shopify_app 13.2.0 → 20.2.0

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -1,97 +1,110 @@
 # frozen_string_literal: true
 
-require 'browser_sniffer'
+require "browser_sniffer"
 
 module ShopifyApp
   module LoginProtection
     extend ActiveSupport::Concern
     include ShopifyApp::Itp
-
-    class ShopifyDomainNotFound < StandardError; end
+    include ShopifyApp::SanitizedParams
 
     included do
       after_action :set_test_cookie
-      rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
+      rescue_from ShopifyAPI::Errors::HttpResponseError, with: :handle_http_error
     end
 
+    ACCESS_TOKEN_REQUIRED_HEADER = "X-Shopify-API-Request-Failure-Unauthorized"
+
     def activate_shopify_session
-      return redirect_to_login if current_shopify_session.blank?
-      clear_top_level_oauth_cookie
+      if current_shopify_session.blank?
+        signal_access_token_required
+        return redirect_to_login
+      end
+
+      unless current_shopify_session.scope.to_a.empty? ||
+          current_shopify_session.scope.covers?(ShopifyAPI::Context.scope)
+
+        clear_shopify_session
+        return redirect_to_login
+      end
 
       begin
-        ShopifyAPI::Base.activate_session(current_shopify_session)
+        ShopifyAPI::Context.activate_session(current_shopify_session)
         yield
       ensure
-        ShopifyAPI::Base.clear_session
+        ShopifyAPI::Context.deactivate_session
       end
     end
 
     def current_shopify_session
       @current_shopify_session ||= begin
-        user_session || shop_session
+        cookie_name = ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME
+        ShopifyAPI::Utils::SessionUtils.load_current_session(
+          auth_header: request.headers["HTTP_AUTHORIZATION"],
+          cookies: { cookie_name => cookies.encrypted[cookie_name] },
+          is_online: user_session_expected?
+        )
+      rescue ShopifyAPI::Errors::CookieNotFoundError
+        nil
+      rescue ShopifyAPI::Errors::InvalidJwtTokenError
+        nil
       end
     end
 
-    def user_session
-      user_session_by_jwt || user_session_by_cookie
-    end
-
-    def user_session_by_jwt
-      return unless ShopifyApp.configuration.allow_jwt_authentication
-      return unless jwt_shopify_user_id
-      ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(jwt_shopify_user_id)
-    end
+    def login_again_if_different_user_or_shop
+      return unless session_id_conflicts_with_params || session_shop_conflicts_with_params
 
-    def user_session_by_cookie
-      return unless session[:user_id].present?
-      ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
+      clear_shopify_session
+      redirect_to_login
     end
 
-    def shop_session
-      shop_session_by_jwt || shop_session_by_cookie
+    def signal_access_token_required
+      response.set_header(ACCESS_TOKEN_REQUIRED_HEADER, "true")
     end
 
-    def shop_session_by_jwt
-      return unless ShopifyApp.configuration.allow_jwt_authentication
-      return unless jwt_shopify_domain
-      ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(jwt_shopify_domain)
-    end
+    def jwt_expire_at
+      expire_at = request.env["jwt.expire_at"]
+      return unless expire_at
 
-    def shop_session_by_cookie
-      return unless session[:shop_id].present?
-      ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
+      expire_at - 5.seconds # 5s gap to start fetching new token in advance
     end
 
-    def login_again_if_different_user_or_shop
-      if session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
-        clear_session = session[:user_session] != params[:session] # current user is different from stored user
-
-      end
+    def add_top_level_redirection_headers(url: nil, ignore_response_code: false)
+      if request.xhr? && (ignore_response_code || response.code.to_i == 401)
+        # Make sure the shop is set in the redirection URL
+        unless params[:shop]
+          params[:shop] = if current_shopify_session
+            current_shopify_session.shop
+          elsif (matches = request.headers["HTTP_AUTHORIZATION"]&.match(/^Bearer (.+)$/))
+            jwt_payload = ShopifyAPI::Auth::JwtPayload.new(T.must(matches[1]))
+            jwt_payload.shop
+          end
+        end
 
