shopify_app 18.1.2 → 19.0.0

data/app/controllers/shopify_app/sessions_controller.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class SessionsController < ActionController::Base
     include ShopifyApp::LoginProtection
@@ -6,7 +7,7 @@ module ShopifyApp
     layout false, only: :new
 
     after_action only: [:new, :create] do |controller|
-      controller.response.headers.except!('X-Frame-Options')
+      controller.response.headers.except!("X-Frame-Options")
     end
 
     def new
@@ -17,43 +18,14 @@ module ShopifyApp
       authenticate
     end
 
-    def enable_cookies
-      return unless validate_shop_presence
-
-      render(:enable_cookies, layout: false, locals: {
-        does_not_have_storage_access_url: top_level_interaction_path(
-          shop: sanitized_shop_name,
-          host: host,
-          return_to: params[:return_to]
-        ),
-        has_storage_access_url: login_url_with_optional_shop(top_level: true),
-        app_target_url: granted_storage_access_path(
-          shop: sanitized_shop_name,
-          host: host,
-          return_to: params[:return_to]
-        ),
-        current_shopify_domain: current_shopify_domain,
-      })
-    end
-
     def top_level_interaction
       @url = login_url_with_optional_shop(top_level: true)
       validate_shop_presence
     end
 
-    def granted_storage_access
-      return unless validate_shop_presence
-
-      session['shopify.granted_storage_access'] = true
-
-      copy_return_to_param_to_session
-
-      redirect_to(return_address_with_params({ shop: @shop }))
-    end
-
     def destroy
       reset_session
-      flash[:notice] = I18n.t('.logged_out')
+      flash[:notice] = I18n.t(".logged_out")
       redirect_to(login_url_with_optional_shop)
     end
 
@@ -61,69 +33,31 @@ module ShopifyApp
 
     def authenticate
       return render_invalid_shop_error unless sanitized_shop_name.present?
-      session['shopify.omniauth_params'] = { shop: sanitized_shop_name }
 
       copy_return_to_param_to_session
 
-      set_user_tokens_option
-
-      if user_agent_can_partition_cookies
-        authenticate_with_partitioning
+      if top_level?
+        start_oauth
       else
-        authenticate_normally
+        redirect_auth_to_top_level
       end
     end
 
-    def authenticate_normally
-      if request_storage_access?
-        redirect_to_request_storage_access
-      elsif authenticate_in_context?
-        authenticate_in_context
-      else
-        authenticate_at_top_level
-      end
-    end
-
-    def authenticate_with_partitioning
-      if session['shopify.cookies_persist']
-        clear_top_level_oauth_cookie
-        authenticate_in_context
-      else
-        set_top_level_oauth_cookie
-        enable_cookie_access
-      end
-    end
-
-    # Override shop_session_by_cookie from LoginProtection to bypass allow_cookie_authentication
-    # setting check because session cookies are justified at top level
-    def shop_session_by_cookie
-      return unless session[:shop_id].present?
-      ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
-    end
-
-    # rubocop:disable Lint/SuppressedException
-    def set_user_tokens_option
-      current_shop_session = shop_session
-
-      if current_shop_session.blank?
-        session[:user_tokens] = false
-        return
-      end
-
-      session[:user_tokens] = ShopifyApp::SessionRepository.user_storage.present?
+    def start_oauth
+      auth_attributes = ShopifyAPI::Auth::Oauth.begin_auth(
+        shop: sanitized_shop_name,
+        redirect_path: "/auth/shopify/callback",
+        is_online: user_session_expected?
+      )
+      cookies.encrypted[auth_attributes[:cookie].name] = {
+        expires: auth_attributes[:cookie].expires,
+        secure: true,
+        http_only: true,
+        value: auth_attributes[:cookie].value,
+      }
 
