shopify_app 13.0.1 → 13.4.0

data/app/controllers/concerns/shopify_app/authenticated.rb

@@ -7,6 +7,7 @@ module ShopifyApp
     included do
       include ShopifyApp::Localization
       include ShopifyApp::LoginProtection
+      include ShopifyApp::CsrfProtection
       include ShopifyApp::EmbeddedApp
       before_action :login_again_if_different_user_or_shop
       around_action :activate_shopify_session

data/app/controllers/concerns/shopify_app/require_known_shop.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module RequireKnownShop
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :check_shop_domain
+      before_action :check_shop_known
+    end
+
+    def current_shopify_domain
+      return if params[:shop].blank?
+      @shopify_domain ||= ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
+    end
+
+    private
+
+    def check_shop_domain
+      redirect_to(ShopifyApp.configuration.login_url) unless current_shopify_domain
+    end
+
+    def check_shop_known
+      @shop = SessionRepository.retrieve_shop_session_by_shopify_domain(current_shopify_domain)
+      redirect_to(shop_login) unless @shop
+    end
+
+    def shop_login
+      url = URI(ShopifyApp.configuration.login_url)
+
+      url.query = URI.encode_www_form(
+        shop: params[:shop],
+        return_to: request.fullpath,
+      )
+
+      url.to_s
+    end
+  end
+end

data/app/controllers/shopify_app/callback_controller.rb

@@ -6,10 +6,22 @@ module ShopifyApp
     include ShopifyApp::LoginProtection
 
     def callback
-      if auth_hash
-        login_shop
+      unless auth_hash
+        return respond_with_error
+      end
+
+      if jwt_request? && !valid_jwt_auth?
+        return respond_with_error
+      end
+
+      if jwt_request?
+        set_shopify_session
+        head(:ok)
+      else
+        reset_session_options
+        set_shopify_session
 
-        if ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
+        if redirect_for_user_token?
           return redirect_to(login_url_with_optional_shop)
         end
 
@@ -18,17 +30,30 @@ module ShopifyApp
         perform_after_authenticate_job
 
         redirect_to(return_address)
+      end
+    end
+
+    private
+
+    def respond_with_error
+      if jwt_request?
+        head(:unauthorized)
       else
         flash[:error] = I18n.t('could_not_log_in')
         redirect_to(login_url_with_optional_shop)
       end
     end
 
-    private
+    def redirect_for_user_token?
+      ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
+    end
 
-    def login_shop
-      reset_session_options
-      set_shopify_session
+    def jwt_request?
+      jwt_shopify_domain || jwt_shopify_user_id
+    end
+
+    def valid_jwt_auth?
+      auth_hash && jwt_shopify_domain == shop_name && jwt_shopify_user_id == associated_user_id
     end
 
     def auth_hash
@@ -45,6 +70,10 @@ module ShopifyApp
       auth_hash['extra']['associated_user']
     end
 
+    def associated_user_id
+      associated_user && associated_user['id']
+    end
+
     def token
       auth_hash['credentials']['token']
     end
@@ -63,9 +92,11 @@ module ShopifyApp
 
       session[:shopify_user] = associated_user
       if session[:shopify_user].present?
+        session[:shop_id] = nil if shop_session && shop_session.domain != shop_name
         session[:user_id] = ShopifyApp::SessionRepository.store_user_session(session_store, associated_user)
       else
         session[:shop_id] = ShopifyApp::SessionRepository.store_shop_session(session_store)
+        session[:user_id] = nil if user_session && user_session.domain != shop_name
       end
       session[:shopify_domain] = shop_name
       session[:user_session] = auth_hash&.extra&.session

data/app/controllers/shopify_app/extension_verification_controller.rb

@@ -2,19 +2,14 @@
 
 module ShopifyApp
   class ExtensionVerificationController < ActionController::Base
+    include ShopifyApp::PayloadVerification
     protect_from_forgery with: :null_session
     before_action :verify_request
 
     private
 
     def verify_request
-      hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
-      request_body = request.body.read
-      secret = ShopifyApp.configuration.secret
-      digest = OpenSSL::Digest.new('sha256')
-
-      expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
-      head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
+      head(:unauthorized) unless hmac_valid?(request.body.read)
     end
   end
 end