-      if current_shopify_session &&
-        params[:shop] && params[:shop].is_a?(String) &&
-        (current_shopify_session.domain != params[:shop])
-        clear_session = true
-      end
+        url ||= login_url_with_optional_shop
 
-      if clear_session
-        clear_shopify_session
-        redirect_to_login
+        response.set_header("X-Shopify-API-Request-Failure-Reauthorize", "1")
+        response.set_header("X-Shopify-API-Request-Failure-Reauthorize-Url", url)
       end
     end
 
     protected
 
     def jwt_shopify_domain
-      request.env['jwt.shopify_domain']
+      request.env["jwt.shopify_domain"]
     end
 
     def jwt_shopify_user_id
-      request.env['jwt.shopify_user_id']
+      request.env["jwt.shopify_user_id"]
+    end
+
+    def host
+      params[:host]
     end
 
     def redirect_to_login
       if request.xhr?
+        add_top_level_redirection_headers(ignore_response_code: true)
         head(:unauthorized)
       else
         if request.get?
@@ -100,7 +113,8 @@ module ShopifyApp
         else
           referer = URI(request.referer || "/")
           path = referer.path
-          query = "#{referer.query}&#{sanitized_params.to_query}"
+          query = Rack::Utils.parse_nested_query(referer.query)
+          query = query.merge(sanitized_params).to_query
         end
         session[:return_to] = query.blank? ? path.to_s : "#{path}?#{query}"
         redirect_to(login_url_with_optional_shop)
@@ -112,12 +126,16 @@ module ShopifyApp
       redirect_to(login_url_with_optional_shop)
     end
 
+    def handle_http_error(error)
+      if error.code == 401
+        close_session
+      else
+        raise error
+      end
+    end
+
     def clear_shopify_session
-      session[:shop_id] = nil
-      session[:user_id] = nil
-      session[:shopify_domain] = nil
-      session[:shopify_user] = nil
-      session[:user_session] = nil
+      cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME] = nil
     end
 
     def login_url_with_optional_shop(top_level: false)
@@ -145,65 +163,40 @@ module ShopifyApp
         query_params[:shop] ||= referer_sanitized_shop_name
       end
 
+      if params[:host].present?
+        query_params[:host] ||= host
+      end
+
       query_params[:top_level] = true if top_level
       query_params
     end
 
     def return_to_param_required?
-      native_params = %i[shop hmac timestamp locale protocol return_to]
-      request.path != '/' || sanitized_params.except(*native_params).any?
+      native_params = [:shop, :hmac, :timestamp, :locale, :protocol, :return_to]
+      request.path != "/" || sanitized_params.except(*native_params).any?
     end
 
     def fullpage_redirect_to(url)
       if ShopifyApp.configuration.embedded_app?
-        render('shopify_app/shared/redirect', layout: false,
-               locals: { url: url, current_shopify_domain: current_shopify_domain })
+        render("shopify_app/shared/redirect", layout: false,
+          locals: { url: url, current_shopify_domain: current_shopify_domain })
       else
         redirect_to(url)
       end
     end
 
     def current_shopify_domain
-      shopify_domain = sanitized_shop_name ||
-        jwt_shopify_domain ||
-        session[:shopify_domain]
+      shopify_domain = sanitized_shop_name || current_shopify_session&.shop
 
       return shopify_domain if shopify_domain.present?
 
