shopify_app 13.2.0 → 20.2.0

data/app/assets/javascripts/shopify_app/redirect.js

@@ -1,4 +1,7 @@
-(function() {
+//= require ./app_bridge_redirect.js
+//= require ./app_bridge_utils_3.1.1.js
+
+(function () {
   function redirect() {
     var redirectTargetElement = document.getElementById("redirection-target");
 
@@ -6,21 +9,14 @@
       return;
     }
 
-    var targetInfo = JSON.parse(redirectTargetElement.dataset.target)
+    var targetInfo = JSON.parse(redirectTargetElement.dataset.target);
 
-    if (window.top == window.self) {
-      // If the current window is the 'parent', change the URL by setting location.href
-      window.top.location.href = targetInfo.url;
-    } else {
-      // If the current window is the 'child', change the parent's URL with postMessage
-      normalizedLink = document.createElement('a');
-      normalizedLink.href = targetInfo.url;
+    var appBridgeUtils = window['app-bridge-utils'];
 
-      data = JSON.stringify({
-        message: 'Shopify.API.remoteRedirect',
-        data: {location: normalizedLink.href}
-      });
-      window.parent.postMessage(data, targetInfo.myshopifyUrl);
+    if (appBridgeUtils.isShopifyEmbedded()) {
+      window.appBridgeRedirect(targetInfo.url);
+    } else {
+      window.top.location.href = targetInfo.url;
     }
   }
 

data/app/assets/javascripts/shopify_app/storage_access.js

@@ -1,3 +1,5 @@
+//= require ./app_bridge_redirect.js
+
 (function() {
   var ACCESS_GRANTED_STATUS = 'storage_access_granted';
   var ACCESS_DENIED_STATUS = 'storage_access_denied';
@@ -13,15 +15,7 @@
   StorageAccessHelper.prototype.redirectToAppTLD = function(storageAccessStatus) {
     var normalizedLink = document.createElement('a');
 
-    normalizedLink.href = this.setNormalizedLink(storageAccessStatus);
-
-    data = JSON.stringify({
-      message: 'Shopify.API.remoteRedirect',
-      data: {
-        location: normalizedLink.href,
-      }
-    });
-    window.parent.postMessage(data, this.redirectData.myshopifyUrl);
+    window.appBridgeRedirect(this.setNormalizedLink(storageAccessStatus));
   }
 
   StorageAccessHelper.prototype.redirectToAppsIndex = function() {
@@ -132,7 +126,8 @@
 
   /* ITP 2.0 solution: handles cookie partitioning */
   StorageAccessHelper.prototype.setUpHelper = function() {
-    return new ITPHelper({redirectUrl: window.shopOrigin + "/admin/apps/" + window.apiKey + window.returnTo});
+    var shopifyData = document.body.dataset;
+    return new ITPHelper({redirectUrl: "https://" + shopifyData.shopOrigin + "/admin/apps/" + shopifyData.apiKey + shopifyData.returnTo});
   }
 
   StorageAccessHelper.prototype.setCookieAndRedirect = function() {

data/app/assets/javascripts/shopify_app/top_level_interaction.js

@@ -1,7 +1,7 @@
 (function() {
   function setUpTopLevelInteraction() {
     var TopLevelInteraction = new ITPHelper({
-      redirectUrl: window.redirectUrl,
+      redirectUrl: document.body.dataset.redirectUrl,
     });
 
     TopLevelInteraction.execute();

data/app/controllers/concerns/shopify_app/authenticated.rb

@@ -7,9 +7,13 @@ module ShopifyApp
     included do
       include ShopifyApp::Localization
       include ShopifyApp::LoginProtection
+      include ShopifyApp::CsrfProtection
       include ShopifyApp::EmbeddedApp
+      include ShopifyApp::EnsureBilling
+
       before_action :login_again_if_different_user_or_shop
       around_action :activate_shopify_session
+      after_action :add_top_level_redirection_headers
     end
   end
 end

