shopify_app 21.6.0 → 22.5.0

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -1,24 +1,22 @@
 # frozen_string_literal: true
 
-require "browser_sniffer"
-
 module ShopifyApp
   module LoginProtection
     extend ActiveSupport::Concern
     include ShopifyApp::SanitizedParams
 
     included do
-      if defined?(ShopifyApp::RequireKnownShop) &&
-          defined?(ShopifyApp::EnsureInstalled) &&
-          ancestors.include?(ShopifyApp::RequireKnownShop || ShopifyApp::EnsureInstalled)
+      if defined?(ShopifyApp::EnsureInstalled) &&
+          ancestors.include?(ShopifyApp::EnsureInstalled)
         message = <<~EOS
-          We detected the use of incompatible concerns (RequireKnownShop/EnsureInstalled and LoginProtection) in #{name},
-          which may lead to unpredictable behavior. In a future release of this library this will raise an error.
+          We detected the use of incompatible concerns (EnsureInstalled and LoginProtection) in #{name},
+          which leads to unpredictable behavior. You cannot include both concerns in the same controller.
         EOS
-        ShopifyApp::Logger.deprecated(message, "22.0.0")
+        raise message
       end
 
       rescue_from ShopifyAPI::Errors::HttpResponseError, with: :handle_http_error
+      include ShopifyApp::WithShopifyIdToken
     end
 
     ACCESS_TOKEN_REQUIRED_HEADER = "X-Shopify-API-Request-Failure-Unauthorized"
@@ -30,6 +28,12 @@ module ShopifyApp
         return redirect_to_login
       end
 
+      if ShopifyApp.configuration.check_session_expiry_date && current_shopify_session.expired?
+        ShopifyApp::Logger.debug("Session expired, redirecting to login")
+        clear_shopify_session
+        return redirect_to_login
+      end
+
       if ShopifyApp.configuration.reauth_on_access_scope_changes &&
           !ShopifyApp.configuration.user_access_scopes_strategy.covers_scopes?(current_shopify_session)
         clear_shopify_session
@@ -50,7 +54,7 @@ module ShopifyApp
       @current_shopify_session ||= begin
         cookie_name = ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME
         load_current_session(
-          auth_header: request.headers["HTTP_AUTHORIZATION"],
+          shopify_id_token: shopify_id_token,
           cookies: { cookie_name => cookies.encrypted[cookie_name] },
           is_online: online_token_configured?,
         )
@@ -75,13 +79,6 @@ module ShopifyApp
       response.set_header(ACCESS_TOKEN_REQUIRED_HEADER, "true")
     end
 
-    def jwt_expire_at
-      expire_at = request.env["jwt.expire_at"]
-      return unless expire_at
-
-      expire_at - 5.seconds # 5s gap to start fetching new token in advance
-    end
-
     def add_top_level_redirection_headers(url: nil, ignore_response_code: false)
       if request.xhr? && (ignore_response_code || response.code.to_i == 401)
         ShopifyApp::Logger.debug("Adding top level redirection headers")
@@ -91,8 +88,8 @@ module ShopifyApp
           params[:shop] = if current_shopify_session
             current_shopify_session.shop
 
-          elsif (matches = request.headers["HTTP_AUTHORIZATION"]&.match(/^Bearer (.+)$/))
-            jwt_payload = ShopifyAPI::Auth::JwtPayload.new(T.must(matches[1]))
+          elsif shopify_id_token
+            jwt_payload = ShopifyAPI::Auth::JwtPayload.new(shopify_id_token)
             jwt_payload.shop
           end
         end
@@ -100,21 +97,12 @@ module ShopifyApp
         url ||= login_url_with_optional_shop
 
