shopify_app 18.1.3 → 19.0.0

data/lib/shopify_app/access_scopes/user_strategy.rb

@@ -9,7 +9,7 @@ module ShopifyApp
         def update_access_scopes?(user_id: nil, shopify_user_id: nil)
           return update_access_scopes_for_user_id?(user_id) if user_id
           return update_access_scopes_for_shopify_user_id?(shopify_user_id) if shopify_user_id
-          raise(InvalidInput, '#update_access_scopes? requires user_id or shopify_user_id parameter inputs')
+          raise(InvalidInput, "#update_access_scopes? requires user_id or shopify_user_id parameter inputs")
         end
 
         private
@@ -25,15 +25,15 @@ module ShopifyApp
         end
 
         def user_access_scopes_by_user_id(user_id)
-          ShopifyApp::SessionRepository.retrieve_user_session(user_id)&.access_scopes
+          ShopifyApp::SessionRepository.retrieve_user_session(user_id)&.scope
         end
 
         def user_access_scopes_by_shopify_user_id(shopify_user_id)
-          ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(shopify_user_id)&.access_scopes
+          ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(shopify_user_id)&.scope
         end
 
         def configuration_access_scopes
-          ShopifyAPI::ApiAccess.new(ShopifyApp.configuration.user_access_scopes)
+          ShopifyAPI::Auth::AuthScopes.new(ShopifyApp.configuration.user_access_scopes)
         end
       end
     end

data/lib/shopify_app/configuration.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class Configuration
     # Shopify App settings. These values should match the configuration
@@ -37,25 +38,16 @@ module ShopifyApp
     # allow namespacing webhook jobs
     attr_accessor :webhook_jobs_namespace
 
-    # allow enabling of same site none on cookies
-    attr_writer :enable_same_site_none
-
-    # allow enabling jwt headers for authentication
-    attr_accessor :allow_jwt_authentication
-
-    attr_accessor :allow_cookie_authentication
-
     def initialize
-      @root_url = '/'
-      @myshopify_domain = 'myshopify.com'
+      @root_url = "/"
+      @myshopify_domain = "myshopify.com"
       @scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
       @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
-      @disable_webpacker = ENV['SHOPIFY_APP_DISABLE_WEBPACKER'].present?
-      @allow_cookie_authentication = true
+      @disable_webpacker = ENV["SHOPIFY_APP_DISABLE_WEBPACKER"].present?
     end
 
     def login_url
-      @login_url || File.join(@root_url, 'login')
+      @login_url || File.join(@root_url, "login")
     end
 
     def user_session_repository=(klass)
@@ -92,10 +84,6 @@ module ShopifyApp
       scripttags.present?
     end
 
-    def enable_same_site_none
-      !Rails.env.test? && (@enable_same_site_none.nil? ? embedded_app? : @enable_same_site_none)
-    end
-
     def shop_access_scopes
       @shop_access_scopes || scope
     end

data/lib/shopify_app/controller_concerns/app_proxy_verification.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module AppProxyVerification
     extend ActiveSupport::Concern
@@ -16,7 +17,7 @@ module ShopifyApp
     def query_string_valid?(query_string)
       query_hash = Rack::Utils.parse_query(query_string)
 
-      signature = query_hash.delete('signature')
+      signature = query_hash.delete("signature")
       return false if signature.nil?
 
       ActiveSupport::SecurityUtils.secure_compare(
@@ -26,10 +27,10 @@ module ShopifyApp
     end
 
     def calculated_signature(query_hash_without_signature)
-      sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(',')}" }.sort.join
+      sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(",")}" }.sort.join
 
       OpenSSL::HMAC.hexdigest(
-        OpenSSL::Digest.new('sha256'),
+        OpenSSL::Digest.new("sha256"),
         ShopifyApp.configuration.secret,
         sorted_params
       )

data/lib/shopify_app/controller_concerns/csrf_protection.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module CsrfProtection
     extend ActiveSupport::Concern
@@ -9,7 +10,7 @@ module ShopifyApp
     private
 
     def valid_session_token?
-      request.env['jwt.shopify_domain']
+      request.env["jwt.shopify_domain"]
     end
   end
 end

data/lib/shopify_app/controller_concerns/embedded_app.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module EmbeddedApp
     extend ActiveSupport::Concern
@@ -6,15 +7,15 @@ module ShopifyApp
     included do
       if ShopifyApp.configuration.embedded_app?
         after_action(:set_esdk_headers)
-        layout('embedded_app')
+        layout("embedded_app")
       end
     end
 
     private
 
     def set_esdk_headers
-      response.set_header('P3P', 'CP="Not used"')
-      response.headers.except!('X-Frame-Options')
+      response.set_header("P3P", 'CP="Not used"')
+      response.headers.except!("X-Frame-Options")
     end
   end
 end

data/lib/shopify_app/controller_concerns/itp.rb

@@ -9,15 +9,15 @@ module ShopifyApp
       return unless ShopifyApp.configuration.embedded_app?
       return unless user_agent_can_partition_cookies
 
