data/.rubocop.yml +14 -6
  8. data/CHANGELOG.md +95 -0
  9. data/Gemfile +5 -0
  10. data/Gemfile.lock +252 -0
  11. data/README.md +83 -45
  12. data/Rakefile +1 -0
  13. data/SECURITY.md +59 -0
  14. data/app/assets/images/storage_access.svg +1 -2
  15. data/app/assets/javascripts/shopify_app/storage_access.js +2 -1
  16. data/app/assets/javascripts/shopify_app/top_level_interaction.js +1 -1
  17. data/app/controllers/concerns/shopify_app/authenticated.rb +1 -0
  18. data/app/controllers/concerns/shopify_app/require_known_shop.rb +39 -0
  19. data/app/controllers/shopify_app/authenticated_controller.rb +1 -0
  20. data/app/controllers/shopify_app/callback_controller.rb +77 -15
  21. data/app/controllers/shopify_app/extension_verification_controller.rb +2 -7
  22. data/app/controllers/shopify_app/sessions_controller.rb +24 -7
  23. data/app/controllers/shopify_app/webhooks_controller.rb +6 -5
  24. data/app/views/shopify_app/partials/_button_styles.html.erb +41 -36
  25. data/app/views/shopify_app/partials/_card_styles.html.erb +3 -3
  26. data/app/views/shopify_app/partials/_empty_state_styles.html.erb +28 -59
  27. data/app/views/shopify_app/partials/_form_styles.html.erb +56 -0
  28. data/app/views/shopify_app/partials/_layout_styles.html.erb +16 -1
  29. data/app/views/shopify_app/partials/_typography_styles.html.erb +6 -6
  30. data/app/views/shopify_app/sessions/enable_cookies.html.erb +2 -7
  31. data/app/views/shopify_app/sessions/new.html.erb +38 -110
  32. data/app/views/shopify_app/sessions/request_storage_access.html.erb +1 -1
  33. data/app/views/shopify_app/sessions/top_level_interaction.html.erb +21 -22
  34. data/config/locales/fi.yml +1 -1
  35. data/config/locales/nl.yml +7 -7
  36. data/config/locales/th.yml +4 -4
  37. data/config/routes.rb +1 -0
  38. data/docs/Quickstart.md +7 -17
  39. data/docs/Releasing.md +16 -14
  40. data/karma.conf.js +1 -1
  41. data/lib/generators/shopify_app/add_after_authenticate_job/add_after_authenticate_job_generator.rb +5 -3
  42. data/lib/generators/shopify_app/add_after_authenticate_job/templates/after_authenticate_job.rb +1 -0
  43. data/lib/generators/shopify_app/add_marketing_activity_extension/add_marketing_activity_extension_generator.rb +2 -1
  44. data/lib/generators/shopify_app/add_marketing_activity_extension/templates/marketing_activities_controller.rb +4 -4
  45. data/lib/generators/shopify_app/add_webhook/add_webhook_generator.rb +5 -4
  46. data/lib/generators/shopify_app/add_webhook/templates/{webhook_job.rb → webhook_job.rb.tt} +5 -0
  47. data/lib/generators/shopify_app/app_proxy_controller/app_proxy_controller_generator.rb +4 -3
  48. data/lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_controller.rb +3 -3
  49. data/lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_route.rb +10 -9
  50. data/lib/generators/shopify_app/authenticated_controller/authenticated_controller_generator.rb +1 -1
  51. data/lib/generators/shopify_app/controllers/controllers_generator.rb +2 -1
  52. data/lib/generators/shopify_app/home_controller/home_controller_generator.rb +22 -3
  53. data/lib/generators/shopify_app/home_controller/templates/index.html.erb +67 -17
  54. data/lib/generators/shopify_app/home_controller/templates/unauthenticated_home_controller.rb +10 -0
  55. data/lib/generators/shopify_app/install/install_generator.rb +11 -10
  56. data/lib/generators/shopify_app/install/templates/embedded_app.html.erb +1 -1
  57. data/lib/generators/shopify_app/install/templates/flash_messages.js +0 -2
  58. data/lib/generators/shopify_app/install/templates/omniauth.rb +2 -1
  59. data/lib/generators/shopify_app/install/templates/{shopify_app.rb → shopify_app.rb.tt} +4 -3
  60. data/lib/generators/shopify_app/install/templates/user_agent.rb +2 -1
