shopify_app 13.2.0 → 14.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 342e069a4f4d0d9bd824403f44cbcf25e398c8e869b4c31058199c7a13daca19
-  data.tar.gz: cebba3a407077d4dd86183b6aa4fe702593cfacb5de7f630305fefb7bf0ed545
+  metadata.gz: eb6669e0b864299f689103042e4c59cb4ddc7e53481b559275b64accc6e390b9
+  data.tar.gz: 9e3481e24e1e44ef799ac573025e532814acff362d0c9ea3f44b3e4000a68037
 SHA512:
-  metadata.gz: 3d7e6c9dc9a521fe022f91e3c2761ff451a34fb67a61ebe3ac5888e5a19924d8eea912a9d644c4255ab0570c959ee8f56f6b30b98809b9d6bb9e09323f7bfec3
-  data.tar.gz: 67ed9dbc2897dce008f35c760251d64c708319a2171617692caedf01026b8366dd5f3ac9609d23c2ee8d196d2b90a34adce2bcf2974e7541bfa24a74a06c303b
+  metadata.gz: 13f7898748c764d9093d8479ce61a3b1f2d5e9d3ebf7b04a952af7587ef243f9c785c3573c45a915a909a6b9d6cb15ea0d63ab34ed424c45401419f331aa141d
+  data.tar.gz: ba8649d90387c3c5c8050ad69923a9e56509955016c5d8bfd955e8870bf0d55f6ed3956dc1643e2f11aa655730e82504e7c28a472a7fcc542a4977b76169ebf4

data/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,6 @@
+Before submitting the PR, please consider if any of the following are needed:
+
+- [ ] Update `CHANGELOG.md` if the changes would impact users
+- [ ] Update `README.md`, if appropriate.
+- [ ] Update any relevant pages in `docs/`, if necessary
+- [ ] For security fixes, the [Disclosure Policy](https://github.com/Shopify/shopify_app/blob/master/SECURITY.md#disclosure-policy) must be followed.

data/.github/workflows/rubocop.yml

@@ -0,0 +1,28 @@
+name: RuboCop
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby 2.7
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.7
+    - name: Cache gems
+      uses: actions/cache@v1
+      with:
+        path: vendor/bundle
+        key: ${{ runner.os }}-rubocop-${{ hashFiles('**/Gemfile.lock') }}
+        restore-keys: |
+          ${{ runner.os }}-rubocop-
+    - name: Install gems
+      run: |
+        bundle config path vendor/bundle
+        bundle config set without 'default development test'
+        bundle install --jobs 4 --retry 3
+    - name: Run RuboCop
+      run: bundle exec rubocop --parallel

data/.rubocop.yml

@@ -5,6 +5,7 @@ AllCops:
   TargetRubyVersion: 2.7
   Exclude:
     - 'test/tmp/**/*'
+    - 'vendor/bundle/**/*'
 
 Style/MethodCallWithArgsParentheses:
   Exclude:

data/.travis.yml

@@ -13,7 +13,6 @@ cache:
   yarn: true
 
 rvm:
-  - 2.4
   - 2.5
   - 2.6
   - 2.7

data/CHANGELOG.md

@@ -1,3 +1,26 @@
+14.0.0
+------
+* Ruby 2.4 is no longer supported by this gem
+* Bump gemspec ruby dependency to 2.5
+* (Beta) Add `--with-session-token` flag to the Shopify App generator to create an app that is compatible with App Bridge Authentication
+
+13.5.0
+------
+* Add `signal_access_token_required` helper method for apps to indicate access token has expired and that a new one is required
+
+13.4.1
+------
+* Fix the version checks for the dependency on `shopify_api` to allow all of v9.X
+
+13.4.0
+------
+* Skip CSRF protection if a valid signed JWT token is present as we trust Shopify to be the only source that can sign it securely. [#994](https://github.com/Shopify/shopify_app/pull/994)
+
+13.3.0
+------
+* Added Payload Verification module [#992](https://github.com/Shopify/shopify_app/pull/992)
+* Add concern to check for valid shop domains in the unauthenticated controller
+
 13.2.0
 ------
 * Get current shop domain from JWT header

data/Gemfile

@@ -6,4 +6,6 @@ gemspec
 
 gem 'rails-controller-testing', group: :test
 
-gem 'rubocop-shopify', require: false
+group :rubocop do
+  gem 'rubocop-shopify', require: false
+end

data/README.md

@@ -32,7 +32,7 @@ Table of Contents
 
 Introduction
 -----------
-Get started with the [Shopify Admin API](https://help.shopify.com/en/api/getting-started) faster; This gem includes a Rails Engine and generators for writing Rails applications using the Shopify API. The Engine provides a SessionsController and all the required code for authenticating with a shop via Oauth (other authentication methods are not supported).
+Get started with the [Shopify Admin API](https://help.shopify.com/en/api/getting-started) faster; This gem includes a Rails Engine and generators for writing Rails applications using the Shopify API. The Engine provides a SessionsController and all the required code for authenticating with a shop via OAuth (other authentication methods are not supported).
 
