shopify_app 18.1.2 → 19.0.2

data/lib/generators/shopify_app/routes/routes_generator.rb

@@ -1,10 +1,11 @@
 # frozen_string_literal: true
-require 'rails/generators/base'
+
+require "rails/generators/base"
 
 module ShopifyApp
   module Generators
     class RoutesGenerator < Rails::Generators::Base
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path("../templates", __FILE__)
 
       def inject_shopify_app_routes_into_application_routes
         route(session_routes)
@@ -12,9 +13,9 @@ module ShopifyApp
 
       def disable_engine_routes
         gsub_file(
-          'config/routes.rb',
+          "config/routes.rb",
           "mount ShopifyApp::Engine, at: '/'",
-          ''
+          ""
         )
       end
 
@@ -25,7 +26,7 @@ module ShopifyApp
       end
 
       def routes_file_path
-        File.expand_path(find_in_source_paths('routes.rb'))
+        File.expand_path(find_in_source_paths("routes.rb"))
       end
     end
   end

data/lib/generators/shopify_app/routes/templates/routes.rb

@@ -1,12 +1,12 @@
 # frozen_string_literal: true
 
 controller :sessions do
-  get 'login' => :new, :as => :login
-  post 'login' => :create, :as => :authenticate
-  get 'auth/shopify/callback' => :callback
-  get 'logout' => :destroy, :as => :logout
+  get "login" => :new, :as => :login
+  post "login" => :create, :as => :authenticate
+  get "auth/shopify/callback" => :callback
+  get "logout" => :destroy, :as => :logout
 end
 
 namespace :webhooks do
-  post ':type' => :receive
+  post ":type" => :receive
 end

data/lib/generators/shopify_app/shop_model/shop_model_generator.rb

@@ -1,21 +1,22 @@
 # frozen_string_literal: true
-require 'rails/generators/base'
-require 'rails/generators/active_record'
+
+require "rails/generators/base"
+require "rails/generators/active_record"
 
 module ShopifyApp
   module Generators
     class ShopModelGenerator < Rails::Generators::Base
       include Rails::Generators::Migration
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path("../templates", __FILE__)
 
       class_option :new_shopify_cli_app, type: :boolean, default: false
 
       def create_shop_model
-        copy_file('shop.rb', 'app/models/shop.rb')
+        copy_file("shop.rb", "app/models/shop.rb")
       end
 
       def create_shop_migration
-        migration_template('db/migrate/create_shops.erb', 'db/migrate/create_shops.rb')
+        migration_template("db/migrate/create_shops.erb", "db/migrate/create_shops.rb")
       end
 
       def create_shop_with_access_scopes_migration
@@ -33,24 +34,24 @@ module ShopifyApp
 
         if new_shopify_cli_app? || Rails.env.test? || yes?(scopes_column_prompt)
           migration_template(
-            'db/migrate/add_shop_access_scopes_column.erb',
-            'db/migrate/add_shop_access_scopes_column.rb'
+            "db/migrate/add_shop_access_scopes_column.erb",
+            "db/migrate/add_shop_access_scopes_column.rb"
           )
         end
       end
 
       def update_shopify_app_initializer
-        gsub_file('config/initializers/shopify_app.rb', 'ShopifyApp::InMemoryShopSessionStore', 'Shop')
+        gsub_file("config/initializers/shopify_app.rb", "ShopifyApp::InMemoryShopSessionStore", "Shop")
       end
 
       def create_shop_fixtures
-        copy_file('shops.yml', 'test/fixtures/shops.yml')
+        copy_file("shops.yml", "test/fixtures/shops.yml")
       end
 
       private
 
       def new_shopify_cli_app?
-        options['new_shopify_cli_app']
+        options["new_shopify_cli_app"]
       end
 
       def rails_migration_version

data/lib/generators/shopify_app/shop_model/templates/shop.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 class Shop < ActiveRecord::Base
   include ShopifyApp::ShopSessionStorageWithScopes
 

data/lib/generators/shopify_app/shopify_app_generator.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module Generators
     class ShopifyAppGenerator < Rails::Generators::Base
@@ -8,10 +9,10 @@ module ShopifyApp
       end
 