  61. data/lib/generators/shopify_app/products_controller/products_controller_generator.rb +19 -0
  62. data/lib/generators/shopify_app/products_controller/templates/products_controller.rb +8 -0
  63. data/lib/generators/shopify_app/routes/routes_generator.rb +1 -0
  64. data/lib/generators/shopify_app/routes/templates/routes.rb +10 -9
  65. data/lib/generators/shopify_app/shop_model/shop_model_generator.rb +12 -7
  66. data/lib/generators/shopify_app/shop_model/templates/shop.rb +1 -0
  67. data/lib/generators/shopify_app/shopify_app_generator.rb +4 -3
  68. data/lib/generators/shopify_app/user_model/templates/user.rb +1 -0
  69. data/lib/generators/shopify_app/user_model/user_model_generator.rb +12 -7
  70. data/lib/generators/shopify_app/views/views_generator.rb +2 -1
  71. data/lib/shopify_app/configuration.rb +15 -8
  72. data/lib/shopify_app/controller_concerns/app_proxy_verification.rb +3 -3
  73. data/lib/shopify_app/controller_concerns/csrf_protection.rb +15 -0
  74. data/lib/shopify_app/controller_concerns/embedded_app.rb +3 -2
  75. data/lib/shopify_app/controller_concerns/itp.rb +2 -0
  76. data/lib/shopify_app/controller_concerns/localization.rb +1 -0
  77. data/lib/shopify_app/controller_concerns/login_protection.rb +85 -17
  78. data/lib/shopify_app/controller_concerns/payload_verification.rb +24 -0
  79. data/lib/shopify_app/controller_concerns/webhook_verification.rb +3 -18
  80. data/lib/shopify_app/engine.rb +26 -0
  81. data/lib/shopify_app/jobs/scripttags_manager_job.rb +1 -1
  82. data/lib/shopify_app/jobs/webhooks_manager_job.rb +1 -1
  83. data/lib/shopify_app/managers/scripttags_manager.rb +4 -3
  84. data/lib/shopify_app/managers/webhooks_manager.rb +4 -3
  85. data/lib/shopify_app/middleware/jwt_middleware.rb +42 -0
  86. data/lib/shopify_app/middleware/same_site_cookie_middleware.rb +2 -1
  87. data/lib/shopify_app/session/in_memory_session_store.rb +7 -3
  88. data/lib/shopify_app/session/in_memory_shop_session_store.rb +10 -0
  89. data/lib/shopify_app/session/in_memory_user_session_store.rb +10 -0
  90. data/lib/shopify_app/session/jwt.rb +63 -0
  91. data/lib/shopify_app/session/null_user_session_store.rb +22 -0
  92. data/lib/shopify_app/session/session_repository.rb +13 -16
  93. data/lib/shopify_app/session/session_storage.rb +1 -0
  94. data/lib/shopify_app/session/shop_session_storage.rb +21 -9
  95. data/lib/shopify_app/session/user_session_storage.rb +19 -8
  96. data/lib/shopify_app/test_helpers/all.rb +2 -0
  97. data/lib/shopify_app/test_helpers/webhook_verification_helper.rb +17 -0
  98. data/lib/shopify_app/utils.rb +6 -5
  99. data/lib/shopify_app/version.rb +2 -1
  100. data/lib/shopify_app.rb +12 -5
  101. data/package.json +7 -8
  102. data/shopify_app.gemspec +12 -7
  103. data/yarn.lock +2098 -2115
  104. metadata +56 -12
  105. data/.travis.yml +0 -27
  106. data/package-lock.json +0 -7245
@@ -1,6 +1,6 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  class ScripttagsManagerJob < ActiveJob::Base
3
-
4
4
  queue_as do
5
5
  ShopifyApp.configuration.scripttags_manager_queue_name
6
6
  end
@@ -1,6 +1,6 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  class WebhooksManagerJob < ActiveJob::Base
3
-
4
4
  queue_as do
5
5
  ShopifyApp.configuration.webhooks_manager_queue_name
6
6
  end
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  class ScripttagsManager
3
4
  class CreationFailed < StandardError; end
@@ -43,7 +44,7 @@ module ShopifyApp
43
44
  def destroy_scripttags
44
45
  scripttags = expanded_scripttags
45
46
  ShopifyAPI::ScriptTag.all.each do |tag|
46
- ShopifyAPI::ScriptTag.delete(tag.id) if is_required_scripttag?(scripttags, tag)
47
+ ShopifyAPI::ScriptTag.delete(tag.id) if required_scripttag?(scripttags, tag)
47
48
  end
48
49
 
