RubyGems - shopify_app - Versions diffs - 13.5.0 - Mend

shopify_app 13.5.0

Files changed (156) hide show

checksums.yaml +7 -0
data/.babelrc +5 -0
data/.github/CODEOWNERS +1 -0
data/.github/ISSUE_TEMPLATE.md +14 -0
data/.github/PULL_REQUEST_TEMPLATE.md +6 -0
data/.github/probots.yml +2 -0
data/.github/workflows/rubocop.yml +28 -0
data/.gitignore +16 -0
data/.nvmrc +1 -0
data/.rubocop.yml +17 -0
data/.ruby-version +1 -0
data/.travis.yml +28 -0
data/CHANGELOG.md +505 -0
data/Gemfile +11 -0
data/LICENSE +19 -0
data/README.md +620 -0
data/Rakefile +7 -0
data/SECURITY.md +59 -0
data/app/assets/images/storage_access.svg +2 -0
data/app/assets/javascripts/shopify_app/enable_cookies.js +3 -0
data/app/assets/javascripts/shopify_app/itp_helper.js +40 -0
data/app/assets/javascripts/shopify_app/partition_cookies.js +8 -0
data/app/assets/javascripts/shopify_app/redirect.js +33 -0
data/app/assets/javascripts/shopify_app/request_storage_access.js +3 -0
data/app/assets/javascripts/shopify_app/storage_access.js +153 -0
data/app/assets/javascripts/shopify_app/storage_access_redirect.js +17 -0
data/app/assets/javascripts/shopify_app/top_level.js +2 -0
data/app/assets/javascripts/shopify_app/top_level_interaction.js +11 -0
data/app/controllers/concerns/shopify_app/authenticated.rb +16 -0
data/app/controllers/concerns/shopify_app/require_known_shop.rb +39 -0
data/app/controllers/shopify_app/authenticated_controller.rb +8 -0
data/app/controllers/shopify_app/callback_controller.rb +140 -0
data/app/controllers/shopify_app/extension_verification_controller.rb +15 -0
data/app/controllers/shopify_app/sessions_controller.rb +184 -0
data/app/controllers/shopify_app/webhooks_controller.rb +37 -0
data/app/views/shopify_app/partials/_button_styles.html.erb +104 -0
data/app/views/shopify_app/partials/_card_styles.html.erb +33 -0
data/app/views/shopify_app/partials/_empty_state_styles.html.erb +129 -0
data/app/views/shopify_app/partials/_layout_styles.html.erb +167 -0
data/app/views/shopify_app/partials/_typography_styles.html.erb +35 -0
data/app/views/shopify_app/sessions/enable_cookies.html.erb +75 -0
data/app/views/shopify_app/sessions/new.html.erb +123 -0
data/app/views/shopify_app/sessions/request_storage_access.html.erb +68 -0
data/app/views/shopify_app/sessions/top_level_interaction.html.erb +64 -0
data/app/views/shopify_app/shared/redirect.html.erb +23 -0
data/config/locales/cs.yml +23 -0
data/config/locales/da.yml +20 -0
data/config/locales/de.yml +22 -0
data/config/locales/en.yml +15 -0
data/config/locales/es.yml +22 -0
data/config/locales/fi.yml +20 -0
data/config/locales/fr.yml +23 -0
data/config/locales/hi.yml +23 -0
data/config/locales/it.yml +21 -0
data/config/locales/ja.yml +17 -0
data/config/locales/ko.yml +19 -0
data/config/locales/ms.yml +22 -0
data/config/locales/nb.yml +21 -0
data/config/locales/nl.yml +21 -0
data/config/locales/pl.yml +21 -0
data/config/locales/pt-BR.yml +21 -0
data/config/locales/pt-PT.yml +22 -0
