shopify_app 21.3.0 → 21.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 89cc2a310a1182a7efc057933dafe337c0ba070732f40d920245741be7666c17
-  data.tar.gz: 2f981c756c218d2971687cd7e3f86a62b69b77fb49e343610523c8d8c77bb143
+  metadata.gz: f8bffcbbd9262af14d8b5d0c0333b2a17f4de563ad4c40134dec7b838eaf789b
+  data.tar.gz: 0ba89c4f9ff64b366c3d368b70abcfdf2e02f1e0f66c796f5b16a6a5fafdcd07
 SHA512:
-  metadata.gz: db13b7a1991ef855604d7734a79b4812f010bddc4937636c7c96594f8cbecd8daafd562ea3be6cd137887d799bb1d654eb951509334d04e17056b8c4582d4c14
-  data.tar.gz: 386345a2947c3e0c42f2ad9f2433e2702a823ede57bdd4efe73899703141c1fc58855bb451b3785c07536177f997385f6513a60e8fa1808a8de146cc33b1a294
+  metadata.gz: bc4dc9ccd6267a2eb7ff1d22e54f1527c0ab32cb61b83841bc71cc4bb79b14a33aa4021e13494e3167d0a7d20aeea86f9af9dd478ebff8400ec4b33ac1426417
+  data.tar.gz: c2154db900a3fb4321be1d224c8d44987fdce714984b3004b87b4dd5301717832fa11b907fe88b261020da82b4c3255256d4e4ba4dd5800262a8e3daa4778f91

data/.github/ISSUE_TEMPLATE/ENHANCEMENT.md

@@ -0,0 +1,9 @@
+---
+name: '📈 Enhancement'
+about: Enhancement to our codebase that isn't a adding or changing a feature
+labels: 'Type: Enhancement 📈'
+---
+
+## Overview/summary
+
+<!-- Write a short description of the enhancement here ↓ -->

data/.github/ISSUE_TEMPLATE/bug-report.md

@@ -1,63 +1,41 @@
 ---
-name: Bug report
-about: Report a technical issue with the Shopify App gem.
-labels: bug
+name: "🐛 Bug Report"
+about: Something isn't working
+labels: "Type: Bug 🐛"
 ---
 
-<!--
+# Issue summary
 
-Do you want to ask a question? Are you looking for support? The Shopify Community forum is the best place for getting support: https://community.shopify.com
+<!--
 
-You can also join the Partners Slack Community group: https://www.shopify.com/partners/community#conversation
+Write a short description of the issue here. Please provide any details or logs that
+can help us debug it.
 
-Authentication Issues: A great deal of the issues surrounding this repo are around authenticating (installing) the generated app with Shopify.
+Increase the logs as described in the README by setting log_level to :debug, and paste the relevant portion here.
 
-If you are experiencing issues with your app authenticating/installing the best way to get help fast is to create a repo with the minimal amount of code to demonstrate the issue and a clearly documented set of steps you took to arrive there. This will help us solve your problem quicker since we won't need to spend any time figuring out how to reproduce the bug. Please also include your operating system and browser.
+Learn more: https://github.com/Shopify/shopify-api-ruby#setup-shopify-context
 
 -->
 
-### Description
-
-<!-- Description of the issue -->
-
-### Steps to Reproduce
-
-1. <!-- First Step -->
-2. <!-- Second Step -->
-3. <!-- and so on… -->
-
-**Expected behavior:**
-
-<!-- What you expect to happen -->
-
-**Actual behavior:**
-
-<!-- What actually happens -->
-
-**Reproduces how often:**
-
-<!-- What percentage of the time does it reproduce? -->
-
-### Browsers
-
-<!-- Please specify the browser(s) you have tested that exhibit this behaviour. -->
-
-### Gem versions
-
-<!-- Please specify which version(s) of the gem exhibit this behaviour. -->
-
-### Additional Information
+- `shopify_api` version:
+- `shopify_app` version:
+- Ruby version:
+- Operating system:
 
-<!-- Any additional information, configuration or data that might be necessary to reproduce the issue. See common examples of important information below. -->
+```
+// Paste any relevant logs here
+```
 
-<!-- - [x] My app relies on third-party cookies -->
-<!-- - [x] My app is intended to be a non-embedded app -->
-<!-- - [x] My app uses session tokens -->
+## Expected behavior
 
+<!-- What do you think should happen? -->
 
-### Security
+## Actual behavior
 
-<!-- Please be certain to redact any private information from your logs or code snippets such as Api Keys, Api Secrets, and any authentication tokens such as shop_tokens. -->
+<!-- What actually happens? -->
 
-- [ ] I have redacted any private information from my logs or code snippets.
+## Steps to reproduce the problem
 
+1.
+1.
+1.

data/.github/ISSUE_TEMPLATE/feature-request.md

@@ -1,33 +1,9 @@
 ---
-name: Feature request
-about: Request new functionality for the Shopify App gem.
-labels: feature request
+name: "🙌 Feature Request"
+about: Suggest a new feature, or changes to an existing one
+labels: "Type: Feature Request :raised_hands:"
 ---
 
-<!--
+## Overview
 
-Do you want to ask a question? Are you looking for support? The Shopify Community forum is the best place for getting support: https://community.shopify.com
-
-You can also join the Partners Slack Community group: https://www.shopify.com/partners/community#conversation
-
----
-
-Please note that the team that maintains this gem has finite resources so it's unlikely that we'll work on feature requests. If we're interested in a particular feature however, we'll follow up and ask for more detail.
-
--->
-
-### Summary
-
-<!-- One paragraph explanation of the feature or suggestions. -->
-
-### Motivation
-
-<!-- Why is this feature or suggestion needed? What is the expected outcome? -->
-
-### Describe alternatives you've considered
-
-<!-- A clear and concise description of the alternative solutions you've considered. -->
-
-### Additional context
-
-<!-- Add any other context or screenshots about the feature request here. -->
+<!-- Write a short description of the request here ↓ -->

