shopify_app 13.5.0

data/Rakefile

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+require File.expand_path('../test/dummy/config/application', __FILE__)
+
+Rails.application.load_tasks

data/SECURITY.md

@@ -0,0 +1,59 @@
+# Security Policy
+
+## Supported versions
+
+### New features
+
+New features will only be added to the master branch and will not be made available in point releases.
+
+### Bug fixes
+
+Only the latest release series will receive bug fixes. When enough bugs are fixed and its deemed worthy to release a new gem, this is the branch it happens from.
+
+### Security issues
+
+Only the latest release series will receive patches and new versions in case of a security issue.
+
+### Severe security issues
+
+For severe security issues we will provide new versions as above, and also the last major release series will receive patches and new versions. The classification of the security issue is judged by the core team.
+
+### Unsupported Release Series
+
+When a release series is no longer supported, it's your own responsibility to deal with bugs and security issues. If you are not comfortable maintaining your own versions, you should upgrade to a supported version.
+
+## Reporting a bug
+
+All security bugs in shopify repositories should be reported to [our hackerone program](https://hackerone.com/shopify)
+Shopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the In Scope properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly your-store.myshopify.com/admin) and certain ancillary applications.
+
+## Disclosure Policy
+
+We look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:
+
+- Reply to all reports within one business day and triage within two business days (if applicable)
+- Be as transparent as possible, answering all inquires about our report decisions and adding hackers to duplicate HackerOne reports
+- Award bounties within a week of resolution (excluding extenuating circumstances)
+- Only close reports as N/A when the issue reported is included in Known Issues, Ineligible Vulnerabilities Types or lacks evidence of a vulnerability
+
+**The following rules must be followed in order for any rewards to be paid:**
+
+- You may only test against shops you have created which include your HackerOne YOURHANDLE @ wearehackerone.com registered email address.
+- You must not attempt to gain access to, or interact with, any shops other than those created by you.
+- The use of commercial scanners is prohibited (e.g., Nessus).
+- Rules for reporting must be followed.
+- Do not disclose any issues publicly before they have been resolved.
+- Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time.
+- Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. We may disqualify you from receiving a reward, or from participating in the program altogether.
+- You are not an employee of Shopify; employees should report bugs to the internal bug bounty program.
+- You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content.
+- By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content.
+- All content submitted by you to Shopify under this program is licensed under the MIT License.
+- You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability.
+- Failure to follow any of the foregoing rules will disqualify you from participating in this program.
+
+** Please see our [Hackerone Profile](https://hackerone.com/shopify) for full details
+
+## Receiving Security Updates
+
+To recieve all general updates to vulnerabilities, please subscribe to our hackerone [Hacktivity](https://hackerone.com/shopify/hacktivity)

