shopify_app 7.4.0 → 8.5.0

data/app/assets/images/storage_access.svg

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg enable-background="new 0 0 1920 1080" version="1.1" viewBox="0 0 1920 1080" xml:space="preserve" xmlns="http://www.w3.org/2000/svg"><polygon points="1345 330.75 1345 437.24 1224.7 437.24 1224.7 676.56 873.52 676.56 874.04 643.85 1203.2 330.23" fill="#fff"/><path d="m1095.7 677.54c-18.553 0.074-37.107 0.163-55.66 0.126-18.553 0.056-37.107-0.188-55.66-0.233l-13.915-0.063-13.915 0.044-27.83 0.094c-18.553 0.128-37.107-5e-3 -55.66-0.056l-1.266-3e-3 3e-3 -1.259 0.047-22.532-0.093-22.532-0.068-11.266 6e-3 -11.266 0.019-22.532h2.703l0.111 22.532c0.053 7.511 0.06 15.022 0.038 22.532l-0.094 45.065-1.407-1.407c18.553 7e-3 37.107-0.041 55.66 0.086l27.83 0.131 13.915 0.066 13.915-0.028c18.553-8e-3 37.107-0.151 55.66-0.019 18.553 0.099 37.107 0.049 55.66-0.181v2.701z" fill="#0C1238"/><path d="m1225 677.54c-9.24 0.123-18.48 0.187-27.72 0.077l-13.86-0.213c-2.31-0.051-4.62-0.023-6.93 1e-3l-6.93 0.062c-9.24 0.156-18.48 0.076-27.72-0.054-2.31-0.034-4.62 1e-3 -6.93 2e-3l-6.93 0.121c-4.62 0.062-9.24-2e-3 -13.86 3e-3v-2.703c4.62-0.048 9.24-0.165 13.86-0.157l6.93 0.025c2.31 0.027 4.62 0.088 6.93 0.076 9.24-0.024 18.48-0.031 27.72 0.145 4.62 0.038 9.24 0.163 13.86 0.126l13.86-0.081c4.62-0.04 9.24 0.088 13.86 0.101 2.31 0.047 4.62-0.048 6.93-0.065 2.31-0.026 4.62-0.07 6.93-0.169v2.703z" fill="#0C1238"/><path d="m871.68 561.78l-0.13-115.72 0.07-115.72 1e-3 -1.414 1.411 3e-3 117.9 0.228 117.9-0.138 58.951-0.061 58.951 0.072 117.9 0.09 1.218 1e-3 4e-3 1.221 0.156 53.426-0.026 53.426h-2.703l-0.154-53.426 0.04-53.426 1.466 1.466-235.8-0.148-117.9-0.193-117.9 0.087 1.212-1.212-0.084 115.72c-0.058 19.286 0.032 38.573 0.074 57.859l0.15 57.859h-2.705z" fill="#0C1238"/><g fill="#E6E8F0"><circle cx="891.37" cy="344.49" r="6.812"/><circle cx="912.86" cy="345.01" r="6.812"/><circle cx="934.34" cy="345.54" r="6.812"/><path d="m1202.7 352.87h-186.64c-0.552 0-1-0.448-1-1v-11.624c0-0.552 0.448-1 1-1h186.64c0.552 0 1 0.448 1 1v11.624c0 0.552-0.448 1-1 1z" stroke="#F0F3F5" stroke-miterlimit="10"/><rect x="1288.6" y="339.25" width="17.816" height="13.624"/><path d="m1327.4 352.87h-15.816c-0.552 0-1-0.448-1-1v-11.624c0-0.552 0.448-1 1-1h15.816c0.552 0 1 0.448 1 1v11.624c0 0.552-0.447 1-1 1z"/></g><g fill="none" stroke="#8891EA" stroke-miterlimit="10" stroke-width="8"><path d="m1098.3 576.8c-24.295 0-43.99-19.695-43.99-43.99v-29.485c0-2.209 1.791-4 4-4h79.98c2.209 0 4 1.791 4 4v29.485c0 24.295-19.695 43.99-43.99 43.99z"/><path d="m1066 499.33v-12.41c0-17.804 14.433-32.237 32.237-32.237s32.237 14.433 32.237 32.237v12.41"/></g><circle cx="1098.3" cy="529.08" r="8.966" fill="#8891EA"/><line x1="1098.3" x2="1098.3" y1="529.08" y2="546.68" fill="#fff" stroke="#8891EA" stroke-linecap="round" stroke-miterlimit="10" stroke-width="8"/><polygon