RubyGems - shopify_app - Versions diffs - 13.0.0 → 18.0.2 - Mend

shopify_app 13.0.0 → 18.0.2

Files changed (145) hide show

data/docs/Releasing.md CHANGED Viewed

@@ -1,17 +1,21 @@
-Releasing ShopifyApp
+# Releasing ShopifyApp
-1. Check the Semantic Versioning page for info on how to version the new release: http://semver.org
-2. Create a pull request with the following changes:
-  * Update the version of ShopifyApp in lib/shopify_app/version.rb
-  * Add a CHANGELOG entry for the new release with the date
-  * Change the title of the PR to something like: "Packaging for release X.Y.Z"
-3. Merge your pull request
-4. Pull from master so you have the latest version of the shopify_app
-5. Tag the HEAD with the version (Leave REV blank for HEAD or provide a SHA)
-  $ git tag vX.Y.Z
-6. Push out your tags
-  $ git push --tags
-7. Use Shipit to build and push the gem
+1. Make the code changes in a separate PR that doesn't modify the version.
+1. After that is merged, check the Semantic Versioning page for info on how to version the new release: http://semver.org
+1. Create a pull request with the following changes:
+    - Update the version of ShopifyApp in lib/shopify_app/version.rb
+    - Update the version of shopify_app in package.json
+    - Run `bundle` to update `Gemfile.lock`
+    - Add a CHANGELOG entry for the new release with the date
+    - Change the title of the PR to something like: "Packaging for release X.Y.Z"
+1. Merge your pull request
+1. Checkout and pull from master so you have the latest version of the shopify_app
+1. Tag the HEAD with the version
+    ```bash
+    $ git tag -f vX.Y.Z && git push --tags --force
+    ```
+1. Check that Create Release workflow successfully runs
+1. Use Shipit to build and push the gem
-If you see an error like 'You need to create the vX.Y.X tag first', clear GIT
+If you see an error like 'You need to create the vX.Y.X tag first', clear git
 cache in Shipit settings

