shopify_app 17.0.3 → 17.2.0

data/lib/shopify_app/configuration.rb

@@ -9,6 +9,8 @@ module ShopifyApp
     attr_accessor :secret
     attr_accessor :old_secret
     attr_accessor :scope
+    attr_writer :shop_access_scopes
+    attr_writer :user_access_scopes
     attr_accessor :embedded_app
     alias_method  :embedded_app?, :embedded_app
     attr_accessor :webhooks
@@ -16,6 +18,8 @@ module ShopifyApp
     attr_accessor :after_authenticate_job
     attr_accessor :api_version
 
+    attr_accessor :reauth_on_access_scope_changes
+
     # customise urls
     attr_accessor :root_url
     attr_writer :login_url
@@ -70,6 +74,16 @@ module ShopifyApp
       ShopifyApp::SessionRepository.shop_storage
     end
 
+    def shop_access_scopes_strategy
+      return ShopifyApp::AccessScopes::NoopStrategy unless reauth_on_access_scope_changes
+      ShopifyApp::AccessScopes::ShopStrategy
+    end
+
+    def user_access_scopes_strategy
+      return ShopifyApp::AccessScopes::NoopStrategy unless reauth_on_access_scope_changes
+      ShopifyApp::AccessScopes::UserStrategy
+    end
+
     def has_webhooks?
       webhooks.present?
     end
@@ -81,6 +95,14 @@ module ShopifyApp
     def enable_same_site_none
       !Rails.env.test? && (@enable_same_site_none.nil? ? embedded_app? : @enable_same_site_none)
     end
+
+    def shop_access_scopes
+      @shop_access_scopes || scope
+    end
+
+    def user_access_scopes
+      @user_access_scopes || scope
+    end
   end
 
   def self.configuration

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb

@@ -21,7 +21,7 @@ module ShopifyApp
           .compact
           .map do |cookie|
             cookie << '; Secure' unless cookie =~ /;\s*secure/i
-            cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
+            cookie << '; SameSite=None' if ShopifyApp.configuration.embedded_app?
             cookie
           end
 

data/lib/shopify_app/omniauth/omniauth_configuration.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  class OmniAuthConfiguration
+    attr_reader :strategy, :request
+    attr_writer :client_options_site, :scopes, :per_user_permissions
+
+    def initialize(strategy, request)
+      @strategy = strategy
+      @request = request
+    end
+
+    def build_options
+      strategy.options[:client_options][:site] = client_options_site
+      strategy.options[:scope] = scopes
+      strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret
+      strategy.options[:per_user_permissions] = request_online_tokens?
+    end
+
+    private
+
+    def request_online_tokens?
+      return @per_user_permissions unless @per_user_permissions.nil?
+      default_request_online_tokens?
+    end
+
+    def scopes
+      @scopes || default_scopes
+    end
+
+    def client_options_site
+      @client_options_site || default_client_options_site
+    end
+
+    def default_scopes
+      if request_online_tokens?
+        ShopifyApp.configuration.user_access_scopes
+      else
+        ShopifyApp.configuration.shop_access_scopes
+      end
+    end
+
+    def default_client_options_site
+      return '' unless shop_domain.present?
+      "https://#{shopify_auth_params[:shop]}"
+    end
+
+    def default_request_online_tokens?
+      strategy.session[:user_tokens] && !update_shop_scopes?
+    end
+
+    def update_shop_scopes?
+      ShopifyApp.configuration.shop_access_scopes_strategy.update_access_scopes?(shop_domain)
+    end
+
+    def shop_domain
+      request.params['shop'] || (shopify_auth_params && shopify_auth_params['shop'])
+    end
+
+    def shopify_auth_params
+      strategy.session['shopify.omniauth_params']&.with_indifferent_access
+    end
+  end
+end

data/lib/shopify_app/session/in_memory_shop_session_store.rb

@@ -1,14 +1,16 @@
 # frozen_string_literal: true
 module ShopifyApp
   class InMemoryShopSessionStore < InMemorySessionStore
-    def self.store(session, *args)
-      id = super
-      repo[session.domain] = session
-      id
-    end
+    class << self
+      def store(session, *args)
+        id = super
+        repo[session.domain] = session
+        id
+      end
 