-      ShopifyAPI::Session.temp(
-        domain: current_shop_session.domain,
-        token: current_shop_session.token,
-        api_version: current_shop_session.api_version
-      ) do
-        ShopifyAPI::Metafield.find(:token_validity_bogus_check)
-      end
-    rescue ActiveResource::UnauthorizedAccess
-      session[:user_tokens] = false
-    rescue StandardError
+      redirect_to(auth_attributes[:auth_route], allow_other_host: true)
     end
-    # rubocop:enable Lint/SuppressedException
 
     def validate_shop_presence
       @shop = sanitized_shop_name
@@ -136,67 +70,21 @@ module ShopifyApp
     end
 
     def copy_return_to_param_to_session
-      session[:return_to] = RedirectSafely.make_safe(params[:return_to], '/') if params[:return_to]
+      session[:return_to] = RedirectSafely.make_safe(params[:return_to], "/") if params[:return_to]
     end
 
     def render_invalid_shop_error
-      flash[:error] = I18n.t('invalid_shop_url')
+      flash[:error] = I18n.t("invalid_shop_url")
       redirect_to(return_address)
     end
 
-    def enable_cookie_access
-      fullpage_redirect_to(enable_cookies_path(
-        shop: sanitized_shop_name,
-        host: host,
-        return_to: session[:return_to]
-      ))
-    end
-
-    def authenticate_in_context
-      post_redirect_to_auth_shopify
-    end
-
-    def post_redirect_to_auth_shopify
-      render('shopify_app/shared/post_redirect_to_auth_shopify', layout: false)
-    end
-
-    def authenticate_at_top_level
-      fullpage_redirect_to(login_url_with_optional_shop(top_level: true))
-    end
-
-    def authenticate_in_context?
+    def top_level?
       return true unless ShopifyApp.configuration.embedded_app?
-      params[:top_level]
+      !params[:top_level].nil?
     end
 
-    def request_storage_access?
-      return false unless ShopifyApp.configuration.embedded_app?
-      return false if params[:top_level]
-      return false if user_agent_is_mobile
-      return false if user_agent_is_pos
-
-      !session['shopify.granted_storage_access']
-    end
-
-    def redirect_to_request_storage_access
-      render(
-        :request_storage_access,
-        layout: false,
-        locals: {
-          does_not_have_storage_access_url: top_level_interaction_path(
-            shop: sanitized_shop_name,
-            host: host,
-            return_to: session[:return_to]
-          ),
-          has_storage_access_url: login_url_with_optional_shop(top_level: true),
-          app_target_url: granted_storage_access_path(
-            shop: sanitized_shop_name,
-            host: host,
-            return_to: session[:return_to]
-          ),
-          current_shopify_domain: current_shopify_domain,
-        }
-      )
+    def redirect_auth_to_top_level
+      fullpage_redirect_to(login_url_with_optional_shop(top_level: true))
     end
   end
 end

data/app/controllers/shopify_app/webhooks_controller.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class MissingWebhookJobError < StandardError; end
 
@@ -7,30 +8,11 @@ module ShopifyApp
 
     def receive
       params.permit!
-      webhook_job_klass.perform_later(shop_domain: shop_domain, webhook: webhook_params.to_h)
-      head(:ok)
-    end
-
-    private
 
-    def webhook_params
-      params.except(:controller, :action, :type)
-    end
-
-    def webhook_job_klass
-      webhook_job_klass_name.safe_constantize || raise(ShopifyApp::MissingWebhookJobError)
-    end
-
-    def webhook_job_klass_name(type = webhook_type)
-      [webhook_namespace, "#{type}_job"].compact.join('/').classify
-    end
-
-    def webhook_type
-      params[:type]
-    end
-
-    def webhook_namespace
-      ShopifyApp.configuration.webhook_jobs_namespace
+      ShopifyAPI::Webhooks::Registry.process(
+        ShopifyAPI::Webhooks::Request.new(raw_body: request.raw_post, headers: request.headers.to_h)
+      )
+      head(:ok)
     end
   end
 end