data/app/controllers/concerns/shopify_app/ensure_authenticated_links.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module EnsureAuthenticatedLinks
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :redirect_to_splash_page, if: :missing_expected_jwt?
+    end
+
+    private
+
+    def splash_page
+      splash_page_with_params(
+        return_to: request.fullpath,
+        shop: current_shopify_domain,
+        host: params[:host]
+      )
+    end
+
+    def splash_page_with_params(params)
+      uri = URI(root_path)
+      uri.query = params.compact.to_query
+      uri.to_s
+    end
+
+    def redirect_to_splash_page
+      redirect_to(splash_page)
+    rescue ::ShopifyApp::ShopifyDomainNotFound => error
+      Rails.logger.warn("[ShopifyApp::EnsureAuthenticatedLinks] Redirecting to login: [#{error.class}] "\
+        "Could not determine current shop domain")
+      redirect_to(ShopifyApp.configuration.login_url)
+    end
+
+    def missing_expected_jwt?
+      jwt_shopify_domain.blank?
+    end
+  end
+end

data/app/controllers/concerns/shopify_app/require_known_shop.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module RequireKnownShop
+    extend ActiveSupport::Concern
+    include ShopifyApp::RedirectForEmbedded
+
+    included do
+      before_action :check_shop_domain
+      before_action :check_shop_known
+    end
+
+    def current_shopify_domain
+      return if params[:shop].blank?
+
+      @shopify_domain ||= ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
+    end
+
+    private
+
+    def check_shop_domain
+      redirect_to(ShopifyApp.configuration.login_url) unless current_shopify_domain
+    end
+
+    def check_shop_known
+      @shop = SessionRepository.retrieve_shop_session_by_shopify_domain(current_shopify_domain)
+      unless @shop
+        if embedded_param?
+          redirect_for_embedded
+        else
+          redirect_to(shop_login)
+        end
+      end
+    end
+
+    def shop_login
+      url = URI(ShopifyApp.configuration.login_url)
+
+      url.query = URI.encode_www_form(
+        shop: params[:shop],
+        host: params[:host],
+        return_to: request.fullpath,
+      )
+
+      url.to_s
+    end
+  end
+end

data/app/controllers/concerns/shopify_app/shop_access_scopes_verification.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module ShopAccessScopesVerification
+    extend ActiveSupport::Concern
+    include ShopifyApp::RedirectForEmbedded
+
+    included do
+      before_action :login_on_scope_changes
+    end
+
+    protected
+
+    def login_on_scope_changes
+      if scopes_mismatch?
+        if embedded_param?
+          redirect_for_embedded
+        else
+          redirect_to(shop_login)
+        end
+      end
+    end
+
+    private
+
+    def scopes_mismatch?
+      ShopifyApp.configuration.shop_access_scopes_strategy.update_access_scopes?(current_shopify_domain)
+    end
+
+    def current_shopify_domain
+      return if params[:shop].blank?
+
+      ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
+    end
+
+    def shop_login
+      ShopifyApp::Utils.shop_login_url(shop: params[:shop], host: params[:host], return_to: request.fullpath)
+    end
+  end
+end

data/app/controllers/shopify_app/authenticated_controller.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class AuthenticatedController < ActionController::Base
     include ShopifyApp::Authenticated

data/app/controllers/shopify_app/callback_controller.rb

@@ -4,123 +4,102 @@ module ShopifyApp
   # Performs login after OAuth completes
   class CallbackController < ActionController::Base
     include ShopifyApp::LoginProtection
+    include ShopifyApp::EnsureBilling
 
     def callback
-      unless auth_hash
+      begin
+        filtered_params = request.parameters.symbolize_keys.slice(:code, :shop, :timestamp, :state, :host, :hmac)
+
+        auth_result = ShopifyAPI::Auth::Oauth.validate_auth_callback(
+          cookies: {
+            ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME =>
+              cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME],
+          },
+          auth_query: ShopifyAPI::Auth::Oauth::AuthQuery.new(**filtered_params)
+        )
+      rescue
         return respond_with_error
       end
 
-      if jwt_request? && !valid_jwt_auth?
-        return respond_with_error
-      end
+      cookies.encrypted[auth_result[:cookie].name] = {
+        expires: auth_result[:cookie].expires,
+        secure: true,
+        http_only: true,
+        value: auth_result[:cookie].value,
+      }
 
-      if jwt_request?
-        set_shopify_session
-        head(:ok)
-      else
-        reset_session_options
-        set_shopify_session
+      session[:shopify_user_id] = auth_result[:session].associated_user.id if auth_result[:session].online?
 