-      session['shopify.cookies_persist'] = true
+      session["shopify.cookies_persist"] = true
     end
 
     def set_top_level_oauth_cookie
-      session['shopify.top_level_oauth'] = true
+      session["shopify.top_level_oauth"] = true
     end
 
     def clear_top_level_oauth_cookie
-      session.delete('shopify.top_level_oauth')
+      session.delete("shopify.top_level_oauth")
     end
 
     def user_agent_is_mobile

data/lib/shopify_app/controller_concerns/localization.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module Localization
     extend ActiveSupport::Concern

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'browser_sniffer'
+require "browser_sniffer"
 
 module ShopifyApp
   module LoginProtection
@@ -13,82 +13,51 @@ module ShopifyApp
 
     included do
       after_action :set_test_cookie
-      rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
+      rescue_from ShopifyAPI::Errors::HttpResponseError, with: :handle_http_error
     end
 
-    ACCESS_TOKEN_REQUIRED_HEADER = 'X-Shopify-API-Request-Failure-Unauthorized'
+    ACCESS_TOKEN_REQUIRED_HEADER = "X-Shopify-API-Request-Failure-Unauthorized"
 
     def activate_shopify_session
-      if user_session_expected? && user_session.blank?
+      if current_shopify_session.blank?
         signal_access_token_required
         return redirect_to_login
       end
 
-      return redirect_to_login if current_shopify_session.blank?
+      unless current_shopify_session.scope.to_a.empty? ||
+          current_shopify_session.scope.covers?(ShopifyAPI::Context.scope)
 
-      clear_top_level_oauth_cookie
+        clear_shopify_session
+        return redirect_to_login
+      end
 
       begin
-        ShopifyAPI::Base.activate_session(current_shopify_session)
+        ShopifyAPI::Context.activate_session(current_shopify_session)
         yield
       ensure
-        ShopifyAPI::Base.clear_session
+        ShopifyAPI::Context.deactivate_session
       end
     end
 
     def current_shopify_session
       @current_shopify_session ||= begin
-        user_session || shop_session
+        cookie_name = ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME
+        ShopifyAPI::Utils::SessionUtils.load_current_session(
+          auth_header: request.headers["HTTP_AUTHORIZATION"],
+          cookies: { cookie_name => cookies.encrypted[cookie_name] },
+          is_online: user_session_expected?
+        )
+      rescue ShopifyAPI::Errors::CookieNotFoundError
+        nil
+      rescue ShopifyAPI::Errors::InvalidJwtTokenError
+        nil
       end
     end
 
-    def user_session
-      user_session_by_jwt || user_session_by_cookie
-    end
-
-    def user_session_by_jwt
-      return unless ShopifyApp.configuration.allow_jwt_authentication
-      return unless jwt_shopify_user_id
-      ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(jwt_shopify_user_id)
-    end
-
-    def user_session_by_cookie
-      return unless ShopifyApp.configuration.allow_cookie_authentication
-      return unless session[:user_id].present?
-      ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
-    end
-
-    def shop_session
-      shop_session_by_jwt || shop_session_by_cookie
-    end
-
-    def shop_session_by_jwt
-      return unless ShopifyApp.configuration.allow_jwt_authentication
-      return unless jwt_shopify_domain
-      ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(jwt_shopify_domain)
-    end
-
-    def shop_session_by_cookie
-      return unless ShopifyApp.configuration.allow_cookie_authentication
-      return unless session[:shop_id].present?
-      ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
-    end
-
     def login_again_if_different_user_or_shop
-      if session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
-        clear_session = session[:user_session] != params[:session] # current user is different from stored user
-      end
-
-      if current_shopify_session &&
-        params[:shop] && params[:shop].is_a?(String) &&
-        (current_shopify_session.domain != params[:shop])
-        clear_session = true
-      end
-
-      if clear_session
-        clear_shopify_session
-        redirect_to_login
-      end
+      return unless session_id_conflicts_with_params || session_shop_conflicts_with_params
+      clear_shopify_session
+      redirect_to_login
     end
 