data/config/routes.rb

@@ -1,23 +1,17 @@
 # frozen_string_literal: true
+
 ShopifyApp::Engine.routes.draw do
   controller :sessions do
-    get 'login' => :new, :as => :login
-    post 'login' => :create, :as => :authenticate
-    get 'enable_cookies' => :enable_cookies, :as => :enable_cookies
-    get 'top_level_interaction' =>
-      :top_level_interaction,
-        :as => :top_level_interaction
-    get 'granted_storage_access' =>
-      :granted_storage_access,
-        :as => :granted_storage_access
-    get 'logout' => :destroy, :as => :logout
+    get "login" => :new, :as => :login
+    post "login" => :create, :as => :authenticate
+    get "logout" => :destroy, :as => :logout
   end
 
   controller :callback do
-    get 'auth/shopify/callback' => :callback
+    get "auth/shopify/callback" => :callback
   end
 
   namespace :webhooks do
-    post ':type' => :receive
+    post ":type" => :receive
   end
 end

data/docs/Troubleshooting.md

@@ -87,9 +87,6 @@ Edit `config/initializer/shopify_app.rb` and ensure the following configurations
 ```diff
 + config.embedded_app = true
 
-+ config.allow_jwt_authentication = true
-+ config.allow_cookie_authentication = false
-
 # This line should already exist if you're using shopify_app gem 13.x.x+
 + config.shop_session_repository = 'Shop'
 ```

data/docs/Upgrading.md

@@ -1,10 +1,12 @@
-# Upgrading 
+# Upgrading
 
 This file documents important changes needed to upgrade your app's Shopify App version to a new major version.
 
 #### Table of contents
 
-[Upgrading to `v18.1.1`](#upgrading-to-v1811)
+[Upgrading to `v19.0.0`](#upgrading-to-v1900)
+
+[Upgrading to `v18.1.2`](#upgrading-to-v1812)
 
 [Upgrading to `v17.2.0`](#upgrading-to-v1720)
 
@@ -14,10 +16,90 @@ This file documents important changes needed to upgrade your app's Shopify App v
 
 [Upgrading from `v8.6` to `v9.0.0`](#upgrading-from-v86-to-v900)
 
+## Upgrading to `v19.0.0`
+
+This update moves API authentication logic from this gem to the [`shopify_api`](https://github.com/Shopify/shopify_api)
+gem.
+
+### High-level process
+
+* Delete `config/initializers/omniauth.rb` as apps no longer need to initialize `OmniAuth` directly.
+* Delete `config/initializers/user_agent.rb` as `shopify_app` will set the right `User-Agent` header for interacting
+  with the Shopify API. If the app requires further information in the `User-Agent` header beyond what Shopify API
+  requires, specify this in the `ShopifyAPI::Context.user_agent_prefix` setting.
+* Remove `allow_jwt_authentication=` and `allow_cookie_authentication=` invocations from
+  `config/initializers/shopify_app.rb` as the decision logic for which authentication method to use is now handled
+  internally by the `shopify_api` gem, using the `ShopifyAPI::Context.embedded_app` setting.
+* `v19.0.0` updates the `shopify_api` dependency to `10.0.0`. This version of `shopify_api` has breaking changes. See
+  the documentation for addressing these breaking changes on GitHub [here](https://github.com/Shopify/shopify_api/blob/add_breaking_change_log_v10/README.md#breaking-change-notice-for-version-1000).
+
+### Specific cases
+
+#### Webhook Jobs
+
+Add a new `handle` method to existing webhook jobs to go through the updated `shopify_api` gem.
+
+```ruby
+class MyWebhookJob < ActiveJob::Base
+  extend ShopifyAPI::Webhooks::Handler
+
+  class << self
+    # new handle function
+    def handle(topic:, shop:, body:)
+      # delegate to pre-existing perform_later function
+      perform_later(topic: topic, shop_domain: shop, webhook: body)
+    end
+  end
+
+  # original perform function
+  def perform(topic:, shop_domain:, webhook:)
+    # ...
+```
+
+#### Temporary sessions
 