 *Note: It's recommended to use this on a new Rails project so that the generator won't overwrite/delete your files.*
 
@@ -58,8 +58,7 @@ $ rails new my_shopify_app
 $ cd my_shopify_app
 
 # Add the gem shopify_app to your Gemfile
-$ echo "gem 'shopify_app'" >> Gemfile
-$ bundle install
+$ bundle add shopify_app
 ```
 
 Now we are ready to run any of the [generators](#generators) included with `shopify_app`. The following section explains the generators and what you can do with them.
@@ -75,7 +74,7 @@ Generators
 
 ### Default Generator
 
-The default generator will run the `install`, `shop`, and `home_controller` generators. This is the recommended way to start a new app from scratch:
+The default generator will run the `install`, `shop`, `authenticated_controller`, and `home_controller` generators. This is the recommended way to start a new app from scratch:
 
 ```sh
 $ rails generate shopify_app
@@ -99,16 +98,12 @@ These values can be found on the "App Setup" page in the [Shopify Partners Dashb
 ### Install Generator
 
 ```sh
-$ rails generate shopify_app:install
-
-# or optionally with arguments:
-
 $ rails generate shopify_app:install
 ```
 
-Other options include:
+Options include:
 * `application_name` - the name of your app, it can be supplied with or without double-quotes if a whitespace is present. (e.g. `--application_name Example App` or `--application_name "Example App"`)
-* `scope` - the Oauth access scope required for your app, e.g. **read_products, write_orders**. *Multiple options* need to be delimited by a comma-space and can be supplied with or without double-quotes
+* `scope` - the OAuth access scope required for your app, e.g. **read_products, write_orders**. *Multiple options* need to be delimited by a comma-space and can be supplied with or without double-quotes
 (e.g. `--scope read_products, write_orders, write_products` or `--scope "read_products, write_orders, write_products"`)
 For more information, refer the [docs](http://docs.shopify.com/api/tutorials/oauth).
 * `embedded` - the default is to generate an [embedded app](http://docs.shopify.com/embedded-app-sdk), if you want a legacy non-embedded app then set this to false, `--embedded false`
@@ -128,6 +123,16 @@ $ rails generate shopify_app:home_controller
 
 This generator creates an example home controller and view which fetches and displays products using the Shopify API.
 
+Options include:
+* __[beta]__ `with-session-token`: This flag generates an unauthenticated home_controller and a protected sample products_controller. It also creates a home view that leverages a session token to fetch products from your products_controller. Use this flag if you plan to build a single-page application or to secure your app using JWT session tokens (e.g. `--with-session-token` or `--with-session-token true`). 
+
+### Products Controller Generator
+
+```sh
+$ rails generate shopify_app:products_controller
+```
+
+This generator creates an example products API controller to fetch products using the Shopify API.
 
 ### App Proxy Controller Generator
 
@@ -143,7 +148,7 @@ This optional generator, not included with the default generator, creates the ap
 $ rails generate shopify_app:add_marketing_activity_extension
 ```
 
-This will create a controller with the endpoints required to build a [marketing activities extension](https://help.shopify.com/en/api/embedded-apps/app-extensions/shopify-admin/marketing-activities). The extension will be generated with a base url at `/marketing_activities`, which should also be configured in partners.
+This will create a controller with the endpoints required to build a [marketing activities extension](https://help.shopify.com/en/api/embedded-apps/app-extensions/shopify-admin/marketing-activities). The extension will be generated with a base URL at `/marketing_activities`, which should also be configured in partners.
 
 ### Controllers, Routes and Views
 
@@ -324,7 +329,7 @@ ShopifyApp.configure do |config|
 end
 ```
 
-When the oauth callback is completed successfully, ShopifyApp will queue a background job which will ensure all the specified webhooks exist for that shop. Because this runs on every oauth callback, it means your app will always have the webhooks it needs even if the user uninstalls and re-installs the app.
+When the OAuth callback is completed successfully, ShopifyApp will queue a background job which will ensure all the specified webhooks exist for that shop. Because this runs on every OAuth callback, it means your app will always have the webhooks it needs even if the user uninstalls and re-installs the app.
 
 ShopifyApp also provides a WebhooksController that receives webhooks and queues a job based on the received topic. For example, if you register the webhook from above, then all you need to do is create a job called `CartsUpdateJob`. The job will be queued with 2 params: `shop_domain` and `webhook` (which is the webhook body).
 
@@ -368,7 +373,7 @@ end
 
 The module skips the `verify_authenticity_token` before_action and adds an action to verify that the webhook came from Shopify. You can now add a post route to your application, pointing to the controller and action to accept the webhook data from Shopify.
 
-The WebhooksManager uses ActiveJob. If ActiveJob is not configured then by default Rails will run the jobs inline. However, it is highly recommended to configure a proper background processing queue like sidekiq or resque in production.
+The WebhooksManager uses ActiveJob. If ActiveJob is not configured then by default Rails will run the jobs inline. However, it is highly recommended to configure a proper background processing queue like Sidekiq or Resque in production.
 
 ShopifyApp can create webhooks for you using the `add_webhook` generator. This will add the new webhook to your config and create the required job class for you.
 
@@ -459,7 +464,7 @@ class ReviewsController < ApplicationController
 end
 ```
 
-Create your app proxy url in the [Shopify Partners' Dashboard][dashboard], making sure to point it to `https://your_app_website.com/app_proxy`.
+Create your app proxy URL in the [Shopify Partners' Dashboard][dashboard], making sure to point it to `https://your_app_website.com/app_proxy`.
 ![Creating an App Proxy](/images/app-proxy-screenshot.png)
 
 App Bridge
@@ -529,8 +534,10 @@ change to how session stores work. Here are the steps to migrate to 13.x
 ### Changes to `ShopifyApp::LoginProtection`
 `ShopifyApp::LoginProtection`
 
-if you are using `ShopifyApp::LoginProtection#shop_session` in your code, it will need to be
+- CHANGE if you are using `ShopifyApp::LoginProtection#shopify_session` in your code, it will need to be
 changed to `ShopifyApp::LoginProtection#activate_shopify_session`
+- CHANGE if you are using `ShopifyApp::LoginProtection#clear_shop_session` in your code, it will need to be
+changed to `ShopifyApp::LoginProtection#clear_shopify_session`
 
 ### Notes
 You do not need a user model; a shop session is fine for most applications.
@@ -571,7 +578,7 @@ Upgrading from 8.6 to 9.0.0
 
 ### Configuration change
 
-Add an api version configuration in `config/initializers/shopify_app.rb`
+Add an API version configuration in `config/initializers/shopify_app.rb`
 Set this to the version you want to run against by default. See [Shopify API docs](https://help.shopify.com/en/api/versioning) for versions available.
 ```ruby
 config.api_version = '2019-04'
@@ -617,7 +624,7 @@ is changed to
 