data/config/locales/sv.yml +21 -0
data/config/locales/th.yml +20 -0
data/config/locales/tr.yml +22 -0
data/config/locales/zh-CN.yml +16 -0
data/config/locales/zh-TW.yml +16 -0
data/config/routes.rb +23 -0
data/docs/Quickstart.md +93 -0
data/docs/Releasing.md +18 -0
data/docs/Troubleshooting.md +16 -0
data/docs/install-on-dev-shop.png +0 -0
data/docs/test-your-app.png +0 -0
data/images/app-proxy-screenshot.png +0 -0
data/karma.conf.js +44 -0
data/lib/generators/shopify_app/add_after_authenticate_job/add_after_authenticate_job_generator.rb +47 -0
data/lib/generators/shopify_app/add_after_authenticate_job/templates/after_authenticate_job.rb +11 -0
data/lib/generators/shopify_app/add_marketing_activity_extension/add_marketing_activity_extension_generator.rb +40 -0
data/lib/generators/shopify_app/add_marketing_activity_extension/templates/marketing_activities_controller.rb +62 -0
data/lib/generators/shopify_app/add_webhook/add_webhook_generator.rb +69 -0
data/lib/generators/shopify_app/add_webhook/templates/webhook_job.rb.tt +13 -0
data/lib/generators/shopify_app/app_proxy_controller/app_proxy_controller_generator.rb +26 -0
data/lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_controller.rb +8 -0
data/lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_route.rb +11 -0
data/lib/generators/shopify_app/app_proxy_controller/templates/index.html.erb +19 -0
data/lib/generators/shopify_app/authenticated_controller/authenticated_controller_generator.rb +15 -0
data/lib/generators/shopify_app/authenticated_controller/templates/authenticated_controller.rb +5 -0
data/lib/generators/shopify_app/controllers/controllers_generator.rb +30 -0
data/lib/generators/shopify_app/home_controller/home_controller_generator.rb +26 -0
data/lib/generators/shopify_app/home_controller/templates/home_controller.rb +8 -0
data/lib/generators/shopify_app/home_controller/templates/index.html.erb +21 -0
data/lib/generators/shopify_app/install/install_generator.rb +83 -0
data/lib/generators/shopify_app/install/templates/_flash_messages.html.erb +3 -0
data/lib/generators/shopify_app/install/templates/embedded_app.html.erb +41 -0
data/lib/generators/shopify_app/install/templates/flash_messages.js +24 -0
data/lib/generators/shopify_app/install/templates/omniauth.rb +3 -0
data/lib/generators/shopify_app/install/templates/session_store.rb +4 -0
data/lib/generators/shopify_app/install/templates/shopify_app.js +15 -0
data/lib/generators/shopify_app/install/templates/shopify_app.rb.tt +15 -0
data/lib/generators/shopify_app/install/templates/shopify_app_index.js +2 -0
data/lib/generators/shopify_app/install/templates/shopify_provider.rb +20 -0
data/lib/generators/shopify_app/install/templates/user_agent.rb +6 -0
data/lib/generators/shopify_app/rotate_shopify_token_job/rotate_shopify_token_job_generator.rb +16 -0
data/lib/generators/shopify_app/rotate_shopify_token_job/templates/rotate_shopify_token.rake +17 -0
