shopify_app 19.0.0 → 19.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 68bc78da7e88e7482f179b4d8ce4cf6734f3595631007e047c59a3a31cfcc7f3
-  data.tar.gz: 84e0a185dfc9e34e80749db04c1b1a218fb0aed3499379e532c9a5903da3706a
+  metadata.gz: 0eed46621f78732a98d006f66631afbf2d5dcd17ed88af699ac20ff141df6ff6
+  data.tar.gz: 38180008e68e107e260eb0d629035ec65a8bd23915f361a4e9716ae4abca6604
 SHA512:
-  metadata.gz: fe5829d4783dcee78ae5141f51b1e177f65fcae58407101b25af7a83b467c9d3586e58a58785d7fb1730e8c7be34861c6f2cfc62e1e36c4527486e529da74910
-  data.tar.gz: e125dd848ea4faf473ea39d38dd186114dad9bf7ce1ebe4083bbf121fec18ba165936e28f7be0ee485b92426ed4f0cb76743a7cb014de5edbfdc85a4d8511489
+  metadata.gz: 3f0d7de43a22c940aa6e64ad343605b5ab4662d3cb9a9a4f21df3ba96f0fcee301f7430efed97dfcc55fe7b2b13dd7398c294895c08cbf777fb2b7b1fdce8fdf
+  data.tar.gz: 4671f6646686de7feb6c5b410ee435108fe98686bf35b6884e2305895d51038dbb7b24ac21d1da12b8e16dc71d831e6fbf769c5de510413b17d2c68cdfeb26ed

data/CHANGELOG.md

@@ -1,3 +1,23 @@
+Unreleased
+----------
+
+19.1.0 (June 20, 2022)
+----------
+
+* Add the `login_callback_url` config to allow overwriting that route as well, and mount the engine routes based on the configurations. [#1445](https://github.com/Shopify/shopify_app/pull/1445)
+* Add special headers when returning 401s from LoginProtection. [#1450](https://github.com/Shopify/shopify_app/pull/1450)
+* Add a new `billing` configuration which takes in a `ShopifyApp::BillingConfiguration` object and checks for payment on controllers with `Authenticated`. [#1455](https://github.com/Shopify/shopify_app/pull/1455)
+
+19.0.2 (April 27, 2022)
+----------
+
+* Fix regression in apps using online tokens. [#1413](https://github.com/Shopify/shopify_app/pull/1413)
+* Bump [Shopify API](https://github.com/Shopify/shopify_api) to version 10.0.3. It includes [these fixes](https://github.com/Shopify/shopify_api/blob/main/CHANGELOG.md#version-1003).
+
+19.0.1 (April 11, 2022)
+----------
+* Bump Shopify API (https://github.com/Shopify/shopify_api) to version 10.0.2. This update includes patch fixes since the initial v10 release.
+
 19.0.0 (April 6, 2022)
 ----------
 * Use v10 of the Shopify API (https://github.com/Shopify/shopify_api). This update requires changes to an app - please refer to the [migration guide](https://github.com/Shopify/shopify_app/blob/main/docs/Upgrading.md) for details.
@@ -14,7 +34,7 @@ BREAKING, please see migration notes.
 18.1.0 (Jan 28, 2022)
 ----------
 * Support Rails 7 [#1354](https://github.com/Shopify/shopify_app/pull/1354)
-* Fix webhooks handling in Ruby 3 [#1342](https://github.com/Shopify/shopify_app/pull/1342) 
+* Fix webhooks handling in Ruby 3 [#1342](https://github.com/Shopify/shopify_app/pull/1342)
 * Update to Ruby 3 and drop support to Ruby 2.5 [#1359](https://github.com/Shopify/shopify_app/pull/1359)
 
 18.0.4 (Jan 27, 2022)
@@ -38,7 +58,7 @@ BREAKING, please see migration notes.
 
 18.0.0 (May 3, 2021)
 ----------
-* Support OmniAuth 2.x 
+* Support OmniAuth 2.x
   * If your app has custom OmniAuth configuration, please refer to the [OmniAuth 2.0 upgrade guide](https://github.com/omniauth/omniauth/wiki/Upgrading-to-2.0).
 * Support App Bridge version 2.x in the Embedded App layout. [#1241](https://github.com/Shopify/shopify_app/pull/1241)
 
@@ -68,7 +88,7 @@ BREAKING, please see migration notes.
 