49
50
  @current_scripttags = nil
@@ -55,8 +56,8 @@ module ShopifyApp
55
56
  self.class.build_src(required_scripttags, shop_domain)
56
57
  end
57
58
 
58
- def is_required_scripttag?(scripttags, tag)
59
- scripttags.map{ |w| w[:src] }.include? tag.src
59
+ def required_scripttag?(scripttags, tag)
60
+ scripttags.map { |w| w[:src] }.include?(tag.src)
60
61
  end
61
62
 
62
63
  def create_scripttag(attributes)
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  class WebhooksManager
3
4
  class CreationFailed < StandardError; end
@@ -31,7 +32,7 @@ module ShopifyApp
31
32
 
32
33
  def destroy_webhooks
33
34
  ShopifyAPI::Webhook.all.to_a.each do |webhook|
34
- ShopifyAPI::Webhook.delete(webhook.id) if is_required_webhook?(webhook)
35
+ ShopifyAPI::Webhook.delete(webhook.id) if required_webhook?(webhook)
35
36
  end
36
37
 
37
38
  @current_webhooks = nil
@@ -39,8 +40,8 @@ module ShopifyApp
39
40
 
40
41
  private
41
42
 
42
- def is_required_webhook?(webhook)
43
- required_webhooks.map{ |w| w[:address] }.include? webhook.address
43
+ def required_webhook?(webhook)
44
+ required_webhooks.map { |w| w[:address] }.include?(webhook.address)
44
45
  end
45
46
 
46
47
  def create_webhook(attributes)
@@ -0,0 +1,42 @@
1
+ # frozen_string_literal: true
2
+ module ShopifyApp
3
+ class JWTMiddleware
4
+ TOKEN_REGEX = /^Bearer\s+(.*?)$/
5
+
6
+ def initialize(app)
7
+ @app = app
8
+ end
9
+
10
+ def call(env)
11
+ return call_next(env) unless authorization_header(env)
12
+
13
+ token = extract_token(env)
14
+ return call_next(env) unless token
15
+
16
+ set_env_variables(token, env)
17
+ call_next(env)
18
+ end
19
+
20
+ private
21
+
22
+ def call_next(env)
23
+ @app.call(env)
24
+ end
25
+
26
+ def authorization_header(env)
27
+ env['HTTP_AUTHORIZATION']
28
+ end
29
+
30
+ def extract_token(env)
31
+ match = authorization_header(env).match(TOKEN_REGEX)
32
+ match && match[1]
33
+ end
34
+
35
+ def set_env_variables(token, env)
36
+ jwt = ShopifyApp::JWT.new(token)
37
+
38
+ env['jwt.shopify_domain'] = jwt.shopify_domain
39
+ env['jwt.shopify_user_id'] = jwt.shopify_user_id
40
+ end
41
+ end
42
+ end
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  class SameSiteCookieMiddleware
3
4
  COOKIE_SEPARATOR = "\n"
@@ -19,7 +20,7 @@ module ShopifyApp
19
20
  .split(COOKIE_SEPARATOR)
20
21
  .compact
21
22
  .map do |cookie|
22
- cookie << '; Secure' if not cookie =~ /;\s*secure/i
23
+ cookie << '; Secure' unless cookie =~ /;\s*secure/i
23
24
  cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
24
25
  cookie
25
26
  end
@@ -1,4 +1,7 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
3
+ # rubocop:disable Style/ClassVars
4
+ # Class var repo is needed here in order to share data between the 2 child classes.
2
5
  class InMemorySessionStore
3
6
  class EnvironmentError < StandardError; end
4
7
 