 ### ShopifyAPI changes
 
-You will need to also follow the ShopifyAPI [upgrade guide](https://github.com/Shopify/shopify_api/blob/master/README.md#-breaking-change-notice-for-version-700-) to ensure your app is ready to work with api versioning.
+You will need to also follow the ShopifyAPI [upgrade guide](https://github.com/Shopify/shopify_api/blob/master/README.md#-breaking-change-notice-for-version-700-) to ensure your app is ready to work with API versioning.
 
 [dashboard]:https://partners.shopify.com
 [app-bridge]:https://help.shopify.com/en/api/embedded-apps/app-bridge

data/SECURITY.md

@@ -0,0 +1,59 @@
+# Security Policy
+
+## Supported versions
+
+### New features
+
+New features will only be added to the master branch and will not be made available in point releases.
+
+### Bug fixes
+
+Only the latest release series will receive bug fixes. When enough bugs are fixed and its deemed worthy to release a new gem, this is the branch it happens from.
+
+### Security issues
+
+Only the latest release series will receive patches and new versions in case of a security issue.
+
+### Severe security issues
+
+For severe security issues we will provide new versions as above, and also the last major release series will receive patches and new versions. The classification of the security issue is judged by the core team.
+
+### Unsupported Release Series
+
+When a release series is no longer supported, it's your own responsibility to deal with bugs and security issues. If you are not comfortable maintaining your own versions, you should upgrade to a supported version.
+
+## Reporting a bug
+
+All security bugs in shopify repositories should be reported to [our hackerone program](https://hackerone.com/shopify)
+Shopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the In Scope properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly your-store.myshopify.com/admin) and certain ancillary applications.
+
+## Disclosure Policy
+
+We look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:
+
+- Reply to all reports within one business day and triage within two business days (if applicable)
+- Be as transparent as possible, answering all inquires about our report decisions and adding hackers to duplicate HackerOne reports
+- Award bounties within a week of resolution (excluding extenuating circumstances)
+- Only close reports as N/A when the issue reported is included in Known Issues, Ineligible Vulnerabilities Types or lacks evidence of a vulnerability
+
+**The following rules must be followed in order for any rewards to be paid:**
+
+- You may only test against shops you have created which include your HackerOne YOURHANDLE @ wearehackerone.com registered email address.
+- You must not attempt to gain access to, or interact with, any shops other than those created by you.
+- The use of commercial scanners is prohibited (e.g., Nessus).
+- Rules for reporting must be followed.
+- Do not disclose any issues publicly before they have been resolved.
+- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.
+- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.
+- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.
+- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.
+- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.
+- All content submitted by you to Shopify under this program is licensed under the MIT License.
+- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.
+- Failure to follow any of the foregoing rules will disqualify you from participating in this program.
+
+** Please see our [Hackerone Profile](https://hackerone.com/shopify) for full details
+
+## Receiving Security Updates
+
+To recieve all general updates to vulnerabilities, please subscribe to our hackerone [Hacktivity](https://hackerone.com/shopify/hacktivity)

data/app/controllers/concerns/shopify_app/authenticated.rb

@@ -7,6 +7,7 @@ module ShopifyApp
     included do
       include ShopifyApp::Localization
       include ShopifyApp::LoginProtection
+      include ShopifyApp::CsrfProtection
       include ShopifyApp::EmbeddedApp
       before_action :login_again_if_different_user_or_shop
       around_action :activate_shopify_session

data/app/controllers/concerns/shopify_app/require_known_shop.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module RequireKnownShop
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :check_shop_domain
+      before_action :check_shop_known
+    end
+
+    def current_shopify_domain
+      return if params[:shop].blank?
+      @shopify_domain ||= ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
+    end
+
+    private
+
+    def check_shop_domain
+      redirect_to(ShopifyApp.configuration.login_url) unless current_shopify_domain
+    end
+
+    def check_shop_known
+      @shop = SessionRepository.retrieve_shop_session_by_shopify_domain(current_shopify_domain)
+      redirect_to(shop_login) unless @shop
+    end
+
+    def shop_login
+      url = URI(ShopifyApp.configuration.login_url)
+
+      url.query = URI.encode_www_form(
+        shop: params[:shop],
+        return_to: request.fullpath,
+      )
+
+      url.to_s
+    end
+  end
+end

data/app/controllers/shopify_app/callback_controller.rb

@@ -65,9 +65,9 @@ module ShopifyApp
     end
 
     def associated_user
-      return unless auth_hash['extra'].present?
+      return unless auth_hash.dig('extra', 'associated_user').present?
 
