shopify_app 13.0.0 → 17.1.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (139) hide show
  1. checksums.yaml +4 -4
  2. data/.github/ISSUE_TEMPLATE/bug-report.md +63 -0
  3. data/.github/ISSUE_TEMPLATE/config.yml +1 -0
  4. data/.github/ISSUE_TEMPLATE/feature-request.md +33 -0
  5. data/.github/PULL_REQUEST_TEMPLATE.md +22 -0
  6. data/.github/workflows/build.yml +38 -0
  7. data/.github/workflows/release.yml +24 -0
  8. data/.github/workflows/rubocop.yml +22 -0
  9. data/.gitignore +0 -2
  10. data/.rubocop.yml +14 -6
  11. data/CHANGELOG.md +132 -0
  12. data/CONTRIBUTING.md +76 -0
  13. data/Gemfile +5 -0
  14. data/Gemfile.lock +256 -0
  15. data/README.md +72 -534
  16. data/Rakefile +1 -0
  17. data/SECURITY.md +59 -0
  18. data/app/assets/images/storage_access.svg +1 -2
  19. data/app/assets/javascripts/shopify_app/storage_access.js +2 -1
  20. data/app/assets/javascripts/shopify_app/top_level_interaction.js +1 -1
  21. data/app/controllers/concerns/shopify_app/authenticated.rb +1 -0
  22. data/app/controllers/concerns/shopify_app/ensure_authenticated_links.rb +26 -0
  23. data/app/controllers/concerns/shopify_app/require_known_shop.rb +39 -0
  24. data/app/controllers/concerns/shopify_app/shop_access_scopes_verification.rb +32 -0
  25. data/app/controllers/shopify_app/authenticated_controller.rb +1 -0
  26. data/app/controllers/shopify_app/callback_controller.rb +105 -18
  27. data/app/controllers/shopify_app/extension_verification_controller.rb +2 -7
  28. data/app/controllers/shopify_app/sessions_controller.rb +22 -10
  29. data/app/controllers/shopify_app/webhooks_controller.rb +6 -5
  30. data/app/views/shopify_app/partials/_button_styles.html.erb +41 -36
  31. data/app/views/shopify_app/partials/_card_styles.html.erb +3 -3
  32. data/app/views/shopify_app/partials/_empty_state_styles.html.erb +28 -59
  33. data/app/views/shopify_app/partials/_form_styles.html.erb +56 -0
  34. data/app/views/shopify_app/partials/_layout_styles.html.erb +16 -1
  35. data/app/views/shopify_app/partials/_typography_styles.html.erb +6 -6
  36. data/app/views/shopify_app/sessions/enable_cookies.html.erb +2 -7
  37. data/app/views/shopify_app/sessions/new.html.erb +38 -110
  38. data/app/views/shopify_app/sessions/request_storage_access.html.erb +1 -1
  39. data/app/views/shopify_app/sessions/top_level_interaction.html.erb +21 -22
  40. data/config/locales/de.yml +11 -11
  41. data/config/locales/fi.yml +1 -1
  42. data/config/locales/nl.yml +7 -7
  43. data/config/locales/th.yml +4 -4
  44. data/config/locales/vi.yml +22 -0
  45. data/config/locales/zh-CN.yml +1 -1
  46. data/config/routes.rb +1 -0
  47. data/docs/Quickstart.md +15 -87
  48. data/docs/Releasing.md +18 -14
  49. data/docs/Upgrading.md +110 -0
  50. data/docs/shopify_app/authentication.md +124 -0
  51. data/docs/shopify_app/engine.md +82 -0
  52. data/docs/shopify_app/generators.md +127 -0
  53. data/docs/shopify_app/handling-access-scopes-changes.md +8 -0
  54. data/docs/shopify_app/script-tags.md +28 -0
  55. data/docs/shopify_app/session-repository.md +88 -0
  56. data/docs/shopify_app/testing.md +38 -0
  57. data/docs/shopify_app/webhooks.md +72 -0
  58. data/karma.conf.js +1 -1
  59. data/lib/generators/shopify_app/add_after_authenticate_job/add_after_authenticate_job_generator.rb +5 -3
  60. data/lib/generators/shopify_app/add_after_authenticate_job/templates/after_authenticate_job.rb +1 -0
  61. data/lib/generators/shopify_app/add_marketing_activity_extension/add_marketing_activity_extension_generator.rb +2 -1
  62. data/lib/generators/shopify_app/add_marketing_activity_extension/templates/marketing_activities_controller.rb +4 -4
  63. data/lib/generators/shopify_app/add_webhook/add_webhook_generator.rb +5 -4
  64. data/lib/generators/shopify_app/add_webhook/templates/{webhook_job.rb → webhook_job.rb.tt} +5 -0
  65. data/lib/generators/shopify_app/app_proxy_controller/app_proxy_controller_generator.rb +4 -3
  66. data/lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_controller.rb +3 -3
  67. data/lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_route.rb +10 -9
  68. data/lib/generators/shopify_app/authenticated_controller/authenticated_controller_generator.rb +1 -1
  69. data/lib/generators/shopify_app/controllers/controllers_generator.rb +2 -1
  70. data/lib/generators/shopify_app/home_controller/home_controller_generator.rb +31 -3
  71. data/lib/generators/shopify_app/home_controller/templates/home_controller.rb +2 -0
  72. data/lib/generators/shopify_app/home_controller/templates/index.html.erb +66 -16