data/lib/generators/shopify_app/rotate_shopify_token_job/templates/rotate_shopify_token_job.rb +42 -0
data/lib/generators/shopify_app/routes/routes_generator.rb +32 -0
data/lib/generators/shopify_app/routes/templates/routes.rb +12 -0
data/lib/generators/shopify_app/shop_model/shop_model_generator.rb +43 -0
data/lib/generators/shopify_app/shop_model/templates/db/migrate/create_shops.erb +15 -0
data/lib/generators/shopify_app/shop_model/templates/shop.rb +8 -0
data/lib/generators/shopify_app/shop_model/templates/shops.yml +3 -0
data/lib/generators/shopify_app/shopify_app_generator.rb +18 -0
data/lib/generators/shopify_app/user_model/templates/db/migrate/create_users.erb +16 -0
data/lib/generators/shopify_app/user_model/templates/user.rb +8 -0
data/lib/generators/shopify_app/user_model/templates/users.yml +4 -0
data/lib/generators/shopify_app/user_model/user_model_generator.rb +43 -0
data/lib/generators/shopify_app/views/views_generator.rb +30 -0
data/lib/shopify_app.rb +61 -0
data/lib/shopify_app/configuration.rb +94 -0
data/lib/shopify_app/controller_concerns/app_proxy_verification.rb +38 -0
data/lib/shopify_app/controller_concerns/csrf_protection.rb +15 -0
data/lib/shopify_app/controller_concerns/embedded_app.rb +20 -0
data/lib/shopify_app/controller_concerns/itp.rb +45 -0
data/lib/shopify_app/controller_concerns/localization.rb +23 -0
data/lib/shopify_app/controller_concerns/login_protection.rb +231 -0
data/lib/shopify_app/controller_concerns/payload_verification.rb +24 -0
data/lib/shopify_app/controller_concerns/webhook_verification.rb +23 -0
data/lib/shopify_app/engine.rb +25 -0
data/lib/shopify_app/jobs/scripttags_manager_job.rb +16 -0
data/lib/shopify_app/jobs/webhooks_manager_job.rb +16 -0
data/lib/shopify_app/managers/scripttags_manager.rb +78 -0
data/lib/shopify_app/managers/webhooks_manager.rb +62 -0
data/lib/shopify_app/middleware/jwt_middleware.rb +42 -0
data/lib/shopify_app/middleware/same_site_cookie_middleware.rb +34 -0
data/lib/shopify_app/session/in_memory_session_store.rb +31 -0
data/lib/shopify_app/session/in_memory_shop_session_store.rb +14 -0
data/lib/shopify_app/session/in_memory_user_session_store.rb +14 -0
data/lib/shopify_app/session/jwt.rb +61 -0
data/lib/shopify_app/session/null_user_session_store.rb +22 -0
data/lib/shopify_app/session/session_repository.rb +56 -0
data/lib/shopify_app/session/session_storage.rb +20 -0
data/lib/shopify_app/session/shop_session_storage.rb +42 -0
data/lib/shopify_app/session/user_session_storage.rb +42 -0
data/lib/shopify_app/test_helpers/all.rb +2 -0
data/lib/shopify_app/test_helpers/webhook_verification_helper.rb +17 -0
data/lib/shopify_app/utils.rb +24 -0
data/lib/shopify_app/version.rb +4 -0
data/package-lock.json +7177 -0
data/package.json +28 -0
data/service.yml +7 -0
data/shipit.rubygems.yml +4 -0
data/shopify_app.gemspec +37 -0
data/translation.yml +7 -0
data/webpack.config.js +24 -0
data/yarn.lock +5263 -0
metadata +420 -0