         ShopifyApp::Logger.debug("Setting Reauthorize-Url to #{url}")
-        response.set_header("X-Shopify-API-Request-Failure-Reauthorize", "1")
-        response.set_header("X-Shopify-API-Request-Failure-Reauthorize-Url", url)
+        RedirectForEmbedded.add_app_bridge_redirect_url_header(url, response)
       end
     end
 
     protected
 
-    def jwt_shopify_domain
-      request.env["jwt.shopify_domain"]
-    end
-
-    def jwt_shopify_user_id
-      request.env["jwt.shopify_user_id"]
-    end
-
     def host
       params[:host]
     end
@@ -134,17 +122,25 @@ module ShopifyApp
           query = Rack::Utils.parse_nested_query(referer.query)
           query = query.merge(sanitized_params).to_query
         end
-        session[:return_to] = query.blank? ? path.to_s : "#{path}?#{query}"
+        session[:return_to] = return_to_url(path, query)
         ShopifyApp::Logger.debug("Redirecting to #{login_url_with_optional_shop}")
         redirect_to(login_url_with_optional_shop)
       end
     end
 
+    # Apps which use cookies for session storage, and thus have a 4kB session data
+    # limit, may choose to override this method to prevent excessively-long `query`
+    # strings from causing a CookieOverflow error.
+    def return_to_url(path, query)
+      query.blank? ? path.to_s : "#{path}?#{query}"
+    end
+
     def close_session
-      clear_shopify_session
       ShopifyApp::Logger.debug("Closing session")
-      ShopifyApp::Logger.debug("Redirecting to #{login_url_with_optional_shop}")
-      redirect_to(login_url_with_optional_shop)
+      clear_shopify_session
+
+      ShopifyApp::Logger.debug("Redirecting to login")
+      redirect_to_login
     end
 
     def handle_http_error(error)
@@ -208,7 +204,7 @@ module ShopifyApp
         render(
           "shopify_app/shared/redirect",
           layout: false,
-          locals: { url: url, current_shopify_domain: current_shopify_domain },
+          locals: { url: url, current_shopify_domain: current_shopify_domain, is_iframe: embedded? },
         )
       else
         redirect_to(url)
@@ -259,7 +255,7 @@ module ShopifyApp
     end
 
     def online_token_configured?
-      !ShopifyApp.configuration.user_session_repository.blank? && ShopifyApp::SessionRepository.user_storage.present?
+      ShopifyApp.configuration.online_token_configured?
     end
 
     def user_session_expected?
@@ -269,10 +265,10 @@ module ShopifyApp
       online_token_configured?
     end
 
-    def load_current_session(auth_header: nil, cookies: nil, is_online: false)
+    def load_current_session(shopify_id_token: nil, cookies: nil, is_online: false)
       return ShopifyAPI::Context.load_private_session if ShopifyAPI::Context.private?
 
-      session_id = ShopifyAPI::Utils::SessionUtils.current_session_id(auth_header, cookies, is_online)
+      session_id = ShopifyAPI::Utils::SessionUtils.current_session_id(shopify_id_token, cookies, is_online)
       return nil unless session_id
 
       ShopifyApp::SessionRepository.load_session(session_id)
@@ -280,8 +276,8 @@ module ShopifyApp
 
     def requested_by_javascript?
       request.xhr? ||
-        request.content_type == "text/javascript" ||
-        request.content_type == "application/javascript"
+        request.media_type == "text/javascript" ||
+        request.media_type == "application/javascript"
     end
   end
 end

data/lib/shopify_app/controller_concerns/redirect_for_embedded.rb

@@ -4,6 +4,11 @@ module ShopifyApp
   module RedirectForEmbedded
     include ShopifyApp::SanitizedParams
 
+    def self.add_app_bridge_redirect_url_header(url, response)
+      response.set_header("X-Shopify-API-Request-Failure-Reauthorize", "1")
+      response.set_header("X-Shopify-API-Request-Failure-Reauthorize-Url", url)
+    end
+
     private
 
     def embedded_redirect_url?