-      auth_hash['extra']['associated_user']
+      auth_hash['extra']['associated_user'].merge('scope' => auth_hash['extra']['associated_user_scope'])
     end
 
     def associated_user_id
@@ -92,9 +92,11 @@ module ShopifyApp
 
       session[:shopify_user] = associated_user
       if session[:shopify_user].present?
+        session[:shop_id] = nil if shop_session && shop_session.domain != shop_name
         session[:user_id] = ShopifyApp::SessionRepository.store_user_session(session_store, associated_user)
       else
         session[:shop_id] = ShopifyApp::SessionRepository.store_shop_session(session_store)
+        session[:user_id] = nil if user_session && user_session.domain != shop_name
       end
       session[:shopify_domain] = shop_name
       session[:user_session] = auth_hash&.extra&.session

data/app/controllers/shopify_app/extension_verification_controller.rb

@@ -2,19 +2,14 @@
 
 module ShopifyApp
   class ExtensionVerificationController < ActionController::Base
+    include ShopifyApp::PayloadVerification
     protect_from_forgery with: :null_session
     before_action :verify_request
 
     private
 
     def verify_request
-      hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
-      request_body = request.body.read
-      secret = ShopifyApp.configuration.secret
-      digest = OpenSSL::Digest.new('sha256')
-
-      expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
-      head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
+      head(:unauthorized) unless hmac_valid?(request.body.read)
     end
   end
 end

data/config/locales/nl.yml

@@ -1,6 +1,6 @@
 ---
 nl:
-  logged_out: je bentafgemeld
+  logged_out: Je bent afgemeld
   could_not_log_in: Kon niet aanmelden bij Shopify-winkel
   invalid_shop_url: Ongeldig winkeldomein
   enable_cookies_heading: Schakel cookies in van %{app}

data/docs/Quickstart.md

@@ -1,7 +1,8 @@
 Quickstart
 ==========
 
-Get started building and deploying a new Shopify App to Heroku in just a few minutes. This guide assumes you have Ruby/Rails installed on your computer already; if you haven't done that already start with [this guide.](https://guides.rubyonrails.org/v5.0/getting_started.html#installing-rails)
+Get started building and deploying a new Shopify App to Heroku in just a few minutes.
+This guide assumes you have Ruby, Rails and PostgreSQL installed on your computer already; if you haven't done that already start with [this guide.](https://guides.rubyonrails.org/v5.0/getting_started.html#installing-rails)
 
 1. New Rails App (with postgres)
 --------------------------------
@@ -26,15 +27,6 @@ Head to the Heroku dashboard and create a new app, or run the following commands
 CLI:
 ```sh
 $ heroku create name
-$ heroku git:remote -a name
-```
-
-Once you have created an app on Heroku, we need to let Git know where the Heroku server is so we can deploy to it later. Copy the app's name from your Heroku dashboard and substitute `appname.git` with the name you chose earlier:
-
-web:
-```sh
-# https://dashboard.heroku.com/new
-$ git remote add heroku git@heroku.com:appname.git
 ```
 
 3. Create a new App in the Shopify Partner dashboard
@@ -48,11 +40,10 @@ $ git remote add heroku git@heroku.com:appname.git
 4. Add ShopifyApp to Gemfile
 ----------------------------
 
-Run these commands to add the `shopify_app` Gem to your app:
+Run this command to add the `shopify_app` Gem to your app:
 
 ```sh
-$ echo "gem 'shopify_app'" >> Gemfile
-$ bundle install
+$ bundle add shopify_app
 ```
 
 **Note:** we recommend using the latest version of Shopify Gem. Check the [Git tags](https://github.com/Shopify/shopify_app/tags) to see the latest release version and then add it to your Gemfile e.g `gem 'shopify_app', '~> 7.0.0'`
@@ -64,14 +55,13 @@ Generate the code for your app by running these commands:
 
 ```sh
 # Use the keys from your app you created in the partners area
-$ rails generate shopify_app --api_key <shopify_api_key> --secret <shopify_api_secret>
+$ rails generate shopify_app
 $ git add .
 $ git commit -m 'generated shopify app'
 ```
 
-If you forget to set your keys or redirect uri above, you will find them in the shopify_app initializer at: `/config/initializers/shopify_app.rb`.
-
-We recommend adding a gem or utilizing environment variables (`.env`) to handle your keys before releasing your app. [Learn more about using environment variables.](https://www.honeybadger.io/blog/ruby-guide-environment-variables/)
+Your API key and secret are read from environment variables. Refer to the main
+README for further details on how to set this up.
 
 6. Deploy your app
 ---------

data/lib/generators/shopify_app/authenticated_controller/authenticated_controller_generator.rb

@@ -7,7 +7,7 @@ module ShopifyApp
     class AuthenticatedControllerGenerator < Rails::Generators::Base
       source_root File.expand_path('../templates', __FILE__)
 
-      def create_home_controller
+      def create_authenticated_controller
         template('authenticated_controller.rb', 'app/controllers/authenticated_controller.rb')
       end
     end

data/lib/generators/shopify_app/home_controller/home_controller_generator.rb

@@ -6,21 +6,39 @@ module ShopifyApp
     class HomeControllerGenerator < Rails::Generators::Base
       source_root File.expand_path('../templates', __FILE__)
 
+      class_option :with_session_token, type: :boolean, default: false
+
       def create_home_controller
-        template('home_controller.rb', 'app/controllers/home_controller.rb')
+        @with_session_token = options['with_session_token']
+
+        template(home_controller_template, 'app/controllers/home_controller.rb')
+      end
+
+      def create_products_controller
+        generate("shopify_app:products_controller") if with_session_token?
       end
 
       def create_home_index_view
-        copy_file('index.html.erb', 'app/views/home/index.html.erb')
+        template('index.html.erb', 'app/views/home/index.html.erb')
       end
 
       def add_home_index_route
         route("root :to => 'home#index'")
       end
 
+      private
+
       def embedded_app?
         ShopifyApp.configuration.embedded_app?
       end
+
+      def with_session_token?
+        @with_session_token
+      end
+
+      def home_controller_template
+        with_session_token? ? 'unauthenticated_home_controller.rb' : 'home_controller.rb'
+      end
     end
   end
 end

data/lib/generators/shopify_app/home_controller/templates/index.html.erb

@@ -1,21 +1,71 @@
-<h2>Products</h2>
+<!DOCTYPE html>
+<html lang="<%= I18n.locale %>">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <link
+      rel="stylesheet"
+      href="https://unpkg.com/@shopify/polaris@4.25.0/styles.min.css"
+      />
+<% if @with_session_token %>    <script>
+      document.addEventListener("DOMContentLoaded", async function() {
+        var SessionToken = window["app-bridge"].actions.SessionToken
+        var app = window.app;
 