data/app/controllers/shopify_app/sessions_controller.rb

@@ -125,7 +125,7 @@ module ShopifyApp
     end
 
     def copy_return_to_param_to_session
-      session[:return_to] = params[:return_to] if params[:return_to]
+      session[:return_to] = RedirectSafely.make_safe(params[:return_to], '/') if params[:return_to]
     end
 
     def render_invalid_shop_error

data/app/controllers/shopify_app/webhooks_controller.rb

@@ -9,7 +9,7 @@ module ShopifyApp
       params.permit!
       job_args = { shop_domain: shop_domain, webhook: webhook_params.to_h }
       webhook_job_klass.perform_later(job_args)
-      head(:no_content)
+      head(:ok)
     end
 
     private

data/config/locales/nl.yml

@@ -1,20 +1,20 @@
 ---
 nl:
-  logged_out: u bent afgemeld
+  logged_out: Je bent afgemeld
   could_not_log_in: Kon niet aanmelden bij Shopify-winkel
   invalid_shop_url: Ongeldig winkeldomein
   enable_cookies_heading: Schakel cookies in van %{app}
-  enable_cookies_body: U moet cookies in deze browser handmatig inschakelen om %{app}
+  enable_cookies_body: Je moet cookies in deze browser handmatig inschakelen om %{app}
     binnen Shopify te gebruiken.
-  enable_cookies_footer: Met cookies kan de app u verifiëren door uw voorkeuren en
+  enable_cookies_footer: Met cookies kan de app je verifiëren door je voorkeuren en
     persoonlijke informatie tijdelijk op te slaan. Ze vervallen na 30 dagen.
   enable_cookies_action: Schakel cookies in
-  top_level_interaction_heading: Uw browser moet %{app} verifiëren
-  top_level_interaction_body: Uw browser heeft apps nodig zoals %{app} om u toegang
-    te vragen tot cookies voordat Shopify het voor u kan openen.
+  top_level_interaction_heading: Je browser moet %{app} verifiëren
+  top_level_interaction_body: Je browser heeft apps nodig zoals %{app} om je toegang
+    te vragen tot cookies voordat Shopify het voor je kan openen.
   top_level_interaction_action: Doorgaan
   request_storage_access_heading: "%{app} heeft toegang tot cookies nodig"
-  request_storage_access_body: Hiermee kan de app u verifiëren door uw persoonlijke
+  request_storage_access_body: Hiermee kan de app je verifiëren door je persoonlijke
     gegevens tijdelijk op te slaan. Klik op Doorgaan en sta cookies toe om de app
     te gebruiken.
   request_storage_access_footer: Cookies verlopen na 30 dagen.

data/docs/Quickstart.md

@@ -1,7 +1,8 @@
 Quickstart
 ==========
 
-Get started building and deploying a new Shopify App to Heroku in just a few minutes. This guide assumes you have Ruby/Rails installed on your computer already; if you haven't done that already start with [this guide.](https://guides.rubyonrails.org/v5.0/getting_started.html#installing-rails)
+Get started building and deploying a new Shopify App to Heroku in just a few minutes.
+This guide assumes you have Ruby, Rails and PostgreSQL installed on your computer already; if you haven't done that already start with [this guide.](https://guides.rubyonrails.org/v5.0/getting_started.html#installing-rails)
 
 1. New Rails App (with postgres)
 --------------------------------
@@ -26,15 +27,6 @@ Head to the Heroku dashboard and create a new app, or run the following commands
 CLI:
 ```sh
 $ heroku create name
-$ heroku git:remote -a name
-```
-
-Once you have created an app on Heroku, we need to let Git know where the Heroku server is so we can deploy to it later. Copy the app's name from your Heroku dashboard and substitute `appname.git` with the name you chose earlier:
-
-web:
-```sh
-# https://dashboard.heroku.com/new
-$ git remote add heroku git@heroku.com:appname.git
 ```
 
 3. Create a new App in the Shopify Partner dashboard
@@ -48,11 +40,10 @@ $ git remote add heroku git@heroku.com:appname.git
 4. Add ShopifyApp to Gemfile
 ----------------------------
 
-Run these commands to add the `shopify_app` Gem to your app:
+Run this command to add the `shopify_app` Gem to your app:
 
 ```sh
-$ echo "gem 'shopify_app'" >> Gemfile
-$ bundle install
+$ bundle add shopify_app
 ```
 
