shopify_app 13.2.0 → 20.2.0

data/lib/generators/shopify_app/user_model/user_model_generator.rb

@@ -1,31 +1,59 @@
 # frozen_string_literal: true
-require 'rails/generators/base'
-require 'rails/generators/active_record'
+
+require "rails/generators/base"
+require "rails/generators/active_record"
 
 module ShopifyApp
   module Generators
     class UserModelGenerator < Rails::Generators::Base
       include Rails::Generators::Migration
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path("../templates", __FILE__)
+
+      class_option :new_shopify_cli_app, type: :boolean, default: false
 
       def create_user_model
-        copy_file('user.rb', 'app/models/user.rb')
+        copy_file("user.rb", "app/models/user.rb")
       end
 
       def create_user_migration
-        migration_template('db/migrate/create_users.erb', 'db/migrate/create_users.rb')
+        migration_template("db/migrate/create_users.erb", "db/migrate/create_users.rb")
+      end
+
+      def create_scopes_storage_in_user_model
+        scopes_column_prompt = <<~PROMPT
+          It is highly recommended that apps record the access scopes granted by \
+          merchants during app installation. See app/models/user.rb to modify how \
+          access scopes are stored and retrieved.
+
+          [WARNING] You will need to update the access_scopes accessors in the User model \
+          to allow shopify_app to store and retrieve scopes when going through OAuth.
+
+          The following migration will add an `access_scopes` column to the User model. \
+          Do you want to include this migration? [y/n]
+        PROMPT
+
+        if new_shopify_cli_app? || Rails.env.test? || yes?(scopes_column_prompt)
+          migration_template(
+            "db/migrate/add_user_access_scopes_column.erb",
+            "db/migrate/add_user_access_scopes_column.rb"
+          )
+        end
       end
 
       def update_shopify_app_initializer
-        gsub_file('config/initializers/shopify_app.rb', 'ShopifyApp::InMemoryUserSessionStore', 'User')
+        gsub_file("config/initializers/shopify_app.rb", "ShopifyApp::InMemoryUserSessionStore", "User")
       end
 
       def create_user_fixtures
-        copy_file('users.yml', 'test/fixtures/users.yml')
+        copy_file("users.yml", "test/fixtures/users.yml")
       end
 
       private
 
+      def new_shopify_cli_app?
+        options["new_shopify_cli_app"]
+      end
+
       def rails_migration_version
         Rails.version.match(/\d\.\d/)[0]
       end

data/lib/generators/shopify_app/views/views_generator.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
-require 'rails/generators/base'
+
+require "rails/generators/base"
 
 module ShopifyApp
   module Generators
@@ -8,21 +9,21 @@ module ShopifyApp
 
       def create_views
         views.each do |view|
-          copy_file view
+          copy_file(view)
         end
       end
 
       private
 
       def views
-        files_within_root('.', 'app/views/**/*.*')
+        files_within_root(".", "app/views/**/*.*")
       end
 
       def files_within_root(prefix, glob)
         root = "#{self.class.source_root}/#{prefix}"
 
         Dir["#{root}/#{glob}"].sort.map do |full_path|
-          full_path.sub(root, '.').gsub('/./', '/')
+          full_path.sub(root, ".").gsub("/./", "/")
         end
       end
     end

data/lib/shopify_app/access_scopes/noop_strategy.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module AccessScopes
+    class NoopStrategy
+      class << self
+        def update_access_scopes?(*_args)
+          false
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/access_scopes/shop_strategy.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module AccessScopes
+    class ShopStrategy
+      class << self
+        def update_access_scopes?(shop_domain)
+          shop_access_scopes = shop_access_scopes(shop_domain)
+          configuration_access_scopes != shop_access_scopes
+        end
+
+        private
+
+        def shop_access_scopes(shop_domain)
+          ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(shop_domain)&.scope
+        end
+
+        def configuration_access_scopes
+          ShopifyAPI::Auth::AuthScopes.new(ShopifyApp.configuration.shop_access_scopes)
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/access_scopes/user_strategy.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module AccessScopes
+    class UserStrategy
+      class << self
+        def update_access_scopes?(user_id: nil, shopify_user_id: nil)
+          return update_access_scopes_for_user_id?(user_id) if user_id
+          return update_access_scopes_for_shopify_user_id?(shopify_user_id) if shopify_user_id
+
+          raise(::ShopifyApp::InvalidInput,
+            "#update_access_scopes? requires user_id or shopify_user_id parameter inputs")
+        end
+
+        private
+
+        def update_access_scopes_for_user_id?(user_id)
+          user_access_scopes = user_access_scopes_by_user_id(user_id)
+          configuration_access_scopes != user_access_scopes
+        end
+
+        def update_access_scopes_for_shopify_user_id?(shopify_user_id)
+          user_access_scopes = user_access_scopes_by_shopify_user_id(shopify_user_id)
+          configuration_access_scopes != user_access_scopes
+        end
+
+        def user_access_scopes_by_user_id(user_id)
+          ShopifyApp::SessionRepository.retrieve_user_session(user_id)&.scope
+        end
+
+        def user_access_scopes_by_shopify_user_id(shopify_user_id)
+          ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(shopify_user_id)&.scope
+        end
+
+        def configuration_access_scopes
+          ShopifyAPI::Auth::AuthScopes.new(ShopifyApp.configuration.user_access_scopes)
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/configuration.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class Configuration
     # Shopify App settings. These values should match the configuration
@@ -9,6 +10,8 @@ module ShopifyApp
     attr_accessor :secret
     attr_accessor :old_secret
     attr_accessor :scope
+    attr_writer :shop_access_scopes
+    attr_writer :user_access_scopes
     attr_accessor :embedded_app
     alias_method  :embedded_app?, :embedded_app
     attr_accessor :webhooks
@@ -16,9 +19,13 @@ module ShopifyApp
     attr_accessor :after_authenticate_job
     attr_accessor :api_version
 
