shopify_app 15.0.0 → 17.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e5e94d4b7a80d63547bb4556d0fbe89fb87d7193be8f633a7aceb830c7fc0208
-  data.tar.gz: e97c20fd31bf5a6f3f39f9e7981be42d8900add4d4c78565f171a6d7a5fa5ffe
+  metadata.gz: 8903612dd539f6990fa6931bc28a2e2a8d37ba5f1177baea4d5326f41f581dca
+  data.tar.gz: 1760faccb6a46bd3d15a7e5635f33d31d492d81b14a07331e0f778e4e15ff974
 SHA512:
-  metadata.gz: af85918cd16f6b0e66bea9c3db28f8e0aadb6e7421881425b0562239ac889f1506785b495057698713752f66d58ffa04e58407bc633c60954f891d318d5416ad
-  data.tar.gz: 729148164c29d9e9f4de9a62a19e1a9d1d8aaace09f7461ee1e4d472f4573d34727d6091cd86785707fc9b33f0f3c450dd126e77fb09793eedfaa38d54970b09
+  metadata.gz: 334bd5cb712bd1823133cdfc095a67c547901699bf7dc9b924fb60d009077e0c89629d5e661c15b60e8e5a1fb0ca4656726b75527db76d6db725f6df48b20731
+  data.tar.gz: a4d52f1d592da1644015edd08f2b153c762cab5a2762426d4406a3105d63ee66e257e65219b56d0c02682e9fc9836890f5cd07c0332e55bf0f9c05d8fd0c49ab

data/.github/workflows/build.yml

@@ -0,0 +1,38 @@
+name: CI
+
+on: 
+  push:
+
+jobs:
+  build:
+    runs-on: macos-latest # prevents intermittent Chrome Headless error unlike ubuntu
+    name: Ruby ${{ matrix.version }}
+    strategy:
+      matrix:
+        version: [2.5, 2.6, 2.7]
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Cache node modules
+        uses: actions/cache@v2
+        with:
+          # npm cache files are stored in `~/.npm` on Linux/macOS
+          path: ~/.npm
+          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
+      - name: Set up Ruby ${{ matrix.version }}
+        uses: ruby/setup-ruby@v1
+        with: 
+          ruby-version: ${{ matrix.version }}
+          bundler-cache: true
+      - name: Set up Node
+        uses: actions/setup-node@v2-beta
+        with:
+          node-version: '12'
+      - name: Install Dependencies
+        run: |
+          yarn
+      - name: Run Tests
+        run: |
+          yarn test
+          bundle exec rake test
+          

data/.github/workflows/release.yml

@@ -0,0 +1,20 @@
+name: Create Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  create-release:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Extract tag name
+      id: tag
+      run: echo "::set-output name=value::${GITHUB_REF##*/}"
+    - uses: actions/checkout@v2
+
+    - name: Create Release # https://hub.github.com/hub-release.1.html
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: hub release create ${{ steps.tag.outputs.value }}

data/.github/workflows/rubocop.yml

@@ -12,13 +12,7 @@ jobs:
       uses: ruby/setup-ruby@v1
       with:
         ruby-version: 2.7
-    - name: Cache gems
-      uses: actions/cache@v1
-      with:
-        path: vendor/bundle
-        key: ${{ runner.os }}-rubocop-${{ hashFiles('**/Gemfile.lock') }}
-        restore-keys: |
-          ${{ runner.os }}-rubocop-
+        bundler-cache: true
     - name: Install gems
       run: |
         bundle config path vendor/bundle

data/.gitignore

@@ -1,6 +1,5 @@
 *.gem
 .bundle
-Gemfile.lock
 pkg/*
 .DS_Store
 .yardoc
@@ -13,4 +12,3 @@ test/tmp/*
 /test/dummy/tmp/*
 /node_modules/
 .byebug_history
-