points="1416.1 676.19 1358 748.57 1416.1 749.77 1225 749.77 1225 659.42 1416.1 437.19" fill="#fff"/><path d="m1415.2 497.07l-0.12-59.83 1.472 1.472-95.89-0.052-47.945-0.135c-15.982-0.023-31.963-0.14-47.945-0.085l1.2-1.2 0.139 78.077c0.086 26.026 4e-3 52.052-0.039 78.077l-0.076 78.077c0.056 26.026 0.201 52.052 0.145 78.077l-1.368-1.368 38.25 0.017v2.703l-38.251 0.1-1.444 4e-3 -6e-3 -1.454c-0.102-26.026-0.045-52.052-0.026-78.077l0.068-78.077 0.067-78.077 0.191-78.077 3e-3 -1.15h1.147l47.945-0.013 47.945-0.051 95.89 0.089 1.121 1e-3 4e-3 1.125 0.226 59.83h-2.703z" fill="#0C1238"/><path d="m1417.9 518.33c0.051 19.268 0.165 38.536 0.128 57.804l-0.022 28.902-0.134 28.902-0.134 28.902 0.061 28.902 0.087 28.902 0.046 14.451-0.034 14.451-3e-3 1.353-1.347-3e-3c-22.64-0.042-45.28-0.192-67.919-0.118l-33.96 0.144-33.96-0.025v-2.703l33.96-0.143 33.96 0.01c11.32 0.049 22.64 0.1 33.96 0.078l33.96-2e-3 -1.409 1.409c-0.03-19.268 0.125-38.536 0.178-57.804l0.103-28.902-0.051-28.902-0.051-28.902 0.081-28.902c0.128-19.268-0.116-38.536-0.204-57.804h2.704z" fill="#0C1238"/><path d="m1400.3 458.72h-160.44c-0.552 0-1-0.448-1-1v-11.624c0-0.552 0.448-1 1-1h160.44c0.552 0 1 0.448 1 1v11.624c0 0.552-0.448 1-1 1z" fill="#E6E8F0" stroke="#F0F3F5" stroke-miterlimit="10"/><path d="m1238.5 467.44c13.587-0.084 27.173-0.121 40.76-0.055l20.38 0.141c6.793 0.061 13.587-0.03 20.38-0.038 13.587-0.116 27.173-0.022 40.76 0.038 6.793 0.029 13.587-0.022 20.38-0.082 6.793-0.046 13.587 0 20.38-5e-3v1.802c-13.587 0.111-27.173 0.144-40.76 0.036-13.587 2e-3 -27.173 0.027-40.76-0.09-6.793-0.025-13.587-0.117-20.38-0.088l-20.38 0.054c-6.793 0.022-13.587-0.048-20.38-0.067-6.793-7e-3 -13.587 0.107-20.38 0.154v-1.8z" fill="#E6E8F0"/><path d="m891.69 362.56c36.392-0.084 72.784-0.121 109.18-0.055l54.588 0.141c18.196 0.062 36.392-0.034 54.588-0.043l218.35-0.043v1.802c-36.392 0.111-72.784 0.144-109.18 0.036l-109.18-0.09-54.588-0.088-54.588 0.054-54.588-0.067-54.588 0.154v-1.801z" fill="#E6E8F0"/><g fill="none" stroke="#8891EA" stroke-miterlimit="10" stroke-width="6"><path d="m1320.6 638.41c-17.878 0-32.371-14.493-32.371-32.371v-21.697c0-1.626 1.318-2.943 2.943-2.943h58.854c1.626 0 2.943 1.318 2.943 2.943v21.697c1e-3 17.878-14.491 32.371-32.369 32.371z"/><path d="m1296.9 581.4v-9.132c0-13.101 10.62-23.722 23.722-23.722 13.101 0 23.722 10.621 23.722 23.722v9.132"/></g><circle cx="1320.6" cy="604.5" r="5.88" fill="#8891EA"/><line x1="1320.6" x2="1320.6" y1="603.3" y2="616.25" fill="#fff" stroke="#8891EA" stroke-linecap="round" stroke-miterlimit="10" stroke-width="6"/><path d="m966.35 697.36l-0.029 13.745c-0.01 1.145 0.011 2.291-0.023 3.436l-0.124 3.436c-0.103 2.291 0.022 4.582 0.121 6.872l-1.912-1.912c10.168-0.857 20.337-0.478 30.505-0.36 5.084 0.104 10.168 0.133 15.252 0.178 5.084 6e-3 10.168 0.199 15.252 0.287l7.626 0.168 7.626 0.264c2.542 0.09 5.084 0.032 7.626 