shopify_app 14.3.0 → 14.4.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2e6d4b068e8936d9c688b668c97ab15fb09647eee15dc066fcb904b24662cb65
-  data.tar.gz: 289b6e8e1b23b0b633189e5be740c5e32b4e3bfaf8b8c98d8609a8dcf626c12a
+  metadata.gz: a3962aefcffacf58b7e57836a66b40a7689d5fe64d754fe1b236081cfeefcda2
+  data.tar.gz: 3f7200abedcd9598e08e7fcc816009acd236093c5a3ca011fa1d05684b31a1ed
 SHA512:
-  metadata.gz: df4a5e39e099532a7e262e24c51a31ab0ad25023ddab9c0b01a54bf33ffa05b711d71904362c34594fdb54ba68b3ead41ce5c77505e8e22c023daeaf66b2b61d
-  data.tar.gz: 91e53b6d7111d2833b6ccd88316c7dac3b2f91cbe9bad5f68ee1c7a6b37dee9a4f0bc64b40391ac00ac7db9f7d7b8c3b9a66e9af0db0a8aca1057b85465f3d17
+  metadata.gz: a3c2eaf95a630a628de9252be8f1802b35ce57be387a5e5ae3e8047484432b5ed7b1af98b739911c1f6afa74b09c44b5f8589481ad699c6595ef95d5332952de
+  data.tar.gz: 312ef3c7dd4013c17696289e9b8890e359d24753501468155cdb3ae63a7ff5a577d4b5f1a3f0606d438e78be655b0df791ccd45406d88485f5386db1a563d9af

data/.github/ISSUE_TEMPLATE.md

@@ -12,3 +12,8 @@ Authentication Issues
 A great deal of the issues surrounding this repo are around authenticating (installing) the generated app with Shopify.
 
 If you are experiencing issues with your app authenticating/installing the best way to get help fast is to create a repo with the minimal amount of code to demonstrate the issue and a clearly documented set of steps you took to arrive there. This will help us solve your problem quicker since we won't need to spend any time figuring out how to reproduce the bug. Please also include your operating system and browser.
+
+Security
+--------
+
+Please be certain to redact any private information from your logs or code snippets such as Api Keys, Api Secrets, and any authentication tokens such as shop_tokens.

data/.rubocop.yml

@@ -10,6 +10,7 @@ AllCops:
 Style/MethodCallWithArgsParentheses:
   Exclude:
     - '**/Gemfile'
+    - 'test/**/*'
 
 Style/ClassAndModuleChildren:
   Exclude:

data/CHANGELOG.md

@@ -1,3 +1,23 @@
+14.4.4
+------
+* Patch to not log params in ShopifyApp jobs [#1086](https://github.com/Shopify/shopify_app/pull/1086)
+
+14.4.3
+------
+* Fix to ensure post authenticate jobs are run after callback requests [#1079](https://github.com/Shopify/shopify_app/pull/1079)
+
+14.4.2
+------
+* Add debug logs in sessions controller
+
+14.4.1
+------
+* Add debug logs for investigating authentication issues
+
+14.4.0
+------
+* Replace script tags for ITP screens with data attributes
+
 14.3.0
 ------
 * Create user session if one does not exist but was expected

data/README.md

@@ -26,7 +26,7 @@ Table of Contents
 - [Troubleshooting](#troubleshooting)
 - [Testing an embedded app outside the Shopify admin](#testing-an-embedded-app-outside-the-shopify-admin)
 - [Migration to 13.0.0](#migrating-to-1300)
-- [Questions or problems?](#questions-or-problems-)
+- [Questions or problems?](#questions-or-problems)
 - [Rails 6 Compatibility](#rails-6-compatibility)
 - [Upgrading from 8.6 to 9.0.0](#upgrading-from-86-to-900)
 
@@ -105,7 +105,7 @@ Options include:
 * `application_name` - the name of your app, it can be supplied with or without double-quotes if a whitespace is present. (e.g. `--application_name Example App` or `--application_name "Example App"`)
 * `scope` - the OAuth access scope required for your app, e.g. **read_products, write_orders**. *Multiple options* need to be delimited by a comma-space and can be supplied with or without double-quotes
 (e.g. `--scope read_products, write_orders, write_products` or `--scope "read_products, write_orders, write_products"`)
-For more information, refer the [docs](http://docs.shopify.com/api/tutorials/oauth).
+For more information, refer to the [docs](http://docs.shopify.com/api/tutorials/oauth).
 * `embedded` - the default is to generate an [embedded app](http://docs.shopify.com/embedded-app-sdk), if you want a legacy non-embedded app then set this to false, `--embedded false`
 
 You can update any of these settings later on easily; the arguments are simply for convenience.
@@ -427,7 +427,7 @@ bin/rails g shopify_app:rotate_shopify_token_job
 
 The generated rake task will be found at `lib/tasks/shopify/rotate_shopify_token.rake` and is provided strictly for example purposes. It might not work with your application out of the box without some configuration.
 