 17.0.4 (January 25, 2021)
 ----------
-* Redirect user to login page if shopify domain is not found in the `EnsureAuthenticatedLinks` concern [#1158](https://github.com/Shopify/shopify_app/pull/1158) 
+* Redirect user to login page if shopify domain is not found in the `EnsureAuthenticatedLinks` concern [#1158](https://github.com/Shopify/shopify_app/pull/1158)
 
 17.0.3 (January 22, 2021)
 ----------

data/Gemfile.lock

@@ -1,9 +1,9 @@
 PATH
   remote: .
   specs:
-    shopify_app (19.0.0)
+    shopify_app (19.1.0)
       activeresource
-      browser_sniffer (~> 1.4.0)
+      browser_sniffer (~> 2.0)
       jwt (>= 2.2.3)
       rails (> 5.2.1)
       redirect_safely (~> 1.0)
@@ -85,7 +85,7 @@ GEM
     ast (2.4.2)
     binding_of_caller (1.0.0)
       debug_inspector (>= 0.0.1)
-    browser_sniffer (1.4.0)
+    browser_sniffer (2.0.0)
     builder (3.2.4)
     byebug (11.1.3)
     coderay (1.1.3)
@@ -104,7 +104,7 @@ GEM
       multi_xml (>= 0.5.2)
     i18n (1.10.0)
       concurrent-ruby (~> 1.0)
-    jwt (2.3.0)
+    jwt (2.4.1)
     loofah (2.15.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
@@ -121,10 +121,10 @@ GEM
     mocha (1.13.0)
     multi_xml (0.6.0)
     nio4r (2.5.8)
-    nokogiri (1.13.3)
+    nokogiri (1.13.4)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    oj (3.13.11)
+    oj (3.13.14)
     openssl (3.0.0)
     parallel (1.21.0)
     parser (3.1.0.0)
@@ -194,7 +194,7 @@ GEM
       rubocop (~> 1.24)
     ruby-progressbar (1.11.0)
     securerandom (0.2.0)
-    shopify_api (10.0.0)
+    shopify_api (10.1.0)
       concurrent-ruby
       hash_diff
       httparty
@@ -204,7 +204,7 @@ GEM
       securerandom
       sorbet-runtime
       zeitwerk (~> 2.5)
-    sorbet-runtime (0.5.9854)
+    sorbet-runtime (0.5.10101)
     sprockets (4.0.3)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)

data/app/controllers/concerns/shopify_app/authenticated.rb

@@ -9,8 +9,11 @@ module ShopifyApp
       include ShopifyApp::LoginProtection
       include ShopifyApp::CsrfProtection
       include ShopifyApp::EmbeddedApp
+      include ShopifyApp::EnsureBilling
+
       before_action :login_again_if_different_user_or_shop
       around_action :activate_shopify_session
+      after_action :add_top_level_redirection_headers
     end
   end
 end

data/app/controllers/shopify_app/callback_controller.rb

@@ -4,6 +4,7 @@ module ShopifyApp
   # Performs login after OAuth completes
   class CallbackController < ActionController::Base
     include ShopifyApp::LoginProtection
+    include ShopifyApp::EnsureBilling
 
     def callback
       begin
@@ -27,9 +28,16 @@ module ShopifyApp
         value: auth_result[:cookie].value,
       }
 
+      session[:shopify_user_id] = auth_result[:session].associated_user.id if auth_result[:session].online?
+
+      if start_user_token_flow?(auth_result[:session])
+        return respond_with_user_token_flow
+      end
+
       perform_post_authenticate_jobs(auth_result[:session])
+      has_payment = check_billing(auth_result[:session])
 
-      respond_successfully
+      respond_successfully if has_payment
     end
 
     private
@@ -43,6 +51,25 @@ module ShopifyApp
       redirect_to(login_url_with_optional_shop)
     end
 