data/docs/Troubleshooting.md CHANGED Viewed

@@ -1,7 +1,27 @@
-Troubleshooting Shopify App
-===========
+# Troubleshooting Shopify App
-### Generator shopify_app:install hangs
+#### Table of contents
+[Generators](#generators)
+  * [The `shopify_app:install` generator hangs](#the-shopifyappinstall-generator-hangs)
+[Rails](#rails)
+  * [Known issues with Rails `v6.1`](#known-issues-with-rails-v61)
+[App installation](#app-installation)
+  * [My app won't install](#my-app-wont-install)
+  * [My app keeps redirecting to login](#my-app-keeps-redirecting-to-login)
+  * [My app returns 401 during oauth](#my-app-returns-401-during-oauth)
+[JWT session tokens](#jwt-session-tokens)
+  * [My app is still using cookies to authenticate](#my-app-is-still-using-cookies-to-authenticate)
+  * [My app can't make requests to the Shopify API](#my-app-cant-make-requests-to-the-shopify-api)
+[Migrating to App Bridge 2.0](#migrating-to-app-bridge-2.0)
+## Generators
+### The shopify_app:install generator hangs
 Rails uses spring by default to speed up development. To run the generator, spring has to be stopped:
@@ -11,6 +31,129 @@ $ bundle exec spring stop
 Run shopify_app generator again.
-### App installation fails with 'The page you’re looking for could not be found' if the app was installed before
+## Rails
+### Known issues with Rails `v6.1`
+If you recently upgraded your application's `Rails::Application` configuration to load the default configuration for Rails `v6.1`, then you will need to update the following `cookies_same_site_protection` ActionDispatch configuration.
+```diff
+# config/application.rb
+require_relative 'boot'
+require 'rails/all'
+Bundler.require(*Rails.groups)
+module AppName
+  class Application < Rails::Application
++    config.load_defaults 6.1
++    config.action_dispatch.cookies_same_site_protection = :none
+    ...
+  end
+end
+```
+As of Rails `v6.1`, the same-site cookie protection setting defaults  to `Lax`. This does not allow an embedded app to make cross-domain requests in the Shopify Admin.
+Alternatively, you can upgrade to [`v17.2.0` of the shopify_app gem](/docs/Upgrading.md#upgrading-to-v1720).
+## App installation
+### My app won't install
+#### App installation fails with 'The page you’re looking for could not be found' if the app was installed before
 This issue can occur when the session (the model you set as `ShopifyApp::SessionRepository.storage`) isn't deleted when the user uninstalls your app. A possible fix for this is listening to the `app/uninstalled` webhook and deleting the corresponding session in the webhook handler.
+### My app returns 401 during oauth
+If your local dev env uses the `cookie_store` session storage strategy, you may encounter 401 errors during oauth due to a race condition between asset requests and `/auth/shopify`. You should be able to work around for local testing by using a different browser or session storage strategy.  [Read more about the status of this issue](https://github.com/Shopify/shopify_app/issues/1269).
+## JWT session tokens
+### My app is still using cookies to authenticate
+#### `shopify_app` gem version
+Ensure the app is using shopify_app gem v13.x.x+. See [*Upgrading to `v13.0.0`*](/docs/Upgrading.md#upgrading-to-v1300).
+#### `shopify_app` gem Rails configuration
+Edit `config/initializer/shopify_app.rb` and ensure the following configurations are set:
+```diff
++ config.embedded_app = true
++ config.allow_jwt_authentication = true
++ config.allow_cookie_authentication = false
+# This line should already exist if you're using shopify_app gem 13.x.x+
++ config.shop_session_repository = 'Shop'
