shopify_app 18.1.3 → 19.0.0

data/app/controllers/shopify_app/sessions_controller.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class SessionsController < ActionController::Base
     include ShopifyApp::LoginProtection
@@ -6,7 +7,7 @@ module ShopifyApp
     layout false, only: :new
 
     after_action only: [:new, :create] do |controller|
-      controller.response.headers.except!('X-Frame-Options')
+      controller.response.headers.except!("X-Frame-Options")
     end
 
     def new
@@ -17,43 +18,14 @@ module ShopifyApp
       authenticate
     end
 
-    def enable_cookies
-      return unless validate_shop_presence
-
-      render(:enable_cookies, layout: false, locals: {
-        does_not_have_storage_access_url: top_level_interaction_path(
-          shop: sanitized_shop_name,
-          host: host,
-          return_to: params[:return_to]
-        ),
-        has_storage_access_url: login_url_with_optional_shop(top_level: true),
-        app_target_url: granted_storage_access_path(
-          shop: sanitized_shop_name,
-          host: host,
-          return_to: params[:return_to]
-        ),
-        current_shopify_domain: current_shopify_domain,
-      })
-    end
-
     def top_level_interaction
       @url = login_url_with_optional_shop(top_level: true)
       validate_shop_presence
     end
 
-    def granted_storage_access
-      return unless validate_shop_presence
-
-      session['shopify.granted_storage_access'] = true
-
-      copy_return_to_param_to_session
-
-      redirect_to(return_address_with_params({ shop: @shop }))
-    end
-
     def destroy
       reset_session
-      flash[:notice] = I18n.t('.logged_out')
+      flash[:notice] = I18n.t(".logged_out")
       redirect_to(login_url_with_optional_shop)
     end
 
@@ -61,69 +33,31 @@ module ShopifyApp
 
     def authenticate
       return render_invalid_shop_error unless sanitized_shop_name.present?
-      session['shopify.omniauth_params'] = { shop: sanitized_shop_name }
 
       copy_return_to_param_to_session
 
-      set_user_tokens_option
-
-      if user_agent_can_partition_cookies
-        authenticate_with_partitioning
+      if top_level?
+        start_oauth
       else
-        authenticate_normally
+        redirect_auth_to_top_level
       end
     end
 
-    def authenticate_normally
-      if request_storage_access?
-        redirect_to_request_storage_access
-      elsif authenticate_in_context?
-        authenticate_in_context
-      else
-        authenticate_at_top_level
-      end
-    end
-
-    def authenticate_with_partitioning
-      if session['shopify.cookies_persist']
-        clear_top_level_oauth_cookie
-        authenticate_in_context
-      else
-        set_top_level_oauth_cookie
-        enable_cookie_access
-      end
-    end
-
-    # Override shop_session_by_cookie from LoginProtection to bypass allow_cookie_authentication
-    # setting check because session cookies are justified at top level
-    def shop_session_by_cookie
-      return unless session[:shop_id].present?
-      ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
-    end
-
-    # rubocop:disable Lint/SuppressedException
-    def set_user_tokens_option
-      current_shop_session = shop_session
-
-      if current_shop_session.blank?
-        session[:user_tokens] = false
-        return
-      end
-
-      session[:user_tokens] = ShopifyApp::SessionRepository.user_storage.present?
+    def start_oauth
+      auth_attributes = ShopifyAPI::Auth::Oauth.begin_auth(
+        shop: sanitized_shop_name,
+        redirect_path: "/auth/shopify/callback",
+        is_online: user_session_expected?
+      )
+      cookies.encrypted[auth_attributes[:cookie].name] = {
+        expires: auth_attributes[:cookie].expires,
+        secure: true,
+        http_only: true,
+        value: auth_attributes[:cookie].value,
+      }
 