-    def self.retrieve_by_shopify_domain(shopify_domain)
-      repo[shopify_domain]
+      def retrieve_by_shopify_domain(shopify_domain)
+        repo[shopify_domain]
+      end
     end
   end
 end

data/lib/shopify_app/session/in_memory_user_session_store.rb

@@ -1,14 +1,16 @@
 # frozen_string_literal: true
 module ShopifyApp
   class InMemoryUserSessionStore < InMemorySessionStore
-    def self.store(session, user)
-      id = super
-      repo[user.shopify_user_id] = session
-      id
-    end
+    class << self
+      def store(session, user)
+        id = super
+        repo[user.shopify_user_id] = session
+        id
+      end
 
-    def self.retrieve_by_shopify_user_id(user_id)
-      repo[user_id]
+      def retrieve_by_shopify_user_id(user_id)
+        repo[user_id]
+      end
     end
   end
 end

data/lib/shopify_app/session/shop_session_storage_with_scopes.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module ShopSessionStorageWithScopes
+    extend ActiveSupport::Concern
+    include ::ShopifyApp::SessionStorage
+
+    included do
+      validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false }
+    end
+
+    class_methods do
+      def store(auth_session, *_args)
+        shop = find_or_initialize_by(shopify_domain: auth_session.domain)
+        shop.shopify_token = auth_session.token
+        shop.access_scopes = auth_session.access_scopes
+
+        shop.save!
+        shop.id
+      end
+
+      def retrieve(id)
+        shop = find_by(id: id)
+        construct_session(shop)
+      end
+
+      def retrieve_by_shopify_domain(domain)
+        shop = find_by(shopify_domain: domain)
+        construct_session(shop)
+      end
+
+      private
+
+      def construct_session(shop)
+        return unless shop
+
+        ShopifyAPI::Session.new(
+          domain: shop.shopify_domain,
+          token: shop.shopify_token,
+          api_version: shop.api_version,
+          access_scopes: shop.access_scopes
+        )
+      end
+    end
+
+    def access_scopes=(scopes)
+      super(scopes)
+    rescue NotImplementedError, NoMethodError
+      raise NotImplementedError, "#access_scopes= must be defined to handle storing access scopes: #{scopes}"
+    end
+
+    def access_scopes
+      super
+    rescue NotImplementedError, NoMethodError
+      raise NotImplementedError, "#access_scopes= must be defined to hook into stored access scopes"
+    end
+  end
+end

data/lib/shopify_app/session/user_session_storage_with_scopes.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module UserSessionStorageWithScopes
+    extend ActiveSupport::Concern
+    include ::ShopifyApp::SessionStorage
+
+    included do
+      validates :shopify_domain, presence: true
+    end
+
+    class_methods do
+      def store(auth_session, user)
+        user = find_or_initialize_by(shopify_user_id: user[:id])
+        user.shopify_token = auth_session.token
+        user.shopify_domain = auth_session.domain
+        user.access_scopes = auth_session.access_scopes
+
+        user.save!
+        user.id
+      end
+
+      def retrieve(id)
+        user = find_by(id: id)
+        construct_session(user)
+      end
+
+      def retrieve_by_shopify_user_id(user_id)
+        user = find_by(shopify_user_id: user_id)
+        construct_session(user)
+      end
+
+      private
+
+      def construct_session(user)
+        return unless user
+
+        ShopifyAPI::Session.new(
+          domain: user.shopify_domain,
+          token: user.shopify_token,
+          api_version: user.api_version,
+          access_scopes: user.access_scopes
+        )
+      end
+    end
+
+    def access_scopes=(scopes)
+      super(scopes)
+    rescue NotImplementedError, NoMethodError
+      raise NotImplementedError, "#access_scopes= must be defined to handle storing access scopes: #{scopes}"
+    end
+
+    def access_scopes
+      super
+    rescue NotImplementedError, NoMethodError
+      raise NotImplementedError, "#access_scopes= must be defined to hook into stored access scopes"
+    end
+  end
+end

