shopify_app 9.0.0 → 12.0.5

data/app/assets/javascripts/shopify_app/itp_helper.js

@@ -4,31 +4,31 @@
     this.itpAction = document.getElementById('TopLevelInteractionButton');
     this.redirectUrl = opts.redirectUrl;
   }
-  
+
   ITPHelper.prototype.redirect = function() {
     sessionStorage.setItem('shopify.top_level_interaction', true);
     window.location.href = this.redirectUrl;
   }
-  
+
   ITPHelper.prototype.userAgentIsAffected = function() {
     return Boolean(document.hasStorageAccess);
   }
-  
+
   ITPHelper.prototype.canPartitionCookies = function() {
     var versionRegEx = /Version\/12\.0\.?\d? Safari/;
     return versionRegEx.test(navigator.userAgent);
   }
-  
+
   ITPHelper.prototype.setUpContent = function(onClick) {
     this.itpContent.style.display = 'block';
     this.itpAction.addEventListener('click', this.redirect.bind(this));
   }
-  
+
   ITPHelper.prototype.execute = function() {
     if (!this.itpContent) {
       return;
     }
-  
+
     if (this.userAgentIsAffected()) {
       this.setUpContent();
     } else {

data/app/assets/javascripts/shopify_app/storage_access.js

@@ -28,18 +28,47 @@
     window.parent.location.href = this.redirectData.myshopifyUrl + '/admin/apps';
   }
 
-  StorageAccessHelper.prototype.redirectToAppHome = function() {
-    window.location.href = this.redirectData.appHomeUrl;
+  StorageAccessHelper.prototype.redirectToAppTargetUrl = function() {
+    window.location.href = this.redirectData.appTargetUrl;
+  }
+
+  StorageAccessHelper.prototype.sameSiteNoneIncompatible = function(ua) {
+    return ua.includes("iPhone OS 12_") || ua.includes("iPad; CPU OS 12_") || //iOS 12
+    (ua.includes("UCBrowser/")
+        ? this.isOlderUcBrowser(ua) //UC Browser < 12.13.2
+        : (ua.includes("Chrome/5") || ua.includes("Chrome/6"))) ||
+    ua.includes("Chromium/5") || ua.includes("Chromium/6") ||
+    (ua.includes(" OS X 10_14_") &&
+        ((ua.includes("Version/") && ua.includes("Safari")) || //Safari on MacOS 10.14
+        ua.endsWith("(KHTML, like Gecko)"))); //Web view on MacOS 10.14
+  }
+
+  StorageAccessHelper.prototype.isOlderUcBrowser = function(ua) {
+    var match = ua.match(/UCBrowser\/(\d+)\.(\d+)\.(\d+)\./);
+    if (!match) return false;
+    var major = parseInt(match[1]);
+    var minor = parseInt(match[2]);
+    var build = parseInt(match[3]);
+    if (major != 12) return major < 12;
+    if (minor != 13) return minor < 13;
+    return build < 2;
+  }
+
+  StorageAccessHelper.prototype.setCookie = function(value) {
+    if(!this.sameSiteNoneIncompatible(navigator.userAgent)) {
+      value += '; secure; SameSite=None'
+    }
+    document.cookie = value;
   }
 
   StorageAccessHelper.prototype.grantedStorageAccess = function() {
     try {
       sessionStorage.setItem('shopify.granted_storage_access', true);
-      document.cookie = 'shopify.granted_storage_access=true';
+      this.setCookie('shopify.granted_storage_access=true');
       if (!document.cookie) {
         throw 'Cannot set third-party cookie.'
       }
-      this.redirectToAppHome();
+      this.redirectToAppTargetUrl();
     } catch (error) {
       console.warn('Third party cookies may be blocked.', error);
       this.redirectToAppTLD(ACCESS_DENIED_STATUS);
@@ -61,7 +90,7 @@
   StorageAccessHelper.prototype.handleHasStorageAccess = function() {
     if (sessionStorage.getItem('shopify.granted_storage_access')) {
       // If app was classified by ITP and used Storage Access API to acquire access
-      this.redirectToAppHome();
+      this.redirectToAppTargetUrl();
     } else {
       // If app has not been classified by ITP and still has storage access
       this.redirectToAppTLD(ACCESS_GRANTED_STATUS);
@@ -103,11 +132,11 @@
 