@@ -6,7 +9,7 @@ module ShopifyApp
6
9
  repo[id]
7
10
  end
8
11
 
9
- def self.store(session, *args)
12
+ def self.store(session, *_args)
10
13
  id = SecureRandom.uuid
11
14
  repo[id] = session
12
15
  id
@@ -18,10 +21,11 @@ module ShopifyApp
18
21
 
19
22
  def self.repo
20
23
  if Rails.env.production?
21
- raise EnvironmentError.new("Cannot use InMemorySessionStore in a Production environment. \
22
- Please initialize ShopifyApp with a model that can store and retrieve sessions")
24
+ raise EnvironmentError, "Cannot use InMemorySessionStore in a Production environment. \
25
+ Please initialize ShopifyApp with a model that can store and retrieve sessions"
23
26
  end
24
27
  @@repo ||= {}
25
28
  end
26
29
  end
30
+ # rubocop:enable Style/ClassVars
27
31
  end
@@ -1,4 +1,14 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  class InMemoryShopSessionStore < InMemorySessionStore
4
+ def self.store(session, *args)
5
+ id = super
6
+ repo[session.domain] = session
7
+ id
8
+ end
9
+
10
+ def self.retrieve_by_shopify_domain(shopify_domain)
11
+ repo[shopify_domain]
12
+ end
3
13
  end
4
14
  end
@@ -1,4 +1,14 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  class InMemoryUserSessionStore < InMemorySessionStore
4
+ def self.store(session, user)
5
+ id = super
6
+ repo[user.shopify_user_id] = session
7
+ id
8
+ end
9
+
10
+ def self.retrieve_by_shopify_user_id(user_id)
11
+ repo[user_id]
12
+ end
3
13
  end
4
14
  end
@@ -0,0 +1,63 @@
1
+ # frozen_string_literal: true
2
+ module ShopifyApp
3
+ class JWT
4
+ class InvalidDestinationError < StandardError; end
5
+
6
+ class MismatchedHostsError < StandardError; end
7
+
8
+ class InvalidAudienceError < StandardError; end
9
+
10
+ WARN_EXCEPTIONS = [
11
+ ::JWT::DecodeError,
12
+ ::JWT::ExpiredSignature,
13
+ ::JWT::ImmatureSignature,
14
+ ::JWT::VerificationError,
15
+ InvalidAudienceError,
16
+ InvalidDestinationError,
17
+ MismatchedHostsError,
18
+ ]
19
+
20
+ def initialize(token)
21
+ @token = token
22
+ set_payload
23
+ end
24
+
25
+ def shopify_domain
26
+ @payload && ShopifyApp::Utils.sanitize_shop_domain(@payload['dest'])
27
+ end
28
+
29
+ def shopify_user_id
30
+ @payload['sub'].to_i if @payload && @payload['sub']
31
+ end
32
+
33
+ private
34
+
35
+ def set_payload
36
+ payload, _ = parse_token_data(ShopifyApp.configuration&.secret, ShopifyApp.configuration&.old_secret)
37
+ @payload = validate_payload(payload)
38
+ rescue *WARN_EXCEPTIONS => error
39
+ Rails.logger.warn("[ShopifyApp::JWT] Failed to validate JWT: [#{error.class}] #{error}")
40
+ nil
41
+ end
42
+
43
+ def parse_token_data(secret, old_secret)
44
+ ::JWT.decode(@token, secret, true, { algorithm: 'HS256' })
45
+ rescue ::JWT::VerificationError
46
+ raise unless old_secret
47
+
48
+ ::JWT.decode(@token, old_secret, true, { algorithm: 'HS256' })
49
+ end
50
+
51
+ def validate_payload(payload)
52
+ dest_host = ShopifyApp::Utils.sanitize_shop_domain(payload['dest'])
53
+ iss_host = ShopifyApp::Utils.sanitize_shop_domain(payload['iss'])
54
+ api_key = ShopifyApp.configuration.api_key
55
+
56
+ raise InvalidAudienceError, "'aud' claim does not match api_key" unless payload['aud'] == api_key
57
+ raise InvalidDestinationError, "'dest' claim host not a valid shopify host" unless dest_host
58
+ raise MismatchedHostsError, "'dest' claim host does not match 'iss' claim host" unless dest_host == iss_host
59
+
60
+ payload
61
+ end
62
+ end
63
+ end
@@ -0,0 +1,22 @@
1
+ # frozen_string_literal: true
2
+ module ShopifyApp
3
+ class NullUserSessionStore
4
+ class << self
5
+ def retrieve(_)
6
+ nil
7
+ end
8
+
9
+ def store(_, _)
10
+ raise SessionRepository::ConfigurationError, 'user_storage is not configured'
11
+ end
12
+
13
+ def retrieve_by_shopify_user_id(_)
14
+ nil
15
+ end
16
+
17
+ def blank?
18
+ true
19
+ end
20
+ end
21
+ end
22
+ end
@@ -1,23 +1,12 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  class SessionRepository
3
4
  class ConfigurationError < StandardError; end
4
5
 
