shopify_app 18.1.1 → 19.0.1

data/lib/shopify_app/managers/webhooks_manager.rb

@@ -1,62 +1,60 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class WebhooksManager
     class CreationFailed < StandardError; end
 
-    def self.queue(shop_domain, shop_token, webhooks)
-      ShopifyApp::WebhooksManagerJob.perform_later(
-        shop_domain: shop_domain,
-        shop_token: shop_token,
-        webhooks: webhooks
-      )
-    end
-
-    attr_reader :required_webhooks
-
-    def initialize(webhooks)
-      @required_webhooks = webhooks
-    end
-
-    def recreate_webhooks!
-      destroy_webhooks
-      create_webhooks
-    end
-
-    def create_webhooks
-      return unless required_webhooks.present?
+    class << self
+      def queue(shop_domain, shop_token)
+        ShopifyApp::WebhooksManagerJob.perform_later(
+          shop_domain: shop_domain,
+          shop_token: shop_token
+        )
+      end
 
-      required_webhooks.each do |webhook|
-        create_webhook(webhook) unless webhook_exists?(webhook[:topic])
+      def create_webhooks(session:)
+        return unless ShopifyApp.configuration.has_webhooks?
+        ShopifyAPI::Webhooks::Registry.register_all(session: session)
       end
-    end
 
-    def destroy_webhooks
-      ShopifyAPI::Webhook.all.to_a.each do |webhook|
-        ShopifyAPI::Webhook.delete(webhook.id) if required_webhook?(webhook)
+      def recreate_webhooks!(session:)
+        destroy_webhooks
+        return unless ShopifyApp.configuration.has_webhooks?
+        add_registrations
+        ShopifyAPI::Webhooks::Registry.register_all(session: session)
       end
 
-      @current_webhooks = nil
-    end
+      def destroy_webhooks
+        return unless ShopifyApp.configuration.has_webhooks?
 
-    private
+        ShopifyApp.configuration.webhooks.each do |attributes|
+          ShopifyAPI::Webhooks::Registry.unregister(topic: attributes[:topic])
+        end
+      end
 
-    def required_webhook?(webhook)
-      required_webhooks.map { |w| w[:address] }.include?(webhook.address)
-    end
+      def add_registrations
+        return unless ShopifyApp.configuration.has_webhooks?
+
+        ShopifyApp.configuration.webhooks.each do |attributes|
+          ShopifyAPI::Webhooks::Registry.add_registration(
+            topic: attributes[:topic],
+            delivery_method: attributes[:delivery_method] || :http,
+            path: attributes[:address],
+            handler: webhook_job_klass(attributes[:topic]),
+            fields: attributes[:fields]
+          )
+        end
+      end
 
-    def create_webhook(attributes)
-      attributes.reverse_merge!(format: 'json')
-      webhook = ShopifyAPI::Webhook.create(attributes)
-      raise CreationFailed, webhook.errors.full_messages.to_sentence unless webhook.persisted?
-      webhook
-    end
+      private
 
-    def webhook_exists?(topic)
-      current_webhooks[topic]
-    end
+      def webhook_job_klass(topic)
+        webhook_job_klass_name(topic).safe_constantize || raise(ShopifyApp::MissingWebhookJobError)
+      end
 
-    def current_webhooks
-      @current_webhooks ||= ShopifyAPI::Webhook.all.to_a.index_by(&:topic)
+      def webhook_job_klass_name(topic)
+        [ShopifyApp.configuration.webhook_jobs_namespace, "#{topic.gsub("/", "_")}_job"].compact.join("/").classify
+      end
     end
   end
 end

data/lib/shopify_app/middleware/jwt_middleware.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class JWTMiddleware
     TOKEN_REGEX = /^Bearer\s+(.*?)$/
@@ -24,7 +25,7 @@ module ShopifyApp
     end
 
     def authorization_header(env)
-      env['HTTP_AUTHORIZATION']
+      env["HTTP_AUTHORIZATION"]
     end
 
     def extract_token(env)
@@ -35,9 +36,9 @@ module ShopifyApp
     def set_env_variables(token, env)
       jwt = ShopifyApp::JWT.new(token)
 
