shopify_app 14.4.1 → 15.0.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: c53834e226dee411a573d23cc538fef0d371cd087e0983afecdcbb43c1fa588b
4
- data.tar.gz: 4878d4a4e7d87ac44262936c1dc9167d7301386370822e039535cf9aa1d5b7a8
3
+ metadata.gz: 766b20c9b903b80875806ea437bd132f004a27f5b339faae48ee14656da7a110
4
+ data.tar.gz: d8cbdf61e359a4990f21127b4e811332253f808f011080659410ecab73144d4b
5
5
  SHA512:
6
- metadata.gz: 6d2e00ff84e56bbfb9b1f208bdcce0150dbb17bcb5ed32986c3edfe5436ae782a84c3953031537ac666056a1e1415fb7e613f6414be1c56dbe5ba1c288757292
7
- data.tar.gz: 6145b1164d52407d4906a19633cc75773c18879c821fcba90b475e311abbfd838437274b85d00646fde3f3d1170a5229ee7a972fcf774cb5d3b345ef16fcab44
6
+ metadata.gz: 2821dedc568c6f542f79dc4bc17eb26e38b5ffd6f341cdaf22fbde7a96750145ebd6685fb2213bb7ff402795b0abf92554d3e85d961dc7e21995c3c3ba86901a
7
+ data.tar.gz: 73002f4ae08f88cbc9bfc95fe846416255e4a4e587fa954731d7e05d476bc10a3b7110ed4262e60e44277fef42ab17c6eafc4a0883eb5ee1f9149109ed657ee4
@@ -12,3 +12,8 @@ Authentication Issues
12
12
  A great deal of the issues surrounding this repo are around authenticating (installing) the generated app with Shopify.
13
13
 
14
14
  If you are experiencing issues with your app authenticating/installing the best way to get help fast is to create a repo with the minimal amount of code to demonstrate the issue and a clearly documented set of steps you took to arrive there. This will help us solve your problem quicker since we won't need to spend any time figuring out how to reproduce the bug. Please also include your operating system and browser.
15
+
16
+ Security
17
+ --------
18
+
19
+ Please be certain to redact any private information from your logs or code snippets such as Api Keys, Api Secrets, and any authentication tokens such as shop_tokens.
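Review bot: style, "Api Keys, Api Secrets" in the new Security paragraph should read "API keys, API secrets", and `shop_tokens` is a code identifier, so backticks would match the rest of the file. Since this file asks for logs from authentication failures, naming the JWT session token alongside API secrets and shop tokens would make the redaction list complete.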
@@ -10,6 +10,7 @@ AllCops:
10
10
  Style/MethodCallWithArgsParentheses:
11
11
  Exclude:
12
12
  - '**/Gemfile'
13
+ - 'test/**/*'
13
14
 
14
15
  Style/ClassAndModuleChildren:
15
16
  Exclude:
@@ -1,3 +1,23 @@
1
+ 15.0.1
2
+ ------
3
+ * Allow JWT session token `sub` field to be parsed as a string [#1103](https://github.com/Shopify/shopify_app/pull/1103)
4
+
5
+ 15.0.0
6
+ ------
7
+ * Change `X-Shopify-API-Request-Failure-Unauthorized` HTTP header value from boolean to string
8
+
9
+ 14.4.4
10
+ ------
11
+ * Patch to not log params in ShopifyApp jobs [#1086](https://github.com/Shopify/shopify_app/pull/1086)
12
+
13
+ 14.4.3
14
+ ------
15
+ * Fix to ensure post authenticate jobs are run after callback requests [#1079](https://github.com/Shopify/shopify_app/pull/1079)
16
+
17
+ 14.4.2
18
+ ------
19
+ * Add debug logs in sessions controller
20
+
1
21
  14.4.1
2
22
  ------
3
23
  * Add debug logs for investigating authentication issues
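Review bot: the 15.0.0 entry, "Change `X-Shopify-API-Request-Failure-Unauthorized` HTTP header value from boolean to string", is the breaking change behind the major bump, but it carries no PR link and no hint of what consumers must update; suggest adding the link, as the 15.0.1, 14.4.4 and 14.4.3 entries do, plus a one-line note that clients comparing the header against a boolean must now compare against the string `"true"`. The 14.4.2 entry lacks a link as well. The generated `config/initializers/shopify_app.rb` template in this release now raises when `SHOPIFY_API_KEY` or `SHOPIFY_API_SECRET` is unset, which is also user-visible and is not listed.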
data/README.md CHANGED
@@ -26,7 +26,7 @@ Table of Contents
26
26
  - [Troubleshooting](#troubleshooting)
27
27
  - [Testing an embedded app outside the Shopify admin](#testing-an-embedded-app-outside-the-shopify-admin)
28
28
  - [Migration to 13.0.0](#migrating-to-1300)
29
- - [Questions or problems?](#questions-or-problems-)
29
+ - [Questions or problems?](#questions-or-problems)
30
30
  - [Rails 6 Compatibility](#rails-6-compatibility)
31
31
  - [Upgrading from 8.6 to 9.0.0](#upgrading-from-86-to-900)
32
32
 
@@ -105,7 +105,7 @@ Options include:
105
105
  * `application_name` - the name of your app, it can be supplied with or without double-quotes if a whitespace is present. (e.g. `--application_name Example App` or `--application_name "Example App"`)
106
106
  * `scope` - the OAuth access scope required for your app, e.g. **read_products, write_orders**. *Multiple options* need to be delimited by a comma-space and can be supplied with or without double-quotes
107
107
  (e.g. `--scope read_products, write_orders, write_products` or `--scope "read_products, write_orders, write_products"`)
108
- For more information, refer the [docs](http://docs.shopify.com/api/tutorials/oauth).
108
+ For more information, refer to the [docs](http://docs.shopify.com/api/tutorials/oauth).
109
109
  * `embedded` - the default is to generate an [embedded app](http://docs.shopify.com/embedded-app-sdk), if you want a legacy non-embedded app then set this to false, `--embedded false`
110
110
 
111
111
  You can update any of these settings later on easily; the arguments are simply for convenience.
@@ -427,7 +427,7 @@ bin/rails g shopify_app:rotate_shopify_token_job
427
427
 
428
428
  The generated rake task will be found at `lib/tasks/shopify/rotate_shopify_token.rake` and is provided strictly for example purposes. It might not work with your application out of the box without some configuration.
429
429
 
430
- ⚠️ Note: if you are updating `shopify_app` from a version prior to 8.4.2 (and do not wish to run the default/install generator again), you will need to add [the following line](https://github.com/Shopify/shopify_app/blob/4f7e6cca2a472d8f7af44b938bd0fcafe4d8e88a/lib/generators/shopify_app/install/templates/shopify_provider.rb#L18) to `config/intializers/omniauth.rb`:
430
+ ⚠️ Note: if you are updating `shopify_app` from a version prior to 8.4.2 (and do not wish to run the default/install generator again), you will need to add [the following line](https://github.com/Shopify/shopify_app/blob/4f7e6cca2a472d8f7af44b938bd0fcafe4d8e88a/lib/generators/shopify_app/install/templates/shopify_provider.rb#L18) to `config/initializers/omniauth.rb`:
431
431
 
432
432
  ```ruby
433
433
  strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret
@@ -6,50 +6,77 @@ module ShopifyApp
6
6
  include ShopifyApp::LoginProtection
7
7
 
8
8
  def callback
9
- unless auth_hash
10
- return respond_with_error
11
- end
9
+ return respond_with_error if invalid_request?
12
10
 
13
- if jwt_request? && !valid_jwt_auth?
14
- Rails.logger.debug("[ShopifyApp::CallbackController] Invalid JWT auth detected.")
15
- return respond_with_error
11
+ store_access_token_and_build_session
12
+
13
+ if start_user_token_flow?
14
+ return respond_with_user_token_flow
16
15
  end
17
16
 
17
+ perform_post_authenticate_jobs
18
+
19
+ respond_successfully
20
+ end
21
+
22
+ private
23
+
24
+ def respond_successfully
18
25
  if jwt_request?
19
- Rails.logger.debug("[ShopifyApp::CallbackController] JWT request detected. Setting shopify session...")
20
- set_shopify_session
21
26
  head(:ok)
22
27
  else
28
+ redirect_to(return_address)
29
+ end
30
+ end
31
+
32
+ def respond_with_user_token_flow
33
+ Rails.logger.debug("[ShopifyApp::CallbackController] Redirecting for user token...")
34
+ redirect_to(login_url_with_optional_shop)
35
+ end
36
+
37
+ def store_access_token_and_build_session
38
+ if native_browser_request?
23
39
  Rails.logger.debug("[ShopifyApp::CallbackController] Not a JWT request. Resetting session options...")
24
40
  reset_session_options
25
- set_shopify_session
41
+ else
42
+ Rails.logger.debug("[ShopifyApp::CallbackController] JWT request detected. Setting shopify session...")
43
+ end
44
+ set_shopify_session
45
+ end
26
46
 
27
- if redirect_for_user_token?
28
- Rails.logger.debug("[ShopifyApp::CallbackController] Redirecting for user token...")
29
- return redirect_to(login_url_with_optional_shop)
30
- end
47
+ def invalid_request?
48
+ return true unless auth_hash
31
49
 
32
- install_webhooks
33
- install_scripttags
34
- perform_after_authenticate_job
50
+ jwt_request? && !valid_jwt_auth?
51
+ end
35
52
 
36
- redirect_to(return_address)
37
- end
53
+ def native_browser_request?
54
+ !jwt_request?
38
55
  end
39
56
 
40
- private
57
+ def perform_post_authenticate_jobs
58
+ install_webhooks
59
+ install_scripttags
60
+ perform_after_authenticate_job
61
+ end
41
62
 
42
63
  def respond_with_error
43
64
  if jwt_request?
65
+ Rails.logger.debug("[ShopifyApp::CallbackController] Invalid JWT auth detected.")
44
66
  head(:unauthorized)
45
67
  else
68
+ Rails.logger.debug("[ShopifyApp::CallbackController] Invalid non JWT auth detected.")
46
69
  flash[:error] = I18n.t('could_not_log_in')
47
70
  redirect_to(login_url_with_optional_shop)
48
71
  end
49
72
  end
50
73
 
51
- def redirect_for_user_token?
52
- ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
74
+ def start_user_token_flow?
75
+ if jwt_request?
76
+ false
77
+ else
78
+ ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
79
+ end
53
80
  end
54
81
 
55
82
  def jwt_request?
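Review bot: `respond_with_error` now logs "Invalid JWT auth detected." for every failure on a JWT request, but `invalid_request?` also returns true when `auth_hash` is missing, so that message is misleading in the missing-`auth_hash` case; suggest having `invalid_request?` log the actual reason (missing `auth_hash` vs. failed `valid_jwt_auth?`) at the point it is known. Note also that the restructured `callback` runs `perform_post_authenticate_jobs` before `respond_successfully` for JWT requests too, whereas the removed code returned `head(:ok)` without `install_webhooks`/`install_scripttags`/`perform_after_authenticate_job`; this matches the 14.4.3 changelog entry, but a short comment on `callback` saying that the jobs are intentionally run for both request kinds would stop the next refactor from reintroducing the early exit.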
@@ -10,14 +10,19 @@ module ShopifyApp
10
10
  end
11
11
 
12
12
  def new
13
- authenticate if sanitized_shop_name.present?
13
+ if sanitized_shop_name.present?
14
+ Rails.logger.debug("[ShopifyApp::SessionsController] Sanitized shop name present. Authenticating...")
15
+ authenticate
16
+ end
14
17
  end
15
18
 
16
19
  def create
20
+ Rails.logger.debug("[ShopifyApp::SessionsController] Authenticating...")
17
21
  authenticate
18
22
  end
19
23
 
20
24
  def enable_cookies
25
+ Rails.logger.debug("[ShopifyApp::SessionsController] Enabling cookies...")
21
26
  return unless validate_shop_presence
22
27
 
23
28
  render(:enable_cookies, layout: false, locals: {
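Review bot: the added `Rails.logger.debug` calls are static strings that do not echo `sanitized_shop_name` or request params, which is the right choice given the job-argument redaction elsewhere in this release; as a style point, the block form `Rails.logger.debug { "..." }` skips building the message when the debug level is off, and a one-line comment stating that these messages must stay free of shop identifiers and tokens would keep later edits to this controller aligned with that intent.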
@@ -40,6 +45,7 @@ module ShopifyApp
40
45
  end
41
46
 
42
47
  def granted_storage_access
48
+ Rails.logger.debug("[ShopifyApp::SessionsController] Granted storage access.")
43
49
  return unless validate_shop_presence
44
50
 
45
51
  session['shopify.granted_storage_access'] = true
@@ -50,6 +56,7 @@ module ShopifyApp
50
56
  end
51
57
 
52
58
  def destroy
59
+ Rails.logger.debug("[ShopifyApp::SessionsController] Resetting session.")
53
60
  reset_session
54
61
  flash[:notice] = I18n.t('.logged_out')
55
62
  redirect_to(login_url_with_optional_shop)
@@ -66,18 +73,23 @@ module ShopifyApp
66
73
  set_user_tokens_option
67
74
 
68
75
  if user_agent_can_partition_cookies
76
+ Rails.logger.debug("[ShopifyApp::SessionsController] Authenticating with partitioning...")
69
77
  authenticate_with_partitioning
70
78
  else
79
+ Rails.logger.debug("[ShopifyApp::SessionsController] Authenticating normally...")
71
80
  authenticate_normally
72
81
  end
73
82
  end
74
83
 
75
84
  def authenticate_normally
76
85
  if request_storage_access?
86
+ Rails.logger.debug("[ShopifyApp::SessionsController] Redirecting to request storage access...")
77
87
  redirect_to_request_storage_access
78
88
  elsif authenticate_in_context?
89
+ Rails.logger.debug("[ShopifyApp::SessionsController] Authenticating in context...")
79
90
  authenticate_in_context
80
91
  else
92
+ Rails.logger.debug("[ShopifyApp::SessionsController] Authenticating at top level...")
81
93
  authenticate_at_top_level
82
94
  end
83
95
  end
@@ -95,6 +107,7 @@ module ShopifyApp
95
107
  # rubocop:disable Lint/SuppressedException
96
108
  def set_user_tokens_option
97
109
  if shop_session.blank?
110
+ Rails.logger.debug("[ShopifyApp::SessionsController] Shop session is blank.")
98
111
  session[:user_tokens] = false
99
112
  return
100
113
  end
@@ -117,6 +130,7 @@ module ShopifyApp
117
130
  def validate_shop_presence
118
131
  @shop = sanitized_shop_name
119
132
  unless @shop
133
+ Rails.logger.debug("[ShopifyApp::SessionsController] Invalid shop detected.")
120
134
  render_invalid_shop_error
121
135
  return false
122
136
  end
@@ -1,6 +1,7 @@
1
- Releasing ShopifyApp
1
+ # Releasing ShopifyApp
2
2
 
3
- 1. Check the Semantic Versioning page for info on how to version the new release: http://semver.org
3
+ 1. Make the code changes in a separate PR that doesn't modify the version.
4
+ 1. After that is merged, check the Semantic Versioning page for info on how to version the new release: http://semver.org
4
5
  1. Create a pull request with the following changes:
5
6
  - Update the version of ShopifyApp in lib/shopify_app/version.rb
6
7
  - Update the version of shopify_app in package.json
@@ -8,11 +9,11 @@ Releasing ShopifyApp
8
9
  - Change the title of the PR to something like: "Packaging for release X.Y.Z"
9
10
  1. Merge your pull request
10
11
  1. Checkout and pull from master so you have the latest version of the shopify_app
11
- 1. Tag the HEAD with the version
12
+ 1. Tag the HEAD with the version
12
13
  ```bash
13
14
  $ git tag -f vX.Y.Z && git push --tags --force
14
15
  ```
15
16
  1. Use Shipit to build and push the gem
16
17
 
17
- If you see an error like 'You need to create the vX.Y.X tag first', clear GIT
18
+ If you see an error like 'You need to create the vX.Y.X tag first', clear git
18
19
  cache in Shipit settings
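Review bot: the tagging step kept as context, `$ git tag -f vX.Y.Z && git push --tags --force`, silently overwrites an existing tag both locally and on the remote, so a mistyped version can move a tag that consumers have already resolved and built against; now that the new step 1 separates code changes from the version bump, suggest dropping `-f`/`--force` here (or adding a check that the tag does not already exist) so the release process fails loudly instead of rewriting a published tag.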
@@ -8,7 +8,7 @@ module ShopifyApp
8
8
 
9
9
  def create_controllers
10
10
  controllers.each do |controller|
11
- copy_file controller
11
+ copy_file(controller)
12
12
  end
13
13
  end
14
14
 
@@ -64,7 +64,7 @@ module ShopifyApp
64
64
  def insert_hosts_into_development_config
65
65
  inject_into_file(
66
66
  'config/environments/development.rb',
67
- " config.hosts = (config.hosts rescue []) << /\\h+.ngrok.io/\n",
67
+ " config.hosts = (config.hosts rescue []) << /\\w+\\.ngrok\\.io/\n",
68
68
  after: "Rails.application.configure do\n"
69
69
  )
70
70
  end
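Review bot: the corrected pattern written into `development.rb`, `/\w+\.ngrok\.io/`, is still unanchored, and Rails host authorization matches `Regexp` entries in `config.hosts` with `===`, i.e. a substring match, so any host that merely contains `x.ngrok.io` (for example `abc.ngrok.io.example.com`) is also accepted; suggest anchoring it, e.g. `" config.hosts = (config.hosts rescue []) << /\\A\\w+\\.ngrok\\.io\\z/\n"`. Note too that `\w` does not match `-`, so a hyphenated ngrok subdomain would be rejected where `[\w-]+` would accept it.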
@@ -1,7 +1,7 @@
1
1
  ShopifyApp.configure do |config|
2
2
  config.application_name = "<%= @application_name %>"
3
- config.api_key = ENV['SHOPIFY_API_KEY']
4
- config.secret = ENV['SHOPIFY_API_SECRET']
3
+ config.api_key = ENV.fetch('SHOPIFY_API_KEY', '').presence || raise('Missing SHOPIFY_API_KEY')
4
+ config.secret = ENV.fetch('SHOPIFY_API_SECRET', '').presence || raise('Missing SHOPIFY_API_SECRET')
5
5
  config.old_secret = "<%= @old_secret %>"
6
6
  config.scope = "<%= @scope %>" # Consult this page for more scope options:
7
7
  # https://help.shopify.com/en/api/getting-started/authentication/oauth/scopes
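Review bot: `ENV.fetch('SHOPIFY_API_KEY', '').presence || raise('Missing SHOPIFY_API_KEY')` fails fast on a missing secret, which is the right behaviour, but `ENV.fetch(..., '').presence` is equivalent to `ENV['SHOPIFY_API_KEY'].presence`, so the shorter form reads better. More importantly, raising from the initializer means any boot of a generated app without these variables (build steps such as asset precompilation, or test runs that set them later) now aborts; that is a behaviour change for generated apps and belongs in the CHANGELOG and README. The `raise` messages correctly name the variable without echoing any value; keep it that way.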
@@ -8,7 +8,7 @@ module ShopifyApp
8
8
 
9
9
  def create_views
10
10
  views.each do |view|
11
- copy_file view
11
+ copy_file(view)
12
12
  end
13
13
  end
14
14
 
@@ -100,7 +100,7 @@ module ShopifyApp
100
100
  end
101
101
 
102
102
  def signal_access_token_required
103
- response.set_header(ACCESS_TOKEN_REQUIRED_HEADER, true)
103
+ response.set_header(ACCESS_TOKEN_REQUIRED_HEADER, "true")
104
104
  end
105
105
 
106
106
  protected
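Review bot: `response.set_header(ACCESS_TOKEN_REQUIRED_HEADER, "true")` is the right fix, since Rack header values must be strings and a boolean `true` was not a valid value; because this is the breaking change behind the 15.0.0 bump, a comment on `ACCESS_TOKEN_REQUIRED_HEADER` (or a README line) stating that front-end code must compare the header against the string `"true"` rather than a boolean would save consumers from a silent mismatch after upgrading.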
@@ -1,5 +1,15 @@
1
1
  # frozen_string_literal: true
2
2
  module ShopifyApp
3
+ module RedactJobParams
4
+ private
5
+
6
+ def args_info(job)
7
+ log_disabled_classes = %w(ShopifyApp::ScripttagsManagerJob ShopifyApp::WebhooksManagerJob)
8
+ return "" if log_disabled_classes.include?(job.class.name)
9
+ super
10
+ end
11
+ end
12
+
3
13
  class Engine < Rails::Engine
4
14
  engine_name 'shopify_app'
5
15
  isolate_namespace ShopifyApp
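Review bot: `RedactJobParams#args_info` matches `job.class.name` against a literal list, so a subclass of `ShopifyApp::WebhooksManagerJob` or `ShopifyApp::ScripttagsManagerJob` (or a renamed job) would still have its arguments logged; consider an `is_a?`-based check or a class-level opt-in instead of string comparison, and hoist the `%w(...)` array into a constant rather than rebuilding it on every logged job. The `super` call depends on a private `args_info` existing in `ActiveJob::Logging::LogSubscriber`, which the engine initializer guards with `private_method_defined?(:args_info)`; a comment here pointing at that guard would help the next reader.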
@@ -21,5 +31,16 @@ module ShopifyApp
21
31
  app.config.middleware.insert_after(ShopifyApp::SameSiteCookieMiddleware, ShopifyApp::JWTMiddleware)
22
32
  end
23
33
  end
34
+
35
+ initializer "shopify_app.redact_job_params" do
36
+ ActiveSupport.on_load(:active_job) do
37
+ if ActiveJob::Base.respond_to?(:log_arguments?)
38
+ WebhooksManagerJob.log_arguments = false
39
+ ScripttagsManagerJob.log_arguments = false
40
+ elsif ActiveJob::Logging::LogSubscriber.private_method_defined?(:args_info)
41
+ ActiveJob::Logging::LogSubscriber.prepend(RedactJobParams)
42
+ end
43
+ end
44
+ end
24
45
  end
25
46
  end
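Review bot: the `elsif ActiveJob::Logging::LogSubscriber.private_method_defined?(:args_info)` fallback silently does nothing on a Rails version where neither `log_arguments?` nor a private `args_info` exists, so the job arguments this change exists to keep out of logs would keep being logged with no signal; suggest a final `else` that emits a warning so the gap is visible. Also, `WebhooksManagerJob.log_arguments = false` and `ScripttagsManagerJob.log_arguments = false` rely on lexical constant lookup from inside the `on_load(:active_job)` block; writing `ShopifyApp::WebhooksManagerJob` makes the intent explicit.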
@@ -25,7 +25,7 @@ module ShopifyApp
25
25
  end
26
26
 
27
27
  def shopify_user_id
28
- @payload && @payload['sub']
28
+ @payload['sub'].to_i if @payload && @payload['sub']
29
29
  end
30
30
 
31
31
  private
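Review bot: `@payload['sub'].to_i if @payload && @payload['sub']` turns any non-numeric `sub` into `0`, so a malformed or unexpected claim yields a user id of 0 instead of `nil` or an error, and downstream code may treat 0 as a real user; suggest `Integer(@payload['sub'])`, which accepts both the old integer form and the new string form and raises on anything else, wrapped in a rescue that returns `nil`, or validating the string against `/\A\d+\z/` before converting. The nested `@payload && @payload['sub']` guard can be written as `@payload&.dig('sub')`.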
@@ -1,4 +1,4 @@
1
1
  # frozen_string_literal: true
2
2
  module ShopifyApp
3
- VERSION = '14.4.1'
3
+ VERSION = '15.0.1'
4
4
  end
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "shopify_app",
3
- "version": "14.4.1",
3
+ "version": "15.0.1",
4
4
  "repository": "git@github.com:Shopify/shopify_app.git",
5
5
  "author": "Shopify",
6
6
  "license": "MIT",
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: shopify_app
3
3
  version: !ruby/object:Gem::Version
4
- version: 14.4.1
4
+ version: 15.0.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Shopify
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-09-17 00:00:00.000000000 Z
11
+ date: 2020-12-10 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: browser_sniffer