data/lib/shopify_app/controller_concerns/sanitized_params.rb

@@ -33,5 +33,9 @@ module ShopifyApp
         end
       end
     end
+
+    def embedded?
+      params[:embedded] == "1" || request.env["HTTP_SEC_FETCH_DEST"] == "iframe"
+    end
   end
 end

data/lib/shopify_app/controller_concerns/token_exchange.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module TokenExchange
+    extend ActiveSupport::Concern
+    include ShopifyApp::AdminAPI::WithTokenRefetch
+    include ShopifyApp::SanitizedParams
+    include ShopifyApp::EmbeddedApp
+
+    included do
+      include ShopifyApp::WithShopifyIdToken
+    end
+
+    INVALID_SHOPIFY_ID_TOKEN_ERRORS = [
+      ShopifyAPI::Errors::MissingJwtTokenError,
+      ShopifyAPI::Errors::InvalidJwtTokenError,
+    ].freeze
+
+    def activate_shopify_session(&block)
+      retrieve_session_from_token_exchange if current_shopify_session.blank? || should_exchange_expired_token?
+
+      ShopifyApp::Logger.debug("Activating Shopify session")
+      ShopifyAPI::Context.activate_session(current_shopify_session)
+      with_token_refetch(current_shopify_session, shopify_id_token, &block)
+    rescue *INVALID_SHOPIFY_ID_TOKEN_ERRORS => e
+      respond_to_invalid_shopify_id_token(e)
+    ensure
+      ShopifyApp::Logger.debug("Deactivating session")
+      ShopifyAPI::Context.deactivate_session
+    end
+
+    def should_exchange_expired_token?
+      ShopifyApp.configuration.check_session_expiry_date && current_shopify_session.expired?
+    end
+
+    def current_shopify_session
+      return unless current_shopify_session_id
+
+      @current_shopify_session ||= ShopifyApp::SessionRepository.load_session(current_shopify_session_id)
+    end
+
+    def current_shopify_session_id
+      @current_shopify_session_id ||= ShopifyAPI::Utils::SessionUtils.session_id_from_shopify_id_token(
+        id_token: shopify_id_token,
+        online: online_token_configured?,
+      )
+    end
+
+    def current_shopify_domain
+      sanitized_shop_name || current_shopify_session&.shop
+    rescue *INVALID_SHOPIFY_ID_TOKEN_ERRORS => e
+      respond_to_invalid_shopify_id_token(e)
+    end
+
+    private
+
+    def retrieve_session_from_token_exchange
+      @current_shopify_session = nil
+      ShopifyApp::Auth::TokenExchange.perform(shopify_id_token)
+    end
+
+    def respond_to_invalid_shopify_id_token(error)
+      ShopifyApp::Logger.debug("Responding to invalid Shopify ID token: #{error.message}")
+      return if performed?
+
+      if request.headers["HTTP_AUTHORIZATION"].blank?
+        if embedded?
+          redirect_to_bounce_page
+        else
+          redirect_to_embed_app_in_admin
+        end
+      else
+        ShopifyApp::Logger.debug("Responding to invalid Shopify ID token with unauthorized response")
+        response.set_header("X-Shopify-Retry-Invalid-Session-Request", 1)
+        unauthorized_response = { message: :unauthorized }
+        render(json: { errors: [unauthorized_response] }, status: :unauthorized)
+      end
+    end
+
+    def redirect_to_bounce_page
+      ShopifyApp::Logger.debug("Redirecting to bounce page for patching Shopify ID token")
+      patch_shopify_id_token_url =
+        "#{ShopifyAPI::Context.host}#{ShopifyApp.configuration.root_url}/patch_shopify_id_token"
+      patch_shopify_id_token_params = request.query_parameters.except(:id_token)
+
+      bounce_url = "#{request.path}?#{patch_shopify_id_token_params.to_query}"
+
+      # App Bridge will trigger a fetch to the URL in shopify-reload, with a new session token in headers
+      patch_shopify_id_token_params["shopify-reload"] = bounce_url
+
+      redirect_to(
+        "#{patch_shopify_id_token_url}?#{patch_shopify_id_token_params.to_query}",
+        allow_other_host: true,
+      )
+    end
+
+    def online_token_configured?
+      ShopifyApp.configuration.online_token_configured?
+    end
+
+    def fullpage_redirect_to(url)
+      raise ShopifyApp::ShopifyDomainNotFound if current_shopify_domain.nil?
+
+      render(
+        "shopify_app/shared/redirect",
+        layout: false,
+        locals: { url: url, current_shopify_domain: current_shopify_domain, is_iframe: embedded? },
+      )
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/with_shopify_id_token.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module WithShopifyIdToken
+    extend ActiveSupport::Concern
+
+    def shopify_id_token
+      return @shopify_id_token if defined?(@shopify_id_token)
+
+      @shopify_id_token = id_token_from_authorization_header || id_token_from_url_param
+    end
+
+    def jwt_payload
+      return @jwt_payload if defined?(@jwt_payload)
+
+      @jwt_payload = shopify_id_token.present? ? ShopifyAPI::Auth::JwtPayload.new(shopify_id_token) : nil
+    end
+
+    def jwt_shopify_domain
+      return @jwt_shopify_domain if defined?(@jwt_shopify_domain)
+
+      @jwt_shopify_domain = if jwt_payload.present?
+        ShopifyApp::Utils.sanitize_shop_domain(jwt_payload.shopify_domain)
+      end
+    end
+
+    def jwt_shopify_user_id
+      jwt_payload&.shopify_user_id
+    end
+
+    def jwt_expire_at
+      expire_at = jwt_payload&.expire_at
+      return unless expire_at
+
+      expire_at - 5.seconds # 5s gap to start fetching new token in advance
+    end
+
+    private
+
+    def id_token_from_authorization_header
+      request.headers["HTTP_AUTHORIZATION"]&.match(/^Bearer (.+)$/)&.[](1)
+    end
+
+    def id_token_from_url_param
+      params["id_token"]
+    end
+  end
+end

