shopify_app 21.2.0 → 21.3.0

data/app/controllers/concerns/shopify_app/require_known_shop.rb

@@ -3,46 +3,11 @@
 module ShopifyApp
   module RequireKnownShop
     extend ActiveSupport::Concern
-    include ShopifyApp::RedirectForEmbedded
+    include ShopifyApp::EnsureInstalled
 
     included do
-      before_action :check_shop_domain
-      before_action :check_shop_known
-    end
-
-    def current_shopify_domain
-      return if params[:shop].blank?
-
-      @shopify_domain ||= ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
-    end
-
-    private
-
-    def check_shop_domain
-      redirect_to(ShopifyApp.configuration.login_url) unless current_shopify_domain
-    end
-
-    def check_shop_known
-      @shop = SessionRepository.retrieve_shop_session_by_shopify_domain(current_shopify_domain)
-      unless @shop
-        if embedded_param?
-          redirect_for_embedded
-        else
-          redirect_to(shop_login)
-        end
-      end
-    end
-
-    def shop_login
-      url = URI(ShopifyApp.configuration.login_url)
-
-      url.query = URI.encode_www_form(
-        shop: params[:shop],
-        host: params[:host],
-        return_to: request.fullpath,
-      )
-
-      url.to_s
+      ShopifyApp::Logger.deprecated("RequireKnownShop has been replaced by EnsureInstalled."\
+        " Please use the EnsureInstalled controller concern for the same behavior", "22.0.0")
     end
   end
 end

data/app/controllers/shopify_app/authenticated_controller.rb

@@ -2,7 +2,7 @@
 
 module ShopifyApp
   class AuthenticatedController < ActionController::Base
-    include ShopifyApp::Authenticated
+    include ShopifyApp::EnsureHasSession
 
     protect_from_forgery with: :exception
   end

data/app/controllers/shopify_app/callback_controller.rb

@@ -8,49 +8,86 @@ module ShopifyApp
 
     def callback
       begin
-        filtered_params = request.parameters.symbolize_keys.slice(:code, :shop, :timestamp, :state, :host, :hmac)
-
-        auth_result = ShopifyAPI::Auth::Oauth.validate_auth_callback(
-          cookies: {
-            ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME =>
-              cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME],
-          },
-          auth_query: ShopifyAPI::Auth::Oauth::AuthQuery.new(**filtered_params),
-        )
-      rescue
+        api_session, cookie = validated_auth_objects
+      rescue => error
+        deprecate_callback_rescue(error) unless error.class.module_parent == ShopifyAPI::Errors
         return respond_with_error
       end
 
-      cookies.encrypted[auth_result[:cookie].name] = {
-        expires: auth_result[:cookie].expires,
-        secure: true,
-        http_only: true,
-        value: auth_result[:cookie].value,
-      }
+      save_session(api_session) if api_session
+      update_rails_cookie(api_session, cookie)
 
-      session[:shopify_user_id] = auth_result[:session].associated_user.id if auth_result[:session].online?
+      return respond_with_user_token_flow if start_user_token_flow?(api_session)
 
-      if start_user_token_flow?(auth_result[:session])
-        return respond_with_user_token_flow
-      end
+      perform_post_authenticate_jobs(api_session)
+      redirect_to_app if check_billing(api_session)
+    end
 
-      perform_post_authenticate_jobs(auth_result[:session])
-      has_payment = check_billing(auth_result[:session])
+    private
 
-      respond_successfully if has_payment
+    def deprecate_callback_rescue(error)
+      message = <<~EOS
+        An error of type #{error.class} was rescued. This is not part of `ShopifyAPI::Errors`, which could indicate a
+        bug in your app, or a bug in the shopify_app gem. Future versions of the gem may re-raise this error rather
+        than rescuing it.
+      EOS
+      ShopifyApp::Logger.deprecated(message, "22.0.0")
     end
 