data/app/assets/images/storage_access.svg

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg enable-background="new 0 0 1920 1080" version="1.1" viewBox="0 0 1920 1080" xml:space="preserve" xmlns="http://www.w3.org/2000/svg"><polygon points="1345 330.75 1345 437.24 1224.7 437.24 1224.7 676.56 873.52 676.56 874.04 643.85 1203.2 330.23" fill="#fff"/><path d="m1095.7 677.54c-18.553 0.074-37.107 0.163-55.66 0.126-18.553 0.056-37.107-0.188-55.66-0.233l-13.915-0.063-13.915 0.044-27.83 0.094c-18.553 0.128-37.107-5e-3 -55.66-0.056l-1.266-3e-3 3e-3 -1.259 0.047-22.532-0.093-22.532-0.068-11.266 6e-3 -11.266 0.019-22.532h2.703l0.111 22.532c0.053 7.511 0.06 15.022 0.038 22.532l-0.094 45.065-1.407-1.407c18.553 7e-3 37.107-0.041 55.66 0.086l27.83 0.131 13.915 0.066 13.915-0.028c18.553-8e-3 37.107-0.151 55.66-0.019 18.553 0.099 37.107 0.049 55.66-0.181v2.701z" fill="#0C1238"/><path d="m1225 677.54c-9.24 0.123-18.48 0.187-27.72 0.077l-13.86-0.213c-2.31-0.051-4.62-0.023-6.93 1e-3l-6.93 0.062c-9.24 0.156-18.48 0.076-27.72-0.054-2.31-0.034-4.62 1e-3 -6.93 2e-3l-6.93 0.121c-4.62 0.062-9.24-2e-3 -13.86 3e-3v-2.703c4.62-0.048 9.24-0.165 13.86-0.157l6.93 0.025c2.31 0.027 4.62 0.088 6.93 0.076 9.24-0.024 18.48-0.031 27.72 0.145 4.62 0.038 9.24 0.163 13.86 0.126l13.86-0.081c4.62-0.04 9.24 0.088 13.86 0.101 2.31 0.047 4.62-0.048 6.93-0.065 2.31-0.026 4.62-0.07 6.93-0.169v2.703z" fill="#0C1238"/><path d="m871.68 561.78l-0.13-115.72 0.07-115.72 1e-3 -1.414 1.411 3e-3 117.9 0.228 117.9-0.138 58.951-0.061 58.951 0.072 117.9 0.09 1.218 1e-3 4e-3 1.221 0.156 53.426-0.026 53.426h-2.703l-0.154-53.426 0.04-53.426 1.466 1.466-235.8-0.148-117.9-0.193-117.9 0.087 1.212-1.212-0.084 115.72c-0.058 19.286 0.032 38.573 0.074 57.859l0.15 57.859h-2.705z" fill="#0C1238"/><g fill="#E6E8F0"><circle cx="891.37" cy="344.49" r="6.812"/><circle cx="912.86" cy="345.01" r="6.812"/><circle cx="934.34" cy="345.54" r="6.812"/><path d="m1202.7 352.87h-186.64c-0.552 0-1-0.448-1-1v-11.624c0-0.552 0.448-1 1-1h186.64c0.552 0 1 0.448 1 1v11.624c0 0.552-0.448 1-1 1z" stroke="#F0F3F5" stroke-miterlimit="10"/><rect x="1288.6" y="339.25" width="17.816" height="13.624"/><path d="m1327.4 352.87h-15.816c-0.552 0-1-0.448-1-1v-11.624c0-0.552 0.448-1 1-1h15.816c0.552 0 1 0.448 1 1v11.624c0 0.552-0.447 1-1 1z"/></g><g fill="none" stroke="#8891EA" stroke-miterlimit="10" stroke-width="8"><path d="m1098.3 576.8c-24.295 0-43.99-19.695-43.99-43.99v-29.485c0-2.209 1.791-4 4-4h79.98c2.209 0 4 1.791 4 4v29.485c0 24.295-19.695 43.99-43.99 43.99z"/><path d="m1066 499.33v-12.41c0-17.804 14.433-32.237 32.237-32.237s32.237 14.433 32.237 32.237v12.41"/></g><circle cx="1098.3" cy="529.08" r="8.966" fill="#8891EA"/><line x1="1098.3" x2="1098.3" y1="529.08" y2="546.68" fill="#fff" stroke="#8891EA" stroke-linecap="round" stroke-miterlimit="10" stroke-width="8"/><polygon points="1416.1 