shopify_app 21.9.0 → 22.00.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0235c0e9ef88bf1ffa1b0fde1d62f2af79c3d2bd2a0e45dfd454f9d26dc30b53
-  data.tar.gz: 1f00756ed0f26034b996b24db4cc2297e56afeffd0b3f28b6d22ecdc7f78dbe9
+  metadata.gz: 3d5156af0790e87945886e2c5edd99822d04fb05b88ad318558ab7a71aec764e
+  data.tar.gz: e192e1581b1f9f183e3f10a9a8c4c8cb337202ea1bcf1325cc1c4ea5ba06a1f9
 SHA512:
-  metadata.gz: a8c1116442619ef12195cf15ef38307f720640eb6993d2bfa174fb842878ff9af890a663271bf03aa556ee1fa86a7311956d6d29a8188e26276993c0d5e83057
-  data.tar.gz: c6d78960aeba7353bea99a234adf87d772bf371f43d027dfcd32bb8e89d38aef00879b5a31aa655fcabe3f348a8d50c3553d87b845f8ac4b1e8f12eab8bb0385
+  metadata.gz: 951051cf5170c58847b8f2fde2e779916f66afa8fba6ea3be75d9aaee605f747b334fb28022d5149909cdb96b10741fa8be8f69ab98df631fe07d3d19c24484d
+  data.tar.gz: 45bff8811720fd20cf7141441cc8ee70b0b7ca046962670b4bbf4d91e480be08220f744185e98a8e8d71ff64532f698b513a8ab534e7fc0b30126cdebee93748

data/.github/ISSUE_TEMPLATE/bug-report.md

@@ -6,36 +6,41 @@ labels: "Type: Bug 🐛"
 
 # Issue summary
 
-<!--
-
-Write a short description of the issue here. Please provide any details or logs that
-can help us debug it.
+Before opening this issue, I have:
+
+- [ ] Upgraded to the latest version of the package
+  - `shopify_app` version:
+  - Ruby version:
+  - Operating system:
+- [ ] Set `log_level: :debug` [in my configuration](https://github.com/Shopify/shopify-api-ruby#setup-shopify-context), if applicable
+- [ ] Found a reliable way to reproduce the problem that indicates it's a problem with the package
+- [ ] Looked for similar issues in this repository
+- [ ] Checked that this isn't an issue with a Shopify API
+  - If it is, please create a post in the [Shopify community forums](https://community.shopify.com/c/partners-and-developers/ct-p/appdev) or report it to [Shopify Partner Support](https://help.shopify.com/en/support/partners/org-select)
 
-Increase the logs as described in the README by setting log_level to :debug, and paste the relevant portion here.
-
-Learn more: https://github.com/Shopify/shopify-api-ruby#setup-shopify-context
+<!--
+Write a short description of the issue here.
 
+We can only fix issues for which there is a clear reproduction scenario.
+The more context you can provide, the easier it becomes for us to investigate and fix the issue.
 -->
 
-- `shopify_api` version:
-- `shopify_app` version:
-- Ruby version:
-- Operating system:
-
-```
-// Paste any relevant logs here
-```
-
 ## Expected behavior
 
-<!-- What do you think should happen? -->
+What do you think should happen?
 
 ## Actual behavior
 
-<!-- What actually happens? -->
+What actually happens?
 
 ## Steps to reproduce the problem
 
 1.
 1.
 1.
+
+## Debug logs
+
+```
+// Paste any relevant logs here
+```

data/.github/workflows/build.yml

@@ -12,7 +12,7 @@ jobs:
     name: Ruby ${{ matrix.version }}
     strategy:
       matrix:
-        version: ['2.7', '3.0', '3.1', '3.2']
+        version: ['3.0', '3.1', '3.2']
 
     steps:
       - uses: actions/checkout@v3

data/.github/workflows/release.yml

@@ -11,7 +11,7 @@ jobs:
     steps:
     - name: Extract tag name
       id: tag
-      run: echo "::set-output name=value::${GITHUB_REF##*/}"
+      run: echo "value=${GITHUB_REF##*/}" >> "$GITHUB_OUTPUT"
     - uses: actions/checkout@v3
 
     - name: Create Release

data/.github/workflows/rubocop.yml

@@ -8,10 +8,10 @@ jobs:
 
     steps:
     - uses: actions/checkout@v3
-    - name: Set up Ruby 2.7
+    - name: Set up Ruby 3.2
       uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.7
+        ruby-version: 3.2
         bundler-cache: true
     - name: Install gems
       run: |

data/CHANGELOG.md

@@ -1,7 +1,26 @@
 Unreleased
 ----------
 
-21.9.0 (January 16, 2023)
+22.00.0 (March 5, 2024)
+----------
+* ⚠️ [Breaking] Bumps minimum supported Ruby version to 3.0. Bumps `shopify_api` to 14.0 [1801](https://github.com/Shopify/shopify_app/pull/1801)
+* ⚠️ [Breaking] Removes deprecated controller concerns that were renamed in `v21.10.0`. [1805](https://github.com/Shopify/shopify_app/pull/1805)
+* ⚠️ [Breaking] Removes deprecated `ScripttagManager`. We realize there was communication error in our logging where we logged future deprecation instead of our inteded removal. Since we have been logging that for 2 years we felt we'd move forward with the removal instead pushing this off until the next major release. [1806](https://github.com/Shopify/shopify_app/pull/1806)
+* ⚠️ [Breaking] Removes ITP controller concern and `browser_sniffer` dependency.[1810](https://github.com/Shopify/shopify_app/pull/1810)
+* ⚠️ [Breaking] Removes Marketing Extensions generator [1810](https://github.com/Shopify/shopify_app/pull/1810)
+* ⚠️ [Breaking] Thows an error if a controller includes incompatible concerns (LoginProtection/EnsureInstalled) [1809](https://github.com/Shopify/shopify_app/pull/1809)
+* ⚠️ [Breaking] No longer rescues non-shopify API errors during OAuth
+  callback [1807](https://github.com/Shopify/shopify_app/pull/1807)
+* Make type param for webhooks route optional. This will fix a bug with CLI initiated webhooks.[1786](https://github.com/Shopify/shopify_app/pull/1786)
+* Fix redirecting to login when we catch a 401 response from Shopify, so that it can also handle cases where the app is already embedded when that happens.[1787](https://github.com/Shopify/shopify_app/pull/1787)
+* Always register webhooks with offline sessions.[1788](https://github.com/Shopify/shopify_app/pull/1788)
+
+21.10.0 (January 24, 2024)
+----------
+* Fix session deletion for users with customized session storage[#1773](https://github.com/Shopify/shopify_app/pull/1773)
+* Add configuration flag `check_session_expiry_date` to trigger a re-auth when the (user) session is expired. The session expiry date must be stored and retrieved for this flag to be effective. When the `UserSessionStorageWithScopes` concern is used, a DB migration can be generated with `rails generate shopify_app:user_model --skip` and should be applied before enabling that flag[#1757](https://github.com/Shopify/shopify_app/pull/1757)
+
+21.9.0 (January 16, 2024)
 ----------
 * Fix `add_webhook` generator to create the webhook jobs under the correct directory[#1748](https://github.com/Shopify/shopify_app/pull/1748)
 * Add support for metafield_namespaces in webhook registration [#1745](https://github.com/Shopify/shopify_app/pull/1745)

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,46 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of
+fostering an open and welcoming community, we pledge to respect all
+people who contribute through reporting issues, posting feature
+requests, updating documentation, submitting pull requests or patches,
+and other activities.
+
+We are committed to making participation in this project a
+harassment-free experience for everyone, regardless of level of
+experience, gender, gender identity and expression, sexual orientation,
+disability, personal appearance, body size, race, ethnicity, age,
+religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+- The use of sexualized language or imagery
+- Personal attacks
+- Trolling or insulting/derogatory comments
+- Public or private harassment
+- Publishing other's private information, such as physical or electronic
+  addresses, without explicit permission
+- Other unethical or unprofessional conduct
+
+Project maintainers have the right and responsibility to remove, edit,
+or reject comments, commits, code, wiki edits, issues, and other
+contributions that are not aligned to this Code of Conduct, or to ban
+temporarily or permanently any contributor for other behaviors that they
+deem inappropriate, threatening, offensive, or harmful.
+
+By adopting this Code of Conduct, project maintainers commit themselves
+to fairly and consistently applying these principles to every aspect of
+managing this project. Project maintainers who do not follow or enforce
+the Code of Conduct may be permanently removed from the project team.
+
+This Code of Conduct applies both within project spaces and in public
+spaces when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may
+be reported by contacting a project maintainer at <opensource@shopify.com>.
+All complaints will be reviewed and investigated and will result in a response
+that is deemed necessary and appropriate to the circumstances. Maintainers are
+obligated to maintain confidentiality with regard to the reporter of an incident.
+
+This Code of Conduct is adapted from the Contributor Covenant, version
+1.3.0, available from http://contributor-covenant.org/version/1/3/0/

data/Gemfile.lock

@@ -1,14 +1,13 @@
 PATH
   remote: .
   specs:
-    shopify_app (21.9.0)
+    shopify_app (22.00.0)
       activeresource
       addressable (~> 2.7)
-      browser_sniffer (~> 2.0)
       jwt (>= 2.2.3)
       rails (> 5.2.1)
       redirect_safely (~> 1.0)
-      shopify_api (~> 13.4)
+      shopify_api (~> 14)
       sprockets-rails (>= 2.0.0)
 
 GEM
@@ -86,7 +85,6 @@ GEM
     ast (2.4.2)
     binding_of_caller (1.0.0)
       debug_inspector (>= 0.0.1)
-    browser_sniffer (2.2.0)
     builder (3.2.4)
     byebug (11.1.3)
     coderay (1.1.3)
@@ -134,11 +132,11 @@ GEM
     net-smtp (0.3.3)
       net-protocol
     nio4r (2.5.9)
-    nokogiri (1.15.0-arm64-darwin)
+    nokogiri (1.16.2-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.15.0-x86_64-darwin)
+    nokogiri (1.16.2-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.15.0-x86_64-linux)
+    nokogiri (1.16.2-x86_64-linux)
       racc (~> 1.4)
     oj (3.14.3)
     openssl (3.1.0)
@@ -155,7 +153,7 @@ GEM
       binding_of_caller (~> 1.0)
       pry (~> 0.13)
     public_suffix (5.0.1)
-    racc (1.6.2)
+    racc (1.7.3)
     rack (2.2.7)
     rack-test (2.1.0)
       rack (>= 1.3)
@@ -217,7 +215,7 @@ GEM
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     securerandom (0.2.2)
-    shopify_api (13.4.0)
+    shopify_api (14.0.0)
       activesupport
       concurrent-ruby
       hash_diff

data/README.md

@@ -106,7 +106,6 @@ You can find documentation on gem usage, concepts, mixins, installation, and mor
   * [Engine](/docs/shopify_app/engine.md)
   * [Controller Concerns](/docs/shopify_app/controller-concerns.md)
   * [Generators](/docs/shopify_app/generators.md)
-  * [ScriptTags](/docs/shopify_app/script-tags.md)
   * [Sessions](/docs/shopify_app/sessions.md)
   * [Handling changes in access scopes](/docs/shopify_app/handling-access-scopes-changes.md)
   * [Testing](/docs/shopify_app/testing.md)

data/app/controllers/concerns/shopify_app/ensure_authenticated_links.rb

@@ -20,11 +20,15 @@ module ShopifyApp
     end
 
     def splash_page_with_params(params)
-      uri = URI(root_path)
+      uri = URI(base_url)
       uri.query = params.compact.to_query
       uri.to_s
     end
 
+    def base_url
+      ShopifyApp.configuration.root_url.presence || root_path
+    end
+
     def redirect_to_splash_page
       redirect_to(splash_page)
     rescue ::ShopifyApp::ShopifyDomainNotFound => error

data/app/controllers/concerns/shopify_app/ensure_installed.rb

@@ -9,10 +9,10 @@ module ShopifyApp
       if defined?(ShopifyApp::LoginProtection) && ancestors.include?(ShopifyApp::LoginProtection)
         message = <<~EOS
           We detected the use of incompatible concerns (EnsureInstalled and LoginProtection) in #{name},
-          which may lead to unpredictable behavior. In a future release of this library this will raise an error.
+          which leads to unpredictable behavior. You cannot include both concerns in the same controller.
         EOS
 
-        ShopifyApp::Logger.deprecated(message, "22.0.0")
+        raise message
       end
 
       before_action :check_shop_domain

data/app/controllers/shopify_app/callback_controller.rb

@@ -10,8 +10,12 @@ module ShopifyApp
       begin
         api_session, cookie = validated_auth_objects
       rescue => error
-        deprecate_callback_rescue(error) unless error.class.module_parent == ShopifyAPI::Errors
-        return respond_with_error
+        if error.class.module_parent == ShopifyAPI::Errors
+          callback_rescue(error)
+          return respond_with_error
+        else
+          raise error
+        end
       end
 
       save_session(api_session) if api_session
@@ -25,6 +29,10 @@ module ShopifyApp
 
     private
 
+    def callback_rescue(error)
+      ShopifyApp::Logger.debug("#{error.class} was rescued and redirected to login_url_with_optional_shop")
+    end
+
     def deprecate_callback_rescue(error)
       message = <<~EOS
         An error of type #{error.class} was rescued. This is not part of `ShopifyAPI::Errors`, which could indicate a
@@ -130,8 +138,11 @@ module ShopifyApp
     end
 
     def perform_post_authenticate_jobs(session)
-      install_webhooks(session)
-      install_scripttags(session)
+      # Ensure we use the shop session to install webhooks
+      session_for_shop = session.online? ? shop_session : session
+
+      install_webhooks(session_for_shop)
+
       perform_after_authenticate_job(session)
     end
 
@@ -141,16 +152,6 @@ module ShopifyApp
       WebhooksManager.queue(session.shop, session.access_token)
     end
 
-    def install_scripttags(session)
-      return unless ShopifyApp.configuration.has_scripttags?
-
-      ScripttagsManager.queue(
-        session.shop,
-        session.access_token,
-        ShopifyApp.configuration.scripttags,
-      )
-    end
-
     def perform_after_authenticate_job(session)
       config = ShopifyApp.configuration.after_authenticate_job
 

data/config/routes.rb

@@ -26,6 +26,6 @@ ShopifyApp::Engine.routes.draw do
   end
 
   namespace :webhooks do
-    post ":type" => :receive
+    post "(:type)" => :receive
   end
 end

data/docs/Upgrading.md

@@ -8,6 +8,8 @@ This file documents important changes needed to upgrade your app's Shopify App v
 
 [Unreleased](#unreleased)
 
+[Upgrading to `v22.0.0`](#upgrading-to-v2200)
+
 [Upgrading to `v20.3.0`](#upgrading-to-v2030)
 
 [Upgrading to `v20.2.0`](#upgrading-to-v2020)
@@ -38,8 +40,30 @@ We also recommend the use of a staging site which matches your production enviro
 
 If you do run into issues, we recommend looking at our [debugging tips.](https://github.com/Shopify/shopify_app/blob/main/docs/Troubleshooting.md#debugging-tips)
 
+## Upgrading to `v22.0.0`
+#### Dropped support for Ruby 2.x
+Support for Ruby 2.x has been dropped as it is no longer supported. You'll need to upgrade to 3.x.x
+
+#### Renamed Controller Concerns
+The following controller concerns have been renamed/replaced in `v21.10.0` and have now been removed. To upgrade, please rename any usage in your apps's controllers that include them to the following:
+
+|Old Deprecated Controller Concern |Replaced By New Controller Concern|
+|---|---|
+|`Authenticated`|`EnsureHasSession`|
+|`RequireKnownShop`|`EnsureInstalled`|
+
+The new names better reflect what assurances the including the controller concern provide. The new concern provide similar if not identical functionality as the concerns they replaced.
+
+#### Remove ScripttagManager
+Script tag usage has largely been replaced with the adoption of [theme app extensions](https://shopify.dev/docs/apps/online-store/theme-app-extensions) and [thank you order status customization](https://shopify.dev/docs/apps/checkout/thank-you-order-status). The manager has been removed with this major release due to effective replacement and a goal to have parity in supported functionality across language stacks.
+
+If you find yourself still using Scipt Tags and want to continue the pattern of declarative management of script tags this gem used to use, we recommend porting the logic [the manager used in prior versions](https://github.com/Shopify/shopify_app/blob/2336fabc6d0b45a4dee3f336455dace4d2d88bc4/lib/shopify_app/managers/scripttags_manager.rb#L4) and implementing it in a [post authentication job](https://github.com/Shopify/shopify_app/blob/main/docs/shopify_app/authentication.md#run-jobs-after-the-oauth-flow). This is the recommended flow to create script tags (or any other logic) for stores that install your app.
+
+#### No longer rescue non-shopify API errors during customized OAuth flow
+If you have customized authentication logic and are counting on the `CallbackController` to catch your error and redirect to login, you'll need to catch that error and redirect to `login_url_with_optional_shop`.
+
 ## Upgrading to 21.3.0
-The `Itp` controller concern has been removed from `LoginProtection` which is included by the `Authenticated` controller concern.
+The `Itp` controller concern has been removed from `LoginProtection` which is included by the `Authenticated`/`EnsureHasSession` controller concern.
 If any of your controllers are dependant on methods from `Itp` then you can include `ShopifyApp::Itp` directly.
 You may notice a deprecation notice saying, `Itp will be removed in an upcoming version`.
 This is because we intend on removing `Itp` completely in `v22.0.0`, but this will work in the meantime.

data/docs/shopify_app/controller-concerns.md

@@ -64,5 +64,26 @@ Implements Rails' [protect_from_forgery](https://api.rubyonrails.org/classes/Act
 #### EmbeddedApp
 If your ShopifyApp configuration has the `embedded_app` config set to true, [P3P header](https://www.w3.org/P3P/) and [content security policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) are handled for you.
 
+By default, the `EmbeddedApp` concern also sets the layout file to be `app/views/layouts/embedded_app.html.erb`.
+
+Sometimes one wants to run an embedded app in non-embedded mode. For example:
+
+- When the remote environment is a CI;
+- When the remote environment is a preview/PR app;
+- When the developer wants to run the app in a non-embedded mode for testing.
+
+To use the same application layout for every application controller, a developer can now overwrite the `#use_embedded_app_layout?` method.
+
+```ruby
+class ApplicationController
+  # Ensures every controller is using the standard app/views/layouts/application.html.erb layout.
+  #
+  # @return [true, false]
+  def use_embedded_app_layout?
+    false
+  end
+end
+```
+
 #### EnsureBilling
 If billing is enabled for the app, the active payment for the session is queried and enforced if needed. If billing is required the user will be redirected to a page requesting payment.

data/docs/shopify_app/generators.md

@@ -68,13 +68,13 @@ Specify whether the app is an embedded app. Apps are embedded by default.
 
 #### `$ rails generate shopify_app:shop_model`
 
-This generator creates a `Shop` model and a migration to store shop installation records. See [*Shop-based token strategy*](/docs/shopify_app/session-repository.md#shop-based-token-storage) to learn more.
+This generator creates a `Shop` model and a migration to store shop installation records. See [*Shop-based token strategy*](/docs/shopify_app/sessions.md#shop-offline-token-storage) to learn more.
 
 ---
 
 #### `$ rails generate shopify_app:user_model`
 
-This generator creates a `User` model and a migration to store user records. See [*User-based token strategy*](/docs/shopify_app/session-repository.md#user-based-token-storage) to learn more.
+This generator creates a `User` model and a migration to store user records. See [*User-based token strategy*](/docs/shopify_app/sessions.md#user-online-token-storage) to learn more.
 
 ---
 

data/docs/shopify_app/sessions.md

@@ -4,23 +4,27 @@ Sessions are used to make contextual API calls for either a shop (offline sessio
 
 #### Table of contents
 
-- [Sessions](#sessions-1)
-  - [Types of session tokens](#types-of-session-tokens) - Shop (offline) v.s. User (online)
-  - [Session token storage](#session-token-storage)
-      - [Shop (offline) token storage](#shop-offline-token-storage)
-      - [User (online) token storage](#user-online-token-storage)
-      - [In-Memory Session Storage for Testing](#in-memory-session-storage-for-testing)
-      - [Customizing Session Storage with `ShopifyApp::SessionRepository`](#customizing-session-storage-with-shopifyappsessionrepository)
-  - [Loading Sessions](#loading-sessions)
+- [Sessions](#sessions)
+      - [Table of contents](#table-of-contents)
+  - [Sessions](#sessions-1)
+      - [Types of session tokens](#types-of-session-tokens)
+      - [Session token storage](#session-token-storage)
+        - [Shop (offline) token storage](#shop-offline-token-storage)
+        - [User (online) token storage](#user-online-token-storage)
+        - [In-memory Session Storage for testing](#in-memory-session-storage-for-testing)
+        - [Customizing Session Storage with `ShopifyApp::SessionRepository`](#customizing-session-storage-with-shopifyappsessionrepository)
+        - [⚠️  Custom Session Storage Requirements](#️--custom-session-storage-requirements)
+        - [Available `ActiveSupport::Concerns` that contains implementation of the above methods](#available-activesupportconcerns-that-contains-implementation-of-the-above-methods)
+    - [Loading Sessions](#loading-sessions)
       - [Getting Sessions with Controller Concerns](#getting-sessions-with-controller-concerns)
-        - [Shop session - "EnsureInstalled" ](#shop-sessions---ensureinstalled)
-        - [User session - "EnsureHasSession" ](#user-sessions---ensurehassession)
-      - [Getting Sessions from a Shop or User model record - "with_shopify_session"](#getting-sessions-from-a-shop-or-user-model-record---with_shopify_session)
-- [Access scopes](#access-scopes)
-  - [`ShopifyApp::ShopSessionStorageWithScopes`](#shopifyappshopsessionstoragewithscopes)
-  - [``ShopifyApp::UserSessionStorageWithScopes``](#shopifyappusersessionstoragewithscopes)
-- [Migrating from shop-based to user-based token strategy](#migrating-from-shop-based-to-user-based-token-strategy)
-- [Migrating from ShopifyApi::Auth::SessionStorage to ShopifyApp::SessionStorage](#migrating-from-shopifyapiauthsessionstorage-to-shopifyappsessionstorage)
+        - [**Shop Sessions - `EnsureInstalled`**](#shop-sessions---ensureinstalled)
+        - [User Sessions - `EnsureHasSession`](#user-sessions---ensurehassession)
+      - [Getting sessions from a Shop or User model record - 'with\_shopify\_session'](#getting-sessions-from-a-shop-or-user-model-record---with_shopify_session)
+  - [Access scopes](#access-scopes)
+    - [`ShopifyApp::ShopSessionStorageWithScopes`](#shopifyappshopsessionstoragewithscopes)
+    - [`ShopifyApp::UserSessionStorageWithScopes`](#shopifyappusersessionstoragewithscopes)
+  - [Migrating from shop-based to user-based token strategy](#migrating-from-shop-based-to-user-based-token-strategy)
+  - [Migrating from `ShopifyApi::Auth::SessionStorage` to `ShopifyApp::SessionStorage`](#migrating-from-shopifyapiauthsessionstorage-to-shopifyappsessionstorage)
 
 ## Sessions
 #### Types of session tokens
@@ -103,6 +107,7 @@ The custom **Shop** repository must implement the following methods:
 | `self.store(auth_session)`                        | `auth_session` (ShopifyAPI::Auth::Session) | -                         |
 | `self.retrieve(id)`                               | `id` (String)                              | ShopifyAPI::Auth::Session |
 | `self.retrieve_by_shopify_domain(shopify_domain)` | `shopify_domain` (String)                  | ShopifyAPI::Auth::Session |
+| `self.destroy_by_shopify_domain(shopify_domain)`  | `shopify_domain` (String)                  | -                         |
 
 The custom **User** repository must implement the following methods:
 | Method                                      | Parameters                          | Return Type                  |
@@ -110,6 +115,7 @@ The custom **User** repository must implement the following methods:
 | `self.store(auth_session, user)`            | <li>`auth_session` (ShopifyAPI::Auth::Session)<br><li>`user` (ShopifyAPI::Auth::AssociatedUser) | - |
 | `self.retrieve(id)`                         | `id` (String)                       | `ShopifyAPI::Auth::Session`  |
 | `self.retrieve_by_shopify_user_id(user_id)` | `user_id` (String)                  | `ShopifyAPI::Auth::Session`  |
+| `self.destroy_by_shopify_user_id(user_id)`  | `user_id` (String)                  | -                            |
 
 
 These methods are already implemented as a part of the `User` and `Shop` models generated from this gem's generator.
@@ -153,7 +159,7 @@ end
 ```
 
 ##### User Sessions - `EnsureHasSession`
-- [EnsureHasSession](https://github.com/Shopify/shopify_app/blob/main/app/controllers/concerns/shopify_app/ensure_has_session.rb) controller concern will load a user session via `current_shopify_session`. As part of loading this session, this concern will also ensure that the user session has the appropriate scopes needed for the application. If the user isn't found or has fewer permitted scopes than are required, they will be prompted to authorize the application.
+- [EnsureHasSession](https://github.com/Shopify/shopify_app/blob/main/app/controllers/concerns/shopify_app/ensure_has_session.rb) controller concern will load a user session via `current_shopify_session`. As part of loading this session, this concern will also ensure that the user session has the appropriate scopes needed for the application and that it is not expired (when `check_session_expiry_date` is enabled). If the user isn't found or has fewer permitted scopes than are required, they will be prompted to authorize the application.
 - This controller concern should be used if you don't need your app to make calls on behalf of a user. With that in mind, there are a few other embedded concerns that are mixed in to ensure that embedding, CSRF, localization, and billing allow the action for the user.
 - Example
 ```ruby
@@ -228,6 +234,9 @@ class User < ActiveRecord::Base
 end
 ```
 
+## Expiry date
+When the configuration flag `check_session_expiry_date` is set to true, the user session expiry date will be checked to trigger a re-auth and get a fresh user token when it is expired. This requires the `ShopifyAPI::Auth::Session` `expires` attribute to be stored. When the `User` model includes the `UserSessionStorageWithScopes` concern, a DB migration can be generated with `rails generate shopify_app:user_model --skip` to add the `expires_at` attribute to the model.
+
 ## Migrating from shop-based to user-based token strategy
 
 1. Run the `user_model` generator as [mentioned above](#user-online-token-storage).

data/lib/generators/shopify_app/user_model/templates/db/migrate/add_user_expires_at_column.erb

@@ -0,0 +1,5 @@
+class AddUserExpiresAtColumn < ActiveRecord::Migration[<%= rails_migration_version %>]
+  def change
+    add_column :users, :expires_at, :datetime
+  end
+end

data/lib/generators/shopify_app/user_model/user_model_generator.rb

@@ -40,6 +40,26 @@ module ShopifyApp
         end
       end
 
+      def create_expires_at_storage_in_user_model
+        expires_at_column_prompt = <<~PROMPT
+          It is highly recommended that apps record the User session expiry date. \
+          This will allow to check if the session has expired and re-authenticate \
+          without a first call to Shopify.
+
+          After running the migration, the `check_session_expiry_date` configuration can be enabled.
+
+          The following migration will add an `expires_at` column to the User model. \
+          Do you want to include this migration? [y/n]
+        PROMPT
+
+        if new_shopify_cli_app? || Rails.env.test? || yes?(expires_at_column_prompt)
+          migration_template(
+            "db/migrate/add_user_expires_at_column.erb",
+            "db/migrate/add_user_expires_at_column.rb",
+          )
+        end
+      end
+
       def update_shopify_app_initializer
         gsub_file("config/initializers/shopify_app.rb", "ShopifyApp::InMemoryUserSessionStore", "User")
       end

data/lib/shopify_app/configuration.rb

@@ -20,6 +20,7 @@ module ShopifyApp
     attr_accessor :api_version
 
     attr_accessor :reauth_on_access_scope_changes
+    attr_accessor :check_session_expiry_date
     attr_accessor :log_level
 
     # customise urls
@@ -44,6 +45,9 @@ module ShopifyApp
     # takes a ShopifyApp::BillingConfiguration object
     attr_accessor :billing
 
+    # Work in Progress: enables token exchange authentication flow
+    attr_accessor :wip_new_embedded_auth_strategy
+
     def initialize
       @root_url = "/"
       @myshopify_domain = "myshopify.com"
@@ -118,6 +122,10 @@ module ShopifyApp
     def user_access_scopes
       @user_access_scopes || scope
     end
+
+    def use_new_embedded_auth_strategy?
+      wip_new_embedded_auth_strategy && embedded_app?
+    end
   end
 
   class BillingConfiguration

data/lib/shopify_app/controller_concerns/embedded_app.rb

@@ -7,14 +7,22 @@ module ShopifyApp
     include ShopifyApp::FrameAncestors
 
     included do
-      if ShopifyApp.configuration.embedded_app?
-        after_action(:set_esdk_headers)
-        layout("embedded_app")
-      end
+      layout :embedded_app_layout
+      after_action :set_esdk_headers, if: -> { ShopifyApp.configuration.embedded_app? }
+    end
+
+    protected
+
+    def use_embedded_app_layout?
+      ShopifyApp.configuration.embedded_app?
     end
 
     private
 
+    def embedded_app_layout
+      "embedded_app" if use_embedded_app_layout?
+    end
+
     def set_esdk_headers
       response.set_header("P3P", 'CP="Not used"')
       response.headers.except!("X-Frame-Options")