+    def respond_with_user_token_flow
+      redirect_to(login_url_with_optional_shop)
+    end
+
+    def start_user_token_flow?(shopify_session)
+      return false unless ShopifyApp::SessionRepository.user_storage.present?
+      return false if shopify_session.online?
+      update_user_access_scopes?
+    end
+
+    def update_user_access_scopes?
+      return true if session[:shopify_user_id].nil?
+      user_access_scopes_strategy.update_access_scopes?(shopify_user_id: session[:shopify_user_id])
+    end
+
+    def user_access_scopes_strategy
+      ShopifyApp.configuration.user_access_scopes_strategy
+    end
+
     def perform_post_authenticate_jobs(session)
       install_webhooks(session)
       install_scripttags(session)

data/app/controllers/shopify_app/sessions_controller.rb

@@ -44,9 +44,11 @@ module ShopifyApp
     end
 
     def start_oauth
+      callback_url = ShopifyApp.configuration.login_callback_url.gsub(%r{^/}, "")
+
       auth_attributes = ShopifyAPI::Auth::Oauth.begin_auth(
         shop: sanitized_shop_name,
-        redirect_path: "/auth/shopify/callback",
+        redirect_path: "/#{callback_url}",
         is_online: user_session_expected?
       )
       cookies.encrypted[auth_attributes[:cookie].name] = {

data/config/routes.rb

@@ -1,14 +1,28 @@
 # frozen_string_literal: true
 
 ShopifyApp::Engine.routes.draw do
+  login_url = ShopifyApp.configuration.login_url.gsub(/^#{ShopifyApp.configuration.root_url}/, "")
+  login_callback_url = ShopifyApp.configuration.login_callback_url.gsub(/^#{ShopifyApp.configuration.root_url}/, "")
+
   controller :sessions do
-    get "login" => :new, :as => :login
-    post "login" => :create, :as => :authenticate
+    get login_url => :new, :as => :login
+    post login_url => :create, :as => :authenticate
     get "logout" => :destroy, :as => :logout
+
+    # Kept to prevent apps relying on these routes from breaking
+    if login_url.gsub(%r{^/}, "") != "login"
+      get "login" => :new, :as => :default_login
+      post "login" => :create, :as => :default_authenticate
+    end
   end
 
   controller :callback do
-    get "auth/shopify/callback" => :callback
+    get login_callback_url => :callback
+
+    # Kept to prevent apps relying on these routes from breaking
+    if login_callback_url.gsub(%r{^/}, "") != "auth/shopify/callback"
+      get "auth/shopify/callback" => :default_callback
+    end
   end
 
   namespace :webhooks do

data/docs/Upgrading.md

@@ -23,18 +23,23 @@ gem.
 
 ### High-level process
 
-* Delete `config/initializers/omniauth.rb` as apps no longer need to initialize `OmniAuth` directly.
-* Delete `config/initializers/user_agent.rb` as `shopify_app` will set the right `User-Agent` header for interacting
+- Delete `config/initializers/omniauth.rb` as apps no longer need to initialize `OmniAuth` directly.
+- Delete `config/initializers/user_agent.rb` as `shopify_app` will set the right `User-Agent` header for interacting
   with the Shopify API. If the app requires further information in the `User-Agent` header beyond what Shopify API
   requires, specify this in the `ShopifyAPI::Context.user_agent_prefix` setting.
-* Remove `allow_jwt_authentication=` and `allow_cookie_authentication=` invocations from
+- Remove `allow_jwt_authentication=` and `allow_cookie_authentication=` invocations from
   `config/initializers/shopify_app.rb` as the decision logic for which authentication method to use is now handled
   internally by the `shopify_api` gem, using the `ShopifyAPI::Context.embedded_app` setting.
-* `v19.0.0` updates the `shopify_api` dependency to `10.0.0`. This version of `shopify_api` has breaking changes. See
-  the documentation for addressing these breaking changes on GitHub [here](https://github.com/Shopify/shopify_api/blob/add_breaking_change_log_v10/README.md#breaking-change-notice-for-version-1000).
+- `v19.0.0` updates the `shopify_api` dependency to `10.0.0`. This version of `shopify_api` has breaking changes. See
+  the documentation for addressing these breaking changes on GitHub [here](https://github.com/Shopify/shopify_api#breaking-change-notice-for-version-1000).
 