data/lib/shopify_app/jobs/scripttags_manager_job.rb ADDED

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class ScripttagsManagerJob < ActiveJob::Base
+    queue_as do
+      ShopifyApp.configuration.scripttags_manager_queue_name
+    end
+    def perform(shop_domain:, shop_token:, scripttags:)
+      api_version = ShopifyApp.configuration.api_version
+      ShopifyAPI::Session.temp(domain: shop_domain, token: shop_token, api_version: api_version) do
+        manager = ScripttagsManager.new(scripttags, shop_domain)
+        manager.create_scripttags
+      end
+    end
+  end
+end

data/lib/shopify_app/jobs/webhooks_manager_job.rb ADDED

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class WebhooksManagerJob < ActiveJob::Base
+    queue_as do
+      ShopifyApp.configuration.webhooks_manager_queue_name
+    end
+    def perform(shop_domain:, shop_token:, webhooks:)
+      api_version = ShopifyApp.configuration.api_version
+      ShopifyAPI::Session.temp(domain: shop_domain, token: shop_token, api_version: api_version) do
+        manager = WebhooksManager.new(webhooks)
+        manager.create_webhooks
+      end
+    end
+  end
+end

data/lib/shopify_app/managers/scripttags_manager.rb ADDED

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class ScripttagsManager
+    class CreationFailed < StandardError; end
+    def self.queue(shop_domain, shop_token, scripttags)
+      ShopifyApp::ScripttagsManagerJob.perform_later(
+        shop_domain: shop_domain,
+        shop_token: shop_token,
+        # Procs cannot be serialized so we interpolate now, if necessary
+        scripttags: build_src(scripttags, shop_domain)
+      )
+    end
+    def self.build_src(scripttags, domain)
+      scripttags.map do |tag|
+        next tag unless tag[:src].respond_to?(:call)
+        tag = tag.dup
+        tag[:src] = tag[:src].call(domain)
+        tag
+      end
+    end
+    attr_reader :required_scripttags, :shop_domain
+    def initialize(scripttags, shop_domain)
+      @required_scripttags = scripttags
+      @shop_domain = shop_domain
+    end
+    def recreate_scripttags!
+      destroy_scripttags
+      create_scripttags
+    end
+    def create_scripttags
+      return unless required_scripttags.present?
+      expanded_scripttags.each do |scripttag|
+        create_scripttag(scripttag) unless scripttag_exists?(scripttag[:src])
+      end
+    end
+    def destroy_scripttags
+      scripttags = expanded_scripttags
+      ShopifyAPI::ScriptTag.all.each do |tag|
+        ShopifyAPI::ScriptTag.delete(tag.id) if required_scripttag?(scripttags, tag)
+      end
+      @current_scripttags = nil
+    end
+    private
+    def expanded_scripttags
+      self.class.build_src(required_scripttags, shop_domain)
+    end
+    def required_scripttag?(scripttags, tag)
+      scripttags.map { |w| w[:src] }.include?(tag.src)
+    end
+    def create_scripttag(attributes)
+      attributes.reverse_merge!(format: 'json')
+      scripttag = ShopifyAPI::ScriptTag.create(attributes)
+      raise CreationFailed, scripttag.errors.full_messages.to_sentence unless scripttag.persisted?
+      scripttag
+    end
+    def scripttag_exists?(src)
+      current_scripttags[src]
+    end
+    def current_scripttags
+      @current_scripttags ||= ShopifyAPI::ScriptTag.all.index_by(&:src)
+    end
+  end
+end

data/lib/shopify_app/managers/webhooks_manager.rb ADDED

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class WebhooksManager
+    class CreationFailed < StandardError; end
+    def self.queue(shop_domain, shop_token, webhooks)
+      ShopifyApp::WebhooksManagerJob.perform_later(
+        shop_domain: shop_domain,
+        shop_token: shop_token,
+        webhooks: webhooks
+      )
+    end
+    attr_reader :required_webhooks
+    def initialize(webhooks)
+      @required_webhooks = webhooks
+    end
+    def recreate_webhooks!
+      destroy_webhooks
+      create_webhooks
+    end
+    def create_webhooks
+      return unless required_webhooks.present?
+      required_webhooks.each do |webhook|
+        create_webhook(webhook) unless webhook_exists?(webhook[:topic])
+      end
+    end
+    def destroy_webhooks
+      ShopifyAPI::Webhook.all.to_a.each do |webhook|
+        ShopifyAPI::Webhook.delete(webhook.id) if required_webhook?(webhook)
+      end
+      @current_webhooks = nil
+    end
+    private
+    def required_webhook?(webhook)
+      required_webhooks.map { |w| w[:address] }.include?(webhook.address)
+    end
+    def create_webhook(attributes)
+      attributes.reverse_merge!(format: 'json')
+      webhook = ShopifyAPI::Webhook.create(attributes)
+      raise CreationFailed, webhook.errors.full_messages.to_sentence unless webhook.persisted?
+      webhook
+    end
+    def webhook_exists?(topic)
+      current_webhooks[topic]
+    end
+    def current_webhooks
+      @current_webhooks ||= ShopifyAPI::Webhook.all.to_a.index_by(&:topic)
+    end
+  end
+end

