shopify_app 21.0.0 → 22.5.0

data/lib/shopify_app/controller_concerns/redirect_for_embedded.rb

@@ -4,6 +4,11 @@ module ShopifyApp
   module RedirectForEmbedded
     include ShopifyApp::SanitizedParams
 
+    def self.add_app_bridge_redirect_url_header(url, response)
+      response.set_header("X-Shopify-API-Request-Failure-Reauthorize", "1")
+      response.set_header("X-Shopify-API-Request-Failure-Reauthorize-Url", url)
+    end
+
     private
 
     def embedded_redirect_url?
@@ -11,17 +16,24 @@ module ShopifyApp
     end
 
     def embedded_param?
-      embedded_redirect_url? && params[:embedded].present? && params[:embedded] == "1"
+      embedded_redirect_url? && params[:embedded].present? && loaded_directly_from_admin?
+    end
+
+    def loaded_directly_from_admin?
+      ShopifyApp.configuration.embedded_app? && params[:embedded] == "1"
     end
 
     def redirect_for_embedded
       # Don't actually redirect if we're already in the redirect route - we want the request to reach the FE
-      redirect_to(redirect_uri_for_embedded) unless request.path == ShopifyApp.configuration.embedded_redirect_url
+      unless request.path == ShopifyApp.configuration.embedded_redirect_url
+        ShopifyApp::Logger.debug("Redirecting to #{redirect_uri_for_embedded}")
+        redirect_to(redirect_uri_for_embedded)
+      end
     end
 
     def redirect_uri_for_embedded
       redirect_query_params = {}
-      redirect_uri = "https://#{ShopifyAPI::Context.host_name}#{ShopifyApp.configuration.login_url}"
+      redirect_uri = "#{ShopifyAPI::Context.host}#{ShopifyApp.configuration.login_url}"
       redirect_query_params[:shop] = sanitized_shop_name
       redirect_query_params[:shop] ||= referer_sanitized_shop_name if referer_sanitized_shop_name.present?
       redirect_query_params[:host] ||= params[:host] if params[:host].present?

data/lib/shopify_app/controller_concerns/sanitized_params.rb

@@ -21,6 +21,7 @@ module ShopifyApp
 
     def sanitize_shop_param(params)
       return unless params[:shop].present?
+
       ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
     end
 
@@ -32,5 +33,9 @@ module ShopifyApp
         end
       end
     end
+
+    def embedded?
+      params[:embedded] == "1" || request.env["HTTP_SEC_FETCH_DEST"] == "iframe"
+    end
   end
 end

