shopify_app 17.1.1 → 18.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b7c85212f0a947dfc426afa1c06eec9330bfd47ff42794f05d070e7e01cdbe42
-  data.tar.gz: f919606ea20ae9b7626983783dc99aa1fc7776fc0cc2fe1f87b35653847f86ee
+  metadata.gz: 2fcfa987c56d06c327c1cff6e12350711473a1a265844b6f4f3c32b696c1495e
+  data.tar.gz: 57b44743afc3e0175fe408ccfa688bc0b8c28d7b99db6fae5e6c7ab1a843ec9a
 SHA512:
-  metadata.gz: 0ed7553a6e6c0397668e7897bb42871bc96375f2773d017f18c3ef60572fb3979cd7ce101c3ffcf601057134676b4881aa96097123438ba83275c20086a9d4aa
-  data.tar.gz: 2a37f8439ad82010abddbc9108e08de3d8ef3c574a7ee24b67eb3ec36cfd36856563658f2f5014815a9cbea7210f495f8672337b6cd2c0ce5445e61a46753ce8
+  metadata.gz: 583dbf51eaa3a3a600a410eca4d30fab58776709f6882908ed72af5da222163bbeaeba6805682ed95100abcce1217aceeba5851fa9cf00836b7a1f1201f30289
+  data.tar.gz: 8dcb0f7bceb2f4ec7bcbe8eb5f5d5bb294767fa5ead28b1d329ef34a5119fd835f99669480514473a5e184b91f9e79f4abd9941399b269faf5522ce6f69e6eb7

data/.github/CODEOWNERS

@@ -1 +1,2 @@
 *       @shopify/platform-dev-tools-education
+*       @shopify/app-foundations

data/CHANGELOG.md

@@ -1,5 +1,27 @@
-Unreleased
+18.0.2 (Jun 15, 2021)
 ----------
+* Added careers link to readme. [#1274](https://github.com/Shopify/shopify_app/pull/1274)
+
+18.0.1 (May 7, 2021)
+----------
+* Fix bug causing OAuth flow to fail due to CSP violation. [#1265](https://github.com/Shopify/shopify_app/pull/1265)
+
+18.0.0 (May 3, 2021)
+----------
+* Support OmniAuth 2.x 
+  * If your app has custom OmniAuth configuration, please refer to the [OmniAuth 2.0 upgrade guide](https://github.com/omniauth/omniauth/wiki/Upgrading-to-2.0).
+* Support App Bridge version 2.x in the Embedded App layout. [#1241](https://github.com/Shopify/shopify_app/pull/1241)
+
+17.2.1 (April 1, 2021)
+----------
+* Bug fix: Lock the CDN App Bridge version to `v1.X.Y` in the Embedded App layout [#1238](https://github.com/Shopify/shopify_app/pull/1238)
+  * App Bridge `v2.0` is a non-backwards compatible release
+  * A future major shopify_app gem release will support only App Bridge `v2.0`
+
+17.2.0 (April 1, 2021)
+----------
+* Support Rails `v6.1` [#1221](https://github.com/Shopify/shopify_app/pull/1221)
+  * Check out [Upgrading to `v17.2.0`](/docs/Upgrading.md#upgrading-to-v1720) in the Upgrading.md guide for the changes needed to support Rails `v6.1`
 
