RubyGems - shopify_app - Versions diffs - 7.2.0 → 17.1.0 - Mend

shopify_app 7.2.0 → 17.1.0

Files changed (199) hide show

checksums.yaml +5 -5
data/.babelrc +5 -0
data/.github/CODEOWNERS +1 -0
data/.github/ISSUE_TEMPLATE/bug-report.md +63 -0
data/.github/ISSUE_TEMPLATE/config.yml +1 -0
data/.github/ISSUE_TEMPLATE/feature-request.md +33 -0
data/.github/PULL_REQUEST_TEMPLATE.md +22 -0
data/.github/probots.yml +2 -0
data/.github/workflows/build.yml +38 -0
data/.github/workflows/release.yml +24 -0
data/.github/workflows/rubocop.yml +22 -0
data/.gitignore +4 -1
data/.nvmrc +1 -0
data/.rubocop.yml +18 -0
data/.ruby-version +1 -0
data/CHANGELOG.md +465 -0
data/CONTRIBUTING.md +76 -0
data/Gemfile +7 -0
data/Gemfile.lock +256 -0
data/README.md +73 -288
data/Rakefile +1 -0
data/SECURITY.md +59 -0
data/app/assets/images/storage_access.svg +1 -0
data/app/assets/javascripts/shopify_app/enable_cookies.js +3 -0
data/app/assets/javascripts/shopify_app/itp_helper.js +40 -0
data/app/assets/javascripts/shopify_app/partition_cookies.js +8 -0
data/app/assets/javascripts/shopify_app/redirect.js +33 -0
data/app/assets/javascripts/shopify_app/request_storage_access.js +3 -0
data/app/assets/javascripts/shopify_app/storage_access.js +154 -0
data/app/assets/javascripts/shopify_app/storage_access_redirect.js +17 -0
data/app/assets/javascripts/shopify_app/top_level.js +2 -0
data/app/assets/javascripts/shopify_app/top_level_interaction.js +11 -0
data/app/controllers/concerns/shopify_app/authenticated.rb +16 -0
data/app/controllers/concerns/shopify_app/ensure_authenticated_links.rb +26 -0
data/app/controllers/concerns/shopify_app/require_known_shop.rb +39 -0
data/app/controllers/concerns/shopify_app/shop_access_scopes_verification.rb +32 -0
data/app/controllers/shopify_app/authenticated_controller.rb +5 -5
data/app/controllers/shopify_app/callback_controller.rb +196 -0
data/app/controllers/shopify_app/extension_verification_controller.rb +15 -0
data/app/controllers/shopify_app/sessions_controller.rb +190 -2
data/app/controllers/shopify_app/webhooks_controller.rb +16 -7
data/app/views/shopify_app/partials/_button_styles.html.erb +109 -0
data/app/views/shopify_app/partials/_card_styles.html.erb +33 -0
data/app/views/shopify_app/partials/_empty_state_styles.html.erb +98 -0
data/app/views/shopify_app/partials/_form_styles.html.erb +56 -0
data/app/views/shopify_app/partials/_layout_styles.html.erb +182 -0
data/app/views/shopify_app/partials/_typography_styles.html.erb +35 -0
data/app/views/shopify_app/sessions/enable_cookies.html.erb +70 -0
data/app/views/shopify_app/sessions/new.html.erb +39 -83
data/app/views/shopify_app/sessions/request_storage_access.html.erb +68 -0
data/app/views/shopify_app/sessions/top_level_interaction.html.erb +63 -0
data/app/views/shopify_app/shared/redirect.html.erb +23 -0
data/config/locales/cs.yml +23 -0
data/config/locales/da.yml +20 -0
data/config/locales/de.yml +22 -0
data/config/locales/en.yml +12 -1
data/config/locales/es.yml +21 -3
data/config/locales/fi.yml +20 -0
data/config/locales/fr.yml +23 -0
data/config/locales/hi.yml +23 -0
data/config/locales/it.yml +21 -0
data/config/locales/ja.yml +17 -0
data/config/locales/ko.yml +19 -0
data/config/locales/ms.yml +22 -0
data/config/locales/nb.yml +21 -0
data/config/locales/nl.yml +21 -0
data/config/locales/pl.yml +21 -0
data/config/locales/pt-BR.yml +21 -0
data/config/locales/pt-PT.yml +22 -0
data/config/locales/sv.yml +21 -0
data/config/locales/th.yml +20 -0
data/config/locales/tr.yml +22 -0
data/config/locales/vi.yml +22 -0
data/config/locales/zh-CN.yml +16 -0
data/config/locales/zh-TW.yml +16 -0
data/config/routes.rb +12 -1
data/docs/Quickstart.md +31 -0
data/docs/Releasing.md +21 -0
data/docs/Troubleshooting.md +16 -0
data/docs/Upgrading.md +110 -0
data/docs/shopify_app/authentication.md +124 -0
data/docs/shopify_app/engine.md +82 -0
data/docs/shopify_app/generators.md +127 -0
data/docs/shopify_app/handling-access-scopes-changes.md +8 -0
data/docs/shopify_app/script-tags.md +28 -0
data/docs/shopify_app/session-repository.md +88 -0
data/docs/shopify_app/testing.md +38 -0
data/docs/shopify_app/webhooks.md +72 -0
data/karma.conf.js +44 -0
data/lib/generators/shopify_app/add_after_authenticate_job/add_after_authenticate_job_generator.rb +47 -0
data/lib/generators/shopify_app/add_after_authenticate_job/templates/after_authenticate_job.rb +11 -0
data/lib/generators/shopify_app/add_marketing_activity_extension/add_marketing_activity_extension_generator.rb +40 -0
data/lib/generators/shopify_app/add_marketing_activity_extension/templates/marketing_activities_controller.rb +62 -0
data/lib/generators/shopify_app/add_webhook/add_webhook_generator.rb +5 -4
data/lib/generators/shopify_app/add_webhook/templates/{webhook_job.rb → webhook_job.rb.tt} +5 -0
data/lib/generators/shopify_app/app_proxy_controller/app_proxy_controller_generator.rb +4 -3
data/lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_controller.rb +3 -3
data/lib/generators/shopify_app/app_proxy_controller/templates/app_proxy_route.rb +10 -9
data/lib/generators/shopify_app/app_proxy_controller/templates/index.html.erb +2 -2
data/lib/generators/shopify_app/authenticated_controller/authenticated_controller_generator.rb +15 -0
data/lib/generators/shopify_app/authenticated_controller/templates/authenticated_controller.rb +5 -0
data/lib/generators/shopify_app/controllers/controllers_generator.rb +2 -1
data/lib/generators/shopify_app/home_controller/home_controller_generator.rb +31 -9
data/lib/generators/shopify_app/home_controller/templates/home_controller.rb +6 -1
data/lib/generators/shopify_app/home_controller/templates/index.html.erb +70 -6
data/lib/generators/shopify_app/home_controller/templates/unauthenticated_home_controller.rb +11 -0
data/lib/generators/shopify_app/install/install_generator.rb +78 -27
data/lib/generators/shopify_app/install/templates/_flash_messages.html.erb +1 -13
data/lib/generators/shopify_app/install/templates/embedded_app.html.erb +12 -11
data/lib/generators/shopify_app/install/templates/flash_messages.js +24 -0
data/lib/generators/shopify_app/install/templates/omniauth.rb +3 -1
data/lib/generators/shopify_app/install/templates/session_store.rb +4 -0
data/lib/generators/shopify_app/install/templates/shopify_app.js +15 -0
data/lib/generators/shopify_app/install/templates/shopify_app.rb.tt +25 -0
data/lib/generators/shopify_app/install/templates/shopify_app_index.js +2 -0
data/lib/generators/shopify_app/install/templates/shopify_provider.rb.tt +8 -0
data/lib/generators/shopify_app/install/templates/user_agent.rb +6 -0
data/lib/generators/shopify_app/products_controller/products_controller_generator.rb +19 -0
data/lib/generators/shopify_app/products_controller/templates/products_controller.rb +8 -0
data/lib/generators/shopify_app/rotate_shopify_token_job/rotate_shopify_token_job_generator.rb +16 -0
data/lib/generators/shopify_app/rotate_shopify_token_job/templates/rotate_shopify_token.rake +17 -0
data/lib/generators/shopify_app/rotate_shopify_token_job/templates/rotate_shopify_token_job.rb +42 -0
data/lib/generators/shopify_app/routes/routes_generator.rb +1 -0
data/lib/generators/shopify_app/routes/templates/routes.rb +10 -9
data/lib/generators/shopify_app/shop_model/shop_model_generator.rb +42 -14
data/lib/generators/shopify_app/shop_model/templates/db/migrate/add_shop_access_scopes_column.erb +5 -0
data/lib/generators/shopify_app/shop_model/templates/db/migrate/{create_shops.rb → create_shops.erb} +1 -1
data/lib/generators/shopify_app/shop_model/templates/shop.rb +6 -2
data/lib/generators/shopify_app/shopify_app_generator.rb +5 -3
data/lib/generators/shopify_app/user_model/templates/db/migrate/add_user_access_scopes_column.erb +5 -0
data/lib/generators/shopify_app/user_model/templates/db/migrate/create_users.erb +16 -0
data/lib/generators/shopify_app/user_model/templates/user.rb +8 -0
data/lib/generators/shopify_app/user_model/templates/users.yml +4 -0
data/lib/generators/shopify_app/user_model/user_model_generator.rb +70 -0
data/lib/generators/shopify_app/views/views_generator.rb +2 -1
data/lib/shopify_app/access_scopes/noop_strategy.rb +13 -0
data/lib/shopify_app/access_scopes/shop_strategy.rb +24 -0
data/lib/shopify_app/access_scopes/user_strategy.rb +41 -0
data/lib/shopify_app/configuration.rb +69 -5
data/lib/shopify_app/{app_proxy_verification.rb → controller_concerns/app_proxy_verification.rb} +4 -9
data/lib/shopify_app/controller_concerns/csrf_protection.rb +15 -0
data/lib/shopify_app/controller_concerns/embedded_app.rb +20 -0
data/lib/shopify_app/controller_concerns/itp.rb +45 -0
data/lib/shopify_app/controller_concerns/localization.rb +23 -0
data/lib/shopify_app/controller_concerns/login_protection.rb +244 -0
data/lib/shopify_app/controller_concerns/payload_verification.rb +24 -0
data/lib/shopify_app/controller_concerns/webhook_verification.rb +23 -0
data/lib/shopify_app/engine.rb +40 -0
data/lib/shopify_app/jobs/scripttags_manager_job.rb +16 -0
data/lib/shopify_app/{webhooks_manager_job.rb → jobs/webhooks_manager_job.rb} +3 -2
data/lib/shopify_app/{scripttags_manager.rb → managers/scripttags_manager.rb} +25 -8
data/lib/shopify_app/{webhooks_manager.rb → managers/webhooks_manager.rb} +6 -5
data/lib/shopify_app/middleware/jwt_middleware.rb +42 -0
data/lib/shopify_app/middleware/same_site_cookie_middleware.rb +34 -0
data/lib/shopify_app/omniauth/omniauth_configuration.rb +64 -0
data/lib/shopify_app/session/in_memory_session_store.rb +31 -0
data/lib/shopify_app/session/in_memory_shop_session_store.rb +16 -0
data/lib/shopify_app/session/in_memory_user_session_store.rb +16 -0
data/lib/shopify_app/session/jwt.rb +63 -0
data/lib/shopify_app/session/null_user_session_store.rb +22 -0
data/lib/shopify_app/session/session_repository.rb +56 -0
data/lib/shopify_app/session/session_storage.rb +20 -0
data/lib/shopify_app/session/shop_session_storage.rb +42 -0
data/lib/shopify_app/session/shop_session_storage_with_scopes.rb +58 -0
data/lib/shopify_app/session/user_session_storage.rb +42 -0
data/lib/shopify_app/session/user_session_storage_with_scopes.rb +58 -0
data/lib/shopify_app/test_helpers/all.rb +2 -0
data/lib/shopify_app/test_helpers/webhook_verification_helper.rb +17 -0
data/lib/shopify_app/utils.rb +24 -4
data/lib/shopify_app/version.rb +2 -1
data/lib/shopify_app.rb +65 -24
data/package.json +27 -0
data/service.yml +7 -0
data/shipit.rubygems.yml +3 -0
data/shopify_app.gemspec +20 -9
data/translation.yml +7 -0
data/webpack.config.js +24 -0
data/yarn.lock +5215 -0
metadata +274 -43
data/.travis.yml +0 -17
data/Gemfile.rails50 +0 -5
data/Gemfile.ruby22 +0 -6
data/Gemfile.ruby22.rails50 +0 -9
data/ISSUE_TEMPLATE.md +0 -14
data/QUICKSTART.md +0 -72
data/RELEASING +0 -13
data/lib/generators/shopify_app/home_controller/templates/shopify_app_ready_script.html.erb +0 -11
data/lib/generators/shopify_app/install/templates/shopify_app.rb +0 -9
data/lib/generators/shopify_app/install/templates/shopify_provider.rb +0 -4
data/lib/generators/shopify_app/install/templates/shopify_session_repository.rb +0 -23
data/lib/generators/shopify_app/shop_model/templates/shopify_session_repository.rb +0 -7
data/lib/shopify_app/in_memory_session_store.rb +0 -25
data/lib/shopify_app/login_protection.rb +0 -103
data/lib/shopify_app/scripttags_manager_job.rb +0 -15
data/lib/shopify_app/session_storage.rb +0 -23
data/lib/shopify_app/sessions_concern.rb +0 -101
data/lib/shopify_app/shop.rb +0 -15
data/lib/shopify_app/shopify_session_repository.rb +0 -34
data/lib/shopify_app/webhook_verification.rb +0 -39

data/lib/shopify_app/{app_proxy_verification.rb → controller_concerns/app_proxy_verification.rb} RENAMED Viewed

@@ -1,19 +1,14 @@
+# frozen_string_literal: true
 module ShopifyApp
   module AppProxyVerification
     extend ActiveSupport::Concern
     included do
-      if Rails.version >= '5.0'
-        skip_before_action :verify_authenticity_token, raise: false
-      else
-        skip_before_action :verify_authenticity_token
-      end
+      skip_before_action :verify_authenticity_token, raise: false
       before_action :verify_proxy_request
     end
     def verify_proxy_request
-      return head :unauthorized unless query_string_valid?(request.query_string)
+      return head(:forbidden) unless query_string_valid?(request.query_string)
     end
     private
@@ -31,7 +26,7 @@ module ShopifyApp
     end
     def calculated_signature(query_hash_without_signature)
-      sorted_params = query_hash_without_signature.collect{|k,v| "#{k}=#{Array(v).join(',')}"}.sort.join
+      sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(',')}" }.sort.join
       OpenSSL::HMAC.hexdigest(
         OpenSSL::Digest.new('sha256'),

data/lib/shopify_app/controller_concerns/csrf_protection.rb ADDED Viewed

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module CsrfProtection
+    extend ActiveSupport::Concern
+    included do
+      protect_from_forgery with: :exception, unless: :valid_session_token?
+    end
+    private
+    def valid_session_token?
+      request.env['jwt.shopify_domain']
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/embedded_app.rb ADDED Viewed

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module EmbeddedApp
+    extend ActiveSupport::Concern
+    included do
+      if ShopifyApp.configuration.embedded_app?
+        after_action(:set_esdk_headers)
+        layout('embedded_app')
+      end
+    end
+    private
+    def set_esdk_headers
+      response.set_header('P3P', 'CP="Not used"')
+      response.headers.except!('X-Frame-Options')
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/itp.rb ADDED Viewed

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+module ShopifyApp
+  # Cookie management helpers required for ITP implementation
+  module Itp
+    private
+    def set_test_cookie
+      return unless ShopifyApp.configuration.embedded_app?
+      return unless user_agent_can_partition_cookies
+      session['shopify.cookies_persist'] = true
+    end
+    def set_top_level_oauth_cookie
+      session['shopify.top_level_oauth'] = true
+    end
+    def clear_top_level_oauth_cookie
+      session.delete('shopify.top_level_oauth')
+    end
+    def user_agent_is_mobile
+      user_agent = BrowserSniffer.new(request.user_agent).browser_info
+      user_agent[:name].to_s.match(/Shopify\sMobile/)
+    end
+    def user_agent_is_pos
+      user_agent = BrowserSniffer.new(request.user_agent).browser_info
+      user_agent[:name].to_s.match(/Shopify\sPOS/)
+    end
+    def user_agent_can_partition_cookies
+      user_agent = BrowserSniffer.new(request.user_agent).browser_info
+      is_safari = user_agent[:name].to_s.match(/Safari/)
+      return false unless is_safari
+      user_agent[:version].to_s.match(/12\.0/)
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/localization.rb ADDED Viewed

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module Localization
+    extend ActiveSupport::Concern
+    included do
+      before_action :set_locale
+    end
+    private
+    def set_locale
+      if params[:locale]
+        session[:locale] = params[:locale]
+      else
+        session[:locale] ||= I18n.default_locale
+      end
+      I18n.locale = session[:locale]
+    rescue I18n::InvalidLocale
+      I18n.locale = I18n.default_locale
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/login_protection.rb ADDED Viewed

@@ -0,0 +1,244 @@
+# frozen_string_literal: true
+require 'browser_sniffer'
+module ShopifyApp
+  module LoginProtection
+    extend ActiveSupport::Concern
+    include ShopifyApp::Itp
+    class ShopifyDomainNotFound < StandardError; end
+    included do
+      after_action :set_test_cookie
+      rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
+    end
+    ACCESS_TOKEN_REQUIRED_HEADER = 'X-Shopify-API-Request-Failure-Unauthorized'
+    def activate_shopify_session
+      if user_session_expected? && user_session.blank?
+        signal_access_token_required
+        return redirect_to_login
+      end
+      return redirect_to_login if current_shopify_session.blank?
+      clear_top_level_oauth_cookie
+      begin
+        ShopifyAPI::Base.activate_session(current_shopify_session)
+        yield
+      ensure
+        ShopifyAPI::Base.clear_session
+      end
+    end
+    def current_shopify_session
+      @current_shopify_session ||= begin
+        user_session || shop_session
+      end
+    end
+    def user_session
+      user_session_by_jwt || user_session_by_cookie
+    end
+    def user_session_by_jwt
+      return unless ShopifyApp.configuration.allow_jwt_authentication
+      return unless jwt_shopify_user_id
+      ShopifyApp::SessionRepository.retrieve_user_session_by_shopify_user_id(jwt_shopify_user_id)
+    end
+    def user_session_by_cookie
+      return unless ShopifyApp.configuration.allow_cookie_authentication
+      return unless session[:user_id].present?
+      ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
+    end
+    def shop_session
+      shop_session_by_jwt || shop_session_by_cookie
+    end
+    def shop_session_by_jwt
+      return unless ShopifyApp.configuration.allow_jwt_authentication
+      return unless jwt_shopify_domain
+      ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(jwt_shopify_domain)
+    end
+    def shop_session_by_cookie
+      return unless ShopifyApp.configuration.allow_cookie_authentication
+      return unless session[:shop_id].present?
+      ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
+    end
+    def login_again_if_different_user_or_shop
+      if session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
+        clear_session = session[:user_session] != params[:session] # current user is different from stored user
+      end
+      if current_shopify_session &&
+        params[:shop] && params[:shop].is_a?(String) &&
+        (current_shopify_session.domain != params[:shop])
+        clear_session = true
+      end
+      if clear_session
+        clear_shopify_session
+        redirect_to_login
+      end
+    end
+    def signal_access_token_required
+      response.set_header(ACCESS_TOKEN_REQUIRED_HEADER, "true")
+    end
+    protected
+    def jwt_shopify_domain
+      request.env['jwt.shopify_domain']
+    end
+    def jwt_shopify_user_id
+      request.env['jwt.shopify_user_id']
+    end
+    def redirect_to_login
+      if request.xhr?
+        head(:unauthorized)
+      else
+        if request.get?
+          path = request.path
+          query = sanitized_params.to_query
+        else
+          referer = URI(request.referer || "/")
+          path = referer.path
+          query = "#{referer.query}&#{sanitized_params.to_query}"
+        end
+        session[:return_to] = query.blank? ? path.to_s : "#{path}?#{query}"
+        redirect_to(login_url_with_optional_shop)
+      end
+    end
+    def close_session
+      clear_shopify_session
+      redirect_to(login_url_with_optional_shop)
+    end
+    def clear_shopify_session
+      session[:shop_id] = nil
+      session[:user_id] = nil
+      session[:shopify_domain] = nil
+      session[:shopify_user] = nil
+      session[:user_session] = nil
+    end
+    def login_url_with_optional_shop(top_level: false)
+      url = ShopifyApp.configuration.login_url
+      query_params = login_url_params(top_level: top_level)
+      url = "#{url}?#{query_params.to_query}" if query_params.present?
+      url
+    end
+    def login_url_params(top_level:)
+      query_params = {}
+      query_params[:shop] = sanitized_params[:shop] if params[:shop].present?
+      return_to = RedirectSafely.make_safe(session[:return_to] || params[:return_to], nil)
+      if return_to.present? && return_to_param_required?
+        query_params[:return_to] = return_to
+      end
+      has_referer_shop_name = referer_sanitized_shop_name.present?
+      if has_referer_shop_name
+        query_params[:shop] ||= referer_sanitized_shop_name
+      end
+      query_params[:top_level] = true if top_level
+      query_params
+    end
+    def return_to_param_required?
+      native_params = %i[shop hmac timestamp locale protocol return_to]
+      request.path != '/' || sanitized_params.except(*native_params).any?
+    end
+    def fullpage_redirect_to(url)
+      if ShopifyApp.configuration.embedded_app?
+        render('shopify_app/shared/redirect', layout: false,
+               locals: { url: url, current_shopify_domain: current_shopify_domain })
+      else
+        redirect_to(url)
+      end
+    end
+    def current_shopify_domain
+      shopify_domain = sanitized_shop_name ||
+        jwt_shopify_domain ||
+        session[:shopify_domain]
+      return shopify_domain if shopify_domain.present?
+      raise ShopifyDomainNotFound
+    end
+    def sanitized_shop_name
+      @sanitized_shop_name ||= sanitize_shop_param(params)
+    end
+    def referer_sanitized_shop_name
+      return unless request.referer.present?
+      @referer_sanitized_shop_name ||= begin
+        referer_uri = URI(request.referer)
+        query_params = Rack::Utils.parse_query(referer_uri.query)
+        sanitize_shop_param(query_params.with_indifferent_access)
+      end
+    end
+    def sanitize_shop_param(params)
+      return unless params[:shop].present?
+      ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
+    end
+    def sanitized_params
+      request.query_parameters.clone.tap do |query_params|
+        if params[:shop].is_a?(String)
+          query_params[:shop] = sanitize_shop_param(params)
+        end
+      end
+    end
+    def return_address
+      return base_return_address unless ShopifyApp.configuration.allow_jwt_authentication
+      return_address_with_params(shop: current_shopify_domain)
+    rescue ShopifyDomainNotFound
+      base_return_address
+    end
+    def base_return_address
+      session.delete(:return_to) || ShopifyApp.configuration.root_url
+    end
+    def return_address_with_params(params)
+      uri = URI(base_return_address)
+      uri.query = CGI.parse(uri.query.to_s)
+        .symbolize_keys
+        .transform_values { |v| v.one? ? v.first : v }
+        .merge(params)
+        .to_query
+      uri.to_s
+    end
+    private
+    def user_session_expected?
+      !ShopifyApp.configuration.user_session_repository.blank? && ShopifyApp::SessionRepository.user_storage.present?
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/payload_verification.rb ADDED Viewed

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module PayloadVerification
+    extend ActiveSupport::Concern
+    private
+    def shopify_hmac
+      request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
+    end
+    def hmac_valid?(data)
+      secrets = [ShopifyApp.configuration.secret, ShopifyApp.configuration.old_secret].reject(&:blank?)
+      secrets.any? do |secret|
+        digest = OpenSSL::Digest.new('sha256')
+        ActiveSupport::SecurityUtils.secure_compare(
+          shopify_hmac,
+          Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, data))
+        )
+      end
+    end
+  end
+end

data/lib/shopify_app/controller_concerns/webhook_verification.rb ADDED Viewed

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module WebhookVerification
+    extend ActiveSupport::Concern
+    include ShopifyApp::PayloadVerification
+    included do
+      skip_before_action :verify_authenticity_token, raise: false
+      before_action :verify_request
+    end
+    private
+    def verify_request
+      data = request.raw_post
+      return head(:unauthorized) unless hmac_valid?(data)
+    end
+    def shop_domain
+      request.headers['HTTP_X_SHOPIFY_SHOP_DOMAIN']
+    end
+  end
+end

data/lib/shopify_app/engine.rb CHANGED Viewed

@@ -1,6 +1,46 @@
+# frozen_string_literal: true
 module ShopifyApp
+  module RedactJobParams
+    private
+    def args_info(job)
+      log_disabled_classes = %w(ShopifyApp::ScripttagsManagerJob ShopifyApp::WebhooksManagerJob)
+      return "" if log_disabled_classes.include?(job.class.name)
+      super
+    end
+  end
   class Engine < Rails::Engine
     engine_name 'shopify_app'
     isolate_namespace ShopifyApp
+    initializer "shopify_app.assets.precompile" do |app|
+      app.config.assets.precompile += %w[
+        shopify_app/redirect.js
+        shopify_app/top_level.js
+        shopify_app/enable_cookies.js
+        shopify_app/request_storage_access.js
+        storage_access.svg
+      ]
+    end
+    initializer "shopify_app.middleware" do |app|
+      app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::SameSiteCookieMiddleware)
+      if ShopifyApp.configuration.allow_jwt_authentication
+        app.config.middleware.insert_after(ShopifyApp::SameSiteCookieMiddleware, ShopifyApp::JWTMiddleware)
+      end
+    end
+    initializer "shopify_app.redact_job_params" do
+      ActiveSupport.on_load(:active_job) do
+        if ActiveJob::Base.respond_to?(:log_arguments?)
+          WebhooksManagerJob.log_arguments = false
+          ScripttagsManagerJob.log_arguments = false
+        elsif ActiveJob::Logging::LogSubscriber.private_method_defined?(:args_info)
+          ActiveJob::Logging::LogSubscriber.prepend(RedactJobParams)
+        end
+      end
+    end
   end
 end

data/lib/shopify_app/jobs/scripttags_manager_job.rb ADDED Viewed

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class ScripttagsManagerJob < ActiveJob::Base
+    queue_as do
+      ShopifyApp.configuration.scripttags_manager_queue_name
+    end
+    def perform(shop_domain:, shop_token:, scripttags:)
+      api_version = ShopifyApp.configuration.api_version
+      ShopifyAPI::Session.temp(domain: shop_domain, token: shop_token, api_version: api_version) do
+        manager = ScripttagsManager.new(scripttags, shop_domain)
+        manager.create_scripttags
+      end
+    end
+  end
+end

data/lib/shopify_app/{webhooks_manager_job.rb → jobs/webhooks_manager_job.rb} RENAMED Viewed

@@ -1,12 +1,13 @@
+# frozen_string_literal: true
 module ShopifyApp
   class WebhooksManagerJob < ActiveJob::Base
     queue_as do
       ShopifyApp.configuration.webhooks_manager_queue_name
     end
     def perform(shop_domain:, shop_token:, webhooks:)
-      ShopifyAPI::Session.temp(shop_domain, shop_token) do
+      api_version = ShopifyApp.configuration.api_version
+      ShopifyAPI::Session.temp(domain: shop_domain, token: shop_token, api_version: api_version) do
         manager = WebhooksManager.new(webhooks)
         manager.create_webhooks
       end

data/lib/shopify_app/{scripttags_manager.rb → managers/scripttags_manager.rb} RENAMED Viewed

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class ScripttagsManager
     class CreationFailed < StandardError; end
@@ -6,14 +7,25 @@ module ShopifyApp
       ShopifyApp::ScripttagsManagerJob.perform_later(
         shop_domain: shop_domain,
         shop_token: shop_token,
-        scripttags: scripttags
+        # Procs cannot be serialized so we interpolate now, if necessary
+        scripttags: build_src(scripttags, shop_domain)
       )
     end
-    attr_reader :required_scripttags
+    def self.build_src(scripttags, domain)
+      scripttags.map do |tag|
+        next tag unless tag[:src].respond_to?(:call)
+        tag = tag.dup
+        tag[:src] = tag[:src].call(domain)
+        tag
+      end
+    end
+    attr_reader :required_scripttags, :shop_domain
-    def initialize(scripttags)
+    def initialize(scripttags, shop_domain)
       @required_scripttags = scripttags
+      @shop_domain = shop_domain
     end
     def recreate_scripttags!
@@ -24,14 +36,15 @@ module ShopifyApp
     def create_scripttags
       return unless required_scripttags.present?
-      required_scripttags.each do |scripttag|
+      expanded_scripttags.each do |scripttag|
         create_scripttag(scripttag) unless scripttag_exists?(scripttag[:src])
       end
     end
     def destroy_scripttags
-      ShopifyAPI::ScriptTag.all.each do |scripttag|
-        ShopifyAPI::ScriptTag.delete(scripttag.id) if is_required_scripttag?(scripttag)
+      scripttags = expanded_scripttags
+      ShopifyAPI::ScriptTag.all.each do |tag|
+        ShopifyAPI::ScriptTag.delete(tag.id) if required_scripttag?(scripttags, tag)
       end
       @current_scripttags = nil
@@ -39,8 +52,12 @@ module ShopifyApp
     private
-    def is_required_scripttag?(scripttag)
-      required_scripttags.map{ |w| w[:src] }.include? scripttag.src
+    def expanded_scripttags
+      self.class.build_src(required_scripttags, shop_domain)
+    end
+    def required_scripttag?(scripttags, tag)
+      scripttags.map { |w| w[:src] }.include?(tag.src)
     end
     def create_scripttag(attributes)

data/lib/shopify_app/{webhooks_manager.rb → managers/webhooks_manager.rb} RENAMED Viewed

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 module ShopifyApp
   class WebhooksManager
     class CreationFailed < StandardError; end
@@ -30,8 +31,8 @@ module ShopifyApp
     end
     def destroy_webhooks
-      ShopifyAPI::Webhook.all.each do |webhook|
-        ShopifyAPI::Webhook.delete(webhook.id) if is_required_webhook?(webhook)
+      ShopifyAPI::Webhook.all.to_a.each do |webhook|
+        ShopifyAPI::Webhook.delete(webhook.id) if required_webhook?(webhook)
       end
       @current_webhooks = nil
@@ -39,8 +40,8 @@ module ShopifyApp
     private
-    def is_required_webhook?(webhook)
-      required_webhooks.map{ |w| w[:address] }.include? webhook.address
+    def required_webhook?(webhook)
+      required_webhooks.map { |w| w[:address] }.include?(webhook.address)
     end
     def create_webhook(attributes)
@@ -55,7 +56,7 @@ module ShopifyApp
     end
     def current_webhooks
-      @current_webhooks ||= ShopifyAPI::Webhook.all.index_by(&:topic)
+      @current_webhooks ||= ShopifyAPI::Webhook.all.to_a.index_by(&:topic)
     end
   end
 end

data/lib/shopify_app/middleware/jwt_middleware.rb ADDED Viewed

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class JWTMiddleware
+    TOKEN_REGEX = /^Bearer\s+(.*?)$/
+    def initialize(app)
+      @app = app
+    end
+    def call(env)
+      return call_next(env) unless authorization_header(env)
+      token = extract_token(env)
+      return call_next(env) unless token
+      set_env_variables(token, env)
+      call_next(env)
+    end
+    private
+    def call_next(env)
+      @app.call(env)
+    end
+    def authorization_header(env)
+      env['HTTP_AUTHORIZATION']
+    end
+    def extract_token(env)
+      match = authorization_header(env).match(TOKEN_REGEX)
+      match && match[1]
+    end
+    def set_env_variables(token, env)
+      jwt = ShopifyApp::JWT.new(token)
+      env['jwt.shopify_domain'] = jwt.shopify_domain
+      env['jwt.shopify_user_id'] = jwt.shopify_user_id
+    end
+  end
+end

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb ADDED Viewed

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+module ShopifyApp
+  class SameSiteCookieMiddleware
+    COOKIE_SEPARATOR = "\n"
+    def initialize(app)
+      @app = app
+    end
+    def call(env)
+      status, headers, body = @app.call(env)
+      user_agent = env['HTTP_USER_AGENT']
+      if headers && headers['Set-Cookie'] &&
+          BrowserSniffer.new(user_agent).same_site_none_compatible? &&
+          ShopifyApp.configuration.enable_same_site_none &&
+          Rack::Request.new(env).ssl?
+        set_cookies = headers['Set-Cookie']
+          .split(COOKIE_SEPARATOR)
+          .compact
+          .map do |cookie|
+            cookie << '; Secure' unless cookie =~ /;\s*secure/i
+            cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
+            cookie
+          end
+        headers['Set-Cookie'] = set_cookies.join(COOKIE_SEPARATOR)
+      end
+      [status, headers, body]
+    end
+  end
+end