 ### Specific cases
 
+#### Shopify user id in session
+
+Previously, we set the entire app user object in the `session` object.
+As of v19, since we no longer save the app user to the session (but only the shopify user id), we now store it as `session[:shopify_user_id]`. Please make sure to update any references to that object.
+
 #### Webhook Jobs
 
 Add a new `handle` method to existing webhook jobs to go through the updated `shopify_api` gem.
@@ -97,6 +102,7 @@ Rails.application.config.after_initialize do
   end
 end
 ```
+
 ## Upgrading to `v18.1.2`
 
 Version 18.1.2 replaces the deprecated EASDK redirect with an App Bridge 2 redirect when attempting to break out of an iframe. This happens when an app is installed, requires new access scopes, or re-authentication because the login session is expired.
@@ -105,7 +111,7 @@ Version 18.1.2 replaces the deprecated EASDK redirect with an App Bridge 2 redir
 
 ### Different SameSite cookie attribute behaviour
 
-To support Rails  `v6.1`, the [`SameSiteCookieMiddleware`](/lib/shopify_app/middleware/same_site_cookie_middleware.rb) was updated to configure cookies to `SameSite=None` if the app is embedded. Before this release, cookies were configured to `SameSite=None` only if this attribute had not previously been set before.
+To support Rails `v6.1`, the [`SameSiteCookieMiddleware`](/lib/shopify_app/middleware/same_site_cookie_middleware.rb) was updated to configure cookies to `SameSite=None` if the app is embedded. Before this release, cookies were configured to `SameSite=None` only if this attribute had not previously been set before.
 
 ```diff
 # same_site_cookie_middleware.rb
@@ -122,32 +128,33 @@ change to how session stores work. Here are the steps to migrate to 13.x
 
 ### Changes to `config/initializers/shopify_app.rb`
 
-- *REMOVE* `config.per_user_tokens = [true|false]` this is no longer needed
-- *CHANGE* `config.session_repository = 'Shop'` To  `config.shop_session_repository = 'Shop'`
-- *ADD (optional)*  User Session Storage `config.user_session_repository = 'User'`
+- _REMOVE_ `config.per_user_tokens = [true|false]` this is no longer needed
+- _CHANGE_ `config.session_repository = 'Shop'` To `config.shop_session_repository = 'Shop'`
+- _ADD (optional)_ User Session Storage `config.user_session_repository = 'User'`
 
 ### Shop Model Changes (normally `app/models/shop.rb`)
 
--  *CHANGE* `include ShopifyApp::SessionStorage` to `include ShopifyApp::ShopSessionStorage`
+- _CHANGE_ `include ShopifyApp::SessionStorage` to `include ShopifyApp::ShopSessionStorage`
 
 ### Changes to the @shop_session instance variable (normally in `app/controllers/*.rb`)
 
-- *CHANGE* if you are using shop sessions, `@shop_session` will need to be changed to `@current_shopify_session`.
+- _CHANGE_ if you are using shop sessions, `@shop_session` will need to be changed to `@current_shopify_session`.
 
 ### Changes to Rails `session`
 
-- *CHANGE* `session[:shopify]` is no longer set. Use `session[:user_id]` if your app uses user based tokens, or `session[:shop_id]` if your app uses shop based tokens.
+- _CHANGE_ `session[:shopify]` is no longer set. Use `session[:user_id]` if your app uses user based tokens, or `session[:shop_id]` if your app uses shop based tokens.
 
 ### Changes to `ShopifyApp::LoginProtection`
 
 `ShopifyApp::LoginProtection`
 
 - CHANGE if you are using `ShopifyApp::LoginProtection#shopify_session` in your code, it will need to be
-changed to `ShopifyApp::LoginProtection#activate_shopify_session`
+  changed to `ShopifyApp::LoginProtection#activate_shopify_session`
 - CHANGE if you are using `ShopifyApp::LoginProtection#clear_shop_session` in your code, it will need to be
-changed to `ShopifyApp::LoginProtection#clear_shopify_session`
+  changed to `ShopifyApp::LoginProtection#clear_shopify_session`
 
 ### Notes
+
 You do not need a user model; a shop session is fine for most applications.
 
 ---
@@ -155,6 +162,7 @@ You do not need a user model; a shop session is fine for most applications.
 ## Upgrading to `v11.7.0`
 
 ### Session storage method signature breaking change
+
 If you override `def self.store(auth_session)` method in your session storage model (e.g. Shop), the method signature has changed to `def self.store(auth_session, *args)` in order to support user-based token storage. Please update your method signature to include the second argument.
 
