shopify_app 22.1.0 → 22.2.1

data/lib/shopify_app/auth/token_exchange.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module Auth
+    class TokenExchange
+      attr_reader :id_token
+
+      def self.perform(id_token)
+        new(id_token).perform
+      end
+
+      def initialize(id_token)
+        @id_token = id_token
+      end
+
+      def perform
+        domain = ShopifyAPI::Auth::JwtPayload.new(id_token).shopify_domain
+
+        Logger.info("Performing Token Exchange for [#{domain}] - (Offline)")
+        session = exchange_token(
+          shop: domain,
+          id_token: id_token,
+          requested_token_type: ShopifyAPI::Auth::TokenExchange::RequestedTokenType::OFFLINE_ACCESS_TOKEN,
+        )
+
+        if online_token_configured?
+          Logger.info("Performing Token Exchange for [#{domain}] - (Online)")
+          session = exchange_token(
+            shop: domain,
+            id_token: id_token,
+            requested_token_type: ShopifyAPI::Auth::TokenExchange::RequestedTokenType::ONLINE_ACCESS_TOKEN,
+          )
+        end
+
+        ShopifyApp.configuration.post_authenticate_tasks.perform(session)
+
+        session
+      end
+
+      private
+
+      def exchange_token(shop:, id_token:, requested_token_type:)
+        session = ShopifyAPI::Auth::TokenExchange.exchange_token(
+          shop: shop,
+          session_token: id_token,
+          requested_token_type: requested_token_type,
+        )
+
+        SessionRepository.store_session(session)
+
+        session
+      rescue ShopifyAPI::Errors::InvalidJwtTokenError
+        Logger.error("Invalid id token '#{id_token}' during token exchange")
+        raise
+      rescue ShopifyAPI::Errors::HttpResponseError => error
+        Logger.error(
+          "A #{error.code} error (#{error.class}) occurred during the token exchange. Response: #{error.response.body}",
+        )
+        raise
+      rescue ActiveRecord::RecordNotUnique
+        Logger.debug("Session not stored due to concurrent token exchange calls")
+        session
+      rescue => error
+        Logger.error("An error occurred during the token exchange: [#{error.class}] #{error.message}")
+        raise
+      end
+
+      def online_token_configured?
+        ShopifyApp.configuration.online_token_configured?
+      end
+    end
+  end
+end

data/lib/shopify_app/configuration.rb

@@ -48,8 +48,8 @@ module ShopifyApp
     # takes a ShopifyApp::BillingConfiguration object
     attr_accessor :billing
 
-    # Work in Progress: enables token exchange authentication flow
-    attr_accessor :wip_new_embedded_auth_strategy
+    # Enables new authorization flow using token exchange
+    attr_accessor :new_embedded_auth_strategy
 
     def initialize
       @root_url = "/"
@@ -129,7 +129,7 @@ module ShopifyApp
     end
 
     def use_new_embedded_auth_strategy?
-      wip_new_embedded_auth_strategy && embedded_app?
+      new_embedded_auth_strategy && embedded_app?
     end
 
     def online_token_configured?

data/lib/shopify_app/controller_concerns/embedded_app.rb

@@ -5,6 +5,7 @@ module ShopifyApp
     extend ActiveSupport::Concern
 
     include ShopifyApp::FrameAncestors
+    include ShopifyApp::SanitizedParams
 
     included do
       layout :embedded_app_layout
@@ -13,6 +14,22 @@ module ShopifyApp
 
     protected
 
+    def redirect_to_embed_app_in_admin
+      ShopifyApp::Logger.debug("Redirecting to embed app in admin")
+
+      host = if params[:host]
+        params[:host]
+      elsif params[:shop]
+        Base64.encode64("#{sanitized_shop_name}/admin")
+      else
+        return redirect_to(ShopifyApp.configuration.login_url)
+      end
+
+      redirect_path = ShopifyAPI::Auth.embedded_app_url(host)
+      redirect_path = ShopifyApp.configuration.root_url if deduced_phishing_attack?(redirect_path)
+      redirect_to(redirect_path, allow_other_host: true)
+    end
+
     def use_embedded_app_layout?
       ShopifyApp.configuration.embedded_app?
     end
@@ -27,5 +44,15 @@ module ShopifyApp
       response.set_header("P3P", 'CP="Not used"')
       response.headers.except!("X-Frame-Options")
     end
+
+    def deduced_phishing_attack?(decoded_host)
+      sanitized_host = ShopifyApp::Utils.sanitize_shop_domain(decoded_host)
+      if sanitized_host.nil?
+        message = "Host param for redirect to embed app in admin is not from a trusted domain, " \
+          "redirecting to root as this is likely a phishing attack."
+        ShopifyApp::Logger.info(message)
+      end
+      sanitized_host.nil?
+    end
   end
 end

data/lib/shopify_app/controller_concerns/ensure_billing.rb

@@ -27,7 +27,7 @@ module ShopifyApp
 
       unless has_payment
         if request.xhr?
-          add_top_level_redirection_headers(url: confirmation_url, ignore_response_code: true)
+          RedirectForEmbedded.add_app_bridge_redirect_url_header(confirmation_url, response)
           ShopifyApp::Logger.debug("Responding with 401 unauthorized")
           head(:unauthorized)
         elsif ShopifyApp.configuration.embedded_app?
@@ -45,8 +45,16 @@ module ShopifyApp
     end
 
     def handle_billing_error(error)
-      logger.info("#{error.message}: #{error.errors}")
-      redirect_to_login
+      ShopifyApp::Logger.warn("Encountered billing error - #{error.message}: #{error.errors}\n" \
+        "Redirecting to login page")
+
+      login_url = ShopifyApp.configuration.login_url
+      if request.xhr?
+        RedirectForEmbedded.add_app_bridge_redirect_url_header(login_url, response)
+        head(:unauthorized)
+      else
+        fullpage_redirect_to(login_url)
+      end
     end
 
     def has_active_payment?(session)

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -16,6 +16,7 @@ module ShopifyApp
       end
 
       rescue_from ShopifyAPI::Errors::HttpResponseError, with: :handle_http_error
+      include ShopifyApp::WithShopifyIdToken
     end
 
     ACCESS_TOKEN_REQUIRED_HEADER = "X-Shopify-API-Request-Failure-Unauthorized"
@@ -53,7 +54,7 @@ module ShopifyApp
       @current_shopify_session ||= begin
         cookie_name = ShopifyAPI::Auth::Oauth::SessionCookie::SESSION_COOKIE_NAME
         load_current_session(
-          auth_header: request.headers["HTTP_AUTHORIZATION"],
+          shopify_id_token: shopify_id_token,
           cookies: { cookie_name => cookies.encrypted[cookie_name] },
           is_online: online_token_configured?,
         )
@@ -78,13 +79,6 @@ module ShopifyApp
       response.set_header(ACCESS_TOKEN_REQUIRED_HEADER, "true")
     end
 
-    def jwt_expire_at
-      expire_at = request.env["jwt.expire_at"]
-      return unless expire_at
-
-      expire_at - 5.seconds # 5s gap to start fetching new token in advance
-    end
-
     def add_top_level_redirection_headers(url: nil, ignore_response_code: false)
       if request.xhr? && (ignore_response_code || response.code.to_i == 401)
         ShopifyApp::Logger.debug("Adding top level redirection headers")
@@ -94,8 +88,8 @@ module ShopifyApp
           params[:shop] = if current_shopify_session
             current_shopify_session.shop
 
-          elsif (matches = request.headers["HTTP_AUTHORIZATION"]&.match(/^Bearer (.+)$/))
-            jwt_payload = ShopifyAPI::Auth::JwtPayload.new(T.must(matches[1]))
+          elsif shopify_id_token
+            jwt_payload = ShopifyAPI::Auth::JwtPayload.new(shopify_id_token)
             jwt_payload.shop
           end
         end
@@ -103,21 +97,12 @@ module ShopifyApp
         url ||= login_url_with_optional_shop
 
         ShopifyApp::Logger.debug("Setting Reauthorize-Url to #{url}")
-        response.set_header("X-Shopify-API-Request-Failure-Reauthorize", "1")
-        response.set_header("X-Shopify-API-Request-Failure-Reauthorize-Url", url)
+        RedirectForEmbedded.add_app_bridge_redirect_url_header(url, response)
       end
     end
 
     protected
 
-    def jwt_shopify_domain
-      request.env["jwt.shopify_domain"]
-    end
-
-    def jwt_shopify_user_id
-      request.env["jwt.shopify_user_id"]
-    end
-
     def host
       params[:host]
     end
@@ -273,10 +258,10 @@ module ShopifyApp
       online_token_configured?
     end
 
-    def load_current_session(auth_header: nil, cookies: nil, is_online: false)
+    def load_current_session(shopify_id_token: nil, cookies: nil, is_online: false)
       return ShopifyAPI::Context.load_private_session if ShopifyAPI::Context.private?
 
-      session_id = ShopifyAPI::Utils::SessionUtils.current_session_id(auth_header, cookies, is_online)
+      session_id = ShopifyAPI::Utils::SessionUtils.current_session_id(shopify_id_token, cookies, is_online)
       return nil unless session_id
 
       ShopifyApp::SessionRepository.load_session(session_id)

data/lib/shopify_app/controller_concerns/redirect_for_embedded.rb

@@ -4,6 +4,11 @@ module ShopifyApp
   module RedirectForEmbedded
     include ShopifyApp::SanitizedParams
 
+    def self.add_app_bridge_redirect_url_header(url, response)
+      response.set_header("X-Shopify-API-Request-Failure-Reauthorize", "1")
+      response.set_header("X-Shopify-API-Request-Failure-Reauthorize-Url", url)
+    end
+
     private
 
     def embedded_redirect_url?

data/lib/shopify_app/controller_concerns/token_exchange.rb

@@ -3,139 +3,109 @@
 module ShopifyApp
   module TokenExchange
     extend ActiveSupport::Concern
+    include ShopifyApp::AdminAPI::WithTokenRefetch
+    include ShopifyApp::SanitizedParams
+    include ShopifyApp::EmbeddedApp
 
-    def activate_shopify_session
-      if current_shopify_session.blank?
-        retrieve_session_from_token_exchange
-      end
+    included do
+      include ShopifyApp::WithShopifyIdToken
+    end
 
-      if ShopifyApp.configuration.check_session_expiry_date && current_shopify_session.expired?
-        @current_shopify_session = nil
-        retrieve_session_from_token_exchange
-      end
+    INVALID_SHOPIFY_ID_TOKEN_ERRORS = [
+      ShopifyAPI::Errors::MissingJwtTokenError,
+      ShopifyAPI::Errors::InvalidJwtTokenError,
+    ].freeze
+
+    def activate_shopify_session(&block)
+      retrieve_session_from_token_exchange if current_shopify_session.blank? || should_exchange_expired_token?
+
+      ShopifyApp::Logger.debug("Activating Shopify session")
+      ShopifyAPI::Context.activate_session(current_shopify_session)
+      with_token_refetch(current_shopify_session, shopify_id_token, &block)
+    rescue *INVALID_SHOPIFY_ID_TOKEN_ERRORS => e
+      ShopifyApp::Logger.debug("Responding to invalid Shopify ID token: #{e.message}")
+      respond_to_invalid_shopify_id_token unless performed?
+    ensure
+      ShopifyApp::Logger.debug("Deactivating session")
+      ShopifyAPI::Context.deactivate_session
+    end
 
-      begin
-        ShopifyApp::Logger.debug("Activating Shopify session")
-        ShopifyAPI::Context.activate_session(current_shopify_session)
-        yield
-      ensure
-        ShopifyApp::Logger.debug("Deactivating session")
-        ShopifyAPI::Context.deactivate_session
-      end
+    def should_exchange_expired_token?
+      ShopifyApp.configuration.check_session_expiry_date && current_shopify_session.expired?
     end
 
     def current_shopify_session
-      @current_shopify_session ||= begin
-        session_id = ShopifyAPI::Utils::SessionUtils.current_session_id(
-          request.headers["HTTP_AUTHORIZATION"],
-          nil,
-          online_token_configured?,
-        )
-        return nil unless session_id
-
-        ShopifyApp::SessionRepository.load_session(session_id)
-      end
+      return unless current_shopify_session_id
+
+      @current_shopify_session ||= ShopifyApp::SessionRepository.load_session(current_shopify_session_id)
     end
 
-    def current_shopify_domain
-      return if params[:shop].blank?
+    def current_shopify_session_id
+      @current_shopify_session_id ||= ShopifyAPI::Utils::SessionUtils.session_id_from_shopify_id_token(
+        id_token: shopify_id_token,
+        online: online_token_configured?,
+      )
+    end
 
-      ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
+    def current_shopify_domain
+      sanitized_shop_name || current_shopify_session&.shop
     end
 
     private
 
     def retrieve_session_from_token_exchange
-      # TODO: Right now JWT Middleware only updates env['jwt.shopify_domain'] from request headers tokens,
-      # which won't work for new installs.
-      # we need to update the middleware to also update the env['jwt.shopify_domain'] from the query params
-      domain = ShopifyApp::JWT.new(session_token).shopify_domain
-
-      ShopifyApp::Logger.info("Performing Token Exchange for [#{domain}] - (Offline)")
-      session = exchange_token(
-        shop: domain, # TODO: use jwt_shopify_domain ?
-        session_token: session_token,
-        requested_token_type: ShopifyAPI::Auth::TokenExchange::RequestedTokenType::OFFLINE_ACCESS_TOKEN,
-      )
-
-      if session && online_token_configured?
-        ShopifyApp::Logger.info("Performing Token Exchange for [#{domain}] - (Online)")
-        session = exchange_token(
-          shop: domain, # TODO: use jwt_shopify_domain ?
-          session_token: session_token,
-          requested_token_type: ShopifyAPI::Auth::TokenExchange::RequestedTokenType::ONLINE_ACCESS_TOKEN,
-        )
-      end
-
-      ShopifyApp.configuration.post_authenticate_tasks.perform(session)
+      @current_shopify_session = nil
+      ShopifyApp::Auth::TokenExchange.perform(shopify_id_token)
     end
 
-    def exchange_token(shop:, session_token:, requested_token_type:)
-      if session_token.blank?
-        # respond_to_invalid_session_token
-        return
-      end
-
-      begin
-        session = ShopifyAPI::Auth::TokenExchange.exchange_token(
-          shop: shop,
-          session_token: session_token,
-          requested_token_type: requested_token_type,
-        )
-      rescue ShopifyAPI::Errors::InvalidJwtTokenError
-        # respond_to_invalid_session_token
-        return
-      rescue ShopifyAPI::Errors::HttpResponseError => error
-        ShopifyApp::Logger.error(
-          "A #{error.code} error (#{error.class}) occurred during the token exchange. Response: #{error.response.body}",
-        )
-        raise
-      rescue => error
-        ShopifyApp::Logger.error("An error occurred during the token exchange: #{error.message}")
-        raise
-      end
-
-      if session
-        begin
-          ShopifyApp::SessionRepository.store_session(session)
-        rescue ActiveRecord::RecordNotUnique
-          ShopifyApp::Logger.debug("Session not stored due to concurrent token exchange calls")
+    def respond_to_invalid_shopify_id_token
+      if request.headers["HTTP_AUTHORIZATION"].blank?
+        if missing_embedded_param?
+          redirect_to_embed_app_in_admin
+        else
+          redirect_to_bounce_page
         end
+      else
+        ShopifyApp::Logger.debug("Responding to invalid Shopify ID token with unauthorized response")
+        response.set_header("X-Shopify-Retry-Invalid-Session-Request", 1)
+        unauthorized_response = { message: :unauthorized }
+        render(json: { errors: [unauthorized_response] }, status: :unauthorized)
       end
-
-      session
-    end
-
-    def session_token
-      @session_token ||= id_token_header
     end
 
-    def id_token_header
-      request.headers["HTTP_AUTHORIZATION"]&.match(/^Bearer (.+)$/)&.[](1)
-    end
+    def redirect_to_bounce_page
+      ShopifyApp::Logger.debug("Redirecting to bounce page for patching Shopify ID token")
+      patch_shopify_id_token_url =
+        "#{ShopifyAPI::Context.host}#{ShopifyApp.configuration.root_url}/patch_shopify_id_token"
+      patch_shopify_id_token_params = request.query_parameters.except(:id_token)
 
-    def respond_to_invalid_session_token
-      # TODO: Implement this method to handle invalid session tokens
+      bounce_url = "#{request.path}?#{patch_shopify_id_token_params.to_query}"
 
-      # if request.xhr?
-      # response.set_header("X-Shopify-Retry-Invalid-Session-Request", 1)
-      # unauthorized_response = { message: :unauthorized }
-      # render(json: { errors: [unauthorized_response] }, status: :unauthorized)
-      # else
-      # patch_session_token_url = "#{ShopifyAPI::Context.host}/patch_session_token"
-      # patch_session_token_params = request.query_parameters.except(:id_token)
+      # App Bridge will trigger a fetch to the URL in shopify-reload, with a new session token in headers
+      patch_shopify_id_token_params["shopify-reload"] = bounce_url
 
-      # bounce_url = "#{ShopifyAPI::Context.host}#{request.path}?#{patch_session_token_params.to_query}"
-
-      # # App Bridge will trigger a fetch to the URL in shopify-reload, with a new session token in headers
-      # patch_session_token_params["shopify-reload"] = bounce_url
+      redirect_to(
+        "#{patch_shopify_id_token_url}?#{patch_shopify_id_token_params.to_query}",
+        allow_other_host: true,
+      )
+    end
 
-      # redirect_to("#{patch_session_token_url}?#{patch_session_token_params.to_query}", allow_other_host: true)
-      # end
+    def missing_embedded_param?
+      !params[:embedded].present? || params[:embedded] != "1"
     end
 
     def online_token_configured?
       ShopifyApp.configuration.online_token_configured?
     end
+
+    def fullpage_redirect_to(url)
+      raise ShopifyApp::ShopifyDomainNotFound if current_shopify_domain.nil?
+
+      render(
+        "shopify_app/shared/redirect",
+        layout: false,
+        locals: { url: url, current_shopify_domain: current_shopify_domain },
+      )
+    end
   end
 end

data/lib/shopify_app/controller_concerns/with_shopify_id_token.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module WithShopifyIdToken
+    extend ActiveSupport::Concern
+
+    def shopify_id_token
+      @shopify_id_token ||= id_token_from_request_env || id_token_from_authorization_header || id_token_from_url_param
+    end
+
+    def jwt_shopify_domain
+      request.env["jwt.shopify_domain"]
+    end
+
+    def jwt_shopify_user_id
+      request.env["jwt.shopify_user_id"]
+    end
+
+    def jwt_expire_at
+      expire_at = request.env["jwt.expire_at"]
+      return unless expire_at
+
+      expire_at - 5.seconds # 5s gap to start fetching new token in advance
+    end
+
+    private
+
+    def id_token_from_request_env
+      # This is set from ShopifyApp::JWTMiddleware
+      request.env["jwt.token"]
+    end
+
+    def id_token_from_authorization_header
+      request.headers["HTTP_AUTHORIZATION"]&.match(/^Bearer (.+)$/)&.[](1)
+    end
+
+    def id_token_from_url_param
+      params["id_token"]
+    end
+  end
+end

data/lib/shopify_app/middleware/jwt_middleware.rb

@@ -2,16 +2,17 @@
 
 module ShopifyApp
   class JWTMiddleware
-    TOKEN_REGEX = /^Bearer\s+(.*?)$/
+    TOKEN_REGEX = /^Bearer (.+)$/
+    ID_TOKEN_QUERY_PARAM = "id_token"
 
     def initialize(app)
       @app = app
     end
 
     def call(env)
-      return call_next(env) unless authorization_header(env)
+      return call_next(env) unless ShopifyApp.configuration.embedded_app?
 
-      token = extract_token(env)
+      token = token_from_authorization_header(env) || token_from_query_string(env)
       return call_next(env) unless token
 
       set_env_variables(token, env)
@@ -24,21 +25,24 @@ module ShopifyApp
       @app.call(env)
     end
 
-    def authorization_header(env)
-      env["HTTP_AUTHORIZATION"]
+    def token_from_authorization_header(env)
+      env["HTTP_AUTHORIZATION"]&.match(TOKEN_REGEX)&.[](1)
     end
 
-    def extract_token(env)
-      match = authorization_header(env).match(TOKEN_REGEX)
-      match && match[1]
+    def token_from_query_string(env)
+      Rack::Utils.parse_nested_query(env["QUERY_STRING"])[ID_TOKEN_QUERY_PARAM]
     end
 
     def set_env_variables(token, env)
-      jwt = ShopifyApp::JWT.new(token)
+      jwt = ShopifyAPI::Auth::JwtPayload.new(token)
 
+      env["jwt.token"] = token
       env["jwt.shopify_domain"] = jwt.shopify_domain
       env["jwt.shopify_user_id"] = jwt.shopify_user_id
       env["jwt.expire_at"] = jwt.expire_at
+    rescue ShopifyAPI::Errors::InvalidJwtTokenError
+      # ShopifyApp::JWT did not raise any exceptions, ensuring behaviour does not change
+      nil
     end
   end
 end

data/lib/shopify_app/session/jwt.rb

@@ -13,6 +13,7 @@ module ShopifyApp
     ]
 
     def initialize(token)
+      warn_deprecation
       @token = token
       set_payload
     end
@@ -60,5 +61,13 @@ module ShopifyApp
 
       payload
     end
+
+    def warn_deprecation
+      message = <<~EOS
+        "ShopifyApp::JWT will be deprecated, use ShopifyAPI::Auth::JwtPayload to parse JWT token instead."
+      EOS
+
+      ShopifyApp::Logger.deprecated(message, "23.0.0")
+    end
   end
 end

data/lib/shopify_app/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ShopifyApp
-  VERSION = "22.1.0"
+  VERSION = "22.2.1"
 end

data/lib/shopify_app.rb

@@ -40,6 +40,9 @@ module ShopifyApp
 
   require "shopify_app/logger"
 
+  # Admin API helpers
+  require "shopify_app/admin_api/with_token_refetch"
+
   # controller concerns
   require "shopify_app/controller_concerns/csrf_protection"
   require "shopify_app/controller_concerns/localization"
@@ -53,9 +56,11 @@ module ShopifyApp
   require "shopify_app/controller_concerns/app_proxy_verification"
   require "shopify_app/controller_concerns/webhook_verification"
   require "shopify_app/controller_concerns/token_exchange"
+  require "shopify_app/controller_concerns/with_shopify_id_token"
 
   # Auth helpers
   require "shopify_app/auth/post_authenticate_tasks"
+  require "shopify_app/auth/token_exchange"
 
   # jobs
   require "shopify_app/jobs/webhooks_manager_job"

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "22.1.0",
+  "version": "22.2.1",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

data/shopify_app.gemspec

@@ -19,7 +19,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency("jwt", ">= 2.2.3")
   s.add_runtime_dependency("rails", "> 5.2.1")
   s.add_runtime_dependency("redirect_safely", "~> 1.0")
-  s.add_runtime_dependency("shopify_api", ">= 14.1.0", "< 15.0")
+  s.add_runtime_dependency("shopify_api", ">= 14.3.0", "< 15.0")
   s.add_runtime_dependency("sprockets-rails", ">= 2.0.0")
 
   s.add_development_dependency("byebug")