data/lib/shopify_app/controller_concerns/token_exchange.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module TokenExchange
+    extend ActiveSupport::Concern
+    include ShopifyApp::AdminAPI::WithTokenRefetch
+    include ShopifyApp::SanitizedParams
+    include ShopifyApp::EmbeddedApp
+
+    included do
+      include ShopifyApp::WithShopifyIdToken
+    end
+
+    INVALID_SHOPIFY_ID_TOKEN_ERRORS = [
+      ShopifyAPI::Errors::MissingJwtTokenError,
+      ShopifyAPI::Errors::InvalidJwtTokenError,
+    ].freeze
+
+    def activate_shopify_session(&block)
+      retrieve_session_from_token_exchange if current_shopify_session.blank? || should_exchange_expired_token?
+
+      ShopifyApp::Logger.debug("Activating Shopify session")
+      ShopifyAPI::Context.activate_session(current_shopify_session)
+      with_token_refetch(current_shopify_session, shopify_id_token, &block)
+    rescue *INVALID_SHOPIFY_ID_TOKEN_ERRORS => e
+      respond_to_invalid_shopify_id_token(e)
+    ensure
+      ShopifyApp::Logger.debug("Deactivating session")
+      ShopifyAPI::Context.deactivate_session
+    end
+
+    def should_exchange_expired_token?
+      ShopifyApp.configuration.check_session_expiry_date && current_shopify_session.expired?
+    end
+
+    def current_shopify_session
+      return unless current_shopify_session_id
+
+      @current_shopify_session ||= ShopifyApp::SessionRepository.load_session(current_shopify_session_id)
+    end
+
+    def current_shopify_session_id
+      @current_shopify_session_id ||= ShopifyAPI::Utils::SessionUtils.session_id_from_shopify_id_token(
+        id_token: shopify_id_token,
+        online: online_token_configured?,
+      )
+    end
+
+    def current_shopify_domain
+      sanitized_shop_name || current_shopify_session&.shop
+    rescue *INVALID_SHOPIFY_ID_TOKEN_ERRORS => e
+      respond_to_invalid_shopify_id_token(e)
+    end
+
+    private
+
+    def retrieve_session_from_token_exchange
+      @current_shopify_session = nil
+      ShopifyApp::Auth::TokenExchange.perform(shopify_id_token)
+    end
+
+    def respond_to_invalid_shopify_id_token(error)
+      ShopifyApp::Logger.debug("Responding to invalid Shopify ID token: #{error.message}")
+      return if performed?
+
+      if request.headers["HTTP_AUTHORIZATION"].blank?
+        if embedded?
+          redirect_to_bounce_page
+        else
+          redirect_to_embed_app_in_admin
+        end
+      else
+        ShopifyApp::Logger.debug("Responding to invalid Shopify ID token with unauthorized response")
+        response.set_header("X-Shopify-Retry-Invalid-Session-Request", 1)
+        unauthorized_response = { message: :unauthorized }
+        render(json: { errors: [unauthorized_response] }, status: :unauthorized)
+      end
+    end
+
+    def redirect_to_bounce_page
+      ShopifyApp::Logger.debug("Redirecting to bounce page for patching Shopify ID token")
+      patch_shopify_id_token_url =
+        "#{ShopifyAPI::Context.host}#{ShopifyApp.configuration.root_url}/patch_shopify_id_token"
+      patch_shopify_id_token_params = request.query_parameters.except(:id_token)
+
+      bounce_url = "#{request.path}?#{patch_shopify_id_token_params.to_query}"
+
+      # App Bridge will trigger a fetch to the URL in shopify-reload, with a new session token in headers
+      patch_shopify_id_token_params["shopify-reload"] = bounce_url
+
+      redirect_to(
+        "#{patch_shopify_id_token_url}?#{patch_shopify_id_token_params.to_query}",
+        allow_other_host: true,
+      )
+    end
+
+    def online_token_configured?
+      ShopifyApp.configuration.online_token_configured?
+    end
+
+    def fullpage_redirect_to(url)
+      raise ShopifyApp::ShopifyDomainNotFound if current_shopify_domain.nil?
+
+      render(
+        "shopify_app/shared/redirect",
+        layout: false,
+        locals: { url: url, current_shopify_domain: current_shopify_domain, is_iframe: embedded? },
+      )
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/webhook_verification.rb

@@ -14,7 +14,10 @@ module ShopifyApp
 
     def verify_request
       data = request.raw_post
-      return head(:unauthorized) unless hmac_valid?(data)
+      unless hmac_valid?(data)
+        ShopifyApp::Logger.debug("Webhook verification failed - HMAC invalid")
+        head(:unauthorized)
+      end
     end
 
     def shop_domain

data/lib/shopify_app/controller_concerns/with_shopify_id_token.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module WithShopifyIdToken
+    extend ActiveSupport::Concern
+
+    def shopify_id_token
+      return @shopify_id_token if defined?(@shopify_id_token)
+
+      @shopify_id_token = id_token_from_authorization_header || id_token_from_url_param
+    end
+
+    def jwt_payload
+      return @jwt_payload if defined?(@jwt_payload)
+
+      @jwt_payload = shopify_id_token.present? ? ShopifyAPI::Auth::JwtPayload.new(shopify_id_token) : nil
+    end
+
+    def jwt_shopify_domain
+      return @jwt_shopify_domain if defined?(@jwt_shopify_domain)
+
+      @jwt_shopify_domain = if jwt_payload.present?
+        ShopifyApp::Utils.sanitize_shop_domain(jwt_payload.shopify_domain)
+      end
+    end
+
+    def jwt_shopify_user_id
+      jwt_payload&.shopify_user_id
+    end
+
+    def jwt_expire_at
+      expire_at = jwt_payload&.expire_at
+      return unless expire_at
+
+      expire_at - 5.seconds # 5s gap to start fetching new token in advance
+    end
+
+    private
+
+    def id_token_from_authorization_header
+      request.headers["HTTP_AUTHORIZATION"]&.match(/^Bearer (.+)$/)&.[](1)
+    end
+
+    def id_token_from_url_param
+      params["id_token"]
+    end
+  end
+end