data/CHANGELOG.md

@@ -1,6 +1,19 @@
 Unreleased
 ----------
 
+21.4.0 (Jan 5, 2023)
+----------
+* Updated shopify_api to 12.4.0 [#1633](https://github.com/Shopify/shopify_app/pull/1633)
+* Removed Logged output for rescued JWT exceptions [#1610](https://github.com/Shopify/shopify_app/pull/1610)
+* Fixes a bug with `ShopifyApp::WebhooksManager.destroy_webhooks` causing not passing session arguments to [unregister](https://github.com/Shopify/shopify-api-ruby/blob/main/lib/shopify_api/webhooks/registry.rb#L99) method [#1569](https://github.com/Shopify/shopify_app/pull/1569)
+* Validates shop's offline session token is still valid when using `EnsureInstalled`[#1612](https://github.com/Shopify/shopify_app/pull/1612)
+* Allows use of multiple subdomains with myshopify_domain [#1620](https://github.com/Shopify/shopify_app/pull/1620)
+* Added a `setup_shopify_session` test helper to stub a valid session
+
+21.3.1 (Dec 12, 2022)
+----------
+* Fix bug with stores using the new unified admin that were falsely being flagged as phishing attempts [#1608](https://github.com/Shopify/shopify_app/pull/1608)
+
 21.3.0 (Dec 9, 2022)
 ----------
 * Move covered scopes check into user access strategy [#1600](https://github.com/Shopify/shopify_app/pull/1600)

data/Gemfile.lock

@@ -1,13 +1,14 @@
 PATH
   remote: .
   specs:
-    shopify_app (21.3.0)
+    shopify_app (21.4.0)
       activeresource
+      addressable (~> 2.7)
       browser_sniffer (~> 2.0)
       jwt (>= 2.2.3)
       rails (> 5.2.1)
       redirect_safely (~> 1.0)
-      shopify_api (~> 12.3)
+      shopify_api (~> 12.4)
       sprockets-rails (>= 2.0.0)
 
 GEM
@@ -99,13 +100,13 @@ GEM
       activesupport (>= 5.0)
     hash_diff (1.1.1)
     hashdiff (1.0.1)
-    httparty (0.20.0)
-      mime-types (~> 3.0)
+    httparty (0.21.0)
+      mini_mime (>= 1.0.0)
       multi_xml (>= 0.5.2)
     i18n (1.12.0)
       concurrent-ruby (~> 1.0)
     json (2.6.3)
-    jwt (2.5.0)
+    jwt (2.6.0)
     language_server-protocol (3.17.0.2)
     loofah (2.19.0)
       crass (~> 1.0.2)
@@ -117,11 +118,8 @@ GEM
       net-smtp
     marcel (1.0.2)
     method_source (1.0.0)
-    mime-types (3.4.1)
-      mime-types-data (~> 3.2015)
-    mime-types-data (3.2022.0105)
     mini_mime (1.1.2)
-    minitest (5.16.3)
+    minitest (5.17.0)
     mocha (2.0.2)
       ruby2_keywords (>= 0.0.5)
     multi_xml (0.6.0)
@@ -141,7 +139,7 @@ GEM
     nokogiri (1.13.9-x86_64-linux)
       racc (~> 1.4)
     oj (3.13.23)
-    openssl (3.0.1)
+    openssl (3.1.0)
     parallel (1.22.1)
     parser (3.1.3.0)
       ast (~> 2.4.1)
@@ -216,8 +214,8 @@ GEM
       syntax_tree (>= 4.0.2, < 5.0.0)
     ruby-progressbar (1.11.0)
     ruby2_keywords (0.0.5)
-    securerandom (0.2.1)
-    shopify_api (12.3.0)
+    securerandom (0.2.2)
+    shopify_api (12.4.0)
       activesupport
       concurrent-ruby
       hash_diff
@@ -228,7 +226,7 @@ GEM
       securerandom
       sorbet-runtime
       zeitwerk (~> 2.5, < 2.6.5)
-    sorbet-runtime (0.5.10576)
+    sorbet-runtime (0.5.10601)
     sprockets (4.1.1)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)

data/app/controllers/concerns/shopify_app/ensure_installed.rb

@@ -6,7 +6,7 @@ module ShopifyApp
     include ShopifyApp::RedirectForEmbedded
 
     included do
-      if ancestors.include?(ShopifyApp::LoginProtection)
+      if defined?(ShopifyApp::LoginProtection) && ancestors.include?(ShopifyApp::LoginProtection)
         message = <<~EOS
           We detected the use of incompatible concerns (EnsureInstalled and LoginProtection) in #{name},
           which may lead to unpredictable behavior. In a future release of this library this will raise an error.
@@ -17,6 +17,7 @@ module ShopifyApp
 
       before_action :check_shop_domain
       before_action :check_shop_known
+      before_action :validate_non_embedded_session
     end
 
     def current_shopify_domain
@@ -30,6 +31,10 @@ module ShopifyApp
       @shopify_domain
     end
 
+    def installed_shop_session
+      @installed_shop_session ||= SessionRepository.retrieve_shop_session_by_shopify_domain(current_shopify_domain)
+    end
+
     private
 
     def check_shop_domain
@@ -37,7 +42,7 @@ module ShopifyApp
     end
 
     def check_shop_known
-      @shop = SessionRepository.retrieve_shop_session_by_shopify_domain(current_shopify_domain)
+      @shop = installed_shop_session
       unless @shop
         if embedded_param?
           redirect_for_embedded
@@ -58,5 +63,16 @@ module ShopifyApp
 
       url.to_s
     end
+
+    def validate_non_embedded_session
+      return if loaded_directly_from_admin?
+
+      client = ShopifyAPI::Clients::Rest::Admin.new(session: installed_shop_session)
+      client.get(path: "shop")
+    rescue ShopifyAPI::Errors::HttpResponseError => error
+      ShopifyApp::Logger.info("Shop offline session no longer valid. Redirecting to OAuth install")
+      redirect_to(shop_login) if error.code == 401
+      raise error if error.code != 401
+    end
   end
 end