-      raise ShopifyDomainNotFound
-    end
-
-    def sanitized_shop_name
-      @sanitized_shop_name ||= sanitize_shop_param(params)
-    end
-
-    def referer_sanitized_shop_name
-      return unless request.referer.present?
-
-      @referer_sanitized_shop_name ||= begin
-        referer_uri = URI(request.referer)
-        query_params = Rack::Utils.parse_query(referer_uri.query)
-
-        sanitize_shop_param(query_params.with_indifferent_access)
-      end
-    end
-
-    def sanitize_shop_param(params)
-      return unless params[:shop].present?
-      ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
-    end
-
-    def sanitized_params
-      request.query_parameters.clone.tap do |query_params|
-        if params[:shop].is_a?(String)
-          query_params[:shop] = sanitize_shop_param(params)
-        end
-      end
+      raise ::ShopifyApp::ShopifyDomainNotFound
     end
 
     def return_address
-      return base_return_address unless ShopifyApp.configuration.allow_jwt_authentication
-      return_address_with_params(shop: current_shopify_domain)
+      return_address_with_params(shop: current_shopify_domain, host: host)
+    rescue ::ShopifyApp::ShopifyDomainNotFound, ::ShopifyApp::ShopifyHostNotFound
+      base_return_address
     end
 
     def base_return_address
@@ -219,5 +212,27 @@ module ShopifyApp
         .to_query
       uri.to_s
     end
+
+    private
+
+    def session_id_conflicts_with_params
+      shopify_session_id = current_shopify_session&.shopify_session_id
+      params[:session].present? && shopify_session_id.present? && params[:session] != shopify_session_id
+    end
+
+    def session_shop_conflicts_with_params
+      current_shopify_session && params[:shop].is_a?(String) && current_shopify_session.shop != params[:shop]
+    end
+
+    def shop_session
+      ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(sanitize_shop_param(params))
+    end
+
+    def user_session_expected?
+      return false if shop_session.nil?
+      return false if ShopifyApp.configuration.shop_access_scopes_strategy.update_access_scopes?(shop_session.shop)
+
+      !ShopifyApp.configuration.user_session_repository.blank? && ShopifyApp::SessionRepository.user_storage.present?
+    end
   end
 end

data/lib/shopify_app/controller_concerns/payload_verification.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module PayloadVerification
+    extend ActiveSupport::Concern
+
+    private
+
+    def shopify_hmac
+      request.headers["HTTP_X_SHOPIFY_HMAC_SHA256"]
+    end
+
+    def hmac_valid?(data)
+      secrets = [ShopifyApp.configuration.secret, ShopifyApp.configuration.old_secret].reject(&:blank?)
+
+      secrets.any? do |secret|
+        digest = OpenSSL::Digest.new("sha256")
+        ActiveSupport::SecurityUtils.secure_compare(
+          shopify_hmac,
+          Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, data))
+        )
+      end
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/redirect_for_embedded.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module RedirectForEmbedded
+    include ShopifyApp::SanitizedParams
+
+    private
+
+    def embedded_redirect_url?
+      ShopifyApp.configuration.embedded_redirect_url.present?
+    end
+
+    def embedded_param?
+      embedded_redirect_url? && params[:embedded].present? && params[:embedded] == "1"
+    end
+
+    def redirect_for_embedded
+      # Don't actually redirect if we're already in the redirect route - we want the request to reach the FE
+      redirect_to(redirect_uri_for_embedded) unless request.path == ShopifyApp.configuration.embedded_redirect_url
+    end
+
+    def redirect_uri_for_embedded
+      redirect_query_params = {}
+      redirect_uri = "https://#{ShopifyAPI::Context.host_name}#{ShopifyApp.configuration.login_url}"
+      redirect_query_params[:shop] = sanitized_shop_name
+      redirect_query_params[:shop] ||= referer_sanitized_shop_name if referer_sanitized_shop_name.present?
+      redirect_query_params[:host] ||= params[:host] if params[:host].present?
+      redirect_uri = "#{redirect_uri}?#{redirect_query_params.to_query}" if redirect_query_params.present?
+
+      query_params = sanitized_params.except(:redirect_uri)
+      query_params[:redirectUri] = redirect_uri
+
+      "#{ShopifyApp.configuration.embedded_redirect_url}?#{query_params.to_query}"
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/sanitized_params.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module SanitizedParams
+    protected
+
+    def sanitized_shop_name
+      @sanitized_shop_name ||= sanitize_shop_param(params)
+    end
+
+    def referer_sanitized_shop_name
+      return unless request.referer.present?
+
+      @referer_sanitized_shop_name ||= begin
+        referer_uri = URI(request.referer)
+        query_params = Rack::Utils.parse_query(referer_uri.query)
+
+        sanitize_shop_param(query_params.with_indifferent_access)
+      end
+    end
+
+    def sanitize_shop_param(params)
+      return unless params[:shop].present?
+      ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
+    end
+
+    def sanitized_params
+      parameters = request.post? ? request.request_parameters : request.query_parameters
+      parameters.clone.tap do |params_copy|
+        if params[:shop].is_a?(String)
+          params_copy[:shop] = sanitize_shop_param(params)
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/webhook_verification.rb