data/lib/shopify_app/engine.rb

@@ -5,7 +5,7 @@ module ShopifyApp
     private
 
     def args_info(job)
-      log_disabled_classes = ["ShopifyApp::ScripttagsManagerJob", "ShopifyApp::WebhooksManagerJob"]
+      log_disabled_classes = ["ShopifyApp::WebhooksManagerJob"]
       return "" if log_disabled_classes.include?(job.class.name)
 
       super
@@ -16,21 +16,20 @@ module ShopifyApp
     engine_name "shopify_app"
     isolate_namespace ShopifyApp
 
-    initializer "shopify_app.assets.precompile" do |app|
-      app.config.assets.precompile += ["shopify_app/redirect.js", "shopify_app/post_redirect.js",
-                                       "shopify_app/top_level.js", "shopify_app/enable_cookies.js",
-                                       "shopify_app/request_storage_access.js", "storage_access.svg",]
-    end
-
     initializer "shopify_app.middleware" do |app|
       app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::JWTMiddleware)
     end
 
+    initializer "shopify_app.assets.precompile" do |app|
+      app.config.assets.precompile += [
+        "shopify_app/redirect.js",
+      ]
+    end
+
     initializer "shopify_app.redact_job_params" do
       ActiveSupport.on_load(:active_job) do
         if ActiveJob::Base.respond_to?(:log_arguments?)
           WebhooksManagerJob.log_arguments = false
-          ScripttagsManagerJob.log_arguments = false
         elsif ActiveJob::Logging::LogSubscriber.private_method_defined?(:args_info)
           ActiveJob::Logging::LogSubscriber.prepend(RedactJobParams)
         end

data/lib/shopify_app/logger.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  class Logger < ShopifyAPI::Logger
+    class << self
+      def deprecated(message, version)
+        return unless enabled_for_log_level?(:warn)
+
+        raise ShopifyAPI::Errors::FeatureDeprecatedError unless valid_version(version)
+
+        ActiveSupport::Deprecation.warn("[#{version}] #{context(:warn)} #{message}")
+      end
+
+      private
+
+      def context(log_level)
+        current_shop = ShopifyAPI::Context.active_session&.shop || "Shop Not Found"
+        "[ ShopifyApp | #{log_level.to_s.upcase} | #{current_shop} ]"
+      end
+
+      def valid_version(version)
+        current_version = Gem::Version.create(ShopifyApp::VERSION)
+        deprecate_version = Gem::Version.create(version)
+        current_version < deprecate_version
+      end
+    end
+  end
+end

data/lib/shopify_app/managers/webhooks_manager.rb

@@ -8,44 +8,52 @@ module ShopifyApp
       def queue(shop_domain, shop_token)
         ShopifyApp::WebhooksManagerJob.perform_later(
           shop_domain: shop_domain,
-          shop_token: shop_token
+          shop_token: shop_token,
         )
       end
 
       def create_webhooks(session:)
         return unless ShopifyApp.configuration.has_webhooks?
 
+        ShopifyApp::Logger.debug("Creating webhooks #{ShopifyApp.configuration.webhooks}")
+
         ShopifyAPI::Webhooks::Registry.register_all(session: session)
       end
 
       def recreate_webhooks!(session:)
-        destroy_webhooks
+        destroy_webhooks(session: session)
         return unless ShopifyApp.configuration.has_webhooks?
 