676.19 1358 748.57 1416.1 749.77 1225 749.77 1225 659.42 1416.1 437.19" fill="#fff"/><path d="m1415.2 497.07l-0.12-59.83 1.472 1.472-95.89-0.052-47.945-0.135c-15.982-0.023-31.963-0.14-47.945-0.085l1.2-1.2 0.139 78.077c0.086 26.026 4e-3 52.052-0.039 78.077l-0.076 78.077c0.056 26.026 0.201 52.052 0.145 78.077l-1.368-1.368 38.25 0.017v2.703l-38.251 0.1-1.444 4e-3 -6e-3 -1.454c-0.102-26.026-0.045-52.052-0.026-78.077l0.068-78.077 0.067-78.077 0.191-78.077 3e-3 -1.15h1.147l47.945-0.013 47.945-0.051 95.89 0.089 1.121 1e-3 4e-3 1.125 0.226 59.83h-2.703z" fill="#0C1238"/><path d="m1417.9 518.33c0.051 19.268 0.165 38.536 0.128 57.804l-0.022 28.902-0.134 28.902-0.134 28.902 0.061 28.902 0.087 28.902 0.046 14.451-0.034 14.451-3e-3 1.353-1.347-3e-3c-22.64-0.042-45.28-0.192-67.919-0.118l-33.96 0.144-33.96-0.025v-2.703l33.96-0.143 33.96 0.01c11.32 0.049 22.64 0.1 33.96 0.078l33.96-2e-3 -1.409 1.409c-0.03-19.268 0.125-38.536 0.178-57.804l0.103-28.902-0.051-28.902-0.051-28.902 0.081-28.902c0.128-19.268-0.116-38.536-0.204-57.804h2.704z" fill="#0C1238"/><path d="m1400.3 458.72h-160.44c-0.552 0-1-0.448-1-1v-11.624c0-0.552 0.448-1 1-1h160.44c0.552 0 1 0.448 1 1v11.624c0 0.552-0.448 1-1 1z" fill="#E6E8F0" stroke="#F0F3F5" stroke-miterlimit="10"/><path d="m1238.5 467.44c13.587-0.084 27.173-0.121 40.76-0.055l20.38 0.141c6.793 0.061 13.587-0.03 20.38-0.038 13.587-0.116 27.173-0.022 40.76 0.038 6.793 0.029 13.587-0.022 20.38-0.082 6.793-0.046 13.587 0 20.38-5e-3v1.802c-13.587 0.111-27.173 0.144-40.76 0.036-13.587 2e-3 -27.173 0.027-40.76-0.09-6.793-0.025-13.587-0.117-20.38-0.088l-20.38 0.054c-6.793 0.022-13.587-0.048-20.38-0.067-6.793-7e-3 -13.587 0.107-20.38 0.154v-1.8z" fill="#E6E8F0"/><path d="m891.69 362.56c36.392-0.084 72.784-0.121 109.18-0.055l54.588 0.141c18.196 0.062 36.392-0.034 54.588-0.043l218.35-0.043v1.802c-36.392 0.111-72.784 0.144-109.18 0.036l-109.18-0.09-54.588-0.088-54.588 0.054-54.588-0.067-54.588 0.154v-1.801z" fill="#E6E8F0"/><g fill="none" stroke="#8891EA" stroke-miterlimit="10" stroke-width="6"><path d="m1320.6 638.41c-17.878 0-32.371-14.493-32.371-32.371v-21.697c0-1.626 1.318-2.943 2.943-2.943h58.854c1.626 0 2.943 1.318 2.943 2.943v21.697c1e-3 17.878-14.491 32.371-32.369 32.371z"/><path d="m1296.9 581.4v-9.132c0-13.101 10.62-23.722 23.722-23.722 13.101 0 23.722 10.621 23.722 23.722v9.132"/></g><circle cx="1320.6" cy="604.5" r="5.88" fill="#8891EA"/><line x1="1320.6" x2="1320.6" y1="603.3" y2="616.25" fill="#fff" stroke="#8891EA" stroke-linecap="round" stroke-miterlimit="10" stroke-width="6"/><path d="m966.35 697.36l-0.029 13.745c-0.01 1.145 0.011 2.291-0.023 3.436l-0.124 3.436c-0.103 2.291 0.022 4.582 0.121 6.872l-1.912-1.912c10.168-0.857 20.337-0.478 30.505-0.36 5.084 0.104 10.168 0.133 15.252 0.178 5.084 6e-3 10.168 0.199 15.252 0.287l7.626 0.168 7.626 0.264c2.542 0.09 5.084 0.032 7.626 0.023 