     def signal_access_token_required
@@ -96,7 +65,7 @@ module ShopifyApp
     end
 
     def jwt_expire_at
-      expire_at = request.env['jwt.expire_at']
+      expire_at = request.env["jwt.expire_at"]
       return unless expire_at
       expire_at - 5.seconds # 5s gap to start fetching new token in advance
     end
@@ -104,11 +73,11 @@ module ShopifyApp
     protected
 
     def jwt_shopify_domain
-      request.env['jwt.shopify_domain']
+      request.env["jwt.shopify_domain"]
     end
 
     def jwt_shopify_user_id
-      request.env['jwt.shopify_user_id']
+      request.env["jwt.shopify_user_id"]
     end
 
     def host
@@ -137,12 +106,16 @@ module ShopifyApp
       redirect_to(login_url_with_optional_shop)
     end
 
+    def handle_http_error(error)
+      if error.code == 401
+        close_session
+      else
+        raise error
+      end
+    end
+
     def clear_shopify_session
-      session[:shop_id] = nil
-      session[:user_id] = nil
-      session[:shopify_domain] = nil
-      session[:shopify_user] = nil
-      session[:user_session] = nil
+      cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME] = nil
     end
 
     def login_url_with_optional_shop(top_level: false)
@@ -179,23 +152,21 @@ module ShopifyApp
     end
 
     def return_to_param_required?
-      native_params = %i[shop hmac timestamp locale protocol return_to]
-      request.path != '/' || sanitized_params.except(*native_params).any?
+      native_params = [:shop, :hmac, :timestamp, :locale, :protocol, :return_to]
+      request.path != "/" || sanitized_params.except(*native_params).any?
     end
 
     def fullpage_redirect_to(url)
       if ShopifyApp.configuration.embedded_app?
-        render('shopify_app/shared/redirect', layout: false,
-               locals: { url: url, current_shopify_domain: current_shopify_domain })
+        render("shopify_app/shared/redirect", layout: false,
+          locals: { url: url, current_shopify_domain: current_shopify_domain })
       else
         redirect_to(url)
       end
     end
 
     def current_shopify_domain
-      shopify_domain = sanitized_shop_name ||
-        jwt_shopify_domain ||
-        session[:shopify_domain]
+      shopify_domain = sanitized_shop_name || current_shopify_session&.shop
 
       return shopify_domain if shopify_domain.present?
 
@@ -252,6 +223,15 @@ module ShopifyApp
 
     private
 
+    def session_id_conflicts_with_params
+      shopify_session_id = current_shopify_session&.shopify_session_id
+      params[:session].present? && shopify_session_id.present? && params[:session] != shopify_session_id
+    end
+
+    def session_shop_conflicts_with_params
+      current_shopify_session && params[:shop].is_a?(String) && current_shopify_session.shop != params[:shop]
+    end
+
     def user_session_expected?
       !ShopifyApp.configuration.user_session_repository.blank? && ShopifyApp::SessionRepository.user_storage.present?
     end

data/lib/shopify_app/controller_concerns/payload_verification.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module PayloadVerification
     extend ActiveSupport::Concern
@@ -6,14 +7,14 @@ module ShopifyApp
     private
 
     def shopify_hmac
-      request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
+      request.headers["HTTP_X_SHOPIFY_HMAC_SHA256"]
     end
 
     def hmac_valid?(data)
       secrets = [ShopifyApp.configuration.secret, ShopifyApp.configuration.old_secret].reject(&:blank?)
 
       secrets.any? do |secret|
-        digest = OpenSSL::Digest.new('sha256')
+        digest = OpenSSL::Digest.new("sha256")
         ActiveSupport::SecurityUtils.secure_compare(
           shopify_hmac,
           Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, data))

data/lib/shopify_app/controller_concerns/webhook_verification.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module WebhookVerification
     extend ActiveSupport::Concern
@@ -17,7 +18,7 @@ module ShopifyApp
     end
 
     def shop_domain
-      request.headers['HTTP_X_SHOPIFY_SHOP_DOMAIN']
+      request.headers["HTTP_X_SHOPIFY_SHOP_DOMAIN"]
     end
   end
 end

data/lib/shopify_app/engine.rb

@@ -1,36 +1,28 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   module RedactJobParams
     private
 