data/lib/shopify_app/utils.rb

@@ -20,5 +20,17 @@ module ShopifyApp
     rescue ActiveResource::ConnectionError
       logger.error("[ShopifyAPI::ApiVersion] Unable to fetch api_versions from Shopify")
     end
+
+    def self.shop_login_url(shop:, return_to:)
+      return ShopifyApp.configuration.login_url unless shop
+      url = URI(ShopifyApp.configuration.login_url)
+
+      url.query = URI.encode_www_form(
+        shop: shop,
+        return_to: return_to,
+      )
+
+      url.to_s
+    end
   end
 end

data/lib/shopify_app/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module ShopifyApp
-  VERSION = '17.0.3'
+  VERSION = '17.2.0'
 end

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "17.0.3",
+  "version": "17.2.0",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

data/shopify_app.gemspec

@@ -14,8 +14,8 @@ Gem::Specification.new do |s|
   s.metadata['allowed_push_host'] = 'https://rubygems.org'
 
   s.add_runtime_dependency('browser_sniffer', '~> 1.2.2')
-  s.add_runtime_dependency('rails', '> 5.2.1', '< 6.1')
-  s.add_runtime_dependency('shopify_api', '~> 9.1')
+  s.add_runtime_dependency('rails', '> 5.2.1', '< 6.2')
+  s.add_runtime_dependency('shopify_api', '~> 9.4')
   s.add_runtime_dependency('omniauth-shopify-oauth2', '~> 2.2.2')
   s.add_runtime_dependency('jwt', '~> 2.2.1')
   s.add_runtime_dependency('redirect_safely', '~> 1.0')

