shopify_app 9.0.0 → 13.0.0

data/lib/generators/shopify_app/user_model/templates/db/migrate/create_users.erb

@@ -0,0 +1,16 @@
+class CreateUsers < ActiveRecord::Migration[<%= rails_migration_version %>]
+  def self.up
+    create_table :users do |t|
+      t.bigint :shopify_user_id, null: false
+      t.string :shopify_domain, null: false
+      t.string :shopify_token, null: false
+      t.timestamps
+    end
+
+    add_index :users, :shopify_user_id, unique: true
+  end
+
+  def self.down
+    drop_table :users
+  end
+end

data/lib/generators/shopify_app/user_model/templates/user.rb

@@ -0,0 +1,7 @@
+class User < ActiveRecord::Base
+  include ShopifyApp::UserSessionStorage
+
+  def api_version
+    ShopifyApp.configuration.api_version
+  end
+end

data/lib/generators/shopify_app/user_model/templates/users.yml

@@ -0,0 +1,4 @@
+regular_user:
+  shopify_domain: 'regular-shop.myshopify.com'
+  shopify_token: 'token'
+  shopify_user_id: 1

data/lib/generators/shopify_app/user_model/user_model_generator.rb

@@ -0,0 +1,38 @@
+require 'rails/generators/base'
+require 'rails/generators/active_record'
+
+module ShopifyApp
+  module Generators
+    class UserModelGenerator < Rails::Generators::Base
+      include Rails::Generators::Migration
+      source_root File.expand_path('../templates', __FILE__)
+
+      def create_user_model
+        copy_file 'user.rb', 'app/models/user.rb'
+      end
+
+      def create_user_migration
+        migration_template 'db/migrate/create_users.erb', 'db/migrate/create_users.rb'
+      end
+
+      def update_shopify_app_initializer
+        gsub_file 'config/initializers/shopify_app.rb', 'ShopifyApp::InMemoryUserSessionStore', 'User'
+      end
+
+      def create_user_fixtures
+        copy_file 'users.yml', 'test/fixtures/users.yml'
+      end
+
+      private
+
+      def rails_migration_version
+        Rails.version.match(/\d\.\d/)[0]
+      end
+
+      # for generating a timestamp when using `create_migration`
+      def self.next_migration_number(dir)
+        ActiveRecord::Generators::Base.next_migration_number(dir)
+      end
+    end
+  end
+end

data/lib/shopify_app/configuration.rb

@@ -5,7 +5,7 @@ module ShopifyApp
     # for the app in your Shopify Partners page. Change your settings in
     # `config/initializers/shopify_app.rb`
     attr_accessor :application_name
-    attr_accessor :api_key
+    attr_accessor  :api_key
     attr_accessor :secret
     attr_accessor :old_secret
     attr_accessor :scope
@@ -14,7 +14,8 @@ module ShopifyApp
     attr_accessor :webhooks
     attr_accessor :scripttags
     attr_accessor :after_authenticate_job
-    attr_accessor :session_repository
+    attr_reader :shop_session_repository
+    attr_reader :user_session_repository
     attr_accessor :api_version
 
     # customise urls
@@ -28,28 +29,35 @@ module ShopifyApp
     # configure myshopify domain for local shopify development
     attr_accessor :myshopify_domain
 
+    # ability to have webpacker installed but not used in this gem and the generators
+    attr_accessor :disable_webpacker
+
     # allow namespacing webhook jobs
     attr_accessor :webhook_jobs_namespace
 
+    # allow enabling of same site none on cookies
+    attr_accessor :enable_same_site_none
+
     def initialize
       @root_url = '/'
       @myshopify_domain = 'myshopify.com'
       @scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
       @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
+      @disable_webpacker = ENV['SHOPIFY_APP_DISABLE_WEBPACKER'].present?
     end
 
     def login_url
       @login_url || File.join(@root_url, 'login')
     end
 
-    def session_repository=(klass)
-      if Rails.configuration.cache_classes
-        ShopifyApp::SessionRepository.storage = klass
-      else
-        ActiveSupport::Reloader.to_prepare do
-          ShopifyApp::SessionRepository.storage = klass
-        end
-      end
+    def user_session_repository=(klass)
+      @user_session_repository = klass
+      ShopifyApp::SessionRepository.user_storage = klass
+    end
+
+    def shop_session_repository=(klass)
+      @shop_session_repository = klass
+      ShopifyApp::SessionRepository.shop_storage = klass
     end
 
     def has_webhooks?
@@ -59,6 +67,10 @@ module ShopifyApp
     def has_scripttags?
       scripttags.present?
     end
+
+    def enable_same_site_none
+      !Rails.env.test? && (@enable_same_site_none.nil? ? embedded_app? : @enable_same_site_none)
+    end
   end
 
   def self.configuration

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -14,26 +14,48 @@ module ShopifyApp
       rescue_from ActiveResource::UnauthorizedAccess, :with => :close_session
     end
 