     def args_info(job)
-      log_disabled_classes = %w(ShopifyApp::ScripttagsManagerJob ShopifyApp::WebhooksManagerJob)
+      log_disabled_classes = ["ShopifyApp::ScripttagsManagerJob", "ShopifyApp::WebhooksManagerJob"]
       return "" if log_disabled_classes.include?(job.class.name)
       super
     end
   end
 
   class Engine < Rails::Engine
-    engine_name 'shopify_app'
+    engine_name "shopify_app"
     isolate_namespace ShopifyApp
 
     initializer "shopify_app.assets.precompile" do |app|
-      app.config.assets.precompile += %w[
-        shopify_app/redirect.js
-        shopify_app/post_redirect.js
-        shopify_app/top_level.js
-        shopify_app/enable_cookies.js
-        shopify_app/request_storage_access.js
-        storage_access.svg
-      ]
+      app.config.assets.precompile += ["shopify_app/redirect.js", "shopify_app/post_redirect.js",
+                                       "shopify_app/top_level.js", "shopify_app/enable_cookies.js",
+                                       "shopify_app/request_storage_access.js", "storage_access.svg",]
     end
 
     initializer "shopify_app.middleware" do |app|
-      app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::SameSiteCookieMiddleware)
-
-      if ShopifyApp.configuration.allow_jwt_authentication
-        app.config.middleware.insert_after(ShopifyApp::SameSiteCookieMiddleware, ShopifyApp::JWTMiddleware)
-      end
+      app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::JWTMiddleware)
     end
 
     initializer "shopify_app.redact_job_params" do

data/lib/shopify_app/jobs/scripttags_manager_job.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class ScripttagsManagerJob < ActiveJob::Base
     queue_as do
@@ -6,8 +7,7 @@ module ShopifyApp
     end
 
     def perform(shop_domain:, shop_token:, scripttags:)
-      api_version = ShopifyApp.configuration.api_version
-      ShopifyAPI::Session.temp(domain: shop_domain, token: shop_token, api_version: api_version) do
+      ShopifyAPI::Auth::Session.temp(shop: shop_domain, access_token: shop_token) do
         manager = ScripttagsManager.new(scripttags, shop_domain)
         manager.create_scripttags
       end

data/lib/shopify_app/jobs/webhooks_manager_job.rb

@@ -1,15 +1,14 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class WebhooksManagerJob < ActiveJob::Base
     queue_as do
       ShopifyApp.configuration.webhooks_manager_queue_name
     end
 
-    def perform(shop_domain:, shop_token:, webhooks:)
-      api_version = ShopifyApp.configuration.api_version
-      ShopifyAPI::Session.temp(domain: shop_domain, token: shop_token, api_version: api_version) do
-        manager = WebhooksManager.new(webhooks)
-        manager.create_webhooks
+    def perform(shop_domain:, shop_token:)
+      ShopifyAPI::Auth::Session.temp(shop: shop_domain, access_token: shop_token) do |session|
+        WebhooksManager.create_webhooks(session: session)
       end
     end
   end

data/lib/shopify_app/managers/scripttags_manager.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class ScripttagsManager
     class CreationFailed < StandardError; end
@@ -44,7 +45,7 @@ module ShopifyApp
     def destroy_scripttags
       scripttags = expanded_scripttags
       ShopifyAPI::ScriptTag.all.each do |tag|
-        ShopifyAPI::ScriptTag.delete(tag.id) if required_scripttag?(scripttags, tag)
+        tag.delete if required_scripttag?(scripttags, tag)
       end
 
       @current_scripttags = nil
@@ -61,9 +62,15 @@ module ShopifyApp
     end
 
     def create_scripttag(attributes)
-      attributes.reverse_merge!(format: 'json')
-      scripttag = ShopifyAPI::ScriptTag.create(attributes)
-      raise CreationFailed, scripttag.errors.full_messages.to_sentence unless scripttag.persisted?
+      scripttag = ShopifyAPI::ScriptTag.new
+      attributes.each { |key, value| scripttag.public_send("#{key}=", value) }
+
+      begin
+        scripttag.save!
+      rescue ShopifyAPI::Errors::HttpResponseError => e
+        raise CreationFailed, e.message
+      end
+
       scripttag
     end
 

data/lib/shopify_app/managers/webhooks_manager.rb

@@ -1,62 +1,60 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class WebhooksManager
     class CreationFailed < StandardError; end
 