-## Upgrading to `v18.1.1`
+The new `shopify_api` gem offers a utility to temporarily create sessions for interacting with the API within a block.
+This is useful for interacting with the Shopify API outside of the context of a subclass of `AuthenticatedController`.
+
+```ruby
+ShopifyAPI::Auth::Session.temp(shop: shop_domain, access_token: shop_token) do |session|
+  # make invocations to the API
+end
+```
+
+Within a subclass of `AuthenticatedController`, the `current_shopify_session` function will return the current active
+Shopify API session, or `nil` if no such session is available.
+
+#### Setting up `ShopifyAPI::Context`
+
+The `shopify_app` initializer must configure the `ShopifyAPI::Context`. The Rails generator will
+generate a block in the `shopify_app` initializer. To do so manually, ensure the following is
+part of the `after_initialize` block in `shopify_app.rb`.
+
+```ruby
+Rails.application.config.after_initialize do
+  if ShopifyApp.configuration.api_key.present? && ShopifyApp.configuration.secret.present?
+    ShopifyAPI::Context.setup(
+      api_key: ShopifyApp.configuration.api_key,
+      api_secret_key: ShopifyApp.configuration.secret,
+      api_version: ShopifyApp.configuration.api_version,
+      host_name: URI(ENV.fetch('HOST', '')).host || '',
+      scope: ShopifyApp.configuration.scope,
+      is_private: !ENV.fetch('SHOPIFY_APP_PRIVATE_SHOP', '').empty?,
+      is_embedded: ShopifyApp.configuration.embedded_app,
+      session_storage: ShopifyApp::SessionRepository,
+      logger: Rails.logger,
+      private_shop: ENV.fetch('SHOPIFY_APP_PRIVATE_SHOP', nil),
+      user_agent_prefix: "ShopifyApp/#{ShopifyApp::VERSION}"
+    )
+
+    ShopifyApp::WebhooksManager.add_registrations
+  end
+end
+```
+## Upgrading to `v18.1.2`
 
-Version 18.1.1 replaces the deprecated EASDK redirect with an App Bridge redirect when attempting to break out of an iframe. This happens when an app is installed, requires new access scopes, or re-authentication because the login session is expired.
+Version 18.1.2 replaces the deprecated EASDK redirect with an App Bridge 2 redirect when attempting to break out of an iframe. This happens when an app is installed, requires new access scopes, or re-authentication because the login session is expired.
 
 ## Upgrading to `v17.2.0`
 
@@ -127,7 +209,7 @@ is changed to
 
 ### ShopifyAPI changes
 
-You will need to also follow the ShopifyAPI [upgrade guide](https://github.com/Shopify/shopify_api/blob/master/README.md#-breaking-change-notice-for-version-700-) to ensure your app is ready to work with API versioning. 
+You will need to also follow the ShopifyAPI [upgrade guide](https://github.com/Shopify/shopify_api/blob/master/README.md#-breaking-change-notice-for-version-700-) to ensure your app is ready to work with API versioning.
 
 [dashboard]:https://partners.shopify.com
 [app-bridge]:https://shopify.dev/apps/tools/app-bridge

data/docs/shopify_app/webhooks.md

@@ -66,7 +66,7 @@ The WebhooksManager uses ActiveJob. If ActiveJob is not configured then by defau
 ShopifyApp can create webhooks for you using the `add_webhook` generator. This will add the new webhook to your config and create the required job class for you.
 
 ```
-rails g shopify_app:add_webhook -t carts/update -a https://example.com/webhooks/carts_update
+rails g shopify_app:add_webhook -t carts/update -a /webhooks/carts_update
 ```
 
 Where `-t` is the topic and `-a` is the address the webhook should be sent to.

data/lib/generators/shopify_app/add_after_authenticate_job/add_after_authenticate_job_generator.rb