 **Note:** we recommend using the latest version of Shopify Gem. Check the [Git tags](https://github.com/Shopify/shopify_app/tags) to see the latest release version and then add it to your Gemfile e.g `gem 'shopify_app', '~> 7.0.0'`
@@ -64,14 +55,13 @@ Generate the code for your app by running these commands:
 
 ```sh
 # Use the keys from your app you created in the partners area
-$ rails generate shopify_app --api_key <shopify_api_key> --secret <shopify_api_secret>
+$ rails generate shopify_app
 $ git add .
 $ git commit -m 'generated shopify app'
 ```
 
-If you forget to set your keys or redirect uri above, you will find them in the shopify_app initializer at: `/config/initializers/shopify_app.rb`.
-
-We recommend adding a gem or utilizing environment variables (`.env`) to handle your keys before releasing your app. [Learn more about using environment variables.](https://www.honeybadger.io/blog/ruby-guide-environment-variables/)
+Your API key and secret are read from environment variables. Refer to the main
+README for further details on how to set this up.
 
 6. Deploy your app
 ---------

data/docs/Releasing.md

@@ -3,6 +3,7 @@ Releasing ShopifyApp
 1. Check the Semantic Versioning page for info on how to version the new release: http://semver.org
 2. Create a pull request with the following changes:
   * Update the version of ShopifyApp in lib/shopify_app/version.rb
+  * Update the version of shopify_app in package.json
   * Add a CHANGELOG entry for the new release with the date
   * Change the title of the PR to something like: "Packaging for release X.Y.Z"
 3. Merge your pull request

data/lib/generators/shopify_app/install/install_generator.rb

@@ -46,7 +46,7 @@ module ShopifyApp
           copy_file('shopify_app.js', 'app/javascript/shopify_app/shopify_app.js')
           copy_file('flash_messages.js', 'app/javascript/shopify_app/flash_messages.js')
           copy_file('shopify_app_index.js', 'app/javascript/shopify_app/index.js')
-          append_to_file('app/javascript/packs/application.js', 'require("shopify_app")')
+          append_to_file('app/javascript/packs/application.js', "require(\"shopify_app\")\n")
         else
           copy_file('shopify_app.js', 'app/assets/javascripts/shopify_app.js')
           copy_file('flash_messages.js', 'app/assets/javascripts/flash_messages.js')

data/lib/generators/shopify_app/install/templates/flash_messages.js

@@ -20,7 +20,5 @@ if (!document.documentElement.hasAttribute("data-turbolinks-preview")) {
         isError: true,
       }).dispatch(Toast.Action.SHOW);
     }
-
-    document.removeEventListener(eventName, flash)
   });
 }

data/lib/generators/shopify_app/install/templates/{shopify_app.rb → shopify_app.rb.tt}

@@ -8,7 +8,7 @@ ShopifyApp.configure do |config|
   config.embedded_app = <%= embedded_app? %>
   config.after_authenticate_job = false
   config.api_version = "<%= @api_version %>"
-  config.shop_session_repository = 'ShopifyApp::InMemoryShopSessionStore'
+  config.shop_session_repository = 'Shop'
 end
 
 # ShopifyApp::Utils.fetch_known_api_versions                        # Uncomment to fetch known api versions from shopify servers on boot

data/lib/generators/shopify_app/shop_model/shop_model_generator.rb

@@ -30,9 +30,13 @@ module ShopifyApp
         Rails.version.match(/\d\.\d/)[0]
       end
 
-      # for generating a timestamp when using `create_migration`
-      def self.next_migration_number(dir)
-        ActiveRecord::Generators::Base.next_migration_number(dir)
+      class << self
+        private :next_migration_number
+
+        # for generating a timestamp when using `create_migration`
+        def next_migration_number(dir)
+          ActiveRecord::Generators::Base.next_migration_number(dir)
+        end
       end
     end
   end

data/lib/generators/shopify_app/user_model/user_model_generator.rb

@@ -30,9 +30,13 @@ module ShopifyApp
         Rails.version.match(/\d\.\d/)[0]
       end
 