-    private
+    def save_session(api_session)
+      ShopifyApp::SessionRepository.store_session(api_session)
+    end
+
+    def validated_auth_objects
+      filtered_params = request.parameters.symbolize_keys.slice(:code, :shop, :timestamp, :state, :host, :hmac)
+
+      oauth_payload = ShopifyAPI::Auth::Oauth.validate_auth_callback(
+        cookies: {
+          ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME =>
+            cookies.encrypted[ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME],
+        },
+        auth_query: ShopifyAPI::Auth::Oauth::AuthQuery.new(**filtered_params),
+      )
+      api_session = oauth_payload.dig(:session)
+      cookie = oauth_payload.dig(:cookie)
+
+      [api_session, cookie]
+    end
+
+    def update_rails_cookie(api_session, cookie)
+      if cookie.value.present?
+        cookies.encrypted[cookie.name] = {
+          expires: cookie.expires,
+          secure: true,
+          http_only: true,
+          value: cookie.value,
+        }
+      end
+
+      session[:shopify_user_id] = api_session.associated_user.id if api_session.online?
+      ShopifyApp::Logger.debug("Saving Shopify user ID to cookie")
+    end
 
-    def respond_successfully
+    def redirect_to_app
       if ShopifyAPI::Context.embedded?
-        return_to = session.delete(:return_to) || ""
-        redirect_to(ShopifyAPI::Auth.embedded_app_url(params[:host]) + return_to, allow_other_host: true)
+        return_to = "#{decoded_host}#{session.delete(:return_to)}"
+        return_to = ShopifyApp.configuration.root_url if deduced_phishing_attack?
+        redirect_to(return_to, allow_other_host: true)
       else
         redirect_to(return_address)
       end
     end
 
+    def decoded_host
+      @decoded_host ||= ShopifyAPI::Auth.embedded_app_url(params[:host])
+    end
+
+    # host param doesn't match the configured myshopify_domain
+    def deduced_phishing_attack?
+      sanitized_host = ShopifyApp::Utils.sanitize_shop_domain(URI(decoded_host).host)
+      sanitized_host.nil?
+    end
+
     def respond_with_error
       flash[:error] = I18n.t("could_not_log_in")
       redirect_to(login_url_with_optional_shop)

data/app/controllers/shopify_app/extension_verification_controller.rb

@@ -9,7 +9,10 @@ module ShopifyApp
     private
 
     def verify_request
-      head(:unauthorized) unless hmac_valid?(request.body.read)
+      unless hmac_valid?(request.body.read)
+        head(:unauthorized)
+        ShopifyApp::Logger.debug("Extension verification failed due to invalid HMAC")
+      end
     end
   end
 end

data/app/controllers/shopify_app/sessions_controller.rb

@@ -27,6 +27,8 @@ module ShopifyApp
     def destroy
       reset_session
       flash[:notice] = I18n.t(".logged_out")
+      ShopifyApp::Logger.debug("Session destroyed")
+      ShopifyApp::Logger.debug("Redirecting to #{login_url_with_optional_shop}")
       redirect_to(login_url_with_optional_shop)
     end
 
@@ -38,6 +40,7 @@ module ShopifyApp
       copy_return_to_param_to_session
 
       if embedded_redirect_url?
+        ShopifyApp::Logger.debug("Embedded URL within / authenticate")
         if embedded_param?
           redirect_for_embedded
         else
@@ -52,6 +55,7 @@ module ShopifyApp
 
     def start_oauth
       callback_url = ShopifyApp.configuration.login_callback_url.gsub(%r{^/}, "")
+      ShopifyApp::Logger.debug("Starting OAuth with the following callback URL: #{callback_url}")
 
       auth_attributes = ShopifyAPI::Auth::Oauth.begin_auth(
         shop: sanitized_shop_name,
@@ -65,7 +69,10 @@ module ShopifyApp
         value: auth_attributes[:cookie].value,
       }
 
-      redirect_to(auth_attributes[:auth_route], allow_other_host: true)
+      auth_route = auth_attributes[:auth_route]
+
+      ShopifyApp::Logger.debug("Redirecting to auth_route - #{auth_route}")
+      redirect_to(auth_route, allow_other_host: true)
     end
 
     def validate_shop_presence
@@ -94,7 +101,9 @@ module ShopifyApp
     end
 
     def redirect_auth_to_top_level
-      fullpage_redirect_to(login_url_with_optional_shop(top_level: true))
+      url = login_url_with_optional_shop(top_level: true)
+      ShopifyApp::Logger.debug("Redirecting to top level - #{url}")
+      fullpage_redirect_to(url)
     end
   end
 end