       def run_all_generators
-        generate("shopify_app:install #{@opts.join(' ')}")
-        generate("shopify_app:shop_model #{@opts.join(' ')}")
+        generate("shopify_app:install #{@opts.join(" ")}")
+        generate("shopify_app:shop_model #{@opts.join(" ")}")
         generate("shopify_app:authenticated_controller")
-        generate("shopify_app:home_controller #{@opts.join(' ')}")
+        generate("shopify_app:home_controller #{@opts.join(" ")}")
       end
     end
   end

data/lib/generators/shopify_app/user_model/templates/user.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 class User < ActiveRecord::Base
   include ShopifyApp::UserSessionStorageWithScopes
 

data/lib/generators/shopify_app/user_model/user_model_generator.rb

@@ -1,21 +1,22 @@
 # frozen_string_literal: true
-require 'rails/generators/base'
-require 'rails/generators/active_record'
+
+require "rails/generators/base"
+require "rails/generators/active_record"
 
 module ShopifyApp
   module Generators
     class UserModelGenerator < Rails::Generators::Base
       include Rails::Generators::Migration
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path("../templates", __FILE__)
 
       class_option :new_shopify_cli_app, type: :boolean, default: false
 
       def create_user_model
-        copy_file('user.rb', 'app/models/user.rb')
+        copy_file("user.rb", "app/models/user.rb")
       end
 
       def create_user_migration
-        migration_template('db/migrate/create_users.erb', 'db/migrate/create_users.rb')
+        migration_template("db/migrate/create_users.erb", "db/migrate/create_users.rb")
       end
 
       def create_scopes_storage_in_user_model
@@ -33,24 +34,24 @@ module ShopifyApp
 
         if new_shopify_cli_app? || Rails.env.test? || yes?(scopes_column_prompt)
           migration_template(
-            'db/migrate/add_user_access_scopes_column.erb',
-            'db/migrate/add_user_access_scopes_column.rb'
+            "db/migrate/add_user_access_scopes_column.erb",
+            "db/migrate/add_user_access_scopes_column.rb"
           )
         end
       end
 
       def update_shopify_app_initializer
-        gsub_file('config/initializers/shopify_app.rb', 'ShopifyApp::InMemoryUserSessionStore', 'User')
+        gsub_file("config/initializers/shopify_app.rb", "ShopifyApp::InMemoryUserSessionStore", "User")
       end
 
       def create_user_fixtures
-        copy_file('users.yml', 'test/fixtures/users.yml')
+        copy_file("users.yml", "test/fixtures/users.yml")
       end
 
       private
 
       def new_shopify_cli_app?
-        options['new_shopify_cli_app']
+        options["new_shopify_cli_app"]
       end
 
       def rails_migration_version

data/lib/generators/shopify_app/views/views_generator.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
-require 'rails/generators/base'
+
+require "rails/generators/base"
 
 module ShopifyApp
   module Generators
@@ -15,14 +16,14 @@ module ShopifyApp
       private
 
       def views
-        files_within_root('.', 'app/views/**/*.*')
+        files_within_root(".", "app/views/**/*.*")
       end
 
       def files_within_root(prefix, glob)
         root = "#{self.class.source_root}/#{prefix}"
 
         Dir["#{root}/#{glob}"].sort.map do |full_path|
-          full_path.sub(root, '.').gsub('/./', '/')
+          full_path.sub(root, ".").gsub("/./", "/")
         end
       end
     end

data/lib/shopify_app/access_scopes/shop_strategy.rb

@@ -12,11 +12,11 @@ module ShopifyApp
         private
 
         def shop_access_scopes(shop_domain)
-          ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(shop_domain)&.access_scopes
+          ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(shop_domain)&.scope
         end
 
         def configuration_access_scopes
-          ShopifyAPI::ApiAccess.new(ShopifyApp.configuration.shop_access_scopes)
+          ShopifyAPI::Auth::AuthScopes.new(ShopifyApp.configuration.shop_access_scopes)
         end
       end
     end

data/lib/shopify_app/access_scopes/user_strategy.rb

@@ -9,7 +9,7 @@ module ShopifyApp
         def update_access_scopes?(user_id: nil, shopify_user_id: nil)
           return update_access_scopes_for_user_id?(user_id) if user_id
           return update_access_scopes_for_shopify_user_id?(shopify_user_id) if shopify_user_id
-          raise(InvalidInput, '#update_access_scopes? requires user_id or shopify_user_id parameter inputs')
+          raise(InvalidInput, "#update_access_scopes? requires user_id or shopify_user_id parameter inputs")
         end
 
