shopify_app 13.0.1 → 13.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c32f23c198e7bfcc44d3557857c11194ce71f2dc8a1a42ff0d220569c4eb4599
-  data.tar.gz: cf430f7fb26c01592d68d5110a5690f290452ab18c5853dcc4602c5f1d5c0521
+  metadata.gz: e8f69498c3370637fc886cc8ca40f4a83262f6965249b703964eb79fff2d8bbf
+  data.tar.gz: 1d2e06d998ecdc4f864de34bb85b81354418af9c2c361d415a19757a29651962
 SHA512:
-  metadata.gz: 4af6eb8ff59c68d9bc1089c577d90d40cfa2997550331314e90f620580da62898000e2b7568616b077fa15080878d0e8ddc9a09160490dea3a4ce719f4e814cd
-  data.tar.gz: b3cf9731363e7df4b3cc78f057bd96204f25f9ab2832662e2cc7e98a3e52ad98ef68d142bcca6d9c96d232eac2cc1dbc2518a41d364f1470247100c2eddd92fc
+  metadata.gz: c6972f6068811592085cf2dcb2dadfefd6f7a95f7e1c46121e2c904fac5ab3d4527f5077cb223587be1704b271fccff483a859111bc66e390097953f0604c31b
+  data.tar.gz: d74aade09cf4bafaac2f4c4d7b9658738fbb469e5c02f6b9c7ee21dbd8ca427e94e9d5e737aa92aadab1deadf2707e6521e5e51f7786a542cfa8d7ae89f171b1

data/.rubocop.yml

@@ -2,9 +2,8 @@ inherit_gem:
     rubocop-shopify: rubocop.yml
 
 AllCops:
-  TargetRubyVersion: 2.4
+  TargetRubyVersion: 2.7
   Exclude:
-    - 'lib/generators/**/*'
     - 'test/tmp/**/*'
 
 Style/MethodCallWithArgsParentheses:

data/.travis.yml

@@ -13,9 +13,10 @@ cache:
   yarn: true
 
 rvm:
-  - 2.4.3
-  - 2.5.0
-  - 2.6.2
+  - 2.4
+  - 2.5
+  - 2.6
+  - 2.7
 
 install:
   - bundle install

data/CHANGELOG.md

@@ -1,8 +1,16 @@
+13.1.0
+------
+* Adds the shop URL as a parameter when redirecting after the callback
+* Bump minimum Ruby version to 2.4
+* Bug fixes
+
 13.0.1
 ------
 * Small addition to WebhookJob to return if the shop is nil #952
 * Added Rubocop to the Repo #948
 * Added a WebhookVerification test helper #950
+* Fix for deprecation warning while loading session storage at startup
+* Changes that will allow future JWT authentication
 
 13.0.1
 ------

data/README.md

@@ -8,7 +8,7 @@ Shopify App
 
 Shopify Application Rails engine and generator
 
-#### NOTE : Versions 8.0.0 through 8.2.3 contained a CSRF vulnerability that was addressed in version 8.2.4. Please update to version 8.2.4 if you're using an old version.
+#### NOTE: Versions 8.0.0 through 8.2.3 contained a CSRF vulnerability that was addressed in version 8.2.4. Please update to version 8.2.4 if you're using an old version.
 
 Table of Contents
 -----------------
@@ -34,7 +34,7 @@ Introduction
 -----------
 Get started with the [Shopify Admin API](https://help.shopify.com/en/api/getting-started) faster; This gem includes a Rails Engine and generators for writing Rails applications using the Shopify API. The Engine provides a SessionsController and all the required code for authenticating with a shop via Oauth (other authentication methods are not supported).
 
-*Note: It's recommended to use this on a new Rails project, so that the generator won't overwrite/delete your files.*
+*Note: It's recommended to use this on a new Rails project so that the generator won't overwrite/delete your files.*
 
 Learn how to create and deploy a new Shopify App to Heroku with our [quickstart guide](https://github.com/Shopify/shopify_app/blob/master/docs/Quickstart.md), or dive in in less than 5 minutes with this quickstart video:
 
@@ -42,7 +42,7 @@ Learn how to create and deploy a new Shopify App to Heroku with our [quickstart
 
 Become a Shopify App Developer
 --------------------------------
-To become a Shopify App Developer you'll need a [Shopify Partner account.](http://shopify.com/partners) If you don't have a Shopify Partner account, head to http://shopify.com/partners to create one before you start.
+To become a Shopify App Developer, you'll need a [Shopify Partner account.](http://shopify.com/partners) If you don't have a Shopify Partner account, head to http://shopify.com/partners to create one before you start.
 