data/CHANGELOG.md

@@ -1,3 +1,27 @@
+Unreleased
+----------
+
+17.0.1 (January 18, 2021)
+------
+* Don't attempt to read Shopify environment variables when the generators are running, since they may not be present yet [#1144](https://github.com/Shopify/shopify_app/pull/1144)
+
+17.0.0 (January 13, 2021)
+------
+* Rails 6.1 is not yet supported [#1134](https://github.com/Shopify/shopify_app/pull/1134)
+
+16.1.0
+------
+* Use Session Token auth strategy by default for new embedded apps [#1111](https://github.com/Shopify/shopify_app/pull/1111)
+* Create optional `EnsureAuthenticatedLinks` concern to authenticate deep links using Turbolinks [#1118](https://github.com/Shopify/shopify_app/pull/1118)
+
+16.0.0
+------
+* Update all `html.erb` and `css` files to correspond with updated store admin design language [#1102](https://github.com/Shopify/shopify_app/pull/1102)
+
+15.0.1
+------
+* Allow JWT session token `sub` field to be parsed as a string [#1103](https://github.com/Shopify/shopify_app/pull/1103)
+
 15.0.0
 ------
 * Change `X-Shopify-API-Request-Failure-Unauthorized` HTTP header value from boolean to string

data/Gemfile.lock

@@ -0,0 +1,256 @@
+PATH
+  remote: .
+  specs:
+    shopify_app (17.0.1)
+      browser_sniffer (~> 1.2.2)
+      jwt (~> 2.2.1)
+      omniauth-shopify-oauth2 (~> 2.2.2)
+      rails (> 5.2.1, < 6.1)
+      redirect_safely (~> 1.0)
+      shopify_api (~> 9.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actioncable (6.0.3.3)
+      actionpack (= 6.0.3.3)
+      nio4r (~> 2.0)
+      websocket-driver (>= 0.6.1)
+    actionmailbox (6.0.3.3)
+      actionpack (= 6.0.3.3)
+      activejob (= 6.0.3.3)
+      activerecord (= 6.0.3.3)
+      activestorage (= 6.0.3.3)
+      activesupport (= 6.0.3.3)
+      mail (>= 2.7.1)
+    actionmailer (6.0.3.3)
+      actionpack (= 6.0.3.3)
+      actionview (= 6.0.3.3)
+      activejob (= 6.0.3.3)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 2.0)
+    actionpack (6.0.3.3)
+      actionview (= 6.0.3.3)
+      activesupport (= 6.0.3.3)
+      rack (~> 2.0, >= 2.0.8)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actiontext (6.0.3.3)
+      actionpack (= 6.0.3.3)
+      activerecord (= 6.0.3.3)
+      activestorage (= 6.0.3.3)
+      activesupport (= 6.0.3.3)
+      nokogiri (>= 1.8.5)
+    actionview (6.0.3.3)
+      activesupport (= 6.0.3.3)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activejob (6.0.3.3)
+      activesupport (= 6.0.3.3)
+      globalid (>= 0.3.6)
+    activemodel (6.0.3.3)
+      activesupport (= 6.0.3.3)
+    activemodel-serializers-xml (1.0.2)
+      activemodel (> 5.x)
+      activesupport (> 5.x)
+      builder (~> 3.1)
+    activerecord (6.0.3.3)
+      activemodel (= 6.0.3.3)
+      activesupport (= 6.0.3.3)
+    activeresource (5.1.1)
+      activemodel (>= 5.0, < 7)
+      activemodel-serializers-xml (~> 1.0)
+      activesupport (>= 5.0, < 7)
+    activestorage (6.0.3.3)
+      actionpack (= 6.0.3.3)
+      activejob (= 6.0.3.3)
+      activerecord (= 6.0.3.3)
+      marcel (~> 0.3.1)
+    activesupport (6.0.3.3)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+      zeitwerk (~> 2.2, >= 2.2.2)
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    ast (2.4.1)
+    binding_of_caller (0.8.0)
+      debug_inspector (>= 0.0.1)
+    browser_sniffer (1.2.2)
+    builder (3.2.4)
+    byebug (11.1.3)
+    coderay (1.1.3)
+    concurrent-ruby (1.1.7)
+    crack (0.4.4)
+    crass (1.0.6)
+    debug_inspector (0.0.3)
+    erubi (1.9.0)
+    faraday (1.3.0)
+      faraday-net_http (~> 1.0)
+      multipart-post (>= 1.2, < 3)
+      ruby2_keywords
+    faraday-net_http (1.0.1)
+    globalid (0.4.2)