data/app/controllers/shopify_app/callback_controller.rb

@@ -85,6 +85,10 @@ module ShopifyApp
     # host param doesn't match the configured myshopify_domain
     def deduced_phishing_attack?
       sanitized_host = ShopifyApp::Utils.sanitize_shop_domain(URI(decoded_host).host)
+      if sanitized_host.nil?
+        ShopifyApp::Logger.info("host param from callback is not from a trusted domain")
+        ShopifyApp::Logger.info("redirecting to root as this is likely a phishing attack")
+      end
       sanitized_host.nil?
     end
 

data/docs/shopify_app/engine.md

@@ -27,24 +27,15 @@ The engine may also be mounted at a nested route, for example:
 mount ShopifyApp::Engine, at: '/nested'
 ```
 
-This will create the Shopify engine routes under the specified subpath. You'll also need to make some updates to your `shopify_app.rb` and `omniauth.rb` initializers. First, update the shopify_app initializer to include a custom `root_url` e.g.:
+This will create the Shopify engine routes under the specified subpath. You'll also need to make some updates to your `shopify_app.rb`. Update the shopify_app initializer to include a custom `root_url` and `login_callback_url` e.g.:
 
 ```ruby
 ShopifyApp.configure do |config|
   config.root_url = '/nested'
+  config.login_callback_url = '/nested/auth/shopify/callback'
 end
 ```
 
-then update the omniauth initializer to include a custom `callback_path` e.g.:
-
-```ruby
-provider :shopify,
-  ShopifyApp.configuration.api_key,
-  ShopifyApp.configuration.secret,
-  scope: ShopifyApp.configuration.scope,
-  callback_path: '/nested/auth/shopify/callback'
-```
-
 You may also need to change your `config/routes.rb` to render a view for `/nested`, since this is what will be rendered in the Shopify Admin of any shops that have installed your app.  The engine itself doesn't have a view for this, so you'll need something like this:
 
 ```ruby

data/docs/shopify_app/session-repository.md

@@ -72,17 +72,8 @@ end
 
 1. Run the `user_model` generator as mentioned above.
 2. Ensure that both your `Shop` model and `User` model includes the necessary concerns `ShopifyApp::ShopSessionStorage` and `ShopifyApp::UserSessionStorage`.
-3. Make changes to 2 initializer files as shown below:
+3. Make changes to the `shopify_app.rb` initializer file as shown below:
 ```ruby
-# In the `omniauth.rb` initializer:
-provider :shopify,
-  ...
-  setup: lambda { |env|
-    configuration = ShopifyApp::OmniAuthConfiguration.new(env['omniauth.strategy'], Rack::Request.new(env))
-    configuration.build_options
-  }
-
-# In the `shopify_app.rb` initializer:
 config.shop_session_repository = {YOUR_SHOP_MODEL_CLASS}
 config.user_session_repository = {YOUR_USER_MODEL_CLASS}
 ```

data/docs/shopify_app/testing.md

@@ -11,20 +11,42 @@
 A test helper that will allow you to test `ShopifyApp::WebhookVerification` in the controller from your app, to use this test, you need to `require` it directly inside your app `test/controllers/webhook_verification_test.rb`.
 
 ```ruby
-    require 'test_helper'
-    require 'action_controller'
-    require 'action_controller/base'
-    require 'shopify_app/test_helpers/webhook_verification_helper'
+require 'test_helper'
+require 'action_controller'
+require 'action_controller/base'
+require 'shopify_app/test_helpers/webhook_verification_helper'
 ```
 
-Or you can require in your `test/test_helper.rb`.
+A test helper that allows you to stub out a shopify_app session in controllers that include `ShopifyApp::LoginProtection`, to use this helper, you need to `require` it directly.
+
+Example Usage:
+
+```ruby
+require 'shopify_app/test_helpers/shopify_session_helper'
+
+class MyAuthenticatedControllerTest < ActionController::TestCase
+  include ShopifyApp::TestHelpers::ShopifySessionHelper
+
+  test "does not redirect when there is a valid shopify session" do
+    # note shop_domain should be the same as your shopify domain
+    shop_domain = "my-shop.myshopify.com"
+    setup_shopify_session(session_id: "1", shop_domain: shop_domain)
+
+    get :index
+
+    assert_response :ok
+  end
+end
+```
+
+Or you can require all shopify_app test helpers in your `test/test_helper.rb`.
 
 ```ruby
-  ENV['RAILS_ENV'] ||= 'test'
-  require_relative '../config/environment'
-  require 'rails/test_help'
-  require 'byebug'
-  require 'shopify_app/test_helpers/all'
+ENV['RAILS_ENV'] ||= 'test'
+require_relative '../config/environment'
+require 'rails/test_help'
+require 'byebug'
+require 'shopify_app/test_helpers/all'
 ```
 
 With `lib/shopify_app/test_helpers/all'` more tests can be added and will only need to be required in once in your library.

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -8,7 +8,9 @@ module ShopifyApp
     include ShopifyApp::SanitizedParams
 
     included do
-      if ancestors.include?(ShopifyApp::RequireKnownShop || ShopifyApp::EnsureInstalled)
+      if defined?(ShopifyApp::RequireKnownShop) &&
+          defined?(ShopifyApp::EnsureInstalled) &&
+          ancestors.include?(ShopifyApp::RequireKnownShop || ShopifyApp::EnsureInstalled)
         message = <<~EOS
           We detected the use of incompatible concerns (RequireKnownShop/EnsureInstalled and LoginProtection) in #{name},
           which may lead to unpredictable behavior. In a future release of this library this will raise an error.

data/lib/shopify_app/controller_concerns/redirect_for_embedded.rb

@@ -11,7 +11,11 @@ module ShopifyApp
     end
 
     def embedded_param?
-      embedded_redirect_url? && params[:embedded].present? && params[:embedded] == "1"
+      embedded_redirect_url? && params[:embedded].present? && loaded_directly_from_admin?
+    end
+
+    def loaded_directly_from_admin?
+      ShopifyApp.configuration.embedded_app? && params[:embedded] == "1"
     end
 
     def redirect_for_embedded

data/lib/shopify_app/managers/webhooks_manager.rb

@@ -21,7 +21,7 @@ module ShopifyApp
       end
 
       def recreate_webhooks!(session:)
-        destroy_webhooks
+        destroy_webhooks(session: session)
         return unless ShopifyApp.configuration.has_webhooks?
 
         add_registrations
@@ -30,12 +30,12 @@ module ShopifyApp
         ShopifyAPI::Webhooks::Registry.register_all(session: session)
       end
 
-      def destroy_webhooks
+      def destroy_webhooks(session:)
         return unless ShopifyApp.configuration.has_webhooks?
 
