RubyGems - shopify_app - Versions diffs - 18.1.2 → 19.0.2 - Mend

shopify_app 18.1.2 → 19.0.2

Files changed (88) hide show

data/app/controllers/shopify_app/callback_controller.rb CHANGED Viewed

@@ -6,15 +6,34 @@ module ShopifyApp
     include ShopifyApp::LoginProtection
     def callback
-      return respond_with_error if invalid_request?
+      begin
+        filtered_params = request.parameters.symbolize_keys.slice(:code, :shop, :timestamp, :state, :host, :hmac)
+        auth_result = ShopifyAPI::Auth::Oauth.validate_auth_callback(
+          cookies: {
+            ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME =>
+              cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME],
+          },
+          auth_query: ShopifyAPI::Auth::Oauth::AuthQuery.new(**filtered_params)
+        )
+      rescue
+        return respond_with_error
+      end
+      cookies.encrypted[auth_result[:cookie].name] = {
+        expires: auth_result[:cookie].expires,
+        secure: true,
+        http_only: true,
+        value: auth_result[:cookie].value,
+      }
-      store_access_token_and_build_session
+      session[:shopify_user_id] = auth_result[:session].associated_user.id if auth_result[:session].online?
-      if start_user_token_flow?
+      if start_user_token_flow?(auth_result[:session])
         return respond_with_user_token_flow
       end
-      perform_post_authenticate_jobs
+      perform_post_authenticate_jobs(auth_result[:session])
       respond_successfully
     end
@@ -22,162 +41,56 @@ module ShopifyApp
     private
     def respond_successfully
-      if jwt_request?
-        head(:ok)
-      else
-        redirect_to(return_address)
-      end
-    end
-    def respond_with_user_token_flow
-      redirect_to(login_url_with_optional_shop)
-    end
-    def store_access_token_and_build_session
-      if native_browser_request?
-        reset_session_options
-      end
-      set_shopify_session
-    end
-    def invalid_request?
-      return true unless auth_hash
-      jwt_request? && !valid_jwt_auth?
-    end
-    def native_browser_request?
-      !jwt_request?
-    end
-    def perform_post_authenticate_jobs
-      install_webhooks
-      install_scripttags
-      perform_after_authenticate_job
+      redirect_to(return_address)
     end
     def respond_with_error
-      if jwt_request?
-        head(:unauthorized)
-      else
-        flash[:error] = I18n.t('could_not_log_in')
-        redirect_to(login_url_with_optional_shop)
-      end
+      flash[:error] = I18n.t("could_not_log_in")
+      redirect_to(login_url_with_optional_shop)
     end
-    # Override user_session_by_cookie from LoginProtection to bypass allow_cookie_authentication
-    # setting check because session cookies are justified at top level
-    def user_session_by_cookie
-      return unless session[:user_id].present?
-      ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
+    def respond_with_user_token_flow
+      redirect_to(login_url_with_optional_shop)
     end
-    def start_user_token_flow?
-      if jwt_request?
-        false
-      else
-        return false unless ShopifyApp::SessionRepository.user_storage.present?
-        update_user_access_scopes?
-      end
+    def start_user_token_flow?(shopify_session)
+      return false unless ShopifyApp::SessionRepository.user_storage.present?
+      return false if shopify_session.online?
+      update_user_access_scopes?
     end
     def update_user_access_scopes?
-      return true if user_session.blank?
-      user_access_scopes_strategy.update_access_scopes?(user_id: session[:user_id])
+      return true if session[:shopify_user_id].nil?
