shopify_app 17.1.0 → 18.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: db6d499169653da5b11b813fe35e2ecf11312403cfa418c755e43c6b2dea3667
-  data.tar.gz: 39d42cd9bba1bc353a5959376758fc52a71cfb3005c25dd9defb9d0816210244
+  metadata.gz: 05a2dce084fe578139757483538102b6f57d1fc4ec6935ae8ce4d11df7a914cf
+  data.tar.gz: 789a109b204a143850cc0c7d3fe14c6d4519b94d89671d46ddb09101283ceb7a
 SHA512:
-  metadata.gz: 013f7337c0018134bd389a4c968118d8f26a4df9dca4d22a2dfe8de7d514f6914c5c11bd9e7446e3ab15d7c81c744967621f03c9fd354c43843706e77db79d21
-  data.tar.gz: 3cc55404a0dd1e4dc0d3dadf1226c1755d887f13698dd87d118589a8c325b657d85de719a8a49ec3e6dcf33e7191968f7b04b8caaf5f722ee9ad36c1513937cb
+  metadata.gz: 2cee778a503dc5652623f9b2d6e82b9844dff44840d77b57e8ecc4051bb7b3dd1707ba35cc2df93f348006da29251290b82c32988499f0e864d65d0d868bf00e
+  data.tar.gz: 6ff6e53fb49335ee6e151ce8d21d2b7bd66b8f9267b9ed03ef589282bc9db2e5e9a3c17e4d2dfcec6fca5cc7fe59676d28dc4762254b6dfab356f2bcc9c47ec4

data/.github/CODEOWNERS

@@ -1 +1,2 @@
 *       @shopify/platform-dev-tools-education
+*       @shopify/app-foundations

data/.github/workflows/build.yml

@@ -1,7 +1,10 @@
 name: CI
 
-on: 
+on:
   push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
 
 jobs:
   build:

data/CHANGELOG.md

@@ -1,5 +1,27 @@
-Unreleased
+18.0.1 (May 7, 2021)
 ----------
+* Fix bug causing OAuth flow to fail due to CSP violation. [#1265](https://github.com/Shopify/shopify_app/pull/1265)
+
+18.0.0 (May 3, 2021)
+----------
+* Support OmniAuth 2.x 
+  * If your app has custom OmniAuth configuration, please refer to the [OmniAuth 2.0 upgrade guide](https://github.com/omniauth/omniauth/wiki/Upgrading-to-2.0).
+* Support App Bridge version 2.x in the Embedded App layout. [#1241](https://github.com/Shopify/shopify_app/pull/1241)
+
+17.2.1 (April 1, 2021)
+----------
+* Bug fix: Lock the CDN App Bridge version to `v1.X.Y` in the Embedded App layout [#1238](https://github.com/Shopify/shopify_app/pull/1238)
+  * App Bridge `v2.0` is a non-backwards compatible release
+  * A future major shopify_app gem release will support only App Bridge `v2.0`
+
+17.2.0 (April 1, 2021)
+----------
+* Support Rails `v6.1` [#1221](https://github.com/Shopify/shopify_app/pull/1221)
+  * Check out [Upgrading to `v17.2.0`](/docs/Upgrading.md#upgrading-to-v1720) in the Upgrading.md guide for the changes needed to support Rails `v6.1`
+
+17.1.1 (March 12, 2021)
+----------
+* Fix issues with mocking OmniAuth callback controller tests [#1210](https://github.com/Shopify/shopify_app/pull/1210)
 