data/config/locales/ja.yml

@@ -8,7 +8,7 @@ ja:
   enable_cookies_footer: Cookieを使用すると、各種設定や個人情報を一時的に保存することで、アプリ認証を受けることができます。30日後に有効期限が切れます。
   enable_cookies_action: Cookieを有効にする
   top_level_interaction_heading: お使いのブラウザを更新する必要があります%{app}
-  top_level_interaction_body: Shopifyがアプリを開けるように、ブラウザーはCookieにアクセスするための%{app}のようなアプリが必要です。
+  top_level_interaction_body: Shopifyがアプリを開けるように、ブラウザはCookieにアクセスするための%{app}のようなアプリが必要です。
   top_level_interaction_action: 続ける
   request_storage_access_heading: "%{app}はCookieへのアクセス許可が必要です"
   request_storage_access_body: Cookieを使用すると、個人情報を一時的に保存することで、アプリ認証を受けることができます。[続ける]

data/docs/Troubleshooting.md

@@ -3,7 +3,7 @@
 #### Table of contents
 
 [Generators](#generators)
-  * [The `shopify_app:install` generator hangs](#the-shopifyappinstall-generator-hangs)
+  * [The `shopify_app:install` generator hangs](#the-shopify_appinstall-generator-hangs)
 
 [Rails](#rails)
   * [Known issues with Rails `v6.1`](#known-issues-with-rails-v61)
@@ -18,6 +18,8 @@
   * [My app can't make requests to the Shopify API](#my-app-cant-make-requests-to-the-shopify-api)
   * [I'm stuck in a redirect loop after OAuth](#im-stuck-in-a-redirect-loop-after-oauth)
 
+[Debugging Tips](#debugging-tips)
+
 ## Generators
 
 ### The shopify_app:install generator hangs
@@ -143,9 +145,43 @@ X-Shopify-API-Request-Failure-Unauthorized: true
 
 Then, use the [Shopify App Bridge Redirect](https://shopify.dev/tools/app-bridge/actions/navigation/redirect) action to redirect your app frontend to the app login URL if this header is set.
 
-
 ### I'm stuck in a redirect loop after OAuth
 
 In previous versions of `ShopifyApp::Authenticated` controller concern, App Bridge embedded apps were able to include the `Authenticated` controller concern in the `HomeController` and other embedded controllers. This is no longer supported due to browsers blocking 3rd party cookies to increase privacy. App Bridge 3 is needed to handle all embedded sessions.
 
 For more details on how to handle embeded sessions, refer to [the session token documentation](https://shopify.dev/apps/auth/oauth/session-tokens).
+
+### `redirect_uri is not whitelisted`
+
+* Ensure you have set the `HOST` environment variable to match your host's URL, e.g. `http://localhost:3000` or `https://my-host-name.trycloudflare.com`.
+* Update the app's URL and whitelisted URLs in App Setup on https://partners.shopify.com
+
+### `This app can’t load due to an issue with browser cookies`
+
+This can be caused by an infinite redirect due to a coding error
+To investigate the cause, you can add a breakpoint or logging to the `rescue` clause of `ShopifyApp::CallbackController`.
+
+One possible cause is that for XHR requests, the `Authenticated` concern should be used, rather than `RequireKnownShop`.
+See below for further details.
+
+## Controller Concerns
+### Authenticated vs RequireKnownShop
+The gem heavily relies on the `current_shopify_domain` helper to contextualize a request to a given Shopify shop. This helper is set in different and conflicting ways if the request is authenticated or not.
+
+Because of these conflicting approaches the `Authenticated` (for use in authenticated requests) and `RequireKnownShop` (for use in unauthenticated requests) controller concerns must *never* be included within the same controller.
+
+#### Authenticated Requests
+For authenticated requests, use the [`Authenticated` controller concern](https://github.com/Shopify/shopify_app/blob/main/app/controllers/concerns/shopify_app/authenticated.rb). The `current_shopify_domain` is set from the JWT for these requests.
+
+#### Unauthenticated Requests
+For unauthenticated requests, use the [`RequireKnownShop` controller concern](https://github.com/Shopify/shopify_app/blob/main/app/controllers/concerns/shopify_app/require_known_shop.rb). The `current_shopify_domain` is set from the query string parameters that are passed.
+
+## Debugging Tips
+
+If you do run into issues with the gem there are two useful techniques to apply: Adding log statements, and using an interactive debugger, such as `pry`.
+
+You can temporarily add log statements or debugger calls to the `shopify_app` or `shopify-api-ruby` gems:
+  * You can modify a gem using [`bundle open`](https://boringrails.com/tips/bundle-open-debug-gems)
+  * Alternatively, you can your modify your `Gemfile` to use local locally checked out gems with the the [`path` option](https://bundler.io/man/gemfile.5.html).
+
+Note that if you make changes to a gem, you will need to restart the app for the changes to be applied.

