shopify_app 22.2.0 → 22.3.0

data/config/locales/pl.yml

@@ -3,19 +3,3 @@ pl:
   logged_out: Pomyślne wylogowanie
   could_not_log_in: Nie można zalogować się do sklepu Shopify
   invalid_shop_url: Nieprawidłowa domena sklepu
-  enable_cookies_heading: Włącz korzystanie z plików cookie z %{app}
-  enable_cookies_body: Aby móc korzystać z %{app} w Shopify, musisz ręcznie włączyć
-    korzystanie z plików cookie w tej przeglądarce.
-  enable_cookies_footer: Pliki cookie umożliwiają uwierzytelnianie aplikacji przez
-    tymczasowe przechowywanie preferencji i danych osobowych. Wygasają one po 30 dniach.
-  enable_cookies_action: Włącz korzystanie z plików cookie
-  top_level_interaction_heading: Twoja przeglądarka wymaga uwierzytelnienia %{app}
-  top_level_interaction_body: Twoja przeglądarka wymaga takich aplikacji jak %{app},
-    aby poprosić o dostęp do plików cookie, zanim Shopify będzie mógł ją otworzyć.
-  top_level_interaction_action: Kontynuuj
-  request_storage_access_heading: "%{app} potrzebuje dostępu do plików cookie"
-  request_storage_access_body: Dzięki temu aplikacja może Cię uwierzytelniać, tymczasowo,
-    przechowując Twoje dane osobowe. Kliknij przycisk Kontynuuj i zezwalaj na pliki
-    cookie, aby korzystać z aplikacji.
-  request_storage_access_footer: Pliki cookie wygasają po 30 dniach.
-  request_storage_access_action: Kontynuuj

data/config/locales/pt-BR.yml

@@ -3,19 +3,3 @@ pt-BR:
   logged_out: Você saiu.
   could_not_log_in: Não foi possível fazer login na Shopify store
   invalid_shop_url: Domínio de loja inválido
-  enable_cookies_heading: Habilitar cookies de %{app}
-  enable_cookies_body: Você precisa habilitar manualmente os cookies neste navegador
-    para usar %{app} dentro da Shopify.
-  enable_cookies_footer: Os cookies permitem que o app o autentique armazenando temporariamente
-    suas preferências e dados pessoais. Eles expiram depois de 30 dias.
-  enable_cookies_action: Habilitar cookies
-  top_level_interaction_heading: Seu navegador precisa autenticar %{app}
-  top_level_interaction_body: Seu navegador exige que apps como o %{app} consultem
-    você sobre o acesso a cookies antes que a Shopify os abra.
-  top_level_interaction_action: Continuar
-  request_storage_access_heading: "%{app} precisa acessar cookies"
-  request_storage_access_body: Isso permite que o app autentique você armazenando
-    temporariamente seus dados pessoais. Clique em continuar e permita os cookies
-    para usar o app.
-  request_storage_access_footer: Os cookies expiram depois de 30 dias.
-  request_storage_access_action: Continuar

data/config/locales/pt-PT.yml

@@ -3,20 +3,3 @@ pt-PT:
   logged_out: Terminou a sessão com sucesso
   could_not_log_in: Não foi possível iniciar sessão na loja da Shopify
   invalid_shop_url: Domínio de loja inválido
-  enable_cookies_heading: Ativar cookies de %{app}
-  enable_cookies_body: Tem de ativar manualmente os cookies neste navegador para utilizar
-    %{app} dentro da Shopify.
-  enable_cookies_footer: Os cookies permitem que a aplicação o autentique armazenando
-    temporariamente as suas preferências e informações pessoais. Expiram ao fim de
-    30 dias.
-  enable_cookies_action: Ativar cookies
-  top_level_interaction_heading: O seu navegador tem de autenticar %{app}
-  top_level_interaction_body: O seu navegador exige que aplicações como %{app} lhe
-    solicitem o acesso de cookies, antes que a Shopify as possa abrir.
-  top_level_interaction_action: Continuar
-  request_storage_access_heading: "%{app} tem de aceder a cookies"
-  request_storage_access_body: Isto permite que a aplicação o autentique armazenando
-    temporariamente as suas informações pessoais. Clique em continuar e permita os
-    cookies para utilizar a aplicação.
-  request_storage_access_footer: Os cookies expiram ao fim de 30 dias.
-  request_storage_access_action: Continuar

data/config/locales/sv.yml

@@ -3,19 +3,3 @@ sv:
   logged_out: Har loggats ut
   could_not_log_in: Det gick inte att logga in i Shopify-butiken
   invalid_shop_url: Ogiltig butiksdomän
-  enable_cookies_heading: Aktivera cookies från %{app}
-  enable_cookies_body: Du måste aktivera cookies manuellt i den här webbläsaren för
-    att kunna använda %{app} inom Shopify.
-  enable_cookies_footer: Cookies låter appen autentisera dig genom att tillfälligt
-    lagra dina inställningar och personuppgifter. De upphör efter 30 dagar.
-  enable_cookies_action: Aktivera cookies
-  top_level_interaction_heading: Din webbläsare måste verifiera %{app}
-  top_level_interaction_body: Din webbläsare kräver att appar som %{app} frågar dig
-    om tillgång till cookies innan Shopify kan öppna den för dig.
-  top_level_interaction_action: Fortsätt
-  request_storage_access_heading: "%{app} behöver tillgång till cookies"
-  request_storage_access_body: Detta gör det möjligt för appen att autentisera dig
-    genom att tillfälligt lagra din personliga information. Klicka på fortsätt och
-    tillåta cookies att använda appen.
-  request_storage_access_footer: Cookies upphör efter 30 dagar.
-  request_storage_access_action: Fortsätt

data/config/locales/th.yml

@@ -3,18 +3,3 @@ th:
   logged_out: ออกจากระบบสำเร็จ
   could_not_log_in: ไม่สามารถเข้าสู่ระบบร้านค้า Shopify ได้
   invalid_shop_url: โดเมนร้านค้าไม่ถูกต้อง
-  enable_cookies_heading: เปิดใช้คุกกี้จาก %{app}
-  enable_cookies_body: คุณต้องเปิดใช้คุกกี้ด้วยตนเองในเบราว์เซอร์นี้เพื่อใช้งาน %{app}
-    ภายใน Shopify
-  enable_cookies_footer: คุกกี้ช่วยให้แอปตรวจสอบความถูกต้องของคุณด้วยการจัดเก็บความชื่นชอบและข้อมูลส่วนตัวของคุณชั่วคราว
-    คุกกี้จะหมดอายุหลังจาก 30 วัน
-  enable_cookies_action: เปิดใช้คุกกี้
-  top_level_interaction_heading: เบราว์เซอร์ของคุณต้องรับรองความถูกต้องของ %{app}
-  top_level_interaction_body: เบราว์เซอร์ของคุณต้องการแอปอย่าง %{app} เพื่อขอให้คุณเข้าถึงคุกกี้ก่อนที่
-    Shopify จะสามารถเปิดมันให้คุณได้
-  top_level_interaction_action: ดำเนินการต่อ
-  request_storage_access_heading: "%{app} ต้องการสิทธิ์การเข้าถึงคุกกี้"
-  request_storage_access_body: สิ่งนี้ช่วยให้แอปตรวจสอบความถูกต้องของคุณด้วยการจัดเก็บข้อมูลส่วนตัวของคุณชั่วคราว
-    คลิกดำเนินการต่อและอนุญาตให้คุกกี้ใช้แอป
-  request_storage_access_footer: คุกกี้จะหมดอายุหลังจาก 30 วัน
-  request_storage_access_action: ดำเนินการต่อ

data/config/locales/tr.yml

@@ -3,20 +3,3 @@ tr:
   logged_out: Oturum başarıyla kapatıldı
   could_not_log_in: Shopify mağazasında oturum açılamadı
   invalid_shop_url: Geçersiz mağaza alan adı
-  enable_cookies_heading: "%{app} uygulamasından çerezleri etkinleştir"
-  enable_cookies_body: "%{app} uygulamasını Shopify içinde kullanabilmek için bu tarayıcıda
-    çerezleri manuel olarak etkinleştirmelisiniz."
-  enable_cookies_footer: Çerezler, tercihlerinizi ve kişisel bilgilerinizi geçici
-    olarak saklayıp uygulamanın kimliğinizi doğrulamasına imkan tanır. Çerezlerin
-    süresi 30 gün sonra sonra sona erer.
-  enable_cookies_action: Çerezleri etkinleştir
-  top_level_interaction_heading: Tarayıcınızın %{app} kimliğini doğrulaması gerekiyor
-  top_level_interaction_body: Tarayıcınız, Shopify tarafından açılmadan önce %{app}
-    gibi uygulamaların sizden çerezlere erişim izni istemesini zorunlu tutuyor.
-  top_level_interaction_action: Devam
-  request_storage_access_heading: "%{app} uygulamasının çerezlere erişmesi gerekiyor"
-  request_storage_access_body: Böylece uygulama, kişisel bilgilerinizi geçici olarak
-    saklayıp kimliğinizi doğrulayabilir. Devam et'e tıklayın ve çerezlerin uygulamayı
-    kullanmasına izin verin.
-  request_storage_access_footer: Çerezlerin süresi 30 gün sonra sonra sona erer.
-  request_storage_access_action: Devam

data/config/locales/vi.yml

@@ -3,20 +3,3 @@ vi:
   logged_out: Đã đăng xuất thành công
   could_not_log_in: Không thể đăng nhập vào cửa hàng trên Shopify
   invalid_shop_url: Miền cửa hàng không hợp lệ
-  enable_cookies_heading: Bật cookie từ %{app}
-  enable_cookies_body: Bạn phải bật cookie trong trình duyệt này theo cách thủ công
-    để sử dụng %{app} trong Shopify.
-  enable_cookies_footer: Cookie cho phép ứng dụng xác thực bạn bằng cách tạm thời
-    lưu trữ tùy chọn và thông tin cá nhân của bạn. Những thông tin này sẽ hết hạn
-    sau 30 ngày.
-  enable_cookies_action: Bật cookie
-  top_level_interaction_heading: Trình duyệt của bạn cần xác thực %{app}
-  top_level_interaction_body: Trình duyệt của bạn cần các ứng dụng như %{app} để yêu
-    cầu quyền truy cập vào cookie thì Shopify mới có thể mở giúp bạn.
-  top_level_interaction_action: Tiếp tục
-  request_storage_access_heading: "%{app} cần quyền truy cập cookie"
-  request_storage_access_body: Nhờ vậy, ứng dụng có thể xác thực bạn bằng cách tạm
-    thời lưu trữ thông tin cá nhân của bạn. Nhấp vào tiếp tục và cho phép cookie sử
-    dụng ứng dụng.
-  request_storage_access_footer: Cookie sẽ hết hạn sau 30 ngày.
-  request_storage_access_action: Tiếp tục

data/config/locales/zh-CN.yml

@@ -3,14 +3,3 @@ zh-CN:
   logged_out: 已成功退出
   could_not_log_in: 无法登录到 Shopify 商店
   invalid_shop_url: 商店域名无效
-  enable_cookies_heading: 从 %{app} 启用 Cookie
-  enable_cookies_body: 您必须在此浏览器中手动启用 Cookie 才能在 Shopify 中使用 %{app}。
-  enable_cookies_footer: Cookie 使此应用能够通过暂时存储您的偏好设置和个人信息来验证您的身份。这些信息将在 30 天后过期。
-  enable_cookies_action: 启用 Cookie
-  top_level_interaction_heading: 您的浏览器需要对 %{app} 进行验证
-  top_level_interaction_body: 您的浏览器要求类似 %{app} 的应用向您申请访问 Cookie，之后 Shopify 才能为您打开它。
-  top_level_interaction_action: 继续
-  request_storage_access_heading: "%{app} 需要访问 Cookie"
-  request_storage_access_body: 这使此应用能够通过暂时存储您的个人信息来验证您的身份。点击继续并启用 Cookie 以使用此应用。
-  request_storage_access_footer: Cookie 将在 30 天后过期。
-  request_storage_access_action: 继续

data/config/locales/zh-TW.yml

@@ -3,14 +3,3 @@ zh-TW:
   logged_out: 登出成功
   could_not_log_in: 無法登入 Shopify 商店
   invalid_shop_url: 商店網域無效
-  enable_cookies_heading: 啟用 %{app} 的 Cookie
-  enable_cookies_body: 您必須在此瀏覽器中手動啟用 Cookie，才能夠在 Shopify 使用 %{app}。
-  enable_cookies_footer: Cookie 可讓應用程式暫時儲存您的偏好設定和個人資訊，藉此驗證您的身分，這些資料會在 30 天後失效。
-  enable_cookies_action: 啟用 Cookie
-  top_level_interaction_heading: 您的瀏覽器需要驗證 %{app}
-  top_level_interaction_body: 您的瀏覽器要求 %{app} 等應用程式向您請求 Cookie 的存取權限，才能讓 Shopify 為您開啟該應用程式。
-  top_level_interaction_action: 繼續
-  request_storage_access_heading: "%{app} 需要 Cookie 存取權限"
-  request_storage_access_body: Cookie 可讓應用程式暫時儲存您的個人資訊，藉此驗證您的身分。按一下繼續並允許 Cookie 使用此應用程式。
-  request_storage_access_footer: Cookie 將於 30 天後失效。
-  request_storage_access_action: 繼續

data/docs/Upgrading.md

@@ -43,6 +43,7 @@ We also recommend the use of a staging site which matches your production enviro
 If you do run into issues, we recommend looking at our [debugging tips.](https://github.com/Shopify/shopify_app/blob/main/docs/Troubleshooting.md#debugging-tips)
 
 ## Unreleased
+
 #### (v23.0.0) - Deprecated methods in CallbackController
 The following methods from `ShopifyApp::CallbackController` have been deprecated in `v23.0.0`
 - `perform_after_authenticate_job`
@@ -53,17 +54,30 @@ If you have overwritten these methods in your callback controller to modify the
 update your app to use configurable option `config.custom_post_authenticate_tasks` instead. See [post authenticate tasks](/docs/shopify_app/authentication.md#post-authenticate-tasks)
 for more information.
 
+#### (v23.0.0) - Removed `ShopifyApp::JWTMiddleware`
+The `ShopifyApp::JWTMiddleware` middleware has been removed in `v23.0.0`. This middleware was used to populate the following environment variables from the JWT session token:
+- `request.env["jwt.token"]`
+- `request.env["jwt.shopify_domain"]`
+- `request.env["jwt.shopify_user_id"]`
+- `request.env["jwt.expire_at"]`
+
+If you are using any of these variables in your app, you'll need to replace them. You can instead include the `ShopifyApp::WithShopifyIdToken` concern, which does the same JWT parsing as the middleware, and exposes the same values in the following helper methods:
+- `shopify_id_token`
+- `jwt_shopify_domain`
+- `jwt_shopify_user_id`
+- `jwt_expire_at`
+
 #### (v23.0.0) - Deprecated "ShopifyApp::JWT" class
 The `ShopifyApp::JWT` class has been deprecated in `v23.0.0`. Use [ShopifyAPI::Auth::JwtPayload](https://github.com/Shopify/shopify-api-ruby/blob/main/lib/shopify_api/auth/jwt_payload.rb)
 class from the `shopify_api` gem instead. A search and replace should be enough for this migration.
-  - `ShopifyAPI::Auth::JwtPayload` is a superset of the `ShopifyApp::JWT` class, and contains methods that were available in `ShopifyApp::JWT`. 
+  - `ShopifyAPI::Auth::JwtPayload` is a superset of the `ShopifyApp::JWT` class, and contains methods that were available in `ShopifyApp::JWT`.
   - `ShopifyAPI::Auth::JwtPayload` raises `ShopifyAPI::Errors::InvalidJwtTokenError` if the token is invalid.
 
 ## Upgrading to `v22.2.0`
 #### Added new feature for zero redirect embedded app authorization flow - Token Exchange
-A new embedded app authorization strategy has been introduced in `v22.2.0` that eliminates the redirects that were previously necessary for OAuth. 
+A new embedded app authorization strategy has been introduced in `v22.2.0` that eliminates the redirects that were previously necessary for OAuth.
 It can replace the existing installation and authorization code grant flow.
-See [new embedded app authorization strategy](./README.md#new-embedded-app-authorization-strategy) for more information.
+See [new embedded app authorization strategy](/README.md#new-embedded-app-authorization-strategy-token-exchange) for more information.
 
 ## Upgrading to `v22.0.0`
 #### Dropped support for Ruby 2.x

data/docs/shopify_app/sessions.md

@@ -59,7 +59,10 @@ If your app has user interactions and would like to control permission based on
 
 [Shop (offline) tokens must still be maintained](#shop-offline-token-storage).
 
-1. Run the following generator to create a user model to store the individual based access tokens
+1. Run the following generator to create a user model to store the individual based access tokens.
+
+⚠️ If you started from the [Ruby App Template](https://github.com/Shopify/shopify-app-template-ruby), you don't need to run the generator as it's already included in the template. You can skip this step.
+
 ```sh
 rails generate shopify_app:user_model
 ```

data/karma.conf.js

@@ -16,9 +16,6 @@ module.exports = function(config) {
     exclude: [
       // Exclude JS files that create 'DOMContentLoaded' event listeners
       'app/assets/javascripts/**/redirect.js',
-      'app/assets/javascripts/**/storage_access_redirect.js',
-      'app/assets/javascripts/**/top_level_interaction.js',
-      'app/assets/javascripts/**/partition_cookies.js',
     ],
     mochaReporter: {
       output: 'autowatch',

data/lib/generators/shopify_app/install/templates/shopify_app.rb.tt

@@ -32,8 +32,8 @@ ShopifyApp.configure do |config|
   #   amount: 5,
   #   interval: ShopifyApp::BillingConfiguration::INTERVAL_EVERY_30_DAYS,
   #   currency_code: "USD", # Only supports USD for now
-  #   trial_days: 0
-  #   test: ENV.fetch('SHOPIFY_TEST_CHARGES', !Rails.env.production?)
+  #   trial_days: 0,
+  #   test: !ENV['SHOPIFY_TEST_CHARGES'].nil? ? ["true", "1"].include?(ENV['SHOPIFY_TEST_CHARGES']) : !Rails.env.production?
   # )
 
   if defined? Rails::Server

data/lib/shopify_app/admin_api/with_token_refetch.rb

@@ -11,8 +11,7 @@ module ShopifyApp
           ShopifyApp::Logger.debug("Encountered error: #{error.code} - #{error.response.inspect}, re-raising")
         elsif retrying
           ShopifyApp::Logger.debug("Shopify API returned a 401 Unauthorized error that was not corrected " \
-            "with token exchange, deleting current session and re-raising")
-          ShopifyApp::SessionRepository.delete_session(session.id)
+            "with token exchange, re-raising error")
         else
           retrying = true
           ShopifyApp::Logger.debug("Shopify API returned a 401 Unauthorized error, exchanging token and " \

data/lib/shopify_app/configuration.rb

@@ -58,7 +58,7 @@ module ShopifyApp
       @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
       @disable_webpacker = ENV["SHOPIFY_APP_DISABLE_WEBPACKER"].present?
 
-      log_callback_controller_method_deprecation
+      log_v23_deprecations
     end
 
     def login_url
@@ -163,16 +163,18 @@ module ShopifyApp
 
     private
 
-    def log_callback_controller_method_deprecation
+    def log_v23_deprecations
       return unless Rails.env.development?
 
       # TODO: Remove this before releasing v23.0.0
       message = <<~EOS
         ================================================
-        => Upcoming deprecation in v23.0:
+        => Upcoming changes in v23.0:
         * 'CallbackController::perform_after_authenticate_job' and related methods 'install_webhooks', 'perform_after_authenticate_job'
-        * will be deprecated from CallbackController in the next major release. If you need to customize
+        * are deprecated and  will be removed from CallbackController in the next major release. If you need to customize
         * post authentication tasks, see https://github.com/Shopify/shopify_app/blob/main/docs/shopify_app/authentication.md#post-authenticate-tasks
+
+        * ShopifyApp::JWTMiddleware will be removed, use ShopifyApp::WithShopifyIdToken instead.
         ================================================
       EOS
       puts message

data/lib/shopify_app/controller_concerns/csrf_protection.rb

@@ -4,13 +4,14 @@ module ShopifyApp
   module CsrfProtection
     extend ActiveSupport::Concern
     included do
+      include ShopifyApp::WithShopifyIdToken
       protect_from_forgery with: :exception, unless: :valid_session_token?
     end
 
     private
 
     def valid_session_token?
-      request.env["jwt.shopify_domain"]
+      jwt_payload.present?
     end
   end
 end

data/lib/shopify_app/controller_concerns/embedded_app.rb

@@ -25,7 +25,11 @@ module ShopifyApp
         return redirect_to(ShopifyApp.configuration.login_url)
       end
 
-      redirect_path = ShopifyAPI::Auth.embedded_app_url(host)
+      original_path = request.path
+      original_params = request.query_parameters.except(:host, :shop, :id_token)
+      original_path += "?#{original_params.to_query}" if original_params.present?
+
+      redirect_path = ShopifyAPI::Auth.embedded_app_url(host) + original_path.to_s
       redirect_path = ShopifyApp.configuration.root_url if deduced_phishing_attack?(redirect_path)
       redirect_to(redirect_path, allow_other_host: true)
     end

data/lib/shopify_app/controller_concerns/localization.rb

@@ -11,7 +11,7 @@ module ShopifyApp
     private
 
     def set_locale(&action)
-      locale = params[:locale] || I18n.default_locale
+      locale = params[:locale] || session[:locale] || I18n.default_locale
 
       # Fallback to the 2 letter language code if the requested locale unavailable
       unless I18n.available_locales.include?(locale.to_sym)

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -122,12 +122,19 @@ module ShopifyApp
           query = Rack::Utils.parse_nested_query(referer.query)
           query = query.merge(sanitized_params).to_query
         end
-        session[:return_to] = query.blank? ? path.to_s : "#{path}?#{query}"
+        session[:return_to] = return_to_url(path, query)
         ShopifyApp::Logger.debug("Redirecting to #{login_url_with_optional_shop}")
         redirect_to(login_url_with_optional_shop)
       end
     end
 
+    # Apps which use cookies for session storage, and thus have a 4kB session data
+    # limit, may choose to override this method to prevent excessively-long `query`
+    # strings from causing a CookieOverflow error.
+    def return_to_url(path, query)
+      query.blank? ? path.to_s : "#{path}?#{query}"
+    end
+
     def close_session
       ShopifyApp::Logger.debug("Closing session")
       clear_shopify_session

data/lib/shopify_app/controller_concerns/token_exchange.rb

@@ -23,8 +23,7 @@ module ShopifyApp
       ShopifyAPI::Context.activate_session(current_shopify_session)
       with_token_refetch(current_shopify_session, shopify_id_token, &block)
     rescue *INVALID_SHOPIFY_ID_TOKEN_ERRORS => e
-      ShopifyApp::Logger.debug("Responding to invalid Shopify ID token: #{e.message}")
-      respond_to_invalid_shopify_id_token unless performed?
+      respond_to_invalid_shopify_id_token(e)
     ensure
       ShopifyApp::Logger.debug("Deactivating session")
       ShopifyAPI::Context.deactivate_session
@@ -49,6 +48,8 @@ module ShopifyApp
 
     def current_shopify_domain
       sanitized_shop_name || current_shopify_session&.shop
+    rescue *INVALID_SHOPIFY_ID_TOKEN_ERRORS => e
+      respond_to_invalid_shopify_id_token(e)
     end
 
     private
@@ -58,12 +59,15 @@ module ShopifyApp
       ShopifyApp::Auth::TokenExchange.perform(shopify_id_token)
     end
 
-    def respond_to_invalid_shopify_id_token
+    def respond_to_invalid_shopify_id_token(error)
+      ShopifyApp::Logger.debug("Responding to invalid Shopify ID token: #{error.message}")
+      return if performed?
+
       if request.headers["HTTP_AUTHORIZATION"].blank?
-        if missing_embedded_param?
-          redirect_to_embed_app_in_admin
-        else
+        if embedded?
           redirect_to_bounce_page
+        else
+          redirect_to_embed_app_in_admin
         end
       else
         ShopifyApp::Logger.debug("Responding to invalid Shopify ID token with unauthorized response")
@@ -90,8 +94,8 @@ module ShopifyApp
       )
     end
 
-    def missing_embedded_param?
-      !params[:embedded].present? || params[:embedded] != "1"
+    def embedded?
+      params[:embedded] == "1" || request.env["HTTP_SEC_FETCH_DEST"] == "iframe"
     end
 
     def online_token_configured?

data/lib/shopify_app/controller_concerns/with_shopify_id_token.rb

@@ -5,19 +5,31 @@ module ShopifyApp
     extend ActiveSupport::Concern
 
     def shopify_id_token
-      @shopify_id_token ||= id_token_from_request_env || id_token_from_authorization_header || id_token_from_url_param
+      return @shopify_id_token if defined?(@shopify_id_token)
+
+      @shopify_id_token = id_token_from_authorization_header || id_token_from_url_param
+    end
+
+    def jwt_payload
+      return @jwt_payload if defined?(@jwt_payload)
+
+      @jwt_payload = shopify_id_token.present? ? ShopifyAPI::Auth::JwtPayload.new(shopify_id_token) : nil
     end
 
     def jwt_shopify_domain
-      request.env["jwt.shopify_domain"]
+      return @jwt_shopify_domain if defined?(@jwt_shopify_domain)
+
+      @jwt_shopify_domain = if jwt_payload.present?
+        ShopifyApp::Utils.sanitize_shop_domain(jwt_payload.shopify_domain)
+      end
     end
 
     def jwt_shopify_user_id
-      request.env["jwt.shopify_user_id"]
+      jwt_payload&.shopify_user_id
     end
 
     def jwt_expire_at
-      expire_at = request.env["jwt.expire_at"]
+      expire_at = jwt_payload&.expire_at
       return unless expire_at
 
       expire_at - 5.seconds # 5s gap to start fetching new token in advance
@@ -25,11 +37,6 @@ module ShopifyApp
 
     private
 
-    def id_token_from_request_env
-      # This is set from ShopifyApp::JWTMiddleware
-      request.env["jwt.token"]
-    end
-
     def id_token_from_authorization_header
       request.headers["HTTP_AUTHORIZATION"]&.match(/^Bearer (.+)$/)&.[](1)
     end

data/lib/shopify_app/engine.rb

@@ -16,21 +16,16 @@ module ShopifyApp
     engine_name "shopify_app"
     isolate_namespace ShopifyApp
 
+    initializer "shopify_app.middleware" do |app|
+      app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::JWTMiddleware)
+    end
+
     initializer "shopify_app.assets.precompile" do |app|
       app.config.assets.precompile += [
         "shopify_app/redirect.js",
-        "shopify_app/post_redirect.js",
-        "shopify_app/top_level.js",
-        "shopify_app/enable_cookies.js",
-        "shopify_app/request_storage_access.js",
-        "storage_access.svg",
       ]
     end
 
-    initializer "shopify_app.middleware" do |app|
-      app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::JWTMiddleware)
-    end
-
     initializer "shopify_app.redact_job_params" do
       ActiveSupport.on_load(:active_job) do
         if ActiveJob::Base.respond_to?(:log_arguments?)

data/lib/shopify_app/utils.rb

@@ -12,7 +12,7 @@ module ShopifyApp
 
       def sanitize_shop_domain(shop_domain)
         uri = uri_from_shop_domain(shop_domain)
-        return nil if uri.nil?
+        return nil if uri.nil? || uri.host.nil?
 
         trusted_domains.each do |trusted_domain|
           no_shop_name_in_subdomain = uri.host == trusted_domain
@@ -39,6 +39,15 @@ module ShopifyApp
         url.to_s
       end
 
+      def unified_admin_path(shop)
+        spin_env = ENV.fetch("SPIN_FQDN", nil)
+        if spin_env
+          "https://admin.web.#{spin_env}/store/#{shop}"
+        else
+          "https://admin.shopify.com/store/#{shop}"
+        end
+      end
+
       private
 
       def myshopify_domain

data/lib/shopify_app/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ShopifyApp
-  VERSION = "22.2.0"
+  VERSION = "22.3.0"
 end

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "22.2.0",
+  "version": "22.3.0",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

data/shopify_app.gemspec

@@ -16,11 +16,12 @@ Gem::Specification.new do |s|
 
   s.add_runtime_dependency("activeresource") # TODO: Remove this once all active resource dependencies are removed
   s.add_runtime_dependency("addressable", "~> 2.7")
-  s.add_runtime_dependency("jwt", ">= 2.2.3")
   s.add_runtime_dependency("rails", "> 5.2.1")
   s.add_runtime_dependency("redirect_safely", "~> 1.0")
   s.add_runtime_dependency("shopify_api", ">= 14.3.0", "< 15.0")
   s.add_runtime_dependency("sprockets-rails", ">= 2.0.0")
+  # Deprecated: move to development dependencies when releasing v23
+  s.add_runtime_dependency("jwt", ">= 2.2.3")
 
   s.add_development_dependency("byebug")
   s.add_development_dependency("minitest")

data/yarn.lock

@@ -1549,11 +1549,11 @@ brace-expansion@^2.0.1:
     balanced-match "^1.0.0"
 
 braces@^3.0.2, braces@~3.0.2:
-  version "3.0.2"
-  resolved "https://registry.yarnpkg.com/braces/-/braces-3.0.2.tgz#3454e1a462ee8d599e236df336cd9ea4f8afe107"
-  integrity sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==
+  version "3.0.3"
+  resolved "https://registry.yarnpkg.com/braces/-/braces-3.0.3.tgz#490332f40919452272d55a8480adc0c441358789"
+  integrity sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==
   dependencies:
-    fill-range "^7.0.1"
+    fill-range "^7.1.1"
 
 browser-stdout@1.3.1:
   version "1.3.1"
@@ -1984,10 +1984,10 @@ fast-levenshtein@^2.0.6:
   resolved "https://registry.yarnpkg.com/fast-levenshtein/-/fast-levenshtein-2.0.6.tgz#3d8a5c66883a16a30ca8643e851f19baa7797917"
   integrity sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==
 
-fill-range@^7.0.1:
-  version "7.0.1"
-  resolved "https://registry.yarnpkg.com/fill-range/-/fill-range-7.0.1.tgz#1919a6a7c75fe38b2c7c77e5198535da9acdda40"
-  integrity sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==
+fill-range@^7.1.1:
+  version "7.1.1"
+  resolved "https://registry.yarnpkg.com/fill-range/-/fill-range-7.1.1.tgz#44265d3cac07e3ea7dc247516380643754a05292"
+  integrity sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==
   dependencies:
     to-regex-range "^5.0.1"