+        ShopifyApp::Logger.debug("Recreating webhooks")
         add_registrations
-        ShopifyAPI::Webhooks::Registry.register_all(session: session)
+        create_webhooks(session: session)
       end
 
-      def destroy_webhooks
+      def destroy_webhooks(session:)
         return unless ShopifyApp.configuration.has_webhooks?
 
+        ShopifyApp::Logger.debug("Destroying webhooks")
         ShopifyApp.configuration.webhooks.each do |attributes|
-          ShopifyAPI::Webhooks::Registry.unregister(topic: attributes[:topic])
+          ShopifyAPI::Webhooks::Registry.unregister(topic: attributes[:topic], session: session)
         end
       end
 
       def add_registrations
         return unless ShopifyApp.configuration.has_webhooks?
 
+        ShopifyApp::Logger.debug("Adding registrations to webhooks")
         ShopifyApp.configuration.webhooks.each do |attributes|
           webhook_path = path(attributes)
+          delivery_method = attributes[:delivery_method] || :http
 
           ShopifyAPI::Webhooks::Registry.add_registration(
             topic: attributes[:topic],
-            delivery_method: attributes[:delivery_method] || :http,
+            delivery_method: delivery_method,
             path: webhook_path,
-            handler: webhook_job_klass(webhook_path),
-            fields: attributes[:fields]
+            handler: delivery_method == :http ? webhook_job_klass(webhook_path) : nil,
+            fields: attributes[:fields],
+            filter: attributes[:filter],
+            metafield_namespaces: attributes[:metafield_namespaces],
           )
         end
       end
@@ -74,8 +82,10 @@ module ShopifyApp
       def webhook_job_klass_name(path)
         job_file_name = Pathname(path.to_s).basename
 
-        [ShopifyApp.configuration.webhook_jobs_namespace,
-         "#{job_file_name}_job",].compact.join("/").classify
+        [
+          ShopifyApp.configuration.webhook_jobs_namespace,
+          "#{job_file_name}_job",
+        ].compact.join("/").classify
       end
     end
   end

data/lib/shopify_app/middleware/jwt_middleware.rb

@@ -2,16 +2,17 @@
 
 module ShopifyApp
   class JWTMiddleware
-    TOKEN_REGEX = /^Bearer\s+(.*?)$/
+    TOKEN_REGEX = /^Bearer (.+)$/
+    ID_TOKEN_QUERY_PARAM = "id_token"
 
     def initialize(app)
       @app = app
     end
 
     def call(env)
-      return call_next(env) unless authorization_header(env)
+      return call_next(env) unless ShopifyApp.configuration.embedded_app?
 
-      token = extract_token(env)
+      token = token_from_authorization_header(env) || token_from_query_string(env)
       return call_next(env) unless token
 
       set_env_variables(token, env)
@@ -24,21 +25,24 @@ module ShopifyApp
       @app.call(env)
     end
 
-    def authorization_header(env)
-      env["HTTP_AUTHORIZATION"]
+    def token_from_authorization_header(env)
+      env["HTTP_AUTHORIZATION"]&.match(TOKEN_REGEX)&.[](1)
     end
 
-    def extract_token(env)
-      match = authorization_header(env).match(TOKEN_REGEX)
-      match && match[1]
+    def token_from_query_string(env)
+      Rack::Utils.parse_nested_query(env["QUERY_STRING"])[ID_TOKEN_QUERY_PARAM]
     end
 
     def set_env_variables(token, env)
-      jwt = ShopifyApp::JWT.new(token)
+      jwt = ShopifyAPI::Auth::JwtPayload.new(token)
 
+      env["jwt.token"] = token
       env["jwt.shopify_domain"] = jwt.shopify_domain
       env["jwt.shopify_user_id"] = jwt.shopify_user_id
       env["jwt.expire_at"] = jwt.expire_at
+    rescue ShopifyAPI::Errors::InvalidJwtTokenError
+      # ShopifyApp::JWT did not raise any exceptions, ensuring behaviour does not change
+      nil
     end
   end
 end

data/lib/shopify_app/session/in_memory_user_session_store.rb

@@ -5,7 +5,7 @@ module ShopifyApp
     class << self
       def store(session, user)
         id = super
-        repo[user.shopify_user_id] = session
+        repo[user.id.to_s] = session
         id
       end
 