         private
@@ -25,15 +25,15 @@ module ShopifyApp
         end
 
         def user_access_scopes_by_user_id(user_id)
-          ShopifyApp::SessionRepository.retrieve_user_session(user_id)&.access_scopes
+          ShopifyApp::SessionRepository.retrieve_user_session(user_id)&.scope
         end
 
         def user_access_scopes_by_shopify_user_id(shopify_user_id)
-          ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(shopify_user_id)&.access_scopes
+          ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(shopify_user_id)&.scope
         end
 
         def configuration_access_scopes
-          ShopifyAPI::ApiAccess.new(ShopifyApp.configuration.user_access_scopes)
+          ShopifyAPI::Auth::AuthScopes.new(ShopifyApp.configuration.user_access_scopes)
         end
       end
     end

data/lib/shopify_app/configuration.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class Configuration
     # Shopify App settings. These values should match the configuration
@@ -37,25 +38,16 @@ module ShopifyApp
     # allow namespacing webhook jobs
     attr_accessor :webhook_jobs_namespace
 
-    # allow enabling of same site none on cookies
-    attr_writer :enable_same_site_none
-
-    # allow enabling jwt headers for authentication
-    attr_accessor :allow_jwt_authentication
-
-    attr_accessor :allow_cookie_authentication
-
     def initialize
-      @root_url = '/'
-      @myshopify_domain = 'myshopify.com'
+      @root_url = "/"
+      @myshopify_domain = "myshopify.com"
       @scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
       @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
-      @disable_webpacker = ENV['SHOPIFY_APP_DISABLE_WEBPACKER'].present?
-      @allow_cookie_authentication = true
+      @disable_webpacker = ENV["SHOPIFY_APP_DISABLE_WEBPACKER"].present?
     end
 
     def login_url
-      @login_url || File.join(@root_url, 'login')
+      @login_url || File.join(@root_url, "login")
     end
 
     def user_session_repository=(klass)
@@ -92,10 +84,6 @@ module ShopifyApp
       scripttags.present?
     end
 
-    def enable_same_site_none
-      !Rails.env.test? && (@enable_same_site_none.nil? ? embedded_app? : @enable_same_site_none)
-    end
-
     def shop_access_scopes
       @shop_access_scopes || scope
     end

data/lib/shopify_app/controller_concerns/app_proxy_verification.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module AppProxyVerification
     extend ActiveSupport::Concern
@@ -16,7 +17,7 @@ module ShopifyApp
     def query_string_valid?(query_string)
       query_hash = Rack::Utils.parse_query(query_string)
 
-      signature = query_hash.delete('signature')
+      signature = query_hash.delete("signature")
       return false if signature.nil?
 
       ActiveSupport::SecurityUtils.secure_compare(
@@ -26,10 +27,10 @@ module ShopifyApp
     end
 
     def calculated_signature(query_hash_without_signature)
-      sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(',')}" }.sort.join
+      sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(",")}" }.sort.join
 
       OpenSSL::HMAC.hexdigest(
-        OpenSSL::Digest.new('sha256'),
+        OpenSSL::Digest.new("sha256"),
         ShopifyApp.configuration.secret,
         sorted_params
       )

data/lib/shopify_app/controller_concerns/csrf_protection.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module CsrfProtection
     extend ActiveSupport::Concern
@@ -9,7 +10,7 @@ module ShopifyApp
     private
 
     def valid_session_token?
-      request.env['jwt.shopify_domain']
+      request.env["jwt.shopify_domain"]
     end
   end
 end

data/lib/shopify_app/controller_concerns/embedded_app.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module EmbeddedApp
     extend ActiveSupport::Concern
@@ -6,15 +7,15 @@ module ShopifyApp
     included do
       if ShopifyApp.configuration.embedded_app?
         after_action(:set_esdk_headers)
-        layout('embedded_app')
+        layout("embedded_app")
       end
     end
 
     private
 
     def set_esdk_headers
-      response.set_header('P3P', 'CP="Not used"')
-      response.headers.except!('X-Frame-Options')
+      response.set_header("P3P", 'CP="Not used"')
+      response.headers.except!("X-Frame-Options")
     end
   end
 end

data/lib/shopify_app/controller_concerns/itp.rb

@@ -9,15 +9,15 @@ module ShopifyApp
       return unless ShopifyApp.configuration.embedded_app?
       return unless user_agent_can_partition_cookies
 