+    attr_accessor :reauth_on_access_scope_changes
+
     # customise urls
     attr_accessor :root_url
     attr_writer :login_url
+    attr_writer :login_callback_url
+    attr_accessor :embedded_redirect_url
 
     # customise ActiveJob queue names
     attr_accessor :scripttags_manager_queue_name
@@ -33,22 +40,24 @@ module ShopifyApp
     # allow namespacing webhook jobs
     attr_accessor :webhook_jobs_namespace
 
-    # allow enabling of same site none on cookies
-    attr_writer :enable_same_site_none
-
-    # allow enabling jwt headers for authentication
-    attr_accessor :allow_jwt_authentication
+    # takes a ShopifyApp::BillingConfiguration object
+    attr_accessor :billing
 
     def initialize
-      @root_url = '/'
-      @myshopify_domain = 'myshopify.com'
+      @root_url = "/"
+      @myshopify_domain = "myshopify.com"
       @scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
       @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
-      @disable_webpacker = ENV['SHOPIFY_APP_DISABLE_WEBPACKER'].present?
+      @disable_webpacker = ENV["SHOPIFY_APP_DISABLE_WEBPACKER"].present?
     end
 
     def login_url
-      @login_url || File.join(@root_url, 'login')
+      @login_url || File.join(@root_url, "login")
+    end
+
+    def login_callback_url
+      # Not including @root_url to keep historic behaviour
+      @login_callback_url || File.join("auth/shopify/callback")
     end
 
     def user_session_repository=(klass)
@@ -67,6 +76,18 @@ module ShopifyApp
       ShopifyApp::SessionRepository.shop_storage
     end
 
+    def shop_access_scopes_strategy
+      return ShopifyApp::AccessScopes::NoopStrategy unless reauth_on_access_scope_changes
+
+      ShopifyApp::AccessScopes::ShopStrategy
+    end
+
+    def user_access_scopes_strategy
+      return ShopifyApp::AccessScopes::NoopStrategy unless reauth_on_access_scope_changes
+
+      ShopifyApp::AccessScopes::UserStrategy
+    end
+
     def has_webhooks?
       webhooks.present?
     end
@@ -75,8 +96,34 @@ module ShopifyApp
       scripttags.present?
     end
 
-    def enable_same_site_none
-      !Rails.env.test? && (@enable_same_site_none.nil? ? embedded_app? : @enable_same_site_none)
+    def requires_billing?
+      billing.present?
+    end
+
+    def shop_access_scopes
+      @shop_access_scopes || scope
+    end
+
+    def user_access_scopes
+      @user_access_scopes || scope
+    end
+  end
+
+  class BillingConfiguration
+    INTERVAL_ONE_TIME = "ONE_TIME"
+    INTERVAL_EVERY_30_DAYS = "EVERY_30_DAYS"
+    INTERVAL_ANNUAL = "ANNUAL"
+
+    attr_reader :charge_name
+    attr_reader :amount
+    attr_reader :currency_code
+    attr_reader :interval
+
+    def initialize(charge_name:, amount:, interval:, currency_code: "USD")
+      @charge_name = charge_name
+      @amount = amount
+      @currency_code = currency_code
+      @interval = interval
     end
   end
 

data/lib/shopify_app/controller_concerns/app_proxy_verification.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module AppProxyVerification
     extend ActiveSupport::Concern
-
     included do
       skip_before_action :verify_authenticity_token, raise: false
       before_action :verify_proxy_request
@@ -17,7 +17,7 @@ module ShopifyApp
     def query_string_valid?(query_string)
       query_hash = Rack::Utils.parse_query(query_string)
 
-      signature = query_hash.delete('signature')
+      signature = query_hash.delete("signature")
       return false if signature.nil?
 