data/docs/Upgrading.md

@@ -4,6 +4,12 @@ This file documents important changes needed to upgrade your app's Shopify App v
 
 #### Table of contents
 
+[General Advice](#general-advice)
+
+[Unreleased](#unreleased)
+
+[Upgrading to `v20.3.0`](#upgrading-to-v2030)
+
 [Upgrading to `v20.2.0`](#upgrading-to-v2020)
 
 [Upgrading to `v20.1.0`](#upgrading-to-v2010)
@@ -20,7 +26,29 @@ This file documents important changes needed to upgrade your app's Shopify App v
 
 [Upgrading from `v8.6` to `v9.0.0`](#upgrading-from-v86-to-v900)
 
+## General Advice
+
+Although we strive to make upgrades as smooth as possible, some effort may be required to stay up to date with the latest changes to `shopify_app`.
+
+We strongly recommend you avoid 'monkeypatching' any existing code from `ShopifyApp`, e.g. by inheriting from `ShopifyApp` and then overriding particular methods. This can result in difficult upgrades. If your app does so, you will need to carefully check the gem's internal changes when upgrading.
+
+If you need to upgrade by more than one major version (e.g. from v18 to v20), we recommend doing one at a time. Deploy each into production to help to detect problems earlier.
+
+We also recommend the use of a staging site which matches your production environment as closely as possible.
+
+If you do run into issues, we recommend looking at our [debugging tips.](https://github.com/Shopify/shopify_app/blob/main/docs/Troubleshooting.md#debugging-tips)
+
+## Upgrading to 21.3.0
+The `Itp` controller concern has been removed from `LoginProtection` which is included by the `Authenticated` controller concern.
+If any of your controllers are dependant on methods from `Itp` then you can include `ShopifyApp::Itp` directly.
+You may notice a deprecation notice saying, `Itp will be removed in an upcoming version`.
+This is because we intend on removing `Itp` completely in `v22.0.0`, but this will work in the meantime.
+
+## Upgrading to `v20.3.0`
+Calling `LoginProtection#current_shopify_domain` will no longer raise an error if there is no active session. It will now return a nil value. The internal behavior of raising an error on OAuth redirect is still in place, however. If you were calling `current_shopify_domain` in authenticated actions and expecting an error if nil, you'll need to do a presence check and raise that error within your app.
+
 ## Upgrading to `v20.2.0`
+
 All custom errors defined inline within the `ShopifyApp` gem have been moved to `lib/shopify_app/errors.rb`.
 
 - If you rescue any errors defined in this gem, you will need to rename them to match their new namespacing.
@@ -36,8 +64,11 @@ Note that the following steps are *optional* and only apply to **embedded** appl
 
 ## Upgrading to `v19.0.0`
 
-This update moves API authentication logic from this gem to the [`shopify_api`](https://github.com/Shopify/shopify-api-ruby)
-gem.
+There are several major changes in this release:
+
+* A change of strategy regarding sessions: Due to security changes with browsers, support for cookie based sessions was dropped. JWT is now the only supported method for managing sessions.
+* As part of that change, this update moves API authentication logic from this gem to the [`shopify_api`](https://github.com/Shopify/shopify-api-ruby) gem.
+* Previously the `shopify_api` gem relied on `ActiveResource`, an outdated library which was [removed](https://github.com/rails/rails/commit/f1637bf2bb00490203503fbd943b73406e043d1d) from Rails in 2012. v10 of `shopify_api` has a replacement approach which aims to provide a similar syntax, but changes will be necessary.
 