-      session['shopify.cookies_persist'] = true
+      session["shopify.cookies_persist"] = true
     end
 
     def set_top_level_oauth_cookie
-      session['shopify.top_level_oauth'] = true
+      session["shopify.top_level_oauth"] = true
     end
 
     def clear_top_level_oauth_cookie
-      session.delete('shopify.top_level_oauth')
+      session.delete("shopify.top_level_oauth")
     end
 
     def user_agent_is_mobile

data/lib/shopify_app/controller_concerns/localization.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module Localization
     extend ActiveSupport::Concern

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'browser_sniffer'
+require "browser_sniffer"
 
 module ShopifyApp
   module LoginProtection
@@ -13,82 +13,51 @@ module ShopifyApp
 
     included do
       after_action :set_test_cookie
-      rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
+      rescue_from ShopifyAPI::Errors::HttpResponseError, with: :handle_http_error
     end
 
-    ACCESS_TOKEN_REQUIRED_HEADER = 'X-Shopify-API-Request-Failure-Unauthorized'
+    ACCESS_TOKEN_REQUIRED_HEADER = "X-Shopify-API-Request-Failure-Unauthorized"
 
     def activate_shopify_session
-      if user_session_expected? && user_session.blank?
+      if current_shopify_session.blank?
         signal_access_token_required
         return redirect_to_login
       end
 
-      return redirect_to_login if current_shopify_session.blank?
+      unless current_shopify_session.scope.to_a.empty? ||
+          current_shopify_session.scope.covers?(ShopifyAPI::Context.scope)
 
-      clear_top_level_oauth_cookie
+        clear_shopify_session
+        return redirect_to_login
+      end
 
       begin
-        ShopifyAPI::Base.activate_session(current_shopify_session)
+        ShopifyAPI::Context.activate_session(current_shopify_session)
         yield
       ensure
-        ShopifyAPI::Base.clear_session
+        ShopifyAPI::Context.deactivate_session
       end
     end
 
     def current_shopify_session
       @current_shopify_session ||= begin
-        user_session || shop_session
+        cookie_name = ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME
+        ShopifyAPI::Utils::SessionUtils.load_current_session(
+          auth_header: request.headers["HTTP_AUTHORIZATION"],
+          cookies: { cookie_name => cookies.encrypted[cookie_name] },
+          is_online: user_session_expected?
+        )
+      rescue ShopifyAPI::Errors::CookieNotFoundError
+        nil
+      rescue ShopifyAPI::Errors::InvalidJwtTokenError
+        nil
       end
     end
 
-    def user_session
-      user_session_by_jwt || user_session_by_cookie
-    end
-
-    def user_session_by_jwt
-      return unless ShopifyApp.configuration.allow_jwt_authentication
-      return unless jwt_shopify_user_id
-      ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(jwt_shopify_user_id)
-    end
-
-    def user_session_by_cookie
-      return unless ShopifyApp.configuration.allow_cookie_authentication
-      return unless session[:user_id].present?
-      ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
-    end
-
-    def shop_session
-      shop_session_by_jwt || shop_session_by_cookie
-    end
-
-    def shop_session_by_jwt
-      return unless ShopifyApp.configuration.allow_jwt_authentication
-      return unless jwt_shopify_domain
-      ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(jwt_shopify_domain)
-    end
-
-    def shop_session_by_cookie
-      return unless ShopifyApp.configuration.allow_cookie_authentication
-      return unless session[:shop_id].present?
-      ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
-    end
-
     def login_again_if_different_user_or_shop
-      if session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
-        clear_session = session[:user_session] != params[:session] # current user is different from stored user
-      end
-
-      if current_shopify_session &&
-        params[:shop] && params[:shop].is_a?(String) &&
-        (current_shopify_session.domain != params[:shop])
-        clear_session = true
-      end
-
-      if clear_session
-        clear_shopify_session
-        redirect_to_login
-      end
+      return unless session_id_conflicts_with_params || session_shop_conflicts_with_params
+      clear_shopify_session
+      redirect_to_login
     end
 