 17.1.1 (March 12, 2021)
 ----------

data/Gemfile.lock

@@ -1,80 +1,85 @@
 PATH
   remote: .
   specs:
-    shopify_app (17.1.1)
+    shopify_app (18.0.2)
       browser_sniffer (~> 1.2.2)
-      jwt (~> 2.2.1)
-      omniauth-shopify-oauth2 (~> 2.2.2)
-      rails (> 5.2.1, < 6.1)
+      jwt (>= 2.2.3)
+      omniauth-rails_csrf_protection
+      omniauth-shopify-oauth2 (~> 2.3)
+      rails (> 5.2.1, < 6.2)
       redirect_safely (~> 1.0)
       shopify_api (~> 9.4)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (6.0.3.5)
-      actionpack (= 6.0.3.5)
+    actioncable (6.1.3.1)
+      actionpack (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.0.3.5)
-      actionpack (= 6.0.3.5)
-      activejob (= 6.0.3.5)
-      activerecord (= 6.0.3.5)
-      activestorage (= 6.0.3.5)
-      activesupport (= 6.0.3.5)
+    actionmailbox (6.1.3.1)
+      actionpack (= 6.1.3.1)
+      activejob (= 6.1.3.1)
+      activerecord (= 6.1.3.1)
+      activestorage (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
       mail (>= 2.7.1)
-    actionmailer (6.0.3.5)
-      actionpack (= 6.0.3.5)
-      actionview (= 6.0.3.5)
-      activejob (= 6.0.3.5)
+    actionmailer (6.1.3.1)
+      actionpack (= 6.1.3.1)
+      actionview (= 6.1.3.1)
+      activejob (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.3.5)
-      actionview (= 6.0.3.5)
-      activesupport (= 6.0.3.5)
-      rack (~> 2.0, >= 2.0.8)
+    actionpack (6.1.3.1)
+      actionview (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
+      rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.0.3.5)
-      actionpack (= 6.0.3.5)
-      activerecord (= 6.0.3.5)
-      activestorage (= 6.0.3.5)
-      activesupport (= 6.0.3.5)
+    actiontext (6.1.3.1)
+      actionpack (= 6.1.3.1)
+      activerecord (= 6.1.3.1)
+      activestorage (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
       nokogiri (>= 1.8.5)
-    actionview (6.0.3.5)
-      activesupport (= 6.0.3.5)
+    actionview (6.1.3.1)
+      activesupport (= 6.1.3.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.0.3.5)
-      activesupport (= 6.0.3.5)
+    activejob (6.1.3.1)
+      activesupport (= 6.1.3.1)
       globalid (>= 0.3.6)
-    activemodel (6.0.3.5)
-      activesupport (= 6.0.3.5)
+    activemodel (6.1.3.1)
+      activesupport (= 6.1.3.1)
     activemodel-serializers-xml (1.0.2)
       activemodel (> 5.x)
       activesupport (> 5.x)
       builder (~> 3.1)
-    activerecord (6.0.3.5)
-      activemodel (= 6.0.3.5)
-      activesupport (= 6.0.3.5)
+    activerecord (6.1.3.1)
+      activemodel (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
     activeresource (5.1.1)
       activemodel (>= 5.0, < 7)
       activemodel-serializers-xml (~> 1.0)
       activesupport (>= 5.0, < 7)
-    activestorage (6.0.3.5)
-      actionpack (= 6.0.3.5)
-      activejob (= 6.0.3.5)
-      activerecord (= 6.0.3.5)
-      marcel (~> 0.3.1)
-    activesupport (6.0.3.5)
+    activestorage (6.1.3.1)
+      actionpack (= 6.1.3.1)
+      activejob (= 6.1.3.1)
+      activerecord (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
+      marcel (~> 1.0.0)
+      mini_mime (~> 1.0.2)
+    activesupport (6.1.3.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
     ast (2.4.1)
@@ -88,15 +93,19 @@ GEM
     crack (0.4.4)
     crass (1.0.6)
     debug_inspector (0.0.3)
-    erubi (1.9.0)
-    faraday (1.3.0)
+    erubi (1.10.0)
+    faraday (1.4.1)
+      faraday-excon (~> 1.1)
       faraday-net_http (~> 1.0)
+      faraday-net_http_persistent (~> 1.1)
       multipart-post (>= 1.2, < 3)
-      ruby2_keywords
+      ruby2_keywords (>= 0.0.4)
+    faraday-excon (1.1.0)
     faraday-net_http (1.0.1)