  73. data/lib/generators/shopify_app/home_controller/templates/unauthenticated_home_controller.rb +11 -0
  74. data/lib/generators/shopify_app/install/install_generator.rb +46 -11
  75. data/lib/generators/shopify_app/install/templates/embedded_app.html.erb +1 -1
  76. data/lib/generators/shopify_app/install/templates/flash_messages.js +0 -2
  77. data/lib/generators/shopify_app/install/templates/omniauth.rb +3 -1
  78. data/lib/generators/shopify_app/install/templates/shopify_app.rb.tt +25 -0
  79. data/lib/generators/shopify_app/install/templates/shopify_provider.rb.tt +8 -0
  80. data/lib/generators/shopify_app/install/templates/user_agent.rb +2 -1
  81. data/lib/generators/shopify_app/products_controller/products_controller_generator.rb +19 -0
  82. data/lib/generators/shopify_app/products_controller/templates/products_controller.rb +8 -0
  83. data/lib/generators/shopify_app/routes/routes_generator.rb +1 -0
  84. data/lib/generators/shopify_app/routes/templates/routes.rb +10 -9
  85. data/lib/generators/shopify_app/shop_model/shop_model_generator.rb +39 -7
  86. data/lib/generators/shopify_app/shop_model/templates/db/migrate/add_shop_access_scopes_column.erb +5 -0
  87. data/lib/generators/shopify_app/shop_model/templates/shop.rb +2 -1
  88. data/lib/generators/shopify_app/shopify_app_generator.rb +4 -3
  89. data/lib/generators/shopify_app/user_model/templates/db/migrate/add_user_access_scopes_column.erb +5 -0
  90. data/lib/generators/shopify_app/user_model/templates/user.rb +2 -1
  91. data/lib/generators/shopify_app/user_model/user_model_generator.rb +39 -7
  92. data/lib/generators/shopify_app/views/views_generator.rb +2 -1
  93. data/lib/shopify_app/access_scopes/noop_strategy.rb +13 -0
  94. data/lib/shopify_app/access_scopes/shop_strategy.rb +24 -0
  95. data/lib/shopify_app/access_scopes/user_strategy.rb +41 -0
  96. data/lib/shopify_app/configuration.rb +40 -8
  97. data/lib/shopify_app/controller_concerns/app_proxy_verification.rb +3 -3
  98. data/lib/shopify_app/controller_concerns/csrf_protection.rb +15 -0
  99. data/lib/shopify_app/controller_concerns/embedded_app.rb +3 -2
  100. data/lib/shopify_app/controller_concerns/localization.rb +1 -0
  101. data/lib/shopify_app/controller_concerns/login_protection.rb +74 -16
  102. data/lib/shopify_app/controller_concerns/payload_verification.rb +24 -0
  103. data/lib/shopify_app/controller_concerns/webhook_verification.rb +3 -18
  104. data/lib/shopify_app/engine.rb +26 -0
  105. data/lib/shopify_app/jobs/scripttags_manager_job.rb +1 -1
  106. data/lib/shopify_app/jobs/webhooks_manager_job.rb +1 -1
  107. data/lib/shopify_app/managers/scripttags_manager.rb +4 -3
  108. data/lib/shopify_app/managers/webhooks_manager.rb +4 -3
  109. data/lib/shopify_app/middleware/jwt_middleware.rb +42 -0
  110. data/lib/shopify_app/middleware/same_site_cookie_middleware.rb +2 -1
  111. data/lib/shopify_app/omniauth/omniauth_configuration.rb +64 -0
  112. data/lib/shopify_app/session/in_memory_session_store.rb +7 -3
  113. data/lib/shopify_app/session/in_memory_shop_session_store.rb +12 -0
  114. data/lib/shopify_app/session/in_memory_user_session_store.rb +12 -0
  115. data/lib/shopify_app/session/jwt.rb +63 -0
  116. data/lib/shopify_app/session/null_user_session_store.rb +22 -0
  117. data/lib/shopify_app/session/session_repository.rb +13 -16
  118. data/lib/shopify_app/session/session_storage.rb +1 -0
  119. data/lib/shopify_app/session/shop_session_storage.rb +21 -9
  120. data/lib/shopify_app/session/shop_session_storage_with_scopes.rb +58 -0
  121. data/lib/shopify_app/session/user_session_storage.rb +19 -8
  122. data/lib/shopify_app/session/user_session_storage_with_scopes.rb +58 -0
  123. data/lib/shopify_app/test_helpers/all.rb +2 -0
  124. data/lib/shopify_app/test_helpers/webhook_verification_helper.rb +17 -0
  125. data/lib/shopify_app/utils.rb +18 -5
  126. data/lib/shopify_app/version.rb +2 -1
  127. data/lib/shopify_app.rb +22 -5
  128. data/package.json +7 -8
  129. data/shopify_app.gemspec +13 -8
  130. data/translation.yml +1 -1
  131. data/yarn.lock +2120 -2168
  132. metadata +88 -16
  133. data/.github/ISSUE_TEMPLATE.md +0 -14
  134. data/.travis.yml +0 -27
  135. data/docs/install-on-dev-shop.png +0 -0
  136. data/docs/test-your-app.png +0 -0
  137. data/lib/generators/shopify_app/install/templates/shopify_app.rb +0 -15
  138. data/lib/generators/shopify_app/install/templates/shopify_provider.rb +0 -20
  139. data/package-lock.json +0 -7245
data/Rakefile CHANGED
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  require 'bundler/gem_tasks'
2
3
  require 'rake/testtask'
3
4
 