 Once you have a Partner account, [create a new application in the Partner Dashboard](https://help.shopify.com/en/api/tools/partner-dashboard/your-apps) to get an API key and other API credentials.
 
@@ -50,7 +50,7 @@ To create an application for development set your new app's `App URL` to the URL
 
 Installation
 ------------
-To get started add `shopify_app` to your Gemfile and run `bundle install`:
+To get started, add `shopify_app` to your Gemfile and run `bundle install`:
 
 ``` sh
 # Create a new rails app
@@ -67,7 +67,7 @@ Now we are ready to run any of the [generators](#generators) included with `shop
 
 #### Rails Compatibility
 
-The lastest version of shopify_app is compatible with Rails `>= 5`. Use version `<= v7.2.8` if you need to work with Rails 4.
+The latest version of shopify_app is compatible with Rails `>= 5`. Use version `<= v7.2.8` if you need to work with Rails 4.
 
 
 Generators
@@ -94,7 +94,7 @@ SHOPIFY_API_SECRET=your api secret
 
 These values can be found on the "App Setup" page in the [Shopify Partners Dashboard][dashboard]. If you are checking your code into a code repository, ensure your `.gitignore` prevents your `.env` file from being checked into any publicly accessible code.
 
-**You will need to load the ENV variables into your enviroment, you can do this with the [dot-env](https://github.com/bkeepers/dotenv) gem or any other method you wish to.**
+**You will need to load the ENV variables into your environment, you can do this with the [dot-env](https://github.com/bkeepers/dotenv) gem or any other method you wish to.**
 
 ### Install Generator
 
@@ -108,12 +108,12 @@ $ rails generate shopify_app:install
 
 Other options include:
 * `application_name` - the name of your app, it can be supplied with or without double-quotes if a whitespace is present. (e.g. `--application_name Example App` or `--application_name "Example App"`)
-* `scope` - the Oauth access scope required for your app, eg **read_products, write_orders**. *Multiple options* need to be delimited by a comma-space, and can be supplied with or without double-quotes
+* `scope` - the Oauth access scope required for your app, e.g. **read_products, write_orders**. *Multiple options* need to be delimited by a comma-space and can be supplied with or without double-quotes
 (e.g. `--scope read_products, write_orders, write_products` or `--scope "read_products, write_orders, write_products"`)
 For more information, refer the [docs](http://docs.shopify.com/api/tutorials/oauth).
 * `embedded` - the default is to generate an [embedded app](http://docs.shopify.com/embedded-app-sdk), if you want a legacy non-embedded app then set this to false, `--embedded false`
 
-You can update any of these settings later on easily, the arguments are simply for convenience.
+You can update any of these settings later on easily; the arguments are simply for convenience.
 
 The generator adds ShopifyApp and the required initializers to the host Rails application.
 
@@ -126,7 +126,7 @@ After running the `install` generator, you can start your app with `bundle exec
 $ rails generate shopify_app:home_controller
 ```
 
-This generator creates an example home controller and view which fetches and displays products using the Shopify API
+This generator creates an example home controller and view which fetches and displays products using the Shopify API.
 
 
 ### App Proxy Controller Generator
@@ -135,7 +135,7 @@ This generator creates an example home controller and view which fetches and dis
 $ rails generate shopify_app:app_proxy_controller
 ```
 
-This optional generator, not included with the default generator, creates the app proxy controller to handle proxy requests to the app from your shop storefront, modifies 'config/routes.rb' with a namespace route, and an example view which displays current shop information using the LiquidAPI
+This optional generator, not included with the default generator, creates the app proxy controller to handle proxy requests to the app from your shop storefront, modifies 'config/routes.rb' with a namespace route, and an example view which displays current shop information using the LiquidAPI.
 
 ### Marketing Extension Generator
 
@@ -147,7 +147,7 @@ This will create a controller with the endpoints required to build a [marketing
 
 ### Controllers, Routes and Views
 
-The last group of generators are for your convenience if you want to start overriding code included as part of the Rails engine. For example by default the engine provides a simple SessionController, if you run the `rails generate shopify_app:controllers` generator then this code gets copied out into your app so you can start adding to it. Routes and views follow the exact same pattern.
+The last group of generators are for your convenience if you want to start overriding code included as part of the Rails engine. For example, by default the engine provides a simple SessionController, if you run the `rails generate shopify_app:controllers` generator then this code gets copied out into your app so you can start adding to it. Routes and views follow the exact same pattern.
 
 Mounting the Engine
 -------------------
@@ -170,7 +170,7 @@ The engine may also be mounted at a nested route, for example:
 mount ShopifyApp::Engine, at: '/nested'
 ```
 
