shopify_app 13.3.0 → 14.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6666c7899ac8e3332bf950ce28d445e2fc40886c811631a4bfb3f1e446c286e0
-  data.tar.gz: f85b1b7ed7a77e2430ed955ed0f65bd30b5021d85614da8943332077a999d38e
+  metadata.gz: db65febc756d6f85ea5ee8f2d109e5e8fa8087ed4b1eaa3df2e1d0abfa33e95c
+  data.tar.gz: 74c591a7dc4f9f6d0fc88f5be084decd7746a6052a72698e34938caeb8b4ef49
 SHA512:
-  metadata.gz: 6582a20d5b5340e7259aef06660e0a2673f31cc0b9413d6d8fda0a7c7fa34982f7dc08cd69f78cad2a0d4e322aedddcc6e472ba368ac4066f1215dc5daaacc4d
-  data.tar.gz: c9bf293b825e474f3ef73353428309baa0c3536c7781597b58ca083fc03b587e210e05dbbdc398edf235b225a537dd3dd02bb612176625d42743a2ae1978aeec
+  metadata.gz: 76e46bf49ceb4d417df9e414c2bb957bff0726f8a1e54bcb87df36a19ec1efe7b32c71dda81b8f1d0425acfccedd375149c5e975ac7f7281d3bb62136d578b49
+  data.tar.gz: e2459eb498a8b220d888fc1412231b2ce736cd779a4cfac6aa9fa1ce61cbe111a17d2a89427d6e0e38e67a9b3c201a5c0cfcba63c624dcdc27dbd5d8417dd47c

data/.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,6 @@
+Before submitting the PR, please consider if any of the following are needed:
+
+- [ ] Update `CHANGELOG.md` if the changes would impact users
+- [ ] Update `README.md`, if appropriate.
+- [ ] Update any relevant pages in `docs/`, if necessary
+- [ ] For security fixes, the [Disclosure Policy](https://github.com/Shopify/shopify_app/blob/master/SECURITY.md#disclosure-policy) must be followed.

data/.travis.yml

@@ -13,7 +13,6 @@ cache:
   yarn: true
 
 rvm:
-  - 2.4
   - 2.5
   - 2.6
   - 2.7

data/CHANGELOG.md

@@ -1,3 +1,25 @@
+14.1.0
+------
+* Replace redirect calls to use App Bridge redirect functionality
+
+14.0.0
+------
+* Ruby 2.4 is no longer supported by this gem
+* Bump gemspec ruby dependency to 2.5
+* (Beta) Add `--with-session-token` flag to the Shopify App generator to create an app that is compatible with App Bridge Authentication
+
+13.5.0
+------
+* Add `signal_access_token_required` helper method for apps to indicate access token has expired and that a new one is required
+
+13.4.1
+------
+* Fix the version checks for the dependency on `shopify_api` to allow all of v9.X
+
+13.4.0
+------
+* Skip CSRF protection if a valid signed JWT token is present as we trust Shopify to be the only source that can sign it securely. [#994](https://github.com/Shopify/shopify_app/pull/994)
+
 13.3.0
 ------
 * Added Payload Verification module [#992](https://github.com/Shopify/shopify_app/pull/992)

data/README.md

@@ -58,8 +58,7 @@ $ rails new my_shopify_app
 $ cd my_shopify_app
 
 # Add the gem shopify_app to your Gemfile
-$ echo "gem 'shopify_app'" >> Gemfile
-$ bundle install
+$ bundle add shopify_app
 ```
 
 Now we are ready to run any of the [generators](#generators) included with `shopify_app`. The following section explains the generators and what you can do with them.
@@ -75,7 +74,7 @@ Generators
 
 ### Default Generator
 
-The default generator will run the `install`, `shop`, and `home_controller` generators. This is the recommended way to start a new app from scratch:
+The default generator will run the `install`, `shop`, `authenticated_controller`, and `home_controller` generators. This is the recommended way to start a new app from scratch:
 
 ```sh
 $ rails generate shopify_app
@@ -124,6 +123,16 @@ $ rails generate shopify_app:home_controller
 
 This generator creates an example home controller and view which fetches and displays products using the Shopify API.
 
+Options include:
+* __[beta]__ `with-session-token`: This flag generates an unauthenticated home_controller and a protected sample products_controller. It also creates a home view that leverages a session token to fetch products from your products_controller. Use this flag if you plan to build a single-page application or to secure your app using JWT session tokens (e.g. `--with-session-token` or `--with-session-token true`). 
+
+### Products Controller Generator
+
+```sh
+$ rails generate shopify_app:products_controller
+```
+
+This generator creates an example products API controller to fetch products using the Shopify API.
 