2.542-0.035 5.084 0.047 7.626 0.065 10.168 0.377 20.337-0.052 30.505 0.201l7.626 0.04c2.542 6e-3 5.084-0.283 7.626-0.394 5.084-0.14 10.168-0.184 15.252-0.268 5.084-0.072 10.168-0.071 15.252-0.204 2.542-0.07 5.084-0.088 7.626-0.118 2.542-0.019 5.084 0.1 7.626 0.143 10.168 0.462 20.337-0.303 30.505 0.192 2.542 0.145 5.084 0.163 7.626 0.139 2.542 0 5.084-0.038 7.626-0.099l15.252-0.314v3.936l-15.252 0.106c-5.084 0.024-10.168 0.012-15.252 0.3-10.168 0.483-20.337-0.281-30.505-0.213-20.337-1.165-40.673 0.704-61.01-0.137-2.542 0.117-5.084 0.33-7.626 0.382-2.542 0.092-5.084 0.173-7.626-0.018s-5.084-0.219-7.626-0.183c-2.542-2e-3 -5.084 0.099-7.626 0.081-2.542-0.027-5.084 0.026-7.626-0.066-1.271-0.039-2.542-0.079-3.813-0.09-1.271-0.022-2.542-0.05-3.813 0.018-2.542 0.097-5.084 0.355-7.626 0.327-1.271-0.037-2.542-0.06-3.813-0.12l-3.813-0.238c-2.542-0.162-5.084-0.324-7.626-0.268-2.542 0.109-5.084-0.092-7.626-0.222-2.542-0.112-5.084-0.326-7.626-0.371-2.542-0.094-5.084-0.061-7.626-0.038-5.084 0.101-10.168 0.266-15.252 0.414-2.542 0.071-5.084 0.122-7.626 0.123l-7.626-0.19-1.598-0.04 0.032-1.527c0.047-2.291 0.153-4.582 9e-3 -6.872l-0.162-3.436c-0.047-1.145-0.04-2.291-0.062-3.436l-0.186-13.745h3.934z" fill="#E6E8F0"/><path d="m1434.8 722.88l16.096 0.019 8.048 0.01c2.683 0.018 5.365-0.029 8.048 0.05l-1.89 1.89c0.07-3.44 0.218-6.88 0.086-10.32l-0.312-10.32c-0.261-6.88-0.364-13.76-0.339-20.639l0.314-41.279c0.052-6.88 0.033-13.76 0.144-20.639l0.275-20.639c0.057-6.88 0.274-13.76 0.375-20.639 0.058-6.88-0.069-13.76 0.033-20.639l0.226-20.639-0.071-10.32-0.046-5.16 0.032-5.16 0.11-20.639c0.012-3.44 0.045-6.88-0.068-10.32-0.149-3.44-0.261-6.88-0.361-10.32l-0.328-41.279c-0.074-6.88-0.188-13.76-0.211-20.639 0.028-6.88 0.177-13.76 0.261-20.639l1.77 1.77c-4.37-0.095-8.74 1e-3 -13.111 1e-3l-13.111 0.063c-4.37 1e-3 -8.74 0.084-13.111 0.016l-13.111-0.231c-4.37-0.118-8.74-0.058-13.111-0.055-4.37-4e-3 -8.74 0.077-13.111 0.113l-26.221 0.29v-3.936l26.221-0.107 13.111-0.052c4.37-0.026 8.74 2e-3 13.111-0.14l13.111-0.262c4.37-0.066 8.74 0.04 13.111 0.051l26.221 0.283 2.211 0.024-0.016 2.172c-0.049 6.88-0.045 13.76-0.139 20.639-0.152 6.88-0.325 13.76-0.304 20.639l0.499 41.279c-0.024 1.72-0.037 3.44-0.138 5.16l-0.297 5.16c-0.137 3.44-0.045 6.88 0.01 10.32 0.12 6.88 0.479 13.76 0.59 20.639 0.273 6.88-0.127 13.76-0.227 20.639-0.014 6.88 0.146 13.76 0.091 20.639 0.051 6.88-0.202 13.76-0.162 20.639 0.04 3.44 0.226 6.88 0.324 10.32 0.061 3.44 4e-3 6.88-0.082 10.32l-0.356 10.32c-0.047 1.72-0.141 3.44-0.149 5.16l2e-3 5.16c-0.012 1.72 0.032 3.44-0.026 5.16l-0.164 5.16-0.335 10.32c-0.306 13.76 0.065 27.519 0.289 41.279 0.074 3.44 0.091 6.88 0.13 10.32 0.059 3.44-0.071 6.88-0.098 10.32l-0.153 10.32c-0.053 1.72 0.021 3.44 0.049 5.16l0.139 5.16 0.044 1.627-1.73 0.06c-2.683 0.093-5.365 0.065-8.048 0.1l-8.048 0.061-16.096 0.121v-3.941z" fill="#E6E8F0"/></svg>