-This will create the Shopify engine routes under the specified subpath. You'll also need to make some updates to your `shopify_app.rb` and `omniauth.rb` initializers. First update the shopify_app initializer to include a custom `root_url` e.g.:
+This will create the Shopify engine routes under the specified subpath. You'll also need to make some updates to your `shopify_app.rb` and `omniauth.rb` initializers. First, update the shopify_app initializer to include a custom `root_url` e.g.:
 
 ```ruby
 ShopifyApp.configure do |config|
@@ -216,7 +216,7 @@ Authentication
 
 ### Callback
 
-Upon completing the authentication flow Shopify calls the app at the `callback_path` mentioned before. If the app needs to do some extra work it can define and configure the route to a custom callback controller, inheriting from `ShopifyApp::CallbackController` and hook into or override any of the defined helper methods. The default callback controller already provides the following behaviour:
+Upon completing the authentication flow, Shopify calls the app at the `callback_path` mentioned before. If the app needs to do some extra work, it can define and configure the route to a custom callback controller, inheriting from `ShopifyApp::CallbackController` and hook into or override any of the defined helper methods. The default callback controller already provides the following behaviour:
 * Logging into the shop and resetting the session
 * [Installing Webhooks](https://github.com/Shopify/shopify_app#webhooksmanager)
 * [Setting Scripttags](https://github.com/Shopify/shopify_app#scripttagsmanager)
@@ -227,22 +227,22 @@ Upon completing the authentication flow Shopify calls the app at the `callback_p
 
 ### ShopifyApp::SessionRepository
 
-`ShopifyApp::SessionRepository` allows you as a developer to define how your sessions are stored and retrieved for shops. The `SessionRepository` is configured in the `config/initializers/shopify_app.rb` file and can be set to any object that implements `self.store(auth_session, *args)` which stores the session and returns a unique identifier and `self.retrieve(id)` which returns a `ShopifyAPI::Session` for the passed id. These methods are already implemented as part of the `ShopifyApp::SessionStorage` concern, but can be overridden for custom implementation.
+`ShopifyApp::SessionRepository` allows you as a developer to define how your sessions are stored and retrieved for shops. The `SessionRepository` is configured in the `config/initializers/shopify_app.rb` file and can be set to any object that implements `self.store(auth_session, *args)` which stores the session and returns a unique identifier and `self.retrieve(id)` which returns a `ShopifyAPI::Session` for the passed id. These methods are already implemented as part of the `ShopifyApp::SessionStorage` concern but can be overridden for custom implementation.
 
 #### Shop-based token storage
-Storing tokens on the store model means that any user login associated to the store will have equal access levels to whatever the original user granted the app.
+Storing tokens on the store model means that any user login associated with the store will have equal access levels to whatever the original user granted the app.
 ```sh
 $ rails generate shopify_app:shop_model
 ```
 This will generate a shop model which will be the storage for the tokens necessary for authentication.
 
 #### User-based token storage
-A more granular control over level of access per user on an app might be necessary, to which the shop-based token strategy is not sufficient. Shopify supports a user-based token storage strategy where a unique token to each user can be managed. Shop tokens must still be maintained if you are running background jobs so that you can make use of them when necessary.
+A more granular control over the level of access per user on an app might be necessary, to which the shop-based token strategy is not sufficient. Shopify supports a user-based token storage strategy where a unique token to each user can be managed. Shop tokens must still be maintained if you are running background jobs so that you can make use of them when necessary.
 ```sh
 $ rails generate shopify_app:shop_model
 $ rails generate shopify_app:user_model
 ```
-This will generate a shop model and user model which will be the storage for the tokens necessary for authentication.
+This will generate a shop model and user model, which will be the storage for the tokens necessary for authentication.
 
 The current Shopify user will be stored in the rails session at `session[:shopify_user]`
 
@@ -276,7 +276,7 @@ For backwards compatibility, the engine still provides a controller called `Shop
 
 ### AfterAuthenticate Job
 
-If your app needs to perform specific actions after the user is authenticated successfully (i.e. every time a new session is created), ShopifyApp can queue or run a job of your choosing (note that we already provide support for automatically creating Webhooks and Scripttags). To configure the after authenticate job update your initializer as follows:
+If your app needs to perform specific actions after the user is authenticated successfully (i.e. every time a new session is created), ShopifyApp can queue or run a job of your choosing (note that we already provide support for automatically creating Webhooks and Scripttags). To configure the after authenticate job, update your initializer as follows:
 