@@ -1,10 +1,11 @@
 # frozen_string_literal: true
-require 'rails/generators/base'
+
+require "rails/generators/base"
 
 module ShopifyApp
   module Generators
     class AddAfterAuthenticateJobGenerator < Rails::Generators::Base
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path("../templates", __FILE__)
 
       hook_for :test_framework, as: :job, in: :rails do |instance, generator|
         instance.invoke(generator, [instance.send(:job_file_name)])
@@ -15,32 +16,32 @@ module ShopifyApp
 
         after_authenticate_job_config =
           "  config.after_authenticate_job = "\
-          "{ job: \"Shopify::AfterAuthenticateJob\", inline: false }\n"
+            "{ job: \"Shopify::AfterAuthenticateJob\", inline: false }\n"
 
         inject_into_file(
-          'config/initializers/shopify_app.rb',
+          "config/initializers/shopify_app.rb",
           after_authenticate_job_config,
-          before: 'end'
+          before: "end"
         )
 
         unless initializer.include?(after_authenticate_job_config)
           shell.say("Error adding after_authenticate_job to config. Add this line manually: "\
-                    "#{after_authenticate_job_config}", :red)
+            "#{after_authenticate_job_config}", :red)
         end
       end
 
       def add_after_authenticate_job
-        template('after_authenticate_job.rb', "app/jobs/#{job_file_name}_job.rb")
+        template("after_authenticate_job.rb", "app/jobs/#{job_file_name}_job.rb")
       end
 
       private
 
       def load_initializer
-        File.read(File.join(destination_root, 'config/initializers/shopify_app.rb'))
+        File.read(File.join(destination_root, "config/initializers/shopify_app.rb"))
       end
 
       def job_file_name
-        'shopify/after_authenticate'
+        "shopify/after_authenticate"
       end
     end
   end

data/lib/generators/shopify_app/add_after_authenticate_job/templates/after_authenticate_job.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module Shopify
   class AfterAuthenticateJob < ActiveJob::Base
     def perform(shop_domain:)

data/lib/generators/shopify_app/add_marketing_activity_extension/add_marketing_activity_extension_generator.rb

@@ -1,10 +1,11 @@
 # frozen_string_literal: true
-require 'rails/generators/base'
+
+require "rails/generators/base"
 
 module ShopifyApp
   module Generators
     class AddMarketingActivityExtensionGenerator < Rails::Generators::Base
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path("../templates", __FILE__)
 
       def generate_app_extension
         template("marketing_activities_controller.rb", "app/controllers/marketing_activities_controller.rb")
@@ -15,7 +16,7 @@ module ShopifyApp
 
       def generate_routes
         inject_into_file(
-          'config/routes.rb',
+          "config/routes.rb",
           optimize_indentation(routes, 2),
           after: "root :to => 'home#index'\n"
         )

data/lib/generators/shopify_app/add_webhook/add_webhook_generator.rb

@@ -1,10 +1,11 @@
 # frozen_string_literal: true
-require 'rails/generators/base'
+
+require "rails/generators/base"
 
 module ShopifyApp
   module Generators
     class AddWebhookGenerator < Rails::Generators::Base
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path("../templates", __FILE__)
       class_option :topic, type: :string, aliases: "-t", required: true
       class_option :address, type: :string, aliases: "-a", required: true
 
@@ -17,15 +18,15 @@ module ShopifyApp
         return if initializer.include?("config.webhooks")
 
         inject_into_file(
-          'config/initializers/shopify_app.rb',
+          "config/initializers/shopify_app.rb",
           "  config.webhooks = [\n  ]\n",
-          before: 'end'
+          after: /ShopifyApp\.configure.*\n/
         )
       end
 
       def inject_webhook_to_shopify_app_initializer
         inject_into_file(
-          'config/initializers/shopify_app.rb',
+          "config/initializers/shopify_app.rb",
           webhook_config,
           after: "config.webhooks = ["
         )
@@ -38,31 +39,31 @@ module ShopifyApp
       end
 
