shopify_app 22.0.1 → 22.2.0

data/lib/shopify_app/controller_concerns/token_exchange.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module TokenExchange
+    extend ActiveSupport::Concern
+    include ShopifyApp::AdminAPI::WithTokenRefetch
+    include ShopifyApp::SanitizedParams
+    include ShopifyApp::EmbeddedApp
+
+    included do
+      include ShopifyApp::WithShopifyIdToken
+    end
+
+    INVALID_SHOPIFY_ID_TOKEN_ERRORS = [
+      ShopifyAPI::Errors::MissingJwtTokenError,
+      ShopifyAPI::Errors::InvalidJwtTokenError,
+    ].freeze
+
+    def activate_shopify_session(&block)
+      retrieve_session_from_token_exchange if current_shopify_session.blank? || should_exchange_expired_token?
+
+      ShopifyApp::Logger.debug("Activating Shopify session")
+      ShopifyAPI::Context.activate_session(current_shopify_session)
+      with_token_refetch(current_shopify_session, shopify_id_token, &block)
+    rescue *INVALID_SHOPIFY_ID_TOKEN_ERRORS => e
+      ShopifyApp::Logger.debug("Responding to invalid Shopify ID token: #{e.message}")
+      respond_to_invalid_shopify_id_token unless performed?
+    ensure
+      ShopifyApp::Logger.debug("Deactivating session")
+      ShopifyAPI::Context.deactivate_session
+    end
+
+    def should_exchange_expired_token?
+      ShopifyApp.configuration.check_session_expiry_date && current_shopify_session.expired?
+    end
+
+    def current_shopify_session
+      return unless current_shopify_session_id
+
+      @current_shopify_session ||= ShopifyApp::SessionRepository.load_session(current_shopify_session_id)
+    end
+
+    def current_shopify_session_id
+      @current_shopify_session_id ||= ShopifyAPI::Utils::SessionUtils.session_id_from_shopify_id_token(
+        id_token: shopify_id_token,
+        online: online_token_configured?,
+      )
+    end
+
+    def current_shopify_domain
+      sanitized_shop_name || current_shopify_session&.shop
+    end
+
+    private
+
+    def retrieve_session_from_token_exchange
+      @current_shopify_session = nil
+      ShopifyApp::Auth::TokenExchange.perform(shopify_id_token)
+    end
+
+    def respond_to_invalid_shopify_id_token
+      if request.headers["HTTP_AUTHORIZATION"].blank?
+        if missing_embedded_param?
+          redirect_to_embed_app_in_admin
+        else
+          redirect_to_bounce_page
+        end
+      else
+        ShopifyApp::Logger.debug("Responding to invalid Shopify ID token with unauthorized response")
+        response.set_header("X-Shopify-Retry-Invalid-Session-Request", 1)
+        unauthorized_response = { message: :unauthorized }
+        render(json: { errors: [unauthorized_response] }, status: :unauthorized)
+      end
+    end
+
+    def redirect_to_bounce_page
+      ShopifyApp::Logger.debug("Redirecting to bounce page for patching Shopify ID token")
+      patch_shopify_id_token_url =
+        "#{ShopifyAPI::Context.host}#{ShopifyApp.configuration.root_url}/patch_shopify_id_token"
+      patch_shopify_id_token_params = request.query_parameters.except(:id_token)
+
+      bounce_url = "#{request.path}?#{patch_shopify_id_token_params.to_query}"
+
+      # App Bridge will trigger a fetch to the URL in shopify-reload, with a new session token in headers
+      patch_shopify_id_token_params["shopify-reload"] = bounce_url
+
+      redirect_to(
+        "#{patch_shopify_id_token_url}?#{patch_shopify_id_token_params.to_query}",
+        allow_other_host: true,
+      )
+    end
+
+    def missing_embedded_param?
+      !params[:embedded].present? || params[:embedded] != "1"
+    end
+
+    def online_token_configured?
+      ShopifyApp.configuration.online_token_configured?
+    end
+
+    def fullpage_redirect_to(url)
+      raise ShopifyApp::ShopifyDomainNotFound if current_shopify_domain.nil?
+
+      render(
+        "shopify_app/shared/redirect",
+        layout: false,
+        locals: { url: url, current_shopify_domain: current_shopify_domain },
+      )
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/with_shopify_id_token.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module WithShopifyIdToken
+    extend ActiveSupport::Concern
+
+    def shopify_id_token
+      @shopify_id_token ||= id_token_from_request_env || id_token_from_authorization_header || id_token_from_url_param
+    end
+
+    def jwt_shopify_domain
+      request.env["jwt.shopify_domain"]
+    end
+
+    def jwt_shopify_user_id
+      request.env["jwt.shopify_user_id"]
+    end
+
+    def jwt_expire_at
+      expire_at = request.env["jwt.expire_at"]
+      return unless expire_at
+
+      expire_at - 5.seconds # 5s gap to start fetching new token in advance
+    end
+
+    private
+
+    def id_token_from_request_env
+      # This is set from ShopifyApp::JWTMiddleware
+      request.env["jwt.token"]
+    end
+
+    def id_token_from_authorization_header
+      request.headers["HTTP_AUTHORIZATION"]&.match(/^Bearer (.+)$/)&.[](1)
+    end
+
+    def id_token_from_url_param
+      params["id_token"]
+    end
+  end
+end

data/lib/shopify_app/middleware/jwt_middleware.rb

@@ -2,16 +2,17 @@
 
 module ShopifyApp
   class JWTMiddleware
-    TOKEN_REGEX = /^Bearer\s+(.*?)$/
+    TOKEN_REGEX = /^Bearer (.+)$/
+    ID_TOKEN_QUERY_PARAM = "id_token"
 
     def initialize(app)
       @app = app
     end
 
     def call(env)
-      return call_next(env) unless authorization_header(env)
+      return call_next(env) unless ShopifyApp.configuration.embedded_app?
 
-      token = extract_token(env)
+      token = token_from_authorization_header(env) || token_from_query_string(env)
       return call_next(env) unless token
 
       set_env_variables(token, env)
@@ -24,21 +25,24 @@ module ShopifyApp
       @app.call(env)
     end
 
-    def authorization_header(env)
-      env["HTTP_AUTHORIZATION"]
+    def token_from_authorization_header(env)
+      env["HTTP_AUTHORIZATION"]&.match(TOKEN_REGEX)&.[](1)
     end
 
-    def extract_token(env)
-      match = authorization_header(env).match(TOKEN_REGEX)
-      match && match[1]
+    def token_from_query_string(env)
+      Rack::Utils.parse_nested_query(env["QUERY_STRING"])[ID_TOKEN_QUERY_PARAM]
     end
 
     def set_env_variables(token, env)
-      jwt = ShopifyApp::JWT.new(token)
+      jwt = ShopifyAPI::Auth::JwtPayload.new(token)
 
+      env["jwt.token"] = token
       env["jwt.shopify_domain"] = jwt.shopify_domain
       env["jwt.shopify_user_id"] = jwt.shopify_user_id
       env["jwt.expire_at"] = jwt.expire_at
+    rescue ShopifyAPI::Errors::InvalidJwtTokenError
+      # ShopifyApp::JWT did not raise any exceptions, ensuring behaviour does not change
+      nil
     end
   end
 end

data/lib/shopify_app/session/jwt.rb

@@ -13,6 +13,7 @@ module ShopifyApp
     ]
 
     def initialize(token)
+      warn_deprecation
       @token = token
       set_payload
     end
@@ -60,5 +61,13 @@ module ShopifyApp
 
       payload
     end
+
+    def warn_deprecation
+      message = <<~EOS
+        "ShopifyApp::JWT will be deprecated, use ShopifyAPI::Auth::JwtPayload to parse JWT token instead."
+      EOS
+
+      ShopifyApp::Logger.deprecated(message, "23.0.0")
+    end
   end
 end

data/lib/shopify_app/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ShopifyApp
-  VERSION = "22.0.1"
+  VERSION = "22.2.0"
 end

data/lib/shopify_app.rb

@@ -40,6 +40,9 @@ module ShopifyApp
 
   require "shopify_app/logger"
 
+  # Admin API helpers
+  require "shopify_app/admin_api/with_token_refetch"
+
   # controller concerns
   require "shopify_app/controller_concerns/csrf_protection"
   require "shopify_app/controller_concerns/localization"
@@ -52,6 +55,12 @@ module ShopifyApp
   require "shopify_app/controller_concerns/payload_verification"
   require "shopify_app/controller_concerns/app_proxy_verification"
   require "shopify_app/controller_concerns/webhook_verification"
+  require "shopify_app/controller_concerns/token_exchange"
+  require "shopify_app/controller_concerns/with_shopify_id_token"
+
+  # Auth helpers
+  require "shopify_app/auth/post_authenticate_tasks"
+  require "shopify_app/auth/token_exchange"
 
   # jobs
   require "shopify_app/jobs/webhooks_manager_job"

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "22.0.1",
+  "version": "22.2.0",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

data/shopify_app.gemspec

@@ -19,7 +19,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency("jwt", ">= 2.2.3")
   s.add_runtime_dependency("rails", "> 5.2.1")
   s.add_runtime_dependency("redirect_safely", "~> 1.0")
-  s.add_runtime_dependency("shopify_api", ">= 14.0.1", "< 15.0")
+  s.add_runtime_dependency("shopify_api", ">= 14.3.0", "< 15.0")
   s.add_runtime_dependency("sprockets-rails", ">= 2.0.0")
 
   s.add_development_dependency("byebug")

data/yarn.lock

@@ -2040,9 +2040,9 @@ flatted@^3.2.7:
   integrity sha512-36yxDn5H7OFZQla0/jFJmbIKTdZAQHngCedGxiMmpNfEZM0sdEeT+WczLQrjK6D7o2aiyLYDnkw0R3JK0Qv1RQ==
 
 follow-redirects@^1.0.0:
-  version "1.15.4"
-  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.4.tgz#cdc7d308bf6493126b17ea2191ea0ccf3e535adf"
-  integrity sha512-Cr4D/5wlrb0z9dgERpUL3LrmPKVDsETIJhaCMeDfuFYcqa5bldGV6wBsAN6X/vxlXQtFBMrXdXxdL8CbDTGniw==
+  version "1.15.6"
+  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.6.tgz#7f815c0cda4249c74ff09e95ef97c23b5fd0399b"
+  integrity sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==
 
 fs-extra@^8.1.0:
   version "8.1.0"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 22.0.1
+  version: 22.2.0
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-03-12 00:00:00.000000000 Z
+date: 2024-05-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activeresource
@@ -86,7 +86,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 14.0.1
+        version: 14.3.0
     - - "<"
       - !ruby/object:Gem::Version
         version: '15.0'
@@ -96,7 +96,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 14.0.1
+        version: 14.3.0
     - - "<"
       - !ruby/object:Gem::Version
         version: '15.0'
@@ -314,6 +314,7 @@ files:
 - app/controllers/shopify_app/extension_verification_controller.rb
 - app/controllers/shopify_app/sessions_controller.rb
 - app/controllers/shopify_app/webhooks_controller.rb
+- app/views/shopify_app/layouts/app_bridge.html.erb
 - app/views/shopify_app/partials/_button_styles.html.erb
 - app/views/shopify_app/partials/_card_styles.html.erb
 - app/views/shopify_app/partials/_empty_state_styles.html.erb
@@ -321,6 +322,7 @@ files:
 - app/views/shopify_app/partials/_layout_styles.html.erb
 - app/views/shopify_app/partials/_typography_styles.html.erb
 - app/views/shopify_app/sessions/new.html.erb
+- app/views/shopify_app/sessions/patch_shopify_id_token.html.erb
 - app/views/shopify_app/shared/redirect.html.erb
 - config/locales/cs.yml
 - config/locales/da.yml
@@ -414,6 +416,9 @@ files:
 - lib/shopify_app/access_scopes/noop_strategy.rb
 - lib/shopify_app/access_scopes/shop_strategy.rb
 - lib/shopify_app/access_scopes/user_strategy.rb
+- lib/shopify_app/admin_api/with_token_refetch.rb
+- lib/shopify_app/auth/post_authenticate_tasks.rb
+- lib/shopify_app/auth/token_exchange.rb
 - lib/shopify_app/configuration.rb
 - lib/shopify_app/controller_concerns/app_proxy_verification.rb
 - lib/shopify_app/controller_concerns/csrf_protection.rb
@@ -425,7 +430,9 @@ files:
 - lib/shopify_app/controller_concerns/payload_verification.rb
 - lib/shopify_app/controller_concerns/redirect_for_embedded.rb
 - lib/shopify_app/controller_concerns/sanitized_params.rb
+- lib/shopify_app/controller_concerns/token_exchange.rb
 - lib/shopify_app/controller_concerns/webhook_verification.rb
+- lib/shopify_app/controller_concerns/with_shopify_id_token.rb
 - lib/shopify_app/engine.rb
 - lib/shopify_app/errors.rb
 - lib/shopify_app/jobs/webhooks_manager_job.rb
@@ -474,7 +481,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.6
+rubygems_version: 3.5.9
 signing_key: 
 specification_version: 4
 summary: This gem is used to get quickly started with the Shopify API