shopify_app 16.0.0 → 16.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cb021068958e3d20cb00ac2e038b2b51b475a70fe586756b426b4fe9f36ee214
-  data.tar.gz: 1263b5be44c7a8db83e4620130e00e191d30e12f541edc93861cf2383c132be1
+  metadata.gz: 44ec6da287b58bdae2e84213de7ef0780078bd09c7c25558b75e738e7b1fe8ae
+  data.tar.gz: fc2e72d9c007933a42c45f286b259b2a27a425b0174aadd9095f140d2707922a
 SHA512:
-  metadata.gz: 0105ac8d2e7efe5b523ed8ab9d3e968ab9613215b000fb99c6f9515b2379428da7b291c3a2c0b6e9640440d9f2754474a3c11a62b3de2f9dbbdd4d02003af12e
-  data.tar.gz: 320fd2f2cf36367bffc54edf546169cc13d9be9ee3b02a3fdd02e1df9333529cfe323378e303872284567ed7f6642399dfbbc5ad46ba29a15ebc012184d25035
+  metadata.gz: cf8d2e8fda1d93bf9bee47491662d751be025f2f3dd80cf0e6bc92fc7a5577481dcf78fcba8e9dee1c03c0b5ebf34c686e062eb03313de9679ca3056f675b669
+  data.tar.gz: a71980adc7d070ba469e1fe1a15b69ebbadf8f4f871b3fb2ccc32d989df85cbb702df5101c5cc57b253416693530cd412011e227dc5aa9a24c96e2efddcdb506

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+16.1.0
+------
+* Use Session Token auth strategy by default for new embedded apps [#1111](https://github.com/Shopify/shopify_app/pull/1111)
+* Create optional `EnsureAuthenticatedLinks` concern to authenticate deep links using Turbolinks [#1118](https://github.com/Shopify/shopify_app/pull/1118)
+
 16.0.0
 ------
 * Update all `html.erb` and `css` files to correspond with updated store admin design language [#1102](https://github.com/Shopify/shopify_app/pull/1102)

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    shopify_app (16.0.0)
+    shopify_app (16.1.0)
       browser_sniffer (~> 1.2.2)
       jwt (~> 2.2.1)
       omniauth-shopify-oauth2 (~> 2.2.2)

data/README.md

@@ -107,6 +107,7 @@ Options include:
 (e.g. `--scope read_products, write_orders, write_products` or `--scope "read_products, write_orders, write_products"`)
 For more information, refer to the [docs](http://docs.shopify.com/api/tutorials/oauth).
 * `embedded` - the default is to generate an [embedded app](http://docs.shopify.com/embedded-app-sdk), if you want a legacy non-embedded app then set this to false, `--embedded false`
+* __[Not recommended for embedded apps]__ `with-cookie-authentication` - sets up the authentication strategy of the app to use cookies. By default, it uses JWT based session tokens.
 
 You can update any of these settings later on easily; the arguments are simply for convenience.
 