@@ -1,7 +1,9 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module WebhookVerification
     extend ActiveSupport::Concern
+    include ShopifyApp::PayloadVerification
 
     included do
       skip_before_action :verify_authenticity_token, raise: false
@@ -15,25 +17,8 @@ module ShopifyApp
       return head(:unauthorized) unless hmac_valid?(data)
     end
 
-    def hmac_valid?(data)
-      secrets = [ShopifyApp.configuration.secret, ShopifyApp.configuration.old_secret].reject(&:blank?)
-
-      secrets.any? do |secret|
-        digest = OpenSSL::Digest.new('sha256')
-
-        ActiveSupport::SecurityUtils.secure_compare(
-          shopify_hmac,
-          Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, data))
-        )
-      end
-    end
-
     def shop_domain
-      request.headers['HTTP_X_SHOPIFY_SHOP_DOMAIN']
-    end
-
-    def shopify_hmac
-      request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
+      request.headers["HTTP_X_SHOPIFY_SHOP_DOMAIN"]
     end
   end
 end

data/lib/shopify_app/engine.rb

@@ -1,24 +1,39 @@
 # frozen_string_literal: true
+
 module ShopifyApp
+  module RedactJobParams
+    private
+
+    def args_info(job)
+      log_disabled_classes = ["ShopifyApp::ScripttagsManagerJob", "ShopifyApp::WebhooksManagerJob"]
+      return "" if log_disabled_classes.include?(job.class.name)
+
+      super
+    end
+  end
+
   class Engine < Rails::Engine
-    engine_name 'shopify_app'
+    engine_name "shopify_app"
     isolate_namespace ShopifyApp
 
     initializer "shopify_app.assets.precompile" do |app|
-      app.config.assets.precompile += %w[
-        shopify_app/redirect.js
-        shopify_app/top_level.js
-        shopify_app/enable_cookies.js
-        shopify_app/request_storage_access.js
-        storage_access.svg
-      ]
+      app.config.assets.precompile += ["shopify_app/redirect.js", "shopify_app/post_redirect.js",
+                                       "shopify_app/top_level.js", "shopify_app/enable_cookies.js",
+                                       "shopify_app/request_storage_access.js", "storage_access.svg",]
     end
 
     initializer "shopify_app.middleware" do |app|
-      app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::SameSiteCookieMiddleware)
+      app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::JWTMiddleware)
+    end
 
-      if ShopifyApp.configuration.allow_jwt_authentication
-        app.config.middleware.insert_after(ShopifyApp::SameSiteCookieMiddleware, ShopifyApp::JWTMiddleware)
+    initializer "shopify_app.redact_job_params" do
+      ActiveSupport.on_load(:active_job) do
+        if ActiveJob::Base.respond_to?(:log_arguments?)
+          WebhooksManagerJob.log_arguments = false
+          ScripttagsManagerJob.log_arguments = false
+        elsif ActiveJob::Logging::LogSubscriber.private_method_defined?(:args_info)
+          ActiveJob::Logging::LogSubscriber.prepend(RedactJobParams)
+        end
       end
     end
   end