+    faraday-net_http_persistent (1.1.0)
     globalid (0.4.2)
       activesupport (>= 4.2.0)
-    graphql (1.12.5)
+    graphql (1.12.8)
     graphql-client (0.16.0)
       activesupport (>= 3.0)
       graphql (~> 1.8)
@@ -104,17 +113,15 @@ GEM
     hashie (4.1.0)
     i18n (1.8.9)
       concurrent-ruby (~> 1.0)
-    jwt (2.2.2)
-    loofah (2.7.0)
+    jwt (2.2.3)
+    loofah (2.9.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
-    marcel (0.3.3)
-      mimemagic (~> 0.3.2)
+    marcel (1.0.1)
     method_source (0.9.2)
-    mimemagic (0.3.5)
-    mini_mime (1.0.2)
+    mini_mime (1.0.3)
     mini_portile2 (2.5.0)
     minitest (5.14.4)
     mocha (1.11.2)
@@ -122,24 +129,28 @@ GEM
     multi_xml (0.6.0)
     multipart-post (2.1.1)
     nio4r (2.5.7)
-    nokogiri (1.11.1)
+    nokogiri (1.11.2)
       mini_portile2 (~> 2.5.0)
       racc (~> 1.4)
-    oauth2 (1.4.4)
+    oauth2 (1.4.7)
       faraday (>= 0.8, < 2.0)
       jwt (>= 1.0, < 3.0)
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    omniauth (1.9.1)
+    omniauth (2.0.4)
       hashie (>= 3.4.6)
       rack (>= 1.6.2, < 3)
-    omniauth-oauth2 (1.5.0)
-      oauth2 (~> 1.1)
-      omniauth (~> 1.2)
-    omniauth-shopify-oauth2 (2.2.3)
+      rack-protection
+    omniauth-oauth2 (1.7.1)
+      oauth2 (~> 1.4)
+      omniauth (>= 1.9, < 3)
+    omniauth-rails_csrf_protection (1.0.0)
+      actionpack (>= 4.2)
+      omniauth (~> 2.0)
+    omniauth-shopify-oauth2 (2.3.2)
       activesupport
-      omniauth-oauth2 (~> 1.5.0)
+      omniauth-oauth2 (~> 1.5)
     parallel (1.20.1)
     parser (2.7.2.0)
       ast (~> 2.4.1)
@@ -154,22 +165,24 @@ GEM
     public_suffix (4.0.6)
     racc (1.5.2)
     rack (2.2.3)
+    rack-protection (2.1.0)
+      rack
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (6.0.3.5)
-      actioncable (= 6.0.3.5)
-      actionmailbox (= 6.0.3.5)
-      actionmailer (= 6.0.3.5)
-      actionpack (= 6.0.3.5)
-      actiontext (= 6.0.3.5)
-      actionview (= 6.0.3.5)
-      activejob (= 6.0.3.5)
-      activemodel (= 6.0.3.5)
-      activerecord (= 6.0.3.5)
-      activestorage (= 6.0.3.5)
-      activesupport (= 6.0.3.5)
-      bundler (>= 1.3.0)
-      railties (= 6.0.3.5)
+    rails (6.1.3.1)
+      actioncable (= 6.1.3.1)
+      actionmailbox (= 6.1.3.1)
+      actionmailer (= 6.1.3.1)
+      actionpack (= 6.1.3.1)
+      actiontext (= 6.1.3.1)
+      actionview (= 6.1.3.1)
+      activejob (= 6.1.3.1)
+      activemodel (= 6.1.3.1)
+      activerecord (= 6.1.3.1)
+      activestorage (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
+      bundler (>= 1.15.0)
+      railties (= 6.1.3.1)
       sprockets-rails (>= 2.0.0)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
@@ -180,12 +193,12 @@ GEM
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
-    railties (6.0.3.5)
-      actionpack (= 6.0.3.5)
-      activesupport (= 6.0.3.5)
+    railties (6.1.3.1)
+      actionpack (= 6.1.3.1)
+      activesupport (= 6.1.3.1)
       method_source
       rake (>= 0.8.7)
-      thor (>= 0.20.3, < 2.0)
+      thor (~> 1.0)
     rainbow (3.0.0)
     rake (13.0.3)
     rb-readline (0.5.5)
@@ -208,7 +221,7 @@ GEM
       rubocop (~> 1.4)
     ruby-progressbar (1.10.1)
     ruby2_keywords (0.0.4)
-    shopify_api (9.4.0)
+    shopify_api (9.4.1)
       activeresource (>= 4.1.0, < 6.0.0)
       graphql-client
       rack
@@ -221,9 +234,8 @@ GEM
       sprockets (>= 3.0.0)
     sqlite3 (1.4.2)
     thor (1.1.0)
-    thread_safe (0.3.6)
-    tzinfo (1.2.9)
-      thread_safe (~> 0.1)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
     unicode-display_width (1.7.0)
     webmock (3.9.1)
       addressable (>= 2.3.6)