       ActiveSupport::SecurityUtils.secure_compare(
@@ -27,10 +27,10 @@ module ShopifyApp
     end
 
     def calculated_signature(query_hash_without_signature)
-      sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(',')}" }.sort.join
+      sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(",")}" }.sort.join
 
       OpenSSL::HMAC.hexdigest(
-        OpenSSL::Digest.new('sha256'),
+        OpenSSL::Digest.new("sha256"),
         ShopifyApp.configuration.secret,
         sorted_params
       )

data/lib/shopify_app/controller_concerns/csrf_protection.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module CsrfProtection
+    extend ActiveSupport::Concern
+    included do
+      protect_from_forgery with: :exception, unless: :valid_session_token?
+    end
+
+    private
+
+    def valid_session_token?
+      request.env["jwt.shopify_domain"]
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/embedded_app.rb

@@ -1,20 +1,23 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module EmbeddedApp
     extend ActiveSupport::Concern
 
+    include ShopifyApp::FrameAncestors
+
     included do
       if ShopifyApp.configuration.embedded_app?
         after_action(:set_esdk_headers)
-        layout('embedded_app')
+        layout("embedded_app")
       end
     end
 
     private
 
     def set_esdk_headers
-      response.set_header('P3P', 'CP="Not used"')
-      response.headers.except!('X-Frame-Options')
+      response.set_header("P3P", 'CP="Not used"')
+      response.headers.except!("X-Frame-Options")
     end
   end
 end