+```
+#### Inspect server logs
+If you have checked the configurations above, and the app is still using cookies, then it is possible that the `shopify_app` gem defaulted to relying on cookies. This would happen when your browser allows third-party cookies and a session token was not successfully found as part of your request.
+In this case, check the server logs to see if the session token was invalid:
+```los
+[ShopifyApp::JWT] Failed to validate JWT: [JWT::<Error>] <Failure message>
+```
+*Example*
+```
+[ShopifyApp::JWT] Failed to validate JWT: [JWT::ImmatureSignature] Signature nbf has not been reached
+```
+**Note:** In a local development environment, you may want to temporarily update your `Gemfile` to point to a local instance of the `shopify_app` library instad of an installed gem. This will enable you to use a debugging tool like `byebug` to debug the library.
+```diff
+- gem 'shopify_app', '~> 14.2'
++ gem 'shopify_app', path: '/path/to/shopify_app'
+```
+### My app can't make requests to the Shopify API
+> **Note:** Session tokens cannot be used to make authenticated requests to the Shopify API. Learn more about authenticating your backend requests to Shopify APIs at [Shopify API authentication](https://shopify.dev/concepts/about-apis/authentication).
+#### The Shopify API returns `401 Unauthorized`
+If your app uses [user-based token storage](/docs/shopify_app/session-repository.md#user-based-token-storage), then your app is configured to use **online** access tokens (see [API access modes](https://shopify.dev/concepts/about-apis/authentication#api-access-modes) to learn the difference between "online" and "offline" access tokens ). Unlike offline access tokens, online access tokens expire daily and cannot be used to make authenticated requests to the Shopify API once they expire.
+Converting your app to use session tokens means that your app will most likely not go through the OAuth flow as often as it did when relying on cookie sessions. Since the online access tokens stored in your app's database are refreshed during OAuth, this may cause your app's user session repository to use expired online access tokens.
+If the Shopify API  returns `401 Unauthorized`, handle this error on your app by redirecting the user to your login path to start the OAuth flow. As a result, your app will be given a new online access token for the current user.
+> **Note:** The following are examples to common app configurations. Your specific use-case may differ.
+##### Example solution
+Add the following line to your app's unauthorized response handler:
+```diff
++ redirect_to(ShopifyApp.configuration.login_url, shop: current_shopify_domain)
+```
+_Example:_ If your embedded app cannot handle server-side XHR redirects, then configure your app's unauthorized response handler to set a response header:
+```
+X-Shopify-API-Request-Failure-Unauthorized: true
+```
+Then, use the [Shopify App Bridge Redirect](https://shopify.dev/tools/app-bridge/actions/navigation/redirect) action to redirect your app frontend to the app login URL if this header is set.
+## Migrating to App Bridge 2.0
+In order to upgrade your embedded app to the latest App Bridge 2.0 version, please refer to the [migration guide](https://shopify.dev/tutorials/migrate-your-app-to-app-bridge-2).
+To ensure that your app's embedded layout doesn't import App Bridge 2.0 before fully migrating, make the following change to bind it to v1.x.
+```diff
+ - <script src="https://unpkg.com/@shopify/app-bridge"></script>
+ + <script src="https://unpkg.com/@shopify/app-bridge@1"></script>
+```