-        if redirect_for_user_token?
-          return redirect_to(login_url_with_optional_shop)
-        end
+      if start_user_token_flow?(auth_result[:session])
+        return respond_with_user_token_flow
+      end
 
-        install_webhooks
-        install_scripttags
-        perform_after_authenticate_job
+      perform_post_authenticate_jobs(auth_result[:session])
+      has_payment = check_billing(auth_result[:session])
 
-        redirect_to(return_address)
-      end
+      respond_successfully if has_payment
     end
 
     private
 
-    def respond_with_error
-      if jwt_request?
-        head(:unauthorized)
+    def respond_successfully
+      if ShopifyAPI::Context.embedded?
+        return_to = session.delete(:return_to) || ""
+        redirect_to(ShopifyAPI::Auth.embedded_app_url(params[:host]) + return_to, allow_other_host: true)
       else
-        flash[:error] = I18n.t('could_not_log_in')
-        redirect_to(login_url_with_optional_shop)
+        redirect_to(return_address)
       end
     end
 
-    def redirect_for_user_token?
-      ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
-    end
-
-    def jwt_request?
-      jwt_shopify_domain || jwt_shopify_user_id
-    end
-
-    def valid_jwt_auth?
-      auth_hash && jwt_shopify_domain == shop_name && jwt_shopify_user_id == associated_user_id
-    end
-
-    def auth_hash
-      request.env['omniauth.auth']
+    def respond_with_error
+      flash[:error] = I18n.t("could_not_log_in")
+      redirect_to(login_url_with_optional_shop)
     end
 
-    def shop_name
-      auth_hash.uid
+    def respond_with_user_token_flow
+      redirect_to(login_url_with_optional_shop)
     end
 
-    def associated_user
-      return unless auth_hash['extra'].present?
+    def start_user_token_flow?(shopify_session)
+      return false unless ShopifyApp::SessionRepository.user_storage.present?
+      return false if shopify_session.online?
 
-      auth_hash['extra']['associated_user']
+      update_user_access_scopes?
     end
 
-    def associated_user_id
-      associated_user && associated_user['id']
-    end
+    def update_user_access_scopes?
+      return true if session[:shopify_user_id].nil?
 
-    def token
-      auth_hash['credentials']['token']
+      user_access_scopes_strategy.update_access_scopes?(shopify_user_id: session[:shopify_user_id])
     end
 
-    def reset_session_options
-      request.session_options[:renew] = true
-      session.delete(:_csrf_token)
+    def user_access_scopes_strategy
+      ShopifyApp.configuration.user_access_scopes_strategy
     end
 
-    def set_shopify_session
-      session_store = ShopifyAPI::Session.new(
-        domain: shop_name,
-        token: token,
-        api_version: ShopifyApp.configuration.api_version
-      )
-
-      session[:shopify_user] = associated_user
-      if session[:shopify_user].present?
-        session[:user_id] = ShopifyApp::SessionRepository.store_user_session(session_store, associated_user)
-      else
-        session[:shop_id] = ShopifyApp::SessionRepository.store_shop_session(session_store)
-      end
-      session[:shopify_domain] = shop_name
-      session[:user_session] = auth_hash&.extra&.session
+    def perform_post_authenticate_jobs(session)
+      install_webhooks(session)
+      install_scripttags(session)
+      perform_after_authenticate_job(session)
     end
 
-    def install_webhooks
+    def install_webhooks(session)
       return unless ShopifyApp.configuration.has_webhooks?
 