data/SECURITY.md ADDED
@@ -0,0 +1,59 @@
1
+ # Security Policy
2
+
3
+ ## Supported versions
4
+
5
+ ### New features
6
+
7
+ New features will only be added to the master branch and will not be made available in point releases.
8
+
9
+ ### Bug fixes
10
+
11
+ Only the latest release series will receive bug fixes. When enough bugs are fixed and its deemed worthy to release a new gem, this is the branch it happens from.
12
+
13
+ ### Security issues
14
+
15
+ Only the latest release series will receive patches and new versions in case of a security issue.
16
+
17
+ ### Severe security issues
18
+
19
+ For severe security issues we will provide new versions as above, and also the last major release series will receive patches and new versions. The classification of the security issue is judged by the core team.
20
+
21
+ ### Unsupported Release Series
22
+
23
+ When a release series is no longer supported, it's your own responsibility to deal with bugs and security issues. If you are not comfortable maintaining your own versions, you should upgrade to a supported version.
24
+
25
+ ## Reporting a bug
26
+
27
+ All security bugs in shopify repositories should be reported to [our hackerone program](https://hackerone.com/shopify)
28
+ Shopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the In Scope properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly your-store.myshopify.com/admin) and certain ancillary applications.
29
+
30
+ ## Disclosure Policy
31
+
32
+ We look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:
33
+
34
+ - Reply to all reports within one business day and triage within two business days (if applicable)
35
+ - Be as transparent as possible, answering all inquires about our report decisions and adding hackers to duplicate HackerOne reports
36
+ - Award bounties within a week of resolution (excluding extenuating circumstances)
37
+ - Only close reports as N/A when the issue reported is included in Known Issues, Ineligible Vulnerabilities Types or lacks evidence of a vulnerability
38
+
39
+ **The following rules must be followed in order for any rewards to be paid:**
40
+
41
+ - You may only test against shops you have created which include your HackerOne YOURHANDLE @ wearehackerone.com registered email address.
42
+ - You must not attempt to gain access to, or interact with, any shops other than those created by you.
43
+ - The use of commercial scanners is prohibited (e.g., Nessus).
44
+ - Rules for reporting must be followed.
45
+ - Do not disclose any issues publicly before they have been resolved.
46
+ - Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.
47
+ - Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.
48
+ - You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.
49
+ - You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.
50
+ - By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.
51
+ - All content submitted by you to Shopify under this program is licensed under the MIT License.
52
+ - You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.
53
+ - Failure to follow any of the foregoing rules will disqualify you from participating in this program.
54
+
55
+ ** Please see our [Hackerone Profile](https://hackerone.com/shopify) for full details
56
+
57
+ ## Receiving Security Updates
58
+
59
+ To recieve all general updates to vulnerabilities, please subscribe to our hackerone [Hacktivity](https://hackerone.com/shopify/hacktivity)
@@ -1,2 +1 @@
1
- <?xml version="1.0" encoding="UTF-8"?>
2