-      ShopifyAPI::Session.temp(
-        domain: current_shop_session.domain,
-        token: current_shop_session.token,
-        api_version: current_shop_session.api_version
-      ) do
-        ShopifyAPI::Metafield.find(:token_validity_bogus_check)
-      end
-    rescue ActiveResource::UnauthorizedAccess
-      session[:user_tokens] = false
-    rescue StandardError
+      redirect_to(auth_attributes[:auth_route], allow_other_host: true)
     end
-    # rubocop:enable Lint/SuppressedException
 
     def validate_shop_presence
       @shop = sanitized_shop_name
@@ -136,67 +70,21 @@ module ShopifyApp
     end
 
     def copy_return_to_param_to_session
-      session[:return_to] = RedirectSafely.make_safe(params[:return_to], '/') if params[:return_to]
+      session[:return_to] = RedirectSafely.make_safe(params[:return_to], "/") if params[:return_to]
     end
 
     def render_invalid_shop_error
-      flash[:error] = I18n.t('invalid_shop_url')
+      flash[:error] = I18n.t("invalid_shop_url")
       redirect_to(return_address)
     end
 
-    def enable_cookie_access
-      fullpage_redirect_to(enable_cookies_path(
-        shop: sanitized_shop_name,
-        host: host,
-        return_to: session[:return_to]
-      ))
-    end
-
-    def authenticate_in_context
-      post_redirect_to_auth_shopify
-    end
-
-    def post_redirect_to_auth_shopify
-      render('shopify_app/shared/post_redirect_to_auth_shopify', layout: false)
-    end
-
-    def authenticate_at_top_level
-      fullpage_redirect_to(login_url_with_optional_shop(top_level: true))
-    end
-
-    def authenticate_in_context?
+    def top_level?
       return true unless ShopifyApp.configuration.embedded_app?
-      params[:top_level]
+      !params[:top_level].nil?
     end
 
-    def request_storage_access?
-      return false unless ShopifyApp.configuration.embedded_app?
-      return false if params[:top_level]
-      return false if user_agent_is_mobile
-      return false if user_agent_is_pos
-
-      !session['shopify.granted_storage_access']
-    end
-
-    def redirect_to_request_storage_access
-      render(
-        :request_storage_access,
-        layout: false,
-        locals: {
-          does_not_have_storage_access_url: top_level_interaction_path(
-            shop: sanitized_shop_name,
-            host: host,
-            return_to: session[:return_to]
-          ),
-          has_storage_access_url: login_url_with_optional_shop(top_level: true),
-          app_target_url: granted_storage_access_path(
-            shop: sanitized_shop_name,
-            host: host,
-            return_to: session[:return_to]
-          ),
-          current_shopify_domain: current_shopify_domain,
-        }
-      )
+    def redirect_auth_to_top_level
+      fullpage_redirect_to(login_url_with_optional_shop(top_level: true))
     end
   end
 end

data/app/controllers/shopify_app/webhooks_controller.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class MissingWebhookJobError < StandardError; end
 
@@ -7,30 +8,11 @@ module ShopifyApp
 
     def receive
       params.permit!
-      webhook_job_klass.perform_later(shop_domain: shop_domain, webhook: webhook_params.to_h)
-      head(:ok)
-    end
-
-    private
 
-    def webhook_params
-      params.except(:controller, :action, :type)
-    end
-
-    def webhook_job_klass
-      webhook_job_klass_name.safe_constantize || raise(ShopifyApp::MissingWebhookJobError)
-    end
-
-    def webhook_job_klass_name(type = webhook_type)
-      [webhook_namespace, "#{type}_job"].compact.join('/').classify
-    end
-
-    def webhook_type
-      params[:type]
-    end
-
-    def webhook_namespace
-      ShopifyApp.configuration.webhook_jobs_namespace
+      ShopifyAPI::Webhooks::Registry.process(
+        ShopifyAPI::Webhooks::Request.new(raw_body: request.raw_post, headers: request.headers.to_h)
+      )
+      head(:ok)
     end
   end
 end