   /* ITP 2.0 solution: handles cookie partitioning */
   StorageAccessHelper.prototype.setUpHelper = function() {
-    return new ITPHelper({redirectUrl: window.shopOrigin + "/admin/apps/" + window.apiKey});
+    return new ITPHelper({redirectUrl: window.shopOrigin + "/admin/apps/" + window.apiKey + window.returnTo});
   }
 
   StorageAccessHelper.prototype.setCookieAndRedirect = function() {
-    document.cookie = "shopify.cookies_persist=true";
+    this.setCookie('shopify.cookies_persist=true');
     var helper = this.setUpHelper();
     helper.redirect();
   }

data/app/controllers/concerns/shopify_app/authenticated.rb

@@ -8,7 +8,7 @@ module ShopifyApp
       include ShopifyApp::Localization
       include ShopifyApp::LoginProtection
       include ShopifyApp::EmbeddedApp
-      before_action :login_again_if_different_shop
+      before_action :login_again_if_different_user_or_shop
       around_action :shopify_session
     end
   end

data/app/controllers/shopify_app/callback_controller.rb

@@ -15,7 +15,7 @@ module ShopifyApp
         redirect_to return_address
       else
         flash[:error] = I18n.t('could_not_log_in')
-        redirect_to login_url
+        redirect_to(login_url_with_optional_shop)
       end
     end
 
@@ -55,10 +55,16 @@ module ShopifyApp
         token: token,
         api_version: ShopifyApp.configuration.api_version
       )
-
-      session[:shopify] = ShopifyApp::SessionRepository.store(session_store)
+      session[:shopify] = ShopifyApp::SessionRepository.store(session_store, user: associated_user)
       session[:shopify_domain] = shop_name
       session[:shopify_user] = associated_user
+
+      if ShopifyApp.configuration.per_user_tokens?
+        # Adds the user_session to the session to determine if the logged in user has changed
+        user_session = auth_hash&.extra&.session
+        raise IndexError, "Missing user session signature" if user_session.nil?
+        session[:user_session] = user_session
+      end
     end
 
     def install_webhooks
@@ -86,10 +92,13 @@ module ShopifyApp
 
       return unless config && config[:job].present?
 
+      job = config[:job]
+      job = job.constantize if job.is_a?(String)
+
       if config[:inline] == true
-        config[:job].perform_now(shop_domain: session[:shopify_domain])
+        job.perform_now(shop_domain: session[:shopify_domain])
       else
-        config[:job].perform_later(shop_domain: session[:shopify_domain])
+        job.perform_later(shop_domain: session[:shopify_domain])
       end
     end
   end

data/app/controllers/shopify_app/extension_verification_controller.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  class ExtensionVerificationController < ActionController::Base
+    protect_from_forgery with: :null_session
+    before_action :verify_request
+
+    private
+
+    def verify_request
+      hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
+      request_body = request.body.read
+      secret = ShopifyApp.configuration.secret
+      digest = OpenSSL::Digest.new('sha256')
+
+      expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
+      head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
+    end
+  end
+end