       def add_webhook_job
-        @job_file_name = job_file_name + '_job'
+        @job_file_name = job_file_name + "_job"
         @job_class_name = @job_file_name.classify
-        template('webhook_job.rb', "app/jobs/#{@job_file_name}.rb")
+        template("webhook_job.rb", "app/jobs/#{@job_file_name}.rb")
       end
 
       private
 
       def job_file_name
-        address.split('/').last
+        address.split("/").last
       end
 
       def load_initializer
-        File.read(File.join(destination_root, 'config/initializers/shopify_app.rb'))
+        File.read(File.join(destination_root, "config/initializers/shopify_app.rb"))
       end
 
       def webhook_config
-        "\n    {topic: '#{topic}', address: '#{address}', format: 'json'},"
+        "\n    { topic: \"#{topic}\", address: \"#{address}\" },"
       end
 
       def topic
-        options['topic']
+        options["topic"]
       end
 
       def address
-        options['address']
+        options["address"]
       end
     end
   end

data/lib/generators/shopify_app/add_webhook/templates/webhook_job.rb.tt

@@ -1,5 +1,13 @@
 class <%= @job_class_name %> < ActiveJob::Base
-  def perform(shop_domain:, webhook:)
+  extend ShopifyAPI::Webhooks::Handler
+
+  class << self
+    def handle(topic:, shop:, body:)
+      perform_later(topic: topic, shop_domain: shop, webhook: body)
+    end
+  end
+
+  def perform(topic:, shop_domain:, webhook:)
     shop = Shop.find_by(shopify_domain: shop_domain)
 
     if shop.nil?

data/lib/generators/shopify_app/app_proxy_controller/app_proxy_controller_generator.rb

@@ -1,23 +1,24 @@
 # frozen_string_literal: true
-require 'rails/generators/base'
+
+require "rails/generators/base"
 
 module ShopifyApp
   module Generators
     class AppProxyControllerGenerator < Rails::Generators::Base
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path("../templates", __FILE__)
 
       def create_app_proxy_controller
-        template('app_proxy_controller.rb', 'app/controllers/app_proxy_controller.rb')
+        template("app_proxy_controller.rb", "app/controllers/app_proxy_controller.rb")
       end
 
       def create_app_proxy_index_view
-        copy_file('index.html.erb', 'app/views/app_proxy/index.html.erb')
+        copy_file("index.html.erb", "app/views/app_proxy/index.html.erb")
       end
 
       def add_app_proxy_route
         inject_into_file(
-          'config/routes.rb',
-          File.read(File.expand_path(find_in_source_paths('app_proxy_route.rb'))),
+          "config/routes.rb",
+          File.read(File.expand_path(find_in_source_paths("app_proxy_route.rb"))),
           after: "mount ShopifyApp::Engine, at: '/'\n"
         )
       end

data/lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_controller.rb

@@ -1,8 +1,9 @@
 # frozen_string_literal: true
+
 class AppProxyController < ApplicationController
   include ShopifyApp::AppProxyVerification
 
   def index
-    render(layout: false, content_type: 'application/liquid')
+    render(layout: false, content_type: "application/liquid")
   end
 end

data/lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_route.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 namespace :app_proxy do
-  root action: 'index'
+  root action: "index"
   # simple routes without a specified controller will go to AppProxyController
 
   # more complex routes will go to controllers in the AppProxy namespace

data/lib/generators/shopify_app/authenticated_controller/authenticated_controller_generator.rb

@@ -1,14 +1,14 @@
 # frozen_string_literal: true
 
-require 'rails/generators/base'
+require "rails/generators/base"
 
 module ShopifyApp
   module Generators
     class AuthenticatedControllerGenerator < Rails::Generators::Base
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path("../templates", __FILE__)
 
       def create_authenticated_controller
-        template('authenticated_controller.rb', 'app/controllers/authenticated_controller.rb')
+        template("authenticated_controller.rb", "app/controllers/authenticated_controller.rb")
       end
     end
   end