-      WebhooksManager.queue(
-        shop_name,
-        shop_session&.token || user_session.token,
-        ShopifyApp.configuration.webhooks
-      )
+      WebhooksManager.queue(session.shop, session.access_token)
     end
 
-    def install_scripttags
+    def install_scripttags(session)
       return unless ShopifyApp.configuration.has_scripttags?
 
       ScripttagsManager.queue(
-        shop_name,
-        shop_session&.token || user_session.token,
+        session.shop,
+        session.access_token,
         ShopifyApp.configuration.scripttags
       )
     end
 
-    def perform_after_authenticate_job
+    def perform_after_authenticate_job(session)
       config = ShopifyApp.configuration.after_authenticate_job
 
       return unless config && config[:job].present?
@@ -129,9 +108,9 @@ module ShopifyApp
       job = job.constantize if job.is_a?(String)
 
       if config[:inline] == true
-        job.perform_now(shop_domain: session[:shopify_domain])
+        job.perform_now(shop_domain: session.shop)
       else
-        job.perform_later(shop_domain: session[:shopify_domain])
+        job.perform_later(shop_domain: session.shop)
       end
     end
   end

data/app/controllers/shopify_app/extension_verification_controller.rb

@@ -2,19 +2,14 @@
 
 module ShopifyApp
   class ExtensionVerificationController < ActionController::Base
+    include ShopifyApp::PayloadVerification
     protect_from_forgery with: :null_session
     before_action :verify_request
 
     private
 
     def verify_request
-      hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
-      request_body = request.body.read
-      secret = ShopifyApp.configuration.secret
-      digest = OpenSSL::Digest.new('sha256')
-
-      expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
-      head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
+      head(:unauthorized) unless hmac_valid?(request.body.read)
     end
   end
 end

data/app/controllers/shopify_app/sessions_controller.rb

@@ -1,12 +1,14 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class SessionsController < ActionController::Base
     include ShopifyApp::LoginProtection
+    include ShopifyApp::RedirectForEmbedded
 
     layout false, only: :new
 
     after_action only: [:new, :create] do |controller|
-      controller.response.headers.except!('X-Frame-Options')
+      controller.response.headers.except!("X-Frame-Options")
     end
 
     def new
@@ -17,41 +19,14 @@ module ShopifyApp
       authenticate
     end
 
-    def enable_cookies
-      return unless validate_shop_presence
-
-      render(:enable_cookies, layout: false, locals: {
-        does_not_have_storage_access_url: top_level_interaction_path(
-          shop: sanitized_shop_name,
-          return_to: params[:return_to]
-        ),
-        has_storage_access_url: login_url_with_optional_shop(top_level: true),
-        app_target_url: granted_storage_access_path(
-          shop: sanitized_shop_name,
-          return_to: params[:return_to]
-        ),
-        current_shopify_domain: current_shopify_domain,
-      })
-    end
-
     def top_level_interaction
       @url = login_url_with_optional_shop(top_level: true)
       validate_shop_presence
     end
 
-    def granted_storage_access
-      return unless validate_shop_presence
-
-      session['shopify.granted_storage_access'] = true
-
-      copy_return_to_param_to_session
-
-      redirect_to(return_address_with_params({ shop: @shop }))
-    end
-
     def destroy
       reset_session
-      flash[:notice] = I18n.t('.logged_out')
+      flash[:notice] = I18n.t(".logged_out")
       redirect_to(login_url_with_optional_shop)
     end
 
@@ -59,60 +34,39 @@ module ShopifyApp
 
     def authenticate
       return render_invalid_shop_error unless sanitized_shop_name.present?
-      session['shopify.omniauth_params'] = { shop: sanitized_shop_name }
 
       copy_return_to_param_to_session
 
-      set_user_tokens_option
-
-      if user_agent_can_partition_cookies
-        authenticate_with_partitioning
-      else
-        authenticate_normally
-      end
-    end
-
-    def authenticate_normally
-      if request_storage_access?
-        redirect_to_request_storage_access
-      elsif authenticate_in_context?
-        authenticate_in_context
-      else
-        authenticate_at_top_level
-      end
-    end
-
-    def authenticate_with_partitioning
-      if session['shopify.cookies_persist']
-        clear_top_level_oauth_cookie
-        authenticate_in_context
+      if embedded_redirect_url?
+        if embedded_param?
+          redirect_for_embedded
+        else
+          start_oauth
+        end
+      elsif top_level?
+        start_oauth
       else
-        set_top_level_oauth_cookie
-        enable_cookie_access
+        redirect_auth_to_top_level
       end
     end
 