 ### App Proxy Controller Generator
 

data/app/assets/javascripts/shopify_app/app_bridge_redirect.js

@@ -0,0 +1,18 @@
+(function(window) {
+  function appBridgeRedirect(url) {
+    var AppBridge = window['app-bridge'];
+    var createApp = AppBridge.default;
+    var Redirect = AppBridge.actions.Redirect;
+    var app = createApp({
+      apiKey: window.apiKey,
+      shopOrigin: window.shopOrigin.replace(/^https:\/\//, ''),
+    });
+  
+    var normalizedLink = document.createElement('a');
+    normalizedLink.href = url;
+  
+    Redirect.create(app).dispatch(Redirect.Action.REMOTE, normalizedLink.href);
+  }
+
+  window.appBridgeRedirect = appBridgeRedirect;
+})(window);

data/app/assets/javascripts/shopify_app/redirect.js

@@ -1,3 +1,5 @@
+//= require ./app_bridge_redirect.js
+
 (function() {
   function redirect() {
     var redirectTargetElement = document.getElementById("redirection-target");
@@ -12,15 +14,8 @@
       // If the current window is the 'parent', change the URL by setting location.href
       window.top.location.href = targetInfo.url;
     } else {
-      // If the current window is the 'child', change the parent's URL with postMessage
-      normalizedLink = document.createElement('a');
-      normalizedLink.href = targetInfo.url;
-
-      data = JSON.stringify({
-        message: 'Shopify.API.remoteRedirect',
-        data: {location: normalizedLink.href}
-      });
-      window.parent.postMessage(data, targetInfo.myshopifyUrl);
+      // If the current window is the 'child', change the parent's URL with App Bridge Redirect
+      window.appBridgeRedirect(targetInfo.url);
     }
   }
 

data/app/assets/javascripts/shopify_app/storage_access.js

@@ -1,3 +1,5 @@
+//= require ./app_bridge_redirect.js
+
 (function() {
   var ACCESS_GRANTED_STATUS = 'storage_access_granted';
   var ACCESS_DENIED_STATUS = 'storage_access_denied';
@@ -11,17 +13,7 @@
   }
 
   StorageAccessHelper.prototype.redirectToAppTLD = function(storageAccessStatus) {
-    var normalizedLink = document.createElement('a');
-
-    normalizedLink.href = this.setNormalizedLink(storageAccessStatus);
-
-    data = JSON.stringify({
-      message: 'Shopify.API.remoteRedirect',
-      data: {
-        location: normalizedLink.href,
-      }
-    });
-    window.parent.postMessage(data, this.redirectData.myshopifyUrl);
+    window.appBridgeRedirect(this.setNormalizedLink(storageAccessStatus));
   }
 
   StorageAccessHelper.prototype.redirectToAppsIndex = function() {

data/app/controllers/concerns/shopify_app/authenticated.rb

@@ -7,6 +7,7 @@ module ShopifyApp
     included do
       include ShopifyApp::Localization
       include ShopifyApp::LoginProtection
+      include ShopifyApp::CsrfProtection
       include ShopifyApp::EmbeddedApp
       before_action :login_again_if_different_user_or_shop
       around_action :activate_shopify_session

data/app/controllers/shopify_app/callback_controller.rb

@@ -65,9 +65,9 @@ module ShopifyApp
     end
 
     def associated_user
-      return unless auth_hash['extra'].present?
+      return unless auth_hash.dig('extra', 'associated_user').present?
 
-      auth_hash['extra']['associated_user']
+      auth_hash['extra']['associated_user'].merge('scope' => auth_hash['extra']['associated_user_scope'])
     end
 
     def associated_user_id

data/app/views/shopify_app/sessions/enable_cookies.html.erb

@@ -5,6 +5,12 @@
   <meta name="viewport" content="width=device-width, initial-scale=1" />
   <base target="_top">
   <title>Redirecting…</title>
+  <script src="https://unpkg.com/@shopify/app-bridge@^1"></script>
+  <script>
+    window.apiKey = "<%= ShopifyApp.configuration.api_key %>";
+    window.shopOrigin = "https://<%= @shop %>";
+    window.returnTo = "<%= params[:return_to] %>"
+  </script>
   <%= render 'shopify_app/partials/layout_styles' %>
   <%= render 'shopify_app/partials/typography_styles' %>
   <%= render 'shopify_app/partials/card_styles' %>
@@ -14,12 +20,6 @@
       display: none;
     }
   </style>
-  <script>
-    window.apiKey = "<%= ShopifyApp.configuration.api_key %>";
-    window.shopOrigin = "https://<%= @shop %>";
-    window.returnTo = "<%= params[:return_to] %>"
-  </script>
-
   <%= javascript_include_tag('shopify_app/enable_cookies', crossorigin: 'anonymous', integrity: true) %>
 </head>
 <body>