- <svg enable-background="new 0 0 1920 1080" version="1.1" viewBox="0 0 1920 1080" xml:space="preserve" xmlns="http://www.w3.org/2000/svg"><polygon points="1345 330.75 1345 437.24 1224.7 437.24 1224.7 676.56 873.52 676.56 874.04 643.85 1203.2 330.23" fill="#fff"/><path d="m1095.7 677.54c-18.553 0.074-37.107 0.163-55.66 0.126-18.553 0.056-37.107-0.188-55.66-0.233l-13.915-0.063-13.915 0.044-27.83 0.094c-18.553 0.128-37.107-5e-3 -55.66-0.056l-1.266-3e-3 3e-3 -1.259 0.047-22.532-0.093-22.532-0.068-11.266 6e-3 -11.266 0.019-22.532h2.703l0.111 22.532c0.053 7.511 0.06 15.022 0.038 22.532l-0.094 45.065-1.407-1.407c18.553 7e-3 37.107-0.041 55.66 0.086l27.83 0.131 13.915 0.066 13.915-0.028c18.553-8e-3 37.107-0.151 55.66-0.019 18.553 0.099 37.107 0.049 55.66-0.181v2.701z" fill="#0C1238"/><path d="m1225 677.54c-9.24 0.123-18.48 0.187-27.72 0.077l-13.86-0.213c-2.31-0.051-4.62-0.023-6.93 1e-3l-6.93 0.062c-9.24 0.156-18.48 0.076-27.72-0.054-2.31-0.034-4.62 1e-3 -6.93 2e-3l-6.93 0.121c-4.62 0.062-9.24-2e-3 -13.86 3e-3v-2.703c4.62-0.048 9.24-0.165 13.86-0.157l6.93 0.025c2.31 0.027 4.62 0.088 6.93 0.076 9.24-0.024 18.48-0.031 27.72 0.145 4.62 0.038 9.24 0.163 13.86 0.126l13.86-0.081c4.62-0.04 9.24 0.088 13.86 0.101 2.31 0.047 4.62-0.048 6.93-0.065 2.31-0.026 4.62-0.07 6.93-0.169v2.703z" fill="#0C1238"/><path d="m871.68 561.78l-0.13-115.72 0.07-115.72 1e-3 -1.414 1.411 3e-3 117.9 0.228 117.9-0.138 58.951-0.061 58.951 0.072 117.9 0.09 1.218 1e-3 4e-3 1.221 0.156 53.426-0.026 53.426h-2.703l-0.154-53.426 0.04-53.426 1.466 1.466-235.8-0.148-117.9-0.193-117.9 0.087 1.212-1.212-0.084 115.72c-0.058 19.286 0.032 38.573 0.074 57.859l0.15 57.859h-2.705z" fill="#0C1238"/><g fill="#E6E8F0"><circle cx="891.37" cy="344.49" r="6.812"/><circle cx="912.86" cy="345.01" r="6.812"/><circle cx="934.34" cy="345.54" r="6.812"/><path d="m1202.7 352.87h-186.64c-0.552 0-1-0.448-1-1v-11.624c0-0.552 0.448-1 1-1h186.64c0.552 0 1 0.448 1 1v11.624c0 0.552-0.448 1-1 1z" stroke="#F0F3F5" stroke-miterlimit="10"/><rect x="1288.6" y="339.25" width="17.816" height="13.624"/><path d="m1327.4 352.87h-15.816c-0.552 0-1-0.448-1-1v-11.624c0-0.552 0.448-1 1-1h15.816c0.552 0 1 0.448 1 1v11.624c0 0.552-0.447 1-1 1z"/></g><g fill="none" stroke="#8891EA" stroke-miterlimit="10" stroke-width="8"><path d="m1098.3 576.8c-24.295 0-43.99-19.695-43.99-43.99v-29.485c0-2.209 1.791-4 4-4h79.98c2.209 0 4 1.791 4 4v29.485c0 24.295-19.695 43.99-43.99 43.99z"/><path d="m1066 499.33v-12.41c0-17.804 14.433-32.237 32.237-32.237s32.237 14.433 32.237 32.237v12.41"/></g><circle cx="1098.3" cy="529.08" r="8.966" fill="#8891EA"/><line x1="1098.3" x2="1098.3" y1="529.08" y2="546.68" fill="#fff" stroke="#8891EA" stroke-linecap="round" stroke-miterlimit="10" stroke-width="8"/><polygon points="1416.1 676.19 1358 748.57 1416.1 749.77 1225 749.77 1225 659.42 1416.1 437.19" fill="#fff"/><path d="m1415.2 497.07l-0.12-59.83 1.472 1.472-95.89-0.052-47.945-0.135c-15.982-0.023-31.963-0.14-47.945-0.085l1.2-1.2 0.139 78.077c0.086 26.026 4e-3 52.052-0.039 78.077l-0.076 78.077c0.056 26.026 0.201 52.052 0.145 78.077l-1.368-1.368 38.25 0.017v2.703l-38.251 0.1-1.444 4e-3 -6e-3 -1.454c-0.102-26.026-0.045-52.052-0.026-78.077l0.068-78.077 0.067-78.077 0.191-78.077 3e-3 -1.15h1.147l47.945-0.013 47.945-0.051 95.89 0.089 1.121 1e-3 4e-3 1.125 0.226 59.83h-2.703z" fill="#0C1238"/><path d="m1417.9 518.33c0.051 19.268 0.165 38.536 0.128 57.804l-0.022 28.902-0.134 28.902-0.134 28.902 0.061 28.902 0.087 28.902 0.046 14.451-0.034 14.451-3e-3 1.353-1.347-3e-3c-22.64-0.042-45.28-0.192-67.919-0.118l-33.96 0.144-33.96-0.025v-2.703l33.96-0.143 33.96 0.01c11.32 0.049 22.64 0.1 33.96 0.078l33.96-2e-3 -1.409 1.409c-0.03-19.268 0.125-38.536 0.178-57.804l0.103-28.902-0.051-28.902-0.051-28.902 0.081-28.902c0.128-19.268-0.116-38.536-0.204-57.804h2.704z" fill="#0C1238"/><path d="m1400.3 458.72h-160.44c-0.552 0-1-0.448-1-1v-11.624c0-0.552 0.448-1 1-1h160.44c0.552 0 1 0.448 1 1v11.624c0 0.552-0.448 1-1 1z" fill="#E6E8F0" stroke="#F0F3F5" stroke-miterlimit="10"/><path d="m1238.5 467.44c13.587-0.084 27.173-0.121 40.76-0.055l20.38 0.141c6.793 0.061 13.587-0.03 20.38-0.038 13.587-0.116 27.173-0.022 40.76 0.038 6.793 0.029 13.587-0.022 20.38-0.082 6.793-0.046 13.587 0 20.38-5e-3v1.802c-13.587 0.111-27.173 0.144-40.76 0.036-13.587 2e-3 -27.173 0.027-40.76-0.09-6.793-0.025-13.587-0.117-20.38-0.088l-20.38 0.054c-6.793 0.022-13.587-0.048-20.38-0.067-6.793-7e-3 -13.587 0.107-20.38 0.154v-1.8z" fill="#E6E8F0"/><path d="m891.69 362.56c36.392-0.084 72.784-0.121 109.18-0.055l54.588 0.141c18.196 0.062 36.392-0.034 54.588-0.043l218.35-0.043v1.802c-36.392 0.111-72.784 0.144-109.18 0.036l-109.18-0.09-54.588-0.088-54.588 0.054-54.588-0.067-54.588 0.154v-1.801z" fill="#E6E8F0"/><g