data/app/controllers/shopify_app/sessions_controller.rb

@@ -20,16 +20,20 @@ module ShopifyApp
 
       render(:enable_cookies, layout: false, locals: {
         does_not_have_storage_access_url: top_level_interaction_path(
-          shop: sanitized_shop_name
+          shop: sanitized_shop_name,
+          return_to: params[:return_to]
         ),
-        has_storage_access_url: login_url(top_level: true),
-        app_home_url: granted_storage_access_path(shop: sanitized_shop_name),
-        current_shopify_domain: current_shopify_domain,
+        has_storage_access_url: login_url_with_optional_shop(top_level: true),
+        app_target_url: granted_storage_access_path(
+          shop: sanitized_shop_name,
+          return_to: params[:return_to]
+        ),
+        current_shopify_domain: current_shopify_domain
       })
     end
 
     def top_level_interaction
-      @url = login_url(top_level: true)
+      @url = login_url_with_optional_shop(top_level: true)
       validate_shop
     end
 
@@ -38,14 +42,15 @@ module ShopifyApp
 
       session['shopify.granted_storage_access'] = true
 
-      params = { shop: @shop }
-      redirect_to "#{ShopifyApp.configuration.root_url}?#{params.to_query}"
+      copy_return_to_param_to_session
+
+      redirect_to(return_address_with_params({ shop: @shop }))
     end
 
     def destroy
       reset_session
       flash[:notice] = I18n.t('.logged_out')
-      redirect_to login_url
+      redirect_to(login_url_with_optional_shop)
     end
 
     private
@@ -54,6 +59,8 @@ module ShopifyApp
       return render_invalid_shop_error unless sanitized_shop_name.present?
       session['shopify.omniauth_params'] = { shop: sanitized_shop_name }
 
+      copy_return_to_param_to_session
+
       if user_agent_can_partition_cookies
         authenticate_with_partitioning
       else
@@ -77,7 +84,7 @@ module ShopifyApp
         authenticate_in_context
       else
         set_top_level_oauth_cookie
-        fullpage_redirect_to enable_cookies_path(shop: sanitized_shop_name)
+        enable_cookie_access
       end
     end
 
@@ -91,17 +98,28 @@ module ShopifyApp
       true
     end
 
+    def copy_return_to_param_to_session
+      session[:return_to] = params[:return_to] if params[:return_to]
+    end
+
     def render_invalid_shop_error
       flash[:error] = I18n.t('invalid_shop_url')
       redirect_to return_address
     end
 
+    def enable_cookie_access
+      fullpage_redirect_to(enable_cookies_path(
+        shop: sanitized_shop_name,
+        return_to: session[:return_to]
+      ))
+    end
+
     def authenticate_in_context
       redirect_to "#{main_app.root_path}auth/shopify"
     end
 
     def authenticate_at_top_level
-      fullpage_redirect_to login_url(top_level: true)
+      fullpage_redirect_to(login_url_with_optional_shop(top_level: true))
     end
 
     def authenticate_in_context?
@@ -119,14 +137,22 @@ module ShopifyApp
     end
 
     def redirect_to_request_storage_access
-      render :request_storage_access, layout: false, locals: {
-        does_not_have_storage_access_url: top_level_interaction_path(
-          shop: sanitized_shop_name
-        ),
-        has_storage_access_url: login_url(top_level: true),
-        app_home_url: granted_storage_access_path(shop: sanitized_shop_name),
-        current_shopify_domain: current_shopify_domain
-      }
+      render(
+        :request_storage_access,
+        layout: false,
+        locals: {
+          does_not_have_storage_access_url: top_level_interaction_path(
+            shop: sanitized_shop_name,
+            return_to: session[:return_to]
+          ),
+          has_storage_access_url: login_url_with_optional_shop(top_level: true),
+          app_target_url: granted_storage_access_path(
+            shop: sanitized_shop_name,
+            return_to: session[:return_to]
+          ),
+          current_shopify_domain: current_shopify_domain
+        }
+      )
     end
   end
 end

data/app/views/shopify_app/sessions/enable_cookies.html.erb

@@ -2,6 +2,7 @@
 <html lang="<%= I18n.locale %>">
 <head>
   <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
   <base target="_top">
   <title>Redirecting…</title>
   <%= render 'shopify_app/partials/layout_styles' %>
@@ -16,6 +17,7 @@
   <script>
     window.apiKey = "<%= ShopifyApp.configuration.api_key %>";
     window.shopOrigin = "https://<%= @shop %>";
+    window.returnTo = "<%= params[:return_to] %>"
   </script>
 