 17.1.0 (March 5, 2021)
 ----------

data/Gemfile.lock

@@ -1,80 +1,85 @@
 PATH
   remote: .
   specs:
-    shopify_app (17.1.0)
+    shopify_app (18.0.1)
       browser_sniffer (~> 1.2.2)
-      jwt (~> 2.2.1)
-      omniauth-shopify-oauth2 (~> 2.2.2)
-      rails (> 5.2.1, < 6.1)
+      jwt (>= 2.2.3)
+      omniauth-rails_csrf_protection
+      omniauth-shopify-oauth2 (~> 2.3)
+      rails (> 5.2.1, < 6.2)
       redirect_safely (~> 1.0)
       shopify_api (~> 9.4)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (6.0.3.5)
-      actionpack (= 6.0.3.5)
+    actioncable (6.1.3.1)
+      actionpack (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.0.3.5)
-      actionpack (= 6.0.3.5)
-      activejob (= 6.0.3.5)
-      activerecord (= 6.0.3.5)
-      activestorage (= 6.0.3.5)
-      activesupport (= 6.0.3.5)
+    actionmailbox (6.1.3.1)
+      actionpack (= 6.1.3.1)
+      activejob (= 6.1.3.1)
+      activerecord (= 6.1.3.1)
+      activestorage (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
       mail (>= 2.7.1)
-    actionmailer (6.0.3.5)
-      actionpack (= 6.0.3.5)
-      actionview (= 6.0.3.5)
-      activejob (= 6.0.3.5)
+    actionmailer (6.1.3.1)
+      actionpack (= 6.1.3.1)
+      actionview (= 6.1.3.1)
+      activejob (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.3.5)
-      actionview (= 6.0.3.5)
-      activesupport (= 6.0.3.5)
-      rack (~> 2.0, >= 2.0.8)
+    actionpack (6.1.3.1)
+      actionview (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
+      rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.0.3.5)
-      actionpack (= 6.0.3.5)
-      activerecord (= 6.0.3.5)
-      activestorage (= 6.0.3.5)
-      activesupport (= 6.0.3.5)
+    actiontext (6.1.3.1)
+      actionpack (= 6.1.3.1)
+      activerecord (= 6.1.3.1)
+      activestorage (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
       nokogiri (>= 1.8.5)
-    actionview (6.0.3.5)
-      activesupport (= 6.0.3.5)
+    actionview (6.1.3.1)
+      activesupport (= 6.1.3.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.0.3.5)
-      activesupport (= 6.0.3.5)
+    activejob (6.1.3.1)
+      activesupport (= 6.1.3.1)
       globalid (>= 0.3.6)
-    activemodel (6.0.3.5)
-      activesupport (= 6.0.3.5)
+    activemodel (6.1.3.1)
+      activesupport (= 6.1.3.1)
     activemodel-serializers-xml (1.0.2)
       activemodel (> 5.x)
       activesupport (> 5.x)
       builder (~> 3.1)
-    activerecord (6.0.3.5)
-      activemodel (= 6.0.3.5)
-      activesupport (= 6.0.3.5)
+    activerecord (6.1.3.1)
+      activemodel (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
     activeresource (5.1.1)
       activemodel (>= 5.0, < 7)
       activemodel-serializers-xml (~> 1.0)
       activesupport (>= 5.0, < 7)
-    activestorage (6.0.3.5)
-      actionpack (= 6.0.3.5)
-      activejob (= 6.0.3.5)
-      activerecord (= 6.0.3.5)
-      marcel (~> 0.3.1)
-    activesupport (6.0.3.5)
+    activestorage (6.1.3.1)
+      actionpack (= 6.1.3.1)
+      activejob (= 6.1.3.1)
+      activerecord (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
+      marcel (~> 1.0.0)
+      mini_mime (~> 1.0.2)
+    activesupport (6.1.3.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
     ast (2.4.1)
@@ -88,15 +93,19 @@ GEM
     crack (0.4.4)
     crass (1.0.6)
     debug_inspector (0.0.3)
-    erubi (1.9.0)
-    faraday (1.3.0)
+    erubi (1.10.0)
+    faraday (1.4.1)
+      faraday-excon (~> 1.1)
       faraday-net_http (~> 1.0)
+      faraday-net_http_persistent (~> 1.1)
       multipart-post (>= 1.2, < 3)
-      ruby2_keywords
+      ruby2_keywords (>= 0.0.4)
+    faraday-excon (1.1.0)
     faraday-net_http (1.0.1)
+    faraday-net_http_persistent (1.1.0)
     globalid (0.4.2)
       activesupport (>= 4.2.0)
-    graphql (1.12.5)
+    graphql (1.12.8)
     graphql-client (0.16.0)
       activesupport (>= 3.0)
       graphql (~> 1.8)
@@ -104,17 +113,15 @@ GEM
     hashie (4.1.0)
     i18n (1.8.9)
       concurrent-ruby (~> 1.0)
-    jwt (2.2.2)
-    loofah (2.7.0)
+    jwt (2.2.3)
+    loofah (2.9.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
-    marcel (0.3.3)
-      mimemagic (~> 0.3.2)
+    marcel (1.0.1)
     method_source (0.9.2)
-    mimemagic (0.3.5)
-    mini_mime (1.0.2)
+    mini_mime (1.0.3)
     mini_portile2 (2.5.0)
     minitest (5.14.4)
     mocha (1.11.2)
@@ -122,24 +129,28 @@ GEM
     multi_xml (0.6.0)
     multipart-post (2.1.1)
     nio4r (2.5.7)
-    nokogiri (1.11.1)
+    nokogiri (1.11.2)
       mini_portile2 (~> 2.5.0)
       racc (~> 1.4)
-    oauth2 (1.4.4)
+    oauth2 (1.4.7)
       faraday (>= 0.8, < 2.0)
       jwt (>= 1.0, < 3.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    omniauth (1.9.1)
+    omniauth (2.0.4)
       hashie (>= 3.4.6)
       rack (>= 1.6.2, < 3)
-    omniauth-oauth2 (1.5.0)
-      oauth2 (~> 1.1)
-      omniauth (~> 1.2)
-    omniauth-shopify-oauth2 (2.2.3)
+      rack-protection
+    omniauth-oauth2 (1.7.1)
+      oauth2 (~> 1.4)
+      omniauth (>= 1.9, < 3)
+    omniauth-rails_csrf_protection (1.0.0)
+      actionpack (>= 4.2)
+      omniauth (~> 2.0)
+    omniauth-shopify-oauth2 (2.3.2)
       activesupport
-      omniauth-oauth2 (~> 1.5.0)
+      omniauth-oauth2 (~> 1.5)
     parallel (1.20.1)
     parser (2.7.2.0)
       ast (~> 2.4.1)
@@ -154,22 +165,24 @@ GEM
     public_suffix (4.0.6)
     racc (1.5.2)
     rack (2.2.3)
+    rack-protection (2.1.0)
+      rack
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (6.0.3.5)
-      actioncable (= 6.0.3.5)
-      actionmailbox (= 6.0.3.5)
-      actionmailer (= 6.0.3.5)
-      actionpack (= 6.0.3.5)
-      actiontext (= 6.0.3.5)
-      actionview (= 6.0.3.5)
-      activejob (= 6.0.3.5)
-      activemodel (= 6.0.3.5)
-      activerecord (= 6.0.3.5)
-      activestorage (= 6.0.3.5)
-      activesupport (= 6.0.3.5)
-      bundler (>= 1.3.0)
-      railties (= 6.0.3.5)
+    rails (6.1.3.1)
+      actioncable (= 6.1.3.1)
+      actionmailbox (= 6.1.3.1)
+      actionmailer (= 6.1.3.1)
+      actionpack (= 6.1.3.1)
+      actiontext (= 6.1.3.1)
+      actionview (= 6.1.3.1)
+      activejob (= 6.1.3.1)
+      activemodel (= 6.1.3.1)
+      activerecord (= 6.1.3.1)
+      activestorage (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
+      bundler (>= 1.15.0)
+      railties (= 6.1.3.1)
       sprockets-rails (>= 2.0.0)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
@@ -180,12 +193,12 @@ GEM
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
-    railties (6.0.3.5)
-      actionpack (= 6.0.3.5)
-      activesupport (= 6.0.3.5)
+    railties (6.1.3.1)
+      actionpack (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
       method_source
       rake (>= 0.8.7)
-      thor (>= 0.20.3, < 2.0)
+      thor (~> 1.0)
     rainbow (3.0.0)
     rake (13.0.3)
     rb-readline (0.5.5)
@@ -208,7 +221,7 @@ GEM
       rubocop (~> 1.4)
     ruby-progressbar (1.10.1)
     ruby2_keywords (0.0.4)
-    shopify_api (9.4.0)
+    shopify_api (9.4.1)
       activeresource (>= 4.1.0, < 6.0.0)
       graphql-client
       rack
@@ -221,9 +234,8 @@ GEM
       sprockets (>= 3.0.0)
     sqlite3 (1.4.2)
     thor (1.1.0)
-    thread_safe (0.3.6)
-    tzinfo (1.2.9)
-      thread_safe (~> 0.1)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
     unicode-display_width (1.7.0)
     webmock (3.9.1)
       addressable (>= 2.3.6)