-    # rubocop:disable Lint/SuppressedException
-    def set_user_tokens_option
-      if shop_session.blank?
-        session[:user_tokens] = false
-        return
-      end
+    def start_oauth
+      callback_url = ShopifyApp.configuration.login_callback_url.gsub(%r{^/}, "")
 
-      session[:user_tokens] = ShopifyApp::SessionRepository.user_storage.present?
+      auth_attributes = ShopifyAPI::Auth::Oauth.begin_auth(
+        shop: sanitized_shop_name,
+        redirect_path: "/#{callback_url}",
+        is_online: user_session_expected?
+      )
+      cookies.encrypted[auth_attributes[:cookie].name] = {
+        expires: auth_attributes[:cookie].expires,
+        secure: true,
+        http_only: true,
+        value: auth_attributes[:cookie].value,
+      }
 
-      ShopifyAPI::Session.temp(
-        domain: shop_session.domain,
-        token: shop_session.token,
-        api_version: shop_session.api_version
-      ) do
-        ShopifyAPI::Metafield.find(:token_validity_bogus_check)
-      end
-    rescue ActiveResource::UnauthorizedAccess
-      session[:user_tokens] = false
-    rescue StandardError
+      redirect_to(auth_attributes[:auth_route], allow_other_host: true)
     end
-    # rubocop:enable Lint/SuppressedException
 
     def validate_shop_presence
       @shop = sanitized_shop_name
@@ -125,60 +79,22 @@ module ShopifyApp
     end
 
     def copy_return_to_param_to_session
-      session[:return_to] = RedirectSafely.make_safe(params[:return_to], '/') if params[:return_to]
+      session[:return_to] = RedirectSafely.make_safe(params[:return_to], "/") if params[:return_to]
     end
 
     def render_invalid_shop_error
-      flash[:error] = I18n.t('invalid_shop_url')
+      flash[:error] = I18n.t("invalid_shop_url")
       redirect_to(return_address)
     end
 
-    def enable_cookie_access
-      fullpage_redirect_to(enable_cookies_path(
-        shop: sanitized_shop_name,
-        return_to: session[:return_to]
-      ))
-    end
-
-    def authenticate_in_context
-      redirect_to("#{main_app.root_path}auth/shopify")
-    end
-
-    def authenticate_at_top_level
-      fullpage_redirect_to(login_url_with_optional_shop(top_level: true))
-    end
-
-    def authenticate_in_context?
+    def top_level?
       return true unless ShopifyApp.configuration.embedded_app?
-      params[:top_level]
-    end
-
-    def request_storage_access?
-      return false unless ShopifyApp.configuration.embedded_app?
-      return false if params[:top_level]
-      return false if user_agent_is_mobile
-      return false if user_agent_is_pos
 
-      !session['shopify.granted_storage_access']
+      !params[:top_level].nil?
     end
 
-    def redirect_to_request_storage_access
-      render(
-        :request_storage_access,
-        layout: false,
-        locals: {
-          does_not_have_storage_access_url: top_level_interaction_path(
-            shop: sanitized_shop_name,
-            return_to: session[:return_to]
-          ),
-          has_storage_access_url: login_url_with_optional_shop(top_level: true),
-          app_target_url: granted_storage_access_path(
-            shop: sanitized_shop_name,
-            return_to: session[:return_to]
-          ),
-          current_shopify_domain: current_shopify_domain,
-        }
-      )
+    def redirect_auth_to_top_level
+      fullpage_redirect_to(login_url_with_optional_shop(top_level: true))
     end
   end
 end