shopify_app 7.4.0 → 8.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: b534fe893fb126d699a8e2a0908cc06aab2ea3e9
-  data.tar.gz: 7da8663a89439030d2198be0f4d09e947d68ae63
+SHA256:
+  metadata.gz: 8fe2949f5e38db4532dbcab3c05f96e228e6285fdbb4b729ffefecd8e40b2aad
+  data.tar.gz: 2fefc3ce45bc58cd82c874d5217f6abfce0a70ba56cb9105084dbec011f033cb
 SHA512:
-  metadata.gz: 189dfc0d53bd7eae968b3270151b00a363a9ecd964b38cbabd378824156fa2eaf5aecb93c9932b1fa3fde2323bd35c9a8fcddec3f8b62b2c02cd6bd2001c8e1f
-  data.tar.gz: 9e11244536e4039e59b1170ab3fcf9717f9f0e53036dbd791cf30e72279d95737cb640cee2a19736e9e74da380c1209a49446aeb32cb2223baf36fe28e8eabcd
+  metadata.gz: 1a435b2541e5198fad47a247a97b2a68ce6e741b2b29a4b0b7f2cc29d256fc382a7fd8a56801e982744258e9efdfd3879a13dd4dffc033c88d432ce44d525e44
+  data.tar.gz: 1df140b61ca82e090eba2fcabac5f079cc5d87e7cb64bab657cbc725ff1063360fbd88822d4ed76c9224d2fd4e9429ba197dd3c7f6a6312b3c8dbdb060c35f26

data/.babelrc

@@ -0,0 +1,5 @@
+{
+  "babel": {
+    "presets": ["shopify/web"]
+  }
+}

data/.github/CODEOWNERS

@@ -0,0 +1 @@
+*       @shopify/platform-dev-tools-education

data/.github/probots.yml

@@ -0,0 +1,2 @@
+enabled:
+  - cla

data/.gitignore

@@ -9,3 +9,8 @@ doc/
 *.sqlite3
 test/tmp/*
 .idea
+# ignore sprockets cache
+/test/dummy/tmp/*
+/node_modules/
+.byebug_history
+

data/.nvmrc

@@ -0,0 +1 @@
+8.10.0

data/.rubocop.yml

@@ -0,0 +1,10 @@
+inherit_from:
+  - https://shopify.github.io/ruby-style-guide/rubocop.yml
+
+LineLength:
+  Exclude:
+    - test/**/*
+
+Metrics/ClassLength:
+  Exclude:
+    - test/**/*

data/.ruby-version

@@ -0,0 +1 @@
+2.5.0

data/.travis.yml

@@ -1,6 +1,29 @@
+sudo: required
+dist: trusty
+addons:
+    chrome: stable
+before_script:
+    - "sudo chown root /opt/google/chrome/chrome-sandbox"
+    - "sudo chmod 4755 /opt/google/chrome/chrome-sandbox"
 language: ruby
-cache: bundler
-sudo: false
+before_install:
+  - gem update --system
+cache:
+  bundler: true
+  directories:
+    - node_modules
+  yarn: true
 
 rvm:
-  - 2.3.1
+  - 2.3.6
+  - 2.4.3
+  - 2.5.0
+
+install:
+  - bundle install
+  - nvm install node
+  - yarn
+
+script:
+  - yarn test
+  - bundle exec rake test

data/CHANGELOG.md

@@ -1,9 +1,104 @@
+8.5.0
+-----
+Added support for rotating Shopify access tokens:
+
+* Added a generator shopify_app:rotate_shopify_token_job for generating the job to perform token rotation
+* Extend Shopify app configuration to support a new and old secret token
+* Extended webhook validation code to support validating against new and old secret tokens
+* See the README for more details: https://github.com/Shopify/shopify_app#rotateshopifytokenjob
+
+8.4.2
+-----
+* Clear stale user session during auth callback
+
+8.4.1
+-----
+* Update README and Releasing.md
+* Allow user agent to not be set
+* Remove legacy EASDK examples
+* Add .ruby-version file
+* Clean up omniauth setup and fix examples
+* Fix infinite redirect loops if users have disabled 3rd party cookies in their browser
+
+8.4.0
+----
+* Fix embedded app session management in Safari 12.1
+* Shop names passed to OAuth are no longer case sensitive
+
+8.3.2
+----
+* Removes `read_orders` from the default scopes provided upon app generation
+
+8.3.1
+----
+* Adds the ability to customize the login URL through the initializer
+
+8.3.0
+----
+* Fix embedded app session management in Safari 12
+* Add support for translation platform
+
+8.2.6
+----
+* Sanitize the shop query param to include `.myshopify.com` if no domain was provided
+
+8.2.5
+----
+* fix iframe headers on session controller
+
+8.2.4
+-----
+* Add CSRF protection through `protect_from_forgery with: :exception` on `ShopifyApp::AuthenticatedController`
+
+8.2.3
+-----
+* Send head :forbidden instead of :unauthorized when AppProxyVerification fails
+
+8.2.2
+-----
+* Changes how the ESDK concern allows iframes. Fixes an issue with the first request for some people
+
+8.2.1
+-----
+* Bugfix: Don't logout shops from `login_again_if_different_shop` when Rails
+  params for a 'Shop' model are passed in [[#477]](https://github.com/Shopify/shopify_app/pull/477)
+
+8.2.0
+-----
+Known bug: Shop logged out when submitting a form for 'Shop' objects, fixed in 8.2.1 [[See #480 for details]](https://github.com/Shopify/shopify_app/issues/480)
+
+* Add `webhook_jobs_namespace` config option. [[#463]](https://github.com/Shopify/shopify_app/pull/463)
+* Updates login page styles to match the [Polaris](https://polaris.shopify.com/) design system. [[#474]](https://github.com/Shopify/shopify_app/pull/474)
+
+8.1.0
+-----
+Known bug: Shop logged out when submitting a form for 'Shop' objects, fixed in 8.2.1 [[See #480 for details]](https://github.com/Shopify/shopify_app/issues/480)
+
+* Add support for per_user_authentication
+* Pass the shop param in the session for authentication instead of a url param (prevents csrf). If you are upgrading from an older version of the gem you will need to update your omniauth.rb initializer file. Check the example app for what it what it should look like.
+
+8.0.0
+-----
+Known bug: Shop logged out when submitting a form for 'Shop' objects, fixed in 8.2.1 [[See #480 for details]](https://github.com/Shopify/shopify_app/issues/480)
+
+* Removed the `shopify_session_repository` initializer. The SessionRepository is now configured through the main ShopifyApp configuration object and the generated initializer
+* Moved InMemorySessionStore into the ShopifyApp namespace
+* Remove ShopifySession concern. This module made the code internal to this engine harder to follow and we want to discourage over-writing the auth code now that we have generic hooks for all extra tasks during install.
+* Changed engine controllers to subclass ActionController::Base to avoid any possible conflict with the parent application
+* Removed the `ShopifyApp::Shop` concern and added its methods to `ShopifyApp::SessionStorage`. To update for this change just remove this concern anywhere it is being used in your application.
+* Add `ShopifyApp::EmbeddedApp` controller concern which handles setting the required headers for the ESDK. Previously this was done by injecting configuration into applicaton.rb which affects the entire app.
+* Add webhooks to generated home controller. This should help new users debug issues.
+
 7.4.0
 -----
+Known bug: Shop logged out when submitting a form for 'Shop' objects, fixed in 8.2.1 [[See #480 for details]](https://github.com/Shopify/shopify_app/issues/480)
+
 * Add an after_authenticate job which will be run once the shop is authenticated. [[#431]](https://github.com/Shopify/shopify_app/pull/432)
 
 7.3.0
 -----
+Known bug: Shop logged out when submitting a form for 'Shop' objects, fixed in 8.2.1 [[See #480 for details]](https://github.com/Shopify/shopify_app/issues/480)
+
 * Bump required omniauth-shopify-oauth2 version to 1.2.0.
 * Always expect params[:shop] to be a string.
 

data/Gemfile

@@ -2,3 +2,5 @@ source "https://rubygems.org"
 
 # Specify your gem's dependencies in shopify_app.gemspec
 gemspec
+
+gem 'rails-controller-testing', group: :test

data/README.md

@@ -8,12 +8,14 @@ Shopify App
 
 Shopify Application Rails engine and generator
 
+#### NOTE : Versions 8.0.0 through 8.2.3 contained a CSRF vulnerability that was addressed in version 8.2.4. Please update to version 8.2.4 if you're using an old version.
 
 Table of Contents
 -----------------
 * [**Description**](#description)
 * [**Quickstart**](#quickstart)
 * [**Becoming a Shopify App Developer**](#becoming-a-shopify-app-developer)
+* [**App Tunneling**](#app-tunneling)
 * [**Installation**](#installation)
   * [Rails Compatibility](#rails-compatibility)
 * [**Generators**](#generators)
@@ -35,7 +37,6 @@ Table of Contents
 * [**Troubleshooting**](#troubleshooting)
  * [Generator shopify_app:install hangs](#generator-shopify_appinstall-hangs)
 * [**Testing an embedded app outside the Shopify admin**](#testing-an-embedded-app-outside-the-shopify-admin)
-* [**App Tunneling**](#app-tunneling)
 * [**Questions or problems?**](#questions-or-problems)
 
 
@@ -53,30 +54,26 @@ Quickstart
 
 Check out this screencast on how to create and deploy a new Shopify App to Heroku in 5 minutes:
 
-[https://vimeo.com/130247240](https://vimeo.com/130247240)
+[https://www.youtube.com/watch?v=yGxeoAHlQOg](https://www.youtube.com/watch?v=yGxeoAHlQOg)
 
 Or if you prefer text instructions the steps in the video are written out [here](https://github.com/Shopify/shopify_app/blob/master/docs/Quickstart.md)
 
-Becoming a Shopify App Developer
---------------------------------
-If you don't have a Shopify Partner account yet head over to http://shopify.com/partners to create one, you'll need it before you can start developing apps.
-
-Once you have a Partner account create a new application to get an Api key and other Api credentials. To create a development application set the Application Callback URL to
+App Tunneling
+-------------
 
-```
-http://localhost:3000/
-```
+Your local app needs to be accessible from the public Internet in order to install it on a shop, use the [App Proxy Controller](#app-proxy-controller-generator) or receive Webhooks. Use a tunneling service like [ngrok](https://ngrok.com/), [Forward](https://forwardhq.com/), [Beeceptor](https://beeceptor.com/), [Mockbin](http://mockbin.org/), [Hookbin](https://hookbin.com/), etc.
 
-and the `redirect_uri` to
+For example with [ngrok](https://ngrok.com/), run this command to set up proxying to Rails' default port:
 
-```
-http://localhost:3000/auth/shopify/callback
+```sh
+ngrok http 3000
 ```
 
-This way you'll be able to run the app on your local machine.
-
-Also note, ShopifyApp creates embedded apps by default, so remember to check `enabled` for the embedded settings.
+Becoming a Shopify App Developer
+--------------------------------
+If you don't have a Shopify Partner account yet head over to http://shopify.com/partners to create one, you'll need it before you can start developing apps.
 
+Once you have a Partner account create a new application to get an API key and other API credentials. To create a development application set the `App URL` to the URL provided by [your tunnel](#app-tunneling) or `http://localhost:3000/` if you are not embeddeding your app inside the admin or receiving webhooks and the `Whitelisted redirection URL(s)` to contain `<App URL>/auth/shopify/callback`. Ensure you are using `https://` URLs if you are using tunneling.
 
 Installation
 ------------
@@ -111,6 +108,7 @@ The default generator will run the `install`, `shop`, and `home_controller` gene
 $ rails generate shopify_app --api_key <your_api_key> --secret <your_app_secret>
 ```
 
+After running the generator, you will need to run `rake db:migrate` to add tables to your database. You can start your app with `bundle exec rails server` and install your app by visiting localhost.
 
 ### Install Generator
 
@@ -123,9 +121,9 @@ $ rails generate shopify_app:install --api_key <your_api_key> --secret <your_app
 ```
 
 Other options include:
-* `application_name` - the name of your app, it can be supplied with or without double-quotes if a whitespace is present. (e.g. `--application_name Example App` or `--application_name "Example App"`)  
-* `scope` - the Oauth access scope required for your app, eg **read_products, write_orders**. *Multiple options* need to be delimited by a comma-space, and can be supplied with or without double-quotes  
-(e.g. `--scope read_products, write_orders, write_products` or `--scope "read_products, write_orders, write_products"`)  
+* `application_name` - the name of your app, it can be supplied with or without double-quotes if a whitespace is present. (e.g. `--application_name Example App` or `--application_name "Example App"`)
+* `scope` - the Oauth access scope required for your app, eg **read_products, write_orders**. *Multiple options* need to be delimited by a comma-space, and can be supplied with or without double-quotes
+(e.g. `--scope read_products, write_orders, write_products` or `--scope "read_products, write_orders, write_products"`)
 For more information, refer the [docs](http://docs.shopify.com/api/tutorials/oauth).
 * `embedded` - the default is to generate an [embedded app](http://docs.shopify.com/embedded-app-sdk), if you want a legacy non-embedded app then set this to false, `--embedded false`
 
@@ -142,7 +140,7 @@ After running the `install` generator, you can start your app with `bundle exec
 $ rails generate shopify_app:shop_model
 ```
 
-The install generator doesn't create any database models for you and if you are starting a new app its quite likely that you will want one (most of our internally developed apps do!). This generator creates a simple shop model and a migration. It also creates a model called `SessionStorage` which interacts with `ShopifyApp::SessionRepository`. Check out the later section to learn more about `ShopifyApp::SessionRepository`
+The `install` generator doesn't create any database tables or models for you. If you are starting a new app its quite likely that you will want a shops table and model to store the tokens when your app is installed (most of our internally developed apps do!). This generator creates a shop model and a migration. This model includes the `ShopifyApp::SessionStorage` concern which adds two methods to make it compatible as a `SessionRepository`. After running this generator you'll notice the `session_repository` in your `config/initializers/shopify_app.rb` will be set to the `Shop` model. This means that internally ShopifyApp will try and load tokens from this model.
 
 *Note that you will need to run rake db:migrate after this generator*
 
@@ -172,7 +170,7 @@ The last group of generators are for your convenience if you want to start overr
 Mounting the Engine
 -------------------
 
-Mounting the Engine will provide the basic routes to authenticating a shop with your custom application. It will provide:
+Mounting the Engine will provide the basic routes to authenticating a shop with your application. By default it will provide:
 
 | Verb   | Route                         | Action                       |
 |--------|-------------------------------|------------------------------|
@@ -182,31 +180,58 @@ Mounting the Engine will provide the basic routes to authenticating a shop with
 |GET     |'/logout'                      |Logout                        |
 |POST    |'/webhooks/:type'              |Webhook Callback              |
 
+### Nested Routes
 
-The default routes of the Shopify rails engine, which is mounted to the root, can be altered to mount on a different route. The `config/routes.rb` can be modified to put these under a nested route (say `/app-name`) as:
+The engine may also be mounted at a nested route, for example:
 
 ```ruby
 mount ShopifyApp::Engine, at: '/nested'
 ```
 
-This will create the Shopify engine routes under the specified subpath, as a result it will redirect new consumers to `/nested/login`. If you mount the engine at a subpath you'll also need to update the omniauth initializer to include a custom `callback_path` e.g:
+This will create the Shopify engine routes under the specified subpath. You'll also need to make some updates to your `shopify_app.rb` and `omniauth.rb` initializers. First update the shopify_app initializer to include a custom `root_url` e.g.:
 
 ```ruby
-  provider :shopify,
-    ShopifyApp.configuration.api_key,
-    ShopifyApp.configuration.secret,
-    scope: ShopifyApp.configuration.scope,
-    callback_path: '/nested/auth/shopify/callback'
+ShopifyApp.configure do |config|
+  config.root_url = '/nested'
+end
 ```
 
-To use named routes with the engine so that it can route between the application and the engine's routes it should be prefixed with `main_app` or `shopify_app`.
+then update the omniauth initializer to include a custom `callback_path` e.g.:
 
 ```ruby
-main_app.login_path # For a named login route on the rails app.
+provider :shopify,
+  ShopifyApp.configuration.api_key,
+  ShopifyApp.configuration.secret,
+  scope: ShopifyApp.configuration.scope,
+  callback_path: '/nested/auth/shopify/callback'
+```
+
+### Custom login URL
 
-shopify_app.login_path # For the shopify app store login route.
+While you can customize the login view by creating a `/app/views/shopify_app/sessions/new.html.erb` file, you may also want to customize the URL entirely. You can modify your `shopify_app.rb` initializer to provide a custom `login_url` e.g.:
+
+```ruby
+ShopifyApp.configure do |config|
+  config.login_url = 'https://my.domain.com/nested/login'
+end
 ```
 
+Per User Authentication
+-----------------------
+To enable per user authentication you need to update the `omniauth.rb` initializer:
+
+```ruby
+provider :shopify,
+  ShopifyApp.configuration.api_key,
+  ShopifyApp.configuration.secret,
+  scope: ShopifyApp.configuration.scope,
+  per_user_permissions: true
+```
+
+The current Shopify user will be stored in the rails session at `session[:shopify_user]`
+
+This will change the type of token that Shopify returns and it will only be valid for a short time. Read more about `Online access` [here](https://help.shopify.com/api/getting-started/authentication/oauth). Note that this means you won't be able to use this token to respond to Webhooks.
+
 Managing Api Keys
 -----------------
 
@@ -217,7 +242,7 @@ ShopifyApp.configure do |config|
   config.application_name = 'Your app name' # Optional
   config.api_key = ENV['SHOPIFY_CLIENT_API_KEY']
   config.secret = ENV['SHOPIFY_CLIENT_API_SECRET']
-  config.scope = 'read_customers, read_orders, write_products'
+  config.scope = 'read_customers, write_products'
   config.embedded_app = true
 end
 ```
@@ -226,7 +251,7 @@ end
 WebhooksManager
 ---------------
 
-ShopifyApp can manage your app's webhooks for you by setting which webhooks you require in the initializer:
+ShopifyApp can manage your app's webhooks for you if you set which webhooks you require in the initializer:
 
 ```ruby
 ShopifyApp.configure do |config|
@@ -238,7 +263,15 @@ end
 
 When the oauth callback is completed successfully ShopifyApp will queue a background job which will ensure all the specified webhooks exist for that shop. Because this runs on every oauth callback it means your app will always have the webhooks it needs even if the user uninstalls and re-installs the app.
 
-ShopifyApp also provides a WebhooksController that receives webhooks and queues a job based on the webhook url. For example if you register the webhook from above then all you need to do is create a job called `CartsUpdateJob`. The job will be queued with 2 params `shop_domain` and `webhook` which is the webhook body.
+ShopifyApp also provides a WebhooksController that receives webhooks and queues a job based on the received topic. For example if you register the webhook from above then all you need to do is create a job called `CartsUpdateJob`. The job will be queued with 2 params: `shop_domain` and `webhook` (which is the webhook body).
+
+If you would like to namespace your jobs you may set `webhook_jobs_namespace` in the config. For example if your app handles webhooks from other ecommerce applications as well, and you want Shopify cart update webhooks to be processed by a job living in `jobs/shopify/webhooks/carts_update_job.rb` rather than `jobs/carts_update_job.rb`):
+
+```ruby
+ShopifyApp.configure do |config|
+  config.webhook_jobs_namespace = 'shopify/webhooks'
+end
+```
 
 If you are only interested in particular fields, you can optionally filter the data sent by Shopify by specifying the `fields` parameter in `config/webhooks`. Note that you will still receive a webhook request from Shopify every time the resource is updated, but only the specified fields will be sent.
 
@@ -250,20 +283,27 @@ ShopifyApp.configure do |config|
 end
 ```
 
-If you'd rather implement your own controller then you'll want to use the WebhookVerfication module to verify your webhooks:
+If you'd rather implement your own controller then you'll want to use the WebhookVerfication module to verify your webhooks, example:
 
 ```ruby
 class CustomWebhooksController < ApplicationController
   include ShopifyApp::WebhookVerification
 
   def carts_update
-    SomeJob.perform_later(shopify_domain: shop_domain, webhook: params)
-    head :ok
+    params.permit!
+    SomeJob.perform_later(shop_domain: shop_domain, webhook: webhook_params.to_h)
+    head :no_content
+  end
+
+  private
+
+  def webhook_params
+    params.except(:controller, :action, :type)
   end
 end
 ```
 
-The module skips the `verify_authenticity_token` before_action and adds an action to verify that the webhook came from Shopify.
+The module skips the `verify_authenticity_token` before_action and adds an action to verify that the webhook came from Shopify. You can now add a post route to your application pointing to the controller and action to accept the webhook data from Shopify.
 
 The WebhooksManager uses ActiveJob, if ActiveJob is not configured then by default Rails will run the jobs inline. However it is highly recommended to configure a proper background processing queue like sidekiq or resque in production.
 
@@ -283,7 +323,7 @@ As with webhooks, ShopifyApp can manage your app's scripttags for you by setting
 ```ruby
 ShopifyApp.configure do |config|
   config.scripttags = [
-    {event:'onload', src: 'https://my-shopifyapp.herokuapp.com/fancy.js'}
+    {event:'onload', src: 'https://my-shopifyapp.herokuapp.com/fancy.js'},
     {event:'onload', src: ->(domain) { dynamic_tag_url(domain) } }
   ]
 end
@@ -306,7 +346,7 @@ If your app needs to perform specific actions after it is installed ShopifyApp c
 
 ```ruby
 ShopifyApp.configure do |config|
-  config.add_after_authenticate_job = { job: Shopify::AfterAuthenticateJob }
+  config.after_authenticate_job = { job: Shopify::AfterAuthenticateJob }
 end
 ```
 
@@ -314,7 +354,7 @@ If you need the job to run synchronously add the `inline` flag:
 
 ```ruby
 ShopifyApp.configure do |config|
-  config.add_after_authenticate_job = { job: Shopify::AfterAuthenticateJob, inline: true }
+  config.after_authenticate_job = { job: Shopify::AfterAuthenticateJob, inline: true }
 end
 ```
 
@@ -324,17 +364,43 @@ We've also provided a generator which creates a skeleton job and updates the ini
 bin/rails g shopify_app:add_after_authenticate_job
 ```
 
+RotateShopifyTokenJob
+---------------------
+
+If your Shopify secret key is leaked, you can use the RotateShopifyTokenJob to perform [API Credential Rotation](https://help.shopify.com/en/api/getting-started/authentication/oauth/api-credential-rotation).
+
+Before running the job, you'll need to generate a new secret key from your Shopify Partner dashboard, and update the `/config/initializers/shopify_app.rb` to hold your new and old secret keys:
+
+```ruby
+config.secret = Rails.application.secrets.shopify_secret
+config.old_secret = Rails.application.secrets.old_shopify_secret
+```
+
+We've provided a generator which creates the job and an example rake task:
+
+```sh
+bin/rails g shopify_app:rotate_shopify_token_job
+```
+
+The generated rake task will be found at `lib/tasks/shopify/rotate_shopify_token.rake` and is provided strictly for example purposes. It might not work with your application out of the box without some configuration.
+
+⚠️ Note: if you are updating `shopify_app` from a version prior to 8.4.2 (and do not wish to run the default/install generator again), you will need to add [the following line](https://github.com/Shopify/shopify_app/blob/4f7e6cca2a472d8f7af44b938bd0fcafe4d8e88a/lib/generators/shopify_app/install/templates/shopify_provider.rb#L18) to `config/intializers/omniauth.rb`:
+
+```ruby
+strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret
+```
+
 ShopifyApp::SessionRepository
 -----------------------------
 
-`ShopifyApp::SessionRepository` allows you as a developer to define how your sessions are retrieved and stored for a shop. The `SessionRepository` is configured using the `config/initializers/shopify_session_repository.rb` file and can be set to any object that implements `self.store(shopify_session)` which stores the session and returns a unique identifier and `self.retrieve(id)` which returns a `ShopifyAPI::Session` for the passed id. See either the `InMemorySessionStore` or the `SessionStorage` module for examples.
+`ShopifyApp::SessionRepository` allows you as a developer to define how your sessions are retrieved and stored for shops. The `SessionRepository` is configured in the `config/initializers/shopify_app.rb` file and can be set to any object that implements `self.store(shopify_session)` which stores the session and returns a unique identifier and `self.retrieve(id)` which returns a `ShopifyAPI::Session` for the passed id. See either the `ShopifyApp::InMemorySessionStore` class or the `ShopifyApp::SessionStorage` concern for examples.
 
-If you only run the install generator then by default you will have an in memory store but it **won't work** on multi-server environments including Heroku. If you ran all the generators including the shop_model generator then the Shop model itself will be the `SessionRepository`. If you look at the implementation of the generated shop model you'll see that this gem provides an activerecord mixin for the `SessionRepository`. You can use this mixin on any model that responds to `shopify_domain` and `shopify_token`.
+If you only run the install generator then by default you will have an in memory store but it **won't work** on multi-server environments including Heroku. If you ran all the generators including the shop_model generator then the `Shop` model itself will be the `SessionRepository`. If you look at the implementation of the generated shop model you'll see that this gem provides a concern for the `SessionRepository`. You can use this concern on any model that responds to `shopify_domain` and `shopify_token`.
 
 AuthenticatedController
 -----------------------
 
-The engine includes a controller called `ShopifyApp::AuthenticatedController` which inherits from `ApplicationController`. It adds some before_filters which ensure the user is authenticated and will redirect to the login page if not. It is best practice to have all controllers that belong to the Shopify part of your app inherit from this controller. The HomeController that is generated already inherits from AuthenticatedController.
+The engine includes a controller called `ShopifyApp::AuthenticatedController` which inherits from `ActionController::Base`. It adds some before_filters which ensure the user is authenticated and will redirect to the login page if not. It is best practice to have all controllers that belong to the Shopify part of your app inherit from this controller. The HomeController that is generated already inherits from AuthenticatedController.
 
 AppProxyVerification
 --------------------
@@ -365,23 +431,14 @@ see [TROUBLESHOOTING.md](https://github.com/Shopify/shopify_app/blob/master/docs
 Testing an embedded app outside the Shopify admin
 -------------------------------------------------
 
-By default, loading your embedded app will redirect to the Shopify admin, with the app view loaded in an `iframe`. If you need to load your app outside of the Shopify admin (e.g., for performance testing), you can change `forceRedirect: false` to `true` in `ShopifyApp.init` block in the `embedded_app` view. To keep the redirect on in production but off in your `development` and `test` environments, you can use:
+By default, loading your embedded app will redirect to the Shopify admin, with the app view loaded in an `iframe`. If you need to load your app outside of the Shopify admin (e.g., for performance testing), you can change `forceRedirect: true` to `false` in `ShopifyApp.init` block in the `embedded_app` view. To keep the redirect on in production but off in your `development` and `test` environments, you can use:
 
 ```javascript
 forceRedirect: <%= Rails.env.development? || Rails.env.test? ? 'false' : 'true' %>
 ```
 
-App Tunneling
--------------
-
-For certain features like Application Proxy or Webhooks to receive requests from Shopify, your app needs to be on a publicly visible URL. This can be a hurdle during development or testing on a local machine. Fortunately, this can be overcome by employing a tunneling service like [Forward](https://forwardhq.com/), [RequestBin](https://requestb.in/), [ngrok](https://ngrok.com/) etc. These tools allow you to create a secure tunnel from the public Internet to your local machine.
-
-Tunneling is also useful for working the the embedded app sdk to solve mixed content issues since most tunnles provide ssl.
-
 Questions or problems?
 ----------------------
-http://api.shopify.com <= Read up on the possible API calls!
-
-http://ecommerce.shopify.com/c/shopify-apis-and-technology <= Ask questions!
 
-http://docs.shopify.com/api/the-basics/getting-started <= Read the docs!
+- [Ask questions!](https://ecommerce.shopify.com/c/shopify-apis-and-technology)
+- [Read the docs!](https://help.shopify.com/api/guides)