-⚠️ Note: if you are updating `shopify_app` from a version prior to 8.4.2 (and do not wish to run the default/install generator again), you will need to add [the following line](https://github.com/Shopify/shopify_app/blob/4f7e6cca2a472d8f7af44b938bd0fcafe4d8e88a/lib/generators/shopify_app/install/templates/shopify_provider.rb#L18) to `config/intializers/omniauth.rb`:
+⚠️ Note: if you are updating `shopify_app` from a version prior to 8.4.2 (and do not wish to run the default/install generator again), you will need to add [the following line](https://github.com/Shopify/shopify_app/blob/4f7e6cca2a472d8f7af44b938bd0fcafe4d8e88a/lib/generators/shopify_app/install/templates/shopify_provider.rb#L18) to `config/initializers/omniauth.rb`:
 
 ```ruby
 strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret

data/app/assets/javascripts/shopify_app/storage_access.js

@@ -132,7 +132,8 @@
 
   /* ITP 2.0 solution: handles cookie partitioning */
   StorageAccessHelper.prototype.setUpHelper = function() {
-    return new ITPHelper({redirectUrl: window.shopOrigin + "/admin/apps/" + window.apiKey + window.returnTo});
+    var shopifyData = document.body.dataset;
+    return new ITPHelper({redirectUrl: shopifyData.shopOrigin + "/admin/apps/" + shopifyData.apiKey + shopifyData.returnTo});
   }
 
   StorageAccessHelper.prototype.setCookieAndRedirect = function() {

data/app/assets/javascripts/shopify_app/top_level_interaction.js

@@ -1,7 +1,7 @@
 (function() {
   function setUpTopLevelInteraction() {
     var TopLevelInteraction = new ITPHelper({
-      redirectUrl: window.redirectUrl,
+      redirectUrl: document.body.dataset.redirectUrl,
     });
 
     TopLevelInteraction.execute();

data/app/controllers/shopify_app/callback_controller.rb

@@ -6,46 +6,77 @@ module ShopifyApp
     include ShopifyApp::LoginProtection
 
     def callback
-      unless auth_hash
-        return respond_with_error
-      end
+      return respond_with_error if invalid_request?
+
+      store_access_token_and_build_session
 
-      if jwt_request? && !valid_jwt_auth?
-        return respond_with_error
+      if start_user_token_flow?
+        return respond_with_user_token_flow
       end
 
+      perform_post_authenticate_jobs
+
+      respond_successfully
+    end
+
+    private
+
+    def respond_successfully
       if jwt_request?
-        set_shopify_session
         head(:ok)
       else
+        redirect_to(return_address)
+      end
+    end
+
+    def respond_with_user_token_flow
+      Rails.logger.debug("[ShopifyApp::CallbackController] Redirecting for user token...")
+      redirect_to(login_url_with_optional_shop)
+    end
+
+    def store_access_token_and_build_session
+      if native_browser_request?
+        Rails.logger.debug("[ShopifyApp::CallbackController] Not a JWT request. Resetting session options...")
         reset_session_options
-        set_shopify_session
+      else
+        Rails.logger.debug("[ShopifyApp::CallbackController] JWT request detected. Setting shopify session...")
+      end
+      set_shopify_session
+    end
 
-        if redirect_for_user_token?
-          return redirect_to(login_url_with_optional_shop)
-        end
+    def invalid_request?
+      return true unless auth_hash
 
-        install_webhooks
-        install_scripttags
-        perform_after_authenticate_job
+      jwt_request? && !valid_jwt_auth?
+    end
 
-        redirect_to(return_address)
-      end
+    def native_browser_request?
+      !jwt_request?
     end
 
-    private
+    def perform_post_authenticate_jobs
+      install_webhooks
+      install_scripttags
+      perform_after_authenticate_job
+    end
 
     def respond_with_error
       if jwt_request?
+        Rails.logger.debug("[ShopifyApp::CallbackController] Invalid JWT auth detected.")
         head(:unauthorized)
       else
+        Rails.logger.debug("[ShopifyApp::CallbackController] Invalid non JWT auth detected.")
         flash[:error] = I18n.t('could_not_log_in')
         redirect_to(login_url_with_optional_shop)
       end
     end
 
-    def redirect_for_user_token?
-      ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
+    def start_user_token_flow?
+      if jwt_request?
+        false
+      else
+        ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
+      end
     end
 
     def jwt_request?

data/app/controllers/shopify_app/sessions_controller.rb