 ```ruby
 ShopifyApp.configure do |config|
@@ -324,11 +324,11 @@ ShopifyApp.configure do |config|
 end
 ```
 
-When the oauth callback is completed successfully ShopifyApp will queue a background job which will ensure all the specified webhooks exist for that shop. Because this runs on every oauth callback it means your app will always have the webhooks it needs even if the user uninstalls and re-installs the app.
+When the oauth callback is completed successfully, ShopifyApp will queue a background job which will ensure all the specified webhooks exist for that shop. Because this runs on every oauth callback, it means your app will always have the webhooks it needs even if the user uninstalls and re-installs the app.
 
-ShopifyApp also provides a WebhooksController that receives webhooks and queues a job based on the received topic. For example if you register the webhook from above then all you need to do is create a job called `CartsUpdateJob`. The job will be queued with 2 params: `shop_domain` and `webhook` (which is the webhook body).
+ShopifyApp also provides a WebhooksController that receives webhooks and queues a job based on the received topic. For example, if you register the webhook from above, then all you need to do is create a job called `CartsUpdateJob`. The job will be queued with 2 params: `shop_domain` and `webhook` (which is the webhook body).
 
-If you would like to namespace your jobs you may set `webhook_jobs_namespace` in the config. For example if your app handles webhooks from other ecommerce applications as well, and you want Shopify cart update webhooks to be processed by a job living in `jobs/shopify/webhooks/carts_update_job.rb` rather than `jobs/carts_update_job.rb`):
+If you would like to namespace your jobs, you may set `webhook_jobs_namespace` in the config. For example, if your app handles webhooks from other ecommerce applications as well, and you want Shopify cart update webhooks to be processed by a job living in `jobs/shopify/webhooks/carts_update_job.rb` rather than `jobs/carts_update_job.rb`):
 
 ```ruby
 ShopifyApp.configure do |config|
@@ -366,9 +366,9 @@ class CustomWebhooksController < ApplicationController
 end
 ```
 
-The module skips the `verify_authenticity_token` before_action and adds an action to verify that the webhook came from Shopify. You can now add a post route to your application pointing to the controller and action to accept the webhook data from Shopify.
+The module skips the `verify_authenticity_token` before_action and adds an action to verify that the webhook came from Shopify. You can now add a post route to your application, pointing to the controller and action to accept the webhook data from Shopify.
 
-The WebhooksManager uses ActiveJob, if ActiveJob is not configured then by default Rails will run the jobs inline. However it is highly recommended to configure a proper background processing queue like sidekiq or resque in production.
+The WebhooksManager uses ActiveJob. If ActiveJob is not configured then by default Rails will run the jobs inline. However, it is highly recommended to configure a proper background processing queue like sidekiq or resque in production.
 
 ShopifyApp can create webhooks for you using the `add_webhook` generator. This will add the new webhook to your config and create the required job class for you.
 
@@ -376,7 +376,7 @@ ShopifyApp can create webhooks for you using the `add_webhook` generator. This w
 rails g shopify_app:add_webhook -t carts/update -a https://example.com/webhooks/carts_update
 ```
 
-where `-t` is the topic and `-a` is the address the webhook should be sent to.
+Where `-t` is the topic and `-a` is the address the webhook should be sent to.
 