         ShopifyApp::Logger.debug("Destroying webhooks")
         ShopifyApp.configuration.webhooks.each do |attributes|
-          ShopifyAPI::Webhooks::Registry.unregister(topic: attributes[:topic])
+          ShopifyAPI::Webhooks::Registry.unregister(topic: attributes[:topic], session: session)
         end
       end
 

data/lib/shopify_app/session/jwt.rb

@@ -34,8 +34,7 @@ module ShopifyApp
     def set_payload
       payload, _ = parse_token_data(ShopifyApp.configuration&.secret, ShopifyApp.configuration&.old_secret)
       @payload = validate_payload(payload)
-    rescue *WARN_EXCEPTIONS => error
-      ShopifyApp::Logger.warn("Failed to validate JWT: [#{error.class}] #{error}")
+    rescue *WARN_EXCEPTIONS
       nil
     end
 

data/lib/shopify_app/test_helpers/all.rb

@@ -1,3 +1,4 @@
 # frozen_string_literal: true
 
 require "shopify_app/test_helpers/webhook_verification_helper"
+require "shopify_app/test_helpers/shopify_session_helper"

data/lib/shopify_app/test_helpers/shopify_session_helper.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module TestHelpers
+    module ShopifySessionHelper
+      def setup_shopify_session(session_id:, shop_domain:)
+        ShopifyAPI::Auth::Session.new(id: session_id, shop: shop_domain).tap do |session|
+          ShopifyApp::SessionRepository.stubs(:load_session).returns(session)
+          ShopifyAPI::Utils::SessionUtils.stubs(:current_session_id).returns(session.id)
+          ShopifyAPI::Context.activate_session(session)
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/utils.rb

@@ -2,30 +2,69 @@
 
 module ShopifyApp
   module Utils
-    def self.sanitize_shop_domain(shop_domain)
-      myshopify_domain = ShopifyApp.configuration.myshopify_domain
-      name = shop_domain.to_s.downcase.strip
-      name += ".#{myshopify_domain}" if !name.include?(myshopify_domain.to_s) && !name.include?(".")
-      name.sub!(%r|https?://|, "")
-
-      u = URI("http://#{name}")
-      u.host if u.host&.match(/^[a-z0-9][a-z0-9\-]*[a-z0-9]\.#{Regexp.escape(myshopify_domain)}$/)
-    rescue URI::InvalidURIError
-      nil
-    end
+    class << self
+      TRUSTED_SHOPIFY_DOMAINS = [
+        "shopify.com",
+        "myshopify.io",
+        "myshopify.com",
+        "spin.dev",
+      ].freeze
+
+      def sanitize_shop_domain(shop_domain)
+        uri = uri_from_shop_domain(shop_domain)
+        return nil if uri.nil?
+
+        trusted_domains.each do |trusted_domain|
+          no_shop_name_in_subdomain = uri.host == trusted_domain
+          from_trusted_domain = trusted_domain == uri.domain
+
+          return nil if no_shop_name_in_subdomain || uri.host&.empty?
+          return uri.host if from_trusted_domain
+        end
+
+        nil
+      end
+
+      def shop_login_url(shop:, host:, return_to:)
+        return ShopifyApp.configuration.login_url unless shop
+
+        url = URI(ShopifyApp.configuration.login_url)
+
+        url.query = URI.encode_www_form(
+          shop: shop,
+          host: host,
+          return_to: return_to,
+        )
+
+        url.to_s
+      end
+
+      private
+
+      def myshopify_domain
+        ShopifyApp.configuration.myshopify_domain
+      end
 
-    def self.shop_login_url(shop:, host:, return_to:)
-      return ShopifyApp.configuration.login_url unless shop
+      def trusted_domains
+        trusted_domains = TRUSTED_SHOPIFY_DOMAINS.dup
+        trusted_domains.append(myshopify_domain).uniq! if myshopify_domain
+        trusted_domains
+      end
 
-      url = URI(ShopifyApp.configuration.login_url)
+      def uri_from_shop_domain(shop_domain)
+        name = shop_domain.to_s.downcase.strip
+        name += ".#{myshopify_domain}" if !name.include?(myshopify_domain.to_s) && !name.include?(".")
+        uri = Addressable::URI.parse(name)
 
-      url.query = URI.encode_www_form(
-        shop: shop,
-        host: host,
-        return_to: return_to,
-      )
+        if uri.scheme.nil?
+          name = "https://" + name
+          uri = Addressable::URI.parse(name)
+        end
 
-      url.to_s
+        uri
+      rescue Addressable::URI::InvalidURIError
+        nil
+      end
     end
   end
 end

data/lib/shopify_app/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ShopifyApp
-  VERSION = "21.3.0"
+  VERSION = "21.4.0"
 end

data/lib/shopify_app.rb

@@ -5,6 +5,7 @@ require "shopify_app/version"
 # deps
 require "shopify_api"
 require "redirect_safely"
+require "addressable"
 
 module ShopifyApp
   def self.rails6?