data/docs/Upgrading.md ADDED Viewed

@@ -0,0 +1,126 @@
+# Upgrading
+This file documents important changes needed to upgrade your app's Shopify App version to a new major version.
+#### Table of contents
+[Upgrading to `v17.2.0`](#upgrading-to-v1720)
+[Upgrading to `v13.0.0`](#upgrading-to-v1300)
+[Upgrading to `v11.7.0`](#upgrading-to-v1170)
+[Upgrading from `v8.6` to `v9.0.0`](#upgrading-from-v86-to-v900)
+## Upgrading to `v17.2.0`
+### Different SameSite cookie attribute behaviour
+To support Rails  `v6.1`, the [`SameSiteCookieMiddleware`](/lib/shopify_app/middleware/same_site_cookie_middleware.rb) was updated to configure cookies to `SameSite=None` if the app is embedded. Before this release, cookies were configured to `SameSite=None` only if this attribute had not previously been set before.
+```diff
+# same_site_cookie_middleware.rb
+- cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
++ cookie << '; SameSite=None' if ShopifyApp.configuration.embedded_app?
+```
+By default, Rails `v6.1` configures `SameSite=Lax` on all cookies that don't specify this attribute.
+## Upgrading to `v13.0.0`
+Version 13.0.0 adds the ability to use both user and shop sessions, concurrently. This however involved a large
+change to how session stores work. Here are the steps to migrate to 13.x
+### Changes to `config/initializers/shopify_app.rb`
+- *REMOVE* `config.per_user_tokens = [true|false]` this is no longer needed
+- *CHANGE* `config.session_repository = 'Shop'` To  `config.shop_session_repository = 'Shop'`
+- *ADD (optional)*  User Session Storage `config.user_session_repository = 'User'`
+### Shop Model Changes (normally `app/models/shop.rb`)
+-  *CHANGE* `include ShopifyApp::SessionStorage` to `include ShopifyApp::ShopSessionStorage`
+### Changes to the @shop_session instance variable (normally in `app/controllers/*.rb`)
+- *CHANGE* if you are using shop sessions, `@shop_session` will need to be changed to `@current_shopify_session`.
+### Changes to Rails `session`
+- *CHANGE* `session[:shopify]` is no longer set. Use `session[:user_id]` if your app uses user based tokens, or `session[:shop_id]` if your app uses shop based tokens.
+### Changes to `ShopifyApp::LoginProtection`
+`ShopifyApp::LoginProtection`
+- CHANGE if you are using `ShopifyApp::LoginProtection#shopify_session` in your code, it will need to be
+changed to `ShopifyApp::LoginProtection#activate_shopify_session`
+- CHANGE if you are using `ShopifyApp::LoginProtection#clear_shop_session` in your code, it will need to be
+changed to `ShopifyApp::LoginProtection#clear_shopify_session`
+### Notes
+You do not need a user model; a shop session is fine for most applications.
+---
+## Upgrading to `v11.7.0`
+### Session storage method signature breaking change
+If you override `def self.store(auth_session)` method in your session storage model (e.g. Shop), the method signature has changed to `def self.store(auth_session, *args)` in order to support user-based token storage. Please update your method signature to include the second argument.
+---
+## Upgrading from `v8.6` to `v9.0.0`
+### Configuration change
+Add an API version configuration in `config/initializers/shopify_app.rb`
+Set this to the version you want to run against by default. See [Shopify API docs](https://help.shopify.com/en/api/versioning) for versions available.
+```ruby
+config.api_version = '2019-04'
+```
+### Session storage change
+You will need to add an `api_version` method to your session storage object.  The default implementation for this is.
+```ruby
+def api_version
+  ShopifyApp.configuration.api_version
+end
+```
+### Generated file change
+`embedded_app.html.erb` the usage of `shop_session.url` needs to be changed to `shop_session.domain`
+```erb
+<script type="text/javascript">
+  ShopifyApp.init({
+    apiKey: "<%= ShopifyApp.configuration.api_key %>",
+    shopOrigin: "<%= "https://#{ @shop_session.url }" if @shop_session %>",
+    debug: false,
+    forceRedirect: true
+  });
+</script>
+```
+is changed to
+```erb
+<script type="text/javascript">
+  ShopifyApp.init({
+    apiKey: "<%= ShopifyApp.configuration.api_key %>",
+    shopOrigin: "<%= "https://#{ @shop_session.domain }" if @shop_session %>",
+    debug: false,
+    forceRedirect: true
+  });
+</script>
+```
+### ShopifyAPI changes
+You will need to also follow the ShopifyAPI [upgrade guide](https://github.com/Shopify/shopify_api/blob/master/README.md#-breaking-change-notice-for-version-700-) to ensure your app is ready to work with API versioning.
+[dashboard]:https://partners.shopify.com
+[app-bridge]:https://help.shopify.com/en/api/embedded-apps/app-bridge