data/README.md

@@ -4,7 +4,7 @@
 
 [gem]: https://img.shields.io/gem/v/shopify_app.svg
 [gem_url]: https://rubygems.org/gems/shopify_app
-[supported_rails_version]: https://img.shields.io/badge/rails-%3C6.1.0-orange
+[supported_rails_version]: https://img.shields.io/badge/rails-%3C6.2.0-orange
 
 This gem builds Rails applications that can be embedded in the Shopify Admin.
 

data/app/assets/javascripts/shopify_app/post_redirect.js

@@ -0,0 +1,9 @@
+(function() {
+  function redirect() {
+    var form = document.getElementById("redirect-form");
+    if (form) {
+      form.submit();
+    }
+  }
+  document.addEventListener("DOMContentLoaded", redirect);
+})();

data/app/controllers/shopify_app/callback_controller.rb

@@ -129,8 +129,7 @@ module ShopifyApp
     end
 
     def access_scopes
-      return unless auth_hash['extra']['scope']
-      auth_hash['extra']['scope']
+      auth_hash.dig('extra', 'scope')
     end
 
     def reset_session_options

data/app/controllers/shopify_app/sessions_controller.rb

@@ -150,7 +150,11 @@ module ShopifyApp
     end
 
     def authenticate_in_context
-      redirect_to("#{main_app.root_path}auth/shopify")
+      post_redirect_to_auth_shopify
+    end
+
+    def post_redirect_to_auth_shopify
+      render('shopify_app/shared/post_redirect_to_auth_shopify', layout: false)
     end
 
     def authenticate_at_top_level

data/app/views/shopify_app/shared/post_redirect_to_auth_shopify.html.erb

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <base target="_top">
+  <title>Redirecting…</title>
+  <%= javascript_include_tag('shopify_app/post_redirect', crossorigin: 'anonymous', integrity: true) %>
+</head>
+<body>
+  <%= form_tag '/auth/shopify', id: 'redirect-form' %>
+</body>
+</html>

