shopify_app 22.5.2 → 23.0.0

data/lib/shopify_app/managers/script_tags_manager.rb

@@ -0,0 +1,348 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  class ScriptTagsManager
+    def self.queue(shop_domain, shop_token, script_tags)
+      ShopifyApp::ScriptTagsManagerJob.perform_later(
+        shop_domain: shop_domain,
+        shop_token: shop_token,
+        # Procs cannot be serialized so we interpolate now, if necessary
+        script_tags: build_src(script_tags, shop_domain),
+      )
+    end
+
+    def self.build_src(script_tags, domain)
+      script_tags.map do |tag|
+        next tag unless tag[:src].respond_to?(:call)
+
+        tag = tag.dup
+        tag[:src] = tag[:src].call(domain)
+        tag
+      end
+    end
+
+    attr_reader :required_script_tags, :shop_domain
+
+    def initialize(script_tags, shop_domain)
+      @required_script_tags = script_tags
+      @shop_domain = shop_domain
+      @session = nil
+    end
+
+    def recreate_script_tags!(session:)
+      destroy_script_tags(session: session)
+      create_script_tags(session: session)
+    end
+
+    def create_script_tags(session:)
+      @session = session
+      return unless required_script_tags.present?
+
+      template_types_to_check = required_script_tags.flat_map { |tag| tag[:template_types] }.compact.uniq
+
+      if template_types_to_check.any?
+        active_theme = fetch_active_theme
+        unless active_theme
+          ShopifyApp::Logger.debug("Failed to fetch active theme. Skipping script tag creation.")
+          return
+        end
+
+        if all_templates_support_app_blocks?(active_theme["id"], template_types_to_check)
+          ShopifyApp::Logger.info(
+            "Theme supports app blocks for templates: #{template_types_to_check.join(", ")}. " \
+              "Skipping script tag creation.",
+          )
+          return
+        end
+      end
+
+      expanded_script_tags.each do |script_tag|
+        create_script_tag(script_tag) unless script_tag_exists?(script_tag[:src])
+      end
+    end
+
+    def destroy_script_tags(session:)
+      @session = session
+      script_tags = expanded_script_tags
+      fetch_all_script_tags.each do |tag|
+        delete_script_tag(tag) if required_script_tag?(script_tags, tag)
+      end
+
+      @current_script_tags = nil
+    end
+
+    private
+
+    FILES_QUERY = <<~QUERY
+      query getFiles($themeId: ID!, $filenames: [String!]!) {
+        theme(id: $themeId) {
+          files(filenames: $filenames) {
+            nodes {
+              filename
+              body {
+                ... on OnlineStoreThemeFileBodyText {
+                  content
+                }
+              }
+            }
+          }
+        }
+      }
+    QUERY
+
+    ACTIVE_THEME_QUERY = <<~QUERY
+      {
+        themes(first: 1, roles: [MAIN]) {
+          nodes {
+            id
+            name
+          }
+        }
+      }
+    QUERY
+
+    SCRIPT_TAG_CREATE_MUTATION = <<~QUERY
+      mutation ScriptTagCreate($input: ScriptTagInput!) {
+        scriptTagCreate(input: $input) {
+          scriptTag {
+            id
+            src
+            displayScope
+            cache
+          }
+          userErrors {
+            field
+            message
+          }
+        }
+      }
+    QUERY
+
+    SCRIPT_TAG_DELETE_MUTATION = <<~QUERY
+      mutation scriptTagDelete($id: ID!) {
+        scriptTagDelete(id: $id) {
+          deletedScriptTagId
+          userErrors {
+            field
+            message
+          }
+        }
+      }
+    QUERY
+
+    SCRIPT_TAGS_QUERY = <<~QUERY
+      {
+        scriptTags(first: 250) {
+          edges {
+            node {
+              id
+              src
+              displayScope
+              cache
+            }
+          }
+        }
+      }
+    QUERY
+
+    def fetch_active_theme
+      client = graphql_client
+
+      response = client.query(query: ACTIVE_THEME_QUERY)
+
+      if response.body["errors"].present?
+        error_message = response.body["errors"].map { |e| e["message"] }.join(", ")
+        raise ShopifyAPI::Errors::InvalidGraphqlRequestError, error_message
+      end
+
+      themes = response.body["data"]["themes"]["nodes"]
+      return if themes.empty?
+
+      themes.first
+    rescue => e
+      ShopifyApp::Logger.warn("Failed to fetch active theme: #{e.message}")
+      nil
+    end
+
+    def all_templates_support_app_blocks?(theme_id, template_types)
+      client = graphql_client
+
+      template_filenames = template_types.map { |type| "templates/#{type}.json" }
+      json_templates = fetch_json_templates(client, theme_id, template_filenames)
+
+      return false if json_templates.length != template_types.length
+
+      main_sections = extract_main_sections(json_templates)
+
+      return false if main_sections.length != template_types.length
+
+      all_sections_support_app_blocks?(client, theme_id, main_sections)
+    rescue => e
+      ShopifyApp::Logger.error("Error checking template support: #{e.message}")
+      false
+    end
+
+    def fetch_json_templates(client, theme_id, template_filenames)
+      files_variables = {
+        themeId: theme_id,
+        filenames: template_filenames,
+      }
+
+      files_response = client.query(query: FILES_QUERY, variables: files_variables)
+
+      if files_response.body["errors"].present?
+        error_message = files_response.body["errors"].map { |e| e["message"] }.join(", ")
+        raise ShopifyAPI::Errors::InvalidGraphqlRequestError, error_message
+      end
+
+      files_response.body["data"]["theme"]["files"]["nodes"]
+    end
+
+    def extract_main_sections(json_templates)
+      main_sections = []
+
+      json_templates.each do |template|
+        template_content = template["body"]["content"]
+        template_data = JSON.parse(template_content)
+
+        main_section = nil
+        template_data["sections"].each do |id, section|
+          if id == "main" || section["type"].to_s.start_with?("main-")
+            main_section = "sections/#{section["type"]}.liquid"
+            break
+          end
+        end
+
+        main_sections << main_section if main_section
+      rescue => e
+        ShopifyApp::Logger.error("Error extracting main section from template #{template["filename"]}: #{e.message}")
+      end
+
+      main_sections
+    end
+
+    def all_sections_support_app_blocks?(client, theme_id, section_filenames)
+      return false if section_filenames.empty?
+
+      section_variables = {
+        themeId: theme_id,
+        filenames: section_filenames,
+      }
+
+      section_response = client.query(query: FILES_QUERY, variables: section_variables)
+
+      if section_response.body["errors"].present?
+        error_message = section_response.body["errors"].map { |e| e["message"] }.join(", ")
+        raise ShopifyAPI::Errors::InvalidGraphqlRequestError, error_message
+      end
+
+      section_files = section_response.body["data"]["theme"]["files"]["nodes"]
+
+      return false if section_files.length != section_filenames.length
+
+      # Check if all sections support app blocks
+      section_files.all? do |file|
+        section_content = file["body"]["content"]
+        schema_match = section_content.match(/\{\%\s+schema\s+\%\}([\s\S]*?)\{\%\s+endschema\s+\%\}/m)
+        next false unless schema_match
+
+        schema = JSON.parse(schema_match[1])
+        schema["blocks"]&.any? { |block| block["type"] == "@app" } || false
+      end
+    rescue => e
+      ShopifyApp::Logger.error("Error checking section support: #{e.message}")
+      false
+    end
+
+    def expanded_script_tags
+      self.class.build_src(required_script_tags, shop_domain)
+    end
+
+    def required_script_tag?(script_tags, tag)
+      script_tags.map { |w| w[:src] }.include?(tag["src"])
+    end
+
+    def create_script_tag(attributes)
+      client = graphql_client
+
+      variables = {
+        input: {
+          src: attributes[:src],
+          displayScope: "ONLINE_STORE",
+          cache: attributes[:cache] || false,
+        },
+      }
+
+      response = client.query(query: SCRIPT_TAG_CREATE_MUTATION, variables: variables)
+
+      if response.body["errors"].present?
+        error_messages = response.body["errors"].map { |e| e["message"] }.join(", ")
+        raise ::ShopifyApp::CreationFailed, "ScriptTag creation failed: #{error_messages}"
+      end
+
+      if response.body["data"]["scriptTagCreate"]["userErrors"].any?
+        errors = response.body["data"]["scriptTagCreate"]["userErrors"]
+        error_messages = errors.map { |e| "#{e["field"]}: #{e["message"]}" }.join(", ")
+        raise ::ShopifyApp::CreationFailed, "ScriptTag creation failed: #{error_messages}"
+      end
+
+      response.body["data"]["scriptTagCreate"]["scriptTag"]
+    rescue ShopifyAPI::Errors::HttpResponseError => e
+      raise ::ShopifyApp::CreationFailed, e.message
+    end
+
+    def delete_script_tag(tag)
+      client = graphql_client
+
+      variables = { id: tag["id"] }
+
+      response = client.query(query: SCRIPT_TAG_DELETE_MUTATION, variables: variables)
+
+      if response.body["errors"].present?
+        error_messages = response.body["errors"].map { |e| e["message"] }.join(", ")
+        ShopifyApp::Logger.error("Failed to delete script tag: #{error_messages}")
+        return
+      end
+
+      if response.body["data"]["scriptTagDelete"]["userErrors"].any?
+        errors = response.body["data"]["scriptTagDelete"]["userErrors"]
+        error_messages = errors.map { |e| "#{e["field"]}: #{e["message"]}" }.join(", ")
+        ShopifyApp::Logger.error("Failed to delete script tag: #{error_messages}")
+        return
+      end
+
+      response.body["data"]["scriptTagDelete"]["deletedScriptTagId"]
+    rescue ShopifyAPI::Errors::HttpResponseError => e
+      ShopifyApp::Logger.error("Failed to delete script tag: #{e.message}")
+    end
+
+    def script_tag_exists?(src)
+      current_script_tags[src]
+    end
+
+    def current_script_tags
+      @current_script_tags ||= fetch_all_script_tags.index_by { |tag| tag["src"] }
+    end
+
+    def fetch_all_script_tags
+      client = graphql_client
+
+      response = client.query(query: SCRIPT_TAGS_QUERY)
+
+      if response.body["errors"].present?
+        error_messages = response.body["errors"].map { |e| e["message"] }.join(", ")
+        ShopifyApp::Logger.warn("GraphQL error fetching script tags: #{error_messages}")
+        return []
+      end
+
+      response.body["data"]["scriptTags"]["edges"].map { |edge| edge["node"] }
+    rescue => e
+      ShopifyApp::Logger.warn("Error fetching script tags: #{e.message}")
+      []
+    end
+
+    def graphql_client
+      ShopifyAPI::Clients::Graphql::Admin.new(session: @session)
+    end
+  end
+end

data/lib/shopify_app/session/shop_session_storage.rb

@@ -9,10 +9,46 @@ module ShopifyApp
       validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false }
     end
 
+    def with_shopify_session(auto_refresh: true, &block)
+      refresh_token_if_expired! if auto_refresh
+      super(&block)
+    end
+
+    def refresh_token_if_expired!
+      return unless should_refresh?
+      raise RefreshTokenExpiredError if refresh_token_expired?
+
+      # Acquire row lock to prevent concurrent refreshes
+      with_lock do
+        reload
+        # Check again after lock - token might have been refreshed by another process
+        return unless should_refresh?
+
+        perform_token_refresh!
+      end
+    end
+
     class_methods do
       def store(auth_session, *_args)
         shop = find_or_initialize_by(shopify_domain: auth_session.shop)
         shop.shopify_token = auth_session.access_token
+
+        if shop.has_attribute?(:access_scopes)
+          shop.access_scopes = auth_session.scope.to_s
+        end
+
+        if shop.has_attribute?(:expires_at)
+          shop.expires_at = auth_session.expires
+        end
+
+        if shop.has_attribute?(:refresh_token)
+          shop.refresh_token = auth_session.refresh_token
+        end
+
+        if shop.has_attribute?(:refresh_token_expires_at)
+          shop.refresh_token_expires_at = auth_session.refresh_token_expires
+        end
+
         shop.save!
         shop.id
       end
@@ -36,11 +72,57 @@ module ShopifyApp
       def construct_session(shop)
         return unless shop
 
-        ShopifyAPI::Auth::Session.new(
+        session_attrs = {
           shop: shop.shopify_domain,
           access_token: shop.shopify_token,
-        )
+        }
+
+        if shop.has_attribute?(:access_scopes)
+          session_attrs[:scope] = shop.access_scopes
+        end
+
+        if shop.has_attribute?(:expires_at)
+          session_attrs[:expires] = shop.expires_at
+        end
+
+        if shop.has_attribute?(:refresh_token)
+          session_attrs[:refresh_token] = shop.refresh_token
+        end
+
+        if shop.has_attribute?(:refresh_token_expires_at)
+          session_attrs[:refresh_token_expires] = shop.refresh_token_expires_at
+        end
+
+        ShopifyAPI::Auth::Session.new(**session_attrs)
       end
     end
+
+    def perform_token_refresh!
+      new_session = ShopifyAPI::Auth::RefreshToken.refresh_access_token(
+        shop: shopify_domain,
+        refresh_token: refresh_token,
+      )
+
+      update!(
+        shopify_token: new_session.access_token,
+        expires_at: new_session.expires,
+        refresh_token: new_session.refresh_token,
+        refresh_token_expires_at: new_session.refresh_token_expires,
+      )
+    end
+
+    def should_refresh?
+      return false unless has_attribute?(:expires_at) && expires_at.present?
+      return false unless has_attribute?(:refresh_token) && refresh_token.present?
+      return false unless has_attribute?(:refresh_token_expires_at) && refresh_token_expires_at.present?
+
+      expires_at <= Time.now
+    end
+
+    def refresh_token_expired?
+      return false unless has_attribute?(:refresh_token_expires_at) && refresh_token_expires_at.present?
+
+      refresh_token_expires_at <= Time.now
+    end
   end
 end

data/lib/shopify_app/session/shop_session_storage_with_scopes.rb

@@ -6,6 +6,12 @@ module ShopifyApp
     include ::ShopifyApp::SessionStorage
 
     included do
+      ShopifyApp::Logger.deprecated(
+        "ShopSessionStorageWithScopes is deprecated and will be removed in v24.0.0. " \
+          "Use ShopSessionStorage instead, which now handles access_scopes, expires_at, " \
+          "refresh_token, and refresh_token_expires_at automatically.",
+        "24.0.0",
+      )
       validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false }
     end
 

data/lib/shopify_app/session/user_session_storage.rb

@@ -14,6 +14,15 @@ module ShopifyApp
         user = find_or_initialize_by(shopify_user_id: user.id)
         user.shopify_token = auth_session.access_token
         user.shopify_domain = auth_session.shop
+
+        if user.has_attribute?(:access_scopes)
+          user.access_scopes = auth_session.scope.to_s
+        end
+
+        if user.has_attribute?(:expires_at)
+          user.expires_at = auth_session.expires
+        end
+
         user.save!
         user.id
       end
@@ -48,11 +57,21 @@ module ShopifyApp
           collaborator: false,
         )
 
-        ShopifyAPI::Auth::Session.new(
+        session_attrs = {
           shop: user.shopify_domain,
           access_token: user.shopify_token,
           associated_user: associated_user,
-        )
+        }
+
+        if user.has_attribute?(:access_scopes)
+          session_attrs[:scope] = user.access_scopes
+        end
+
+        if user.has_attribute?(:expires_at)
+          session_attrs[:expires] = user.expires_at
+        end
+
+        ShopifyAPI::Auth::Session.new(**session_attrs)
       end
     end
   end

data/lib/shopify_app/session/user_session_storage_with_scopes.rb

@@ -6,6 +6,12 @@ module ShopifyApp
     include ::ShopifyApp::SessionStorage
 
     included do
+      ShopifyApp::Logger.deprecated(
+        "UserSessionStorageWithScopes is deprecated and will be removed in v24.0.0. " \
+          "Use UserSessionStorage instead, which now handles access_scopes and expires_at automatically.",
+        "24.0.0",
+      )
+
       validates :shopify_domain, presence: true
     end
 

data/lib/shopify_app/utils.rb

@@ -13,7 +13,7 @@ module ShopifyApp
 
       def sanitize_shop_domain(shop_domain)
         uri = uri_from_shop_domain(shop_domain)
-        return nil if uri.nil? || uri.host.nil?
+        return if uri.nil? || uri.host.nil?
 
         trusted_domains.each do |trusted_domain|
           no_shop_name_in_subdomain = uri.host == trusted_domain

data/lib/shopify_app/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ShopifyApp
-  VERSION = "22.5.2"
+  VERSION = "23.0.0"
 end

data/lib/shopify_app.rb

@@ -26,6 +26,17 @@ module ShopifyApp
       !configuration.disable_webpacker
   end
 
+  def self.add_csp_directives(policy)
+    # Get current script-src directives
+    current_script_src = policy.directives["script-src"] || []
+
+    # Add App Bridge script source if not already present
+    app_bridge_url = "https://cdn.shopify.com/shopifycloud/app-bridge.js"
+    unless current_script_src.include?(app_bridge_url)
+      policy.script_src(*current_script_src, app_bridge_url)
+    end
+  end
+
   # config
   require "shopify_app/configuration"
 
@@ -62,20 +73,14 @@ module ShopifyApp
   require "shopify_app/auth/post_authenticate_tasks"
   require "shopify_app/auth/token_exchange"
 
-  # jobs
-  require "shopify_app/jobs/webhooks_manager_job"
-
   # managers
   require "shopify_app/managers/webhooks_manager"
-
-  # middleware
-  require "shopify_app/middleware/jwt_middleware"
+  require "shopify_app/managers/script_tags_manager"
 
   # session
   require "shopify_app/session/in_memory_session_store"
   require "shopify_app/session/in_memory_shop_session_store"
   require "shopify_app/session/in_memory_user_session_store"
-  require "shopify_app/session/jwt"
   require "shopify_app/session/null_user_session_store"
   require "shopify_app/session/session_repository"
   require "shopify_app/session/session_storage"

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "22.5.2",
+  "version": "23.0.0",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

data/shopify_app.gemspec

@@ -10,29 +10,28 @@ Gem::Specification.new do |s|
   s.author      = "Shopify"
   s.summary     = "This gem is used to get quickly started with the Shopify API"
 
-  s.required_ruby_version = ">= 3.0"
+  s.required_ruby_version = ">= 3.2"
 
   s.metadata["allowed_push_host"] = "https://rubygems.org"
 
-  s.add_runtime_dependency("activeresource") # TODO: Remove this once all active resource dependencies are removed
   s.add_runtime_dependency("addressable", "~> 2.7")
-  s.add_runtime_dependency("rails", "> 5.2.1")
+  s.add_runtime_dependency("rails", ">= 7.1", "< 9")
   s.add_runtime_dependency("redirect_safely", "~> 1.0")
-  s.add_runtime_dependency("shopify_api", ">= 14.7.0", "< 15.0")
-  s.add_runtime_dependency("sprockets-rails", ">= 2.0.0")
-  # Deprecated: move to development dependencies when releasing v23
-  s.add_runtime_dependency("jwt", ">= 2.2.3")
-
+  s.add_runtime_dependency("shopify_api", "~> 16.0")
+  s.add_runtime_dependency("sprockets-rails")
   s.add_development_dependency("byebug")
+  s.add_development_dependency("csv")
+  s.add_development_dependency("jwt", ">= 2.2.3")
   s.add_development_dependency("minitest")
-  s.add_development_dependency("mocha")
+  s.add_development_dependency("mocha", ">= 2.1.0")
+  s.add_development_dependency("mutex_m")
   s.add_development_dependency("pry")
   s.add_development_dependency("pry-nav")
   s.add_development_dependency("pry-stack_explorer")
   s.add_development_dependency("rake")
   s.add_development_dependency("rb-readline")
   s.add_development_dependency("ruby-lsp")
-  s.add_development_dependency("sqlite3", "~> 1.4")
+  s.add_development_dependency("sqlite3")
   s.add_development_dependency("webmock")
 
   s.files         = %x(git ls-files).split("\n").reject { |f| f.match(%r{^(test|example)/}) }

data/translation.yml

@@ -3,6 +3,7 @@ target_languages: [cs, da, de, es, fi, fr, it, ja, ko, nb, nl, pl, pt-BR, pt-PT,
 async_pr_mode: per_pr
 components:
   - name: 'merchant'
+    audience: merchant
     paths:
       - config/locales/{{language}}.yml
       - config/locales/**/{{language}}.yml

data/yarn.lock

@@ -2644,9 +2644,9 @@ mime@^2.5.2:
   integrity sha512-USPkMeET31rOMiarsBNIHZKLGgvKc/LrjofAnBlOttf5ajRvqiRA8QsenbcooctK6d6Ts6aqZXBA+XbkKthiQg==
 
 min-document@^2.19.0:
-  version "2.19.0"
-  resolved "https://registry.yarnpkg.com/min-document/-/min-document-2.19.0.tgz#7bd282e3f5842ed295bb748cdd9f1ffa2c824685"
-  integrity sha512-9Wy1B3m3f66bPPmU5hdA4DR4PB2OfDU/+GS3yAB7IQozE3tqXaVv2zOjgla7MEGSRv95+ILmOuvhLkOK6wJtCQ==
+  version "2.19.2"
+  resolved "https://registry.yarnpkg.com/min-document/-/min-document-2.19.2.tgz#f95db44639eaae3ac8ea85ae6809ae85ff7e3b81"
+  integrity sha512-8S5I8db/uZN8r9HSLFVWPdJCvYOejMcEC82VIzNUc6Zkklf/d1gg2psfE79/vyhWOj4+J8MtwmoOz3TmvaGu5A==
   dependencies:
     dom-walk "^0.1.0"
 
@@ -3022,7 +3022,7 @@ rfdc@^1.3.0:
   resolved "https://registry.yarnpkg.com/rfdc/-/rfdc-1.3.0.tgz#d0b7c441ab2720d05dc4cf26e01c89631d9da08b"
   integrity sha512-V2hovdzFbOi77/WajaSMXk2OLm+xNIeQdMMuB7icj7bk6zi2F8GGAxigcnDFpJHbNyNcgyJDiP+8nOrY5cZGrA==
 
-rimraf@^3.0.0, rimraf@^3.0.2:
+rimraf@^3.0.2:
   version "3.0.2"
   resolved "https://registry.yarnpkg.com/rimraf/-/rimraf-3.0.2.tgz#f1a5402ba6220ad52cc1282bac1ae3aa49fd061a"
   integrity sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==
@@ -3280,11 +3280,9 @@ terser@^5.31.1:
     source-map-support "~0.5.20"
 
 tmp@^0.2.1:
-  version "0.2.1"
-  resolved "https://registry.yarnpkg.com/tmp/-/tmp-0.2.1.tgz#8457fc3037dcf4719c251367a1af6500ee1ccf14"
-  integrity sha512-76SUhtfqR2Ijn+xllcI5P1oyannHNHByD80W1q447gU3mp9G9PSpGdWmjUOHRDPiHYacIk66W7ubDTuPF3BEtQ==
-  dependencies:
-    rimraf "^3.0.0"
+  version "0.2.4"
+  resolved "https://registry.yarnpkg.com/tmp/-/tmp-0.2.4.tgz#c6db987a2ccc97f812f17137b36af2b6521b0d13"
+  integrity sha512-UdiSoX6ypifLmrfQ/XfiawN6hkjSBpCjhKxxZcWlUUmoXLaCKQU0bx4HF/tdDK2uzRuchf1txGvrWBzYREssoQ==
 
 to-fast-properties@^2.0.0:
   version "2.0.0"