data/lib/shopify_app/middleware/jwt_middleware.rb ADDED

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class JWTMiddleware
+    TOKEN_REGEX = /^Bearer\s+(.*?)$/
+    def initialize(app)
+      @app = app
+    end
+    def call(env)
+      return call_next(env) unless authorization_header(env)
+      token = extract_token(env)
+      return call_next(env) unless token
+      set_env_variables(token, env)
+      call_next(env)
+    end
+    private
+    def call_next(env)
+      @app.call(env)
+    end
+    def authorization_header(env)
+      env['HTTP_AUTHORIZATION']
+    end
+    def extract_token(env)
+      match = authorization_header(env).match(TOKEN_REGEX)
+      match && match[1]
+    end
+    def set_env_variables(token, env)
+      jwt = ShopifyApp::JWT.new(token)
+      env['jwt.shopify_domain'] = jwt.shopify_domain
+      env['jwt.shopify_user_id'] = jwt.shopify_user_id
+    end
+  end
+end

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb ADDED

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class SameSiteCookieMiddleware
+    COOKIE_SEPARATOR = "\n"
+    def initialize(app)
+      @app = app
+    end
+    def call(env)
+      status, headers, body = @app.call(env)
+      user_agent = env['HTTP_USER_AGENT']
+      if headers && headers['Set-Cookie'] &&
+          BrowserSniffer.new(user_agent).same_site_none_compatible? &&
+          ShopifyApp.configuration.enable_same_site_none &&
+          Rack::Request.new(env).ssl?
+        set_cookies = headers['Set-Cookie']
+          .split(COOKIE_SEPARATOR)
+          .compact
+          .map do |cookie|
+            cookie << '; Secure' unless cookie =~ /;\s*secure/i
+            cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
+            cookie
+          end
+        headers['Set-Cookie'] = set_cookies.join(COOKIE_SEPARATOR)
+      end
+      [status, headers, body]
+    end
+  end
+end

data/lib/shopify_app/session/in_memory_session_store.rb ADDED

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+module ShopifyApp
+  # rubocop:disable Style/ClassVars
+  # Class var repo is needed here in order to share data between the 2 child classes.
+  class InMemorySessionStore
+    class EnvironmentError < StandardError; end
+    def self.retrieve(id)
+      repo[id]
+    end
+    def self.store(session, *_args)
+      id = SecureRandom.uuid
+      repo[id] = session
+      id
+    end
+    def self.clear
+      @@repo = nil
+    end
+    def self.repo
+      if Rails.env.production?
+        raise EnvironmentError, "Cannot use InMemorySessionStore in a Production environment. \
+          Please initialize ShopifyApp with a model that can store and retrieve sessions"
+      end
+      @@repo ||= {}
+    end
+  end
+  # rubocop:enable Style/ClassVars
+end

data/lib/shopify_app/session/in_memory_shop_session_store.rb ADDED

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class InMemoryShopSessionStore < InMemorySessionStore
+    def self.store(session, *args)
+      id = super
+      repo[session.domain] = session
+      id
+    end
+    def self.retrieve_by_shopify_domain(shopify_domain)
+      repo[shopify_domain]
+    end
+  end
+end

data/lib/shopify_app/session/in_memory_user_session_store.rb ADDED

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class InMemoryUserSessionStore < InMemorySessionStore
+    def self.store(session, user)
+      id = super
+      repo[user.shopify_user_id] = session
+      id
+    end
+    def self.retrieve_by_shopify_user_id(user_id)
+      repo[user_id]
+    end
+  end
+end