data/app/assets/javascripts/shopify_app/enable_cookies.js

@@ -0,0 +1,3 @@
+//= require ./itp_helper.js
+//= require ./storage_access.js
+//= require ./partition_cookies.js

data/app/assets/javascripts/shopify_app/itp_helper.js

@@ -0,0 +1,40 @@
+(function() {
+  function ITPHelper(opts) {
+    this.itpContent = document.getElementById('TopLevelInteractionContent');
+    this.itpAction = document.getElementById('TopLevelInteractionButton');
+    this.redirectUrl = opts.redirectUrl;
+  }
+
+  ITPHelper.prototype.redirect = function() {
+    sessionStorage.setItem('shopify.top_level_interaction', true);
+    window.location.href = this.redirectUrl;
+  }
+
+  ITPHelper.prototype.userAgentIsAffected = function() {
+    return Boolean(document.hasStorageAccess);
+  }
+
+  ITPHelper.prototype.canPartitionCookies = function() {
+    var versionRegEx = /Version\/12\.0\.?\d? Safari/;
+    return versionRegEx.test(navigator.userAgent);
+  }
+
+  ITPHelper.prototype.setUpContent = function(onClick) {
+    this.itpContent.style.display = 'block';
+    this.itpAction.addEventListener('click', this.redirect.bind(this));
+  }
+
+  ITPHelper.prototype.execute = function() {
+    if (!this.itpContent) {
+      return;
+    }
+
+    if (this.userAgentIsAffected()) {
+      this.setUpContent();
+    } else {
+      this.redirect();
+    }
+  }
+
+  this.ITPHelper = ITPHelper;
+})(window);

data/app/assets/javascripts/shopify_app/partition_cookies.js

@@ -0,0 +1,8 @@
+(function() {
+  document.addEventListener("DOMContentLoaded", function() {
+    var redirectTargetElement = document.getElementById("redirection-target");
+    var targetInfo = JSON.parse(redirectTargetElement.dataset.target)
+    var storageAccessHelper = new StorageAccessHelper(targetInfo);
+    storageAccessHelper.execute();
+  });
+})();

data/app/assets/javascripts/shopify_app/redirect.js

@@ -0,0 +1,33 @@
+(function() {
+  function redirect() {
+    var redirectTargetElement = document.getElementById("redirection-target");
+
+    if (!redirectTargetElement) {
+      return;
+    }
+
+    var targetInfo = JSON.parse(redirectTargetElement.dataset.target)
+
+    if (window.top == window.self) {
+      // If the current window is the 'parent', change the URL by setting location.href
+      window.top.location.href = targetInfo.url;
+    } else {
+      // If the current window is the 'child', change the parent's URL with postMessage
+      normalizedLink = document.createElement('a');
+      normalizedLink.href = targetInfo.url;
+
+      data = JSON.stringify({
+        message: 'Shopify.API.remoteRedirect',
+        data: {location: normalizedLink.href}
+      });
+      window.parent.postMessage(data, targetInfo.myshopifyUrl);
+    }
+  }
+
+  document.addEventListener("DOMContentLoaded", redirect);
+
+  // In the turbolinks context, neither DOMContentLoaded nor turbolinks:load
+  // consistently fires. This ensures that we at least attempt to fire in the
+  // turbolinks situation as well.
+  redirect();
+})();

data/app/assets/javascripts/shopify_app/request_storage_access.js

@@ -0,0 +1,3 @@
+//= require ./itp_helper.js
+//= require ./storage_access.js
+//= require ./storage_access_redirect.js