@@ -121,10 +122,10 @@ After running the `install` generator, you can start your app with `bundle exec
 $ rails generate shopify_app:home_controller
 ```
 
-This generator creates an example home controller and view which fetches and displays products using the Shopify API.
+This generator creates an example home controller and view which fetches and displays products using the Shopify API. By default, this generator creates an unauthenticated home_controller and a sample protected products_controller.
 
 Options include:
-* __[beta]__ `with-session-token`: This flag generates an unauthenticated home_controller and a protected sample products_controller. It also creates a home view that leverages a session token to fetch products from your products_controller. Use this flag if you plan to build a single-page application or to secure your app using JWT session tokens (e.g. `--with-session-token` or `--with-session-token true`). 
+* __[Not recommended for embedded apps]__ `with-cookie-authentication` - This flag generates an authenticated home_controller, where the authentication strategy relies on cookies. By default, this generator creates an unauthenticated home_controller and protected sample products_controller.
 
 ### Products Controller Generator
 
@@ -279,6 +280,21 @@ The engine provides a `ShopifyApp::Authenticated` concern which should be includ
 
 For backwards compatibility, the engine still provides a controller called `ShopifyApp::AuthenticatedController` which includes the `ShopifyApp::Authenticated` concern. Note that it inherits directly from `ActionController::Base`, so you will not be able to share functionality between it and your application's `ApplicationController`.
 
+### EnsureAuthenticatedLinks
+
+The `ShopifyApp::EnsureAuthenticatedLinks` concern helps authenticate users that access protected pages of your app directly.
+
+Include this concern in your app's `AuthenticatedController` if your app uses session tokens with [Turbolinks](https://shopify.dev/tutorials/authenticate-server-side-rendered-apps-with-session-tokens-app-bridge-turbolinks). It adds a `before_action` filter that detects whether a session token is present or not. If a session is not found, the user is redirected to your app's splash page path (`root_path`) along with `return_to` and `shop` parameters.
+
+Example `AuthenticatedController`:
+
+```rb
+class AuthenticatedController < ApplicationController
+  include ShopifyApp::EnsureAuthenticatedLinks
+  include ShopifyApp::Authenticated
+end
+```
+
 ### AfterAuthenticate Job
 
 If your app needs to perform specific actions after the user is authenticated successfully (i.e. every time a new session is created), ShopifyApp can queue or run a job of your choosing (note that we already provide support for automatically creating Webhooks and Scripttags). To configure the after authenticate job, update your initializer as follows:

data/app/controllers/concerns/shopify_app/ensure_authenticated_links.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module EnsureAuthenticatedLinks
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :redirect_to_splash_page, if: :missing_expected_jwt?
+    end
+
+    private
+
+    def redirect_to_splash_page
+      splash_page_path = root_path(return_to: request.fullpath, shop: current_shopify_domain)
+      redirect_to(splash_page_path)
+    end
+
+    def missing_expected_jwt?
+      jwt_shopify_domain.blank?
+    end
+  end
+end

data/docs/Releasing.md

@@ -5,6 +5,7 @@
 1. Create a pull request with the following changes:
     - Update the version of ShopifyApp in lib/shopify_app/version.rb
     - Update the version of shopify_app in package.json
+    - Run `bundle` to update `Gemfile.lock`
     - Add a CHANGELOG entry for the new release with the date
     - Change the title of the PR to something like: "Packaging for release X.Y.Z"
 1. Merge your pull request

data/lib/generators/shopify_app/home_controller/home_controller_generator.rb

@@ -6,16 +6,15 @@ module ShopifyApp
     class HomeControllerGenerator < Rails::Generators::Base
       source_root File.expand_path('../templates', __FILE__)
 
-      class_option :with_session_token, type: :boolean, default: false
+      class_option :with_cookie_authentication, type: :boolean, default: false
+      class_option :embedded, type: :string, default: 'true'
 
       def create_home_controller
-        @with_session_token = options['with_session_token']
-
         template(home_controller_template, 'app/controllers/home_controller.rb')
       end
 
       def create_products_controller
-        generate("shopify_app:products_controller") if with_session_token?
+        generate("shopify_app:products_controller") unless with_cookie_authentication?
       end
 
       def create_home_index_view
@@ -28,16 +27,26 @@ module ShopifyApp
 
       private
 
+      def embedded?
+        options['embedded'] == 'true'
+      end
+
       def embedded_app?
         ShopifyApp.configuration.embedded_app?
       end
 
-      def with_session_token?
-        @with_session_token
+      def with_cookie_authentication?
+        options['with_cookie_authentication']
       end
 
       def home_controller_template
-        with_session_token? ? 'unauthenticated_home_controller.rb' : 'home_controller.rb'