5
6
  class << self
6
- def shop_storage=(storage)
7
- @shop_storage = storage
7
+ attr_writer :shop_storage
8
8
 
9
- unless storage.nil? || self.shop_storage.respond_to?(:store) && self.shop_storage.respond_to?(:retrieve)
10
- raise ArgumentError, "shop storage must respond to :store and :retrieve"
11
- end
12
- end
13
-
14
- def user_storage=(storage)
15
- @user_storage = storage
16
-
17
- unless storage.nil? || self.user_storage.respond_to?(:store) && self.user_storage.respond_to?(:retrieve)
18
- raise ArgumentError, "user storage must respond to :store and :retrieve"
19
- end
20
- end
9
+ attr_writer :user_storage
21
10
 
22
11
  def retrieve_shop_session(id)
23
12
  shop_storage.retrieve(id)
@@ -27,6 +16,14 @@ module ShopifyApp
27
16
  user_storage.retrieve(id)
28
17
  end
29
18
 
19
+ def retrieve_shop_session_by_shopify_domain(shopify_domain)
20
+ shop_storage.retrieve_by_shopify_domain(shopify_domain)
21
+ end
22
+
23
+ def retrieve_user_session_by_shopify_user_id(user_id)
24
+ user_storage.retrieve_by_shopify_user_id(user_id)
25
+ end
26
+
30
27
  def store_shop_session(session)
31
28
  shop_storage.store(session)
32
29
  end
@@ -36,7 +33,7 @@ module ShopifyApp
36
33
  end
37
34
 
38
35
  def shop_storage
39
- load_shop_storage || raise(ConfigurationError.new("ShopifySessionRepository.shop_storage is not configured!"))
36
+ load_shop_storage || raise(ConfigurationError, "ShopifySessionRepository.shop_storage is not configured!")
40
37
  end
41
38
 