data/config/locales/nl.yml

@@ -1,7 +1,7 @@
 ---
 nl:
   logged_out: Je bent afgemeld
-  could_not_log_in: Kon niet aanmelden bij Shopify-winkel
+  could_not_log_in: Kon niet inloggen bij Shopify-winkel
   invalid_shop_url: Ongeldig winkeldomein
   enable_cookies_heading: Schakel cookies in van %{app}
   enable_cookies_body: Je moet cookies in deze browser handmatig inschakelen om %{app}

data/docs/Troubleshooting.md

@@ -1,7 +1,27 @@
-Troubleshooting Shopify App
-===========
+# Troubleshooting Shopify App
 
-### Generator shopify_app:install hangs
+#### Table of contents
+
+[Generators](#generators)
+  * [The `shopify_app:install` generator hangs](#the-shopifyappinstall-generator-hangs)
+
+[Rails](#rails)
+  * [Known issues with Rails `v6.1`](#known-issues-with-rails-v61)
+
+[App installation](#app-installation)
+  * [My app won't install](#my-app-wont-install)
+  * [My app keeps redirecting to login](#my-app-keeps-redirecting-to-login)
+  * [My app returns 401 during oauth](#my-app-returns-401-during-oauth)
+
+[JWT session tokens](#jwt-session-tokens)
+  * [My app is still using cookies to authenticate](#my-app-is-still-using-cookies-to-authenticate)
+  * [My app can't make requests to the Shopify API](#my-app-cant-make-requests-to-the-shopify-api)
+
+[Migrating to App Bridge 2.0](#migrating-to-app-bridge-2.0)
+
+## Generators
+
+### The shopify_app:install generator hangs
 
 Rails uses spring by default to speed up development. To run the generator, spring has to be stopped:
 
@@ -11,6 +31,129 @@ $ bundle exec spring stop
 
 Run shopify_app generator again.
 
-### App installation fails with 'The page you’re looking for could not be found' if the app was installed before
+## Rails
+
+### Known issues with Rails `v6.1`
+
+If you recently upgraded your application's `Rails::Application` configuration to load the default configuration for Rails `v6.1`, then you will need to update the following `cookies_same_site_protection` ActionDispatch configuration.
+
+```diff
+# config/application.rb
+
+require_relative 'boot'
+
+require 'rails/all'
+
+Bundler.require(*Rails.groups)
+
+module AppName
+  class Application < Rails::Application
++    config.load_defaults 6.1
+
++    config.action_dispatch.cookies_same_site_protection = :none
+    ...
+  end
+end
+```
+
+As of Rails `v6.1`, the same-site cookie protection setting defaults  to `Lax`. This does not allow an embedded app to make cross-domain requests in the Shopify Admin.
+
+Alternatively, you can upgrade to [`v17.2.0` of the shopify_app gem](/docs/Upgrading.md#upgrading-to-v1720).
+
+## App installation
+
+### My app won't install
+
+#### App installation fails with 'The page you’re looking for could not be found' if the app was installed before
 