data/config/routes.rb

@@ -1,23 +1,17 @@
 # frozen_string_literal: true
+
 ShopifyApp::Engine.routes.draw do
   controller :sessions do
-    get 'login' => :new, :as => :login
-    post 'login' => :create, :as => :authenticate
-    get 'enable_cookies' => :enable_cookies, :as => :enable_cookies
-    get 'top_level_interaction' =>
-      :top_level_interaction,
-        :as => :top_level_interaction
-    get 'granted_storage_access' =>
-      :granted_storage_access,
-        :as => :granted_storage_access
-    get 'logout' => :destroy, :as => :logout
+    get "login" => :new, :as => :login
+    post "login" => :create, :as => :authenticate
+    get "logout" => :destroy, :as => :logout
   end
 
   controller :callback do
-    get 'auth/shopify/callback' => :callback
+    get "auth/shopify/callback" => :callback
   end
 
   namespace :webhooks do
-    post ':type' => :receive
+    post ":type" => :receive
   end
 end

data/docs/Troubleshooting.md

@@ -87,9 +87,6 @@ Edit `config/initializer/shopify_app.rb` and ensure the following configurations
 ```diff
 + config.embedded_app = true
 
-+ config.allow_jwt_authentication = true
-+ config.allow_cookie_authentication = false
-
 # This line should already exist if you're using shopify_app gem 13.x.x+
 + config.shop_session_repository = 'Shop'
 ```

data/docs/Upgrading.md

@@ -1,9 +1,11 @@
-# Upgrading 
+# Upgrading
 
 This file documents important changes needed to upgrade your app's Shopify App version to a new major version.
 
 #### Table of contents
 
+[Upgrading to `v19.0.0`](#upgrading-to-v1900)
+
 [Upgrading to `v18.1.2`](#upgrading-to-v1812)
 
 [Upgrading to `v17.2.0`](#upgrading-to-v1720)
@@ -14,6 +16,87 @@ This file documents important changes needed to upgrade your app's Shopify App v
 
 [Upgrading from `v8.6` to `v9.0.0`](#upgrading-from-v86-to-v900)
 