data/lib/shopify_app/errors.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  class BillingError < StandardError
+    attr_accessor :message
+    attr_accessor :errors
+
+    def initialize(message, errors)
+      super(message)
+      @message = message
+      @errors = errors
+    end
+  end
+
+  class ConfigurationError < StandardError; end
+
+  class CreationFailed < StandardError; end
+
+  class EnvironmentError < StandardError; end
+
+  class InvalidAudienceError < StandardError; end
+
+  class InvalidDestinationError < StandardError; end
+
+  class InvalidInput < StandardError; end
+
+  class MismatchedHostsError < StandardError; end
+
+  class MissingWebhookJobError < StandardError; end
+
+  class ShopifyDomainNotFound < StandardError; end
+
+  class ShopifyHostNotFound < StandardError; end
+end

data/lib/shopify_app/jobs/scripttags_manager_job.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class ScripttagsManagerJob < ActiveJob::Base
     queue_as do
@@ -6,8 +7,7 @@ module ShopifyApp
     end
 
     def perform(shop_domain:, shop_token:, scripttags:)
-      api_version = ShopifyApp.configuration.api_version
-      ShopifyAPI::Session.temp(domain: shop_domain, token: shop_token, api_version: api_version) do
+      ShopifyAPI::Auth::Session.temp(shop: shop_domain, access_token: shop_token) do
         manager = ScripttagsManager.new(scripttags, shop_domain)
         manager.create_scripttags
       end

data/lib/shopify_app/jobs/webhooks_manager_job.rb

@@ -1,15 +1,14 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class WebhooksManagerJob < ActiveJob::Base
     queue_as do
       ShopifyApp.configuration.webhooks_manager_queue_name
     end
 
-    def perform(shop_domain:, shop_token:, webhooks:)
-      api_version = ShopifyApp.configuration.api_version
-      ShopifyAPI::Session.temp(domain: shop_domain, token: shop_token, api_version: api_version) do
-        manager = WebhooksManager.new(webhooks)
-        manager.create_webhooks
+    def perform(shop_domain:, shop_token:, **)
+      ShopifyAPI::Auth::Session.temp(shop: shop_domain, access_token: shop_token) do |session|
+        WebhooksManager.create_webhooks(session: session)
       end
     end
   end

data/lib/shopify_app/managers/scripttags_manager.rb

@@ -1,8 +1,7 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class ScripttagsManager
-    class CreationFailed < StandardError; end
-
     def self.queue(shop_domain, shop_token, scripttags)
       ShopifyApp::ScripttagsManagerJob.perform_later(
         shop_domain: shop_domain,
@@ -15,6 +14,7 @@ module ShopifyApp
     def self.build_src(scripttags, domain)
       scripttags.map do |tag|
         next tag unless tag[:src].respond_to?(:call)
+
         tag = tag.dup
         tag[:src] = tag[:src].call(domain)
         tag
@@ -44,7 +44,7 @@ module ShopifyApp
     def destroy_scripttags
       scripttags = expanded_scripttags
       ShopifyAPI::ScriptTag.all.each do |tag|
-        ShopifyAPI::ScriptTag.delete(tag.id) if required_scripttag?(scripttags, tag)
+        tag.delete if required_scripttag?(scripttags, tag)
       end
 
       @current_scripttags = nil
@@ -61,9 +61,15 @@ module ShopifyApp
     end
 
     def create_scripttag(attributes)
-      attributes.reverse_merge!(format: 'json')
-      scripttag = ShopifyAPI::ScriptTag.create(attributes)
-      raise CreationFailed, scripttag.errors.full_messages.to_sentence unless scripttag.persisted?
+      scripttag = ShopifyAPI::ScriptTag.new
+      attributes.each { |key, value| scripttag.public_send("#{key}=", value) }
+
+      begin
+        scripttag.save!
+      rescue ShopifyAPI::Errors::HttpResponseError => e
+        raise ::ShopifyApp::CreationFailed, e.message
+      end
+
       scripttag
     end