-      env['jwt.shopify_domain'] = jwt.shopify_domain
-      env['jwt.shopify_user_id'] = jwt.shopify_user_id
-      env['jwt.expire_at'] = jwt.expire_at
+      env["jwt.shopify_domain"] = jwt.shopify_domain
+      env["jwt.shopify_user_id"] = jwt.shopify_user_id
+      env["jwt.expire_at"] = jwt.expire_at
     end
   end
 end

data/lib/shopify_app/session/in_memory_session_store.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   # rubocop:disable Style/ClassVars
   # Class var repo is needed here in order to share data between the 2 child classes.

data/lib/shopify_app/session/in_memory_shop_session_store.rb

@@ -1,10 +1,11 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class InMemoryShopSessionStore < InMemorySessionStore
     class << self
       def store(session, *args)
         id = super
-        repo[session.domain] = session
+        repo[session.shop] = session
         id
       end
 

data/lib/shopify_app/session/in_memory_user_session_store.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class InMemoryUserSessionStore < InMemorySessionStore
     class << self

data/lib/shopify_app/session/jwt.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class JWT
     class InvalidDestinationError < StandardError; end
@@ -23,15 +24,15 @@ module ShopifyApp
     end
 
     def shopify_domain
-      @payload && ShopifyApp::Utils.sanitize_shop_domain(@payload['dest'])
+      @payload && ShopifyApp::Utils.sanitize_shop_domain(@payload["dest"])
     end
 
     def shopify_user_id
-      @payload['sub'].to_i if @payload && @payload['sub']
+      @payload["sub"].to_i if @payload && @payload["sub"]
     end
 
     def expire_at
-      @payload['exp'].to_i if @payload && @payload['exp']
+      @payload["exp"].to_i if @payload && @payload["exp"]
     end
 
     private
@@ -45,19 +46,19 @@ module ShopifyApp
     end
 
     def parse_token_data(secret, old_secret)
-      ::JWT.decode(@token, secret, true, { algorithm: 'HS256' })
+      ::JWT.decode(@token, secret, true, { algorithm: "HS256" })
     rescue ::JWT::VerificationError
       raise unless old_secret
 
-      ::JWT.decode(@token, old_secret, true, { algorithm: 'HS256' })
+      ::JWT.decode(@token, old_secret, true, { algorithm: "HS256" })
     end
 
     def validate_payload(payload)
-      dest_host = ShopifyApp::Utils.sanitize_shop_domain(payload['dest'])
-      iss_host = ShopifyApp::Utils.sanitize_shop_domain(payload['iss'])
+      dest_host = ShopifyApp::Utils.sanitize_shop_domain(payload["dest"])
+      iss_host = ShopifyApp::Utils.sanitize_shop_domain(payload["iss"])
       api_key = ShopifyApp.configuration.api_key
 
-      raise InvalidAudienceError, "'aud' claim does not match api_key" unless payload['aud'] == api_key
+      raise InvalidAudienceError, "'aud' claim does not match api_key" unless payload["aud"] == api_key
       raise InvalidDestinationError, "'dest' claim host not a valid shopify host" unless dest_host
       raise MismatchedHostsError, "'dest' claim host does not match 'iss' claim host" unless dest_host == iss_host
 

data/lib/shopify_app/session/null_user_session_store.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class NullUserSessionStore
     class << self
@@ -7,7 +8,7 @@ module ShopifyApp
       end
 
       def store(_, _)
-        raise SessionRepository::ConfigurationError, 'user_storage is not configured'
+        raise SessionRepository::ConfigurationError, "user_storage is not configured"
       end
 
       def retrieve_by_shopify_user_id(_)

data/lib/shopify_app/session/session_repository.rb

@@ -1,6 +1,9 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class SessionRepository
+    extend ShopifyAPI::Auth::SessionStorage
+
     class ConfigurationError < StandardError; end
 
     class << self
@@ -40,6 +43,40 @@ module ShopifyApp
         load_user_storage
       end
 
+      # ShopifyAPI::Auth::SessionStorage override
+      def store_session(session)
+        if session.online?
+          user_storage.store(session, session.associated_user.id.to_s)
+        else
+          shop_storage.store(session)
+        end
+      end
+
+      # ShopifyAPI::Auth::SessionStorage override
+      def load_session(id)
+        match = id.match(/^offline_(.*)/)
+        if match
+          retrieve_shop_session_by_shopify_domain(match[1])
+        else
+          retrieve_user_session_by_shopify_user_id(id.split("_").last)
+        end
+      end
+
+      # ShopifyAPI::Auth::SessionStorage override
+      def delete_session(id)
+        match = id.match(/^offline_(.*)/)
+
+        record = if match
+          Shop.find_by(shopify_domain: match[1])
+        else
+          User.find_by(shopify_user_id: id.split("_").last)
+        end
+
+        record.destroy
+
+        true
+      end
+
       private
 
