RubyGems - shopify_app - Versions diffs - 18.0.2 → 19.1.0 - Mend

shopify_app 18.0.2 → 19.1.0

Files changed (112) hide show

data/app/controllers/shopify_app/callback_controller.rb CHANGED Viewed

@@ -4,180 +4,95 @@ module ShopifyApp
   # Performs login after OAuth completes
   class CallbackController < ActionController::Base
     include ShopifyApp::LoginProtection
+    include ShopifyApp::EnsureBilling
     def callback
-      return respond_with_error if invalid_request?
+      begin
+        filtered_params = request.parameters.symbolize_keys.slice(:code, :shop, :timestamp, :state, :host, :hmac)
+        auth_result = ShopifyAPI::Auth::Oauth.validate_auth_callback(
+          cookies: {
+            ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME =>
+              cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME],
+          },
+          auth_query: ShopifyAPI::Auth::Oauth::AuthQuery.new(**filtered_params)
+        )
+      rescue
+        return respond_with_error
+      end
+      cookies.encrypted[auth_result[:cookie].name] = {
+        expires: auth_result[:cookie].expires,
+        secure: true,
+        http_only: true,
+        value: auth_result[:cookie].value,
+      }
-      store_access_token_and_build_session
+      session[:shopify_user_id] = auth_result[:session].associated_user.id if auth_result[:session].online?
-      if start_user_token_flow?
+      if start_user_token_flow?(auth_result[:session])
         return respond_with_user_token_flow
       end
-      perform_post_authenticate_jobs
+      perform_post_authenticate_jobs(auth_result[:session])
+      has_payment = check_billing(auth_result[:session])
-      respond_successfully
+      respond_successfully if has_payment
     end
     private
     def respond_successfully
-      if jwt_request?
-        head(:ok)
-      else
-        redirect_to(return_address)
-      end
-    end
-    def respond_with_user_token_flow
-      redirect_to(login_url_with_optional_shop)
-    end
-    def store_access_token_and_build_session
-      if native_browser_request?
-        reset_session_options
-      end
-      set_shopify_session
-    end
-    def invalid_request?
-      return true unless auth_hash
-      jwt_request? && !valid_jwt_auth?
-    end
-    def native_browser_request?
-      !jwt_request?
-    end
-    def perform_post_authenticate_jobs
-      install_webhooks
-      install_scripttags
-      perform_after_authenticate_job
+      redirect_to(return_address)
     end
     def respond_with_error
-      if jwt_request?
-        head(:unauthorized)
-      else
-        flash[:error] = I18n.t('could_not_log_in')
-        redirect_to(login_url_with_optional_shop)
-      end
+      flash[:error] = I18n.t("could_not_log_in")
+      redirect_to(login_url_with_optional_shop)
     end
-    # Override user_session_by_cookie from LoginProtection to bypass allow_cookie_authentication
-    # setting check because session cookies are justified at top level
-    def user_session_by_cookie
-      return unless session[:user_id].present?
-      ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
+    def respond_with_user_token_flow
+      redirect_to(login_url_with_optional_shop)
     end
-    def start_user_token_flow?
-      if jwt_request?
-        false
-      else
-        return false unless ShopifyApp::SessionRepository.user_storage.present?
-        update_user_access_scopes?
-      end
+    def start_user_token_flow?(shopify_session)
+      return false unless ShopifyApp::SessionRepository.user_storage.present?
+      return false if shopify_session.online?
+      update_user_access_scopes?
     end
     def update_user_access_scopes?
-      return true if user_session.blank?