 This issue can occur when the session (the model you set as `ShopifyApp::SessionRepository.storage`) isn't deleted when the user uninstalls your app. A possible fix for this is listening to the `app/uninstalled` webhook and deleting the corresponding session in the webhook handler.
+
+### My app returns 401 during oauth
+
+If your local dev env uses the `cookie_store` session storage strategy, you may encounter 401 errors during oauth due to a race condition between asset requests and `/auth/shopify`. You should be able to work around for local testing by using a different browser or session storage strategy.  [Read more about the status of this issue](https://github.com/Shopify/shopify_app/issues/1269).
+
+## JWT session tokens
+
+### My app is still using cookies to authenticate
+
+#### `shopify_app` gem version
+
+Ensure the app is using shopify_app gem v13.x.x+. See [*Upgrading to `v13.0.0`*](/docs/Upgrading.md#upgrading-to-v1300).
+
+#### `shopify_app` gem Rails configuration
+
+Edit `config/initializer/shopify_app.rb` and ensure the following configurations are set:
+
+```diff
++ config.embedded_app = true
+
++ config.allow_jwt_authentication = true
++ config.allow_cookie_authentication = false
+
+# This line should already exist if you're using shopify_app gem 13.x.x+
++ config.shop_session_repository = 'Shop'
+```
+
+#### Inspect server logs
+
+If you have checked the configurations above, and the app is still using cookies, then it is possible that the `shopify_app` gem defaulted to relying on cookies. This would happen when your browser allows third-party cookies and a session token was not successfully found as part of your request.
+
+In this case, check the server logs to see if the session token was invalid:
+
+```los
+[ShopifyApp::JWT] Failed to validate JWT: [JWT::<Error>] <Failure message>
+```
+
+*Example*
+
+```
+[ShopifyApp::JWT] Failed to validate JWT: [JWT::ImmatureSignature] Signature nbf has not been reached
+```
+
+**Note:** In a local development environment, you may want to temporarily update your `Gemfile` to point to a local instance of the `shopify_app` library instad of an installed gem. This will enable you to use a debugging tool like `byebug` to debug the library.
+
+```diff
+- gem 'shopify_app', '~> 14.2'
++ gem 'shopify_app', path: '/path/to/shopify_app'
+```
+
+### My app can't make requests to the Shopify API
+
+> **Note:** Session tokens cannot be used to make authenticated requests to the Shopify API. Learn more about authenticating your backend requests to Shopify APIs at [Shopify API authentication](https://shopify.dev/concepts/about-apis/authentication).
+
+#### The Shopify API returns `401 Unauthorized`
+
+If your app uses [user-based token storage](/docs/shopify_app/session-repository.md#user-based-token-storage), then your app is configured to use **online** access tokens (see [API access modes](https://shopify.dev/concepts/about-apis/authentication#api-access-modes) to learn the difference between "online" and "offline" access tokens ). Unlike offline access tokens, online access tokens expire daily and cannot be used to make authenticated requests to the Shopify API once they expire.
+
+Converting your app to use session tokens means that your app will most likely not go through the OAuth flow as often as it did when relying on cookie sessions. Since the online access tokens stored in your app's database are refreshed during OAuth, this may cause your app's user session repository to use expired online access tokens.
+
+If the Shopify API  returns `401 Unauthorized`, handle this error on your app by redirecting the user to your login path to start the OAuth flow. As a result, your app will be given a new online access token for the current user.
+
+> **Note:** The following are examples to common app configurations. Your specific use-case may differ.
+
+##### Example solution
+
+Add the following line to your app's unauthorized response handler:
+
+```diff
++ redirect_to(ShopifyApp.configuration.login_url, shop: current_shopify_domain)
+```
+
+_Example:_ If your embedded app cannot handle server-side XHR redirects, then configure your app's unauthorized response handler to set a response header:
+
+```
+X-Shopify-API-Request-Failure-Unauthorized: true
+```
+
+Then, use the [Shopify App Bridge Redirect](https://shopify.dev/tools/app-bridge/actions/navigation/redirect) action to redirect your app frontend to the app login URL if this header is set.
+
+## Migrating to App Bridge 2.0
+
+In order to upgrade your embedded app to the latest App Bridge 2.0 version, please refer to the [migration guide](https://shopify.dev/tutorials/migrate-your-app-to-app-bridge-2).
+
+To ensure that your app's embedded layout doesn't import App Bridge 2.0 before fully migrating, make the following change to bind it to v1.x.
+
+```diff
+ - <script src="https://unpkg.com/@shopify/app-bridge"></script>
+ + <script src="https://unpkg.com/@shopify/app-bridge@1"></script>
+``` 

data/docs/Upgrading.md

@@ -4,12 +4,28 @@ This file documents important changes needed to upgrade your app's Shopify App v
 
 #### Table of contents
 
+[Upgrading to `v17.2.0`](#upgrading-to-v1720)
+
 [Upgrading to `v13.0.0`](#upgrading-to-v1300)
 
 [Upgrading to `v11.7.0`](#upgrading-to-v1170)
 
 [Upgrading from `v8.6` to `v9.0.0`](#upgrading-from-v86-to-v900)
 
+## Upgrading to `v17.2.0`
+
+### Different SameSite cookie attribute behaviour
+
+To support Rails  `v6.1`, the [`SameSiteCookieMiddleware`](/lib/shopify_app/middleware/same_site_cookie_middleware.rb) was updated to configure cookies to `SameSite=None` if the app is embedded. Before this release, cookies were configured to `SameSite=None` only if this attribute had not previously been set before.
+
+```diff
+# same_site_cookie_middleware.rb
+- cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
++ cookie << '; SameSite=None' if ShopifyApp.configuration.embedded_app?
+```
+
+By default, Rails `v6.1` configures `SameSite=Lax` on all cookies that don't specify this attribute.
+
 ## Upgrading to `v13.0.0`
 
 Version 13.0.0 adds the ability to use both user and shop sessions, concurrently. This however involved a large

data/docs/shopify_app/handling-access-scopes-changes.md

@@ -1,8 +1,14 @@
 # Handling changes in access scopes
-The Shopify App gem provides handling changes to scopes for both shop/offline and user/online tokens. To enable your app to login via OAuth on scope changes, you can set the following configuration flag:
+The Shopify App gem provides handling changes to scopes for both shop/offline and user/online tokens. To enable your app to login via OAuth on scope changes, you can set the following configuration flag in your `config/initializers/shopify_app.rb`:
 ```ruby
-ShopifyApp.configuration.reauth_on_access_scope_changes = true
+config.reauth_on_access_scope_changes = true
 ```
 