 ---
@@ -165,13 +173,15 @@ If you override `def self.store(auth_session)` method in your session storage mo
 
 Add an API version configuration in `config/initializers/shopify_app.rb`
 Set this to the version you want to run against by default. See [Shopify API docs](https://help.shopify.com/api/versioning) for versions available.
+
 ```ruby
 config.api_version = '2019-04'
 ```
 
 ### Session storage change
 
-You will need to add an `api_version` method to your session storage object.  The default implementation for this is.
+You will need to add an `api_version` method to your session storage object. The default implementation for this is.
+
 ```ruby
 def api_version
   ShopifyApp.configuration.api_version
@@ -181,6 +191,7 @@ end
 ### Generated file change
 
 `embedded_app.html.erb` the usage of `shop_session.url` needs to be changed to `shop_session.domain`
+
 ```erb
 <script type="text/javascript">
   ShopifyApp.init({
@@ -193,7 +204,9 @@ end
   });
 </script>
 ```
+
 is changed to
+
 ```erb
 <script type="text/javascript">
   ShopifyApp.init({
@@ -211,5 +224,5 @@ is changed to
 
 You will need to also follow the ShopifyAPI [upgrade guide](https://github.com/Shopify/shopify_api/blob/master/README.md#-breaking-change-notice-for-version-700-) to ensure your app is ready to work with API versioning.
 
-[dashboard]:https://partners.shopify.com
-[app-bridge]:https://shopify.dev/apps/tools/app-bridge
+[dashboard]: https://partners.shopify.com
+[app-bridge]: https://shopify.dev/apps/tools/app-bridge

data/lib/generators/shopify_app/install/templates/shopify_app.rb.tt

@@ -13,6 +13,19 @@ ShopifyApp.configure do |config|
   config.api_key = ENV.fetch('SHOPIFY_API_KEY', '').presence
   config.secret = ENV.fetch('SHOPIFY_API_SECRET', '').presence
 
+  # You may want to charge merchants for using your app. Setting the billing configuration will cause the Authenticated
+  # controller concern to check that the session is for a merchant that has an active one-time payment or subscription.
+  # If no payment is found, it starts off the process and sends the merchant to a confirmation URL so that they can
+  # approve the purchase.
+  #
+  # Learn more about billing in our documentation: https://shopify.dev/apps/billing
+  # config.billing = ShopifyApp::BillingConfiguration.new(
+  #   charge_name: "My app billing charge",
+  #   amount: 5,
+  #   interval: ShopifyApp::BillingConfiguration::INTERVAL_EVERY_30_DAYS,
+  #   currency_code: "USD", # Only supports USD for now
+  # )
+
   if defined? Rails::Server
     raise('Missing SHOPIFY_API_KEY. See https://github.com/Shopify/shopify_app#requirements') unless config.api_key
     raise('Missing SHOPIFY_API_SECRET. See https://github.com/Shopify/shopify_app#requirements') unless config.secret

data/lib/shopify_app/configuration.rb

@@ -24,6 +24,7 @@ module ShopifyApp
     # customise urls
     attr_accessor :root_url
     attr_writer :login_url
+    attr_writer :login_callback_url
 
     # customise ActiveJob queue names
     attr_accessor :scripttags_manager_queue_name
@@ -38,6 +39,9 @@ module ShopifyApp
     # allow namespacing webhook jobs
     attr_accessor :webhook_jobs_namespace
 
+    # takes a ShopifyApp::BillingConfiguration object
+    attr_accessor :billing
+
     def initialize
       @root_url = "/"
       @myshopify_domain = "myshopify.com"
@@ -50,6 +54,11 @@ module ShopifyApp
       @login_url || File.join(@root_url, "login")
     end
 
+    def login_callback_url
+      # Not including @root_url to keep historic behaviour
+      @login_callback_url || File.join("auth/shopify/callback")
+    end
+
     def user_session_repository=(klass)
       ShopifyApp::SessionRepository.user_storage = klass
     end
@@ -84,6 +93,10 @@ module ShopifyApp
       scripttags.present?
     end
 
+    def requires_billing?
+      billing.present?
+    end
+
     def shop_access_scopes
       @shop_access_scopes || scope
     end
@@ -93,6 +106,24 @@ module ShopifyApp
     end
   end
 