 ### High-level process
 
@@ -48,18 +79,20 @@ gem.
 - Remove `allow_jwt_authentication=` and `allow_cookie_authentication=` invocations from
   `config/initializers/shopify_app.rb` as the decision logic for which authentication method to use is now handled
   internally by the `shopify_api` gem, using the `ShopifyAPI::Context.embedded_app` setting.
-- `v19.0.0` updates the `shopify_api` dependency to `10.0.0`. This version of `shopify_api` has breaking changes. See
-  the documentation for addressing these breaking changes on GitHub [here](https://github.com/Shopify/shopify-api-ruby#breaking-change-notice-for-version-1000).
+- [Follow the guidance for upgrading `shopify-api-ruby`](https://github.com/Shopify/shopify-api-ruby#breaking-change-notice-for-version-1000).
 
 ### Specific cases
 
-#### Shopify user id in session
+#### Shopify user ID in session
 
 Previously, we set the entire app user object in the `session` object.
 As of v19, since we no longer save the app user to the session (but only the shopify user id), we now store it as `session[:shopify_user_id]`. Please make sure to update any references to that object.
 
 #### Webhook Jobs
 
+It is assumed that you have an ActiveJob implementation configured for `perform_later`, e.g. Sidekiq.
+Ensure your jobs inherit from `ApplicationJob` or `ActiveJob::Base`.
+
 Add a new `handle` method to existing webhook jobs to go through the updated `shopify_api` gem.
 
 ```ruby
@@ -95,32 +128,7 @@ Shopify API session, or `nil` if no such session is available.
 
 #### Setting up `ShopifyAPI::Context`
 
-The `shopify_app` initializer must configure the `ShopifyAPI::Context`. The Rails generator will
-generate a block in the `shopify_app` initializer. To do so manually, ensure the following is
-part of the `after_initialize` block in `shopify_app.rb`.
-
-```ruby
-Rails.application.config.after_initialize do
-  if ShopifyApp.configuration.api_key.present? && ShopifyApp.configuration.secret.present?
-    ShopifyAPI::Context.setup(
-      api_key: ShopifyApp.configuration.api_key,
-      api_secret_key: ShopifyApp.configuration.secret,
-      old_api_secret_key: ShopifyApp.configuration.old_secret,
-      api_version: ShopifyApp.configuration.api_version,
-      host_name: URI(ENV.fetch('HOST', '')).host || '',
-      scope: ShopifyApp.configuration.scope,
-      is_private: !ENV.fetch('SHOPIFY_APP_PRIVATE_SHOP', '').empty?,
-      is_embedded: ShopifyApp.configuration.embedded_app,
-      session_storage: ShopifyApp::SessionRepository,
-      logger: Rails.logger,
-      private_shop: ENV.fetch('SHOPIFY_APP_PRIVATE_SHOP', nil),
-      user_agent_prefix: "ShopifyApp/#{ShopifyApp::VERSION}"
-    )
-
-    ShopifyApp::WebhooksManager.add_registrations
-  end
-end
-```
+The `shopify_app` initializer must configure the `ShopifyAPI::Context`. The Rails generator will generate a block in the `shopify_app` initializer. To do so manually, you can refer to `after_initialize` block in the [template](https://github.com/Shopify/shopify_app/blob/main/lib/generators/shopify_app/install/templates/shopify_app.rb.tt).
 
 ## Upgrading to `v18.1.2`
 
@@ -128,7 +136,7 @@ Version 18.1.2 replaces the deprecated EASDK redirect with an App Bridge 2 redir
 
 ## Upgrading to `v17.2.0`
 
-### Different SameSite cookie attribute behaviour
+### Different SameSite cookie attribute behavior
 
 To support Rails `v6.1`, the [`SameSiteCookieMiddleware`](/lib/shopify_app/middleware/same_site_cookie_middleware.rb) was updated to configure cookies to `SameSite=None` if the app is embedded. Before this release, cookies were configured to `SameSite=None` only if this attribute had not previously been set before.
 

data/docs/shopify_app/controller-concerns.md

@@ -0,0 +1,48 @@
+# Controller Concerns
+
+The following controller concerns are designed to be public and can be included in your controllers. Concerns defined in `lib/shopify_app/controller_concerns` are designed to be private and are not meant to be included directly into your controllers.
+
+## Authenticated
+Designed for controllers that are designed to handle authenticated actions by ensuring there is a valid session for the request.
+
+In addition to session management, this concern will also handle localization, CSRF protection, embedded app settings, and billing enforcement.
+
+#### LoginProtection - Session Management
+This concern will setup and teardown the session around the action. If the session cannot be setup for the requested shop the request will be redirected to login.
+
+The concern will load sessions depending on your app's configuration:
+
+**Embedded apps**
+
+Cookies are not available for embedded apps because it loads in an iframe, so this concern will load the session from the request's `Authorization` header containing a session token, which can be set using [App Bridge](https://shopify.dev/apps/tools/app-bridge).
+
+Learn more about [using `authenticatedFetch`](https://shopify.dev/apps/auth/oauth/session-tokens/getting-started#step-2-authenticate-your-requests) to create session tokens and authenticate your requests.
+
+**Non-embedded apps**
+
+Since cookies are available, the concern will load the session directly from them, so you can make regular `fetch` requests on your front-end.
+
+#### Localization
+I18n localization is saved to the session for consistent translations for the session.
+
+#### CSRFProtection
+Implements Rails' [protect_from_forgery](https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-protect_from_forgery) unless a valid session token is found for the request.
+
+#### EmbeddedApp
+If your ShopifyApp configuration has the `embedded_app` config set to true, [P3P header](https://www.w3.org/P3P/) and [content security policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) are handled for you.
+
+#### EnsureBilling
+If billing is enabled for the app, the active payment for the session is queried and enforced if needed. If billing is required the user will be redirected to a page requesting payment.
+
+## EnsureAuthenticatedLinks
+Designed to be more of a lightweight session concern specifically for XHR requests. Where `Authenticated` does far more than just session management, this concern will redirect to the splash page of the app if no active session was found.
+
+## RequireKnownShop
+Designed to handle unauthenticated requests for *embedded apps*. If you are non-embedded app, we recommend using `Authenticated` concern instead of this one.
+
+Rather than using the JWT to determine the requested shop of the request, the `shop` name param is taken from the query string that Shopify Admin provides.
+
+If the shop session cannot be found for the provided `shop` in the query string, the request will be redirected to login or the `embedded_redirect_url`.
+
+## ShopAccessScopesVerification
+If scopes for the session don't match configuration of scopes defined in `config/initializers/shopify_app.rb` the user will be redirected to login or the `embedded_redirect_url`

data/docs/shopify_app/logging.md

@@ -0,0 +1,21 @@
+# Logging
+
+## Log Levels
+
+There are four log levels with `error` being the most severe.
+
+1. Debug
+2. Info
+3. Warn
+4. Error
+
+## Configuration
+
+The logging is controlled by the `log_level` configuration setting.
+The default log level is `:info`.
+You can disable all logs by setting this to `:off`.
+
+## Upgrading
+
+For a newly-generated app, the `shopify_app` initializer will contain the `log_level` setting.
+If you are upgrading from a previous version of the `shopify_app` gem then you will need to add this manually, otherwise it will default to `:info`.

data/docs/shopify_app/webhooks.md

@@ -3,6 +3,7 @@
 #### Table of contents
 
 [Manage webhooks using `ShopifyApp::WebhooksManager`](#manage-webhooks-using-shopifyappwebhooksmanager)
+[Mandatory GDPR Webhooks](#mandatory-gdpr-webhooks)
 
 ## Manage webhooks using `ShopifyApp::WebhooksManager`
 
@@ -70,3 +71,15 @@ rails g shopify_app:add_webhook --topic carts/update --path webhooks/carts_updat
 ```
 
 Where `--topic` is the topic and `--path` is the path the webhook should be sent to.
+
+## Mandatory GDPR Webhooks
+
+We have three mandatory GDPR webhooks
+
+1. `customers/data_request`
+2. `customer/redact`
+3. `shop/redact`
+
+The `generate shopify_app` command generated three job templates corresponding to all three of these webhooks.
+To pass our approval process you will need to set these webhooks in your partner dashboard.
+You can read more about that [here](https://shopify.dev/apps/webhooks/configuration/mandatory-webhooks).

data/lib/generators/shopify_app/add_app_uninstalled_job/add_app_uninstalled_job_generator.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "rails/generators/base"
+
+module ShopifyApp
+  module Generators
+    class AddAppUninstalledJobGenerator < Rails::Generators::Base
+      source_root File.expand_path("../templates", __FILE__)
+
+      def create_job
+        template("app_uninstalled_job.rb", "app/jobs/app_uninstalled_job.rb")
+      end
+    end
+  end
+end

data/lib/generators/shopify_app/add_app_uninstalled_job/templates/app_uninstalled_job.rb.tt