data/lib/shopify_app/session/jwt.rb

@@ -13,6 +13,7 @@ module ShopifyApp
     ]
 
     def initialize(token)
+      warn_deprecation
       @token = token
       set_payload
     end
@@ -34,8 +35,7 @@ module ShopifyApp
     def set_payload
       payload, _ = parse_token_data(ShopifyApp.configuration&.secret, ShopifyApp.configuration&.old_secret)
       @payload = validate_payload(payload)
-    rescue *WARN_EXCEPTIONS => error
-      Rails.logger.warn("[ShopifyApp::JWT] Failed to validate JWT: [#{error.class}] #{error}")
+    rescue *WARN_EXCEPTIONS
       nil
     end
 
@@ -55,10 +55,19 @@ module ShopifyApp
       raise ::ShopifyApp::InvalidAudienceError,
         "'aud' claim does not match api_key" unless payload["aud"] == api_key
       raise ::ShopifyApp::InvalidDestinationError, "'dest' claim host not a valid shopify host" unless dest_host
+
       raise ::ShopifyApp::MismatchedHostsError,
         "'dest' claim host does not match 'iss' claim host" unless dest_host == iss_host
 
       payload
     end
+
+    def warn_deprecation
+      message = <<~EOS
+        "ShopifyApp::JWT will be deprecated, use ShopifyAPI::Auth::JwtPayload to parse JWT token instead."
+      EOS
+
+      ShopifyApp::Logger.deprecated(message, "23.0.0")
+    end
   end
 end

data/lib/shopify_app/session/session_repository.rb

@@ -2,8 +2,6 @@
 
 module ShopifyApp
   class SessionRepository
-    extend ShopifyAPI::Auth::SessionStorage
-
     class << self
       attr_writer :shop_storage
 
@@ -25,6 +23,14 @@ module ShopifyApp
         user_storage.retrieve_by_shopify_user_id(user_id)
       end
 
+      def destroy_shop_session_by_domain(shopify_domain)
+        shop_storage.destroy_by_shopify_domain(shopify_domain)
+      end
+
+      def destroy_user_session_by_shopify_user_id(user_id)
+        user_storage.destroy_by_shopify_user_id(user_id)
+      end
+
       def store_shop_session(session)
         shop_storage.store(session)
       end
@@ -34,8 +40,11 @@ module ShopifyApp
       end
 
       def shop_storage
-        load_shop_storage || raise(::ShopifyApp::ConfigurationError,
-          "ShopifySessionRepository.shop_storage is not configured!")
+        load_shop_storage || raise(
+          ::ShopifyApp::ConfigurationError,
+          "ShopifyApp::Configuration.shop_session_repository is not configured!\n
+          See docs here: https://github.com/Shopify/shopify_app/blob/main/docs/shopify_app/sessions.md#sessions",
+        )
       end
 
       def user_storage
@@ -45,8 +54,11 @@ module ShopifyApp
       # ShopifyAPI::Auth::SessionStorage override
       def store_session(session)
         if session.online?
-          user_storage.store(session, session.associated_user)
+          user = session.associated_user
+          ShopifyApp::Logger.debug("Storing online user session - session: #{session.id}")
+          user_storage.store(session, user)
         else
+          ShopifyApp::Logger.debug("Storing offline store session - session: #{session.id}")
           shop_storage.store(session)
         end
       end
@@ -55,9 +67,13 @@ module ShopifyApp
       def load_session(id)
         match = id.match(/^offline_(.*)/)
         if match
-          retrieve_shop_session_by_shopify_domain(match[1])
+          domain = match[1]
+          ShopifyApp::Logger.debug("Loading session by domain - domain: #{domain}")
+          retrieve_shop_session_by_shopify_domain(domain)
         else
-          retrieve_user_session_by_shopify_user_id(id.split("_").last)
+          user = id.split("_").last
+          ShopifyApp::Logger.debug("Loading session by user_id - user: #{user}")
+          retrieve_user_session_by_shopify_user_id(user)
         end
       end
 