data/README.md

@@ -1,10 +1,12 @@
 # Shopify App
 
+**Shopify is doubling our engineering staff in 2021! [Join our team and work on libraries like this one.](https://smrtr.io/5GGrK)**
+
 [![Version][gem]][gem_url] [![Build Status](https://github.com/Shopify/shopify_app/workflows/CI/badge.svg)](https://github.com/Shopify/shopify_app/actions?query=workflow%3ACI) ![Supported Rails version][supported_rails_version]
 
 [gem]: https://img.shields.io/gem/v/shopify_app.svg
 [gem_url]: https://rubygems.org/gems/shopify_app
-[supported_rails_version]: https://img.shields.io/badge/rails-%3C6.1.0-orange
+[supported_rails_version]: https://img.shields.io/badge/rails-%3C6.2.0-orange
 
 This gem builds Rails applications that can be embedded in the Shopify Admin.
 
@@ -23,7 +25,6 @@ This gem includes a Rails engine, generators, modules, and mixins that help crea
 ## Requirements
 
 > **Rails compatibility** 
-> * Rails 6.1 or above is not yet supported due to the new `cookies_same_site_protection` setting. 
 > * Use Shopify App `<= v7.2.8` if you need to work with Rails 4.
 
 To become a Shopify app developer, you will need a [Shopify Partners](https://www.shopify.com/partners) account. Explore the [Shopify dev docs](https://shopify.dev/concepts/shopify-introduction) to learn more about [building Shopify apps](https://shopify.dev/concepts/apps).

data/app/assets/javascripts/shopify_app/post_redirect.js

@@ -0,0 +1,9 @@
+(function() {
+  function redirect() {
+    var form = document.getElementById("redirect-form");
+    if (form) {
+      form.submit();
+    }
+  }
+  document.addEventListener("DOMContentLoaded", redirect);
+})();

data/app/controllers/shopify_app/sessions_controller.rb

@@ -150,7 +150,11 @@ module ShopifyApp
     end
 
     def authenticate_in_context
-      redirect_to("#{main_app.root_path}auth/shopify")
+      post_redirect_to_auth_shopify
+    end
+
+    def post_redirect_to_auth_shopify
+      render('shopify_app/shared/post_redirect_to_auth_shopify', layout: false)
     end
 
     def authenticate_at_top_level

data/app/views/shopify_app/shared/post_redirect_to_auth_shopify.html.erb

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <base target="_top">
+  <title>Redirecting…</title>
+  <%= javascript_include_tag('shopify_app/post_redirect', crossorigin: 'anonymous', integrity: true) %>
+</head>
+<body>
+  <%= form_tag '/auth/shopify', id: 'redirect-form' %>
+</body>
+</html>

data/config/locales/nl.yml

@@ -1,7 +1,7 @@
 ---
 nl:
   logged_out: Je bent afgemeld
-  could_not_log_in: Kon niet aanmelden bij Shopify-winkel
+  could_not_log_in: Kon niet inloggen bij Shopify-winkel
   invalid_shop_url: Ongeldig winkeldomein
   enable_cookies_heading: Schakel cookies in van %{app}
   enable_cookies_body: Je moet cookies in deze browser handmatig inschakelen om %{app}

data/docs/Troubleshooting.md

@@ -5,13 +5,20 @@
 [Generators](#generators)
   * [The `shopify_app:install` generator hangs](#the-shopifyappinstall-generator-hangs)
 
+[Rails](#rails)
+  * [Known issues with Rails `v6.1`](#known-issues-with-rails-v61)
+
 [App installation](#app-installation)
   * [My app won't install](#my-app-wont-install)
+  * [My app keeps redirecting to login](#my-app-keeps-redirecting-to-login)
+  * [My app returns 401 during oauth](#my-app-returns-401-during-oauth)
 
 [JWT session tokens](#jwt-session-tokens)
   * [My app is still using cookies to authenticate](#my-app-is-still-using-cookies-to-authenticate)
   * [My app can't make requests to the Shopify API](#my-app-cant-make-requests-to-the-shopify-api)
 
+[Migrating to App Bridge 2.0](#migrating-to-app-bridge-2.0)
+
 ## Generators
 
 ### The shopify_app:install generator hangs
@@ -24,6 +31,35 @@ $ bundle exec spring stop
 
 Run shopify_app generator again.
 
+## Rails
+
+### Known issues with Rails `v6.1`
+
+If you recently upgraded your application's `Rails::Application` configuration to load the default configuration for Rails `v6.1`, then you will need to update the following `cookies_same_site_protection` ActionDispatch configuration.
+
+```diff
+# config/application.rb
+
+require_relative 'boot'
+
+require 'rails/all'
+
+Bundler.require(*Rails.groups)
+
+module AppName
+  class Application < Rails::Application
++    config.load_defaults 6.1
+
++    config.action_dispatch.cookies_same_site_protection = :none
+    ...
+  end
+end
+```
+
+As of Rails `v6.1`, the same-site cookie protection setting defaults  to `Lax`. This does not allow an embedded app to make cross-domain requests in the Shopify Admin.
+
+Alternatively, you can upgrade to [`v17.2.0` of the shopify_app gem](/docs/Upgrading.md#upgrading-to-v1720).
+
 ## App installation
 
 ### My app won't install
@@ -32,6 +68,10 @@ Run shopify_app generator again.
 
 This issue can occur when the session (the model you set as `ShopifyApp::SessionRepository.storage`) isn't deleted when the user uninstalls your app. A possible fix for this is listening to the `app/uninstalled` webhook and deleting the corresponding session in the webhook handler.
 