+      user_access_scopes_strategy.update_access_scopes?(shopify_user_id: session[:shopify_user_id])
     end
     def user_access_scopes_strategy
       ShopifyApp.configuration.user_access_scopes_strategy
     end
-    def jwt_request?
-      jwt_shopify_domain || jwt_shopify_user_id
-    end
-    def valid_jwt_auth?
-      auth_hash && jwt_shopify_domain == shop_name && jwt_shopify_user_id == associated_user_id
+    def perform_post_authenticate_jobs(session)
+      install_webhooks(session)
+      install_scripttags(session)
+      perform_after_authenticate_job(session)
     end
-    def auth_hash
-      request.env['omniauth.auth']
-    end
-    def shop_name
-      auth_hash.uid
-    end
-    def offline_access_token
-      ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(shop_name)&.token
-    end
-    def online_access_token
-      ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(associated_user_id)&.token
-    end
-    def associated_user
-      return unless auth_hash.dig('extra', 'associated_user').present?
-      auth_hash['extra']['associated_user'].merge('scope' => auth_hash['extra']['associated_user_scope'])
-    end
-    def associated_user_id
-      associated_user && associated_user['id']
-    end
-    def token
-      auth_hash['credentials']['token']
-    end
-    def access_scopes
-      auth_hash.dig('extra', 'scope')
-    end
-    def reset_session_options
-      request.session_options[:renew] = true
-      session.delete(:_csrf_token)
-    end
-    def set_shopify_session
-      session_store = ShopifyAPI::Session.new(
-        domain: shop_name,
-        token: token,
-        api_version: ShopifyApp.configuration.api_version,
-        access_scopes: access_scopes
-      )
-      session[:shopify_user] = associated_user
-      if session[:shopify_user].present?
-        session[:shop_id] = nil if shop_session && shop_session.domain != shop_name
-        session[:user_id] = ShopifyApp::SessionRepository.store_user_session(session_store, associated_user)
-      else
-        session[:shop_id] = ShopifyApp::SessionRepository.store_shop_session(session_store)
-        session[:user_id] = nil if user_session && user_session.domain != shop_name
-      end
-      session[:shopify_domain] = shop_name
-      session[:user_session] = auth_hash&.extra&.session
-    end
-    def install_webhooks
+    def install_webhooks(session)
       return unless ShopifyApp.configuration.has_webhooks?
-      WebhooksManager.queue(
-        shop_name,
-        offline_access_token || online_access_token,
-        ShopifyApp.configuration.webhooks
-      )
+      WebhooksManager.queue(session.shop, session.access_token)
     end
-    def install_scripttags
+    def install_scripttags(session)
       return unless ShopifyApp.configuration.has_scripttags?
       ScripttagsManager.queue(
-        shop_name,
-        offline_access_token || online_access_token,
+        session.shop,
+        session.access_token,
         ShopifyApp.configuration.scripttags
       )
     end
-    def perform_after_authenticate_job
+    def perform_after_authenticate_job(session)
       config = ShopifyApp.configuration.after_authenticate_job
       return unless config && config[:job].present?
@@ -186,9 +99,9 @@ module ShopifyApp
       job = job.constantize if job.is_a?(String)
       if config[:inline] == true
-        job.perform_now(shop_domain: session[:shopify_domain])
+        job.perform_now(shop_domain: session.shop)
       else
-        job.perform_later(shop_domain: session[:shopify_domain])
+        job.perform_later(shop_domain: session.shop)
       end
     end
   end