-<ul>
-  <% @products.each do |product| %>
-    <li><%= link_to product.title, "https://#{@current_shopify_session.domain}/admin/products/#{product.id}", target: "_top" %></li>
-  <% end %>
-</ul>
+        app.dispatch(
+          SessionToken.request(),
+        );
 
-<hr>
+        // Save a session token for future requests
+        window.sessionToken = await new Promise((resolve) => {
+          app.subscribe(SessionToken.ActionType.RESPOND, (data) => {
+            resolve(data.sessionToken || "");
+          });
+        });
 
-<h2>Webhooks</h2>
+        var fetchProducts = function() {
+          var headers = new Headers({ "Authorization": "Bearer " + window.sessionToken });
+          return fetch("/products", { headers })
+            .then(response => response.json())
+            .then(data => {
+              var products = data.products;
 
-<% if @webhooks.present? %>
-  <ul>
-    <% @webhooks.each do |webhook| %>
-      <li><%= webhook.topic %> : <%= webhook.address %></li>
-    <% end %>
-  </ul>
-<% else %>
-  <p>This app has not created any webhooks for this Shop. Add webhooks to your ShopifyApp initializer if you need webhooks</p>
-<% end %>
+              if (products === undefined || products.length == 0) {
+                document.getElementById("products").innerHTML = "<br>No products to display.";
+              } else {
+                var list = "";
+                products.forEach((product) => {
+                  var link = `<a target="_top" href="https://<%%= @shop_origin %>/admin/products/${product.id}">`
+                  list += "<li>" + link + product.title + "</a></li>";
+                });
+                document.getElementById("products").innerHTML = "<ul>" + list + "</ul>";
+              }
+            });
+        }();
+      });
+    </script>
+<% end %>  </head>
+  <body>
+    <h2>Products</h2>
+<% if @with_session_token %>    <div id="products"><br>Loading...</div><% else %>
+    <ul>
+      <%% @products.each do |product| %>
+        <li><%%= link_to product.title, "https://#{@current_shopify_session.domain}/admin/products/#{product.id}", target: "_top" %></li>
+      <%% end %>
+    </ul>
+
+    <hr>
+
+    <h2>Webhooks</h2>
+
+    <%% if @webhooks.present? %>
+      <ul>
+        <%% @webhooks.each do |webhook| %>
+          <li><%%= webhook.topic %> : <%%= webhook.address %></li>
+        <%% end %>
+      </ul>
+    <%% else %>
+      <p>This app has not created any webhooks for this Shop. Add webhooks to your ShopifyApp initializer if you need webhooks</p>
+    <%% end %><% end %>
+  </body>
+</html>

data/lib/generators/shopify_app/home_controller/templates/unauthenticated_home_controller.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class HomeController < ApplicationController
+  include ShopifyApp::EmbeddedApp
+  include ShopifyApp::RequireKnownShop
+
+  def index
+    @shop_origin = current_shopify_domain
+  end
+end

data/lib/generators/shopify_app/install/templates/embedded_app.html.erb

@@ -28,7 +28,7 @@
 
     <%= content_tag(:div, nil, id: 'shopify-app-init', data: {
       api_key: ShopifyApp.configuration.api_key,
-      shop_origin: (@current_shopify_session.domain if @current_shopify_session),
+      shop_origin: @shop_origin || (@current_shopify_session.domain if @current_shopify_session),
       debug: Rails.env.development?
     } ) %>
 

data/lib/generators/shopify_app/install/templates/flash_messages.js

@@ -20,7 +20,5 @@ if (!document.documentElement.hasAttribute("data-turbolinks-preview")) {
         isError: true,
       }).dispatch(Toast.Action.SHOW);
     }
-
-    document.removeEventListener(eventName, flash)
   });
 }

data/lib/generators/shopify_app/install/templates/shopify_app.rb.tt

@@ -9,6 +9,7 @@ ShopifyApp.configure do |config|
   config.after_authenticate_job = false
   config.api_version = "<%= @api_version %>"
   config.shop_session_repository = 'Shop'
+  config.allow_jwt_authentication = true
 end
 
 # ShopifyApp::Utils.fetch_known_api_versions                        # Uncomment to fetch known api versions from shopify servers on boot

data/lib/generators/shopify_app/products_controller/products_controller_generator.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'rails/generators/base'
+
+module ShopifyApp
+  module Generators
+    class ProductsControllerGenerator < Rails::Generators::Base
+      source_root File.expand_path('../templates', __FILE__)
+
+      def create_products_controller
+        template('products_controller.rb', 'app/controllers/products_controller.rb')
+      end
+
+      def add_products_route
+        route("get '/products', :to => 'products#index'")
+      end
+    end
+  end
+end

data/lib/generators/shopify_app/products_controller/templates/products_controller.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class ProductsController < AuthenticatedController
+  def index
+    @products = ShopifyAPI::Product.find(:all, params: { limit: 10 })
+    render(json: { products: @products })
+  end
+end

data/lib/generators/shopify_app/shopify_app_generator.rb

@@ -11,7 +11,7 @@ module ShopifyApp
         generate("shopify_app:install #{@opts.join(' ')}")
         generate("shopify_app:shop_model")
         generate("shopify_app:authenticated_controller")
-        generate("shopify_app:home_controller")
+        generate("shopify_app:home_controller #{@opts.join(' ')}")
       end
     end
   end

data/lib/shopify_app.rb

@@ -27,12 +27,14 @@ module ShopifyApp
   require 'shopify_app/utils'
 