42
39
  def user_storage
@@ -51,7 +48,7 @@ module ShopifyApp
51
48
  end
52
49
 
53
50
  def load_user_storage
54
- return unless @user_storage
51
+ return NullUserSessionStore unless @user_storage
55
52
  @user_storage.respond_to?(:safe_constantize) ? @user_storage.safe_constantize : @user_storage
56
53
  end
57
54
  end
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  module SessionStorage
3
4
  extend ActiveSupport::Concern
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  module ShopSessionStorage
3
4
  extend ActiveSupport::Concern
@@ -8,7 +9,7 @@ module ShopifyApp
8
9
  end
9
10
 
10
11
  class_methods do
11
- def store(auth_session, *args)
12
+ def store(auth_session, *_args)
12
13
  shop = find_or_initialize_by(shopify_domain: auth_session.domain)
13
14
  shop.shopify_token = auth_session.token
14
15
  shop.save!
@@ -16,14 +17,25 @@ module ShopifyApp
16
17
  end
17
18
 
18
19
  def retrieve(id)
19
- return unless id
20
- if shop = self.find_by(id: id)
21
- ShopifyAPI::Session.new(
22
- domain: shop.shopify_domain,
23
- token: shop.shopify_token,
24
- api_version: shop.api_version
25
- )
26
- end
20
+ shop = find_by(id: id)
21
+ construct_session(shop)
22
+ end
23
+
24
+ def retrieve_by_shopify_domain(domain)
25
+ shop = find_by(shopify_domain: domain)
26
+ construct_session(shop)
27
+ end
28
+
29
+ private
30
+
31
+ def construct_session(shop)
32
+ return unless shop
33
+
34
+ ShopifyAPI::Session.new(
35
+ domain: shop.shopify_domain,
36
+ token: shop.shopify_token,
37
+ api_version: shop.api_version,
38
+ )
27
39
  end
28
40
  end
29
41
  end
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  module UserSessionStorage
3
4
  extend ActiveSupport::Concern
@@ -17,14 +18,24 @@ module ShopifyApp
17
18
  end
18
19
 
19
20
  def retrieve(id)
20
- return unless id
21
- if user = find_by(id: id)
22
- ShopifyAPI::Session.new(
23
- domain: user.shopify_domain,
24
- token: user.shopify_token,
25
- api_version: user.api_version
26
- )
27
- end
21
+ user = find_by(id: id)
22
+ construct_session(user)
23
+ end
24
+
25
+ def retrieve_by_shopify_user_id(user_id)
26
+ user = find_by(shopify_user_id: user_id)
27
+ construct_session(user)
28
+ end
29
+
30
+ private
31
+
32
+ def construct_session(user)
33
+ return unless user
34
+ ShopifyAPI::Session.new(
35
+ domain: user.shopify_domain,
36
+ token: user.shopify_token,
37
+ api_version: user.api_version,
38
+ )
28
39
  end
29
40
  end
30
41
  end
@@ -0,0 +1,2 @@
1
+ # frozen_string_literal: true
2
+ require 'shopify_app/test_helpers/webhook_verification_helper'
@@ -0,0 +1,17 @@
1
+ # frozen_string_literal: true
2
+ module ShopifyApp
3
+ module TestHelpers
4
+ module WebhookVerificationHelper
5
+ def authorized_webhook_verification_headers!(params = {})
6
+ digest = OpenSSL::Digest.new('sha256')
7
+ secret = ShopifyApp.configuration.secret
8
+ valid_hmac = Base64.encode64(OpenSSL::HMAC.digest(digest, secret, params.to_query)).strip
9
+ @request.headers['HTTP_X_SHOPIFY_HMAC_SHA256'] = valid_hmac
10
+ end
11
+
12
+ def unauthorized_webhook_verification_headers!
13
+ @request.headers['HTTP_X_SHOPIFY_HMAC_SHA256'] = "invalid_hmac"
14
+ end
15
+ end
16
+ end
17
+ end