fill="none" stroke="#8891EA" stroke-miterlimit="10" stroke-width="6"><path d="m1320.6 638.41c-17.878 0-32.371-14.493-32.371-32.371v-21.697c0-1.626 1.318-2.943 2.943-2.943h58.854c1.626 0 2.943 1.318 2.943 2.943v21.697c1e-3 17.878-14.491 32.371-32.369 32.371z"/><path d="m1296.9 581.4v-9.132c0-13.101 10.62-23.722 23.722-23.722 13.101 0 23.722 10.621 23.722 23.722v9.132"/></g><circle cx="1320.6" cy="604.5" r="5.88" fill="#8891EA"/><line x1="1320.6" x2="1320.6" y1="603.3" y2="616.25" fill="#fff" stroke="#8891EA" stroke-linecap="round" stroke-miterlimit="10" stroke-width="6"/><path d="m966.35 697.36l-0.029 13.745c-0.01 1.145 0.011 2.291-0.023 3.436l-0.124 3.436c-0.103 2.291 0.022 4.582 0.121 6.872l-1.912-1.912c10.168-0.857 20.337-0.478 30.505-0.36 5.084 0.104 10.168 0.133 15.252 0.178 5.084 6e-3 10.168 0.199 15.252 0.287l7.626 0.168 7.626 0.264c2.542 0.09 5.084 0.032 7.626 0.023 2.542-0.035 5.084 0.047 7.626 0.065 10.168 0.377 20.337-0.052 30.505 0.201l7.626 0.04c2.542 6e-3 5.084-0.283 7.626-0.394 5.084-0.14 10.168-0.184 15.252-0.268 5.084-0.072 10.168-0.071 15.252-0.204 2.542-0.07 5.084-0.088 7.626-0.118 2.542-0.019 5.084 0.1 7.626 0.143 10.168 0.462 20.337-0.303 30.505 0.192 2.542 0.145 5.084 0.163 7.626 0.139 2.542 0 5.084-0.038 7.626-0.099l15.252-0.314v3.936l-15.252 0.106c-5.084 0.024-10.168 0.012-15.252 0.3-10.168 0.483-20.337-0.281-30.505-0.213-20.337-1.165-40.673 0.704-61.01-0.137-2.542 0.117-5.084 0.33-7.626 0.382-2.542 0.092-5.084 0.173-7.626-0.018s-5.084-0.219-7.626-0.183c-2.542-2e-3 -5.084 0.099-7.626 0.081-2.542-0.027-5.084 0.026-7.626-0.066-1.271-0.039-2.542-0.079-3.813-0.09-1.271-0.022-2.542-0.05-3.813 0.018-2.542 0.097-5.084 0.355-7.626 0.327-1.271-0.037-2.542-0.06-3.813-0.12l-3.813-0.238c-2.542-0.162-5.084-0.324-7.626-0.268-2.542 0.109-5.084-0.092-7.626-0.222-2.542-0.112-5.084-0.326-7.626-0.371-2.542-0.094-5.084-0.061-7.626-0.038-5.084 0.101-10.168 0.266-15.252 0.414-2.542 0.071-5.084 0.122-7.626 0.123l-7.626-0.19-1.598-0.04 0.032-1.527c0.047-2.291 0.153-4.582 9e-3 -6.872l-0.162-3.436c-0.047-1.145-0.04-2.291-0.062-3.436l-0.186-13.745h3.934z" fill="#E6E8F0"/><path d="m1434.8 722.88l16.096 0.019 8.048 0.01c2.683 0.018 5.365-0.029 8.048 0.05l-1.89 1.89c0.07-3.44 0.218-6.88 0.086-10.32l-0.312-10.32c-0.261-6.88-0.364-13.76-0.339-20.639l0.314-41.279c0.052-6.88 0.033-13.76 0.144-20.639l0.275-20.639c0.057-6.88 0.274-13.76 0.375-20.639 0.058-6.88-0.069-13.76 0.033-20.639l0.226-20.639-0.071-10.32-0.046-5.16 0.032-5.16 0.11-20.639c0.012-3.44 0.045-6.88-0.068-10.32-0.149-3.44-0.261-6.88-0.361-10.32l-0.328-41.279c-0.074-6.88-0.188-13.76-0.211-20.639 0.028-6.88 0.177-13.76 0.261-20.639l1.77 1.77c-4.37-0.095-8.74 1e-3 -13.111 1e-3l-13.111 0.063c-4.37 1e-3 -8.74 0.084-13.111 0.016l-13.111-0.231c-4.37-0.118-8.74-0.058-13.111-0.055-4.37-4e-3 -8.74 0.077-13.111 0.113l-26.221 0.29v-3.936l26.221-0.107 13.111-0.052c4.37-0.026 8.74 2e-3 13.111-0.14l13.111-0.262c4.37-0.066 8.74 0.04 13.111 0.051l26.221 0.283 2.211 0.024-0.016 2.172c-0.049 6.88-0.045 13.76-0.139 20.639-0.152 6.88-0.325 13.76-0.304 20.639l0.499 41.279c-0.024 1.72-0.037 3.44-0.138 5.16l-0.297 5.16c-0.137 3.44-0.045 6.88 0.01 10.32 0.12 6.88 0.479 13.76 0.59 20.639 0.273 6.88-0.127 13.76-0.227 20.639-0.014 6.88 0.146 13.76 0.091 20.639 0.051 6.88-0.202 13.76-0.162 20.639 0.04 3.44 0.226 6.88 0.324 10.32 0.061 3.44 4e-3 6.88-0.082 10.32l-0.356 10.32c-0.047 1.72-0.141 3.44-0.149 5.16l2e-3 5.16c-0.012 1.72 0.032 3.44-0.026 5.16l-0.164 5.16-0.335 10.32c-0.306 13.76 0.065 27.519 0.289 41.279 0.074 3.44 0.091 6.88 0.13 10.32 0.059 3.44-0.071 6.88-0.098 10.32l-0.153 10.32c-0.053 1.72 0.021 3.44 0.049 5.16l0.139 5.16 0.044 1.627-1.73 0.06c-2.683 0.093-5.365 0.065-8.048 0.1l-8.048 0.061-16.096 0.121v-3.941z" fill="#E6E8F0"/></svg>
1
+ <svg width="140" height="140" fill="none" xmlns="http://www.w3.org/2000/svg"><path fill-rule="evenodd" clip-rule="evenodd" d="M79 55a9 9 0 00-18 0v8h18v-8zm6 8v-8a15 15 0 00-30 0v8h-5a2 2 0 00-2 2v20a15 15 0 0015 15h14a15 15 0 0015-15V65a2 2 0 00-2-2h-5zM70 90a3 3 0 01-3-3V75a3 3 0 116 0v12a3 3 0 01-3 3z" fill="#8C9196"/></svg>
@@ -132,7 +132,8 @@
132
132
 