data/app/controllers/shopify_app/sessions_controller.rb CHANGED Viewed

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
 module ShopifyApp
   class SessionsController < ActionController::Base
     include ShopifyApp::LoginProtection
@@ -6,7 +7,7 @@ module ShopifyApp
     layout false, only: :new
     after_action only: [:new, :create] do |controller|
-      controller.response.headers.except!('X-Frame-Options')
+      controller.response.headers.except!("X-Frame-Options")
     end
     def new
@@ -17,43 +18,14 @@ module ShopifyApp
       authenticate
     end
-    def enable_cookies
-      return unless validate_shop_presence
-      render(:enable_cookies, layout: false, locals: {
-        does_not_have_storage_access_url: top_level_interaction_path(
-          shop: sanitized_shop_name,
-          host: host,
-          return_to: params[:return_to]
-        ),
-        has_storage_access_url: login_url_with_optional_shop(top_level: true),
-        app_target_url: granted_storage_access_path(
-          shop: sanitized_shop_name,
-          host: host,
-          return_to: params[:return_to]
-        ),
-        current_shopify_domain: current_shopify_domain,
-      })
-    end
     def top_level_interaction
       @url = login_url_with_optional_shop(top_level: true)
       validate_shop_presence
     end
-    def granted_storage_access
-      return unless validate_shop_presence
-      session['shopify.granted_storage_access'] = true
-      copy_return_to_param_to_session
-      redirect_to(return_address_with_params({ shop: @shop }))
-    end
     def destroy
       reset_session
-      flash[:notice] = I18n.t('.logged_out')
+      flash[:notice] = I18n.t(".logged_out")
       redirect_to(login_url_with_optional_shop)
     end
@@ -61,69 +33,31 @@ module ShopifyApp
     def authenticate
       return render_invalid_shop_error unless sanitized_shop_name.present?
-      session['shopify.omniauth_params'] = { shop: sanitized_shop_name }
       copy_return_to_param_to_session
-      set_user_tokens_option
-      if user_agent_can_partition_cookies
-        authenticate_with_partitioning
+      if top_level?
+        start_oauth
       else
-        authenticate_normally
+        redirect_auth_to_top_level
       end
     end
-    def authenticate_normally
-      if request_storage_access?
-        redirect_to_request_storage_access
-      elsif authenticate_in_context?
-        authenticate_in_context
-      else
-        authenticate_at_top_level
-      end
-    end
-    def authenticate_with_partitioning
-      if session['shopify.cookies_persist']
-        clear_top_level_oauth_cookie
-        authenticate_in_context
-      else
-        set_top_level_oauth_cookie
-        enable_cookie_access
-      end
-    end
-    # Override shop_session_by_cookie from LoginProtection to bypass allow_cookie_authentication
-    # setting check because session cookies are justified at top level
-    def shop_session_by_cookie
-      return unless session[:shop_id].present?
-      ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
-    end
-    # rubocop:disable Lint/SuppressedException
-    def set_user_tokens_option
-      current_shop_session = shop_session
-      if current_shop_session.blank?
-        session[:user_tokens] = false
-        return
-      end
-      session[:user_tokens] = ShopifyApp::SessionRepository.user_storage.present?
+    def start_oauth
+      auth_attributes = ShopifyAPI::Auth::Oauth.begin_auth(
+        shop: sanitized_shop_name,
+        redirect_path: "/auth/shopify/callback",
+        is_online: user_session_expected?
+      )
+      cookies.encrypted[auth_attributes[:cookie].name] = {
+        expires: auth_attributes[:cookie].expires,
+        secure: true,
+        http_only: true,
+        value: auth_attributes[:cookie].value,
+      }
-      ShopifyAPI::Session.temp(
-        domain: current_shop_session.domain,
-        token: current_shop_session.token,
-        api_version: current_shop_session.api_version
-      ) do
-        ShopifyAPI::Metafield.find(:token_validity_bogus_check)
-      end
-    rescue ActiveResource::UnauthorizedAccess
-      session[:user_tokens] = false
-    rescue StandardError
+      redirect_to(auth_attributes[:auth_route], allow_other_host: true)
     end
-    # rubocop:enable Lint/SuppressedException
     def validate_shop_presence
       @shop = sanitized_shop_name
@@ -136,67 +70,21 @@ module ShopifyApp
     end
     def copy_return_to_param_to_session
-      session[:return_to] = RedirectSafely.make_safe(params[:return_to], '/') if params[:return_to]
+      session[:return_to] = RedirectSafely.make_safe(params[:return_to], "/") if params[:return_to]
     end
     def render_invalid_shop_error
-      flash[:error] = I18n.t('invalid_shop_url')
+      flash[:error] = I18n.t("invalid_shop_url")
       redirect_to(return_address)
     end
-    def enable_cookie_access
-      fullpage_redirect_to(enable_cookies_path(
-        shop: sanitized_shop_name,
-        host: host,
-        return_to: session[:return_to]
-      ))
-    end
-    def authenticate_in_context
-      post_redirect_to_auth_shopify
-    end
-    def post_redirect_to_auth_shopify
-      render('shopify_app/shared/post_redirect_to_auth_shopify', layout: false)
-    end
-    def authenticate_at_top_level
-      fullpage_redirect_to(login_url_with_optional_shop(top_level: true))
-    end
-    def authenticate_in_context?
+    def top_level?
       return true unless ShopifyApp.configuration.embedded_app?
-      params[:top_level]
+      !params[:top_level].nil?
     end
-    def request_storage_access?
-      return false unless ShopifyApp.configuration.embedded_app?
-      return false if params[:top_level]
-      return false if user_agent_is_mobile
-      return false if user_agent_is_pos
-      !session['shopify.granted_storage_access']
-    end
-    def redirect_to_request_storage_access
-      render(
-        :request_storage_access,
-        layout: false,
-        locals: {
-          does_not_have_storage_access_url: top_level_interaction_path(
-            shop: sanitized_shop_name,
-            host: host,
-            return_to: session[:return_to]
-          ),
-          has_storage_access_url: login_url_with_optional_shop(top_level: true),
-          app_target_url: granted_storage_access_path(
-            shop: sanitized_shop_name,
-            host: host,
-            return_to: session[:return_to]
-          ),
-          current_shopify_domain: current_shopify_domain,
-        }
-      )
+    def redirect_auth_to_top_level
+      fullpage_redirect_to(login_url_with_optional_shop(top_level: true))
     end
   end
 end