   # controller concerns
+  require 'shopify_app/controller_concerns/csrf_protection'
   require 'shopify_app/controller_concerns/localization'
   require 'shopify_app/controller_concerns/itp'
   require 'shopify_app/controller_concerns/login_protection'
   require 'shopify_app/controller_concerns/embedded_app'
-  require 'shopify_app/controller_concerns/webhook_verification'
+  require 'shopify_app/controller_concerns/payload_verification'
   require 'shopify_app/controller_concerns/app_proxy_verification'
+  require 'shopify_app/controller_concerns/webhook_verification'
 
   # jobs
   require 'shopify_app/jobs/webhooks_manager_job'

data/lib/shopify_app/controller_concerns/app_proxy_verification.rb

@@ -2,7 +2,6 @@
 module ShopifyApp
   module AppProxyVerification
     extend ActiveSupport::Concern
-
     included do
       skip_before_action :verify_authenticity_token, raise: false
       before_action :verify_proxy_request

data/lib/shopify_app/controller_concerns/csrf_protection.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module CsrfProtection
+    extend ActiveSupport::Concern
+    included do
+      protect_from_forgery with: :exception, unless: :valid_session_token?
+    end
+
+    private
+
+    def valid_session_token?
+      request.env['jwt.shopify_domain']
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -14,6 +14,8 @@ module ShopifyApp
       rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
     end
 
+    ACCESS_TOKEN_REQUIRED_HEADER = 'X-Shopify-API-Request-Failure-Unauthorized'
+
     def activate_shopify_session
       return redirect_to_login if current_shopify_session.blank?
       clear_top_level_oauth_cookie
@@ -80,6 +82,10 @@ module ShopifyApp
       end
     end
 
+    def signal_access_token_required
+      response.set_header(ACCESS_TOKEN_REQUIRED_HEADER, true)
+    end
+
     protected
 
     def jwt_shopify_domain
@@ -204,6 +210,8 @@ module ShopifyApp
     def return_address
       return base_return_address unless ShopifyApp.configuration.allow_jwt_authentication
       return_address_with_params(shop: current_shopify_domain)
+    rescue ShopifyDomainNotFound
+      base_return_address
     end
 
     def base_return_address

data/lib/shopify_app/controller_concerns/payload_verification.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module PayloadVerification
+    extend ActiveSupport::Concern
+
+    private
+
+    def shopify_hmac
+      request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
+    end
+
+    def hmac_valid?(data)
+      secrets = [ShopifyApp.configuration.secret, ShopifyApp.configuration.old_secret].reject(&:blank?)
+
+      secrets.any? do |secret|
+        digest = OpenSSL::Digest.new('sha256')
+        ActiveSupport::SecurityUtils.secure_compare(
+          shopify_hmac,
+          Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, data))
+        )
+      end
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/webhook_verification.rb

@@ -2,6 +2,7 @@
 module ShopifyApp
   module WebhookVerification
     extend ActiveSupport::Concern
+    include ShopifyApp::PayloadVerification
 
     included do
       skip_before_action :verify_authenticity_token, raise: false
@@ -15,25 +16,8 @@ module ShopifyApp
       return head(:unauthorized) unless hmac_valid?(data)
     end
 
-    def hmac_valid?(data)
-      secrets = [ShopifyApp.configuration.secret, ShopifyApp.configuration.old_secret].reject(&:blank?)
-
-      secrets.any? do |secret|
-        digest = OpenSSL::Digest.new('sha256')
-
-        ActiveSupport::SecurityUtils.secure_compare(
-          shopify_hmac,
-          Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, data))
-        )
-      end
-    end
-
     def shop_domain
       request.headers['HTTP_X_SHOPIFY_SHOP_DOMAIN']
     end
-
-    def shopify_hmac
-      request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
-    end
   end
 end

data/lib/shopify_app/middleware/jwt_middleware.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class JWTMiddleware
     TOKEN_REGEX = /^Bearer\s+(.*?)$/

data/lib/shopify_app/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module ShopifyApp
-  VERSION = '13.2.0'
+  VERSION = '14.0.0'
 end