+  class BillingConfiguration
+    INTERVAL_ONE_TIME = "ONE_TIME"
+    INTERVAL_EVERY_30_DAYS = "EVERY_30_DAYS"
+    INTERVAL_ANNUAL = "ANNUAL"
+
+    attr_reader :charge_name
+    attr_reader :amount
+    attr_reader :currency_code
+    attr_reader :interval
+
+    def initialize(charge_name:, amount:, interval:, currency_code: "USD")
+      @charge_name = charge_name
+      @amount = amount
+      @currency_code = currency_code
+      @interval = interval
+    end
+  end
+
   def self.configuration
     @configuration ||= Configuration.new
   end

data/lib/shopify_app/controller_concerns/ensure_billing.rb

@@ -0,0 +1,254 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module EnsureBilling
+    class BillingError < StandardError
+      attr_accessor :message
+      attr_accessor :errors
+
+      def initialize(message, errors)
+        super
+        @message = message
+        @errors = errors
+      end
+    end
+
+    extend ActiveSupport::Concern
+
+    RECURRING_INTERVALS = [BillingConfiguration::INTERVAL_EVERY_30_DAYS, BillingConfiguration::INTERVAL_ANNUAL]
+
+    included do
+      before_action :check_billing, if: :billing_required?
+      rescue_from BillingError, with: :handle_billing_error
+    end
+
+    private
+
+    def check_billing(session = current_shopify_session)
+      return true if session.blank? || !billing_required?
+
+      confirmation_url = nil
+
+      if has_active_payment?(session)
+        has_payment = true
+      else
+        has_payment = false
+        confirmation_url = request_payment(session)
+      end
+
+      unless has_payment
+        if request.xhr?
+          add_top_level_redirection_headers(url: confirmation_url, ignore_response_code: true)
+          head(:unauthorized)
+        else
+          redirect_to(confirmation_url, allow_other_host: true)
+        end
+      end
+
+      has_payment
+    end
+
+    def billing_required?
+      ShopifyApp.configuration.requires_billing?
+    end
+
+    def handle_billing_error(error)
+      logger.info("#{error.message}: #{error.errors}")
+      redirect_to_login
+    end
+
+    def has_active_payment?(session)
+      if recurring?
+        has_subscription?(session)
+      else
+        has_one_time_payment?(session)
+      end
+    end
+
+    def has_subscription?(session)
+      response = run_query(session: session, query: RECURRING_PURCHASES_QUERY)
+      subscriptions = response.body["data"]["currentAppInstallation"]["activeSubscriptions"]
+
+      subscriptions.each do |subscription|
+        if subscription["name"] == ShopifyApp.configuration.billing.charge_name &&
+            (!Rails.env.production? || !subscription["test"])
+
+          return true
+        end
+      end
+
+      false
+    end
+
+    def has_one_time_payment?(session)
+      purchases = nil
+      end_cursor = nil
+
+      loop do
+        response = run_query(session: session, query: ONE_TIME_PURCHASES_QUERY, variables: { endCursor: end_cursor })
+        purchases = response.body["data"]["currentAppInstallation"]["oneTimePurchases"]
+
+        purchases["edges"].each do |purchase|
+          node = purchase["node"]
+
+          if node["name"] == ShopifyApp.configuration.billing.charge_name &&
+              (!Rails.env.production? || !node["test"]) &&
+              node["status"] == "ACTIVE"
+
+            return true
+          end
+        end
+
+        end_cursor = purchases["pageInfo"]["endCursor"]
+        break unless purchases["pageInfo"]["hasNextPage"]
+      end
+
+      false
+    end
+
+    def request_payment(session)
+      shop = session.shop
+      host = Base64.encode64("#{shop}/admin")
+      return_url = "https://#{ShopifyAPI::Context.host_name}?shop=#{shop}&host=#{host}"
+
+      if recurring?
+        data = request_recurring_payment(session: session, return_url: return_url)
+        data = data["data"]["appSubscriptionCreate"]
+      else
+        data = request_one_time_payment(session: session, return_url: return_url)
+        data = data["data"]["appPurchaseOneTimeCreate"]
+      end
+
+      raise BillingError.new("Error while billing the store", data["userErrros"]) unless data["userErrors"].empty?
+
+      data["confirmationUrl"]
+    end
+
+    def request_recurring_payment(session:, return_url:)
+      response = run_query(
+        session: session,
+        query: RECURRING_PURCHASE_MUTATION,
+        variables: {
+          name: ShopifyApp.configuration.billing.charge_name,
+          lineItems: {
+            plan: {
+              appRecurringPricingDetails: {
+                interval: ShopifyApp.configuration.billing.interval,
+                price: {
+                  amount: ShopifyApp.configuration.billing.amount,
+                  currencyCode: ShopifyApp.configuration.billing.currency_code,
+                },
+              },
+            },
+          },
+          returnUrl: return_url,
+          test: !Rails.env.production?,
+        }
+      )
+
+      response.body
+    end
+
+    def request_one_time_payment(session:, return_url:)
+      response = run_query(
+        session: session,
+        query: ONE_TIME_PURCHASE_MUTATION,
+        variables: {
+          name: ShopifyApp.configuration.billing.charge_name,
+          price: {
+            amount: ShopifyApp.configuration.billing.amount,
+            currencyCode: ShopifyApp.configuration.billing.currency_code,
+          },
+          returnUrl: return_url,
+          test: !Rails.env.production?,
+        }
+      )
+
+      response.body
+    end
+
+    def recurring?
+      RECURRING_INTERVALS.include?(ShopifyApp.configuration.billing.interval)
+    end
+
+    def run_query(session:, query:, variables: nil)
+      client = ShopifyAPI::Clients::Graphql::Admin.new(session: session)
+
+      response = client.query(query: query, variables: variables)
+
+      raise BillingError.new("Error while billing the store", []) unless response.ok?
+      raise BillingError.new("Error while billing the store", response.body["errors"]) if response.body["errors"]
+
+      response
+    end
+
+    RECURRING_PURCHASES_QUERY = <<~'QUERY'
+      query appSubscription {
+        currentAppInstallation {
+          activeSubscriptions {
+            name, test
+          }
+        }
+      }
+    QUERY
+
+    ONE_TIME_PURCHASES_QUERY = <<~'QUERY'
+      query appPurchases($endCursor: String) {
+        currentAppInstallation {
+          oneTimePurchases(first: 250, sortKey: CREATED_AT, after: $endCursor) {
+            edges {
+              node {
+                name, test, status
+              }
+            }
+            pageInfo {
+              hasNextPage, endCursor
+            }
+          }
+        }
+      }
+    QUERY
+
+    RECURRING_PURCHASE_MUTATION = <<~'QUERY'
+      mutation createPaymentMutation(
+        $name: String!
+        $lineItems: [AppSubscriptionLineItemInput!]!
+        $returnUrl: URL!
+        $test: Boolean
+      ) {
+        appSubscriptionCreate(
+          name: $name
+          lineItems: $lineItems
+          returnUrl: $returnUrl
+          test: $test
+        ) {
+          confirmationUrl
+          userErrors {
+            field, message
+          }
+        }
+      }
+    QUERY
+
+    ONE_TIME_PURCHASE_MUTATION = <<~'QUERY'
+      mutation createPaymentMutation(
+        $name: String!
+        $price: MoneyInput!
+        $returnUrl: URL!
+        $test: Boolean
+      ) {
+        appPurchaseOneTimeCreate(
+          name: $name
+          price: $price
+          returnUrl: $returnUrl
+          test: $test
+        ) {
+          confirmationUrl
+          userErrors {
+            field, message
+          }
+        }
+      }
+    QUERY
+  end
+end