-      user_access_scopes_strategy.update_access_scopes?(user_id: session[:user_id])
+      return true if session[:shopify_user_id].nil?
+      user_access_scopes_strategy.update_access_scopes?(shopify_user_id: session[:shopify_user_id])
     end
     def user_access_scopes_strategy
       ShopifyApp.configuration.user_access_scopes_strategy
     end
-    def jwt_request?
-      jwt_shopify_domain || jwt_shopify_user_id
-    end
-    def valid_jwt_auth?
-      auth_hash && jwt_shopify_domain == shop_name && jwt_shopify_user_id == associated_user_id
+    def perform_post_authenticate_jobs(session)
+      install_webhooks(session)
+      install_scripttags(session)
+      perform_after_authenticate_job(session)
     end
-    def auth_hash
-      request.env['omniauth.auth']
-    end
-    def shop_name
-      auth_hash.uid
-    end
-    def offline_access_token
-      ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(shop_name)&.token
-    end
-    def online_access_token
-      ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(associated_user_id)&.token
-    end
-    def associated_user
-      return unless auth_hash.dig('extra', 'associated_user').present?
-      auth_hash['extra']['associated_user'].merge('scope' => auth_hash['extra']['associated_user_scope'])
-    end
-    def associated_user_id
-      associated_user && associated_user['id']
-    end
-    def token
-      auth_hash['credentials']['token']
-    end
-    def access_scopes
-      auth_hash.dig('extra', 'scope')
-    end
-    def reset_session_options
-      request.session_options[:renew] = true
-      session.delete(:_csrf_token)
-    end
-    def set_shopify_session
-      session_store = ShopifyAPI::Session.new(
-        domain: shop_name,
-        token: token,
-        api_version: ShopifyApp.configuration.api_version,
-        access_scopes: access_scopes
-      )
-      session[:shopify_user] = associated_user
-      if session[:shopify_user].present?
-        session[:shop_id] = nil if shop_session && shop_session.domain != shop_name
-        session[:user_id] = ShopifyApp::SessionRepository.store_user_session(session_store, associated_user)
-      else
-        session[:shop_id] = ShopifyApp::SessionRepository.store_shop_session(session_store)
-        session[:user_id] = nil if user_session && user_session.domain != shop_name
-      end
-      session[:shopify_domain] = shop_name
-      session[:user_session] = auth_hash&.extra&.session
-    end
-    def install_webhooks
+    def install_webhooks(session)
       return unless ShopifyApp.configuration.has_webhooks?
-      WebhooksManager.queue(
-        shop_name,
-        offline_access_token || online_access_token,
-        ShopifyApp.configuration.webhooks
-      )
+      WebhooksManager.queue(session.shop, session.access_token)
     end
-    def install_scripttags
+    def install_scripttags(session)
       return unless ShopifyApp.configuration.has_scripttags?
       ScripttagsManager.queue(
-        shop_name,
-        offline_access_token || online_access_token,
+        session.shop,
+        session.access_token,
         ShopifyApp.configuration.scripttags
       )
     end
-    def perform_after_authenticate_job
+    def perform_after_authenticate_job(session)
       config = ShopifyApp.configuration.after_authenticate_job
       return unless config && config[:job].present?
@@ -186,9 +101,9 @@ module ShopifyApp
       job = job.constantize if job.is_a?(String)
       if config[:inline] == true
-        job.perform_now(shop_domain: session[:shopify_domain])
+        job.perform_now(shop_domain: session.shop)
       else
-        job.perform_later(shop_domain: session[:shopify_domain])
+        job.perform_later(shop_domain: session.shop)
       end
     end
   end