data/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "13.0.0",
+  "version": "13.6.0",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {
@@ -53,12 +53,6 @@
             "minimist": "^1.2.0"
           }
         },
-        "lodash": {
-          "version": "4.17.15",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
-          "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==",
-          "dev": true
-        },
         "ms": {
           "version": "2.1.2",
           "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
@@ -78,14 +72,6 @@
         "lodash": "^4.17.13",
         "source-map": "^0.5.0",
         "trim-right": "^1.0.1"
-      },
-      "dependencies": {
-        "lodash": {
-          "version": "4.17.15",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
-          "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==",
-          "dev": true
-        }
       }
     },
     "@babel/helper-annotate-as-pure": {
@@ -151,14 +137,6 @@
         "@babel/helper-function-name": "^7.1.0",
         "@babel/types": "^7.5.5",
         "lodash": "^4.17.13"
-      },
-      "dependencies": {
-        "lodash": {
-          "version": "4.17.15",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
-          "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==",
-          "dev": true
-        }
       }
     },
     "@babel/helper-explode-assignable-expression": {
@@ -230,14 +208,6 @@
         "@babel/template": "^7.4.4",
         "@babel/types": "^7.5.5",
         "lodash": "^4.17.13"
-      },
-      "dependencies": {
-        "lodash": {
-          "version": "4.17.15",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
-          "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==",
-          "dev": true
-        }
       }
     },
     "@babel/helper-optimise-call-expression": {
@@ -262,14 +232,6 @@
       "dev": true,
       "requires": {
         "lodash": "^4.17.13"
-      },
-      "dependencies": {
-        "lodash": {
-          "version": "4.17.15",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
-          "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==",
-          "dev": true
-        }
       }
     },
     "@babel/helper-remap-async-to-generator": {
@@ -598,14 +560,6 @@
       "requires": {
         "@babel/helper-plugin-utils": "^7.0.0",
         "lodash": "^4.17.13"
-      },
-      "dependencies": {
-        "lodash": {
-          "version": "4.17.15",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
-          "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==",
-          "dev": true
-        }
       }
     },
     "@babel/plugin-transform-classes": {
@@ -1056,12 +1010,6 @@
             "ms": "^2.1.1"
           }
         },
-        "lodash": {
-          "version": "4.17.15",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
-          "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==",
-          "dev": true
-        },
         "ms": {
           "version": "2.1.2",
           "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
@@ -1079,14 +1027,6 @@
         "esutils": "^2.0.2",
         "lodash": "^4.17.13",
         "to-fast-properties": "^2.0.0"
-      },
-      "dependencies": {
-        "lodash": {
-          "version": "4.17.15",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
-          "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==",
-          "dev": true
-        }
       }
     },
     "@sinonjs/commons": {
@@ -1117,14 +1057,6 @@
         "@sinonjs/commons": "^1.3.0",
         "array-from": "^2.1.1",
         "lodash": "^4.17.15"
-      },
-      "dependencies": {
-        "lodash": {
-          "version": "4.17.15",
-          "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
-          "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==",
-          "dev": true
-        }
       }
     },
     "@sinonjs/text-encoding": {
@@ -2600,9 +2532,9 @@
       "dev": true
     },
     "elliptic": {
-      "version": "6.5.1",
-      "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.5.1.tgz",
-      "integrity": "sha512-xvJINNLbTeWQjrl6X+7eQCrIy/YPv5XCpKW6kB5mKvtnGILoLDcySuwomfdzt0BMdLNVnuRNTuzKNHj0bva1Cg==",
+      "version": "6.5.3",
+      "resolved": "https://registry.npmjs.org/elliptic/-/elliptic-6.5.3.tgz",
+      "integrity": "sha512-IMqzv5wNQf+E6aHeIqATs0tOLeOTwj1QKbRcS3jBbYkl5oLAserA8yJTT7/VyHUYG91PRmPyeQDObKLPpeS4dw==",
       "dev": true,
       "requires": {
         "bn.js": "^4.4.0",
@@ -4579,9 +4511,9 @@
       }
     },
     "lodash": {
-      "version": "4.17.15",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
-      "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==",
+      "version": "4.17.19",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz",
+      "integrity": "sha512-JNvd8XER9GQX0v2qJgsaN/mzFCNA5BRe/j8JN9d+tWyGLSodKQHKFicdwNYzWwI3wjRnaKPsGj1XkBjx/F96DQ==",
       "dev": true
     },
     "log-symbols": {

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "13.2.0",
+  "version": "14.0.0",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

data/shopify_app.gemspec

@@ -9,13 +9,13 @@ Gem::Specification.new do |s|
   s.author      = "Shopify"
   s.summary     = 'This gem is used to get quickly started with the Shopify API'
 
-  s.required_ruby_version = ">= 2.4"
+  s.required_ruby_version = ">= 2.5"
 
   s.metadata['allowed_push_host'] = 'https://rubygems.org'
 
   s.add_runtime_dependency('browser_sniffer', '~> 1.2.2')
   s.add_runtime_dependency('rails', '> 5.2.1')
-  s.add_runtime_dependency('shopify_api', '~> 9.1.0')
+  s.add_runtime_dependency('shopify_api', '~> 9.1')
   s.add_runtime_dependency('omniauth-shopify-oauth2', '~> 2.2.2')
   s.add_runtime_dependency('jwt', '~> 2.2.1')
   s.add_runtime_dependency('redirect_safely', '~> 1.0')

data/yarn.lock

@@ -1293,9 +1293,9 @@ bluebird@^3.3.0, bluebird@^3.5.5:
   integrity sha512-5am6HnnfN+urzt4yfg7IgTbotDjIT/u8AJpEt0sIU9FtXfVeezXAPKswrG+xKUCOYAINpSdgZVDU6QFh+cuH3w==
 
 bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.1.1, bn.js@^4.4.0:
-  version "4.11.8"
-  resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.11.8.tgz#2cde09eb5ee341f484746bb0309b3253b1b1442f"
-  integrity sha512-ItfYfPLkWHUjckQCk8xC+LwxgK8NYcXywGigJgSwOP8Y2iyWT4f2vsZnoOXTTbo+o5yXmIUJ4gn5538SO5S3gA==
+  version "4.11.9"
+  resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.11.9.tgz#26d556829458f9d1e81fc48952493d0ba3507828"
+  integrity sha512-E6QoYqCKZfgatHTdHzs1RRKP7ip4vvm+EyRUeE2RF0NblwVvb0p6jSVeNTOFxPn26QXN2o6SMfNxKp6kU8zQaw==
 
