shopify_app 18.0.2 → 19.1.0

data/lib/shopify_app/configuration.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class Configuration
     # Shopify App settings. These values should match the configuration
@@ -23,6 +24,7 @@ module ShopifyApp
     # customise urls
     attr_accessor :root_url
     attr_writer :login_url
+    attr_writer :login_callback_url
 
     # customise ActiveJob queue names
     attr_accessor :scripttags_manager_queue_name
@@ -37,25 +39,24 @@ module ShopifyApp
     # allow namespacing webhook jobs
     attr_accessor :webhook_jobs_namespace
 
-    # allow enabling of same site none on cookies
-    attr_writer :enable_same_site_none
-
-    # allow enabling jwt headers for authentication
-    attr_accessor :allow_jwt_authentication
-
-    attr_accessor :allow_cookie_authentication
+    # takes a ShopifyApp::BillingConfiguration object
+    attr_accessor :billing
 
     def initialize
-      @root_url = '/'
-      @myshopify_domain = 'myshopify.com'
+      @root_url = "/"
+      @myshopify_domain = "myshopify.com"
       @scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
       @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
-      @disable_webpacker = ENV['SHOPIFY_APP_DISABLE_WEBPACKER'].present?
-      @allow_cookie_authentication = true
+      @disable_webpacker = ENV["SHOPIFY_APP_DISABLE_WEBPACKER"].present?
     end
 
     def login_url
-      @login_url || File.join(@root_url, 'login')
+      @login_url || File.join(@root_url, "login")
+    end
+
+    def login_callback_url
+      # Not including @root_url to keep historic behaviour
+      @login_callback_url || File.join("auth/shopify/callback")
     end
 
     def user_session_repository=(klass)
@@ -92,8 +93,8 @@ module ShopifyApp
       scripttags.present?
     end
 
-    def enable_same_site_none
-      !Rails.env.test? && (@enable_same_site_none.nil? ? embedded_app? : @enable_same_site_none)
+    def requires_billing?
+      billing.present?
     end
 
     def shop_access_scopes
@@ -105,6 +106,24 @@ module ShopifyApp
     end
   end
 
+  class BillingConfiguration
+    INTERVAL_ONE_TIME = "ONE_TIME"
+    INTERVAL_EVERY_30_DAYS = "EVERY_30_DAYS"
+    INTERVAL_ANNUAL = "ANNUAL"
+
+    attr_reader :charge_name
+    attr_reader :amount
+    attr_reader :currency_code
+    attr_reader :interval
+
+    def initialize(charge_name:, amount:, interval:, currency_code: "USD")
+      @charge_name = charge_name
+      @amount = amount
+      @currency_code = currency_code
+      @interval = interval
+    end
+  end
+
   def self.configuration
     @configuration ||= Configuration.new
   end

data/lib/shopify_app/controller_concerns/app_proxy_verification.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module AppProxyVerification
     extend ActiveSupport::Concern
@@ -16,7 +17,7 @@ module ShopifyApp
     def query_string_valid?(query_string)
       query_hash = Rack::Utils.parse_query(query_string)
 
-      signature = query_hash.delete('signature')
+      signature = query_hash.delete("signature")
       return false if signature.nil?
 
       ActiveSupport::SecurityUtils.secure_compare(
@@ -26,10 +27,10 @@ module ShopifyApp
     end
 
     def calculated_signature(query_hash_without_signature)
-      sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(',')}" }.sort.join
+      sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(",")}" }.sort.join
 
       OpenSSL::HMAC.hexdigest(
-        OpenSSL::Digest.new('sha256'),
+        OpenSSL::Digest.new("sha256"),
         ShopifyApp.configuration.secret,
         sorted_params
       )

data/lib/shopify_app/controller_concerns/csrf_protection.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module CsrfProtection
     extend ActiveSupport::Concern
@@ -9,7 +10,7 @@ module ShopifyApp
     private
 
     def valid_session_token?
-      request.env['jwt.shopify_domain']
+      request.env["jwt.shopify_domain"]
     end
   end
 end

data/lib/shopify_app/controller_concerns/embedded_app.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module EmbeddedApp
     extend ActiveSupport::Concern
@@ -6,15 +7,15 @@ module ShopifyApp
     included do
       if ShopifyApp.configuration.embedded_app?
         after_action(:set_esdk_headers)
-        layout('embedded_app')
+        layout("embedded_app")
       end
     end
 
     private
 
     def set_esdk_headers
-      response.set_header('P3P', 'CP="Not used"')
-      response.headers.except!('X-Frame-Options')
+      response.set_header("P3P", 'CP="Not used"')
+      response.headers.except!("X-Frame-Options")
     end
   end
 end

data/lib/shopify_app/controller_concerns/ensure_billing.rb

@@ -0,0 +1,254 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module EnsureBilling
+    class BillingError < StandardError
+      attr_accessor :message
+      attr_accessor :errors
+
+      def initialize(message, errors)
+        super
+        @message = message
+        @errors = errors
+      end
+    end
+
+    extend ActiveSupport::Concern
+
+    RECURRING_INTERVALS = [BillingConfiguration::INTERVAL_EVERY_30_DAYS, BillingConfiguration::INTERVAL_ANNUAL]
+
+    included do
+      before_action :check_billing, if: :billing_required?
+      rescue_from BillingError, with: :handle_billing_error
+    end
+
+    private
+
+    def check_billing(session = current_shopify_session)
+      return true if session.blank? || !billing_required?
+
+      confirmation_url = nil
+
+      if has_active_payment?(session)
+        has_payment = true
+      else
+        has_payment = false
+        confirmation_url = request_payment(session)
+      end
+
+      unless has_payment
+        if request.xhr?
+          add_top_level_redirection_headers(url: confirmation_url, ignore_response_code: true)
+          head(:unauthorized)
+        else
+          redirect_to(confirmation_url, allow_other_host: true)
+        end
+      end
+
+      has_payment
+    end
+
+    def billing_required?
+      ShopifyApp.configuration.requires_billing?
+    end
+
+    def handle_billing_error(error)
+      logger.info("#{error.message}: #{error.errors}")
+      redirect_to_login
+    end
+
+    def has_active_payment?(session)
+      if recurring?
+        has_subscription?(session)
+      else
+        has_one_time_payment?(session)
+      end
+    end
+
+    def has_subscription?(session)
+      response = run_query(session: session, query: RECURRING_PURCHASES_QUERY)
+      subscriptions = response.body["data"]["currentAppInstallation"]["activeSubscriptions"]
+
+      subscriptions.each do |subscription|
+        if subscription["name"] == ShopifyApp.configuration.billing.charge_name &&
+            (!Rails.env.production? || !subscription["test"])
+
+          return true
+        end
+      end
+
+      false
+    end
+
+    def has_one_time_payment?(session)
+      purchases = nil
+      end_cursor = nil
+
+      loop do
+        response = run_query(session: session, query: ONE_TIME_PURCHASES_QUERY, variables: { endCursor: end_cursor })
+        purchases = response.body["data"]["currentAppInstallation"]["oneTimePurchases"]
+
+        purchases["edges"].each do |purchase|
+          node = purchase["node"]
+
+          if node["name"] == ShopifyApp.configuration.billing.charge_name &&
+              (!Rails.env.production? || !node["test"]) &&
+              node["status"] == "ACTIVE"
+
+            return true
+          end
+        end
+
+        end_cursor = purchases["pageInfo"]["endCursor"]
+        break unless purchases["pageInfo"]["hasNextPage"]
+      end
+
+      false
+    end
+
+    def request_payment(session)
+      shop = session.shop
+      host = Base64.encode64("#{shop}/admin")
+      return_url = "https://#{ShopifyAPI::Context.host_name}?shop=#{shop}&host=#{host}"
+
+      if recurring?
+        data = request_recurring_payment(session: session, return_url: return_url)
+        data = data["data"]["appSubscriptionCreate"]
+      else
+        data = request_one_time_payment(session: session, return_url: return_url)
+        data = data["data"]["appPurchaseOneTimeCreate"]
+      end
+
+      raise BillingError.new("Error while billing the store", data["userErrros"]) unless data["userErrors"].empty?
+
+      data["confirmationUrl"]
+    end
+
+    def request_recurring_payment(session:, return_url:)
+      response = run_query(
+        session: session,
+        query: RECURRING_PURCHASE_MUTATION,
+        variables: {
+          name: ShopifyApp.configuration.billing.charge_name,
+          lineItems: {
+            plan: {
+              appRecurringPricingDetails: {
+                interval: ShopifyApp.configuration.billing.interval,
+                price: {
+                  amount: ShopifyApp.configuration.billing.amount,
+                  currencyCode: ShopifyApp.configuration.billing.currency_code,
+                },
+              },
+            },
+          },
+          returnUrl: return_url,
+          test: !Rails.env.production?,
+        }
+      )
+
+      response.body
+    end
+
+    def request_one_time_payment(session:, return_url:)
+      response = run_query(
+        session: session,
+        query: ONE_TIME_PURCHASE_MUTATION,
+        variables: {
+          name: ShopifyApp.configuration.billing.charge_name,
+          price: {
+            amount: ShopifyApp.configuration.billing.amount,
+            currencyCode: ShopifyApp.configuration.billing.currency_code,
+          },
+          returnUrl: return_url,
+          test: !Rails.env.production?,
+        }
+      )
+
+      response.body
+    end
+
+    def recurring?
+      RECURRING_INTERVALS.include?(ShopifyApp.configuration.billing.interval)
+    end
+
+    def run_query(session:, query:, variables: nil)
+      client = ShopifyAPI::Clients::Graphql::Admin.new(session: session)
+
+      response = client.query(query: query, variables: variables)
+
+      raise BillingError.new("Error while billing the store", []) unless response.ok?
+      raise BillingError.new("Error while billing the store", response.body["errors"]) if response.body["errors"]
+
+      response
+    end
+
+    RECURRING_PURCHASES_QUERY = <<~'QUERY'
+      query appSubscription {
+        currentAppInstallation {
+          activeSubscriptions {
+            name, test
+          }
+        }
+      }
+    QUERY
+
+    ONE_TIME_PURCHASES_QUERY = <<~'QUERY'
+      query appPurchases($endCursor: String) {
+        currentAppInstallation {
+          oneTimePurchases(first: 250, sortKey: CREATED_AT, after: $endCursor) {
+            edges {
+              node {
+                name, test, status
+              }
+            }
+            pageInfo {
+              hasNextPage, endCursor
+            }
+          }
+        }
+      }
+    QUERY
+
+    RECURRING_PURCHASE_MUTATION = <<~'QUERY'
+      mutation createPaymentMutation(
+        $name: String!
+        $lineItems: [AppSubscriptionLineItemInput!]!
+        $returnUrl: URL!
+        $test: Boolean
+      ) {
+        appSubscriptionCreate(
+          name: $name
+          lineItems: $lineItems
+          returnUrl: $returnUrl
+          test: $test
+        ) {
+          confirmationUrl
+          userErrors {
+            field, message
+          }
+        }
+      }
+    QUERY
+
+    ONE_TIME_PURCHASE_MUTATION = <<~'QUERY'
+      mutation createPaymentMutation(
+        $name: String!
+        $price: MoneyInput!
+        $returnUrl: URL!
+        $test: Boolean
+      ) {
+        appPurchaseOneTimeCreate(
+          name: $name
+          price: $price
+          returnUrl: $returnUrl
+          test: $test
+        ) {
+          confirmationUrl
+          userErrors {
+            field, message
+          }
+        }
+      }
+    QUERY
+  end
+end

data/lib/shopify_app/controller_concerns/itp.rb

@@ -9,15 +9,15 @@ module ShopifyApp
       return unless ShopifyApp.configuration.embedded_app?
       return unless user_agent_can_partition_cookies
 
-      session['shopify.cookies_persist'] = true
+      session["shopify.cookies_persist"] = true
     end
 
     def set_top_level_oauth_cookie
-      session['shopify.top_level_oauth'] = true
+      session["shopify.top_level_oauth"] = true
     end
 
     def clear_top_level_oauth_cookie
-      session.delete('shopify.top_level_oauth')
+      session.delete("shopify.top_level_oauth")
     end
 
     def user_agent_is_mobile

data/lib/shopify_app/controller_concerns/localization.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module Localization
     extend ActiveSupport::Concern

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'browser_sniffer'
+require "browser_sniffer"
 
 module ShopifyApp
   module LoginProtection
@@ -13,106 +13,99 @@ module ShopifyApp
 
     included do
       after_action :set_test_cookie
-      rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
+      rescue_from ShopifyAPI::Errors::HttpResponseError, with: :handle_http_error
     end
 
-    ACCESS_TOKEN_REQUIRED_HEADER = 'X-Shopify-API-Request-Failure-Unauthorized'
+    ACCESS_TOKEN_REQUIRED_HEADER = "X-Shopify-API-Request-Failure-Unauthorized"
 
     def activate_shopify_session
-      if user_session_expected? && user_session.blank?
+      if current_shopify_session.blank?
         signal_access_token_required
         return redirect_to_login
       end
 
-      return redirect_to_login if current_shopify_session.blank?
+      unless current_shopify_session.scope.to_a.empty? ||
+          current_shopify_session.scope.covers?(ShopifyAPI::Context.scope)
 
-      clear_top_level_oauth_cookie
+        clear_shopify_session
+        return redirect_to_login
+      end
 
       begin
-        ShopifyAPI::Base.activate_session(current_shopify_session)
+        ShopifyAPI::Context.activate_session(current_shopify_session)
         yield
       ensure
-        ShopifyAPI::Base.clear_session
+        ShopifyAPI::Context.deactivate_session
       end
     end
 
     def current_shopify_session
       @current_shopify_session ||= begin
-        user_session || shop_session
+        cookie_name = ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME
+        ShopifyAPI::Utils::SessionUtils.load_current_session(
+          auth_header: request.headers["HTTP_AUTHORIZATION"],
+          cookies: { cookie_name => cookies.encrypted[cookie_name] },
+          is_online: user_session_expected?
+        )
+      rescue ShopifyAPI::Errors::CookieNotFoundError
+        nil
+      rescue ShopifyAPI::Errors::InvalidJwtTokenError
+        nil
       end
     end
 
-    def user_session
-      user_session_by_jwt || user_session_by_cookie
-    end
-
-    def user_session_by_jwt
-      return unless ShopifyApp.configuration.allow_jwt_authentication
-      return unless jwt_shopify_user_id
-      ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(jwt_shopify_user_id)
-    end
-
-    def user_session_by_cookie
-      return unless ShopifyApp.configuration.allow_cookie_authentication
-      return unless session[:user_id].present?
-      ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
-    end
-
-    def shop_session
-      shop_session_by_jwt || shop_session_by_cookie
+    def login_again_if_different_user_or_shop
+      return unless session_id_conflicts_with_params || session_shop_conflicts_with_params
+      clear_shopify_session
+      redirect_to_login
     end
 
-    def shop_session_by_jwt
-      return unless ShopifyApp.configuration.allow_jwt_authentication
-      return unless jwt_shopify_domain
-      ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(jwt_shopify_domain)
+    def signal_access_token_required
+      response.set_header(ACCESS_TOKEN_REQUIRED_HEADER, "true")
     end
 
-    def shop_session_by_cookie
-      return unless ShopifyApp.configuration.allow_cookie_authentication
-      return unless session[:shop_id].present?
-      ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
+    def jwt_expire_at
+      expire_at = request.env["jwt.expire_at"]
+      return unless expire_at
+      expire_at - 5.seconds # 5s gap to start fetching new token in advance
     end
 
-    def login_again_if_different_user_or_shop
-      if session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
-        clear_session = session[:user_session] != params[:session] # current user is different from stored user
-      end
+    def add_top_level_redirection_headers(url: nil, ignore_response_code: false)
+      if request.xhr? && (ignore_response_code || response.code.to_i == 401)
+        # Make sure the shop is set in the redirection URL
+        unless params[:shop]
+          params[:shop] = if current_shopify_session
+            current_shopify_session.shop
+          elsif (matches = request.headers["HTTP_AUTHORIZATION"]&.match(/^Bearer (.+)$/))
+            jwt_payload = ShopifyAPI::Auth::JwtPayload.new(T.must(matches[1]))
+            jwt_payload.shop
+          end
+        end
 
-      if current_shopify_session &&
-        params[:shop] && params[:shop].is_a?(String) &&
-        (current_shopify_session.domain != params[:shop])
-        clear_session = true
-      end
+        url ||= login_url_with_optional_shop
 
-      if clear_session
-        clear_shopify_session
-        redirect_to_login
+        response.set_header("X-Shopify-API-Request-Failure-Reauthorize", "1")
+        response.set_header("X-Shopify-API-Request-Failure-Reauthorize-Url", url)
       end
     end
 
-    def signal_access_token_required
-      response.set_header(ACCESS_TOKEN_REQUIRED_HEADER, "true")
-    end
-
     protected
 
     def jwt_shopify_domain
-      request.env['jwt.shopify_domain']
+      request.env["jwt.shopify_domain"]
     end
 
     def jwt_shopify_user_id
-      request.env['jwt.shopify_user_id']
+      request.env["jwt.shopify_user_id"]
     end
 
     def host
-      return params[:host] if params[:host].present?
-
-      raise ShopifyHostNotFound
+      params[:host]
     end
 
     def redirect_to_login
       if request.xhr?
+        add_top_level_redirection_headers(ignore_response_code: true)
         head(:unauthorized)
       else
         if request.get?
@@ -133,12 +126,16 @@ module ShopifyApp
       redirect_to(login_url_with_optional_shop)
     end
 
+    def handle_http_error(error)
+      if error.code == 401
+        close_session
+      else
+        raise error
+      end
+    end
+
     def clear_shopify_session
-      session[:shop_id] = nil
-      session[:user_id] = nil
-      session[:shopify_domain] = nil
-      session[:shopify_user] = nil
-      session[:user_session] = nil
+      cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME] = nil
     end
 
     def login_url_with_optional_shop(top_level: false)
@@ -166,28 +163,30 @@ module ShopifyApp
         query_params[:shop] ||= referer_sanitized_shop_name
       end
 
+      if params[:host].present?
+        query_params[:host] ||= host
+      end
+
       query_params[:top_level] = true if top_level
       query_params
     end
 
     def return_to_param_required?
-      native_params = %i[shop hmac timestamp locale protocol return_to]
-      request.path != '/' || sanitized_params.except(*native_params).any?
+      native_params = [:shop, :hmac, :timestamp, :locale, :protocol, :return_to]
+      request.path != "/" || sanitized_params.except(*native_params).any?
     end
 
     def fullpage_redirect_to(url)
       if ShopifyApp.configuration.embedded_app?
-        render('shopify_app/shared/redirect', layout: false,
-               locals: { url: url, current_shopify_domain: current_shopify_domain })
+        render("shopify_app/shared/redirect", layout: false,
+          locals: { url: url, current_shopify_domain: current_shopify_domain })
       else
         redirect_to(url)
       end
     end
 
     def current_shopify_domain
-      shopify_domain = sanitized_shop_name ||
-        jwt_shopify_domain ||
-        session[:shopify_domain]
+      shopify_domain = sanitized_shop_name || current_shopify_session&.shop
 
       return shopify_domain if shopify_domain.present?
 
@@ -244,7 +243,22 @@ module ShopifyApp
 
     private
 
+    def session_id_conflicts_with_params
+      shopify_session_id = current_shopify_session&.shopify_session_id
+      params[:session].present? && shopify_session_id.present? && params[:session] != shopify_session_id
+    end
+
+    def session_shop_conflicts_with_params
+      current_shopify_session && params[:shop].is_a?(String) && current_shopify_session.shop != params[:shop]
+    end
+
+    def shop_session
+      ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(sanitize_shop_param(params))
+    end
+
     def user_session_expected?
+      return false if shop_session.nil?
+      return false if ShopifyApp.configuration.shop_access_scopes_strategy.update_access_scopes?(shop_session.shop)
       !ShopifyApp.configuration.user_session_repository.blank? && ShopifyApp::SessionRepository.user_storage.present?
     end
   end