data/app/views/shopify_app/sessions/request_storage_access.html.erb

@@ -5,6 +5,11 @@
   <meta name="viewport" content="width=device-width, initial-scale=1" />
   <base target="_top">
   <title>Redirecting…</title>
+  <script src="https://unpkg.com/@shopify/app-bridge@^1"></script>
+  <script>
+    window.apiKey = "<%= ShopifyApp.configuration.api_key %>";
+    window.shopOrigin = "https://<%= current_shopify_domain %>";
+  </script>
   <%= render 'shopify_app/partials/layout_styles' %>
   <%= render 'shopify_app/partials/typography_styles' %>
   <%= render 'shopify_app/partials/card_styles' %>

data/app/views/shopify_app/shared/redirect.html.erb

@@ -1,10 +1,15 @@
 <!DOCTYPE html>
-<html lang="en">
+<html lang="<%= I18n.locale %>">
 <head>
   <meta charset="utf-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
   <base target="_top">
   <title>Redirecting…</title>
+  <script src="https://unpkg.com/@shopify/app-bridge@^1"></script>
+  <script>
+    window.apiKey = "<%= ShopifyApp.configuration.api_key %>";
+    window.shopOrigin = "https://<%= current_shopify_domain %>";
+  </script>
   <%= javascript_include_tag('shopify_app/redirect', crossorigin: 'anonymous', integrity: true) %>
 </head>
 <body>

data/docs/Quickstart.md

@@ -40,11 +40,10 @@ $ heroku create name
 4. Add ShopifyApp to Gemfile
 ----------------------------
 
-Run these commands to add the `shopify_app` Gem to your app:
+Run this command to add the `shopify_app` Gem to your app:
 
 ```sh
-$ echo "gem 'shopify_app'" >> Gemfile
-$ bundle install
+$ bundle add shopify_app
 ```
 
 **Note:** we recommend using the latest version of Shopify Gem. Check the [Git tags](https://github.com/Shopify/shopify_app/tags) to see the latest release version and then add it to your Gemfile e.g `gem 'shopify_app', '~> 7.0.0'`

data/docs/Releasing.md

@@ -1,18 +1,18 @@
 Releasing ShopifyApp
 
 1. Check the Semantic Versioning page for info on how to version the new release: http://semver.org
-2. Create a pull request with the following changes:
-  * Update the version of ShopifyApp in lib/shopify_app/version.rb
-  * Update the version of shopify_app in package.json
-  * Add a CHANGELOG entry for the new release with the date
-  * Change the title of the PR to something like: "Packaging for release X.Y.Z"
-3. Merge your pull request
-4. Pull from master so you have the latest version of the shopify_app
-5. Tag the HEAD with the version (Leave REV blank for HEAD or provide a SHA)
-  $ git tag vX.Y.Z
-6. Push out your tags
-  $ git push --tags
-7. Use Shipit to build and push the gem
+1. Create a pull request with the following changes:
+    - Update the version of ShopifyApp in lib/shopify_app/version.rb
+    - Update the version of shopify_app in package.json
+    - Add a CHANGELOG entry for the new release with the date
+    - Change the title of the PR to something like: "Packaging for release X.Y.Z"
+1. Merge your pull request
+1. Checkout and pull from master so you have the latest version of the shopify_app
+1. Tag the HEAD with the version 
+```bash
+$ git tag -f vX.Y.Z && git push --tags --force
+```
+1. Use Shipit to build and push the gem
 
 If you see an error like 'You need to create the vX.Y.X tag first', clear GIT
 cache in Shipit settings

data/lib/generators/shopify_app/authenticated_controller/authenticated_controller_generator.rb

@@ -7,7 +7,7 @@ module ShopifyApp
     class AuthenticatedControllerGenerator < Rails::Generators::Base
       source_root File.expand_path('../templates', __FILE__)
 
-      def create_home_controller
+      def create_authenticated_controller
         template('authenticated_controller.rb', 'app/controllers/authenticated_controller.rb')
       end
     end

data/lib/generators/shopify_app/home_controller/home_controller_generator.rb

@@ -6,21 +6,39 @@ module ShopifyApp
     class HomeControllerGenerator < Rails::Generators::Base
       source_root File.expand_path('../templates', __FILE__)
 