0.023 2.542-0.035 5.084 0.047 7.626 0.065 10.168 0.377 20.337-0.052 30.505 0.201l7.626 0.04c2.542 6e-3 5.084-0.283 7.626-0.394 5.084-0.14 10.168-0.184 15.252-0.268 5.084-0.072 10.168-0.071 15.252-0.204 2.542-0.07 5.084-0.088 7.626-0.118 2.542-0.019 5.084 0.1 7.626 0.143 10.168 0.462 20.337-0.303 30.505 0.192 2.542 0.145 5.084 0.163 7.626 0.139 2.542 0 5.084-0.038 7.626-0.099l15.252-0.314v3.936l-15.252 0.106c-5.084 0.024-10.168 0.012-15.252 0.3-10.168 0.483-20.337-0.281-30.505-0.213-20.337-1.165-40.673 0.704-61.01-0.137-2.542 0.117-5.084 0.33-7.626 0.382-2.542 0.092-5.084 0.173-7.626-0.018s-5.084-0.219-7.626-0.183c-2.542-2e-3 -5.084 0.099-7.626 0.081-2.542-0.027-5.084 0.026-7.626-0.066-1.271-0.039-2.542-0.079-3.813-0.09-1.271-0.022-2.542-0.05-3.813 0.018-2.542 0.097-5.084 0.355-7.626 0.327-1.271-0.037-2.542-0.06-3.813-0.12l-3.813-0.238c-2.542-0.162-5.084-0.324-7.626-0.268-2.542 0.109-5.084-0.092-7.626-0.222-2.542-0.112-5.084-0.326-7.626-0.371-2.542-0.094-5.084-0.061-7.626-0.038-5.084 0.101-10.168 0.266-15.252 0.414-2.542 0.071-5.084 0.122-7.626 0.123l-7.626-0.19-1.598-0.04 0.032-1.527c0.047-2.291 0.153-4.582 9e-3 -6.872l-0.162-3.436c-0.047-1.145-0.04-2.291-0.062-3.436l-0.186-13.745h3.934z" fill="#E6E8F0"/><path d="m1434.8 722.88l16.096 0.019 8.048 0.01c2.683 0.018 5.365-0.029 8.048 0.05l-1.89 1.89c0.07-3.44 0.218-6.88 0.086-10.32l-0.312-10.32c-0.261-6.88-0.364-13.76-0.339-20.639l0.314-41.279c0.052-6.88 0.033-13.76 0.144-20.639l0.275-20.639c0.057-6.88 0.274-13.76 0.375-20.639 0.058-6.88-0.069-13.76 0.033-20.639l0.226-20.639-0.071-10.32-0.046-5.16 0.032-5.16 0.11-20.639c0.012-3.44 0.045-6.88-0.068-10.32-0.149-3.44-0.261-6.88-0.361-10.32l-0.328-41.279c-0.074-6.88-0.188-13.76-0.211-20.639 0.028-6.88 0.177-13.76 0.261-20.639l1.77 1.77c-4.37-0.095-8.74 1e-3 -13.111 1e-3l-13.111 0.063c-4.37 1e-3 -8.74 0.084-13.111 0.016l-13.111-0.231c-4.37-0.118-8.74-0.058-13.111-0.055-4.37-4e-3 -8.74 0.077-13.111 0.113l-26.221 0.29v-3.936l26.221-0.107 13.111-0.052c4.37-0.026 8.74 2e-3 13.111-0.14l13.111-0.262c4.37-0.066 8.74 0.04 13.111 0.051l26.221 0.283 2.211 0.024-0.016 2.172c-0.049 6.88-0.045 13.76-0.139 20.639-0.152 6.88-0.325 13.76-0.304 20.639l0.499 41.279c-0.024 1.72-0.037 3.44-0.138 5.16l-0.297 5.16c-0.137 3.44-0.045 6.88 0.01 10.32 0.12 6.88 0.479 13.76 0.59 20.639 0.273 6.88-0.127 13.76-0.227 20.639-0.014 6.88 0.146 13.76 0.091 20.639 0.051 6.88-0.202 13.76-0.162 20.639 0.04 3.44 0.226 6.88 0.324 10.32 0.061 3.44 4e-3 6.88-0.082 10.32l-0.356 10.32c-0.047 1.72-0.141 3.44-0.149 5.16l2e-3 5.16c-0.012 1.72 0.032 3.44-0.026 5.16l-0.164 5.16-0.335 10.32c-0.306 13.76 0.065 27.519 0.289 41.279 0.074 3.44 0.091 6.88 0.13 10.32 0.059 3.44-0.071 6.88-0.098 10.32l-0.153 10.32c-0.053 1.72 0.021 3.44 0.049 5.16l0.139 5.16 0.044 1.627-1.73 0.06c-2.683 0.093-5.365 0.065-8.048 0.1l-8.048 0.061-16.096 0.121v-3.941z" fill="#E6E8F0"/></svg>