+## Upgrading to `v19.0.0`
+
+This update moves API authentication logic from this gem to the [`shopify_api`](https://github.com/Shopify/shopify_api)
+gem.
+
+### High-level process
+
+* Delete `config/initializers/omniauth.rb` as apps no longer need to initialize `OmniAuth` directly.
+* Delete `config/initializers/user_agent.rb` as `shopify_app` will set the right `User-Agent` header for interacting
+  with the Shopify API. If the app requires further information in the `User-Agent` header beyond what Shopify API
+  requires, specify this in the `ShopifyAPI::Context.user_agent_prefix` setting.
+* Remove `allow_jwt_authentication=` and `allow_cookie_authentication=` invocations from
+  `config/initializers/shopify_app.rb` as the decision logic for which authentication method to use is now handled
+  internally by the `shopify_api` gem, using the `ShopifyAPI::Context.embedded_app` setting.
+* `v19.0.0` updates the `shopify_api` dependency to `10.0.0`. This version of `shopify_api` has breaking changes. See
+  the documentation for addressing these breaking changes on GitHub [here](https://github.com/Shopify/shopify_api/blob/add_breaking_change_log_v10/README.md#breaking-change-notice-for-version-1000).
+
+### Specific cases
+
+#### Webhook Jobs
+
+Add a new `handle` method to existing webhook jobs to go through the updated `shopify_api` gem.
+
+```ruby
+class MyWebhookJob < ActiveJob::Base
+  extend ShopifyAPI::Webhooks::Handler
+
+  class << self
+    # new handle function
+    def handle(topic:, shop:, body:)
+      # delegate to pre-existing perform_later function
+      perform_later(topic: topic, shop_domain: shop, webhook: body)
+    end
+  end
+
+  # original perform function
+  def perform(topic:, shop_domain:, webhook:)
+    # ...
+```
+
+#### Temporary sessions
+
+The new `shopify_api` gem offers a utility to temporarily create sessions for interacting with the API within a block.
+This is useful for interacting with the Shopify API outside of the context of a subclass of `AuthenticatedController`.
+
+```ruby
+ShopifyAPI::Auth::Session.temp(shop: shop_domain, access_token: shop_token) do |session|
+  # make invocations to the API
+end
+```
+
+Within a subclass of `AuthenticatedController`, the `current_shopify_session` function will return the current active
+Shopify API session, or `nil` if no such session is available.
+
+#### Setting up `ShopifyAPI::Context`
+
+The `shopify_app` initializer must configure the `ShopifyAPI::Context`. The Rails generator will
+generate a block in the `shopify_app` initializer. To do so manually, ensure the following is
+part of the `after_initialize` block in `shopify_app.rb`.
+
+```ruby
+Rails.application.config.after_initialize do
+  if ShopifyApp.configuration.api_key.present? && ShopifyApp.configuration.secret.present?
+    ShopifyAPI::Context.setup(
+      api_key: ShopifyApp.configuration.api_key,
+      api_secret_key: ShopifyApp.configuration.secret,
+      api_version: ShopifyApp.configuration.api_version,
+      host_name: URI(ENV.fetch('HOST', '')).host || '',
+      scope: ShopifyApp.configuration.scope,
+      is_private: !ENV.fetch('SHOPIFY_APP_PRIVATE_SHOP', '').empty?,
+      is_embedded: ShopifyApp.configuration.embedded_app,
+      session_storage: ShopifyApp::SessionRepository,
+      logger: Rails.logger,
+      private_shop: ENV.fetch('SHOPIFY_APP_PRIVATE_SHOP', nil),
+      user_agent_prefix: "ShopifyApp/#{ShopifyApp::VERSION}"
+    )
+
+    ShopifyApp::WebhooksManager.add_registrations
+  end
+end
+```
 ## Upgrading to `v18.1.2`
 
 Version 18.1.2 replaces the deprecated EASDK redirect with an App Bridge 2 redirect when attempting to break out of an iframe. This happens when an app is installed, requires new access scopes, or re-authentication because the login session is expired.
@@ -126,7 +209,7 @@ is changed to
 
 ### ShopifyAPI changes
 
-You will need to also follow the ShopifyAPI [upgrade guide](https://github.com/Shopify/shopify_api/blob/master/README.md#-breaking-change-notice-for-version-700-) to ensure your app is ready to work with API versioning. 
+You will need to also follow the ShopifyAPI [upgrade guide](https://github.com/Shopify/shopify_api/blob/master/README.md#-breaking-change-notice-for-version-700-) to ensure your app is ready to work with API versioning.
 
 [dashboard]:https://partners.shopify.com
 [app-bridge]:https://shopify.dev/apps/tools/app-bridge

data/docs/shopify_app/webhooks.md

@@ -66,7 +66,7 @@ The WebhooksManager uses ActiveJob. If ActiveJob is not configured then by defau
 ShopifyApp can create webhooks for you using the `add_webhook` generator. This will add the new webhook to your config and create the required job class for you.
 
 ```
-rails g shopify_app:add_webhook -t carts/update -a https://example.com/webhooks/carts_update
+rails g shopify_app:add_webhook -t carts/update -a /webhooks/carts_update
 ```
 
 Where `-t` is the topic and `-a` is the address the webhook should be sent to.

data/lib/generators/shopify_app/add_after_authenticate_job/add_after_authenticate_job_generator.rb