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -70,6 +70,25 @@ module ShopifyApp
       expire_at - 5.seconds # 5s gap to start fetching new token in advance
     end
 
+    def add_top_level_redirection_headers(url: nil, ignore_response_code: false)
+      if request.xhr? && (ignore_response_code || response.code.to_i == 401)
+        # Make sure the shop is set in the redirection URL
+        unless params[:shop]
+          params[:shop] = if current_shopify_session
+            current_shopify_session.shop
+          elsif (matches = request.headers["HTTP_AUTHORIZATION"]&.match(/^Bearer (.+)$/))
+            jwt_payload = ShopifyAPI::Auth::JwtPayload.new(T.must(matches[1]))
+            jwt_payload.shop
+          end
+        end
+
+        url ||= login_url_with_optional_shop
+
+        response.set_header("X-Shopify-API-Request-Failure-Reauthorize", "1")
+        response.set_header("X-Shopify-API-Request-Failure-Reauthorize-Url", url)
+      end
+    end
+
     protected
 
     def jwt_shopify_domain
@@ -86,6 +105,7 @@ module ShopifyApp
 
     def redirect_to_login
       if request.xhr?
+        add_top_level_redirection_headers(ignore_response_code: true)
         head(:unauthorized)
       else
         if request.get?
@@ -232,7 +252,13 @@ module ShopifyApp
       current_shopify_session && params[:shop].is_a?(String) && current_shopify_session.shop != params[:shop]
     end
 