data/lib/shopify_app/engine.rb

@@ -5,7 +5,7 @@ module ShopifyApp
     private
 
     def args_info(job)
-      log_disabled_classes = ["ShopifyApp::ScripttagsManagerJob", "ShopifyApp::WebhooksManagerJob"]
+      log_disabled_classes = ["ShopifyApp::WebhooksManagerJob"]
       return "" if log_disabled_classes.include?(job.class.name)
 
       super
@@ -16,26 +16,20 @@ module ShopifyApp
     engine_name "shopify_app"
     isolate_namespace ShopifyApp
 
+    initializer "shopify_app.middleware" do |app|
+      app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::JWTMiddleware)
+    end
+
     initializer "shopify_app.assets.precompile" do |app|
       app.config.assets.precompile += [
         "shopify_app/redirect.js",
-        "shopify_app/post_redirect.js",
-        "shopify_app/top_level.js",
-        "shopify_app/enable_cookies.js",
-        "shopify_app/request_storage_access.js",
-        "storage_access.svg",
       ]
     end
 
-    initializer "shopify_app.middleware" do |app|
-      app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::JWTMiddleware)
-    end
-
     initializer "shopify_app.redact_job_params" do
       ActiveSupport.on_load(:active_job) do
         if ActiveJob::Base.respond_to?(:log_arguments?)
           WebhooksManagerJob.log_arguments = false
-          ScripttagsManagerJob.log_arguments = false
         elsif ActiveJob::Logging::LogSubscriber.private_method_defined?(:args_info)
           ActiveJob::Logging::LogSubscriber.prepend(RedactJobParams)
         end

data/lib/shopify_app/managers/webhooks_manager.rb

@@ -26,6 +26,7 @@ module ShopifyApp
 
         ShopifyApp::Logger.debug("Recreating webhooks")
         add_registrations
+        create_webhooks(session: session)
       end
 
       def destroy_webhooks(session:)
@@ -43,13 +44,16 @@ module ShopifyApp
         ShopifyApp::Logger.debug("Adding registrations to webhooks")
         ShopifyApp.configuration.webhooks.each do |attributes|
           webhook_path = path(attributes)
+          delivery_method = attributes[:delivery_method] || :http
 