       def load_shop_storage

data/lib/shopify_app/session/session_storage.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module SessionStorage
     extend ActiveSupport::Concern
@@ -9,12 +10,9 @@ module ShopifyApp
     end
 
     def with_shopify_session(&block)
-      ShopifyAPI::Session.temp(
-        domain: shopify_domain,
-        token: shopify_token,
-        api_version: api_version,
-        &block
-      )
+      ShopifyAPI::Auth::Session.temp(shop: shopify_domain, access_token: shopify_token) do
+        yield block
+      end
     end
   end
 end

data/lib/shopify_app/session/shop_session_storage.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module ShopSessionStorage
     extend ActiveSupport::Concern
@@ -10,8 +11,8 @@ module ShopifyApp
 
     class_methods do
       def store(auth_session, *_args)
-        shop = find_or_initialize_by(shopify_domain: auth_session.domain)
-        shop.shopify_token = auth_session.token
+        shop = find_or_initialize_by(shopify_domain: auth_session.shop)
+        shop.shopify_token = auth_session.access_token
         shop.save!
         shop.id
       end
@@ -31,10 +32,9 @@ module ShopifyApp
       def construct_session(shop)
         return unless shop
 
-        ShopifyAPI::Session.new(
-          domain: shop.shopify_domain,
-          token: shop.shopify_token,
-          api_version: shop.api_version,
+        ShopifyAPI::Auth::Session.new(
+          shop: shop.shopify_domain,
+          access_token: shop.shopify_token
         )
       end
     end

data/lib/shopify_app/session/shop_session_storage_with_scopes.rb

@@ -11,9 +11,9 @@ module ShopifyApp
 
     class_methods do
       def store(auth_session, *_args)
-        shop = find_or_initialize_by(shopify_domain: auth_session.domain)
-        shop.shopify_token = auth_session.token
-        shop.access_scopes = auth_session.access_scopes
+        shop = find_or_initialize_by(shopify_domain: auth_session.shop)
+        shop.shopify_token = auth_session.access_token
+        shop.access_scopes = auth_session.scope.to_s
 
         shop.save!
         shop.id
@@ -34,11 +34,10 @@ module ShopifyApp
       def construct_session(shop)
         return unless shop
 
-        ShopifyAPI::Session.new(
-          domain: shop.shopify_domain,
-          token: shop.shopify_token,
-          api_version: shop.api_version,
-          access_scopes: shop.access_scopes
+        ShopifyAPI::Auth::Session.new(
+          shop: shop.shopify_domain,
+          access_token: shop.shopify_token,
+          scope: shop.access_scopes
         )
       end
     end

data/lib/shopify_app/session/user_session_storage.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module UserSessionStorage
     extend ActiveSupport::Concern
@@ -11,8 +12,8 @@ module ShopifyApp
     class_methods do
       def store(auth_session, user)
         user = find_or_initialize_by(shopify_user_id: user[:id])
-        user.shopify_token = auth_session.token
-        user.shopify_domain = auth_session.domain
+        user.shopify_token = auth_session.access_token
+        user.shopify_domain = auth_session.shop
         user.save!
         user.id
       end
@@ -31,10 +32,22 @@ module ShopifyApp
 
       def construct_session(user)
         return unless user
-        ShopifyAPI::Session.new(
-          domain: user.shopify_domain,
-          token: user.shopify_token,
-          api_version: user.api_version,
+
+        associated_user = ShopifyAPI::Auth::AssociatedUser.new(
+          id: user.shopify_user_id,
+          first_name: "",
+          last_name: "",
+          email: "",
+          email_verified: false,
+          account_owner: false,
+          locale: "",
+          collaborator: false
+        )
+
+        ShopifyAPI::Auth::Session.new(
+          shop: user.shopify_domain,
+          access_token: user.shopify_token,
+          associated_user: associated_user
         )
       end
     end

data/lib/shopify_app/session/user_session_storage_with_scopes.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module UserSessionStorageWithScopes
     extend ActiveSupport::Concern
@@ -11,9 +12,9 @@ module ShopifyApp
     class_methods do
       def store(auth_session, user)
         user = find_or_initialize_by(shopify_user_id: user[:id])
-        user.shopify_token = auth_session.token
-        user.shopify_domain = auth_session.domain
-        user.access_scopes = auth_session.access_scopes
+        user.shopify_token = auth_session.access_token
+        user.shopify_domain = auth_session.shop
+        user.access_scopes = auth_session.scope.to_s
 
         user.save!
         user.id
@@ -34,11 +35,23 @@ module ShopifyApp
       def construct_session(user)
         return unless user
 