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "21.0.0",
+  "version": "21.4.0",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

data/shopify_app.gemspec

@@ -15,11 +15,12 @@ Gem::Specification.new do |s|
   s.metadata["allowed_push_host"] = "https://rubygems.org"
 
   s.add_runtime_dependency("activeresource") # TODO: Remove this once all active resource dependencies are removed
+  s.add_runtime_dependency("addressable", "~> 2.7")
   s.add_runtime_dependency("browser_sniffer", "~> 2.0")
   s.add_runtime_dependency("jwt", ">= 2.2.3")
   s.add_runtime_dependency("rails", "> 5.2.1")
   s.add_runtime_dependency("redirect_safely", "~> 1.0")
-  s.add_runtime_dependency("shopify_api", "~> 12.3")
+  s.add_runtime_dependency("shopify_api", "~> 12.4")
   s.add_runtime_dependency("sprockets-rails", ">= 2.0.0")
 
   s.add_development_dependency("byebug")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 21.3.0
+  version: 21.4.0
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-12-09 00:00:00.000000000 Z
+date: 2023-01-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activeresource
@@ -24,6 +24,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.7'
 - !ruby/object:Gem::Dependency
   name: browser_sniffer
   requirement: !ruby/object:Gem::Requirement
@@ -86,14 +100,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '12.4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '12.4'
 - !ruby/object:Gem::Dependency
   name: sprockets-rails
   requirement: !ruby/object:Gem::Requirement
@@ -270,6 +284,7 @@ extra_rdoc_files: []
 files:
 - ".babelrc"
 - ".github/CODEOWNERS"
+- ".github/ISSUE_TEMPLATE/ENHANCEMENT.md"
 - ".github/ISSUE_TEMPLATE/bug-report.md"
 - ".github/ISSUE_TEMPLATE/config.yml"
 - ".github/ISSUE_TEMPLATE/feature-request.md"
@@ -298,16 +313,7 @@ files:
 - app/assets/javascripts/shopify_app/app_bridge_3.1.1.js
 - app/assets/javascripts/shopify_app/app_bridge_redirect.js
 - app/assets/javascripts/shopify_app/app_bridge_utils_3.1.1.js
-- app/assets/javascripts/shopify_app/enable_cookies.js
-- app/assets/javascripts/shopify_app/itp_helper.js
-- app/assets/javascripts/shopify_app/partition_cookies.js
-- app/assets/javascripts/shopify_app/post_redirect.js
 - app/assets/javascripts/shopify_app/redirect.js
-- app/assets/javascripts/shopify_app/request_storage_access.js
-- app/assets/javascripts/shopify_app/storage_access.js
-- app/assets/javascripts/shopify_app/storage_access_redirect.js
-- app/assets/javascripts/shopify_app/top_level.js
-- app/assets/javascripts/shopify_app/top_level_interaction.js
 - app/controllers/concerns/shopify_app/authenticated.rb
 - app/controllers/concerns/shopify_app/ensure_authenticated_links.rb
 - app/controllers/concerns/shopify_app/ensure_has_session.rb
@@ -325,11 +331,7 @@ files:
 - app/views/shopify_app/partials/_form_styles.html.erb
 - app/views/shopify_app/partials/_layout_styles.html.erb
 - app/views/shopify_app/partials/_typography_styles.html.erb
-- app/views/shopify_app/sessions/enable_cookies.html.erb
 - app/views/shopify_app/sessions/new.html.erb
-- app/views/shopify_app/sessions/request_storage_access.html.erb
-- app/views/shopify_app/sessions/top_level_interaction.html.erb
-- app/views/shopify_app/shared/post_redirect_to_auth_shopify.html.erb
 - app/views/shopify_app/shared/redirect.html.erb
 - config/locales/cs.yml
 - config/locales/da.yml
@@ -458,6 +460,7 @@ files:
 - lib/shopify_app/session/user_session_storage.rb
 - lib/shopify_app/session/user_session_storage_with_scopes.rb
 - lib/shopify_app/test_helpers/all.rb
+- lib/shopify_app/test_helpers/shopify_session_helper.rb
 - lib/shopify_app/test_helpers/webhook_verification_helper.rb
 - lib/shopify_app/utils.rb
 - lib/shopify_app/version.rb

data/app/assets/javascripts/shopify_app/enable_cookies.js

@@ -1,3 +0,0 @@
-//= require ./itp_helper.js
-//= require ./storage_access.js
-//= require ./partition_cookies.js

data/app/assets/javascripts/shopify_app/itp_helper.js

@@ -1,40 +0,0 @@
-(function() {
-  function ITPHelper(opts) {
-    this.itpContent = document.getElementById('TopLevelInteractionContent');
-    this.itpAction = document.getElementById('TopLevelInteractionButton');
-    this.redirectUrl = opts.redirectUrl;
-  }
-
-  ITPHelper.prototype.redirect = function() {
-    sessionStorage.setItem('shopify.top_level_interaction', true);
-    window.location.href = this.redirectUrl;
-  }
-
-  ITPHelper.prototype.userAgentIsAffected = function() {
-    return Boolean(document.hasStorageAccess);
-  }
-
-  ITPHelper.prototype.canPartitionCookies = function() {
-    var versionRegEx = /Version\/12\.0\.?\d? Safari/;
-    return versionRegEx.test(navigator.userAgent);
-  }
-
-  ITPHelper.prototype.setUpContent = function(onClick) {
-    this.itpContent.style.display = 'block';
-    this.itpAction.addEventListener('click', this.redirect.bind(this));
-  }
-
-  ITPHelper.prototype.execute = function() {
-    if (!this.itpContent) {
-      return;
-    }
-
-    if (this.userAgentIsAffected()) {
-      this.setUpContent();
-    } else {
-      this.redirect();
-    }
-  }
-
-  this.ITPHelper = ITPHelper;
-})(window);

data/app/assets/javascripts/shopify_app/partition_cookies.js

@@ -1,8 +0,0 @@
-(function() {
-  document.addEventListener("DOMContentLoaded", function() {
-    var redirectTargetElement = document.getElementById("redirection-target");
-    var targetInfo = JSON.parse(redirectTargetElement.dataset.target)
-    var storageAccessHelper = new StorageAccessHelper(targetInfo);
-    storageAccessHelper.execute();
-  });
-})();