@@ -65,14 +81,17 @@ module ShopifyApp
       def delete_session(id)
         match = id.match(/^offline_(.*)/)
 
-        record = if match
-          Shop.find_by(shopify_domain: match[1])
+        if match
+          domain = match[1]
+          ShopifyApp::Logger.debug("Destroying session by domain - domain: #{domain}")
+          destroy_shop_session_by_domain(domain)
+
         else
-          User.find_by(shopify_user_id: id.split("_").last)
+          shopify_user_id = id.split("_").last
+          ShopifyApp::Logger.debug("Destroying session by user - user_id: #{shopify_user_id}")
+          destroy_user_session_by_shopify_user_id(shopify_user_id)
         end
 
-        record.destroy
-
         true
       end
 
@@ -81,13 +100,46 @@ module ShopifyApp
       def load_shop_storage
         return unless @shop_storage
 
-        @shop_storage.respond_to?(:safe_constantize) ? @shop_storage.safe_constantize : @shop_storage
+        shop_storage_class =
+          @shop_storage.respond_to?(:safe_constantize) ? @shop_storage.safe_constantize : @shop_storage
+
+        [
+          :store,
+          :retrieve,
+          :retrieve_by_shopify_domain,
+        ].each do |method|
+          raise(
+            ::ShopifyApp::ConfigurationError,
+            missing_method_message("shop", method.to_s),
+          ) unless shop_storage_class.respond_to?(method)
+        end
+
+        shop_storage_class
       end
 
       def load_user_storage
         return NullUserSessionStore unless @user_storage
 
-        @user_storage.respond_to?(:safe_constantize) ? @user_storage.safe_constantize : @user_storage
+        user_storage_class =
+          @user_storage.respond_to?(:safe_constantize) ? @user_storage.safe_constantize : @user_storage
+
+        [
+          :store,
+          :retrieve,
+          :retrieve_by_shopify_user_id,
+        ].each do |method|
+          raise(
+            ::ShopifyApp::ConfigurationError,
+            missing_method_message("user", method.to_s),
+          ) unless user_storage_class.respond_to?(method)
+        end
+
+        user_storage_class
+      end
+
+      def missing_method_message(type, method)
+        "Missing method - '#{method}' implementation for #{type}_storage_repository\n
+        See docs here: https://github.com/Shopify/shopify_app/blob/main/docs/shopify_app/sessions.md#sessions"
       end
     end
   end

data/lib/shopify_app/session/session_storage.rb

@@ -10,8 +10,8 @@ module ShopifyApp
     end
 
     def with_shopify_session(&block)
-      ShopifyAPI::Auth::Session.temp(shop: shopify_domain, access_token: shopify_token) do
-        yield block
+      ShopifyAPI::Auth::Session.temp(shop: shopify_domain, access_token: shopify_token) do |session|
+        block.call(session)
       end
     end
   end

data/lib/shopify_app/session/shop_session_storage.rb

@@ -27,6 +27,10 @@ module ShopifyApp
         construct_session(shop)
       end
 
+      def destroy_by_shopify_domain(domain)
+        destroy_by(shopify_domain: domain)
+      end
+
       private
 
       def construct_session(shop)
@@ -34,7 +38,7 @@ module ShopifyApp
 
         ShopifyAPI::Auth::Session.new(
           shop: shop.shopify_domain,
-          access_token: shop.shopify_token
+          access_token: shop.shopify_token,
         )
       end
     end

data/lib/shopify_app/session/shop_session_storage_with_scopes.rb

@@ -29,6 +29,10 @@ module ShopifyApp
         construct_session(shop)
       end
 
+      def destroy_by_shopify_domain(domain)
+        destroy_by(shopify_domain: domain)
+      end
+
       private
 
       def construct_session(shop)
@@ -37,7 +41,7 @@ module ShopifyApp
         ShopifyAPI::Auth::Session.new(
           shop: shop.shopify_domain,
           access_token: shop.shopify_token,
-          scope: shop.access_scopes
+          scope: shop.access_scopes,
         )
       end
     end