-        ShopifyAPI::Session.new(
-          domain: user.shopify_domain,
-          token: user.shopify_token,
-          api_version: user.api_version,
-          access_scopes: user.access_scopes
+        associated_user = ShopifyAPI::Auth::AssociatedUser.new(
+          id: user.shopify_user_id,
+          first_name: "",
+          last_name: "",
+          email: "",
+          email_verified: false,
+          account_owner: false,
+          locale: "",
+          collaborator: false
+        )
+
+        ShopifyAPI::Auth::Session.new(
+          shop: user.shopify_domain,
+          access_token: user.shopify_token,
+          scope: user.access_scopes,
+          associated_user_scope: user.access_scopes,
+          associated_user: associated_user
         )
       end
     end

data/lib/shopify_app/test_helpers/all.rb

@@ -1,2 +1,3 @@
 # frozen_string_literal: true
-require 'shopify_app/test_helpers/webhook_verification_helper'
+
+require "shopify_app/test_helpers/webhook_verification_helper"

data/lib/shopify_app/test_helpers/webhook_verification_helper.rb

@@ -1,16 +1,17 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module TestHelpers
     module WebhookVerificationHelper
       def authorized_webhook_verification_headers!(params = {})
-        digest = OpenSSL::Digest.new('sha256')
+        digest = OpenSSL::Digest.new("sha256")
         secret = ShopifyApp.configuration.secret
         valid_hmac = Base64.encode64(OpenSSL::HMAC.digest(digest, secret, params.to_query)).strip
-        @request.headers['HTTP_X_SHOPIFY_HMAC_SHA256'] = valid_hmac
+        @request.headers["HTTP_X_SHOPIFY_HMAC_SHA256"] = valid_hmac
       end
 
       def unauthorized_webhook_verification_headers!
-        @request.headers['HTTP_X_SHOPIFY_HMAC_SHA256'] = "invalid_hmac"
+        @request.headers["HTTP_X_SHOPIFY_HMAC_SHA256"] = "invalid_hmac"
       end
     end
   end

data/lib/shopify_app/utils.rb

@@ -1,11 +1,12 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module Utils
     def self.sanitize_shop_domain(shop_domain)
       myshopify_domain = ShopifyApp.configuration.myshopify_domain
       name = shop_domain.to_s.downcase.strip
       name += ".#{myshopify_domain}" if !name.include?(myshopify_domain.to_s) && !name.include?(".")
-      name.sub!(%r|https?://|, '')
+      name.sub!(%r|https?://|, "")
 
       u = URI("http://#{name}")
       u.host if u.host&.match(/^[a-z0-9][a-z0-9\-]*[a-z0-9]\.#{Regexp.escape(myshopify_domain)}$/)
@@ -13,20 +14,13 @@ module ShopifyApp
       nil
     end
 
-    def self.fetch_known_api_versions
-      Rails.logger.info("[ShopifyAPI::ApiVersion] Fetching known Admin API Versions from Shopify...")
-      ShopifyAPI::ApiVersion.fetch_known_versions
-      Rails.logger.info("[ShopifyAPI::ApiVersion] Known API Versions: #{ShopifyAPI::ApiVersion.versions.keys}")
-    rescue ActiveResource::ConnectionError
-      logger.error("[ShopifyAPI::ApiVersion] Unable to fetch api_versions from Shopify")
-    end
-
-    def self.shop_login_url(shop:, return_to:)
+    def self.shop_login_url(shop:, host:, return_to:)
       return ShopifyApp.configuration.login_url unless shop
       url = URI(ShopifyApp.configuration.login_url)
 
       url.query = URI.encode_www_form(
         shop: shop,
+        host: host,
         return_to: return_to,
       )
 

data/lib/shopify_app/version.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
-  VERSION = '18.1.1'
+  VERSION = "19.0.1"
 end

data/lib/shopify_app.rb

@@ -1,11 +1,10 @@
 # frozen_string_literal: true
-require 'shopify_app/version'
+
+require "shopify_app/version"
 