data/app/assets/javascripts/shopify_app/storage_access.js

@@ -0,0 +1,153 @@
+(function() {
+  var ACCESS_GRANTED_STATUS = 'storage_access_granted';
+  var ACCESS_DENIED_STATUS = 'storage_access_denied';
+
+  function StorageAccessHelper(redirectData) {
+    this.redirectData = redirectData;
+  }
+
+  StorageAccessHelper.prototype.setNormalizedLink = function(storageAccessStatus) {
+    return storageAccessStatus === ACCESS_GRANTED_STATUS ? this.redirectData.hasStorageAccessUrl : this.redirectData.doesNotHaveStorageAccessUrl;
+  }
+
+  StorageAccessHelper.prototype.redirectToAppTLD = function(storageAccessStatus) {
+    var normalizedLink = document.createElement('a');
+
+    normalizedLink.href = this.setNormalizedLink(storageAccessStatus);
+
+    data = JSON.stringify({
+      message: 'Shopify.API.remoteRedirect',
+      data: {
+        location: normalizedLink.href,
+      }
+    });
+    window.parent.postMessage(data, this.redirectData.myshopifyUrl);
+  }
+
+  StorageAccessHelper.prototype.redirectToAppsIndex = function() {
+    window.parent.location.href = this.redirectData.myshopifyUrl + '/admin/apps';
+  }
+
+  StorageAccessHelper.prototype.redirectToAppTargetUrl = function() {
+    window.location.href = this.redirectData.appTargetUrl;
+  }
+
+  StorageAccessHelper.prototype.sameSiteNoneIncompatible = function(ua) {
+    return ua.includes("iPhone OS 12_") || ua.includes("iPad; CPU OS 12_") || //iOS 12
+    (ua.includes("UCBrowser/")
+        ? this.isOlderUcBrowser(ua) //UC Browser < 12.13.2
+        : (ua.includes("Chrome/5") || ua.includes("Chrome/6"))) ||
+    ua.includes("Chromium/5") || ua.includes("Chromium/6") ||
+    (ua.includes(" OS X 10_14_") &&
+        ((ua.includes("Version/") && ua.includes("Safari")) || //Safari on MacOS 10.14
+        ua.endsWith("(KHTML, like Gecko)"))); //Web view on MacOS 10.14
+  }
+
+  StorageAccessHelper.prototype.isOlderUcBrowser = function(ua) {
+    var match = ua.match(/UCBrowser\/(\d+)\.(\d+)\.(\d+)\./);
+    if (!match) return false;
+    var major = parseInt(match[1]);
+    var minor = parseInt(match[2]);
+    var build = parseInt(match[3]);
+    if (major != 12) return major < 12;
+    if (minor != 13) return minor < 13;
+    return build < 2;
+  }
+
+  StorageAccessHelper.prototype.setCookie = function(value) {
+    if(!this.sameSiteNoneIncompatible(navigator.userAgent)) {
+      value += '; secure; SameSite=None'
+    }
+    document.cookie = value;
+  }
+
+  StorageAccessHelper.prototype.grantedStorageAccess = function() {
+    try {
+      sessionStorage.setItem('shopify.granted_storage_access', true);
+      this.setCookie('shopify.granted_storage_access=true');
+      if (!document.cookie) {
+        throw 'Cannot set third-party cookie.'
+      }
+      this.redirectToAppTargetUrl();
+    } catch (error) {
+      console.warn('Third party cookies may be blocked.', error);
+      this.redirectToAppTLD(ACCESS_DENIED_STATUS);
+    }
+  }
+
+  StorageAccessHelper.prototype.handleRequestStorageAccess = function() {
+    return document.requestStorageAccess().then(this.grantedStorageAccess.bind(this), this.redirectToAppsIndex.bind(this, ACCESS_DENIED_STATUS));
+  }
+
+  StorageAccessHelper.prototype.setupRequestStorageAccess = function() {
+    var requestContent = document.getElementById('RequestStorageAccess');
+    var requestButton = document.getElementById('TriggerAllowCookiesPrompt');
+
+    requestButton.addEventListener('click', this.handleRequestStorageAccess.bind(this));
+    requestContent.style.display = 'block';
+  }
+
+  StorageAccessHelper.prototype.handleHasStorageAccess = function() {
+    if (sessionStorage.getItem('shopify.granted_storage_access')) {
+      // If app was classified by ITP and used Storage Access API to acquire access
+      this.redirectToAppTargetUrl();
+    } else {
+      // If app has not been classified by ITP and still has storage access
+      this.redirectToAppTLD(ACCESS_GRANTED_STATUS);
+    }
+  }
+
+  StorageAccessHelper.prototype.handleGetStorageAccess = function() {
+    if (sessionStorage.getItem('shopify.top_level_interaction')) {
+      // If merchant has been redirected to interact with TLD (requirement for prompting request to gain storage access)
+      this.setupRequestStorageAccess();
+    } else {
+      // If merchant has not been redirected to interact with TLD (requirement for prompting request to gain storage access)
+      this.redirectToAppTLD(ACCESS_DENIED_STATUS);
+    }
+  }
+
+  StorageAccessHelper.prototype.manageStorageAccess = function() {
+    return document.hasStorageAccess().then(function(hasAccess) {
+      if (hasAccess) {
+        this.handleHasStorageAccess();
+      } else {
+        this.handleGetStorageAccess();
+      }
+    }.bind(this));
+  }
+
+  StorageAccessHelper.prototype.execute = function() {
+    if (ITPHelper.prototype.canPartitionCookies()) {
+      this.setUpCookiePartitioning();
+      return;
+    }
+
+    if (ITPHelper.prototype.userAgentIsAffected()) {
+      this.manageStorageAccess();
+    } else {
+      this.grantedStorageAccess();
+    }
+  }
+
+  /* ITP 2.0 solution: handles cookie partitioning */
+  StorageAccessHelper.prototype.setUpHelper = function() {
+    return new ITPHelper({redirectUrl: window.shopOrigin + "/admin/apps/" + window.apiKey + window.returnTo});
+  }
+
+  StorageAccessHelper.prototype.setCookieAndRedirect = function() {
+    this.setCookie('shopify.cookies_persist=true');
+    var helper = this.setUpHelper();
+    helper.redirect();
+  }
+
+  StorageAccessHelper.prototype.setUpCookiePartitioning = function() {
+    var itpContent = document.getElementById('CookiePartitionPrompt');
+    itpContent.style.display = 'block';
+
+    var button = document.getElementById('AcceptCookies');
+    button.addEventListener('click', this.setCookieAndRedirect.bind(this));
+  }
+
+  this.StorageAccessHelper = StorageAccessHelper;
+})(window);