133
133
  /* ITP 2.0 solution: handles cookie partitioning */
134
134
  StorageAccessHelper.prototype.setUpHelper = function() {
135
- return new ITPHelper({redirectUrl: window.shopOrigin + "/admin/apps/" + window.apiKey + window.returnTo});
135
+ var shopifyData = document.body.dataset;
136
+ return new ITPHelper({redirectUrl: shopifyData.shopOrigin + "/admin/apps/" + shopifyData.apiKey + shopifyData.returnTo});
136
137
  }
137
138
 
138
139
  StorageAccessHelper.prototype.setCookieAndRedirect = function() {
@@ -1,7 +1,7 @@
1
1
  (function() {
2
2
  function setUpTopLevelInteraction() {
3
3
  var TopLevelInteraction = new ITPHelper({
4
- redirectUrl: window.redirectUrl,
4
+ redirectUrl: document.body.dataset.redirectUrl,
5
5
  });
6
6
 
7
7
  TopLevelInteraction.execute();
@@ -7,6 +7,7 @@ module ShopifyApp
7
7
  included do
8
8
  include ShopifyApp::Localization
9
9
  include ShopifyApp::LoginProtection
10
+ include ShopifyApp::CsrfProtection
10
11
  include ShopifyApp::EmbeddedApp
11
12
  before_action :login_again_if_different_user_or_shop
12
13
  around_action :activate_shopify_session
@@ -0,0 +1,26 @@
1
+ # frozen_string_literal: true
2
+
3
+ module ShopifyApp
4
+ module EnsureAuthenticatedLinks
5
+ extend ActiveSupport::Concern
6
+
7
+ included do
8
+ before_action :redirect_to_splash_page, if: :missing_expected_jwt?
9
+ end
10
+
11
+ private
12
+
13
+ def redirect_to_splash_page
14
+ splash_page_path = root_path(return_to: request.fullpath, shop: current_shopify_domain)
15
+ redirect_to(splash_page_path)
16
+ rescue ShopifyApp::LoginProtection::ShopifyDomainNotFound => error
17
+ Rails.logger.warn("[ShopifyApp::EnsureAuthenticatedLinks] Redirecting to login: [#{error.class}] "\
18
+ "Could not determine current shop domain")
19
+ redirect_to(ShopifyApp.configuration.login_url)
20
+ end
21
+
22
+ def missing_expected_jwt?
23
+ jwt_shopify_domain.blank?
24
+ end
25
+ end
26
+ end
@@ -0,0 +1,39 @@
1
+ # frozen_string_literal: true
2
+
3
+ module ShopifyApp
4
+ module RequireKnownShop
5
+ extend ActiveSupport::Concern
6
+
7
+ included do
8
+ before_action :check_shop_domain
9
+ before_action :check_shop_known
10
+ end
11
+
12
+ def current_shopify_domain
13
+ return if params[:shop].blank?
14
+ @shopify_domain ||= ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
15
+ end
16
+
17
+ private
18
+
19
+ def check_shop_domain
20
+ redirect_to(ShopifyApp.configuration.login_url) unless current_shopify_domain
21
+ end
22
+
23
+ def check_shop_known
24
+ @shop = SessionRepository.retrieve_shop_session_by_shopify_domain(current_shopify_domain)
25
+ redirect_to(shop_login) unless @shop
26
+ end
27
+
28
+ def shop_login
29
+ url = URI(ShopifyApp.configuration.login_url)
30
+
31
+ url.query = URI.encode_www_form(
32
+ shop: params[:shop],
33
+ return_to: request.fullpath,
34
+ )
35
+
36
+ url.to_s
37
+ end
38
+ end
39
+ end
@@ -0,0 +1,32 @@
1
+ # frozen_string_literal: true
2
+
3
+ module ShopifyApp
4
+ module ShopAccessScopesVerification
5
+ extend ActiveSupport::Concern
6
+
7
+ included do
8
+ before_action :login_on_scope_changes
9
+ end
10
+
11
+ protected
12
+
13
+ def login_on_scope_changes
14
+ redirect_to(shop_login) if scopes_mismatch?
15
+ end
16
+
17
+ private
18
+
19
+ def scopes_mismatch?
20
+ ShopifyApp.configuration.shop_access_scopes_strategy.update_access_scopes?(current_shopify_domain)
21
+ end
22
+
23
+ def current_shopify_domain
24
+ return if params[:shop].blank?
25
+ ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
26
+ end
27
+
28
+ def shop_login
29
+ ShopifyApp::Utils.shop_login_url(shop: params[:shop], return_to: request.fullpath)
30
+ end
31
+ end
32
+ end
@@ -1,3 +1,4 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
3
  class AuthenticatedController < ActionController::Base
3
4
  include ShopifyApp::Authenticated
@@ -6,29 +6,96 @@ module ShopifyApp
6
6
  include ShopifyApp::LoginProtection
7
7
 