-    def self.queue(shop_domain, shop_token, webhooks)
-      ShopifyApp::WebhooksManagerJob.perform_later(
-        shop_domain: shop_domain,
-        shop_token: shop_token,
-        webhooks: webhooks
-      )
-    end
-
-    attr_reader :required_webhooks
-
-    def initialize(webhooks)
-      @required_webhooks = webhooks
-    end
-
-    def recreate_webhooks!
-      destroy_webhooks
-      create_webhooks
-    end
-
-    def create_webhooks
-      return unless required_webhooks.present?
+    class << self
+      def queue(shop_domain, shop_token)
+        ShopifyApp::WebhooksManagerJob.perform_later(
+          shop_domain: shop_domain,
+          shop_token: shop_token
+        )
+      end
 
-      required_webhooks.each do |webhook|
-        create_webhook(webhook) unless webhook_exists?(webhook[:topic])
+      def create_webhooks(session:)
+        return unless ShopifyApp.configuration.has_webhooks?
+        ShopifyAPI::Webhooks::Registry.register_all(session: session)
       end
-    end
 
-    def destroy_webhooks
-      ShopifyAPI::Webhook.all.to_a.each do |webhook|
-        ShopifyAPI::Webhook.delete(webhook.id) if required_webhook?(webhook)
+      def recreate_webhooks!(session:)
+        destroy_webhooks
+        return unless ShopifyApp.configuration.has_webhooks?
+        add_registrations
+        ShopifyAPI::Webhooks::Registry.register_all(session: session)
       end
 
-      @current_webhooks = nil
-    end
+      def destroy_webhooks
+        return unless ShopifyApp.configuration.has_webhooks?
 
-    private
+        ShopifyApp.configuration.webhooks.each do |attributes|
+          ShopifyAPI::Webhooks::Registry.unregister(topic: attributes[:topic])
+        end
+      end
 
-    def required_webhook?(webhook)
-      required_webhooks.map { |w| w[:address] }.include?(webhook.address)
-    end
+      def add_registrations
+        return unless ShopifyApp.configuration.has_webhooks?
+
+        ShopifyApp.configuration.webhooks.each do |attributes|
+          ShopifyAPI::Webhooks::Registry.add_registration(
+            topic: attributes[:topic],
+            delivery_method: attributes[:delivery_method] || :http,
+            path: attributes[:address],
+            handler: webhook_job_klass(attributes[:topic]),
+            fields: attributes[:fields]
+          )
+        end
+      end
 
-    def create_webhook(attributes)
-      attributes.reverse_merge!(format: 'json')
-      webhook = ShopifyAPI::Webhook.create(attributes)
-      raise CreationFailed, webhook.errors.full_messages.to_sentence unless webhook.persisted?
-      webhook
-    end
+      private
 
-    def webhook_exists?(topic)
-      current_webhooks[topic]
-    end
+      def webhook_job_klass(topic)
+        webhook_job_klass_name(topic).safe_constantize || raise(ShopifyApp::MissingWebhookJobError)
+      end
 
-    def current_webhooks
-      @current_webhooks ||= ShopifyAPI::Webhook.all.to_a.index_by(&:topic)
+      def webhook_job_klass_name(topic)
+        [ShopifyApp.configuration.webhook_jobs_namespace, "#{topic.gsub("/", "_")}_job"].compact.join("/").classify
+      end
     end
   end
 end

data/lib/shopify_app/middleware/jwt_middleware.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   class JWTMiddleware
     TOKEN_REGEX = /^Bearer\s+(.*?)$/
@@ -24,7 +25,7 @@ module ShopifyApp
     end
 
     def authorization_header(env)
-      env['HTTP_AUTHORIZATION']
+      env["HTTP_AUTHORIZATION"]
     end
 
     def extract_token(env)
@@ -35,9 +36,9 @@ module ShopifyApp
     def set_env_variables(token, env)
       jwt = ShopifyApp::JWT.new(token)
 
-      env['jwt.shopify_domain'] = jwt.shopify_domain
-      env['jwt.shopify_user_id'] = jwt.shopify_user_id
-      env['jwt.expire_at'] = jwt.expire_at
+      env["jwt.shopify_domain"] = jwt.shopify_domain
+      env["jwt.shopify_user_id"] = jwt.shopify_user_id
+      env["jwt.expire_at"] = jwt.expire_at
     end
   end
 end

data/lib/shopify_app/session/in_memory_session_store.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module ShopifyApp
   # rubocop:disable Style/ClassVars
   # Class var repo is needed here in order to share data between the 2 child classes.