+    def shop_session
+      ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(sanitize_shop_param(params))
+    end
+
     def user_session_expected?
+      return false if shop_session.nil?
+      return false if ShopifyApp.configuration.shop_access_scopes_strategy.update_access_scopes?(shop_session.shop)
       !ShopifyApp.configuration.user_session_repository.blank? && ShopifyApp::SessionRepository.user_storage.present?
     end
   end

data/lib/shopify_app/session/session_repository.rb

@@ -46,7 +46,7 @@ module ShopifyApp
       # ShopifyAPI::Auth::SessionStorage override
       def store_session(session)
         if session.online?
-          user_storage.store(session, session.associated_user.id.to_s)
+          user_storage.store(session, session.associated_user)
         else
           shop_storage.store(session)
         end

data/lib/shopify_app/session/user_session_storage_with_scopes.rb

@@ -11,7 +11,7 @@ module ShopifyApp
 
     class_methods do
       def store(auth_session, user)
-        user = find_or_initialize_by(shopify_user_id: user[:id])
+        user = find_or_initialize_by(shopify_user_id: user.id)
         user.shopify_token = auth_session.access_token
         user.shopify_domain = auth_session.shop
         user.access_scopes = auth_session.scope.to_s

data/lib/shopify_app/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ShopifyApp
-  VERSION = "19.0.0"
+  VERSION = "19.1.0"
 end

data/lib/shopify_app.rb

@@ -39,6 +39,7 @@ module ShopifyApp
   require "shopify_app/controller_concerns/localization"
   require "shopify_app/controller_concerns/itp"
   require "shopify_app/controller_concerns/login_protection"
+  require "shopify_app/controller_concerns/ensure_billing"
   require "shopify_app/controller_concerns/embedded_app"
   require "shopify_app/controller_concerns/payload_verification"
   require "shopify_app/controller_concerns/app_proxy_verification"

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "19.0.0",
+  "version": "19.1.0",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

data/shopify_app.gemspec

@@ -15,7 +15,7 @@ Gem::Specification.new do |s|
   s.metadata["allowed_push_host"] = "https://rubygems.org"
 
   s.add_runtime_dependency("activeresource") # TODO: Remove this once all active resource dependencies are removed
-  s.add_runtime_dependency("browser_sniffer", "~> 1.4.0")
+  s.add_runtime_dependency("browser_sniffer", "~> 2.0")
   s.add_runtime_dependency("jwt", ">= 2.2.3")
   s.add_runtime_dependency("rails", "> 5.2.1")
   s.add_runtime_dependency("redirect_safely", "~> 1.0")

data/yarn.lock

@@ -3515,9 +3515,9 @@ minimatch@3.0.4, minimatch@^3.0.4:
     brace-expansion "^1.1.7"
 
 minimist@^1.2.0, minimist@^1.2.3, minimist@^1.2.5:
-  version "1.2.5"
-  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602"
-  integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==
+  version "1.2.6"
+  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.6.tgz#8637a5b759ea0d6e98702cfb3a9283323c93af44"
+  integrity sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==
 
 mississippi@^3.0.0:
   version "3.0.0"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 19.0.0
+  version: 19.1.0
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-04-06 00:00:00.000000000 Z
+date: 2022-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activeresource
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.4.0
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.4.0
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -399,6 +399,7 @@ files:
 - lib/shopify_app/controller_concerns/app_proxy_verification.rb
 - lib/shopify_app/controller_concerns/csrf_protection.rb
 - lib/shopify_app/controller_concerns/embedded_app.rb
+- lib/shopify_app/controller_concerns/ensure_billing.rb
 - lib/shopify_app/controller_concerns/itp.rb
 - lib/shopify_app/controller_concerns/localization.rb
 - lib/shopify_app/controller_concerns/login_protection.rb
@@ -451,7 +452,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.20
+rubygems_version: 3.3.3
 signing_key: 
 specification_version: 4
 summary: This gem is used to get quickly started with the Shopify API