+### My app returns 401 during oauth
+
+If your local dev env uses the `cookie_store` session storage strategy, you may encounter 401 errors during oauth due to a race condition between asset requests and `/auth/shopify`. You should be able to work around for local testing by using a different browser or session storage strategy.  [Read more about the status of this issue](https://github.com/Shopify/shopify_app/issues/1269).
+
 ## JWT session tokens
 
 ### My app is still using cookies to authenticate
@@ -105,4 +145,15 @@ _Example:_ If your embedded app cannot handle server-side XHR redirects, then co
 X-Shopify-API-Request-Failure-Unauthorized: true
 ```
 
-Then, use the [Shopify App Bridge Redirect](https://shopify.dev/tools/app-bridge/actions/navigation/redirect) action to redirect your app frontend to the app login URL if this header is set.
+Then, use the [Shopify App Bridge Redirect](https://shopify.dev/tools/app-bridge/actions/navigation/redirect) action to redirect your app frontend to the app login URL if this header is set.
+
+## Migrating to App Bridge 2.0
+
+In order to upgrade your embedded app to the latest App Bridge 2.0 version, please refer to the [migration guide](https://shopify.dev/tutorials/migrate-your-app-to-app-bridge-2).
+
+To ensure that your app's embedded layout doesn't import App Bridge 2.0 before fully migrating, make the following change to bind it to v1.x.
+
+```diff
+ - <script src="https://unpkg.com/@shopify/app-bridge"></script>
+ + <script src="https://unpkg.com/@shopify/app-bridge@1"></script>
+``` 

data/docs/Upgrading.md

@@ -4,12 +4,28 @@ This file documents important changes needed to upgrade your app's Shopify App v
 
 #### Table of contents
 
+[Upgrading to `v17.2.0`](#upgrading-to-v1720)
+
 [Upgrading to `v13.0.0`](#upgrading-to-v1300)
 
 [Upgrading to `v11.7.0`](#upgrading-to-v1170)
 
 [Upgrading from `v8.6` to `v9.0.0`](#upgrading-from-v86-to-v900)
 
+## Upgrading to `v17.2.0`
+
+### Different SameSite cookie attribute behaviour
+
+To support Rails  `v6.1`, the [`SameSiteCookieMiddleware`](/lib/shopify_app/middleware/same_site_cookie_middleware.rb) was updated to configure cookies to `SameSite=None` if the app is embedded. Before this release, cookies were configured to `SameSite=None` only if this attribute had not previously been set before.
+
+```diff
+# same_site_cookie_middleware.rb
+- cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
++ cookie << '; SameSite=None' if ShopifyApp.configuration.embedded_app?
+```
+
+By default, Rails `v6.1` configures `SameSite=Lax` on all cookies that don't specify this attribute.
+
 ## Upgrading to `v13.0.0`
 
 Version 13.0.0 adds the ability to use both user and shop sessions, concurrently. This however involved a large

data/docs/shopify_app/handling-access-scopes-changes.md

@@ -1,8 +1,14 @@
 # Handling changes in access scopes
-The Shopify App gem provides handling changes to scopes for both shop/offline and user/online tokens. To enable your app to login via OAuth on scope changes, you can set the following configuration flag:
+The Shopify App gem provides handling changes to scopes for both shop/offline and user/online tokens. To enable your app to login via OAuth on scope changes, you can set the following configuration flag in your `config/initializers/shopify_app.rb`:
 ```ruby
-ShopifyApp.configuration.reauth_on_access_scope_changes = true
+config.reauth_on_access_scope_changes = true
 ```
 
 ## ShopAccessScopesVerification
 The `ShopifyApp::ShopAccessScopesVerification` concern helps merchants grant new access scopes requested by the app. The concern compares the current access scopes granted by the shop and compares them with the scopes requested by the app. If there is a mismatch in configuration, the merchant is redirected to login via OAuth and grant the net new scopes.
+
+To activate the `ShopAccessScopesVerification` for a controller add `include ShopifyApp::ShopAccessScopesVerification`:
+```ruby
+class HomeController < AuthenticatedController
+  include ShopifyApp::ShopAccessScopesVerification
+```