data/lib/shopify_app/controller_concerns/ensure_billing.rb

@@ -0,0 +1,243 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module EnsureBilling
+    extend ActiveSupport::Concern
+
+    RECURRING_INTERVALS = [BillingConfiguration::INTERVAL_EVERY_30_DAYS, BillingConfiguration::INTERVAL_ANNUAL]
+
+    included do
+      before_action :check_billing, if: :billing_required?
+      rescue_from ::ShopifyApp::BillingError, with: :handle_billing_error
+    end
+
+    private
+
+    def check_billing(session = current_shopify_session)
+      return true if session.blank? || !billing_required?
+
+      confirmation_url = nil
+
+      if has_active_payment?(session)
+        has_payment = true
+      else
+        has_payment = false
+        confirmation_url = request_payment(session)
+      end
+
+      unless has_payment
+        if request.xhr?
+          add_top_level_redirection_headers(url: confirmation_url, ignore_response_code: true)
+          head(:unauthorized)
+        else
+          redirect_to(confirmation_url, allow_other_host: true)
+        end
+      end
+
+      has_payment
+    end
+
+    def billing_required?
+      ShopifyApp.configuration.requires_billing?
+    end
+
+    def handle_billing_error(error)
+      logger.info("#{error.message}: #{error.errors}")
+      redirect_to_login
+    end
+
+    def has_active_payment?(session)
+      if recurring?
+        has_subscription?(session)
+      else
+        has_one_time_payment?(session)
+      end
+    end
+
+    def has_subscription?(session)
+      response = run_query(session: session, query: RECURRING_PURCHASES_QUERY)
+      subscriptions = response.body["data"]["currentAppInstallation"]["activeSubscriptions"]
+
+      subscriptions.each do |subscription|
+        if subscription["name"] == ShopifyApp.configuration.billing.charge_name &&
+            (!Rails.env.production? || !subscription["test"])
+
+          return true
+        end
+      end
+
+      false
+    end
+
+    def has_one_time_payment?(session)
+      purchases = nil
+      end_cursor = nil
+
+      loop do
+        response = run_query(session: session, query: ONE_TIME_PURCHASES_QUERY, variables: { endCursor: end_cursor })
+        purchases = response.body["data"]["currentAppInstallation"]["oneTimePurchases"]
+
+        purchases["edges"].each do |purchase|
+          node = purchase["node"]
+
+          if node["name"] == ShopifyApp.configuration.billing.charge_name &&
+              (!Rails.env.production? || !node["test"]) &&
+              node["status"] == "ACTIVE"
+
+            return true
+          end
+        end
+
+        end_cursor = purchases["pageInfo"]["endCursor"]
+        break unless purchases["pageInfo"]["hasNextPage"]
+      end
+
+      false
+    end
+
+    def request_payment(session)
+      shop = session.shop
+      host = Base64.encode64("#{shop}/admin")
+      return_url = "https://#{ShopifyAPI::Context.host_name}?shop=#{shop}&host=#{host}"
+
+      if recurring?
+        data = request_recurring_payment(session: session, return_url: return_url)
+        data = data["data"]["appSubscriptionCreate"]
+      else
+        data = request_one_time_payment(session: session, return_url: return_url)
+        data = data["data"]["appPurchaseOneTimeCreate"]
+      end
+
+      raise BillingError.new("Error while billing the store", data["userErrors"]) unless data["userErrors"].empty?
+
+      data["confirmationUrl"]
+    end
+
+    def request_recurring_payment(session:, return_url:)
+      response = run_query(
+        session: session,
+        query: RECURRING_PURCHASE_MUTATION,
+        variables: {
+          name: ShopifyApp.configuration.billing.charge_name,
+          lineItems: {
+            plan: {
+              appRecurringPricingDetails: {
+                interval: ShopifyApp.configuration.billing.interval,
+                price: {
+                  amount: ShopifyApp.configuration.billing.amount,
+                  currencyCode: ShopifyApp.configuration.billing.currency_code,
+                },
+              },
+            },
+          },
+          returnUrl: return_url,
+          test: !Rails.env.production?,
+        }
+      )
+
+      response.body
+    end
+
+    def request_one_time_payment(session:, return_url:)
+      response = run_query(
+        session: session,
+        query: ONE_TIME_PURCHASE_MUTATION,
+        variables: {
+          name: ShopifyApp.configuration.billing.charge_name,
+          price: {
+            amount: ShopifyApp.configuration.billing.amount,
+            currencyCode: ShopifyApp.configuration.billing.currency_code,
+          },
+          returnUrl: return_url,
+          test: !Rails.env.production?,
+        }
+      )
+
+      response.body
+    end
+
+    def recurring?
+      RECURRING_INTERVALS.include?(ShopifyApp.configuration.billing.interval)
+    end
+
+    def run_query(session:, query:, variables: nil)
+      client = ShopifyAPI::Clients::Graphql::Admin.new(session: session)
+
+      response = client.query(query: query, variables: variables)
+
+      raise BillingError.new("Error while billing the store", []) unless response.ok?
+      raise BillingError.new("Error while billing the store", response.body["errors"]) if response.body["errors"]
+
+      response
+    end
+
+    RECURRING_PURCHASES_QUERY = <<~'QUERY'
+      query appSubscription {
+        currentAppInstallation {
+          activeSubscriptions {
+            name, test
+          }
+        }
+      }
+    QUERY
+
+    ONE_TIME_PURCHASES_QUERY = <<~'QUERY'
+      query appPurchases($endCursor: String) {
+        currentAppInstallation {
+          oneTimePurchases(first: 250, sortKey: CREATED_AT, after: $endCursor) {
+            edges {
+              node {
+                name, test, status
+              }
+            }
+            pageInfo {
+              hasNextPage, endCursor
+            }
+          }
+        }
+      }
+    QUERY
+
+    RECURRING_PURCHASE_MUTATION = <<~'QUERY'
+      mutation createPaymentMutation(
+        $name: String!
+        $lineItems: [AppSubscriptionLineItemInput!]!
+        $returnUrl: URL!
+        $test: Boolean
+      ) {
+        appSubscriptionCreate(
+          name: $name
+          lineItems: $lineItems
+          returnUrl: $returnUrl
+          test: $test
+        ) {
+          confirmationUrl
+          userErrors {
+            field, message
+          }
+        }
+      }
+    QUERY
+
+    ONE_TIME_PURCHASE_MUTATION = <<~'QUERY'
+      mutation createPaymentMutation(
+        $name: String!
+        $price: MoneyInput!
+        $returnUrl: URL!
+        $test: Boolean
+      ) {
+        appPurchaseOneTimeCreate(
+          name: $name
+          price: $price
+          returnUrl: $returnUrl
+          test: $test
+        ) {
+          confirmationUrl
+          userErrors {
+            field, message
+          }
+        }
+      }
+    QUERY
+  end
+end

data/lib/shopify_app/controller_concerns/frame_ancestors.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module FrameAncestors
+    extend ActiveSupport::Concern
+
+    included do
+      content_security_policy do |policy|
+        policy.frame_ancestors(-> do
+          domain_host = current_shopify_domain || "*.#{::ShopifyApp.configuration.myshopify_domain}"
+          "https://#{domain_host} https://admin.shopify.com"
+        end)
+      end
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/itp.rb

@@ -9,15 +9,15 @@ module ShopifyApp
       return unless ShopifyApp.configuration.embedded_app?
       return unless user_agent_can_partition_cookies
 
-      session['shopify.cookies_persist'] = true
+      session["shopify.cookies_persist"] = true
     end
 
     def set_top_level_oauth_cookie
-      session['shopify.top_level_oauth'] = true
+      session["shopify.top_level_oauth"] = true
     end
 
     def clear_top_level_oauth_cookie
-      session.delete('shopify.top_level_oauth')
+      session.delete("shopify.top_level_oauth")
     end
 
     def user_agent_is_mobile

data/lib/shopify_app/controller_concerns/localization.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module Localization
     extend ActiveSupport::Concern