+      class_option :with_session_token, type: :boolean, default: false
+
       def create_home_controller
-        template('home_controller.rb', 'app/controllers/home_controller.rb')
+        @with_session_token = options['with_session_token']
+
+        template(home_controller_template, 'app/controllers/home_controller.rb')
+      end
+
+      def create_products_controller
+        generate("shopify_app:products_controller") if with_session_token?
       end
 
       def create_home_index_view
-        copy_file('index.html.erb', 'app/views/home/index.html.erb')
+        template('index.html.erb', 'app/views/home/index.html.erb')
       end
 
       def add_home_index_route
         route("root :to => 'home#index'")
       end
 
+      private
+
       def embedded_app?
         ShopifyApp.configuration.embedded_app?
       end
+
+      def with_session_token?
+        @with_session_token
+      end
+
+      def home_controller_template
+        with_session_token? ? 'unauthenticated_home_controller.rb' : 'home_controller.rb'
+      end
     end
   end
 end

data/lib/generators/shopify_app/home_controller/templates/index.html.erb

@@ -1,21 +1,71 @@
-<h2>Products</h2>
+<!DOCTYPE html>
+<html lang="<%= I18n.locale %>">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <link
+      rel="stylesheet"
+      href="https://unpkg.com/@shopify/polaris@4.25.0/styles.min.css"
+      />
+<% if @with_session_token %>    <script>
+      document.addEventListener("DOMContentLoaded", async function() {
+        var SessionToken = window["app-bridge"].actions.SessionToken
+        var app = window.app;
 
-<ul>
-  <% @products.each do |product| %>
-    <li><%= link_to product.title, "https://#{@current_shopify_session.domain}/admin/products/#{product.id}", target: "_top" %></li>
-  <% end %>
-</ul>
+        app.dispatch(
+          SessionToken.request(),
+        );
 
-<hr>
+        // Save a session token for future requests
+        window.sessionToken = await new Promise((resolve) => {
+          app.subscribe(SessionToken.ActionType.RESPOND, (data) => {
+            resolve(data.sessionToken || "");
+          });
+        });
 
-<h2>Webhooks</h2>
+        var fetchProducts = function() {
+          var headers = new Headers({ "Authorization": "Bearer " + window.sessionToken });
+          return fetch("/products", { headers })
+            .then(response => response.json())
+            .then(data => {
+              var products = data.products;
 
-<% if @webhooks.present? %>
-  <ul>
-    <% @webhooks.each do |webhook| %>
-      <li><%= webhook.topic %> : <%= webhook.address %></li>
-    <% end %>
-  </ul>
-<% else %>
-  <p>This app has not created any webhooks for this Shop. Add webhooks to your ShopifyApp initializer if you need webhooks</p>
-<% end %>
+              if (products === undefined || products.length == 0) {
+                document.getElementById("products").innerHTML = "<br>No products to display.";
+              } else {
+                var list = "";
+                products.forEach((product) => {
+                  var link = `<a target="_top" href="https://<%%= @shop_origin %>/admin/products/${product.id}">`
+                  list += "<li>" + link + product.title + "</a></li>";
+                });
+                document.getElementById("products").innerHTML = "<ul>" + list + "</ul>";
+              }
+            });
+        }();
+      });
+    </script>
+<% end %>  </head>
+  <body>
+    <h2>Products</h2>
+<% if @with_session_token %>    <div id="products"><br>Loading...</div><% else %>
+    <ul>
+      <%% @products.each do |product| %>
+        <li><%%= link_to product.title, "https://#{@current_shopify_session.domain}/admin/products/#{product.id}", target: "_top" %></li>
+      <%% end %>
+    </ul>
+
+    <hr>
+
+    <h2>Webhooks</h2>
+
+    <%% if @webhooks.present? %>
+      <ul>
+        <%% @webhooks.each do |webhook| %>
+          <li><%%= webhook.topic %> : <%%= webhook.address %></li>
+        <%% end %>
+      </ul>
+    <%% else %>
+      <p>This app has not created any webhooks for this Shop. Add webhooks to your ShopifyApp initializer if you need webhooks</p>
+    <%% end %><% end %>
+  </body>
+</html>

data/lib/generators/shopify_app/home_controller/templates/unauthenticated_home_controller.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class HomeController < ApplicationController
+  include ShopifyApp::EmbeddedApp
+  include ShopifyApp::RequireKnownShop
+
+  def index
+    @shop_origin = current_shopify_domain
+  end
+end

data/lib/generators/shopify_app/install/templates/embedded_app.html.erb

@@ -28,7 +28,7 @@
 
     <%= content_tag(:div, nil, id: 'shopify-app-init', data: {
       api_key: ShopifyApp.configuration.api_key,
-      shop_origin: (@current_shopify_session.domain if @current_shopify_session),
+      shop_origin: @shop_origin || (@current_shopify_session.domain if @current_shopify_session),
       debug: Rails.env.development?
     } ) %>