data/app/assets/javascripts/shopify_app/storage_access_redirect.js

@@ -0,0 +1,17 @@
+(function() {
+  function redirect() {
+    var redirectTargetElement = document.getElementById("redirection-target");
+
+    var targetInfo = JSON.parse(redirectTargetElement.dataset.target)
+
+    if (window.top == window.self) {
+      // If the current window is the 'parent', change the URL by setting location.href
+      window.top.location.href = targetInfo.hasStorageAccessUrl;
+    } else {
+        var storageAccessHelper = new StorageAccessHelper(targetInfo);
+        storageAccessHelper.execute();
+    }
+  }
+
+  document.addEventListener("DOMContentLoaded", redirect);
+})();

data/app/assets/javascripts/shopify_app/top_level.js

@@ -0,0 +1,2 @@
+//= require ./itp_helper.js
+//= require ./top_level_interaction.js

data/app/assets/javascripts/shopify_app/top_level_interaction.js

@@ -0,0 +1,11 @@
+(function() {
+  function setUpTopLevelInteraction() {
+    var TopLevelInteraction = new ITPHelper({
+      redirectUrl: window.redirectUrl,
+    });
+
+    TopLevelInteraction.execute();
+  }
+
+  document.addEventListener("DOMContentLoaded", setUpTopLevelInteraction);
+})();

data/app/controllers/concerns/shopify_app/authenticated.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module Authenticated
+    extend ActiveSupport::Concern
+
+    included do
+      include ShopifyApp::Localization
+      include ShopifyApp::LoginProtection
+      include ShopifyApp::CsrfProtection
+      include ShopifyApp::EmbeddedApp
+      before_action :login_again_if_different_user_or_shop
+      around_action :activate_shopify_session
+    end
+  end
+end

data/app/controllers/concerns/shopify_app/require_known_shop.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module RequireKnownShop
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :check_shop_domain
+      before_action :check_shop_known
+    end
+
+    def current_shopify_domain
+      return if params[:shop].blank?
+      @shopify_domain ||= ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
+    end
+
+    private
+
+    def check_shop_domain
+      redirect_to(ShopifyApp.configuration.login_url) unless current_shopify_domain
+    end
+
+    def check_shop_known
+      @shop = SessionRepository.retrieve_shop_session_by_shopify_domain(current_shopify_domain)
+      redirect_to(shop_login) unless @shop
+    end
+
+    def shop_login
+      url = URI(ShopifyApp.configuration.login_url)
+
+      url.query = URI.encode_www_form(
+        shop: params[:shop],
+        return_to: request.fullpath,
+      )
+
+      url.to_s
+    end
+  end
+end