8
8
  def callback
9
- if auth_hash
10
- login_shop
9
+ return respond_with_error if invalid_request?
11
10
 
12
- if ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
13
- return redirect_to(login_url_with_optional_shop)
14
- end
11
+ store_access_token_and_build_session
15
12
 
16
- install_webhooks
17
- install_scripttags
18
- perform_after_authenticate_job
13
+ if start_user_token_flow?
14
+ return respond_with_user_token_flow
15
+ end
16
+
17
+ perform_post_authenticate_jobs
18
+
19
+ respond_successfully
20
+ end
21
+
22
+ private
23
+
24
+ def respond_successfully
25
+ if jwt_request?
26
+ head(:ok)
27
+ else
28
+ redirect_to(return_address)
29
+ end
30
+ end
31
+
32
+ def respond_with_user_token_flow
33
+ redirect_to(login_url_with_optional_shop)
34
+ end
35
+
36
+ def store_access_token_and_build_session
37
+ if native_browser_request?
38
+ reset_session_options
39
+ end
40
+ set_shopify_session
41
+ end
42
+
43
+ def invalid_request?
44
+ return true unless auth_hash
45
+
46
+ jwt_request? && !valid_jwt_auth?
47
+ end
48
+
49
+ def native_browser_request?
50
+ !jwt_request?
51
+ end
52
+
53
+ def perform_post_authenticate_jobs
54
+ install_webhooks
55
+ install_scripttags
56
+ perform_after_authenticate_job
57
+ end
19
58
 
20
- redirect_to return_address
59
+ def respond_with_error
60
+ if jwt_request?
61
+ head(:unauthorized)
21
62
  else
22
63
  flash[:error] = I18n.t('could_not_log_in')
23
64
  redirect_to(login_url_with_optional_shop)
24
65
  end
25
66
  end
26
67
 
27
- private
68
+ # Override user_session_by_cookie from LoginProtection to bypass allow_cookie_authentication
69
+ # setting check because session cookies are justified at top level
70
+ def user_session_by_cookie
71
+ return unless session[:user_id].present?
72
+ ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
73
+ end
28
74
 
29
- def login_shop
30
- reset_session_options
31
- set_shopify_session
75
+ def start_user_token_flow?
76
+ if jwt_request?
77
+ false
78
+ else
79
+ return false unless ShopifyApp::SessionRepository.user_storage.present?
80
+ update_user_access_scopes?
81
+ end
82
+ end
83
+
84
+ def update_user_access_scopes?
85
+ return true if user_session.blank?
86
+ user_access_scopes_strategy.update_access_scopes?(user_id: session[:user_id])
87
+ end
88
+
89
+ def user_access_scopes_strategy
90
+ ShopifyApp.configuration.user_access_scopes_strategy
91
+ end
92
+
93
+ def jwt_request?
94
+ jwt_shopify_domain || jwt_shopify_user_id
95
+ end
96
+
97
+ def valid_jwt_auth?
98
+ auth_hash && jwt_shopify_domain == shop_name && jwt_shopify_user_id == associated_user_id
32
99
  end
33
100
 
34
101
  def auth_hash
@@ -39,16 +106,33 @@ module ShopifyApp
39
106
  auth_hash.uid
40
107
  end
41
108
 
109
+ def offline_access_token
110
+ ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(shop_name)&.token
111
+ end
112
+
113
+ def online_access_token
114
+ ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(associated_user_id)&.token
115
+ end
116
+
42
117
  def associated_user
43
- return unless auth_hash['extra'].present?
118
+ return unless auth_hash.dig('extra', 'associated_user').present?
119
+
120
+ auth_hash['extra']['associated_user'].merge('scope' => auth_hash['extra']['associated_user_scope'])
121
+ end
44
122
 
45
- auth_hash['extra']['associated_user']
123
+ def associated_user_id
124
+ associated_user && associated_user['id']
46
125
  end
47
126
 
48
127
  def token
49
128
  auth_hash['credentials']['token']
50
129
  end
51
130
 
131
+ def access_scopes
132
+ return unless auth_hash['extra']['scope']
133
+ auth_hash['extra']['scope']
134
+ end
135
+
52
136
  def reset_session_options
53
137
  request.session_options[:renew] = true
54
138
  session.delete(:_csrf_token)
@@ -58,14 +142,17 @@ module ShopifyApp
58
142
  session_store = ShopifyAPI::Session.new(
59
143
  domain: shop_name,
60
144
  token: token,
61
- api_version: ShopifyApp.configuration.api_version
145
+ api_version: ShopifyApp.configuration.api_version,
146
+ access_scopes: access_scopes
62
147
  )
63
148
 