data/app/assets/javascripts/shopify_app/enable_cookies.js

@@ -0,0 +1,3 @@
+//= require ./itp_helper.js
+//= require ./storage_access.js
+//= require ./partition_cookies.js

data/app/assets/javascripts/shopify_app/itp_helper.js

@@ -0,0 +1,40 @@
+(function() {
+  function ITPHelper(opts) {
+    this.itpContent = document.getElementById('TopLevelInteractionContent');
+    this.itpAction = document.getElementById('TopLevelInteractionButton');
+    this.redirectUrl = opts.redirectUrl;
+  }
+  
+  ITPHelper.prototype.redirect = function() {
+    sessionStorage.setItem('shopify.top_level_interaction', true);
+    window.location.href = this.redirectUrl;
+  }
+  
+  ITPHelper.prototype.userAgentIsAffected = function() {
+    return Boolean(document.hasStorageAccess);
+  }
+  
+  ITPHelper.prototype.canPartitionCookies = function() {
+    var versionRegEx = /Version\/12\.0\.?\d? Safari/;
+    return versionRegEx.test(navigator.userAgent);
+  }
+  
+  ITPHelper.prototype.setUpContent = function(onClick) {
+    this.itpContent.style.display = 'block';
+    this.itpAction.addEventListener('click', this.redirect.bind(this));
+  }
+  
+  ITPHelper.prototype.execute = function() {
+    if (!this.itpContent) {
+      return;
+    }
+  
+    if (this.userAgentIsAffected()) {
+      this.setUpContent();
+    } else {
+      this.redirect();
+    }
+  }
+
+  this.ITPHelper = ITPHelper;
+})(window);

data/app/assets/javascripts/shopify_app/partition_cookies.js

@@ -0,0 +1,7 @@
+(function() {
+  document.addEventListener("DOMContentLoaded", function() {
+    var storageAccessHelper = new StorageAccessHelper();
+    storageAccessHelper.execute();
+  });
+})();
+

data/app/assets/javascripts/shopify_app/redirect.js

@@ -0,0 +1,33 @@
+(function() {
+  function redirect() {
+    var redirectTargetElement = document.getElementById("redirection-target");
+
+    if (!redirectTargetElement) {
+      return;
+    }
+
+    var targetInfo = JSON.parse(redirectTargetElement.dataset.target)
+
+    if (window.top == window.self) {
+      // If the current window is the 'parent', change the URL by setting location.href
+      window.top.location.href = targetInfo.url;
+    } else {
+      // If the current window is the 'child', change the parent's URL with postMessage
+      normalizedLink = document.createElement('a');
+      normalizedLink.href = targetInfo.url;
+
+      data = JSON.stringify({
+        message: 'Shopify.API.remoteRedirect',
+        data: {location: normalizedLink.href}
+      });
+      window.parent.postMessage(data, targetInfo.myshopifyUrl);
+    }
+  }
+
+  document.addEventListener("DOMContentLoaded", redirect);
+
+  // In the turbolinks context, neither DOMContentLoaded nor turbolinks:load
+  // consistently fires. This ensures that we at least attempt to fire in the
+  // turbolinks situation as well.
+  redirect();
+})();

data/app/assets/javascripts/shopify_app/request_storage_access.js

@@ -0,0 +1,3 @@
+//= require ./itp_helper.js
+//= require ./storage_access.js
+//= require ./storage_access_redirect.js

data/app/assets/javascripts/shopify_app/storage_access.js

@@ -0,0 +1,121 @@
+(function() {
+  var ACCESS_GRANTED_STATUS = 'storage_access_granted';
+  var ACCESS_DENIED_STATUS = 'storage_access_denied';
+
+  function StorageAccessHelper(redirectData) {
+    this.redirectData = redirectData;
+  }
+
+  StorageAccessHelper.prototype.setNormalizedLink = function(storageAccessStatus) {
+    return storageAccessStatus === ACCESS_GRANTED_STATUS ? this.redirectData.hasStorageAccessUrl : this.redirectData.doesNotHaveStorageAccessUrl;
+  }
+
+  StorageAccessHelper.prototype.redirectToAppTLD = function(storageAccessStatus) {
+    var normalizedLink = document.createElement('a');
+
+    normalizedLink.href = this.setNormalizedLink(storageAccessStatus);
+
+    data = JSON.stringify({
+      message: 'Shopify.API.remoteRedirect',
+      data: {
+        location: normalizedLink.href,
+      }
+    });
+    window.parent.postMessage(data, this.redirectData.myshopifyUrl);
+  }
+
+  StorageAccessHelper.prototype.redirectToAppsIndex = function() {
+    window.parent.location.href = this.redirectData.myshopifyUrl + '/admin/apps';
+  }
+
+  StorageAccessHelper.prototype.redirectToAppHome = function() {
+    window.location.href = this.redirectData.appHomeUrl;
+  }
+
+  StorageAccessHelper.prototype.grantedStorageAccess = function() {
+    try {
+      sessionStorage.setItem('shopify.granted_storage_access', true);
+      document.cookie = 'shopify.granted_storage_access=true';
+      this.redirectToAppHome();
+    } catch (error) {
+      console.warn('Third party cookies may be blocked.', error);
+      this.redirectToAppTLD(ACCESS_DENIED_STATUS);
+    }
+  }
+
+  StorageAccessHelper.prototype.handleRequestStorageAccess = function() {
+    return document.requestStorageAccess().then(this.grantedStorageAccess.bind(this), this.redirectToAppsIndex.bind(this, ACCESS_DENIED_STATUS));
+  }
+
+  StorageAccessHelper.prototype.setupRequestStorageAccess = function() {
+    var requestContent = document.getElementById('RequestStorageAccess');
+    var requestButton = document.getElementById('TriggerAllowCookiesPrompt');
+
+    requestButton.addEventListener('click', this.handleRequestStorageAccess.bind(this));
+    requestContent.style.display = 'block';
+  }
+
+  StorageAccessHelper.prototype.handleHasStorageAccess = function() {
+    if (sessionStorage.getItem('shopify.granted_storage_access')) {
+      // If app was classified by ITP and used Storage Access API to acquire access
+      this.redirectToAppHome();
+    } else {
+      // If app has not been classified by ITP and still has storage access
+      this.redirectToAppTLD(ACCESS_GRANTED_STATUS);
+    }
+  }
+
+  StorageAccessHelper.prototype.handleGetStorageAccess = function() {
+    if (sessionStorage.getItem('shopify.top_level_interaction')) {
+      // If merchant has been redirected to interact with TLD (requirement for prompting request to gain storage access)
+      this.setupRequestStorageAccess();
+    } else {
+      // If merchant has not been redirected to interact with TLD (requirement for prompting request to gain storage access)
+      this.redirectToAppTLD(ACCESS_DENIED_STATUS);
+    }
+  }
+
+  StorageAccessHelper.prototype.manageStorageAccess = function() {
+    return document.hasStorageAccess().then(function(hasAccess) {
+      if (hasAccess) {
+        this.handleHasStorageAccess();
+      } else {
+        this.handleGetStorageAccess();
+      }
+    }.bind(this));
+  }
+
+  StorageAccessHelper.prototype.execute = function() {
+    if (ITPHelper.prototype.canPartitionCookies()) {
+      this.setUpCookiePartitioning();
+      return;
+    }
+
+    if (ITPHelper.prototype.userAgentIsAffected()) {
+      this.manageStorageAccess();
+    } else {
+      this.grantedStorageAccess();
+    }
+  }
+
+  /* ITP 2.0 solution: handles cookie partitioning */
+  StorageAccessHelper.prototype.setUpHelper = function() {
+    return new ITPHelper({redirectUrl: window.shopOrigin + "/admin/apps/" + window.apiKey});
+  }
+
+  StorageAccessHelper.prototype.setCookieAndRedirect = function() {
+    document.cookie = "shopify.cookies_persist=true";
+    var helper = this.setUpHelper();
+    helper.redirect();
+  }
+
+  StorageAccessHelper.prototype.setUpCookiePartitioning = function() {
+    var itpContent = document.getElementById('CookiePartitionPrompt');
+    itpContent.style.display = 'block';
+
+    var button = document.getElementById('AcceptCookies');
+    button.addEventListener('click', this.setCookieAndRedirect.bind(this));
+  }
+
+  this.StorageAccessHelper = StorageAccessHelper;
+})(window);

data/app/assets/javascripts/shopify_app/storage_access_redirect.js

@@ -0,0 +1,17 @@
+(function() {
+  function redirect() {
+    var redirectTargetElement = document.getElementById("redirection-target");
+
+    var targetInfo = JSON.parse(redirectTargetElement.dataset.target)
+
+    if (window.top == window.self) {
+      // If the current window is the 'parent', change the URL by setting location.href
+      window.top.location.href = targetInfo.hasStorageAccessUrl;
+    } else {
+        var storageAccessHelper = new StorageAccessHelper(targetInfo);
+        storageAccessHelper.execute();
+    }
+  }
+
+  document.addEventListener("DOMContentLoaded", redirect);
+})();

data/app/assets/javascripts/shopify_app/top_level.js

@@ -0,0 +1,2 @@
+//= require ./itp_helper.js
+//= require ./top_level_interaction.js

data/app/assets/javascripts/shopify_app/top_level_interaction.js

@@ -0,0 +1,11 @@
+(function() {
+  function setUpTopLevelInteraction() {
+    var TopLevelInteraction = new ITPHelper({
+      redirectUrl: window.redirectUrl,
+    });
+
+    TopLevelInteraction.execute();
+  }
+
+  document.addEventListener("DOMContentLoaded", setUpTopLevelInteraction);
+})();

data/app/controllers/shopify_app/authenticated_controller.rb

@@ -1,12 +1,11 @@
 module ShopifyApp
-  class AuthenticatedController < ApplicationController
+  class AuthenticatedController < ActionController::Base
     include ShopifyApp::Localization
     include ShopifyApp::LoginProtection
+    include ShopifyApp::EmbeddedApp
 
-    before_action :set_locale
+    protect_from_forgery with: :exception
     before_action :login_again_if_different_shop
     around_action :shopify_session
-
-    layout ShopifyApp.configuration.embedded_app? ? 'embedded_app' : 'application'
   end
 end

data/{lib/shopify_app/sessions_concern.rb → app/controllers/shopify_app/callback_controller.rb}

@@ -1,19 +1,9 @@
-module ShopifyApp
-  module SessionsConcern
-    extend ActiveSupport::Concern
-
-    included do
-      include ShopifyApp::LoginProtection
-      layout false, only: :new
-    end
+# frozen_string_literal: true
 
-    def new
-      authenticate if sanitized_shop_name.present?
-    end
-
-    def create
-      authenticate
-    end
+module ShopifyApp
+  # Performs login after OAuth completes
+  class CallbackController < ActionController::Base
+    include ShopifyApp::LoginProtection
 
     def callback
       if auth_hash
@@ -29,27 +19,11 @@ module ShopifyApp
       end
     end
 
-    def destroy
-      session[:shopify] = nil
-      session[:shopify_domain] = nil
-      flash[:notice] = I18n.t('.logged_out')
-      redirect_to login_url
-    end
-
-    protected
-
-    def authenticate
-      if sanitized_shop_name.present?
-        fullpage_redirect_to "#{main_app.root_path}auth/shopify?shop=#{sanitized_shop_name}"
-      else
-        redirect_to return_address
-      end
-    end
+    private
 
     def login_shop
-      sess = ShopifyAPI::Session.new(shop_name, token)
-      session[:shopify] = ShopifyApp::SessionRepository.store(sess)
-      session[:shopify_domain] = shop_name
+      reset_session_options
+      set_shopify_session
     end
 
     def auth_hash
@@ -60,10 +34,29 @@ module ShopifyApp
       auth_hash.uid
     end
 