 ## ShopAccessScopesVerification
 The `ShopifyApp::ShopAccessScopesVerification` concern helps merchants grant new access scopes requested by the app. The concern compares the current access scopes granted by the shop and compares them with the scopes requested by the app. If there is a mismatch in configuration, the merchant is redirected to login via OAuth and grant the net new scopes.
+
+To activate the `ShopAccessScopesVerification` for a controller add `include ShopifyApp::ShopAccessScopesVerification`:
+```ruby
+class HomeController < AuthenticatedController
+  include ShopifyApp::ShopAccessScopesVerification
+```

data/docs/shopify_app/session-repository.md

@@ -78,7 +78,7 @@ end
 provider :shopify,
   ...
   setup: lambda { |env|
-    configuration = ShopifyApp::OmniauthConfiguration.new(env['omniauth.strategy'], Rack::Request.new(env))
+    configuration = ShopifyApp::OmniAuthConfiguration.new(env['omniauth.strategy'], Rack::Request.new(env))
     configuration.build_options
   }
 

data/lib/generators/shopify_app/home_controller/templates/home_controller.rb

@@ -3,8 +3,16 @@
 class HomeController < AuthenticatedController
   include ShopifyApp::ShopAccessScopesVerification
 
+  before_action :set_host
+
   def index
     @products = ShopifyAPI::Product.find(:all, params: { limit: 10 })
     @webhooks = ShopifyAPI::Webhook.find(:all)
   end
+
+  private
+
+  def set_host
+    @host = params[:host]
+  end
 end

data/lib/generators/shopify_app/home_controller/templates/index.html.erb

@@ -18,7 +18,7 @@
 
         // Save a session token for future requests
         window.sessionToken = await new Promise((resolve) => {
-          app.subscribe(SessionToken.ActionType.RESPOND, (data) => {
+          app.subscribe(SessionToken.Action.RESPOND, (data) => {
             resolve(data.sessionToken || "");
           });
         });

data/lib/generators/shopify_app/home_controller/templates/unauthenticated_home_controller.rb

@@ -7,5 +7,6 @@ class HomeController < ApplicationController
 
   def index
     @shop_origin = current_shopify_domain
+    @host = params[:host]
   end
 end

data/lib/generators/shopify_app/install/templates/embedded_app.html.erb

@@ -24,11 +24,12 @@
 
     <%= render 'layouts/flash_messages' %>
 
-    <script src="https://unpkg.com/@shopify/app-bridge"></script>
+    <script src="https://unpkg.com/@shopify/app-bridge@2"></script>
 
     <%= content_tag(:div, nil, id: 'shopify-app-init', data: {
       api_key: ShopifyApp.configuration.api_key,
       shop_origin: @shop_origin || (@current_shopify_session.domain if @current_shopify_session),
+      host: @host,
       debug: Rails.env.development?
     } ) %>
 

data/lib/generators/shopify_app/install/templates/shopify_app.js

@@ -4,7 +4,7 @@ document.addEventListener('DOMContentLoaded', () => {
   var createApp = AppBridge.default;
   window.app = createApp({
     apiKey: data.apiKey,
-    shopOrigin: data.shopOrigin,
+    host: data.host,
   });
 
   var actions = AppBridge.actions;

data/lib/shopify_app.rb

@@ -3,6 +3,7 @@ require 'shopify_app/version'
 
 # deps
 require 'shopify_api'
+require 'omniauth/rails_csrf_protection'
 require 'omniauth-shopify-oauth2'
 require 'redirect_safely'
 

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -9,6 +9,8 @@ module ShopifyApp
 
     class ShopifyDomainNotFound < StandardError; end
 
+    class ShopifyHostNotFound < StandardError; end
+
     included do
       after_action :set_test_cookie
       rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
@@ -103,6 +105,12 @@ module ShopifyApp
       request.env['jwt.shopify_user_id']
     end
 
+    def host
+      return params[:host] if params[:host].present?
+
+      raise ShopifyHostNotFound
+    end
+
     def redirect_to_login
       if request.xhr?
         head(:unauthorized)
@@ -215,9 +223,8 @@ module ShopifyApp
     end
 
     def return_address
-      return base_return_address unless ShopifyApp.configuration.allow_jwt_authentication
-      return_address_with_params(shop: current_shopify_domain)
-    rescue ShopifyDomainNotFound
+      return_address_with_params(shop: current_shopify_domain, host: host)
+    rescue ShopifyDomainNotFound, ShopifyHostNotFound
       base_return_address
     end
 

data/lib/shopify_app/engine.rb

@@ -17,6 +17,7 @@ module ShopifyApp
     initializer "shopify_app.assets.precompile" do |app|
       app.config.assets.precompile += %w[
         shopify_app/redirect.js
+        shopify_app/post_redirect.js
         shopify_app/top_level.js
         shopify_app/enable_cookies.js
         shopify_app/request_storage_access.js