+      activesupport (>= 4.2.0)
+    graphql (1.11.6)
+    graphql-client (0.16.0)
+      activesupport (>= 3.0)
+      graphql (~> 1.8)
+    hashdiff (1.0.1)
+    hashie (4.1.0)
+    i18n (1.8.5)
+      concurrent-ruby (~> 1.0)
+    jwt (2.2.2)
+    loofah (2.7.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mail (2.7.1)
+      mini_mime (>= 0.1.1)
+    marcel (0.3.3)
+      mimemagic (~> 0.3.2)
+    method_source (0.9.2)
+    mimemagic (0.3.5)
+    mini_mime (1.0.2)
+    mini_portile2 (2.5.0)
+    minitest (5.14.2)
+    mocha (1.11.2)
+    multi_json (1.15.0)
+    multi_xml (0.6.0)
+    multipart-post (2.1.1)
+    nio4r (2.5.4)
+    nokogiri (1.11.1)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
+    oauth2 (1.4.4)
+      faraday (>= 0.8, < 2.0)
+      jwt (>= 1.0, < 3.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 3)
+    omniauth (1.9.1)
+      hashie (>= 3.4.6)
+      rack (>= 1.6.2, < 3)
+    omniauth-oauth2 (1.5.0)
+      oauth2 (~> 1.1)
+      omniauth (~> 1.2)
+    omniauth-shopify-oauth2 (2.2.3)
+      activesupport
+      omniauth-oauth2 (~> 1.5.0)
+    parallel (1.20.1)
+    parser (2.7.2.0)
+      ast (~> 2.4.1)
+    pry (0.12.2)
+      coderay (~> 1.1.0)
+      method_source (~> 0.9.0)
+    pry-nav (0.3.0)
+      pry (>= 0.9.10, < 0.13.0)
+    pry-stack_explorer (0.4.9.3)
+      binding_of_caller (>= 0.7)
+      pry (>= 0.9.11)
+    public_suffix (4.0.6)
+    racc (1.5.2)
+    rack (2.2.3)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails (6.0.3.3)
+      actioncable (= 6.0.3.3)
+      actionmailbox (= 6.0.3.3)
+      actionmailer (= 6.0.3.3)
+      actionpack (= 6.0.3.3)
+      actiontext (= 6.0.3.3)
+      actionview (= 6.0.3.3)
+      activejob (= 6.0.3.3)
+      activemodel (= 6.0.3.3)
+      activerecord (= 6.0.3.3)
+      activestorage (= 6.0.3.3)
+      activesupport (= 6.0.3.3)
+      bundler (>= 1.3.0)
+      railties (= 6.0.3.3)
+      sprockets-rails (>= 2.0.0)
+    rails-controller-testing (1.0.5)
+      actionpack (>= 5.0.1.rc1)
+      actionview (>= 5.0.1.rc1)
+      activesupport (>= 5.0.1.rc1)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
+    railties (6.0.3.3)
+      actionpack (= 6.0.3.3)
+      activesupport (= 6.0.3.3)
+      method_source
+      rake (>= 0.8.7)
+      thor (>= 0.20.3, < 2.0)
+    rainbow (3.0.0)
+    rake (13.0.1)
+    rb-readline (0.5.5)
+    redirect_safely (1.0.0)
+      activemodel
+    regexp_parser (2.0.0)
+    rexml (3.2.4)
+    rubocop (1.5.2)
+      parallel (~> 1.10)
+      parser (>= 2.7.1.5)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml
+      rubocop-ast (>= 1.2.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 2.0)
+    rubocop-ast (1.3.0)
+      parser (>= 2.7.1.5)
+    rubocop-shopify (1.0.7)
+      rubocop (~> 1.4)
+    ruby-progressbar (1.10.1)
+    ruby2_keywords (0.0.2)
+    shopify_api (9.2.0)
+      activeresource (>= 4.1.0, < 6.0.0)
+      graphql-client
+      rack
+    sprockets (4.0.2)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.2.2)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    sqlite3 (1.4.2)
+    thor (1.0.1)
+    thread_safe (0.3.6)
+    tzinfo (1.2.7)
+      thread_safe (~> 0.1)
+    unicode-display_width (1.7.0)
+    webmock (3.9.1)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
+    websocket-driver (0.7.3)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.5)
+    zeitwerk (2.4.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  byebug
+  minitest
+  mocha
+  pry
+  pry-nav
+  pry-stack_explorer
+  rails-controller-testing
+  rake
+  rb-readline
+  rubocop-shopify
+  shopify_app!
+  sqlite3 (~> 1.4)
+  webmock
+
+BUNDLED WITH
+   2.1.4