64
149
  session[:shopify_user] = associated_user
65
150
  if session[:shopify_user].present?
151
+ session[:shop_id] = nil if shop_session && shop_session.domain != shop_name
66
152
  session[:user_id] = ShopifyApp::SessionRepository.store_user_session(session_store, associated_user)
67
153
  else
68
154
  session[:shop_id] = ShopifyApp::SessionRepository.store_shop_session(session_store)
155
+ session[:user_id] = nil if user_session && user_session.domain != shop_name
69
156
  end
70
157
  session[:shopify_domain] = shop_name
71
158
  session[:user_session] = auth_hash&.extra&.session
@@ -76,7 +163,7 @@ module ShopifyApp
76
163
 
77
164
  WebhooksManager.queue(
78
165
  shop_name,
79
- shop_session&.token || user_session.token,
166
+ offline_access_token || online_access_token,
80
167
  ShopifyApp.configuration.webhooks
81
168
  )
82
169
  end
@@ -86,7 +173,7 @@ module ShopifyApp
86
173
 
87
174
  ScripttagsManager.queue(
88
175
  shop_name,
89
- shop_session&.token || user_session.token,
176
+ offline_access_token || online_access_token,
90
177
  ShopifyApp.configuration.scripttags
91
178
  )
92
179
  end
@@ -2,19 +2,14 @@
2
2
 
3
3
  module ShopifyApp
4
4
  class ExtensionVerificationController < ActionController::Base
5
+ include ShopifyApp::PayloadVerification
5
6
  protect_from_forgery with: :null_session
6
7
  before_action :verify_request
7
8
 
8
9
  private
9
10
 
10
11
  def verify_request
11
- hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
12
- request_body = request.body.read
13
- secret = ShopifyApp.configuration.secret
14
- digest = OpenSSL::Digest.new('sha256')
15
-
16
- expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
17
- head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
12
+ head(:unauthorized) unless hmac_valid?(request.body.read)
18
13
  end
19
14
  end
20
15
  end
@@ -1,5 +1,6 @@
1
+ # frozen_string_literal: true
1
2
  module ShopifyApp
2
- class SessionsController < ActionController::Base # rubocop:disable Metrics/ClassLength
3
+ class SessionsController < ActionController::Base
3
4
  include ShopifyApp::LoginProtection
4
5
 
5
6
  layout false, only: :new
@@ -29,7 +30,7 @@ module ShopifyApp
29
30
  shop: sanitized_shop_name,
30
31
  return_to: params[:return_to]
31
32
  ),
32
- current_shopify_domain: current_shopify_domain
33
+ current_shopify_domain: current_shopify_domain,
33
34
  })
34
35
  end
35
36
 
@@ -91,8 +92,18 @@ module ShopifyApp
91
92
  end
92
93
  end
93
94
 
95
+ # Override shop_session_by_cookie from LoginProtection to bypass allow_cookie_authentication
96
+ # setting check because session cookies are justified at top level
97
+ def shop_session_by_cookie
98
+ return unless session[:shop_id].present?
99
+ ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
100
+ end
101
+
102
+ # rubocop:disable Lint/SuppressedException
94
103
  def set_user_tokens_option
95
- if shop_session.blank?
104
+ current_shop_session = shop_session
105
+
106
+ if current_shop_session.blank?
96
107
  session[:user_tokens] = false
97
108
  return
98
109
  end
@@ -100,9 +111,9 @@ module ShopifyApp
100
111
  session[:user_tokens] = ShopifyApp::SessionRepository.user_storage.present?
101
112
 
102
113
  ShopifyAPI::Session.temp(
103
- domain: shop_session.domain,
104
- token: shop_session.token,
105
- api_version: shop_session.api_version
114
+ domain: current_shop_session.domain,
115
+ token: current_shop_session.token,
116
+ api_version: current_shop_session.api_version
106
117
  ) do
107
118
  ShopifyAPI::Metafield.find(:token_validity_bogus_check)
108
119
  end
@@ -110,6 +121,7 @@ module ShopifyApp
110
121
  session[:user_tokens] = false
111
122
  rescue StandardError
112
123
  end
124
+ # rubocop:enable Lint/SuppressedException
113
125
 
114
126
  def validate_shop_presence
115
127
  @shop = sanitized_shop_name
@@ -122,12 +134,12 @@ module ShopifyApp
122
134
  end
123
135
 
124
136
  def copy_return_to_param_to_session
125
- session[:return_to] = params[:return_to] if params[:return_to]
137
+ session[:return_to] = RedirectSafely.make_safe(params[:return_to], '/') if params[:return_to]
126
138
  end
127
139
 
128
140
  def render_invalid_shop_error
129
141
  flash[:error] = I18n.t('invalid_shop_url')
130
- redirect_to return_address
142
+ redirect_to(return_address)
131
143
  end
132
144
 
133
145
  def enable_cookie_access
@@ -138,7 +150,7 @@ module ShopifyApp
138
150
  end
139
151
 
140
152
  def authenticate_in_context
141
- redirect_to "#{main_app.root_path}auth/shopify"
153
+ redirect_to("#{main_app.root_path}auth/shopify")
142
154
  end
143
155
 
144
156
  def authenticate_at_top_level
@@ -173,7 +185,7 @@ module ShopifyApp
173
185
  shop: sanitized_shop_name,
174
186
  return_to: session[:return_to]
175
187
  ),
176
- current_shopify_domain: current_shopify_domain
188
+ current_shopify_domain: current_shopify_domain,
177
189
  }
178
190
  )
179
191
  end