data/docs/shopify_app/authentication.md ADDED Viewed

@@ -0,0 +1,124 @@
+# Authentication
+The Shopify App gem implements [OAuth 2.0](https://shopify.dev/tutorials/authenticate-with-oauth) to get [access tokens](https://shopify.dev/concepts/about-apis/authentication#api-access-modes). These are used to authenticate requests made by the app to the Shopify API.
+By default, the gem generates an embedded app frontend that uses [Shopify App Bridge](https://shopify.dev/tools/app-bridge) to fetch [session tokens](https://shopify.dev/concepts/apps/building-embedded-apps-using-session-tokens). Session tokens are used by the embedded app to make authenticated requests to the app backend.
+See [*Authenticate an embedded app using session tokens*](https://shopify.dev/tutorials/authenticate-your-app-using-session-tokens) to learn more.
+> ⚠️ Be sure you understand the differences between the types of authentication schemes before reading this guide.
+#### Table of contents
+[OAuth callback](#oauth-callback)
+[Run jobs after the OAuth flow](#run-jobs-after-the-oauth-flow)
+[Rotate API credentials](#rotate-api-credentials)
+[Available authentication mixins](#available-authentication-mixins)
+  * [`ShopifyApp::Authenticated`](#shopifyappauthenticated)
+  * [`ShopifyApp::EnsureAuthenticatedLinks`](#shopifyappensureauthenticatedlinks)
+## OAuth callback
+>️ **Note:** In Shopify App version 8.4.0, we have extracted the callback logic in its own controller. If you are upgrading from a version older than 8.4.0 the callback action and related helper methods were defined in `ShopifyApp::SessionsController` ==> you will have to extend `ShopifyApp::CallbackController` instead and port your logic to the new controller.
+Upon completing the OAuth flow, Shopify calls the app at the `callback_path`. If the app needs to do some extra work, it can define and configure the route to a custom callback controller, inheriting from `ShopifyApp::CallbackController` and hook into or override any of the defined helper methods. The default callback controller already provides the following behaviour:
+* Logging into the shop and resetting the session
+* [Installing Webhooks](/docs/shopify_app/webhooks.md)
+* [Setting Scripttags](/docs/shopify_app/script-tags.md)
+* [Run jobs after the OAuth flow](#run-jobs-after-the-oauth-flow)
+* Redirecting to the return address
+## Run jobs after the OAuth flow
+See [`ShopifyApp::AfterAuthenticateJob`](/lib/generators/shopify_app/add_after_authenticate_job/templates/after_authenticate_job.rb).
+If your app needs to perform specific actions after the user is authenticated successfully (i.e. every time a new session is created), ShopifyApp can queue or run a job of your choosing (note that we already provide support for automatically creating Webhooks and Scripttags). To configure the after authenticate job, update your initializer as follows:
+```ruby
+ShopifyApp.configure do |config|
+  config.after_authenticate_job = { job: "Shopify::AfterAuthenticateJob" }
+end
+```
+The job can be configured as either a class or a class name string.
+If you need the job to run synchronously add the `inline` flag:
+```ruby
+ShopifyApp.configure do |config|
+  config.after_authenticate_job = { job: Shopify::AfterAuthenticateJob, inline: true }
+end
+```
+We've also provided a generator which creates a skeleton job and updates the initializer for you:
+```
+bin/rails g shopify_app:add_after_authenticate_job
+```
+If you want to perform that action only once, e.g. send a welcome email to the user when they install the app, you should make sure that this action is idempotent, meaning that it won't have an impact if run multiple times.
+## Rotate API credentials
+If your Shopify secret key is leaked, you can use the RotateShopifyTokenJob to perform [API Credential Rotation](https://help.shopify.com/en/api/getting-started/authentication/oauth/api-credential-rotation).
+Before running the job, you'll need to generate a new secret key from your Shopify Partner dashboard, and update the `/config/initializers/shopify_app.rb` to hold your new and old secret keys:
+```ruby
+config.secret = Rails.application.secrets.shopify_secret
+config.old_secret = Rails.application.secrets.old_shopify_secret
+```
+We've provided a generator which creates the job and an example rake task:
+```sh
+bin/rails g shopify_app:rotate_shopify_token_job
+```
+The generated rake task will be found at `lib/tasks/shopify/rotate_shopify_token.rake` and is provided strictly for example purposes. It might not work with your application out of the box without some configuration.
+```ruby
+strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret
+```
+> **Note:** If you are updating `shopify_app` from a version prior to 8.4.2 (and do not wish to run the default/install generator again), you will need to add [the following line](https://github.com/Shopify/shopify_app/blob/4f7e6cca2a472d8f7af44b938bd0fcafe4d8e88a/lib/generators/shopify_app/install/templates/shopify_provider.rb#L18) to `config/initializers/omniauth.rb`:
+## Available authentication mixins
+### `ShopifyApp::Authenticated`
+The engine provides a [`ShopifyApp::Authenticated`](/app/controllers/concerns/shopify_app/authenticated.rb) concern which should be included in any controller that is intended to be behind Shopify OAuth. It adds `before_action`s to ensure that the user is authenticated and will redirect to the Shopify login page if not. It is best practice to include this concern in a base controller inheriting from your `ApplicationController`, from which all controllers that require Shopify authentication inherit.
+*Example:*
+```rb
+class AuthenticatedController < ApplicationController
+  include ShopifyApp::Authenticated
+end
+class ApiController < AuthenticatedController
+  # Actions in this controller are protected
+end
+```
+For backwards compatibility, the engine still provides a controller called `ShopifyApp::AuthenticatedController` which includes the `ShopifyApp::Authenticated` concern. Note that it inherits directly from `ActionController::Base`, so you will not be able to share functionality between it and your application's `ApplicationController`.
+### `ShopifyApp::EnsureAuthenticatedLinks`
+The [`ShopifyApp::EnsureAuthenticatedLinks`](/app/controllers/concerns/shopify_app/ensure_authenticated_links.rb) concern helps authenticate users that access protected pages of your app directly.
+Include this concern in your app's `AuthenticatedController` if your app uses session tokens with [Turbolinks](https://github.com/turbolinks/turbolinks). It adds a `before_action` filter that detects whether a session token is present or not. If a session token is not found, the user is redirected to your app's splash page path (`root_path`) along with `return_to` and `shop` parameters.
+*Example:*
+```rb
+class AuthenticatedController < ApplicationController
+  include ShopifyApp::EnsureAuthenticatedLinks
+  include ShopifyApp::Authenticated
+end
+```
+See [Authenticate server-side rendered embedded apps using Rails and Turbolinks](https://shopify.dev/tutorials/authenticate-server-side-rendered-embedded-apps-using-rails-and-turbolinks) for more information.