-      # for generating a timestamp when using `create_migration`
-      def self.next_migration_number(dir)
-        ActiveRecord::Generators::Base.next_migration_number(dir)
+      class << self
+        private :next_migration_number
+
+        # for generating a timestamp when using `create_migration`
+        def next_migration_number(dir)
+          ActiveRecord::Generators::Base.next_migration_number(dir)
+        end
       end
     end
   end

data/lib/shopify_app.rb

@@ -4,6 +4,7 @@ require 'shopify_app/version'
 # deps
 require 'shopify_api'
 require 'omniauth-shopify-oauth2'
+require 'redirect_safely'
 
 module ShopifyApp
   def self.rails6?
@@ -26,12 +27,14 @@ module ShopifyApp
   require 'shopify_app/utils'
 
   # controller concerns
+  require 'shopify_app/controller_concerns/csrf_protection'
   require 'shopify_app/controller_concerns/localization'
   require 'shopify_app/controller_concerns/itp'
   require 'shopify_app/controller_concerns/login_protection'
   require 'shopify_app/controller_concerns/embedded_app'
-  require 'shopify_app/controller_concerns/webhook_verification'
+  require 'shopify_app/controller_concerns/payload_verification'
   require 'shopify_app/controller_concerns/app_proxy_verification'
+  require 'shopify_app/controller_concerns/webhook_verification'
 
   # jobs
   require 'shopify_app/jobs/webhooks_manager_job'
@@ -42,6 +45,7 @@ module ShopifyApp
   require 'shopify_app/managers/scripttags_manager'
 
   # middleware
+  require 'shopify_app/middleware/jwt_middleware'
   require 'shopify_app/middleware/same_site_cookie_middleware'
 
   # session

data/lib/shopify_app/controller_concerns/app_proxy_verification.rb

@@ -2,7 +2,6 @@
 module ShopifyApp
   module AppProxyVerification
     extend ActiveSupport::Concern
-
     included do
       skip_before_action :verify_authenticity_token, raise: false
       before_action :verify_proxy_request

data/lib/shopify_app/controller_concerns/csrf_protection.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module CsrfProtection
+    extend ActiveSupport::Concern
+    included do
+      protect_from_forgery with: :exception, unless: :valid_session_token?
+    end
+
+    private
+
+    def valid_session_token?
+      request.env['jwt.shopify_domain']
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -83,17 +83,11 @@ module ShopifyApp
     protected
 
     def jwt_shopify_domain
-      return unless jwt
-      @jwt_shopify_domain ||= JWT.new(jwt).shopify_domain
+      request.env['jwt.shopify_domain']
     end
 
     def jwt_shopify_user_id
-      return unless jwt
-      @jwt_user_id ||= JWT.new(jwt).shopify_user_id
-    end
-
-    def jwt
-      @jwt ||= authenticate_with_http_token { |token| token }
+      request.env['jwt.shopify_user_id']
     end
 
     def redirect_to_login
@@ -108,7 +102,7 @@ module ShopifyApp
           path = referer.path
           query = "#{referer.query}&#{sanitized_params.to_query}"
         end
-        session[:return_to] = "#{path}?#{query}"
+        session[:return_to] = query.blank? ? path.to_s : "#{path}?#{query}"
         redirect_to(login_url_with_optional_shop)
       end
     end
@@ -139,7 +133,7 @@ module ShopifyApp
       query_params = {}
       query_params[:shop] = sanitized_params[:shop] if params[:shop].present?
 
-      return_to = session[:return_to] || params[:return_to]
+      return_to = RedirectSafely.make_safe(session[:return_to] || params[:return_to], nil)
 
       if return_to.present? && return_to_param_required?
         query_params[:return_to] = return_to
@@ -170,7 +164,10 @@ module ShopifyApp
     end
 
     def current_shopify_domain
-      shopify_domain = sanitized_shop_name || session[:shopify_domain]
+      shopify_domain = sanitized_shop_name ||
+        jwt_shopify_domain ||
+        session[:shopify_domain]
+
       return shopify_domain if shopify_domain.present?
 
       raise ShopifyDomainNotFound
@@ -205,11 +202,16 @@ module ShopifyApp
     end
 
     def return_address
+      return base_return_address unless ShopifyApp.configuration.allow_jwt_authentication
+      return_address_with_params(shop: current_shopify_domain)
+    end
+
+    def base_return_address
       session.delete(:return_to) || ShopifyApp.configuration.root_url
     end
 
     def return_address_with_params(params)
-      uri = URI(return_address)
+      uri = URI(base_return_address)
       uri.query = CGI.parse(uri.query.to_s)
         .symbolize_keys
         .transform_values { |v| v.one? ? v.first : v }