data/docs/shopify_app/session-repository.md

@@ -78,7 +78,7 @@ end
 provider :shopify,
   ...
   setup: lambda { |env|
-    configuration = ShopifyApp::OmniauthConfiguration.new(env['omniauth.strategy'], Rack::Request.new(env))
+    configuration = ShopifyApp::OmniAuthConfiguration.new(env['omniauth.strategy'], Rack::Request.new(env))
     configuration.build_options
   }
 

data/lib/generators/shopify_app/home_controller/templates/home_controller.rb

@@ -3,8 +3,16 @@
 class HomeController < AuthenticatedController
   include ShopifyApp::ShopAccessScopesVerification
 
+  before_action :set_host
+
   def index
     @products = ShopifyAPI::Product.find(:all, params: { limit: 10 })
     @webhooks = ShopifyAPI::Webhook.find(:all)
   end
+
+  private
+
+  def set_host
+    @host = params[:host]
+  end
 end

data/lib/generators/shopify_app/home_controller/templates/index.html.erb

@@ -18,7 +18,7 @@
 
         // Save a session token for future requests
         window.sessionToken = await new Promise((resolve) => {
-          app.subscribe(SessionToken.ActionType.RESPOND, (data) => {
+          app.subscribe(SessionToken.Action.RESPOND, (data) => {
             resolve(data.sessionToken || "");
           });
         });

data/lib/generators/shopify_app/home_controller/templates/unauthenticated_home_controller.rb

@@ -7,5 +7,6 @@ class HomeController < ApplicationController
 
   def index
     @shop_origin = current_shopify_domain
+    @host = params[:host]
   end
 end

data/lib/generators/shopify_app/install/templates/embedded_app.html.erb

@@ -24,11 +24,12 @@
 
     <%= render 'layouts/flash_messages' %>
 
-    <script src="https://unpkg.com/@shopify/app-bridge"></script>
+    <script src="https://unpkg.com/@shopify/app-bridge@2"></script>
 
     <%= content_tag(:div, nil, id: 'shopify-app-init', data: {
       api_key: ShopifyApp.configuration.api_key,
       shop_origin: @shop_origin || (@current_shopify_session.domain if @current_shopify_session),
+      host: @host,
       debug: Rails.env.development?
     } ) %>
 

data/lib/generators/shopify_app/install/templates/shopify_app.js

@@ -4,7 +4,7 @@ document.addEventListener('DOMContentLoaded', () => {
   var createApp = AppBridge.default;
   window.app = createApp({
     apiKey: data.apiKey,
-    shopOrigin: data.shopOrigin,
+    host: data.host,
   });
 
   var actions = AppBridge.actions;

data/lib/shopify_app.rb

@@ -3,6 +3,7 @@ require 'shopify_app/version'
 
 # deps
 require 'shopify_api'
+require 'omniauth/rails_csrf_protection'
 require 'omniauth-shopify-oauth2'
 require 'redirect_safely'
 

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -9,6 +9,8 @@ module ShopifyApp
 
     class ShopifyDomainNotFound < StandardError; end
 
+    class ShopifyHostNotFound < StandardError; end
+
     included do
       after_action :set_test_cookie
       rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
@@ -103,6 +105,12 @@ module ShopifyApp
       request.env['jwt.shopify_user_id']
     end
 
+    def host
+      return params[:host] if params[:host].present?
+
+      raise ShopifyHostNotFound
+    end
+
     def redirect_to_login
       if request.xhr?
         head(:unauthorized)
@@ -215,9 +223,8 @@ module ShopifyApp
     end
 
     def return_address
-      return base_return_address unless ShopifyApp.configuration.allow_jwt_authentication
-      return_address_with_params(shop: current_shopify_domain)
-    rescue ShopifyDomainNotFound
+      return_address_with_params(shop: current_shopify_domain, host: host)
+    rescue ShopifyDomainNotFound, ShopifyHostNotFound
       base_return_address
     end
 

data/lib/shopify_app/engine.rb

@@ -17,6 +17,7 @@ module ShopifyApp
     initializer "shopify_app.assets.precompile" do |app|
       app.config.assets.precompile += %w[
         shopify_app/redirect.js
+        shopify_app/post_redirect.js
         shopify_app/top_level.js
         shopify_app/enable_cookies.js
         shopify_app/request_storage_access.js

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb

@@ -21,7 +21,7 @@ module ShopifyApp