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb

@@ -21,7 +21,7 @@ module ShopifyApp
           .compact
           .map do |cookie|
             cookie << '; Secure' unless cookie =~ /;\s*secure/i
-            cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
+            cookie << '; SameSite=None' if ShopifyApp.configuration.embedded_app?
             cookie
           end
 

data/lib/shopify_app/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module ShopifyApp
-  VERSION = '17.1.0'
+  VERSION = '18.0.1'
 end

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "17.1.0",
+  "version": "18.0.1",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

data/service.yml

@@ -1,7 +1,4 @@
 audience: partner
 classification: library
-org_line: App & Partner Platform
-owners:
-  - Shopify/platform-dev-tools-education
 slack_channels:
-  - dev-tools-education
+- shopify_app_gem

data/shopify_app.gemspec

@@ -14,10 +14,11 @@ Gem::Specification.new do |s|
   s.metadata['allowed_push_host'] = 'https://rubygems.org'
 
   s.add_runtime_dependency('browser_sniffer', '~> 1.2.2')
-  s.add_runtime_dependency('rails', '> 5.2.1', '< 6.1')
+  s.add_runtime_dependency('omniauth-rails_csrf_protection')
+  s.add_runtime_dependency('rails', '> 5.2.1', '< 6.2')
   s.add_runtime_dependency('shopify_api', '~> 9.4')
-  s.add_runtime_dependency('omniauth-shopify-oauth2', '~> 2.2.2')
-  s.add_runtime_dependency('jwt', '~> 2.2.1')
+  s.add_runtime_dependency('omniauth-shopify-oauth2', '~> 2.3')
+  s.add_runtime_dependency('jwt', '>= 2.2.3')
   s.add_runtime_dependency('redirect_safely', '~> 1.0')
 
   s.add_development_dependency('rake')

data/yarn.lock

@@ -1474,10 +1474,10 @@ bluebird@^3.5.5:
   resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-3.7.2.tgz#9f229c15be272454ffa973ace0dbee79a1b0c36f"
   integrity sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg==
 
-bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.4.0:
-  version "4.11.9"
-  resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.11.9.tgz#26d556829458f9d1e81fc48952493d0ba3507828"
-  integrity sha512-E6QoYqCKZfgatHTdHzs1RRKP7ip4vvm+EyRUeE2RF0NblwVvb0p6jSVeNTOFxPn26QXN2o6SMfNxKp6kU8zQaw==
+bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.11.9:
+  version "4.12.0"
+  resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.12.0.tgz#775b3f278efbb9718eec7361f483fb36fbbfea88"
+  integrity sha512-c98Bf3tPniI+scsdk237ku1Dc3ujXQTSgyiPUDEOe7tRkhrqridvh8klBv0HCEso1OLOYcHuCv/cS6DNxKH+ZA==
 
 bn.js@^5.1.1:
   version "5.1.3"
@@ -1531,7 +1531,7 @@ braces@^3.0.2, braces@~3.0.2:
   dependencies:
     fill-range "^7.0.1"
 
-brorand@^1.0.1:
+brorand@^1.0.1, brorand@^1.1.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/brorand/-/brorand-1.1.0.tgz#12c25efe40a45e3c323eb8675a0a0ce57b22371f"
   integrity sha1-EsJe/kCkXjwyPrhnWgoM5XsiNx8=
@@ -2180,17 +2180,17 @@ electron-to-chromium@^1.3.562:
   integrity sha512-fNaYN3EtKQWLQsrKXui8mzcryJXuA0LbCLoizeX6oayG2emBaS5MauKjCPAvc29NEY4FpLHIUWiP+Y0Bfrs5dg==
 
 elliptic@^6.5.3:
-  version "6.5.3"
-  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.3.tgz#cb59eb2efdaf73a0bd78ccd7015a62ad6e0f93d6"
-  integrity sha512-IMqzv5wNQf+E6aHeIqATs0tOLeOTwj1QKbRcS3jBbYkl5oLAserA8yJTT7/VyHUYG91PRmPyeQDObKLPpeS4dw==
+  version "6.5.4"
+  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.4.tgz#da37cebd31e79a1367e941b592ed1fbebd58abbb"
+  integrity sha512-iLhC6ULemrljPZb+QutR5TQGB+pdW6KGD5RSegS+8sorOZT+rdQFbsQFJgvN3eRqNALqJer4oQ16YvJHlU8hzQ==
   dependencies:
-    bn.js "^4.4.0"
-    brorand "^1.0.1"
+    bn.js "^4.11.9"
+    brorand "^1.1.0"
     hash.js "^1.0.0"
-    hmac-drbg "^1.0.0"
-    inherits "^2.0.1"
-    minimalistic-assert "^1.0.0"
-    minimalistic-crypto-utils "^1.0.0"
+    hmac-drbg "^1.0.1"
+    inherits "^2.0.4"
+    minimalistic-assert "^1.0.1"
+    minimalistic-crypto-utils "^1.0.1"
 
 emoji-regex@^7.0.1:
   version "7.0.3"
@@ -2782,7 +2782,7 @@ he@1.2.0:
   resolved "https://registry.yarnpkg.com/he/-/he-1.2.0.tgz#84ae65fa7eafb165fddb61566ae14baf05664f0f"
   integrity sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw==
 