data/README.md

@@ -1,6 +1,6 @@
 Shopify App
 ===========
-[![Version][gem]][gem_url] [![Build Status](https://travis-ci.org/Shopify/shopify_app.png)](https://travis-ci.org/Shopify/shopify_app)
+[![Version][gem]][gem_url] [![Build Status](https://github.com/Shopify/shopify_app/workflows/CI/badge.svg)](https://github.com/Shopify/shopify_app/actions?query=workflow%3ACI)
 
 [gem]: https://img.shields.io/gem/v/shopify_app.svg
 [gem_url]: https://rubygems.org/gems/shopify_app
@@ -8,6 +8,8 @@ Shopify App
 
 Shopify Application Rails engine and generator
 
+### NOTE: Rails 6.1 or above is not yet supported due to the new `cookies_same_site_protection` setting.
+
 #### NOTE: Versions 8.0.0 through 8.2.3 contained a CSRF vulnerability that was addressed in version 8.2.4. Please update to version 8.2.4 if you're using an old version.
 
 Table of Contents
@@ -72,28 +74,31 @@ The latest version of shopify_app is compatible with Rails `>= 5`. Use version `
 Generators
 ----------
 
-### Default Generator
+### API Keys
+<!-- This anchor name `#api-keys` is linked to from user output in `templates/shopify_app.rb.tt` so beware of changing -->
+Before starting the app, you'll need to ensure it can read the Shopify environment variables `SHOPIFY_API_KEY` and `SHOPIFY_API_SECRET`.
 
-The default generator will run the `install`, `shop`, `authenticated_controller`, and `home_controller` generators. This is the recommended way to start a new app from scratch:
+In a development environment, a common approach is to use the [dotenv-rails](https://github.com/bkeepers/dotenv) gem, along with an `.env` file in the following format:
 
-```sh
-$ rails generate shopify_app
+```
+SHOPIFY_API_KEY=your api key
+SHOPIFY_API_SECRET=your api secret
 ```
 
-After running the generator, you will need to run `rails db:migrate` to add new tables to your database. You can start your app with `bundle exec rails server` and install your app by visiting `http://localhost` in your web browser.
+These values can be found on the "App Setup" page in the [Shopify Partners Dashboard][dashboard].
+(If you are using [shopify-app-cli](https://github.com/Shopify/shopify-app-cli) this `.env` file will be created automatically).
+If you are checking your code into a code repository, ensure your `.gitignore` prevents your `.env` file from being checked into any publicly accessible code.
 
-### API Keys
+### Default Generator
 
-The default and install generators have been updated to source Shopify API key and secret from an Environment (`.env`) variables file, which you will need to create with the following format:
+The default generator will run the `install`, `shop`, `authenticated_controller`, and `home_controller` generators. This is the recommended way to start a new app from scratch:
 
-```
-SHOPIFY_API_KEY=your api key
-SHOPIFY_API_SECRET=your api secret
+```sh
+$ rails generate shopify_app
 ```
 