 ScripttagsManager
 -----------------
@@ -475,7 +475,7 @@ see [TROUBLESHOOTING.md](https://github.com/Shopify/shopify_app/blob/master/docs
 Using Test Helpers inside your Application
 -----------------------------------------
 
-A test helper that will allow you to test `ShopifyApp::WebhookVerification` in the controller from your app, to use this test, you need to `require` it directly in side you app `test/controllers/webhook_verification_test.rb`.
+A test helper that will allow you to test `ShopifyApp::WebhookVerification` in the controller from your app, to use this test, you need to `require` it directly inside your app `test/controllers/webhook_verification_test.rb`.
 
 ```ruby
     require 'test_helper'
@@ -484,7 +484,7 @@ A test helper that will allow you to test `ShopifyApp::WebhookVerification` in t
     require 'shopify_app/test_helpers/webhook_verification_helper'
 ```
 
-or you can require in your `test/test_helper.rb`
+Or you can require in your `test/test_helper.rb`.
 
 ```ruby
   ENV['RAILS_ENV'] ||= 'test'
@@ -521,7 +521,7 @@ change to how session stores work. Here are the steps to migrate to 13.x
 -  *CHANGE* `include ShopifyApp::SessionStorage` to `include ShopifyApp::ShopSessionStorage`
 
 ### Changes to the @shop_session instance variable (normally in `app/controllers/*.rb`)
-- *CHANGE* if you are using shop sessions, `@shop_session` will need to be changed to `@current_shopify_session`
+- *CHANGE* if you are using shop sessions, `@shop_session` will need to be changed to `@current_shopify_session`.
 
 ### Changes to Rails `session`
 - *CHANGE* `session[:shopify]` is no longer set. Use `session[:user_id]` if your app uses user based tokens, or `session[:shop_id]` if your app uses shop based tokens.
@@ -533,7 +533,7 @@ if you are using `ShopifyApp::LoginProtection#shop_session` in your code, it wil
 changed to `ShopifyApp::LoginProtection#activate_shopify_session`
 
 ### Notes
-You do not need a user model, a shop session is fine for most applications.
+You do not need a user model; a shop session is fine for most applications.
 
 Questions or problems?
 ----------------------
@@ -579,7 +579,7 @@ config.api_version = '2019-04'
 
 ### Session storage change
 
-You will need to add an `api_version` method to you session storage object.  The default implementation for this is.
+You will need to add an `api_version` method to your session storage object.  The default implementation for this is.
 ```ruby
 def api_version
   ShopifyApp.configuration.api_version

data/config/locales/nl.yml

@@ -1,20 +1,20 @@
 ---
 nl:
-  logged_out: u bent afgemeld
+  logged_out: je bentafgemeld
   could_not_log_in: Kon niet aanmelden bij Shopify-winkel
   invalid_shop_url: Ongeldig winkeldomein
   enable_cookies_heading: Schakel cookies in van %{app}
-  enable_cookies_body: U moet cookies in deze browser handmatig inschakelen om %{app}
+  enable_cookies_body: Je moet cookies in deze browser handmatig inschakelen om %{app}
     binnen Shopify te gebruiken.
-  enable_cookies_footer: Met cookies kan de app u verifiëren door uw voorkeuren en
+  enable_cookies_footer: Met cookies kan de app je verifiëren door je voorkeuren en
     persoonlijke informatie tijdelijk op te slaan. Ze vervallen na 30 dagen.
   enable_cookies_action: Schakel cookies in
-  top_level_interaction_heading: Uw browser moet %{app} verifiëren
-  top_level_interaction_body: Uw browser heeft apps nodig zoals %{app} om u toegang
-    te vragen tot cookies voordat Shopify het voor u kan openen.
+  top_level_interaction_heading: Je browser moet %{app} verifiëren
+  top_level_interaction_body: Je browser heeft apps nodig zoals %{app} om je toegang
+    te vragen tot cookies voordat Shopify het voor je kan openen.
   top_level_interaction_action: Doorgaan
   request_storage_access_heading: "%{app} heeft toegang tot cookies nodig"
-  request_storage_access_body: Hiermee kan de app u verifiëren door uw persoonlijke
+  request_storage_access_body: Hiermee kan de app je verifiëren door je persoonlijke
     gegevens tijdelijk op te slaan. Klik op Doorgaan en sta cookies toe om de app
     te gebruiken.
   request_storage_access_footer: Cookies verlopen na 30 dagen.

data/lib/generators/shopify_app/install/install_generator.rb

@@ -46,7 +46,7 @@ module ShopifyApp
           copy_file('shopify_app.js', 'app/javascript/shopify_app/shopify_app.js')
           copy_file('flash_messages.js', 'app/javascript/shopify_app/flash_messages.js')
           copy_file('shopify_app_index.js', 'app/javascript/shopify_app/index.js')
-          append_to_file('app/javascript/packs/application.js', 'require("shopify_app")')
+          append_to_file('app/javascript/packs/application.js', "require(\"shopify_app\")\n")
         else
           copy_file('shopify_app.js', 'app/assets/javascripts/shopify_app.js')
           copy_file('flash_messages.js', 'app/assets/javascripts/flash_messages.js')

data/lib/generators/shopify_app/shop_model/shop_model_generator.rb

@@ -30,9 +30,13 @@ module ShopifyApp
         Rails.version.match(/\d\.\d/)[0]
       end
 
-      # for generating a timestamp when using `create_migration`
-      def self.next_migration_number(dir)
-        ActiveRecord::Generators::Base.next_migration_number(dir)
+      class << self
+        private :next_migration_number
+
+        # for generating a timestamp when using `create_migration`
+        def next_migration_number(dir)
+          ActiveRecord::Generators::Base.next_migration_number(dir)
+        end
       end
     end
   end

data/lib/generators/shopify_app/user_model/user_model_generator.rb

@@ -30,9 +30,13 @@ module ShopifyApp
         Rails.version.match(/\d\.\d/)[0]
       end
 
-      # for generating a timestamp when using `create_migration`
-      def self.next_migration_number(dir)
-        ActiveRecord::Generators::Base.next_migration_number(dir)
+      class << self
+        private :next_migration_number
+
+        # for generating a timestamp when using `create_migration`
+        def next_migration_number(dir)
+          ActiveRecord::Generators::Base.next_migration_number(dir)
+        end
       end
     end
   end

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -108,7 +108,7 @@ module ShopifyApp
           path = referer.path
           query = "#{referer.query}&#{sanitized_params.to_query}"
         end
-        session[:return_to] = "#{path}?#{query}"
+        session[:return_to] = query.blank? ? path.to_s : "#{path}?#{query}"
         redirect_to(login_url_with_optional_shop)
       end
     end
@@ -205,11 +205,16 @@ module ShopifyApp
     end
 
     def return_address
+      return base_return_address unless ShopifyApp.configuration.allow_jwt_authentication
+      return_address_with_params(shop: current_shopify_domain)
+    end
+
+    def base_return_address
       session.delete(:return_to) || ShopifyApp.configuration.root_url
     end
 
     def return_address_with_params(params)
-      uri = URI(return_address)
+      uri = URI(base_return_address)
       uri.query = CGI.parse(uri.query.to_s)
         .symbolize_keys
         .transform_values { |v| v.one? ? v.first : v }

data/lib/shopify_app/session/jwt.rb

@@ -1,48 +1,61 @@
 # frozen_string_literal: true
 module ShopifyApp
   class JWT
+    class InvalidDestinationError < StandardError; end
+    class MismatchedHostsError < StandardError; end
+    class InvalidAudienceError < StandardError; end
+
+    WARN_EXCEPTIONS = [
+      ::JWT::DecodeError,
+      ::JWT::ExpiredSignature,
+      ::JWT::ImmatureSignature,
+      ::JWT::VerificationError,
+      InvalidAudienceError,
+      InvalidDestinationError,
+      MismatchedHostsError,
+    ]
+
     def initialize(token)
       @token = token
       set_payload
     end
 
     def shopify_domain
-      payload && dest_host
+      @payload && ShopifyApp::Utils.sanitize_shop_domain(@payload['dest'])
     end
 
     def shopify_user_id
-      payload && payload['sub']
+      @payload && @payload['sub']
     end
 
     private
 
-    def payload
-      return unless @payload
-      return unless dest_host
-      return unless dest_host == iss_host
-      return unless @payload['aud'] == ShopifyApp.configuration.api_key
-
-      @payload
-    end
-
     def set_payload
-      @payload, _ = parse_token_data(ShopifyApp.configuration.secret)
-      configuration_old_secret = @payload && ShopifyApp.configuration
-      @payload, _ = parse_token_data(ShopifyApp.configuration.old_secret) unless configuration_old_secret
+      payload, _ = parse_token_data(ShopifyApp.configuration&.secret, ShopifyApp.configuration&.old_secret)
+      @payload = validate_payload(payload)
+    rescue *WARN_EXCEPTIONS => error
+      Rails.logger.warn("[ShopifyApp::JWT] Failed to validate JWT: [#{error.class}] #{error}")
+      nil
     end
 