-hmac-drbg@^1.0.0:
+hmac-drbg@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/hmac-drbg/-/hmac-drbg-1.0.1.tgz#d2745701025a6c775a6c545793ed502fc0c649a1"
   integrity sha1-0nRXAQJabHdabFRXk+1QL8DGSaE=
@@ -3492,7 +3492,7 @@ minimalistic-assert@^1.0.0, minimalistic-assert@^1.0.1:
   resolved "https://registry.yarnpkg.com/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz#2e194de044626d4a10e7f7fbc00ce73e83e4d5c7"
   integrity sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==
 
-minimalistic-crypto-utils@^1.0.0, minimalistic-crypto-utils@^1.0.1:
+minimalistic-crypto-utils@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz#f6c00c1c0b082246e5c4d99dfb8c7c083b2b582a"
   integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo=
@@ -4519,9 +4519,9 @@ sprintf-js@~1.0.2:
   integrity sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=
 
 ssri@^6.0.1:
-  version "6.0.1"
-  resolved "https://registry.yarnpkg.com/ssri/-/ssri-6.0.1.tgz#2a3c41b28dd45b62b63676ecb74001265ae9edd8"
-  integrity sha512-3Wge10hNcT1Kur4PDFwEieXSCMCJs/7WvSACcrMYrNp+b8kDL1/0wJch5Ni2WrtwEa2IO8OsVfeKIciKCDx/QA==
+  version "6.0.2"
+  resolved "https://registry.yarnpkg.com/ssri/-/ssri-6.0.2.tgz#157939134f20464e7301ddba3e90ffa8f7728ac5"
+  integrity sha512-cepbSq/neFK7xB6A50KHN0xHDotYzq58wWCa5LeWqnPrHG8GzfEjO/4O8kpmcGW+oaxkvhEJCWgbgNk4/ZV93Q==
   dependencies:
     figgy-pudding "^3.5.1"
 
@@ -5115,9 +5115,9 @@ xtend@^4.0.0, xtend@~4.0.1:
   integrity sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==
 
 y18n@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/y18n/-/y18n-4.0.0.tgz#95ef94f85ecc81d007c264e190a120f0a3c8566b"
-  integrity sha512-r9S/ZyXu/Xu9q1tYlpsLIsa3EeLXXk0VwlxqTcFRfg9EhMW+17kbt9G0NrgCmhGb5vT2hyhJZLfDGx+7+5Uj/w==
+  version "4.0.3"
+  resolved "https://registry.yarnpkg.com/y18n/-/y18n-4.0.3.tgz#b5f259c82cd6e336921efd7bfd8bf560de9eeedf"
+  integrity sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ==
 
 yallist@^3.0.2:
   version "3.1.1"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 17.1.0
+  version: 18.0.1
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-05 00:00:00.000000000 Z
+date: 2021-05-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: browser_sniffer
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 1.2.2
+- !ruby/object:Gem::Dependency
+  name: omniauth-rails_csrf_protection
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -33,7 +47,7 @@ dependencies:
         version: 5.2.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '6.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -43,7 +57,7 @@ dependencies:
         version: 5.2.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '6.2'
 - !ruby/object:Gem::Dependency
   name: shopify_api
   requirement: !ruby/object:Gem::Requirement
@@ -64,28 +78,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: '2.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: '2.3'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.2.1
+        version: 2.2.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.2.1
+        version: 2.2.3
 - !ruby/object:Gem::Dependency
   name: redirect_safely
   requirement: !ruby/object:Gem::Requirement
@@ -272,6 +286,7 @@ files:
 - app/assets/javascripts/shopify_app/enable_cookies.js
 - app/assets/javascripts/shopify_app/itp_helper.js
 - app/assets/javascripts/shopify_app/partition_cookies.js
+- app/assets/javascripts/shopify_app/post_redirect.js
 - app/assets/javascripts/shopify_app/redirect.js
 - app/assets/javascripts/shopify_app/request_storage_access.js
 - app/assets/javascripts/shopify_app/storage_access.js
@@ -297,6 +312,7 @@ files:
 - app/views/shopify_app/sessions/new.html.erb
 - app/views/shopify_app/sessions/request_storage_access.html.erb
 - app/views/shopify_app/sessions/top_level_interaction.html.erb
+- app/views/shopify_app/shared/post_redirect_to_auth_shopify.html.erb
 - app/views/shopify_app/shared/redirect.html.erb
 - config/locales/cs.yml
 - config/locales/da.yml