           .compact
           .map do |cookie|
             cookie << '; Secure' unless cookie =~ /;\s*secure/i
-            cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
+            cookie << '; SameSite=None' if ShopifyApp.configuration.embedded_app?
             cookie
           end
 

data/lib/shopify_app/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module ShopifyApp
-  VERSION = '17.1.1'
+  VERSION = '18.0.2'
 end

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "17.1.1",
+  "version": "18.0.2",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

data/service.yml

@@ -1,7 +1,4 @@
 audience: partner
 classification: library
-org_line: App & Partner Platform
-owners:
-  - Shopify/platform-dev-tools-education
 slack_channels:
-  - dev-tools-education
+- shopify_app_gem

data/shopify_app.gemspec

@@ -14,10 +14,11 @@ Gem::Specification.new do |s|
   s.metadata['allowed_push_host'] = 'https://rubygems.org'
 
   s.add_runtime_dependency('browser_sniffer', '~> 1.2.2')
-  s.add_runtime_dependency('rails', '> 5.2.1', '< 6.1')
+  s.add_runtime_dependency('omniauth-rails_csrf_protection')
+  s.add_runtime_dependency('rails', '> 5.2.1', '< 6.2')
   s.add_runtime_dependency('shopify_api', '~> 9.4')
-  s.add_runtime_dependency('omniauth-shopify-oauth2', '~> 2.2.2')
-  s.add_runtime_dependency('jwt', '~> 2.2.1')
+  s.add_runtime_dependency('omniauth-shopify-oauth2', '~> 2.3')
+  s.add_runtime_dependency('jwt', '>= 2.2.3')
   s.add_runtime_dependency('redirect_safely', '~> 1.0')
 
   s.add_development_dependency('rake')

data/yarn.lock

@@ -1474,10 +1474,10 @@ bluebird@^3.5.5:
   resolved "https://registry.yarnpkg.com/bluebird/-/bluebird-3.7.2.tgz#9f229c15be272454ffa973ace0dbee79a1b0c36f"
   integrity sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg==
 
-bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.4.0:
-  version "4.11.9"
-  resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.11.9.tgz#26d556829458f9d1e81fc48952493d0ba3507828"
-  integrity sha512-E6QoYqCKZfgatHTdHzs1RRKP7ip4vvm+EyRUeE2RF0NblwVvb0p6jSVeNTOFxPn26QXN2o6SMfNxKp6kU8zQaw==
+bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.11.9:
+  version "4.12.0"
+  resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.12.0.tgz#775b3f278efbb9718eec7361f483fb36fbbfea88"
+  integrity sha512-c98Bf3tPniI+scsdk237ku1Dc3ujXQTSgyiPUDEOe7tRkhrqridvh8klBv0HCEso1OLOYcHuCv/cS6DNxKH+ZA==
 
 bn.js@^5.1.1:
   version "5.1.3"
@@ -1531,7 +1531,7 @@ braces@^3.0.2, braces@~3.0.2:
   dependencies:
     fill-range "^7.0.1"
 
-brorand@^1.0.1:
+brorand@^1.0.1, brorand@^1.1.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/brorand/-/brorand-1.1.0.tgz#12c25efe40a45e3c323eb8675a0a0ce57b22371f"
   integrity sha1-EsJe/kCkXjwyPrhnWgoM5XsiNx8=
@@ -2180,17 +2180,17 @@ electron-to-chromium@^1.3.562:
   integrity sha512-fNaYN3EtKQWLQsrKXui8mzcryJXuA0LbCLoizeX6oayG2emBaS5MauKjCPAvc29NEY4FpLHIUWiP+Y0Bfrs5dg==
 
 elliptic@^6.5.3:
-  version "6.5.3"
-  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.3.tgz#cb59eb2efdaf73a0bd78ccd7015a62ad6e0f93d6"
-  integrity sha512-IMqzv5wNQf+E6aHeIqATs0tOLeOTwj1QKbRcS3jBbYkl5oLAserA8yJTT7/VyHUYG91PRmPyeQDObKLPpeS4dw==
+  version "6.5.4"
+  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.4.tgz#da37cebd31e79a1367e941b592ed1fbebd58abbb"
+  integrity sha512-iLhC6ULemrljPZb+QutR5TQGB+pdW6KGD5RSegS+8sorOZT+rdQFbsQFJgvN3eRqNALqJer4oQ16YvJHlU8hzQ==
   dependencies:
-    bn.js "^4.4.0"
-    brorand "^1.0.1"
+    bn.js "^4.11.9"
+    brorand "^1.1.0"
     hash.js "^1.0.0"
-    hmac-drbg "^1.0.0"
-    inherits "^2.0.1"
-    minimalistic-assert "^1.0.0"
-    minimalistic-crypto-utils "^1.0.0"
+    hmac-drbg "^1.0.1"
+    inherits "^2.0.4"
+    minimalistic-assert "^1.0.1"
+    minimalistic-crypto-utils "^1.0.1"
 
 emoji-regex@^7.0.1:
   version "7.0.3"
@@ -2782,7 +2782,7 @@ he@1.2.0:
   resolved "https://registry.yarnpkg.com/he/-/he-1.2.0.tgz#84ae65fa7eafb165fddb61566ae14baf05664f0f"
   integrity sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw==
 
-hmac-drbg@^1.0.0:
+hmac-drbg@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/hmac-drbg/-/hmac-drbg-1.0.1.tgz#d2745701025a6c775a6c545793ed502fc0c649a1"
   integrity sha1-0nRXAQJabHdabFRXk+1QL8DGSaE=
@@ -3492,7 +3492,7 @@ minimalistic-assert@^1.0.0, minimalistic-assert@^1.0.1:
   resolved "https://registry.yarnpkg.com/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz#2e194de044626d4a10e7f7fbc00ce73e83e4d5c7"
   integrity sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==
 
-minimalistic-crypto-utils@^1.0.0, minimalistic-crypto-utils@^1.0.1:
+minimalistic-crypto-utils@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz#f6c00c1c0b082246e5c4d99dfb8c7c083b2b582a"
   integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo=
@@ -4519,9 +4519,9 @@ sprintf-js@~1.0.2:
   integrity sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=
 
 ssri@^6.0.1:
-  version "6.0.1"
-  resolved "https://registry.yarnpkg.com/ssri/-/ssri-6.0.1.tgz#2a3c41b28dd45b62b63676ecb74001265ae9edd8"
-  integrity sha512-3Wge10hNcT1Kur4PDFwEieXSCMCJs/7WvSACcrMYrNp+b8kDL1/0wJch5Ni2WrtwEa2IO8OsVfeKIciKCDx/QA==
+  version "6.0.2"
+  resolved "https://registry.yarnpkg.com/ssri/-/ssri-6.0.2.tgz#157939134f20464e7301ddba3e90ffa8f7728ac5"
+  integrity sha512-cepbSq/neFK7xB6A50KHN0xHDotYzq58wWCa5LeWqnPrHG8GzfEjO/4O8kpmcGW+oaxkvhEJCWgbgNk4/ZV93Q==
   dependencies:
     figgy-pudding "^3.5.1"
 
@@ -5115,9 +5115,9 @@ xtend@^4.0.0, xtend@~4.0.1:
   integrity sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==
 
 y18n@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/y18n/-/y18n-4.0.0.tgz#95ef94f85ecc81d007c264e190a120f0a3c8566b"
-  integrity sha512-r9S/ZyXu/Xu9q1tYlpsLIsa3EeLXXk0VwlxqTcFRfg9EhMW+17kbt9G0NrgCmhGb5vT2hyhJZLfDGx+7+5Uj/w==
+  version "4.0.3"
+  resolved "https://registry.yarnpkg.com/y18n/-/y18n-4.0.3.tgz#b5f259c82cd6e336921efd7bfd8bf560de9eeedf"
+  integrity sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ==
 
 yallist@^3.0.2:
   version "3.1.1"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 17.1.1
+  version: 18.0.2
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-12 00:00:00.000000000 Z
+date: 2021-06-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: browser_sniffer
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 1.2.2
+- !ruby/object:Gem::Dependency
+  name: omniauth-rails_csrf_protection
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -33,7 +47,7 @@ dependencies:
         version: 5.2.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '6.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -43,7 +57,7 @@ dependencies:
         version: 5.2.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '6.2'
 - !ruby/object:Gem::Dependency
   name: shopify_api
   requirement: !ruby/object:Gem::Requirement
@@ -64,28 +78,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: '2.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: '2.3'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.2.1
+        version: 2.2.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.2.1
+        version: 2.2.3
 - !ruby/object:Gem::Dependency
   name: redirect_safely
   requirement: !ruby/object:Gem::Requirement
@@ -272,6 +286,7 @@ files:
 - app/assets/javascripts/shopify_app/enable_cookies.js
 - app/assets/javascripts/shopify_app/itp_helper.js
 - app/assets/javascripts/shopify_app/partition_cookies.js
+- app/assets/javascripts/shopify_app/post_redirect.js
 - app/assets/javascripts/shopify_app/redirect.js
 - app/assets/javascripts/shopify_app/request_storage_access.js
 - app/assets/javascripts/shopify_app/storage_access.js
@@ -297,6 +312,7 @@ files:
 - app/views/shopify_app/sessions/new.html.erb
 - app/views/shopify_app/sessions/request_storage_access.html.erb
 - app/views/shopify_app/sessions/top_level_interaction.html.erb
+- app/views/shopify_app/shared/post_redirect_to_auth_shopify.html.erb
 - app/views/shopify_app/shared/redirect.html.erb
 - config/locales/cs.yml
 - config/locales/da.yml
@@ -445,7 +461,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.2.17
 signing_key: 
 specification_version: 4
 summary: This gem is used to get quickly started with the Shopify API