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 17.0.3
+  version: 17.2.0
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-01-22 00:00:00.000000000 Z
+date: 2021-04-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: browser_sniffer
@@ -33,7 +33,7 @@ dependencies:
         version: 5.2.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '6.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -43,21 +43,21 @@ dependencies:
         version: 5.2.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '6.2'
 - !ruby/object:Gem::Dependency
   name: shopify_api
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '9.1'
+        version: '9.4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '9.1'
+        version: '9.4'
 - !ruby/object:Gem::Dependency
   name: omniauth-shopify-oauth2
   requirement: !ruby/object:Gem::Requirement
@@ -248,7 +248,9 @@ extra_rdoc_files: []
 files:
 - ".babelrc"
 - ".github/CODEOWNERS"
-- ".github/ISSUE_TEMPLATE.md"
+- ".github/ISSUE_TEMPLATE/bug-report.md"
+- ".github/ISSUE_TEMPLATE/config.yml"
+- ".github/ISSUE_TEMPLATE/feature-request.md"
 - ".github/PULL_REQUEST_TEMPLATE.md"
 - ".github/probots.yml"
 - ".github/workflows/build.yml"
@@ -259,6 +261,7 @@ files:
 - ".rubocop.yml"
 - ".ruby-version"
 - CHANGELOG.md
+- CONTRIBUTING.md
 - Gemfile
 - Gemfile.lock
 - LICENSE
@@ -278,6 +281,7 @@ files:
 - app/controllers/concerns/shopify_app/authenticated.rb
 - app/controllers/concerns/shopify_app/ensure_authenticated_links.rb
 - app/controllers/concerns/shopify_app/require_known_shop.rb
+- app/controllers/concerns/shopify_app/shop_access_scopes_verification.rb
 - app/controllers/shopify_app/authenticated_controller.rb
 - app/controllers/shopify_app/callback_controller.rb
 - app/controllers/shopify_app/extension_verification_controller.rb
@@ -321,8 +325,15 @@ files:
 - docs/Quickstart.md
 - docs/Releasing.md
 - docs/Troubleshooting.md
-- docs/install-on-dev-shop.png
-- docs/test-your-app.png
+- docs/Upgrading.md
+- docs/shopify_app/authentication.md
+- docs/shopify_app/engine.md
+- docs/shopify_app/generators.md
+- docs/shopify_app/handling-access-scopes-changes.md
+- docs/shopify_app/script-tags.md
+- docs/shopify_app/session-repository.md
+- docs/shopify_app/testing.md
+- docs/shopify_app/webhooks.md
 - images/app-proxy-screenshot.png
 - karma.conf.js
 - lib/generators/shopify_app/add_after_authenticate_job/add_after_authenticate_job_generator.rb
@@ -351,7 +362,7 @@ files:
 - lib/generators/shopify_app/install/templates/shopify_app.js
 - lib/generators/shopify_app/install/templates/shopify_app.rb.tt
 - lib/generators/shopify_app/install/templates/shopify_app_index.js
-- lib/generators/shopify_app/install/templates/shopify_provider.rb
+- lib/generators/shopify_app/install/templates/shopify_provider.rb.tt
 - lib/generators/shopify_app/install/templates/user_agent.rb
 - lib/generators/shopify_app/products_controller/products_controller_generator.rb
 - lib/generators/shopify_app/products_controller/templates/products_controller.rb
@@ -361,16 +372,21 @@ files:
 - lib/generators/shopify_app/routes/routes_generator.rb
 - lib/generators/shopify_app/routes/templates/routes.rb
 - lib/generators/shopify_app/shop_model/shop_model_generator.rb
+- lib/generators/shopify_app/shop_model/templates/db/migrate/add_shop_access_scopes_column.erb
 - lib/generators/shopify_app/shop_model/templates/db/migrate/create_shops.erb
 - lib/generators/shopify_app/shop_model/templates/shop.rb
 - lib/generators/shopify_app/shop_model/templates/shops.yml
 - lib/generators/shopify_app/shopify_app_generator.rb
+- lib/generators/shopify_app/user_model/templates/db/migrate/add_user_access_scopes_column.erb
 - lib/generators/shopify_app/user_model/templates/db/migrate/create_users.erb
 - lib/generators/shopify_app/user_model/templates/user.rb
 - lib/generators/shopify_app/user_model/templates/users.yml
 - lib/generators/shopify_app/user_model/user_model_generator.rb
 - lib/generators/shopify_app/views/views_generator.rb
 - lib/shopify_app.rb
+- lib/shopify_app/access_scopes/noop_strategy.rb
+- lib/shopify_app/access_scopes/shop_strategy.rb
+- lib/shopify_app/access_scopes/user_strategy.rb
 - lib/shopify_app/configuration.rb
 - lib/shopify_app/controller_concerns/app_proxy_verification.rb
 - lib/shopify_app/controller_concerns/csrf_protection.rb
@@ -387,6 +403,7 @@ files:
 - lib/shopify_app/managers/webhooks_manager.rb
 - lib/shopify_app/middleware/jwt_middleware.rb
 - lib/shopify_app/middleware/same_site_cookie_middleware.rb
+- lib/shopify_app/omniauth/omniauth_configuration.rb
 - lib/shopify_app/session/in_memory_session_store.rb
 - lib/shopify_app/session/in_memory_shop_session_store.rb
 - lib/shopify_app/session/in_memory_user_session_store.rb
@@ -395,7 +412,9 @@ files:
 - lib/shopify_app/session/session_repository.rb
 - lib/shopify_app/session/session_storage.rb
 - lib/shopify_app/session/shop_session_storage.rb
+- lib/shopify_app/session/shop_session_storage_with_scopes.rb
 - lib/shopify_app/session/user_session_storage.rb
+- lib/shopify_app/session/user_session_storage_with_scopes.rb
 - lib/shopify_app/test_helpers/all.rb
 - lib/shopify_app/test_helpers/webhook_verification_helper.rb
 - lib/shopify_app/utils.rb