 body-parser@^1.16.1:
   version "1.19.0"
@@ -2039,9 +2039,9 @@ electron-to-chromium@^1.3.247:
   integrity sha512-wGt+OivF1C1MPwaSv3LJ96ebNbLAWlx3HndivDDWqwIVSQxmhL17Y/YmwUdEMtS/bPyommELt47Dct0/VZNQBQ==
 
 elliptic@^6.0.0:
-  version "6.5.1"
-  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.1.tgz#c380f5f909bf1b9b4428d028cd18d3b0efd6b52b"
-  integrity sha512-xvJINNLbTeWQjrl6X+7eQCrIy/YPv5XCpKW6kB5mKvtnGILoLDcySuwomfdzt0BMdLNVnuRNTuzKNHj0bva1Cg==
+  version "6.5.3"
+  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.3.tgz#cb59eb2efdaf73a0bd78ccd7015a62ad6e0f93d6"
+  integrity sha512-IMqzv5wNQf+E6aHeIqATs0tOLeOTwj1QKbRcS3jBbYkl5oLAserA8yJTT7/VyHUYG91PRmPyeQDObKLPpeS4dw==
   dependencies:
     bn.js "^4.4.0"
     brorand "^1.0.1"
@@ -3202,9 +3202,9 @@ locate-path@^3.0.0:
     path-exists "^3.0.0"
 
 lodash@^4.17.11, lodash@^4.17.13, lodash@^4.17.14, lodash@^4.17.15:
-  version "4.17.15"
-  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz#b447f6670a0455bbfeedd11392eff330ea097548"
-  integrity sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==
+  version "4.17.19"
+  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.19.tgz#e48ddedbe30b3321783c5b4301fbd353bc1e4a4b"
+  integrity sha512-JNvd8XER9GQX0v2qJgsaN/mzFCNA5BRe/j8JN9d+tWyGLSodKQHKFicdwNYzWwI3wjRnaKPsGj1XkBjx/F96DQ==
 
 log-symbols@2.2.0:
   version "2.2.0"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 13.2.0
+  version: 14.0.0
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-07 00:00:00.000000000 Z
+date: 2020-08-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: browser_sniffer
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 9.1.0
+        version: '9.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 9.1.0
+        version: '9.1'
 - !ruby/object:Gem::Dependency
   name: omniauth-shopify-oauth2
   requirement: !ruby/object:Gem::Requirement
@@ -243,7 +243,9 @@ files:
 - ".babelrc"
 - ".github/CODEOWNERS"
 - ".github/ISSUE_TEMPLATE.md"
+- ".github/PULL_REQUEST_TEMPLATE.md"
 - ".github/probots.yml"
+- ".github/workflows/rubocop.yml"
 - ".gitignore"
 - ".nvmrc"
 - ".rubocop.yml"
@@ -254,6 +256,7 @@ files:
 - LICENSE
 - README.md
 - Rakefile
+- SECURITY.md
 - app/assets/images/storage_access.svg
 - app/assets/javascripts/shopify_app/enable_cookies.js
 - app/assets/javascripts/shopify_app/itp_helper.js
@@ -265,6 +268,7 @@ files:
 - app/assets/javascripts/shopify_app/top_level.js
 - app/assets/javascripts/shopify_app/top_level_interaction.js
 - app/controllers/concerns/shopify_app/authenticated.rb
+- app/controllers/concerns/shopify_app/require_known_shop.rb
 - app/controllers/shopify_app/authenticated_controller.rb
 - app/controllers/shopify_app/callback_controller.rb
 - app/controllers/shopify_app/extension_verification_controller.rb
@@ -326,6 +330,7 @@ files:
 - lib/generators/shopify_app/home_controller/home_controller_generator.rb
 - lib/generators/shopify_app/home_controller/templates/home_controller.rb
 - lib/generators/shopify_app/home_controller/templates/index.html.erb
+- lib/generators/shopify_app/home_controller/templates/unauthenticated_home_controller.rb
 - lib/generators/shopify_app/install/install_generator.rb
 - lib/generators/shopify_app/install/templates/_flash_messages.html.erb
 - lib/generators/shopify_app/install/templates/embedded_app.html.erb
@@ -337,6 +342,8 @@ files:
 - lib/generators/shopify_app/install/templates/shopify_app_index.js
 - lib/generators/shopify_app/install/templates/shopify_provider.rb
 - lib/generators/shopify_app/install/templates/user_agent.rb
+- lib/generators/shopify_app/products_controller/products_controller_generator.rb
+- lib/generators/shopify_app/products_controller/templates/products_controller.rb
 - lib/generators/shopify_app/rotate_shopify_token_job/rotate_shopify_token_job_generator.rb
 - lib/generators/shopify_app/rotate_shopify_token_job/templates/rotate_shopify_token.rake
 - lib/generators/shopify_app/rotate_shopify_token_job/templates/rotate_shopify_token_job.rb
@@ -355,10 +362,12 @@ files:
 - lib/shopify_app.rb
 - lib/shopify_app/configuration.rb
 - lib/shopify_app/controller_concerns/app_proxy_verification.rb
+- lib/shopify_app/controller_concerns/csrf_protection.rb
 - lib/shopify_app/controller_concerns/embedded_app.rb
 - lib/shopify_app/controller_concerns/itp.rb
 - lib/shopify_app/controller_concerns/localization.rb
 - lib/shopify_app/controller_concerns/login_protection.rb
+- lib/shopify_app/controller_concerns/payload_verification.rb
 - lib/shopify_app/controller_concerns/webhook_verification.rb
 - lib/shopify_app/engine.rb
 - lib/shopify_app/jobs/scripttags_manager_job.rb
@@ -400,7 +409,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.4'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="