-    def parse_token_data(secret)
+    def parse_token_data(secret, old_secret)
       ::JWT.decode(@token, secret, true, { algorithm: 'HS256' })
-    rescue ::JWT::DecodeError, ::JWT::VerificationError, ::JWT::ExpiredSignature, ::JWT::ImmatureSignature
-      nil
-    end
+    rescue ::JWT::VerificationError
+      raise unless old_secret
 
-    def dest_host
-      @payload && ShopifyApp::Utils.sanitize_shop_domain(@payload['dest'])
+      ::JWT.decode(@token, old_secret, true, { algorithm: 'HS256' })
     end
 
-    def iss_host
-      @payload && ShopifyApp::Utils.sanitize_shop_domain(@payload['iss'])
+    def validate_payload(payload)
+      dest_host = ShopifyApp::Utils.sanitize_shop_domain(payload['dest'])
+      iss_host = ShopifyApp::Utils.sanitize_shop_domain(payload['iss'])
+      api_key = ShopifyApp.configuration.api_key
+
+      raise InvalidAudienceError, "'aud' claim does not match api_key" unless payload['aud'] == api_key
+      raise InvalidDestinationError, "'dest' claim host not a valid shopify host" unless dest_host
+      raise MismatchedHostsError, "'dest' claim host does not match 'iss' claim host" unless dest_host == iss_host
+
+      payload
     end
   end
 end

data/lib/shopify_app/test_helpers/all.rb

@@ -1 +1,2 @@
+# frozen_string_literal: true
 require 'shopify_app/test_helpers/webhook_verification_helper'

data/lib/shopify_app/test_helpers/webhook_verification_helper.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   module TestHelpers
     module WebhookVerificationHelper
@@ -8,7 +9,7 @@ module ShopifyApp
         @request.headers['HTTP_X_SHOPIFY_HMAC_SHA256'] = valid_hmac
       end
 
-      def unauthorized_webhook_verification_headers!(params = {})
+      def unauthorized_webhook_verification_headers!
         @request.headers['HTTP_X_SHOPIFY_HMAC_SHA256'] = "invalid_hmac"
       end
     end

data/lib/shopify_app/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module ShopifyApp
-  VERSION = '13.0.1'
+  VERSION = '13.1.0'
 end

data/shopify_app.gemspec

@@ -9,7 +9,7 @@ Gem::Specification.new do |s|
   s.author      = "Shopify"
   s.summary     = 'This gem is used to get quickly started with the Shopify API'
 
-  s.required_ruby_version = ">= 2.3.1"
+  s.required_ruby_version = ">= 2.4"
 
   s.metadata['allowed_push_host'] = 'https://rubygems.org'
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 13.0.1
+  version: 13.1.0
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-14 00:00:00.000000000 Z
+date: 2020-04-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: browser_sniffer
@@ -301,7 +301,7 @@ files:
 - lib/generators/shopify_app/add_marketing_activity_extension/add_marketing_activity_extension_generator.rb
 - lib/generators/shopify_app/add_marketing_activity_extension/templates/marketing_activities_controller.rb
 - lib/generators/shopify_app/add_webhook/add_webhook_generator.rb
-- lib/generators/shopify_app/add_webhook/templates/webhook_job.rb
+- lib/generators/shopify_app/add_webhook/templates/webhook_job.rb.tt
 - lib/generators/shopify_app/app_proxy_controller/app_proxy_controller_generator.rb
 - lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_controller.rb
 - lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_route.rb
@@ -319,7 +319,7 @@ files:
 - lib/generators/shopify_app/install/templates/omniauth.rb
 - lib/generators/shopify_app/install/templates/session_store.rb
 - lib/generators/shopify_app/install/templates/shopify_app.js
-- lib/generators/shopify_app/install/templates/shopify_app.rb
+- lib/generators/shopify_app/install/templates/shopify_app.rb.tt
 - lib/generators/shopify_app/install/templates/shopify_app_index.js
 - lib/generators/shopify_app/install/templates/shopify_provider.rb
 - lib/generators/shopify_app/install/templates/user_agent.rb
@@ -385,7 +385,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.1
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="