+        return 'unauthenticated_home_controller.rb' unless authenticated_home_controller_required?
+
+        'home_controller.rb'
+      end
+
+      def authenticated_home_controller_required?
+        with_cookie_authentication? || !embedded? || !embedded_app?
       end
     end
   end

data/lib/generators/shopify_app/home_controller/templates/index.html.erb

@@ -7,7 +7,7 @@
       rel="stylesheet"
       href="https://unpkg.com/@shopify/polaris@4.25.0/styles.min.css"
       />
-<% if @with_session_token %>    <script>
+<% unless with_cookie_authentication? %>    <script>
       document.addEventListener("DOMContentLoaded", async function() {
         var SessionToken = window["app-bridge"].actions.SessionToken
         var app = window.app;
@@ -47,7 +47,7 @@
 <% end %>  </head>
   <body>
     <h2>Products</h2>
-<% if @with_session_token %>    <div id="products"><br>Loading...</div><% else %>
+<% unless with_cookie_authentication? %>    <div id="products"><br>Loading...</div><% else %>
     <ul>
       <%% @products.each do |product| %>
         <li><%%= link_to product.title, "https://#{@current_shopify_session.domain}/admin/products/#{product.id}", target: "_top" %></li>
@@ -55,17 +55,17 @@
     </ul>
 
     <hr>
-
+    <% end %>
     <h2>Webhooks</h2>
 
     <%% if @webhooks.present? %>
-      <ul>
-        <%% @webhooks.each do |webhook| %>
-          <li><%%= webhook.topic %> : <%%= webhook.address %></li>
-        <%% end %>
-      </ul>
+    <ul>
+      <%% @webhooks.each do |webhook| %>
+      <li><%%= webhook.topic %> : <%%= webhook.address %></li>
+      <%% end %>
+    </ul>
     <%% else %>
-      <p>This app has not created any webhooks for this Shop. Add webhooks to your ShopifyApp initializer if you need webhooks</p>
-    <%% end %><% end %>
+    <p>This app has not created any webhooks for this Shop. Add webhooks to your ShopifyApp initializer if you need webhooks</p>
+    <%% end %>
   </body>
 </html>

data/lib/generators/shopify_app/install/install_generator.rb

@@ -11,6 +11,7 @@ module ShopifyApp
       class_option :scope, type: :array, default: ['read_products']
       class_option :embedded, type: :string, default: 'true'
       class_option :api_version, type: :string, default: nil
+      class_option :with_cookie_authentication, type: :boolean, default: false
 
       def create_shopify_app_initializer
         @application_name = format_array_argument(options['application_name'])
@@ -78,6 +79,10 @@ module ShopifyApp
       def format_array_argument(array)
         array.join(' ').tr('"', '')
       end
+
+      def with_cookie_authentication?
+        options['with_cookie_authentication'] || !embedded_app?
+      end
     end
   end
 end

data/lib/generators/shopify_app/install/templates/shopify_app.rb.tt

@@ -9,7 +9,8 @@ ShopifyApp.configure do |config|
   config.after_authenticate_job = false
   config.api_version = "<%= @api_version %>"
   config.shop_session_repository = 'Shop'
-  config.allow_jwt_authentication = true
+  config.allow_jwt_authentication = <%= !with_cookie_authentication? %>
+  config.allow_cookie_authentication = <%= with_cookie_authentication? %>
 end
 
 # ShopifyApp::Utils.fetch_known_api_versions                        # Uncomment to fetch known api versions from shopify servers on boot

data/lib/shopify_app/configuration.rb

@@ -39,12 +39,15 @@ module ShopifyApp
     # allow enabling jwt headers for authentication
     attr_accessor :allow_jwt_authentication
 
+    attr_accessor :allow_cookie_authentication
+
     def initialize
       @root_url = '/'
       @myshopify_domain = 'myshopify.com'
       @scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
       @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
       @disable_webpacker = ENV['SHOPIFY_APP_DISABLE_WEBPACKER'].present?
+      @allow_cookie_authentication = true
     end
 
     def login_url

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -57,6 +57,7 @@ module ShopifyApp
     end
 
     def user_session_by_cookie
+      return unless ShopifyApp.configuration.allow_cookie_authentication
       return unless session[:user_id].present?
       ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
     end
@@ -72,6 +73,7 @@ module ShopifyApp
     end
 
     def shop_session_by_cookie
+      return unless ShopifyApp.configuration.allow_cookie_authentication
       return unless session[:shop_id].present?
       ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
     end

data/lib/shopify_app/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module ShopifyApp
-  VERSION = '16.0.0'
+  VERSION = '16.1.0'
 end

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "16.0.0",
+  "version": "16.1.0",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 16.0.0
+  version: 16.1.0
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-12-10 00:00:00.000000000 Z
+date: 2020-12-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: browser_sniffer
@@ -269,6 +269,7 @@ files:
 - app/assets/javascripts/shopify_app/top_level.js
 - app/assets/javascripts/shopify_app/top_level_interaction.js
 - app/controllers/concerns/shopify_app/authenticated.rb
+- app/controllers/concerns/shopify_app/ensure_authenticated_links.rb
 - app/controllers/concerns/shopify_app/require_known_shop.rb
 - app/controllers/shopify_app/authenticated_controller.rb
 - app/controllers/shopify_app/callback_controller.rb