@@ -1,10 +1,11 @@
 # frozen_string_literal: true
-require 'rails/generators/base'
+
+require "rails/generators/base"
 
 module ShopifyApp
   module Generators
     class AddAfterAuthenticateJobGenerator < Rails::Generators::Base
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path("../templates", __FILE__)
 
       hook_for :test_framework, as: :job, in: :rails do |instance, generator|
         instance.invoke(generator, [instance.send(:job_file_name)])
@@ -15,32 +16,32 @@ module ShopifyApp
 
         after_authenticate_job_config =
           "  config.after_authenticate_job = "\
-          "{ job: \"Shopify::AfterAuthenticateJob\", inline: false }\n"
+            "{ job: \"Shopify::AfterAuthenticateJob\", inline: false }\n"
 
         inject_into_file(
-          'config/initializers/shopify_app.rb',
+          "config/initializers/shopify_app.rb",
           after_authenticate_job_config,
-          before: 'end'
+          before: "end"
         )
 
         unless initializer.include?(after_authenticate_job_config)
           shell.say("Error adding after_authenticate_job to config. Add this line manually: "\
-                    "#{after_authenticate_job_config}", :red)
+            "#{after_authenticate_job_config}", :red)
         end
       end
 
       def add_after_authenticate_job
-        template('after_authenticate_job.rb', "app/jobs/#{job_file_name}_job.rb")
+        template("after_authenticate_job.rb", "app/jobs/#{job_file_name}_job.rb")
       end
 
       private
 
       def load_initializer
-        File.read(File.join(destination_root, 'config/initializers/shopify_app.rb'))
+        File.read(File.join(destination_root, "config/initializers/shopify_app.rb"))
       end
 
       def job_file_name
-        'shopify/after_authenticate'
+        "shopify/after_authenticate"
       end
     end
   end

data/lib/generators/shopify_app/add_after_authenticate_job/templates/after_authenticate_job.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module Shopify
   class AfterAuthenticateJob < ActiveJob::Base
     def perform(shop_domain:)

data/lib/generators/shopify_app/add_marketing_activity_extension/add_marketing_activity_extension_generator.rb

@@ -1,10 +1,11 @@
 # frozen_string_literal: true
-require 'rails/generators/base'
+
+require "rails/generators/base"
 
 module ShopifyApp
   module Generators
     class AddMarketingActivityExtensionGenerator < Rails::Generators::Base
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path("../templates", __FILE__)
 
       def generate_app_extension
         template("marketing_activities_controller.rb", "app/controllers/marketing_activities_controller.rb")
@@ -15,7 +16,7 @@ module ShopifyApp
 
       def generate_routes
         inject_into_file(
-          'config/routes.rb',
+          "config/routes.rb",
           optimize_indentation(routes, 2),
           after: "root :to => 'home#index'\n"
         )

data/lib/generators/shopify_app/add_webhook/add_webhook_generator.rb

@@ -1,10 +1,11 @@
 # frozen_string_literal: true
-require 'rails/generators/base'
+
+require "rails/generators/base"
 
 module ShopifyApp
   module Generators
     class AddWebhookGenerator < Rails::Generators::Base
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path("../templates", __FILE__)
       class_option :topic, type: :string, aliases: "-t", required: true
       class_option :address, type: :string, aliases: "-a", required: true
 
@@ -17,15 +18,15 @@ module ShopifyApp
         return if initializer.include?("config.webhooks")
 
         inject_into_file(
-          'config/initializers/shopify_app.rb',
+          "config/initializers/shopify_app.rb",
           "  config.webhooks = [\n  ]\n",
-          before: 'end'
+          after: /ShopifyApp\.configure.*\n/
         )
       end
 
       def inject_webhook_to_shopify_app_initializer
         inject_into_file(
-          'config/initializers/shopify_app.rb',
+          "config/initializers/shopify_app.rb",
           webhook_config,
           after: "config.webhooks = ["
         )
@@ -38,31 +39,31 @@ module ShopifyApp
       end
 