@@ -10,14 +10,19 @@ module ShopifyApp
     end
 
     def new
-      authenticate if sanitized_shop_name.present?
+      if sanitized_shop_name.present?
+        Rails.logger.debug("[ShopifyApp::SessionsController] Sanitized shop name present. Authenticating...")
+        authenticate
+      end
     end
 
     def create
+      Rails.logger.debug("[ShopifyApp::SessionsController] Authenticating...")
       authenticate
     end
 
     def enable_cookies
+      Rails.logger.debug("[ShopifyApp::SessionsController] Enabling cookies...")
       return unless validate_shop_presence
 
       render(:enable_cookies, layout: false, locals: {
@@ -40,6 +45,7 @@ module ShopifyApp
     end
 
     def granted_storage_access
+      Rails.logger.debug("[ShopifyApp::SessionsController] Granted storage access.")
       return unless validate_shop_presence
 
       session['shopify.granted_storage_access'] = true
@@ -50,6 +56,7 @@ module ShopifyApp
     end
 
     def destroy
+      Rails.logger.debug("[ShopifyApp::SessionsController] Resetting session.")
       reset_session
       flash[:notice] = I18n.t('.logged_out')
       redirect_to(login_url_with_optional_shop)
@@ -66,18 +73,23 @@ module ShopifyApp
       set_user_tokens_option
 
       if user_agent_can_partition_cookies
+        Rails.logger.debug("[ShopifyApp::SessionsController] Authenticating with partitioning...")
         authenticate_with_partitioning
       else
+        Rails.logger.debug("[ShopifyApp::SessionsController] Authenticating normally...")
         authenticate_normally
       end
     end
 
     def authenticate_normally
       if request_storage_access?
+        Rails.logger.debug("[ShopifyApp::SessionsController] Redirecting to request storage access...")
         redirect_to_request_storage_access
       elsif authenticate_in_context?
+        Rails.logger.debug("[ShopifyApp::SessionsController] Authenticating in context...")
         authenticate_in_context
       else
+        Rails.logger.debug("[ShopifyApp::SessionsController] Authenticating at top level...")
         authenticate_at_top_level
       end
     end
@@ -95,6 +107,7 @@ module ShopifyApp
     # rubocop:disable Lint/SuppressedException
     def set_user_tokens_option
       if shop_session.blank?
+        Rails.logger.debug("[ShopifyApp::SessionsController] Shop session is blank.")
         session[:user_tokens] = false
         return
       end
@@ -117,6 +130,7 @@ module ShopifyApp
     def validate_shop_presence
       @shop = sanitized_shop_name
       unless @shop
+        Rails.logger.debug("[ShopifyApp::SessionsController] Invalid shop detected.")
         render_invalid_shop_error
         return false
       end

data/app/views/shopify_app/sessions/enable_cookies.html.erb

@@ -14,15 +14,10 @@
       display: none;
     }
   </style>
-  <script>
-    window.apiKey = "<%= ShopifyApp.configuration.api_key %>";
-    window.shopOrigin = "https://<%= @shop %>";
-    window.returnTo = "<%= params[:return_to] %>"
-  </script>
 
   <%= javascript_include_tag('shopify_app/enable_cookies', crossorigin: 'anonymous', integrity: true) %>
 </head>
-<body>
+<body data-api-key="<%= ShopifyApp.configuration.api_key %>" data-shop-origin="https://<%= @shop %>" data-redirect-url="<%= @url %>">
   <%=
     content_tag(
       :div, nil,

data/app/views/shopify_app/sessions/top_level_interaction.html.erb

@@ -15,15 +15,9 @@
     }
   </style>
 
-  <script>
-    window.apiKey = "<%= ShopifyApp.configuration.api_key %>";
-    window.shopOrigin = "https://<%= @shop %>";
-    window.redirectUrl = "<%= @url %>";
-  </script>
-
   <%= javascript_include_tag('shopify_app/top_level', crossorigin: 'anonymous', integrity: true) %>
 </head>
-<body>
+<body data-api-key="<%= ShopifyApp.configuration.api_key %>" data-shop-origin="https://<%= @shop %>" data-redirect-url="<%= @url %>">
   <main id="TopLevelInteractionContent">
     <div class="Polaris-Page">
       <div class="Polaris-Page__Content">

data/docs/Releasing.md

@@ -8,7 +8,7 @@ Releasing ShopifyApp
     - Change the title of the PR to something like: "Packaging for release X.Y.Z"
 1. Merge your pull request
 1. Checkout and pull from master so you have the latest version of the shopify_app
-1. Tag the HEAD with the version 
+1. Tag the HEAD with the version
 ```bash
 $ git tag -f vX.Y.Z && git push --tags --force