@@ -0,0 +1,22 @@
+class AppUninstalledJob < ActiveJob::Base
+  extend ShopifyAPI::Webhooks::Handler
+
+  class << self
+    def handle(topic:, shop:, body:)
+      perform_later(topic: topic, shop_domain: shop, webhook: body)
+    end
+  end
+
+  def perform(topic:, shop_domain:, webhook:)
+    shop = Shop.find_by(shopify_domain: shop_domain)
+
+    if shop.nil?
+      logger.error("#{self.class} failed: cannot find shop with domain '#{shop_domain}'")
+      
+      raise ActiveRecord::RecordNotFound, "Shop Not Found"
+    end
+
+    logger.info("#{self.class} started for shop '#{shop_domain}'")
+    shop.destroy
+  end
+end

data/lib/generators/shopify_app/add_gdpr_jobs/add_gdpr_jobs_generator.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require "rails/generators/base"
+
+module ShopifyApp
+  module Generators
+    class AddGdprJobsGenerator < Rails::Generators::Base
+      source_root File.expand_path("../templates", __FILE__)
+
+      def add_customer_data_request_job
+        template("customers_data_request_job.rb", "app/jobs/customers_data_request_job.rb")
+      end
+
+      def add_shop_redact_job
+        template("shop_redact_job.rb", "app/jobs/shop_redact_job.rb")
+      end
+
+      def add_customer_redact_job
+        template("customers_redact_job.rb", "app/jobs/customers_redact_job.rb")
+      end
+    end
+  end
+end

data/lib/generators/shopify_app/add_gdpr_jobs/templates/customers_data_request_job.rb.tt

@@ -0,0 +1,22 @@
+class CustomersDataRequestJob < ActiveJob::Base
+  extend ShopifyAPI::Webhooks::Handler
+
+  class << self
+    def handle(topic:, shop:, body:)
+      perform_later(topic: topic, shop_domain: shop, webhook: body)
+    end
+  end
+
+  def perform(topic:, shop_domain:, webhook:)
+    shop = Shop.find_by(shopify_domain: shop_domain)
+
+    if shop.nil?
+      logger.error("#{self.class} failed: cannot find shop with domain '#{shop_domain}'")
+      
+      raise ActiveRecord::RecordNotFound, "Shop Not Found"
+    end
+
+    shop.with_shopify_session do
+    end
+  end
+end

data/lib/generators/shopify_app/add_gdpr_jobs/templates/customers_redact_job.rb.tt

@@ -0,0 +1,22 @@
+class CustomersRedactJob < ActiveJob::Base
+  extend ShopifyAPI::Webhooks::Handler
+
+  class << self
+    def handle(topic:, shop:, body:)
+      perform_later(topic: topic, shop_domain: shop, webhook: body)
+    end
+  end
+
+  def perform(topic:, shop_domain:, webhook:)
+    shop = Shop.find_by(shopify_domain: shop_domain)
+
+    if shop.nil?
+      logger.error("#{self.class} failed: cannot find shop with domain '#{shop_domain}'")
+      
+      raise ActiveRecord::RecordNotFound, "Shop Not Found"
+    end
+
+    shop.with_shopify_session do
+    end
+  end
+end

data/lib/generators/shopify_app/add_gdpr_jobs/templates/shop_redact_job.rb.tt

@@ -0,0 +1,22 @@
+class ShopRedactJob < ActiveJob::Base
+  extend ShopifyAPI::Webhooks::Handler
+
+  class << self
+    def handle(topic:, shop:, body:)
+      perform_later(topic: topic, shop_domain: shop, webhook: body)
+    end
+  end
+
+  def perform(topic:, shop_domain:, webhook:)
+    shop = Shop.find_by(shopify_domain: shop_domain)
+
+    if shop.nil?
+      logger.error("#{self.class} failed: cannot find shop with domain '#{shop_domain}'")
+      
+      raise ActiveRecord::RecordNotFound, "Shop Not Found"
+    end
+
+    shop.with_shopify_session do
+    end
+  end
+end