+    def associated_user
+      return unless auth_hash['extra'].present?
+
+      auth_hash['extra']['associated_user']
+    end
+
     def token
       auth_hash['credentials']['token']
     end
 
+    def reset_session_options
+      request.session_options[:renew] = true
+      session.delete(:_csrf_token)
+    end
+
+    def set_shopify_session
+      session_store = ShopifyAPI::Session.new(shop_name, token)
+
+      session[:shopify] = ShopifyApp::SessionRepository.store(session_store)
+      session[:shopify_domain] = shop_name
+      session[:shopify_user] = associated_user
+    end
+
     def install_webhooks
       return unless ShopifyApp.configuration.has_webhooks?
 
@@ -84,10 +77,6 @@ module ShopifyApp
       )
     end
 
-    def return_address
-      session.delete(:return_to) || main_app.root_url
-    end
-
     def perform_after_authenticate_job
       config = ShopifyApp.configuration.after_authenticate_job
 

data/app/controllers/shopify_app/sessions_controller.rb

@@ -1,5 +1,123 @@
 module ShopifyApp
-  class SessionsController < ApplicationController
-    include ShopifyApp::SessionsConcern
+  class SessionsController < ActionController::Base
+    include ShopifyApp::LoginProtection
+
+    layout false, only: :new
+    after_action only: [:new, :create] do |controller|
+      controller.response.headers.except!('X-Frame-Options')
+    end
+
+    def new
+      authenticate if sanitized_shop_name.present?
+    end
+
+    def create
+      authenticate
+    end
+
+    def enable_cookies
+      validate_shop
+    end
+
+    def top_level_interaction
+      @url = login_url(top_level: true)
+      validate_shop
+    end
+
+    def granted_storage_access
+      return unless validate_shop
+
+      session['shopify.granted_storage_access'] = true
+
+      params = { shop: @shop }
+      redirect_to "#{ShopifyApp.configuration.root_url}?#{params.to_query}"
+    end
+
+    def destroy
+      reset_session
+      flash[:notice] = I18n.t('.logged_out')
+      redirect_to login_url
+    end
+
+    private
+
+    def authenticate
+      return render_invalid_shop_error unless sanitized_shop_name.present?
+      session['shopify.omniauth_params'] = { shop: sanitized_shop_name }
+
+      if user_agent_can_partition_cookies
+        authenticate_with_partitioning
+      else
+        authenticate_normally
+      end
+    end
+
+    def authenticate_normally
+      if request_storage_access?
+        redirect_to_request_storage_access
+      elsif authenticate_in_context?
+        authenticate_in_context
+      else
+        authenticate_at_top_level
+      end
+    end
+
+    def authenticate_with_partitioning
+      if session['shopify.cookies_persist']
+        clear_top_level_oauth_cookie
+        authenticate_in_context
+      else
+        set_top_level_oauth_cookie
+        fullpage_redirect_to enable_cookies_path(shop: sanitized_shop_name)
+      end
+    end
+
+    def validate_shop
+      @shop = sanitized_shop_name
+      unless @shop
+        render_invalid_shop_error
+        return false
+      end
+
+      true
+    end
+
+    def render_invalid_shop_error
+      flash[:error] = I18n.t('invalid_shop_url')
+      redirect_to return_address
+    end
+
+    def authenticate_in_context
+      redirect_to "#{main_app.root_path}auth/shopify"
+    end
+
+    def authenticate_at_top_level
+      fullpage_redirect_to login_url(top_level: true)
+    end
+
+    def authenticate_in_context?
+      return true unless ShopifyApp.configuration.embedded_app?
+      params[:top_level]
+    end
+
+    def request_storage_access?
+      return false unless ShopifyApp.configuration.embedded_app?
+      return false if params[:top_level]
+      return false if user_agent_is_mobile
+      return false if user_agent_is_pos
+
+      !session['shopify.granted_storage_access']
+    end
+
+    def redirect_to_request_storage_access
+      render :request_storage_access, layout: false, locals: {
+        does_not_have_storage_access_url: top_level_interaction_path(
+          shop: sanitized_shop_name
+        ),
+        has_storage_access_url: login_url(top_level: true),
+        app_home_url: granted_storage_access_path(shop: sanitized_shop_name),
+        current_shopify_domain: current_shopify_domain
+      }
+    end
   end
 end