data/app/assets/javascripts/shopify_app/post_redirect.js

@@ -1,9 +0,0 @@
-(function() {
-  function redirect() {
-    var form = document.getElementById("redirect-form");
-    if (form) {
-      form.submit();
-    }
-  }
-  document.addEventListener("DOMContentLoaded", redirect);
-})();

data/app/assets/javascripts/shopify_app/request_storage_access.js

@@ -1,3 +0,0 @@
-//= require ./itp_helper.js
-//= require ./storage_access.js
-//= require ./storage_access_redirect.js

data/app/assets/javascripts/shopify_app/storage_access.js

@@ -1,148 +0,0 @@
-//= require ./app_bridge_redirect.js
-
-(function() {
-  var ACCESS_GRANTED_STATUS = 'storage_access_granted';
-  var ACCESS_DENIED_STATUS = 'storage_access_denied';
-
-  function StorageAccessHelper(redirectData) {
-    this.redirectData = redirectData;
-  }
-
-  StorageAccessHelper.prototype.setNormalizedLink = function(storageAccessStatus) {
-    return storageAccessStatus === ACCESS_GRANTED_STATUS ? this.redirectData.hasStorageAccessUrl : this.redirectData.doesNotHaveStorageAccessUrl;
-  }
-
-  StorageAccessHelper.prototype.redirectToAppTLD = function(storageAccessStatus) {
-    var normalizedLink = document.createElement('a');
-
-    window.appBridgeRedirect(this.setNormalizedLink(storageAccessStatus));
-  }
-
-  StorageAccessHelper.prototype.redirectToAppsIndex = function() {
-    window.parent.location.href = this.redirectData.myshopifyUrl + '/admin/apps';
-  }
-
-  StorageAccessHelper.prototype.redirectToAppTargetUrl = function() {
-    window.location.href = this.redirectData.appTargetUrl;
-  }
-
-  StorageAccessHelper.prototype.sameSiteNoneIncompatible = function(ua) {
-    return ua.includes("iPhone OS 12_") || ua.includes("iPad; CPU OS 12_") || //iOS 12
-    (ua.includes("UCBrowser/")
-        ? this.isOlderUcBrowser(ua) //UC Browser < 12.13.2
-        : (ua.includes("Chrome/5") || ua.includes("Chrome/6"))) ||
-    ua.includes("Chromium/5") || ua.includes("Chromium/6") ||
-    (ua.includes(" OS X 10_14_") &&
-        ((ua.includes("Version/") && ua.includes("Safari")) || //Safari on MacOS 10.14
-        ua.endsWith("(KHTML, like Gecko)"))); //Web view on MacOS 10.14
-  }
-
-  StorageAccessHelper.prototype.isOlderUcBrowser = function(ua) {
-    var match = ua.match(/UCBrowser\/(\d+)\.(\d+)\.(\d+)\./);
-    if (!match) return false;
-    var major = parseInt(match[1]);
-    var minor = parseInt(match[2]);
-    var build = parseInt(match[3]);
-    if (major != 12) return major < 12;
-    if (minor != 13) return minor < 13;
-    return build < 2;
-  }
-
-  StorageAccessHelper.prototype.setCookie = function(value) {
-    if(!this.sameSiteNoneIncompatible(navigator.userAgent)) {
-      value += '; secure; SameSite=None'
-    }
-    document.cookie = value;
-  }
-
-  StorageAccessHelper.prototype.grantedStorageAccess = function() {
-    try {
-      sessionStorage.setItem('shopify.granted_storage_access', true);
-      this.setCookie('shopify.granted_storage_access=true');
-      if (!document.cookie) {
-        throw 'Cannot set third-party cookie.'
-      }
-      this.redirectToAppTargetUrl();
-    } catch (error) {
-      console.warn('Third party cookies may be blocked.', error);
-      this.redirectToAppTLD(ACCESS_DENIED_STATUS);
-    }
-  }
-
-  StorageAccessHelper.prototype.handleRequestStorageAccess = function() {
-    return document.requestStorageAccess().then(this.grantedStorageAccess.bind(this), this.redirectToAppsIndex.bind(this, ACCESS_DENIED_STATUS));
-  }
-
-  StorageAccessHelper.prototype.setupRequestStorageAccess = function() {
-    var requestContent = document.getElementById('RequestStorageAccess');
-    var requestButton = document.getElementById('TriggerAllowCookiesPrompt');
-
-    requestButton.addEventListener('click', this.handleRequestStorageAccess.bind(this));
-    requestContent.style.display = 'block';
-  }
-
-  StorageAccessHelper.prototype.handleHasStorageAccess = function() {
-    if (sessionStorage.getItem('shopify.granted_storage_access')) {
-      // If app was classified by ITP and used Storage Access API to acquire access
-      this.redirectToAppTargetUrl();
-    } else {
-      // If app has not been classified by ITP and still has storage access
-      this.redirectToAppTLD(ACCESS_GRANTED_STATUS);
-    }
-  }
-
-  StorageAccessHelper.prototype.handleGetStorageAccess = function() {
-    if (sessionStorage.getItem('shopify.top_level_interaction')) {
-      // If merchant has been redirected to interact with TLD (requirement for prompting request to gain storage access)
-      this.setupRequestStorageAccess();
-    } else {
-      // If merchant has not been redirected to interact with TLD (requirement for prompting request to gain storage access)
-      this.redirectToAppTLD(ACCESS_DENIED_STATUS);
-    }
-  }
-
-  StorageAccessHelper.prototype.manageStorageAccess = function() {
-    return document.hasStorageAccess().then(function(hasAccess) {
-      if (hasAccess) {
-        this.handleHasStorageAccess();
-      } else {
-        this.handleGetStorageAccess();
-      }
-    }.bind(this));
-  }
-
-  StorageAccessHelper.prototype.execute = function() {
-    if (ITPHelper.prototype.canPartitionCookies()) {
-      this.setUpCookiePartitioning();
-      return;
-    }
-
-    if (ITPHelper.prototype.userAgentIsAffected()) {
-      this.manageStorageAccess();
-    } else {
-      this.grantedStorageAccess();
-    }
-  }
-
-  /* ITP 2.0 solution: handles cookie partitioning */
-  StorageAccessHelper.prototype.setUpHelper = function() {
-    var shopifyData = document.body.dataset;
-    return new ITPHelper({redirectUrl: "https://" + shopifyData.shopOrigin + "/admin/apps/" + shopifyData.apiKey + shopifyData.returnTo});
-  }
-
-  StorageAccessHelper.prototype.setCookieAndRedirect = function() {
-    this.setCookie('shopify.cookies_persist=true');
-    var helper = this.setUpHelper();
-    helper.redirect();
-  }
-
-  StorageAccessHelper.prototype.setUpCookiePartitioning = function() {
-    var itpContent = document.getElementById('CookiePartitionPrompt');
-    itpContent.style.display = 'block';
-
-    var button = document.getElementById('AcceptCookies');
-    button.addEventListener('click', this.setCookieAndRedirect.bind(this));
-  }
-
-  this.StorageAccessHelper = StorageAccessHelper;
-})(window);