 # deps
-require 'shopify_api'
-require 'omniauth/rails_csrf_protection'
-require 'omniauth-shopify-oauth2'
-require 'redirect_safely'
+require "shopify_api"
+require "redirect_safely"
 
 module ShopifyApp
   def self.rails6?
@@ -22,59 +21,55 @@ module ShopifyApp
 
   def self.use_webpacker?
     rails6? &&
-      defined?(Webpacker) == 'constant' &&
+      defined?(Webpacker) == "constant" &&
       !configuration.disable_webpacker
   end
 
   # config
-  require 'shopify_app/configuration'
+  require "shopify_app/configuration"
 
   # engine
-  require 'shopify_app/engine'
+  require "shopify_app/engine"
 
   # utils
-  require 'shopify_app/utils'
+  require "shopify_app/utils"
 
   # controller concerns
-  require 'shopify_app/controller_concerns/csrf_protection'
-  require 'shopify_app/controller_concerns/localization'
-  require 'shopify_app/controller_concerns/itp'
-  require 'shopify_app/controller_concerns/login_protection'
-  require 'shopify_app/controller_concerns/embedded_app'
-  require 'shopify_app/controller_concerns/payload_verification'
-  require 'shopify_app/controller_concerns/app_proxy_verification'
-  require 'shopify_app/controller_concerns/webhook_verification'
+  require "shopify_app/controller_concerns/csrf_protection"
+  require "shopify_app/controller_concerns/localization"
+  require "shopify_app/controller_concerns/itp"
+  require "shopify_app/controller_concerns/login_protection"
+  require "shopify_app/controller_concerns/embedded_app"
+  require "shopify_app/controller_concerns/payload_verification"
+  require "shopify_app/controller_concerns/app_proxy_verification"
+  require "shopify_app/controller_concerns/webhook_verification"
 
   # jobs
-  require 'shopify_app/jobs/webhooks_manager_job'
-  require 'shopify_app/jobs/scripttags_manager_job'
+  require "shopify_app/jobs/webhooks_manager_job"
+  require "shopify_app/jobs/scripttags_manager_job"
 
   # managers
-  require 'shopify_app/managers/webhooks_manager'
-  require 'shopify_app/managers/scripttags_manager'
+  require "shopify_app/managers/webhooks_manager"
+  require "shopify_app/managers/scripttags_manager"
 
   # middleware
-  require 'shopify_app/middleware/jwt_middleware'
-  require 'shopify_app/middleware/same_site_cookie_middleware'
+  require "shopify_app/middleware/jwt_middleware"
 
   # session
-  require 'shopify_app/session/in_memory_session_store'
-  require 'shopify_app/session/in_memory_shop_session_store'
-  require 'shopify_app/session/in_memory_user_session_store'
-  require 'shopify_app/session/jwt'
-  require 'shopify_app/session/null_user_session_store'
-  require 'shopify_app/session/session_repository'
-  require 'shopify_app/session/session_storage'
-  require 'shopify_app/session/shop_session_storage'
-  require 'shopify_app/session/shop_session_storage_with_scopes'
-  require 'shopify_app/session/user_session_storage'
-  require 'shopify_app/session/user_session_storage_with_scopes'
+  require "shopify_app/session/in_memory_session_store"
+  require "shopify_app/session/in_memory_shop_session_store"
+  require "shopify_app/session/in_memory_user_session_store"
+  require "shopify_app/session/jwt"
+  require "shopify_app/session/null_user_session_store"
+  require "shopify_app/session/session_repository"
+  require "shopify_app/session/session_storage"
+  require "shopify_app/session/shop_session_storage"
+  require "shopify_app/session/shop_session_storage_with_scopes"
+  require "shopify_app/session/user_session_storage"
+  require "shopify_app/session/user_session_storage_with_scopes"
 
   # access scopes strategies
-  require 'shopify_app/access_scopes/shop_strategy'
-  require 'shopify_app/access_scopes/user_strategy'
-  require 'shopify_app/access_scopes/noop_strategy'
-
-  # omniauth_configuration
-  require 'shopify_app/omniauth/omniauth_configuration'
+  require "shopify_app/access_scopes/shop_strategy"
+  require "shopify_app/access_scopes/user_strategy"
+  require "shopify_app/access_scopes/noop_strategy"
 end

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "18.1.1",
+  "version": "19.0.1",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",