 ```

data/karma.conf.js

@@ -8,7 +8,7 @@ module.exports = function(config) {
   config.set({
     mode: 'development',
     basePath: '',
-    frameworks: ['mocha-debug', 'mocha', 'chai-sinon'],
+    frameworks: ['mocha', 'chai-sinon'],
     files: [
       'app/assets/javascripts/**/*.js',
       'test/javascripts/**/*test.js',

data/lib/generators/shopify_app/controllers/controllers_generator.rb

@@ -8,7 +8,7 @@ module ShopifyApp
 
       def create_controllers
         controllers.each do |controller|
-          copy_file controller
+          copy_file(controller)
         end
       end
 

data/lib/generators/shopify_app/views/views_generator.rb

@@ -8,7 +8,7 @@ module ShopifyApp
 
       def create_views
         views.each do |view|
-          copy_file view
+          copy_file(view)
         end
       end
 

data/lib/shopify_app/controller_concerns/itp.rb

@@ -13,10 +13,12 @@ module ShopifyApp
     end
 
     def set_top_level_oauth_cookie
+      Rails.logger.debug("[ShopifyApp::Itp] Setting top level oauth cookie...")
       session['shopify.top_level_oauth'] = true
     end
 
     def clear_top_level_oauth_cookie
+      Rails.logger.debug("[ShopifyApp::Itp] Clearing top level oauth cookie...")
       session.delete('shopify.top_level_oauth')
     end
 

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -18,17 +18,24 @@ module ShopifyApp
 
     def activate_shopify_session
       if user_session_expected? && user_session.blank?
+        Rails.logger.debug("[ShopifyApp::LoginProtection] User session required. Redirecting to login...")
         signal_access_token_required
         return redirect_to_login
       end
 
-      return redirect_to_login if current_shopify_session.blank?
+      if current_shopify_session.blank?
+        Rails.logger.debug("[ShopifyApp::LoginProtection] Current shopify session is blank. Redirecting to login...")
+        return redirect_to_login
+      end
+
       clear_top_level_oauth_cookie
 
       begin
+        Rails.logger.debug("[ShopifyApp::LoginProtection] Activating session...")
         ShopifyAPI::Base.activate_session(current_shopify_session)
         yield
       ensure
+        Rails.logger.debug("[ShopifyApp::LoginProtection] Clearing session...")
         ShopifyAPI::Base.clear_session
       end
     end
@@ -71,8 +78,12 @@ module ShopifyApp
 
     def login_again_if_different_user_or_shop
       if session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
+        Rails.logger.debug("[ShopifyApp::LoginProtection] Session data was sent/stored correctly.")
         clear_session = session[:user_session] != params[:session] # current user is different from stored user
-
+        if clear_session
+          Rails.logger.debug("[ShopifyApp::LoginProtection] Current user is different from stored user.")
+        end
+        clear_session
       end
 
       if current_shopify_session &&
@@ -82,6 +93,7 @@ module ShopifyApp
       end
 
       if clear_session
+        Rails.logger.debug("[ShopifyApp::LoginProtection] Clearing shopify session and redirecting to login...")
         clear_shopify_session
         redirect_to_login
       end

data/lib/shopify_app/engine.rb

@@ -1,5 +1,15 @@
 # frozen_string_literal: true
 module ShopifyApp
+  module RedactJobParams
+    private
+
+    def args_info(job)
+      log_disabled_classes = %w(ShopifyApp::ScripttagsManagerJob ShopifyApp::WebhooksManagerJob)
+      return "" if log_disabled_classes.include?(job.class.name)
+      super
+    end
+  end
+
   class Engine < Rails::Engine
     engine_name 'shopify_app'
     isolate_namespace ShopifyApp
@@ -21,5 +31,16 @@ module ShopifyApp
         app.config.middleware.insert_after(ShopifyApp::SameSiteCookieMiddleware, ShopifyApp::JWTMiddleware)
       end
     end
+
+    initializer "shopify_app.redact_job_params" do
+      ActiveSupport.on_load(:active_job) do
+        if ActiveJob::Base.respond_to?(:log_arguments?)
+          WebhooksManagerJob.log_arguments = false
+          ScripttagsManagerJob.log_arguments = false
+        elsif ActiveJob::Logging::LogSubscriber.private_method_defined?(:args_info)
+          ActiveJob::Logging::LogSubscriber.prepend(RedactJobParams)
+        end
+      end
+    end
   end
 end

data/lib/shopify_app/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module ShopifyApp
-  VERSION = '14.3.0'
+  VERSION = '14.4.4'
 end