     def signal_access_token_required
@@ -96,7 +65,7 @@ module ShopifyApp
     end
 
     def jwt_expire_at
-      expire_at = request.env['jwt.expire_at']
+      expire_at = request.env["jwt.expire_at"]
       return unless expire_at
       expire_at - 5.seconds # 5s gap to start fetching new token in advance
     end
@@ -104,11 +73,11 @@ module ShopifyApp
     protected
 
     def jwt_shopify_domain
-      request.env['jwt.shopify_domain']
+      request.env["jwt.shopify_domain"]
     end
 
     def jwt_shopify_user_id
-      request.env['jwt.shopify_user_id']
+      request.env["jwt.shopify_user_id"]
     end
 
     def host
@@ -137,12 +106,16 @@ module ShopifyApp
       redirect_to(login_url_with_optional_shop)
     end
 
+    def handle_http_error(error)
+      if error.code == 401
+        close_session
+      else
+        raise error
+      end
+    end
+
     def clear_shopify_session
-      session[:shop_id] = nil
-      session[:user_id] = nil
-      session[:shopify_domain] = nil
-      session[:shopify_user] = nil
-      session[:user_session] = nil
+      cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME] = nil
     end
 
     def login_url_with_optional_shop(top_level: false)
@@ -179,23 +152,21 @@ module ShopifyApp
     end
 
     def return_to_param_required?
-      native_params = %i[shop hmac timestamp locale protocol return_to]
-      request.path != '/' || sanitized_params.except(*native_params).any?
+      native_params = [:shop, :hmac, :timestamp, :locale, :protocol, :return_to]
+      request.path != "/" || sanitized_params.except(*native_params).any?
     end
 
     def fullpage_redirect_to(url)
       if ShopifyApp.configuration.embedded_app?
-        render('shopify_app/shared/redirect', layout: false,
-               locals: { url: url, current_shopify_domain: current_shopify_domain })
+        render("shopify_app/shared/redirect", layout: false,
+          locals: { url: url, current_shopify_domain: current_shopify_domain })
       else
         redirect_to(url)
       end
     end
 
     def current_shopify_domain
-      shopify_domain = sanitized_shop_name ||
-        jwt_shopify_domain ||
-        session[:shopify_domain]
+      shopify_domain = sanitized_shop_name || current_shopify_session&.shop
 
       return shopify_domain if shopify_domain.present?
 
@@ -252,7 +223,22 @@ module ShopifyApp
 
     private
 
+    def session_id_conflicts_with_params
+      shopify_session_id = current_shopify_session&.shopify_session_id
+      params[:session].present? && shopify_session_id.present? && params[:session] != shopify_session_id
+    end
+
+    def session_shop_conflicts_with_params
+      current_shopify_session && params[:shop].is_a?(String) && current_shopify_session.shop != params[:shop]
+    end
+
+    def shop_session
+      ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(sanitize_shop_param(params))
+    end
+
     def user_session_expected?
+      return false if shop_session.nil?
+      return false if ShopifyApp.configuration.shop_access_scopes_strategy.update_access_scopes?(shop_session.shop)
       !ShopifyApp.configuration.user_session_repository.blank? && ShopifyApp::SessionRepository.user_storage.present?
     end
   end

data/lib/shopify_app/controller_concerns/payload_verification.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module PayloadVerification
     extend ActiveSupport::Concern
@@ -6,14 +7,14 @@ module ShopifyApp
     private
 
     def shopify_hmac
-      request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
+      request.headers["HTTP_X_SHOPIFY_HMAC_SHA256"]
     end
 
     def hmac_valid?(data)
       secrets = [ShopifyApp.configuration.secret, ShopifyApp.configuration.old_secret].reject(&:blank?)
 
       secrets.any? do |secret|
-        digest = OpenSSL::Digest.new('sha256')
+        digest = OpenSSL::Digest.new("sha256")
         ActiveSupport::SecurityUtils.secure_compare(
           shopify_hmac,
           Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, data))

data/lib/shopify_app/controller_concerns/webhook_verification.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module WebhookVerification
     extend ActiveSupport::Concern
@@ -17,7 +18,7 @@ module ShopifyApp
     end
 
     def shop_domain
-      request.headers['HTTP_X_SHOPIFY_SHOP_DOMAIN']
+      request.headers["HTTP_X_SHOPIFY_SHOP_DOMAIN"]
     end
   end
 end