       def add_webhook_job
-        @job_file_name = job_file_name + '_job'
+        @job_file_name = job_file_name + "_job"
         @job_class_name = @job_file_name.classify
-        template('webhook_job.rb', "app/jobs/#{@job_file_name}.rb")
+        template("webhook_job.rb", "app/jobs/#{@job_file_name}.rb")
       end
 
       private
 
       def job_file_name
-        address.split('/').last
+        address.split("/").last
       end
 
       def load_initializer
-        File.read(File.join(destination_root, 'config/initializers/shopify_app.rb'))
+        File.read(File.join(destination_root, "config/initializers/shopify_app.rb"))
       end
 
       def webhook_config
-        "\n    {topic: '#{topic}', address: '#{address}', format: 'json'},"
+        "\n    { topic: \"#{topic}\", address: \"#{address}\" },"
       end
 
       def topic
-        options['topic']
+        options["topic"]
       end
 
       def address
-        options['address']
+        options["address"]
       end
     end
   end

data/lib/generators/shopify_app/add_webhook/templates/webhook_job.rb.tt

@@ -1,5 +1,13 @@
 class <%= @job_class_name %> < ActiveJob::Base
-  def perform(shop_domain:, webhook:)
+  extend ShopifyAPI::Webhooks::Handler
+
+  class << self
+    def handle(topic:, shop:, body:)
+      perform_later(topic: topic, shop_domain: shop, webhook: body)
+    end
+  end
+
+  def perform(topic:, shop_domain:, webhook:)
     shop = Shop.find_by(shopify_domain: shop_domain)
 
     if shop.nil?

data/lib/generators/shopify_app/app_proxy_controller/app_proxy_controller_generator.rb

@@ -1,23 +1,24 @@
 # frozen_string_literal: true
-require 'rails/generators/base'
+
+require "rails/generators/base"
 
 module ShopifyApp
   module Generators
     class AppProxyControllerGenerator < Rails::Generators::Base
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path("../templates", __FILE__)
 
       def create_app_proxy_controller
-        template('app_proxy_controller.rb', 'app/controllers/app_proxy_controller.rb')
+        template("app_proxy_controller.rb", "app/controllers/app_proxy_controller.rb")
       end
 
       def create_app_proxy_index_view
-        copy_file('index.html.erb', 'app/views/app_proxy/index.html.erb')
+        copy_file("index.html.erb", "app/views/app_proxy/index.html.erb")
       end
 
       def add_app_proxy_route
         inject_into_file(
-          'config/routes.rb',
-          File.read(File.expand_path(find_in_source_paths('app_proxy_route.rb'))),
+          "config/routes.rb",
+          File.read(File.expand_path(find_in_source_paths("app_proxy_route.rb"))),
           after: "mount ShopifyApp::Engine, at: '/'\n"
         )
       end

data/lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_controller.rb

@@ -1,8 +1,9 @@
 # frozen_string_literal: true
+
 class AppProxyController < ApplicationController
   include ShopifyApp::AppProxyVerification
 
   def index
-    render(layout: false, content_type: 'application/liquid')
+    render(layout: false, content_type: "application/liquid")
   end
 end

data/lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_route.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 namespace :app_proxy do
-  root action: 'index'
+  root action: "index"
   # simple routes without a specified controller will go to AppProxyController
 
   # more complex routes will go to controllers in the AppProxy namespace

data/lib/generators/shopify_app/authenticated_controller/authenticated_controller_generator.rb

@@ -1,14 +1,14 @@
 # frozen_string_literal: true
 
-require 'rails/generators/base'
+require "rails/generators/base"
 
 module ShopifyApp
   module Generators
     class AuthenticatedControllerGenerator < Rails::Generators::Base
-      source_root File.expand_path('../templates', __FILE__)
+      source_root File.expand_path("../templates", __FILE__)
 
       def create_authenticated_controller
-        template('authenticated_controller.rb', 'app/controllers/authenticated_controller.rb')
+        template("authenticated_controller.rb", "app/controllers/authenticated_controller.rb")
       end
     end
   end