data/app/controllers/shopify_app/authenticated_controller.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class AuthenticatedController < ActionController::Base
+    include ShopifyApp::Authenticated
+
+    protect_from_forgery with: :exception
+  end
+end

data/app/controllers/shopify_app/callback_controller.rb

@@ -0,0 +1,140 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  # Performs login after OAuth completes
+  class CallbackController < ActionController::Base
+    include ShopifyApp::LoginProtection
+
+    def callback
+      unless auth_hash
+        return respond_with_error
+      end
+
+      if jwt_request? && !valid_jwt_auth?
+        return respond_with_error
+      end
+
+      if jwt_request?
+        set_shopify_session
+        head(:ok)
+      else
+        reset_session_options
+        set_shopify_session
+
+        if redirect_for_user_token?
+          return redirect_to(login_url_with_optional_shop)
+        end
+
+        install_webhooks
+        install_scripttags
+        perform_after_authenticate_job
+
+        redirect_to(return_address)
+      end
+    end
+
+    private
+
+    def respond_with_error
+      if jwt_request?
+        head(:unauthorized)
+      else
+        flash[:error] = I18n.t('could_not_log_in')
+        redirect_to(login_url_with_optional_shop)
+      end
+    end
+
+    def redirect_for_user_token?
+      ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
+    end
+
+    def jwt_request?
+      jwt_shopify_domain || jwt_shopify_user_id
+    end
+
+    def valid_jwt_auth?
+      auth_hash && jwt_shopify_domain == shop_name && jwt_shopify_user_id == associated_user_id
+    end
+
+    def auth_hash
+      request.env['omniauth.auth']
+    end
+
+    def shop_name
+      auth_hash.uid
+    end
+
+    def associated_user
+      return unless auth_hash.dig('extra', 'associated_user').present?
+
+      auth_hash['extra']['associated_user'].merge('scope' => auth_hash['extra']['associated_user_scope'])
+    end
+
+    def associated_user_id
+      associated_user && associated_user['id']
+    end
+
+    def token
+      auth_hash['credentials']['token']
+    end
+
+    def reset_session_options
+      request.session_options[:renew] = true
+      session.delete(:_csrf_token)
+    end
+
+    def set_shopify_session
+      session_store = ShopifyAPI::Session.new(
+        domain: shop_name,
+        token: token,
+        api_version: ShopifyApp.configuration.api_version
+      )
+
+      session[:shopify_user] = associated_user
+      if session[:shopify_user].present?
+        session[:shop_id] = nil if shop_session && shop_session.domain != shop_name
+        session[:user_id] = ShopifyApp::SessionRepository.store_user_session(session_store, associated_user)
+      else
+        session[:shop_id] = ShopifyApp::SessionRepository.store_shop_session(session_store)
+        session[:user_id] = nil if user_session && user_session.domain != shop_name
+      end
+      session[:shopify_domain] = shop_name
+      session[:user_session] = auth_hash&.extra&.session
+    end
+
+    def install_webhooks
+      return unless ShopifyApp.configuration.has_webhooks?
+
+      WebhooksManager.queue(
+        shop_name,
+        shop_session&.token || user_session.token,
+        ShopifyApp.configuration.webhooks
+      )
+    end
+
+    def install_scripttags
+      return unless ShopifyApp.configuration.has_scripttags?
+
+      ScripttagsManager.queue(
+        shop_name,
+        shop_session&.token || user_session.token,
+        ShopifyApp.configuration.scripttags
+      )
+    end
+
+    def perform_after_authenticate_job
+      config = ShopifyApp.configuration.after_authenticate_job
+
+      return unless config && config[:job].present?
+
+      job = config[:job]
+      job = job.constantize if job.is_a?(String)
+
+      if config[:inline] == true
+        job.perform_now(shop_domain: session[:shopify_domain])
+      else
+        job.perform_later(shop_domain: session[:shopify_domain])
+      end
+    end
+  end
+end