data/app/controllers/shopify_app/sessions_controller.rb CHANGED Viewed

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
 module ShopifyApp
   class SessionsController < ActionController::Base
     include ShopifyApp::LoginProtection
@@ -6,7 +7,7 @@ module ShopifyApp
     layout false, only: :new
     after_action only: [:new, :create] do |controller|
-      controller.response.headers.except!('X-Frame-Options')
+      controller.response.headers.except!("X-Frame-Options")
     end
     def new
@@ -17,41 +18,14 @@ module ShopifyApp
       authenticate
     end
-    def enable_cookies
-      return unless validate_shop_presence
-      render(:enable_cookies, layout: false, locals: {
-        does_not_have_storage_access_url: top_level_interaction_path(
-          shop: sanitized_shop_name,
-          return_to: params[:return_to]
-        ),
-        has_storage_access_url: login_url_with_optional_shop(top_level: true),
-        app_target_url: granted_storage_access_path(
-          shop: sanitized_shop_name,
-          return_to: params[:return_to]
-        ),
-        current_shopify_domain: current_shopify_domain,
-      })
-    end
     def top_level_interaction
       @url = login_url_with_optional_shop(top_level: true)
       validate_shop_presence
     end
-    def granted_storage_access
-      return unless validate_shop_presence
-      session['shopify.granted_storage_access'] = true
-      copy_return_to_param_to_session
-      redirect_to(return_address_with_params({ shop: @shop }))
-    end
     def destroy
       reset_session
-      flash[:notice] = I18n.t('.logged_out')
+      flash[:notice] = I18n.t(".logged_out")
       redirect_to(login_url_with_optional_shop)
     end
@@ -59,69 +33,33 @@ module ShopifyApp
     def authenticate
       return render_invalid_shop_error unless sanitized_shop_name.present?
-      session['shopify.omniauth_params'] = { shop: sanitized_shop_name }
       copy_return_to_param_to_session
-      set_user_tokens_option
-      if user_agent_can_partition_cookies
-        authenticate_with_partitioning
+      if top_level?
+        start_oauth
       else
-        authenticate_normally
+        redirect_auth_to_top_level
       end
     end
-    def authenticate_normally
-      if request_storage_access?
-        redirect_to_request_storage_access
-      elsif authenticate_in_context?
-        authenticate_in_context
-      else
-        authenticate_at_top_level
-      end
-    end
-    def authenticate_with_partitioning
-      if session['shopify.cookies_persist']
-        clear_top_level_oauth_cookie
-        authenticate_in_context
-      else
-        set_top_level_oauth_cookie
-        enable_cookie_access
-      end
-    end
-    # Override shop_session_by_cookie from LoginProtection to bypass allow_cookie_authentication
-    # setting check because session cookies are justified at top level
-    def shop_session_by_cookie
-      return unless session[:shop_id].present?
-      ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
-    end
-    # rubocop:disable Lint/SuppressedException
-    def set_user_tokens_option
-      current_shop_session = shop_session
+    def start_oauth
+      callback_url = ShopifyApp.configuration.login_callback_url.gsub(%r{^/}, "")
-      if current_shop_session.blank?
-        session[:user_tokens] = false
-        return
-      end
-      session[:user_tokens] = ShopifyApp::SessionRepository.user_storage.present?
+      auth_attributes = ShopifyAPI::Auth::Oauth.begin_auth(
+        shop: sanitized_shop_name,
+        redirect_path: "/#{callback_url}",
+        is_online: user_session_expected?
+      )
+      cookies.encrypted[auth_attributes[:cookie].name] = {
+        expires: auth_attributes[:cookie].expires,
+        secure: true,
+        http_only: true,
+        value: auth_attributes[:cookie].value,
+      }
-      ShopifyAPI::Session.temp(
-        domain: current_shop_session.domain,
-        token: current_shop_session.token,
-        api_version: current_shop_session.api_version
-      ) do
-        ShopifyAPI::Metafield.find(:token_validity_bogus_check)
-      end
-    rescue ActiveResource::UnauthorizedAccess
-      session[:user_tokens] = false
-    rescue StandardError
+      redirect_to(auth_attributes[:auth_route], allow_other_host: true)
     end
-    # rubocop:enable Lint/SuppressedException
     def validate_shop_presence
       @shop = sanitized_shop_name
@@ -134,64 +72,21 @@ module ShopifyApp
     end
     def copy_return_to_param_to_session
-      session[:return_to] = RedirectSafely.make_safe(params[:return_to], '/') if params[:return_to]
+      session[:return_to] = RedirectSafely.make_safe(params[:return_to], "/") if params[:return_to]
     end
     def render_invalid_shop_error
-      flash[:error] = I18n.t('invalid_shop_url')
+      flash[:error] = I18n.t("invalid_shop_url")
       redirect_to(return_address)
     end
-    def enable_cookie_access
-      fullpage_redirect_to(enable_cookies_path(
-        shop: sanitized_shop_name,
-        return_to: session[:return_to]
-      ))
-    end
-    def authenticate_in_context
-      post_redirect_to_auth_shopify
-    end
-    def post_redirect_to_auth_shopify
-      render('shopify_app/shared/post_redirect_to_auth_shopify', layout: false)
-    end
-    def authenticate_at_top_level
-      fullpage_redirect_to(login_url_with_optional_shop(top_level: true))
-    end
-    def authenticate_in_context?
+    def top_level?
       return true unless ShopifyApp.configuration.embedded_app?
-      params[:top_level]
+      !params[:top_level].nil?
     end
-    def request_storage_access?
-      return false unless ShopifyApp.configuration.embedded_app?
-      return false if params[:top_level]
-      return false if user_agent_is_mobile
-      return false if user_agent_is_pos
-      !session['shopify.granted_storage_access']
-    end
-    def redirect_to_request_storage_access
-      render(
-        :request_storage_access,
-        layout: false,
-        locals: {
-          does_not_have_storage_access_url: top_level_interaction_path(
-            shop: sanitized_shop_name,
-            return_to: session[:return_to]
-          ),
-          has_storage_access_url: login_url_with_optional_shop(top_level: true),
-          app_target_url: granted_storage_access_path(
-            shop: sanitized_shop_name,
-            return_to: session[:return_to]
-          ),
-          current_shopify_domain: current_shopify_domain,
-        }
-      )
+    def redirect_auth_to_top_level
+      fullpage_redirect_to(login_url_with_optional_shop(top_level: true))
     end
   end
 end

data/app/controllers/shopify_app/webhooks_controller.rb CHANGED Viewed

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
 module ShopifyApp
   class MissingWebhookJobError < StandardError; end
@@ -7,31 +8,11 @@ module ShopifyApp
     def receive
       params.permit!
-      job_args = { shop_domain: shop_domain, webhook: webhook_params.to_h }
-      webhook_job_klass.perform_later(job_args)
-      head(:ok)
-    end
-    private
-    def webhook_params
-      params.except(:controller, :action, :type)
-    end
-    def webhook_job_klass
-      webhook_job_klass_name.safe_constantize || raise(ShopifyApp::MissingWebhookJobError)
-    end
-    def webhook_job_klass_name(type = webhook_type)
-      [webhook_namespace, "#{type}_job"].compact.join('/').classify
-    end
-    def webhook_type
-      params[:type]
-    end
-    def webhook_namespace
-      ShopifyApp.configuration.webhook_jobs_namespace
+      ShopifyAPI::Webhooks::Registry.process(
+        ShopifyAPI::Webhooks::Request.new(raw_body: request.raw_post, headers: request.headers.to_h)
+      )
+      head(:ok)
     end
   end
 end

data/app/views/shopify_app/sessions/enable_cookies.html.erb CHANGED Viewed

@@ -17,7 +17,7 @@
   <%= javascript_include_tag('shopify_app/enable_cookies', crossorigin: 'anonymous', integrity: true) %>
 </head>
-<body data-api-key="<%= ShopifyApp.configuration.api_key %>" data-shop-origin="https://<%= @shop %>" data-redirect-url="<%= @url %>">
+<body data-api-key="<%= ShopifyApp.configuration.api_key %>" data-shop-origin="<%= @shop %>" data-redirect-url="<%= @url %>" data-host="<%= params[:host] %>" data-return-to="<%= params[:return_to] %>">
   <%=
     content_tag(
       :div, nil,

data/app/views/shopify_app/sessions/request_storage_access.html.erb CHANGED Viewed

@@ -15,19 +15,19 @@
     }
   </style>
 </head>
-<body>
+<body data-api-key="<%= ShopifyApp.configuration.api_key %>" data-shop-origin="<%= current_shopify_domain %>" data-host="<%= params[:host] %>" data-return-to="<%= params[:return_to] %>">
 <%=
   content_tag(:div, nil,
-              id: 'redirection-target',
-              data: {
-                  target: {
-                      myshopifyUrl: "https://#{current_shopify_domain}",
-                      hasStorageAccessUrl: "#{has_storage_access_url}",
-                      doesNotHaveStorageAccessUrl: "#{does_not_have_storage_access_url}",
-                      appTargetUrl: "#{app_target_url}"
-                  },
-              },
-              )
+    id: 'redirection-target',
+    data: {
+      target: {
+        myshopifyUrl: "https://#{current_shopify_domain}",
+        hasStorageAccessUrl: "#{has_storage_access_url}",
+        doesNotHaveStorageAccessUrl: "#{does_not_have_storage_access_url}",
+        appTargetUrl: "#{app_target_url}"
+      },
+    },
+  )
 %>
 <main id="RequestStorageAccess">
   <div class="Polaris-Page">

data/app/views/shopify_app/sessions/top_level_interaction.html.erb CHANGED Viewed

@@ -18,7 +18,7 @@
   <%= javascript_include_tag('shopify_app/top_level', crossorigin: 'anonymous', integrity: true) %>
 </head>
-<body data-api-key="<%= ShopifyApp.configuration.api_key %>" data-shop-origin="https://<%= @shop %>" data-redirect-url="<%= @url %>">
+<body data-api-key="<%= ShopifyApp.configuration.api_key %>" data-shop-origin="https://<%= @shop %>" data-host="<%= @host %>" data-redirect-url="<%= @url %>">
   <main id="TopLevelInteractionContent">
     <div class="Polaris-Page">
       <div class="Polaris-Page__Content">

data/app/views/shopify_app/shared/redirect.html.erb CHANGED Viewed

@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html lang="en">
+<html lang="<%= I18n.locale %>">
 <head>
   <meta charset="utf-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
@@ -7,7 +7,7 @@
   <title>Redirecting…</title>
   <%= javascript_include_tag('shopify_app/redirect', crossorigin: 'anonymous', integrity: true) %>
 </head>
-<body>
+<body data-api-key="<%= ShopifyApp.configuration.api_key %>" data-shop-origin="<%= current_shopify_domain %>" data-host="<%= params[:host] %>" >
   <%=
   content_tag(:div, nil,
     id: 'redirection-target',

data/config/locales/zh-CN.yml CHANGED Viewed

@@ -11,6 +11,6 @@ zh-CN:
   top_level_interaction_body: 您的浏览器要求类似 %{app} 的应用向您申请访问 Cookie，之后 Shopify 才能为您打开它。
   top_level_interaction_action: 继续
   request_storage_access_heading: "%{app} 需要访问 Cookie"
-  request_storage_access_body: 这使此应用能够通过暂时存储您的个人信息来验证您的身份。单击继续并启用 Cookie 以使用此应用。
+  request_storage_access_body: 这使此应用能够通过暂时存储您的个人信息来验证您的身份。点击继续并启用 Cookie 以使用此应用。
   request_storage_access_footer: Cookie 将在 30 天后过期。
   request_storage_access_action: 继续

data/config/routes.rb CHANGED Viewed

@@ -1,23 +1,31 @@
 # frozen_string_literal: true
 ShopifyApp::Engine.routes.draw do
+  login_url = ShopifyApp.configuration.login_url.gsub(/^#{ShopifyApp.configuration.root_url}/, "")
+  login_callback_url = ShopifyApp.configuration.login_callback_url.gsub(/^#{ShopifyApp.configuration.root_url}/, "")
   controller :sessions do
-    get 'login' => :new, :as => :login
-    post 'login' => :create, :as => :authenticate
-    get 'enable_cookies' => :enable_cookies, :as => :enable_cookies
-    get 'top_level_interaction' =>
-      :top_level_interaction,
-        :as => :top_level_interaction
-    get 'granted_storage_access' =>
-      :granted_storage_access,
-        :as => :granted_storage_access
-    get 'logout' => :destroy, :as => :logout
+    get login_url => :new, :as => :login
+    post login_url => :create, :as => :authenticate
+    get "logout" => :destroy, :as => :logout
+    # Kept to prevent apps relying on these routes from breaking
+    if login_url.gsub(%r{^/}, "") != "login"
+      get "login" => :new, :as => :default_login
+      post "login" => :create, :as => :default_authenticate
+    end
   end
   controller :callback do
-    get 'auth/shopify/callback' => :callback
+    get login_callback_url => :callback
+    # Kept to prevent apps relying on these routes from breaking
+    if login_callback_url.gsub(%r{^/}, "") != "auth/shopify/callback"
+      get "auth/shopify/callback" => :default_callback
+    end
   end
   namespace :webhooks do
-    post ':type' => :receive
+    post ":type" => :receive
   end
 end

data/docs/Troubleshooting.md CHANGED Viewed

@@ -87,9 +87,6 @@ Edit `config/initializer/shopify_app.rb` and ensure the following configurations
 ```diff
 + config.embedded_app = true
-+ config.allow_jwt_authentication = true
-+ config.allow_cookie_authentication = false
 # This line should already exist if you're using shopify_app gem 13.x.x+
 + config.shop_session_repository = 'Shop'
 ```