           ShopifyAPI::Webhooks::Registry.add_registration(
             topic: attributes[:topic],
-            delivery_method: attributes[:delivery_method] || :http,
+            delivery_method: delivery_method,
             path: webhook_path,
-            handler: webhook_job_klass(webhook_path),
+            handler: delivery_method == :http ? webhook_job_klass(webhook_path) : nil,
             fields: attributes[:fields],
+            filter: attributes[:filter],
+            metafield_namespaces: attributes[:metafield_namespaces],
           )
         end
       end

data/lib/shopify_app/middleware/jwt_middleware.rb

@@ -2,16 +2,17 @@
 
 module ShopifyApp
   class JWTMiddleware
-    TOKEN_REGEX = /^Bearer\s+(.*?)$/
+    TOKEN_REGEX = /^Bearer (.+)$/
+    ID_TOKEN_QUERY_PARAM = "id_token"
 
     def initialize(app)
       @app = app
     end
 
     def call(env)
-      return call_next(env) unless authorization_header(env)
+      return call_next(env) unless ShopifyApp.configuration.embedded_app?
 
-      token = extract_token(env)
+      token = token_from_authorization_header(env) || token_from_query_string(env)
       return call_next(env) unless token
 
       set_env_variables(token, env)
@@ -24,21 +25,24 @@ module ShopifyApp
       @app.call(env)
     end
 
-    def authorization_header(env)
-      env["HTTP_AUTHORIZATION"]
+    def token_from_authorization_header(env)
+      env["HTTP_AUTHORIZATION"]&.match(TOKEN_REGEX)&.[](1)
     end
 
-    def extract_token(env)
-      match = authorization_header(env).match(TOKEN_REGEX)
-      match && match[1]
+    def token_from_query_string(env)
+      Rack::Utils.parse_nested_query(env["QUERY_STRING"])[ID_TOKEN_QUERY_PARAM]
     end
 
     def set_env_variables(token, env)
-      jwt = ShopifyApp::JWT.new(token)
+      jwt = ShopifyAPI::Auth::JwtPayload.new(token)
 
+      env["jwt.token"] = token
       env["jwt.shopify_domain"] = jwt.shopify_domain
       env["jwt.shopify_user_id"] = jwt.shopify_user_id
       env["jwt.expire_at"] = jwt.expire_at
+    rescue ShopifyAPI::Errors::InvalidJwtTokenError
+      # ShopifyApp::JWT did not raise any exceptions, ensuring behaviour does not change
+      nil
     end
   end
 end

data/lib/shopify_app/session/in_memory_user_session_store.rb

@@ -5,7 +5,7 @@ module ShopifyApp
     class << self
       def store(session, user)
         id = super
-        repo[user.shopify_user_id] = session
+        repo[user.id.to_s] = session
         id
       end
 

data/lib/shopify_app/session/jwt.rb

@@ -13,6 +13,7 @@ module ShopifyApp
     ]
 
     def initialize(token)
+      warn_deprecation
       @token = token
       set_payload
     end
@@ -60,5 +61,13 @@ module ShopifyApp
 
       payload
     end
+
+    def warn_deprecation
+      message = <<~EOS
+        "ShopifyApp::JWT will be deprecated, use ShopifyAPI::Auth::JwtPayload to parse JWT token instead."
+      EOS
+
+      ShopifyApp::Logger.deprecated(message, "23.0.0")
+    end
   end
 end

data/lib/shopify_app/session/session_repository.rb

@@ -23,6 +23,14 @@ module ShopifyApp
         user_storage.retrieve_by_shopify_user_id(user_id)
       end
 