data/app/controllers/shopify_app/webhooks_controller.rb CHANGED Viewed

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
 module ShopifyApp
   class MissingWebhookJobError < StandardError; end
@@ -7,30 +8,11 @@ module ShopifyApp
     def receive
       params.permit!
-      webhook_job_klass.perform_later(shop_domain: shop_domain, webhook: webhook_params.to_h)
-      head(:ok)
-    end
-    private
-    def webhook_params
-      params.except(:controller, :action, :type)
-    end
-    def webhook_job_klass
-      webhook_job_klass_name.safe_constantize || raise(ShopifyApp::MissingWebhookJobError)
-    end
-    def webhook_job_klass_name(type = webhook_type)
-      [webhook_namespace, "#{type}_job"].compact.join('/').classify
-    end
-    def webhook_type
-      params[:type]
-    end
-    def webhook_namespace
-      ShopifyApp.configuration.webhook_jobs_namespace
+      ShopifyAPI::Webhooks::Registry.process(
+        ShopifyAPI::Webhooks::Request.new(raw_body: request.raw_post, headers: request.headers.to_h)
+      )
+      head(:ok)
     end
   end
 end

data/config/routes.rb CHANGED Viewed

@@ -1,23 +1,17 @@
 # frozen_string_literal: true
 ShopifyApp::Engine.routes.draw do
   controller :sessions do
-    get 'login' => :new, :as => :login
-    post 'login' => :create, :as => :authenticate
-    get 'enable_cookies' => :enable_cookies, :as => :enable_cookies
-    get 'top_level_interaction' =>
-      :top_level_interaction,
-        :as => :top_level_interaction
-    get 'granted_storage_access' =>
-      :granted_storage_access,
-        :as => :granted_storage_access
-    get 'logout' => :destroy, :as => :logout
+    get "login" => :new, :as => :login
+    post "login" => :create, :as => :authenticate
+    get "logout" => :destroy, :as => :logout
   end
   controller :callback do
-    get 'auth/shopify/callback' => :callback
+    get "auth/shopify/callback" => :callback
   end
   namespace :webhooks do
-    post ':type' => :receive
+    post ":type" => :receive
   end
 end

data/docs/Troubleshooting.md CHANGED Viewed

@@ -87,9 +87,6 @@ Edit `config/initializer/shopify_app.rb` and ensure the following configurations
 ```diff
 + config.embedded_app = true
-+ config.allow_jwt_authentication = true
-+ config.allow_cookie_authentication = false
 # This line should already exist if you're using shopify_app gem 13.x.x+
 + config.shop_session_repository = 'Shop'
 ```