data/app/assets/javascripts/shopify_app/storage_access_redirect.js

@@ -1,17 +0,0 @@
-(function() {
-  function redirect() {
-    var redirectTargetElement = document.getElementById("redirection-target");
-
-    var targetInfo = JSON.parse(redirectTargetElement.dataset.target)
-
-    if (window.top == window.self) {
-      // If the current window is the 'parent', change the URL by setting location.href
-      window.top.location.href = targetInfo.hasStorageAccessUrl;
-    } else {
-        var storageAccessHelper = new StorageAccessHelper(targetInfo);
-        storageAccessHelper.execute();
-    }
-  }
-
-  document.addEventListener("DOMContentLoaded", redirect);
-})();

data/app/assets/javascripts/shopify_app/top_level.js

@@ -1,2 +0,0 @@
-//= require ./itp_helper.js
-//= require ./top_level_interaction.js

data/app/assets/javascripts/shopify_app/top_level_interaction.js

@@ -1,11 +0,0 @@
-(function() {
-  function setUpTopLevelInteraction() {
-    var TopLevelInteraction = new ITPHelper({
-      redirectUrl: document.body.dataset.redirectUrl,
-    });
-
-    TopLevelInteraction.execute();
-  }
-
-  document.addEventListener("DOMContentLoaded", setUpTopLevelInteraction);
-})();

data/app/views/shopify_app/sessions/enable_cookies.html.erb

@@ -1,70 +0,0 @@
-<!DOCTYPE html>
-<html lang="<%= I18n.locale %>">
-<head>
-  <meta charset="utf-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <base target="_top">
-  <title>Redirecting…</title>
-  <%= render 'shopify_app/partials/layout_styles' %>
-  <%= render 'shopify_app/partials/typography_styles' %>
-  <%= render 'shopify_app/partials/card_styles' %>
-  <%= render 'shopify_app/partials/button_styles' %>
-  <style>
-    #CookiePartitionPrompt {
-      display: none;
-    }
-  </style>
-
-  <%= javascript_include_tag('shopify_app/enable_cookies', crossorigin: 'anonymous', integrity: true) %>
-</head>
-<body data-api-key="<%= ShopifyApp.configuration.api_key %>" data-shop-origin="<%= @shop %>" data-redirect-url="<%= @url %>" data-host="<%= params[:host] %>" data-return-to="<%= params[:return_to] %>">
-  <%=
-    content_tag(
-      :div, nil,
-      id: 'redirection-target',
-      data: {
-        target: {
-          myshopifyUrl: "https://#{current_shopify_domain}",
-          hasStorageAccessUrl: "#{has_storage_access_url}",
-          doesNotHaveStorageAccessUrl: "#{does_not_have_storage_access_url}",
-          appTargetUrl: "#{app_target_url}"
-        },
-      },
-    )
-  %>
-  <main id="CookiePartitionPrompt">
-    <div class="Polaris-Page">
-      <div class="Polaris-Page__Content">
-        <div class="Polaris-Layout">
-          <div class="Polaris-Layout__Section">
-            <div class="Polaris-Stack Polaris-Stack--vertical">
-              <div class="Polaris-Stack__Item">
-                <div class="Polaris-Card">
-                  <div class="Polaris-Card__Header">
-                    <h1 class="Polaris-Heading"><%= I18n.t('enable_cookies_heading', app: ShopifyApp.configuration.application_name) %></h1>
-                  </div>
-                  <div class="Polaris-Card__Section">
-                    <p><%= I18n.t('enable_cookies_body', app: ShopifyApp.configuration.application_name) %></p>
-                  </div>
-                  <div class="Polaris-Card__Section Polaris-Card__Section--subdued">
-                    <p><%= I18n.t('enable_cookies_footer') %></p>
-                  </div>
-                </div>
-              </div>
-              <div class="Polaris-Stack__Item">
-                <div class="Polaris-Stack Polaris-Stack--distributionTrailing Polaris-Stack--distributionTrailingCustomSpacing">
-                  <div class="Polaris-Stack__Item">
-                    <button type="button" class="Polaris-Button Polaris-Button--primary" id="AcceptCookies">
-                      <span class="Polaris-Button__Content"><span><%= I18n.t('enable_cookies_action') %></span></span>
-                    </button>
-                  </div>
-                </div>
-              </div>
-            </div>
-          </div>
-        </div>
-      </div>
-    </div>
-  </main>
-</body>
-</html>

data/app/views/shopify_app/sessions/request_storage_access.html.erb

@@ -1,68 +0,0 @@
-<!DOCTYPE html>
-<html lang="<%= I18n.locale %>">
-<head>
-  <meta charset="utf-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <base target="_top">
-  <title>Redirecting…</title>
-  <%= render 'shopify_app/partials/layout_styles' %>
-  <%= render 'shopify_app/partials/typography_styles' %>
-  <%= render 'shopify_app/partials/card_styles' %>
-  <%= render 'shopify_app/partials/button_styles' %>
-  <style>
-    #RequestStorageAccess {
-      display: none;
-    }
-  </style>
-</head>
-<body data-api-key="<%= ShopifyApp.configuration.api_key %>" data-shop-origin="<%= current_shopify_domain %>" data-host="<%= params[:host] %>" data-return-to="<%= params[:return_to] %>">
-<%=
-  content_tag(:div, nil,
-    id: 'redirection-target',
-    data: {
-      target: {
-        myshopifyUrl: "https://#{current_shopify_domain}",
-        hasStorageAccessUrl: "#{has_storage_access_url}",
-        doesNotHaveStorageAccessUrl: "#{does_not_have_storage_access_url}",
-        appTargetUrl: "#{app_target_url}"
-      },
-    },
-  )
-%>
-<main id="RequestStorageAccess">
-  <div class="Polaris-Page">
-    <div class="Polaris-Page__Content">
-      <div class="Polaris-Layout">
-        <div class="Polaris-Layout__Section">
-          <div class="Polaris-Stack Polaris-Stack--vertical">
-            <div class="Polaris-Stack__Item">
-              <div class="Polaris-Card">
-                <div class="Polaris-Card__Header">
-                  <h1 class="Polaris-Heading"><%= I18n.t('request_storage_access_heading', app: ShopifyApp.configuration.application_name) %></h1>
-                </div>
-                <div class="Polaris-Card__Section">
-                  <p><%= I18n.t('request_storage_access_body', app: ShopifyApp.configuration.application_name) %></p>
-                </div>
-                <div class="Polaris-Card__Section Polaris-Card__Section--subdued">
-                  <p><%= I18n.t('request_storage_access_footer') %></p>
-                </div>
-              </div>
-            </div>
-            <div class="Polaris-Stack__Item">
-              <div class="Polaris-Stack Polaris-Stack--distributionTrailing Polaris-Stack--distributionTrailingCustomSpacing">
-                <div class="Polaris-Stack__Item">
-                  <button type="button" class="Polaris-Button Polaris-Button--primary" id="TriggerAllowCookiesPrompt">
-                    <span class="Polaris-Button__Content"><span><%= I18n.t('request_storage_access_action') %></span></span>
-                  </button>
-                </div>
-              </div>
-            </div>
-          </div>
-        </div>
-      </div>
-    </div>
-  </div>
-</main>
-<%= javascript_include_tag('shopify_app/request_storage_access', crossorigin: 'anonymous', integrity: true) %>
-</body>
-</html>

data/app/views/shopify_app/sessions/top_level_interaction.html.erb

@@ -1,63 +0,0 @@
-<!DOCTYPE html>
-<html lang="<%= I18n.locale %>">
-<head>
-  <meta charset="utf-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <base target="_top">
-  <title>Redirecting…</title>
-  <%= render 'shopify_app/partials/card_styles' %>
-  <%= render 'shopify_app/partials/layout_styles' %>
-  <%= render 'shopify_app/partials/typography_styles' %>
-  <%= render 'shopify_app/partials/button_styles' %>
-  <%= render 'shopify_app/partials/empty_state_styles' %>
-  <style>
-    #TopLevelInteractionContent {
-      display: none;
-    }
-  </style>
-
-  <%= javascript_include_tag('shopify_app/top_level', crossorigin: 'anonymous', integrity: true) %>
-</head>
-<body data-api-key="<%= ShopifyApp.configuration.api_key %>" data-shop-origin="https://<%= @shop %>" data-host="<%= @host %>" data-redirect-url="<%= @url %>">
-  <main id="TopLevelInteractionContent">
-    <div class="Polaris-Page">
-      <div class="Polaris-Page__Content">
-        <div class="Polaris-Layout">
-          <div class="Polaris-Layout__Section">
-            <div class="Polaris-Stack Polaris-Stack--vertical">
-              <div class="Polaris-Stack__Item">
-                <div class="Polaris-Card">
-                  <div class="Polaris-Card__Section">
-                    <div class="Polaris-EmptyState">
-                      <div class="Polaris-EmptyState__Section">
-                        <div class="Polaris-EmptyState__DetailsContainer">
-                          <div class="Polaris-EmptyState__Details">
-                            <div class="Polaris-TextContainer">
-                              <h1 class="Polaris-DisplayText Polaris-DisplayText--sizeSmall"><%= I18n.t('top_level_interaction_heading', app: ShopifyApp.configuration.application_name) %></h1>
-                              <div class="Polaris-EmptyState__Content">
-                                <p><%= I18n.t('top_level_interaction_body', app: ShopifyApp.configuration.application_name) %></p>
-                              </div>
-                            </div>
-                            <div class="Polaris-EmptyState__Actions">
-                              <div class="Polaris-Stack Polaris-Stack--alignmentCenter">
-                                <div class="Polaris-Stack__Item"><button type="button" id="TopLevelInteractionButton" class="Polaris-Button Polaris-Button--primary Polaris-Button--sizeLarge"><span class="Polaris-Button__Content"><span class="Polaris-Button__Icon"></span><span><%= I18n.t('top_level_interaction_action') %></span></span></button></div>
-                              </div>
-                            </div>
-                          </div>
-                        </div>
-                        <div class="Polaris-EmptyState__ImageContainer">
-                          <%= image_tag 'storage_access.svg', role: "presentation", alt: "", class: "Polaris-EmptyState__Image" %>
-                        </div>
-                      </div>
-                    </div>
-                  </div>
-                </div>
-              </div>
-            </div>
-          </div>
-        </div>
-      </div>
-    </div>
-  </main>
-</body>
-</html>

data/app/views/shopify_app/shared/post_redirect_to_auth_shopify.html.erb

@@ -1,13 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="utf-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1" />
-  <base target="_top">
-  <title>Redirecting…</title>
-  <%= javascript_include_tag('shopify_app/post_redirect', crossorigin: 'anonymous', integrity: true) %>
-</head>
-<body>
-  <%= form_tag '/auth/shopify', id: 'redirect-form' %>
-</body>
-</html>