+      def destroy_shop_session_by_domain(shopify_domain)
+        shop_storage.destroy_by_shopify_domain(shopify_domain)
+      end
+
+      def destroy_user_session_by_shopify_user_id(user_id)
+        user_storage.destroy_by_shopify_user_id(user_id)
+      end
+
       def store_shop_session(session)
         shop_storage.store(session)
       end
@@ -34,7 +42,8 @@ module ShopifyApp
       def shop_storage
         load_shop_storage || raise(
           ::ShopifyApp::ConfigurationError,
-          "ShopifySessionRepository.shop_storage is not configured!",
+          "ShopifyApp::Configuration.shop_session_repository is not configured!\n
+          See docs here: https://github.com/Shopify/shopify_app/blob/main/docs/shopify_app/sessions.md#sessions",
         )
       end
 
@@ -72,18 +81,17 @@ module ShopifyApp
       def delete_session(id)
         match = id.match(/^offline_(.*)/)
 
-        record = if match
+        if match
           domain = match[1]
           ShopifyApp::Logger.debug("Destroying session by domain - domain: #{domain}")
-          Shop.find_by(shopify_domain: match[1])
+          destroy_shop_session_by_domain(domain)
+
         else
           shopify_user_id = id.split("_").last
           ShopifyApp::Logger.debug("Destroying session by user - user_id: #{shopify_user_id}")
-          User.find_by(shopify_user_id: shopify_user_id)
+          destroy_user_session_by_shopify_user_id(shopify_user_id)
         end
 
-        record.destroy
-
         true
       end
 
@@ -92,13 +100,46 @@ module ShopifyApp
       def load_shop_storage
         return unless @shop_storage
 
-        @shop_storage.respond_to?(:safe_constantize) ? @shop_storage.safe_constantize : @shop_storage
+        shop_storage_class =
+          @shop_storage.respond_to?(:safe_constantize) ? @shop_storage.safe_constantize : @shop_storage
+
+        [
+          :store,
+          :retrieve,
+          :retrieve_by_shopify_domain,
+        ].each do |method|
+          raise(
+            ::ShopifyApp::ConfigurationError,
+            missing_method_message("shop", method.to_s),
+          ) unless shop_storage_class.respond_to?(method)
+        end
+
+        shop_storage_class
       end
 
       def load_user_storage
         return NullUserSessionStore unless @user_storage
 
-        @user_storage.respond_to?(:safe_constantize) ? @user_storage.safe_constantize : @user_storage
+        user_storage_class =
+          @user_storage.respond_to?(:safe_constantize) ? @user_storage.safe_constantize : @user_storage
+
+        [
+          :store,
+          :retrieve,
+          :retrieve_by_shopify_user_id,
+        ].each do |method|
+          raise(
+            ::ShopifyApp::ConfigurationError,
+            missing_method_message("user", method.to_s),
+          ) unless user_storage_class.respond_to?(method)
+        end
+
+        user_storage_class
+      end
+
+      def missing_method_message(type, method)
+        "Missing method - '#{method}' implementation for #{type}_storage_repository\n
+        See docs here: https://github.com/Shopify/shopify_app/blob/main/docs/shopify_app/sessions.md#sessions"
       end
     end
   end

data/lib/shopify_app/session/shop_session_storage.rb

@@ -27,6 +27,10 @@ module ShopifyApp
         construct_session(shop)
       end
 
+      def destroy_by_shopify_domain(domain)
+        destroy_by(shopify_domain: domain)
+      end
+
       private
 
       def construct_session(shop)

data/lib/shopify_app/session/shop_session_storage_with_scopes.rb

@@ -29,6 +29,10 @@ module ShopifyApp
         construct_session(shop)
       end
 
+      def destroy_by_shopify_domain(domain)
+        destroy_by(shopify_domain: domain)
+      end
+
       private
 
       def construct_session(shop)

data/lib/shopify_app/session/user_session_storage.rb

@@ -28,6 +28,10 @@ module ShopifyApp
         construct_session(user)
       end
 
+      def destroy_by_shopify_user_id(user_id)
+        destroy_by(shopify_user_id: user_id)
+      end
+
       private
 
       def construct_session(user)