data/docs/Upgrading.md CHANGED Viewed

@@ -1,10 +1,12 @@
-# Upgrading
+# Upgrading
 This file documents important changes needed to upgrade your app's Shopify App version to a new major version.
 #### Table of contents
-[Upgrading to `v18.1.1`](#upgrading-to-v1811)
+[Upgrading to `v19.0.0`](#upgrading-to-v1900)
+[Upgrading to `v18.1.2`](#upgrading-to-v1812)
 [Upgrading to `v17.2.0`](#upgrading-to-v1720)
@@ -14,10 +16,90 @@ This file documents important changes needed to upgrade your app's Shopify App v
 [Upgrading from `v8.6` to `v9.0.0`](#upgrading-from-v86-to-v900)
+## Upgrading to `v19.0.0`
+This update moves API authentication logic from this gem to the [`shopify_api`](https://github.com/Shopify/shopify_api)
+gem.
+### High-level process
+* Delete `config/initializers/omniauth.rb` as apps no longer need to initialize `OmniAuth` directly.
+* Delete `config/initializers/user_agent.rb` as `shopify_app` will set the right `User-Agent` header for interacting
+  with the Shopify API. If the app requires further information in the `User-Agent` header beyond what Shopify API
+  requires, specify this in the `ShopifyAPI::Context.user_agent_prefix` setting.
+* Remove `allow_jwt_authentication=` and `allow_cookie_authentication=` invocations from
+  `config/initializers/shopify_app.rb` as the decision logic for which authentication method to use is now handled
+  internally by the `shopify_api` gem, using the `ShopifyAPI::Context.embedded_app` setting.
+* `v19.0.0` updates the `shopify_api` dependency to `10.0.0`. This version of `shopify_api` has breaking changes. See
+  the documentation for addressing these breaking changes on GitHub [here](https://github.com/Shopify/shopify_api#breaking-change-notice-for-version-1000).
+### Specific cases
+#### Webhook Jobs
+Add a new `handle` method to existing webhook jobs to go through the updated `shopify_api` gem.
+```ruby
+class MyWebhookJob < ActiveJob::Base
+  extend ShopifyAPI::Webhooks::Handler
+  class << self
+    # new handle function
+    def handle(topic:, shop:, body:)
+      # delegate to pre-existing perform_later function
+      perform_later(topic: topic, shop_domain: shop, webhook: body)
+    end
+  end
+  # original perform function
+  def perform(topic:, shop_domain:, webhook:)
+    # ...
+```
+#### Temporary sessions
-## Upgrading to `v18.1.1`
+The new `shopify_api` gem offers a utility to temporarily create sessions for interacting with the API within a block.
+This is useful for interacting with the Shopify API outside of the context of a subclass of `AuthenticatedController`.
+```ruby
+ShopifyAPI::Auth::Session.temp(shop: shop_domain, access_token: shop_token) do |session|
+  # make invocations to the API
+end
+```
+Within a subclass of `AuthenticatedController`, the `current_shopify_session` function will return the current active
+Shopify API session, or `nil` if no such session is available.
+#### Setting up `ShopifyAPI::Context`
+The `shopify_app` initializer must configure the `ShopifyAPI::Context`. The Rails generator will
+generate a block in the `shopify_app` initializer. To do so manually, ensure the following is
+part of the `after_initialize` block in `shopify_app.rb`.
+```ruby
+Rails.application.config.after_initialize do
+  if ShopifyApp.configuration.api_key.present? && ShopifyApp.configuration.secret.present?
+    ShopifyAPI::Context.setup(
+      api_key: ShopifyApp.configuration.api_key,
+      api_secret_key: ShopifyApp.configuration.secret,
+      api_version: ShopifyApp.configuration.api_version,
+      host_name: URI(ENV.fetch('HOST', '')).host || '',
+      scope: ShopifyApp.configuration.scope,
+      is_private: !ENV.fetch('SHOPIFY_APP_PRIVATE_SHOP', '').empty?,
+      is_embedded: ShopifyApp.configuration.embedded_app,
+      session_storage: ShopifyApp::SessionRepository,
+      logger: Rails.logger,
+      private_shop: ENV.fetch('SHOPIFY_APP_PRIVATE_SHOP', nil),
+      user_agent_prefix: "ShopifyApp/#{ShopifyApp::VERSION}"
+    )
+    ShopifyApp::WebhooksManager.add_registrations
+  end
+end
+```
+## Upgrading to `v18.1.2`
-Version 18.1.1 replaces the deprecated EASDK redirect with an App Bridge redirect when attempting to break out of an iframe. This happens when an app is installed, requires new access scopes, or re-authentication because the login session is expired.
+Version 18.1.2 replaces the deprecated EASDK redirect with an App Bridge 2 redirect when attempting to break out of an iframe. This happens when an app is installed, requires new access scopes, or re-authentication because the login session is expired.
 ## Upgrading to `v17.2.0`
@@ -127,7 +209,7 @@ is changed to
 ### ShopifyAPI changes
-You will need to also follow the ShopifyAPI [upgrade guide](https://github.com/Shopify/shopify_api/blob/master/README.md#-breaking-change-notice-for-version-700-) to ensure your app is ready to work with API versioning.
+You will need to also follow the ShopifyAPI [upgrade guide](https://github.com/Shopify/shopify_api/blob/master/README.md#-breaking-change-notice-for-version-700-) to ensure your app is ready to work with API versioning.
 [dashboard]:https://partners.shopify.com
 [app-bridge]:https://shopify.dev/apps/tools/app-bridge

data/docs/shopify_app/webhooks.md CHANGED Viewed

@@ -66,7 +66,7 @@ The WebhooksManager uses ActiveJob. If ActiveJob is not configured then by defau
 ShopifyApp can create webhooks for you using the `add_webhook` generator. This will add the new webhook to your config and create the required job class for you.
 ```
-rails g shopify_app:add_webhook -t carts/update -a https://example.com/webhooks/carts_update
+rails g shopify_app:add_webhook -t carts/update -a /webhooks/carts_update
 ```
 Where `-t` is the topic and `-a` is the address the webhook should be sent to.