   <%= javascript_include_tag('shopify_app/enable_cookies', crossorigin: 'anonymous', integrity: true) %>
@@ -30,7 +32,7 @@
           myshopifyUrl: "https://#{current_shopify_domain}",
           hasStorageAccessUrl: "#{has_storage_access_url}",
           doesNotHaveStorageAccessUrl: "#{does_not_have_storage_access_url}",
-          appHomeUrl: "#{app_home_url}"
+          appTargetUrl: "#{app_target_url}"
         },
       },
     )

data/app/views/shopify_app/sessions/request_storage_access.html.erb

@@ -2,6 +2,7 @@
 <html lang="<%= I18n.locale %>">
 <head>
   <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
   <base target="_top">
   <title>Redirecting…</title>
   <%= render 'shopify_app/partials/layout_styles' %>
@@ -23,7 +24,7 @@
                       myshopifyUrl: "https://#{current_shopify_domain}",
                       hasStorageAccessUrl: "#{has_storage_access_url}",
                       doesNotHaveStorageAccessUrl: "#{does_not_have_storage_access_url}",
-                      appHomeUrl: "#{app_home_url}"
+                      appTargetUrl: "#{app_target_url}"
                   },
               },
               )

data/app/views/shopify_app/sessions/top_level_interaction.html.erb

@@ -2,6 +2,7 @@
 <html lang="<%= I18n.locale %>">
 <head>
   <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
   <base target="_top">
   <title>Redirecting…</title>
   <%= render 'shopify_app/partials/layout_styles' %>

data/app/views/shopify_app/shared/redirect.html.erb

@@ -2,6 +2,7 @@
 <html lang="en">
 <head>
   <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
   <base target="_top">
   <title>Redirecting…</title>
   <%= javascript_include_tag('shopify_app/redirect', crossorigin: 'anonymous', integrity: true) %>

data/config/locales/cs.yml

@@ -0,0 +1,23 @@
+---
+cs:
+  logged_out: Odhlášení proběhlo úspěšně
+  could_not_log_in: Nelze se přihlásit do obchodu Shopify
+  invalid_shop_url: Neplatná doména obchodu
+  enable_cookies_heading: Zapnout soubory cookie z aplikace %{app}
+  enable_cookies_body: Pokud chcete v Shopify používat aplikaci %{app}, musíte soubory
+    cookie v tomto prohlížeči povolit ručně.
+  enable_cookies_footer: Soubory cookie umožňují, aby vás aplikace ověřila pomocí
+    dočasného uchování preferencí a osobních údajů. Jejich platnost vyprší po 30 dnech.
+  enable_cookies_action: Povolit soubory cookie
+  top_level_interaction_heading: Váš prohlížeč potřebuje ověřit aplikaci %{app}
+  top_level_interaction_body: Váš prohlížeč vyžaduje, aby si od vás aplikace, jako
+    je %{app}, nejdřív vyžádaly přístup k souborům cookie, než je pro vás Shopify
+    otevře.
+  top_level_interaction_action: Pokračovat
+  request_storage_access_heading: Aplikace %{app} potřebuje získat přístup k souborům
+    cookie
+  request_storage_access_body: Tato aplikace vám umožní ověření prostřednictvím dočasného
+    uchování vašich osobních údajů. Pokud chcete používat tuto aplikaci, klikněte
+    na tlačítko Pokračovat a povolte soubory cookie.
+  request_storage_access_footer: Platnost souborů cookie vyprší po 30 dnech.
+  request_storage_access_action: Pokračovat