-These values can be found on the "App Setup" page in the [Shopify Partners Dashboard][dashboard]. If you are checking your code into a code repository, ensure your `.gitignore` prevents your `.env` file from being checked into any publicly accessible code.
+After running the generator, you will need to run `rails db:migrate` to add new tables to your database. You can start your app with `bundle exec rails server` and install your app by visiting `http://localhost` in your web browser.
 
-**You will need to load the ENV variables into your environment, you can do this with the [dot-env](https://github.com/bkeepers/dotenv) gem or any other method you wish to.**
 
 ### Install Generator
 
@@ -107,6 +112,7 @@ Options include:
 (e.g. `--scope read_products, write_orders, write_products` or `--scope "read_products, write_orders, write_products"`)
 For more information, refer to the [docs](http://docs.shopify.com/api/tutorials/oauth).
 * `embedded` - the default is to generate an [embedded app](http://docs.shopify.com/embedded-app-sdk), if you want a legacy non-embedded app then set this to false, `--embedded false`
+* __[Not recommended for embedded apps]__ `with-cookie-authentication` - sets up the authentication strategy of the app to use cookies. By default, it uses JWT based session tokens.
 
 You can update any of these settings later on easily; the arguments are simply for convenience.
 
@@ -121,10 +127,10 @@ After running the `install` generator, you can start your app with `bundle exec
 $ rails generate shopify_app:home_controller
 ```
 
-This generator creates an example home controller and view which fetches and displays products using the Shopify API.
+This generator creates an example home controller and view which fetches and displays products using the Shopify API. By default, this generator creates an unauthenticated home_controller and a sample protected products_controller.
 
 Options include:
-* __[beta]__ `with-session-token`: This flag generates an unauthenticated home_controller and a protected sample products_controller. It also creates a home view that leverages a session token to fetch products from your products_controller. Use this flag if you plan to build a single-page application or to secure your app using JWT session tokens (e.g. `--with-session-token` or `--with-session-token true`). 
+* __[Not recommended for embedded apps]__ `with-cookie-authentication` - This flag generates an authenticated home_controller, where the authentication strategy relies on cookies. By default, this generator creates an unauthenticated home_controller and protected sample products_controller.
 
 ### Products Controller Generator
 
@@ -279,6 +285,21 @@ The engine provides a `ShopifyApp::Authenticated` concern which should be includ
 
 For backwards compatibility, the engine still provides a controller called `ShopifyApp::AuthenticatedController` which includes the `ShopifyApp::Authenticated` concern. Note that it inherits directly from `ActionController::Base`, so you will not be able to share functionality between it and your application's `ApplicationController`.
 
+### EnsureAuthenticatedLinks
+
+The `ShopifyApp::EnsureAuthenticatedLinks` concern helps authenticate users that access protected pages of your app directly.
+
+Include this concern in your app's `AuthenticatedController` if your app uses session tokens with [Turbolinks](https://shopify.dev/tutorials/authenticate-server-side-rendered-apps-with-session-tokens-app-bridge-turbolinks). It adds a `before_action` filter that detects whether a session token is present or not. If a session is not found, the user is redirected to your app's splash page path (`root_path`) along with `return_to` and `shop` parameters.
+
+Example `AuthenticatedController`:
+
+```rb
+class AuthenticatedController < ApplicationController
+  include ShopifyApp::EnsureAuthenticatedLinks
+  include ShopifyApp::Authenticated
+end
+```
+
 ### AfterAuthenticate Job
 
 If your app needs to perform specific actions after the user is authenticated successfully (i.e. every time a new session is created), ShopifyApp can queue or run a job of your choosing (note that we already provide support for automatically creating Webhooks and Scripttags). To configure the after authenticate job, update your initializer as follows: