shopify_app 18.1.0 → 19.0.0

data/lib/generators/shopify_app/user_model/user_model_generator.rb

@@ -1,21 +1,22 @@
 # frozen_string_literal: true
-require 'rails/generators/base'
-require 'rails/generators/active_record'
+
+require "rails/generators/base"
+require "rails/generators/active_record"
 
 module ShopifyApp
   module Generators
     class UserModelGenerator < Rails::Generators::Base
       include Rails::Generators::Migration
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path("../templates", __FILE__)
 
       class_option :new_shopify_cli_app, type: :boolean, default: false
 
       def create_user_model
-        copy_file('user.rb', 'app/models/user.rb')
+        copy_file("user.rb", "app/models/user.rb")
       end
 
       def create_user_migration
-        migration_template('db/migrate/create_users.erb', 'db/migrate/create_users.rb')
+        migration_template("db/migrate/create_users.erb", "db/migrate/create_users.rb")
       end
 
       def create_scopes_storage_in_user_model
@@ -33,24 +34,24 @@ module ShopifyApp
 
         if new_shopify_cli_app? || Rails.env.test? || yes?(scopes_column_prompt)
           migration_template(
-            'db/migrate/add_user_access_scopes_column.erb',
-            'db/migrate/add_user_access_scopes_column.rb'
+            "db/migrate/add_user_access_scopes_column.erb",
+            "db/migrate/add_user_access_scopes_column.rb"
           )
         end
       end
 
       def update_shopify_app_initializer
-        gsub_file('config/initializers/shopify_app.rb', 'ShopifyApp::InMemoryUserSessionStore', 'User')
+        gsub_file("config/initializers/shopify_app.rb", "ShopifyApp::InMemoryUserSessionStore", "User")
       end
 
       def create_user_fixtures
-        copy_file('users.yml', 'test/fixtures/users.yml')
+        copy_file("users.yml", "test/fixtures/users.yml")
       end
 
       private
 
       def new_shopify_cli_app?
-        options['new_shopify_cli_app']
+        options["new_shopify_cli_app"]
       end
 
       def rails_migration_version

data/lib/generators/shopify_app/views/views_generator.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
-require 'rails/generators/base'
+
+require "rails/generators/base"
 
 module ShopifyApp
   module Generators
@@ -15,14 +16,14 @@ module ShopifyApp
       private
 
       def views
-        files_within_root('.', 'app/views/**/*.*')
+        files_within_root(".", "app/views/**/*.*")
       end
 
       def files_within_root(prefix, glob)
         root = "#{self.class.source_root}/#{prefix}"
 
         Dir["#{root}/#{glob}"].sort.map do |full_path|
-          full_path.sub(root, '.').gsub('/./', '/')
+          full_path.sub(root, ".").gsub("/./", "/")
         end
       end
     end

data/lib/shopify_app/access_scopes/shop_strategy.rb

@@ -12,11 +12,11 @@ module ShopifyApp
         private
 
         def shop_access_scopes(shop_domain)
-          ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(shop_domain)&.access_scopes
+          ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(shop_domain)&.scope
         end
 
         def configuration_access_scopes
-          ShopifyAPI::ApiAccess.new(ShopifyApp.configuration.shop_access_scopes)
+          ShopifyAPI::Auth::AuthScopes.new(ShopifyApp.configuration.shop_access_scopes)
         end
       end
     end

data/lib/shopify_app/access_scopes/user_strategy.rb

@@ -9,7 +9,7 @@ module ShopifyApp
         def update_access_scopes?(user_id: nil, shopify_user_id: nil)
           return update_access_scopes_for_user_id?(user_id) if user_id
           return update_access_scopes_for_shopify_user_id?(shopify_user_id) if shopify_user_id
-          raise(InvalidInput, '#update_access_scopes? requires user_id or shopify_user_id parameter inputs')
+          raise(InvalidInput, "#update_access_scopes? requires user_id or shopify_user_id parameter inputs")
         end
 
         private
@@ -25,15 +25,15 @@ module ShopifyApp
         end
 
         def user_access_scopes_by_user_id(user_id)
-          ShopifyApp::SessionRepository.retrieve_user_session(user_id)&.access_scopes
+          ShopifyApp::SessionRepository.retrieve_user_session(user_id)&.scope
         end
 
         def user_access_scopes_by_shopify_user_id(shopify_user_id)
-          ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(shopify_user_id)&.access_scopes
+          ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(shopify_user_id)&.scope
         end
 
         def configuration_access_scopes
-          ShopifyAPI::ApiAccess.new(ShopifyApp.configuration.user_access_scopes)
+          ShopifyAPI::Auth::AuthScopes.new(ShopifyApp.configuration.user_access_scopes)
         end
       end
     end

data/lib/shopify_app/configuration.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class Configuration
     # Shopify App settings. These values should match the configuration
@@ -37,25 +38,16 @@ module ShopifyApp
     # allow namespacing webhook jobs
     attr_accessor :webhook_jobs_namespace
 
-    # allow enabling of same site none on cookies
-    attr_writer :enable_same_site_none
-
-    # allow enabling jwt headers for authentication
-    attr_accessor :allow_jwt_authentication
-
-    attr_accessor :allow_cookie_authentication
-
     def initialize
-      @root_url = '/'
-      @myshopify_domain = 'myshopify.com'
+      @root_url = "/"
+      @myshopify_domain = "myshopify.com"
       @scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
       @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
-      @disable_webpacker = ENV['SHOPIFY_APP_DISABLE_WEBPACKER'].present?
-      @allow_cookie_authentication = true
+      @disable_webpacker = ENV["SHOPIFY_APP_DISABLE_WEBPACKER"].present?
     end
 
     def login_url
-      @login_url || File.join(@root_url, 'login')
+      @login_url || File.join(@root_url, "login")
     end
 
     def user_session_repository=(klass)
@@ -92,10 +84,6 @@ module ShopifyApp
       scripttags.present?
     end
 
-    def enable_same_site_none
-      !Rails.env.test? && (@enable_same_site_none.nil? ? embedded_app? : @enable_same_site_none)
-    end
-
     def shop_access_scopes
       @shop_access_scopes || scope
     end

data/lib/shopify_app/controller_concerns/app_proxy_verification.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module AppProxyVerification
     extend ActiveSupport::Concern
@@ -16,7 +17,7 @@ module ShopifyApp
     def query_string_valid?(query_string)
       query_hash = Rack::Utils.parse_query(query_string)
 
-      signature = query_hash.delete('signature')
+      signature = query_hash.delete("signature")
       return false if signature.nil?
 
       ActiveSupport::SecurityUtils.secure_compare(
@@ -26,10 +27,10 @@ module ShopifyApp
     end
 
     def calculated_signature(query_hash_without_signature)
-      sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(',')}" }.sort.join
+      sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(",")}" }.sort.join
 
       OpenSSL::HMAC.hexdigest(
-        OpenSSL::Digest.new('sha256'),
+        OpenSSL::Digest.new("sha256"),
         ShopifyApp.configuration.secret,
         sorted_params
       )

data/lib/shopify_app/controller_concerns/csrf_protection.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module CsrfProtection
     extend ActiveSupport::Concern
@@ -9,7 +10,7 @@ module ShopifyApp
     private
 
     def valid_session_token?
-      request.env['jwt.shopify_domain']
+      request.env["jwt.shopify_domain"]
     end
   end
 end

data/lib/shopify_app/controller_concerns/embedded_app.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module EmbeddedApp
     extend ActiveSupport::Concern
@@ -6,15 +7,15 @@ module ShopifyApp
     included do
       if ShopifyApp.configuration.embedded_app?
         after_action(:set_esdk_headers)
-        layout('embedded_app')
+        layout("embedded_app")
       end
     end
 
     private
 
     def set_esdk_headers
-      response.set_header('P3P', 'CP="Not used"')
-      response.headers.except!('X-Frame-Options')
+      response.set_header("P3P", 'CP="Not used"')
+      response.headers.except!("X-Frame-Options")
     end
   end
 end

data/lib/shopify_app/controller_concerns/itp.rb

@@ -9,15 +9,15 @@ module ShopifyApp
       return unless ShopifyApp.configuration.embedded_app?
       return unless user_agent_can_partition_cookies
 
-      session['shopify.cookies_persist'] = true
+      session["shopify.cookies_persist"] = true
     end
 
     def set_top_level_oauth_cookie
-      session['shopify.top_level_oauth'] = true
+      session["shopify.top_level_oauth"] = true
     end
 
     def clear_top_level_oauth_cookie
-      session.delete('shopify.top_level_oauth')
+      session.delete("shopify.top_level_oauth")
     end
 
     def user_agent_is_mobile

data/lib/shopify_app/controller_concerns/localization.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module Localization
     extend ActiveSupport::Concern

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'browser_sniffer'
+require "browser_sniffer"
 
 module ShopifyApp
   module LoginProtection
@@ -13,82 +13,51 @@ module ShopifyApp
 
     included do
       after_action :set_test_cookie
-      rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
+      rescue_from ShopifyAPI::Errors::HttpResponseError, with: :handle_http_error
     end
 
-    ACCESS_TOKEN_REQUIRED_HEADER = 'X-Shopify-API-Request-Failure-Unauthorized'
+    ACCESS_TOKEN_REQUIRED_HEADER = "X-Shopify-API-Request-Failure-Unauthorized"
 
     def activate_shopify_session
-      if user_session_expected? && user_session.blank?
+      if current_shopify_session.blank?
         signal_access_token_required
         return redirect_to_login
       end
 
-      return redirect_to_login if current_shopify_session.blank?
+      unless current_shopify_session.scope.to_a.empty? ||
+          current_shopify_session.scope.covers?(ShopifyAPI::Context.scope)
 
-      clear_top_level_oauth_cookie
+        clear_shopify_session
+        return redirect_to_login
+      end
 
       begin
-        ShopifyAPI::Base.activate_session(current_shopify_session)
+        ShopifyAPI::Context.activate_session(current_shopify_session)
         yield
       ensure
-        ShopifyAPI::Base.clear_session
+        ShopifyAPI::Context.deactivate_session
       end
     end
 
     def current_shopify_session
       @current_shopify_session ||= begin
-        user_session || shop_session
+        cookie_name = ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME
+        ShopifyAPI::Utils::SessionUtils.load_current_session(
+          auth_header: request.headers["HTTP_AUTHORIZATION"],
+          cookies: { cookie_name => cookies.encrypted[cookie_name] },
+          is_online: user_session_expected?
+        )
+      rescue ShopifyAPI::Errors::CookieNotFoundError
+        nil
+      rescue ShopifyAPI::Errors::InvalidJwtTokenError
+        nil
       end
     end
 
-    def user_session
-      user_session_by_jwt || user_session_by_cookie
-    end
-
-    def user_session_by_jwt
-      return unless ShopifyApp.configuration.allow_jwt_authentication
-      return unless jwt_shopify_user_id
-      ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(jwt_shopify_user_id)
-    end
-
-    def user_session_by_cookie
-      return unless ShopifyApp.configuration.allow_cookie_authentication
-      return unless session[:user_id].present?
-      ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
-    end
-
-    def shop_session
-      shop_session_by_jwt || shop_session_by_cookie
-    end
-
-    def shop_session_by_jwt
-      return unless ShopifyApp.configuration.allow_jwt_authentication
-      return unless jwt_shopify_domain
-      ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(jwt_shopify_domain)
-    end
-
-    def shop_session_by_cookie
-      return unless ShopifyApp.configuration.allow_cookie_authentication
-      return unless session[:shop_id].present?
-      ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
-    end
-
     def login_again_if_different_user_or_shop
-      if session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
-        clear_session = session[:user_session] != params[:session] # current user is different from stored user
-      end
-
-      if current_shopify_session &&
-        params[:shop] && params[:shop].is_a?(String) &&
-        (current_shopify_session.domain != params[:shop])
-        clear_session = true
-      end
-
-      if clear_session
-        clear_shopify_session
-        redirect_to_login
-      end
+      return unless session_id_conflicts_with_params || session_shop_conflicts_with_params
+      clear_shopify_session
+      redirect_to_login
     end
 
     def signal_access_token_required
@@ -96,7 +65,7 @@ module ShopifyApp
     end
 
     def jwt_expire_at
-      expire_at = request.env['jwt.expire_at']
+      expire_at = request.env["jwt.expire_at"]
       return unless expire_at
       expire_at - 5.seconds # 5s gap to start fetching new token in advance
     end
@@ -104,17 +73,15 @@ module ShopifyApp
     protected
 
     def jwt_shopify_domain
-      request.env['jwt.shopify_domain']
+      request.env["jwt.shopify_domain"]
     end
 
     def jwt_shopify_user_id
-      request.env['jwt.shopify_user_id']
+      request.env["jwt.shopify_user_id"]
     end
 
     def host
-      return params[:host] if params[:host].present?
-
-      raise ShopifyHostNotFound
+      params[:host]
     end
 
     def redirect_to_login
@@ -139,12 +106,16 @@ module ShopifyApp
       redirect_to(login_url_with_optional_shop)
     end
 
+    def handle_http_error(error)
+      if error.code == 401
+        close_session
+      else
+        raise error
+      end
+    end
+
     def clear_shopify_session
-      session[:shop_id] = nil
-      session[:user_id] = nil
-      session[:shopify_domain] = nil
-      session[:shopify_user] = nil
-      session[:user_session] = nil
+      cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME] = nil
     end
 
     def login_url_with_optional_shop(top_level: false)
@@ -172,28 +143,30 @@ module ShopifyApp
         query_params[:shop] ||= referer_sanitized_shop_name
       end
 
+      if params[:host].present?
+        query_params[:host] ||= host
+      end
+
       query_params[:top_level] = true if top_level
       query_params
     end
 
     def return_to_param_required?
-      native_params = %i[shop hmac timestamp locale protocol return_to]
-      request.path != '/' || sanitized_params.except(*native_params).any?
+      native_params = [:shop, :hmac, :timestamp, :locale, :protocol, :return_to]
+      request.path != "/" || sanitized_params.except(*native_params).any?
     end
 
     def fullpage_redirect_to(url)
       if ShopifyApp.configuration.embedded_app?
-        render('shopify_app/shared/redirect', layout: false,
-               locals: { url: url, current_shopify_domain: current_shopify_domain })
+        render("shopify_app/shared/redirect", layout: false,
+          locals: { url: url, current_shopify_domain: current_shopify_domain })
       else
         redirect_to(url)
       end
     end
 
     def current_shopify_domain
-      shopify_domain = sanitized_shop_name ||
-        jwt_shopify_domain ||
-        session[:shopify_domain]
+      shopify_domain = sanitized_shop_name || current_shopify_session&.shop
 
       return shopify_domain if shopify_domain.present?
 
@@ -250,6 +223,15 @@ module ShopifyApp
 
     private
 
+    def session_id_conflicts_with_params
+      shopify_session_id = current_shopify_session&.shopify_session_id
+      params[:session].present? && shopify_session_id.present? && params[:session] != shopify_session_id
+    end
+
+    def session_shop_conflicts_with_params
+      current_shopify_session && params[:shop].is_a?(String) && current_shopify_session.shop != params[:shop]
+    end
+
     def user_session_expected?
       !ShopifyApp.configuration.user_session_repository.blank? && ShopifyApp::SessionRepository.user_storage.present?
     end

data/lib/shopify_app/controller_concerns/payload_verification.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module PayloadVerification
     extend ActiveSupport::Concern
@@ -6,14 +7,14 @@ module ShopifyApp
     private
 
     def shopify_hmac
-      request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
+      request.headers["HTTP_X_SHOPIFY_HMAC_SHA256"]
     end
 
     def hmac_valid?(data)
       secrets = [ShopifyApp.configuration.secret, ShopifyApp.configuration.old_secret].reject(&:blank?)
 
       secrets.any? do |secret|
-        digest = OpenSSL::Digest.new('sha256')
+        digest = OpenSSL::Digest.new("sha256")
         ActiveSupport::SecurityUtils.secure_compare(
           shopify_hmac,
           Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, data))

data/lib/shopify_app/controller_concerns/webhook_verification.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module WebhookVerification
     extend ActiveSupport::Concern
@@ -17,7 +18,7 @@ module ShopifyApp
     end
 
     def shop_domain
-      request.headers['HTTP_X_SHOPIFY_SHOP_DOMAIN']
+      request.headers["HTTP_X_SHOPIFY_SHOP_DOMAIN"]
     end
   end
 end

data/lib/shopify_app/engine.rb

@@ -1,36 +1,28 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module RedactJobParams
     private
 
     def args_info(job)
-      log_disabled_classes = %w(ShopifyApp::ScripttagsManagerJob ShopifyApp::WebhooksManagerJob)
+      log_disabled_classes = ["ShopifyApp::ScripttagsManagerJob", "ShopifyApp::WebhooksManagerJob"]
       return "" if log_disabled_classes.include?(job.class.name)
       super
     end
   end
 
   class Engine < Rails::Engine
-    engine_name 'shopify_app'
+    engine_name "shopify_app"
     isolate_namespace ShopifyApp
 
     initializer "shopify_app.assets.precompile" do |app|
-      app.config.assets.precompile += %w[
-        shopify_app/redirect.js
-        shopify_app/post_redirect.js
-        shopify_app/top_level.js
-        shopify_app/enable_cookies.js
-        shopify_app/request_storage_access.js
-        storage_access.svg
-      ]
+      app.config.assets.precompile += ["shopify_app/redirect.js", "shopify_app/post_redirect.js",
+                                       "shopify_app/top_level.js", "shopify_app/enable_cookies.js",
+                                       "shopify_app/request_storage_access.js", "storage_access.svg",]
     end
 
     initializer "shopify_app.middleware" do |app|
-      app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::SameSiteCookieMiddleware)
-
-      if ShopifyApp.configuration.allow_jwt_authentication
-        app.config.middleware.insert_after(ShopifyApp::SameSiteCookieMiddleware, ShopifyApp::JWTMiddleware)
-      end
+      app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::JWTMiddleware)
     end
 
     initializer "shopify_app.redact_job_params" do

data/lib/shopify_app/jobs/scripttags_manager_job.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class ScripttagsManagerJob < ActiveJob::Base
     queue_as do
@@ -6,8 +7,7 @@ module ShopifyApp
     end
 
     def perform(shop_domain:, shop_token:, scripttags:)
-      api_version = ShopifyApp.configuration.api_version
-      ShopifyAPI::Session.temp(domain: shop_domain, token: shop_token, api_version: api_version) do
+      ShopifyAPI::Auth::Session.temp(shop: shop_domain, access_token: shop_token) do
         manager = ScripttagsManager.new(scripttags, shop_domain)
         manager.create_scripttags
       end

data/lib/shopify_app/jobs/webhooks_manager_job.rb

@@ -1,15 +1,14 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class WebhooksManagerJob < ActiveJob::Base
     queue_as do
       ShopifyApp.configuration.webhooks_manager_queue_name
     end
 
-    def perform(shop_domain:, shop_token:, webhooks:)
-      api_version = ShopifyApp.configuration.api_version
-      ShopifyAPI::Session.temp(domain: shop_domain, token: shop_token, api_version: api_version) do
-        manager = WebhooksManager.new(webhooks)
-        manager.create_webhooks
+    def perform(shop_domain:, shop_token:)
+      ShopifyAPI::Auth::Session.temp(shop: shop_domain, access_token: shop_token) do |session|
+        WebhooksManager.create_webhooks(session: session)
       end
     end
   end

data/lib/shopify_app/managers/scripttags_manager.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class ScripttagsManager
     class CreationFailed < StandardError; end
@@ -44,7 +45,7 @@ module ShopifyApp
     def destroy_scripttags
       scripttags = expanded_scripttags
       ShopifyAPI::ScriptTag.all.each do |tag|
-        ShopifyAPI::ScriptTag.delete(tag.id) if required_scripttag?(scripttags, tag)
+        tag.delete if required_scripttag?(scripttags, tag)
       end
 
       @current_scripttags = nil
@@ -61,9 +62,15 @@ module ShopifyApp
     end
 
     def create_scripttag(attributes)
-      attributes.reverse_merge!(format: 'json')
-      scripttag = ShopifyAPI::ScriptTag.create(attributes)
-      raise CreationFailed, scripttag.errors.full_messages.to_sentence unless scripttag.persisted?
+      scripttag = ShopifyAPI::ScriptTag.new
+      attributes.each { |key, value| scripttag.public_send("#{key}=", value) }
+
+      begin
+        scripttag.save!
+      rescue ShopifyAPI::Errors::HttpResponseError => e
+        raise CreationFailed, e.message
+      end
+
       scripttag
     end