data/lib/shopify_app/session/jwt.rb ADDED

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class JWT
+    class InvalidDestinationError < StandardError; end
+    class MismatchedHostsError < StandardError; end
+    class InvalidAudienceError < StandardError; end
+    WARN_EXCEPTIONS = [
+      ::JWT::DecodeError,
+      ::JWT::ExpiredSignature,
+      ::JWT::ImmatureSignature,
+      ::JWT::VerificationError,
+      InvalidAudienceError,
+      InvalidDestinationError,
+      MismatchedHostsError,
+    ]
+    def initialize(token)
+      @token = token
+      set_payload
+    end
+    def shopify_domain
+      @payload && ShopifyApp::Utils.sanitize_shop_domain(@payload['dest'])
+    end
+    def shopify_user_id
+      @payload && @payload['sub']
+    end
+    private
+    def set_payload
+      payload, _ = parse_token_data(ShopifyApp.configuration&.secret, ShopifyApp.configuration&.old_secret)
+      @payload = validate_payload(payload)
+    rescue *WARN_EXCEPTIONS => error
+      Rails.logger.warn("[ShopifyApp::JWT] Failed to validate JWT: [#{error.class}] #{error}")
+      nil
+    end
+    def parse_token_data(secret, old_secret)
+      ::JWT.decode(@token, secret, true, { algorithm: 'HS256' })
+    rescue ::JWT::VerificationError
+      raise unless old_secret
+      ::JWT.decode(@token, old_secret, true, { algorithm: 'HS256' })
+    end
+    def validate_payload(payload)
+      dest_host = ShopifyApp::Utils.sanitize_shop_domain(payload['dest'])
+      iss_host = ShopifyApp::Utils.sanitize_shop_domain(payload['iss'])
+      api_key = ShopifyApp.configuration.api_key
+      raise InvalidAudienceError, "'aud' claim does not match api_key" unless payload['aud'] == api_key
+      raise InvalidDestinationError, "'dest' claim host not a valid shopify host" unless dest_host
+      raise MismatchedHostsError, "'dest' claim host does not match 'iss' claim host" unless dest_host == iss_host
+      payload
+    end
+  end
+end

data/lib/shopify_app/session/null_user_session_store.rb ADDED

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class NullUserSessionStore
+    class << self
+      def retrieve(_)
+        nil
+      end
+      def store(_, _)
+        raise SessionRepository::ConfigurationError, 'user_storage is not configured'
+      end
+      def retrieve_by_shopify_user_id(_)
+        nil
+      end
+      def blank?
+        true
+      end
+    end
+  end
+end

data/lib/shopify_app/session/session_repository.rb ADDED

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class SessionRepository
+    class ConfigurationError < StandardError; end
+    class << self
+      attr_writer :shop_storage
+      attr_writer :user_storage
+      def retrieve_shop_session(id)
+        shop_storage.retrieve(id)
+      end
+      def retrieve_user_session(id)
+        user_storage.retrieve(id)
+      end
+      def retrieve_shop_session_by_shopify_domain(shopify_domain)
+        shop_storage.retrieve_by_shopify_domain(shopify_domain)
+      end
+      def retrieve_user_session_by_shopify_user_id(user_id)
+        user_storage.retrieve_by_shopify_user_id(user_id)
+      end
+      def store_shop_session(session)
+        shop_storage.store(session)
+      end
+      def store_user_session(session, user)
+        user_storage.store(session, user)
+      end
+      def shop_storage
+        load_shop_storage || raise(ConfigurationError, "ShopifySessionRepository.shop_storage is not configured!")
+      end
+      def user_storage
+        load_user_storage
+      end
+      private
+      def load_shop_storage
+        return unless @shop_storage
+        @shop_storage.respond_to?(:safe_constantize) ? @shop_storage.safe_constantize : @shop_storage
+      end
+      def load_user_storage
+        return NullUserSessionStore unless @user_storage
+        @user_storage.respond_to?(:safe_constantize) ? @user_storage.safe_constantize : @user_storage
+      end
+    end
+  end
+end