data/config/locales/da.yml

@@ -0,0 +1,20 @@
+---
+da:
+  logged_out: Logget ud
+  could_not_log_in: Kunne ikke logge ind på Shopify-butik
+  invalid_shop_url: Ugyldig butiksdomæne
+  enable_cookies_heading: Aktivér cookies fra %{app}
+  enable_cookies_body: Du skal manuelt aktivere cookies i denne browser for at kunne
+    bruge %{app} i Shopify.
+  enable_cookies_footer: Cookies lader appen godkende dig ved at gemme dine præferencer
+    og personlige oplysninger midlertidigt. De udløber efter 30 dage.
+  enable_cookies_action: Aktivér cookies
+  top_level_interaction_heading: Din browser skal godkende %{app}
+  top_level_interaction_body: Din browser kræver, at apps som f.eks. %{app} spørger
+    dig om adgang til cookies, inden Shopify kan åbne den for dig.
+  top_level_interaction_action: Fortsæt
+  request_storage_access_heading: "%{app} skal have adgang til cookies"
+  request_storage_access_body: Det lader appen godkende dig ved at gemme dine personlige
+    oplysninger midlertidigt. Klik på forsæt, og tillad cookies for at bruge appen.
+  request_storage_access_footer: Cookies udløber efter 30 dage.
+  request_storage_access_action: Fortsæt

data/config/locales/de.yml

@@ -7,16 +7,16 @@ de:
   enable_cookies_body: Sie müssen Cookies in diesem Browser manuell aktivieren, um
     %{app} in Shopify verwenden zu können.
   enable_cookies_footer: Mithilfe von Cookies kann die App Sie authentifizieren, indem
-    Ihre Einstellungen und persönlichen Informationen vorübergehend gespeichert werden.
+    Ihre Einstellungen und personenbezogenen Daten vorübergehend gespeichert werden.
     Sie laufen nach 30 Tagen ab.
   enable_cookies_action: Cookies aktivieren
   top_level_interaction_heading: Ihr Browser muss %{app} authentifizieren
-  top_level_interaction_body: Ihr Browser verlangt, dass Apps von Drittanbietern wie
-    %{app} Sie um Zugriff auf Cookies bitten, bevor Shopify sie für Sie öffnen kann.
+  top_level_interaction_body: Ihr Browser verlangt, dass Apps wie %{app} Sie um Zugriff
+    auf Cookies bitten, bevor Shopify sie für Sie öffnen kann.
   top_level_interaction_action: Weiter
   request_storage_access_heading: "%{app} braucht Zugriff auf Cookies"
   request_storage_access_body: Damit kann die App Sie authentifizieren, indem Ihre
-    Einstellungen und persönlichen Informationen vorübergehend gespeichert werden.
-    Klicken Sie auf "Weiter" und erlauben Sie den Cookies, die App zu verwenden.
+    Einstellungen und personenbezogenen Daten vorübergehend gespeichert werden. Klicken
+    Sie auf "Weiter" und erlauben Sie den Cookies, die App zu verwenden.
   request_storage_access_footer: Cookies laufen nach 30 Tagen ab.
   request_storage_access_action: Weiter

data/config/locales/en.yml

@@ -7,7 +7,7 @@ en:
   enable_cookies_footer: 'Cookies let the app authenticate you by temporarily storing your preferences and personal information. They expire after 30 days.'
   enable_cookies_action: 'Enable cookies'
   top_level_interaction_heading: "Your browser needs to authenticate %{app}"
-  top_level_interaction_body: "Your browser requires third-party apps like %{app} to ask you for access to cookies before Shopify can open it for you."
+  top_level_interaction_body: "Your browser requires apps like %{app} to ask you for access to cookies before Shopify can open it for you."
   top_level_interaction_action: 'Continue'
   request_storage_access_heading: "%{app} needs access to cookies"
   request_storage_access_body: "This lets the app authenticate you by temporarily storing your personal information. Click continue and allow cookies to use the app."