-    def shopify_session
-      return redirect_to_login unless shop_session
+    def activate_shopify_session
+      return redirect_to_login if current_shopify_session.blank?
       clear_top_level_oauth_cookie
 
       begin
-        ShopifyAPI::Base.activate_session(shop_session)
+        ShopifyAPI::Base.activate_session(current_shopify_session)
         yield
       ensure
         ShopifyAPI::Base.clear_session
       end
     end
 
+    def current_shopify_session
+      if session[:user_id].present?
+        @current_shopify_session ||= user_session
+      else
+        @current_shopify_session ||= shop_session
+      end
+    end
+
+    def user_session
+      return if session[:user_id].blank?
+      ShopifyApp::SessionRepository.retrieve_user_session(session[:user_id])
+    end
+
     def shop_session
-      return unless session[:shopify]
-      @shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify])
+      return if session[:shop_id].blank?
+      ShopifyApp::SessionRepository.retrieve_shop_session(session[:shop_id])
     end
 
-    def login_again_if_different_shop
-      if shop_session && params[:shop] && params[:shop].is_a?(String) && (shop_session.domain != params[:shop])
-        clear_shop_session
+    def login_again_if_different_user_or_shop
+      if session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
+        clear_session = session[:user_session] != params[:session] # current user is different from stored user
+
+      end
+
+      if current_shopify_session && params[:shop] && params[:shop].is_a?(String) && (current_shopify_session.domain != params[:shop])
+        clear_session = true
+      end
+
+      if clear_session
+        clear_shopify_session
         redirect_to_login
       end
     end
@@ -45,24 +67,32 @@ module ShopifyApp
         head :unauthorized
       else
         if request.get?
-          session[:return_to] = "#{request.path}?#{sanitized_params.to_query}"
+          path = request.path
+          query = sanitized_params.to_query
+        else
+          referer = URI(request.referer || "/")
+          path = referer.path
+          query = "#{referer.query}&#{sanitized_params.to_query}"
         end
-        redirect_to login_url
+        session[:return_to] = "#{path}?#{query}"
+        redirect_to(login_url_with_optional_shop)
       end
     end
 
     def close_session
-      clear_shop_session
-      redirect_to login_url
+      clear_shopify_session
+      redirect_to(login_url_with_optional_shop)
     end
 
-    def clear_shop_session
-      session[:shopify] = nil
+    def clear_shopify_session
+      session[:shop_id] = nil
+      session[:user_id] = nil
       session[:shopify_domain] = nil
       session[:shopify_user] = nil
+      session[:user_session] = nil
     end
 
-    def login_url(top_level: false)
+    def login_url_with_optional_shop(top_level: false)
       url = ShopifyApp.configuration.login_url
 
       query_params = login_url_params(top_level: top_level)
@@ -75,6 +105,12 @@ module ShopifyApp
       query_params = {}
       query_params[:shop] = sanitized_params[:shop] if params[:shop].present?
 
+      return_to = session[:return_to] || params[:return_to]
+
+      if return_to.present? && return_to_param_required?
+        query_params[:return_to] = return_to
+      end
+
       has_referer_shop_name = referer_sanitized_shop_name.present?
 
       if has_referer_shop_name
@@ -85,6 +121,11 @@ module ShopifyApp
       query_params
     end
 
+    def return_to_param_required?
+      native_params = %i[shop hmac timestamp locale protocol return_to]
+      request.path != '/' || sanitized_params.except(*native_params).any?
+    end
+
     def fullpage_redirect_to(url)
       if ShopifyApp.configuration.embedded_app?
         render 'shopify_app/shared/redirect', layout: false, locals: { url: url, current_shopify_domain: current_shopify_domain }
@@ -131,5 +172,15 @@ module ShopifyApp
     def return_address
       session.delete(:return_to) || ShopifyApp.configuration.root_url
     end
+
+    def return_address_with_params(params)
+      uri = URI(return_address)
+      uri.query = CGI.parse(uri.query.to_s)
+        .symbolize_keys
+        .transform_values { |v| v.one? ? v.first : v }
+        .merge(params)
+        .to_query
+      uri.to_s
+    end
   end
 end

data/lib/shopify_app/engine.rb

@@ -12,5 +12,9 @@ module ShopifyApp
         storage_access.svg
       ]
     end
+
+    initializer "shopify_app.middleware" do |app|
+      app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::SameSiteCookieMiddleware)
+    end
   end
 end

data/lib/shopify_app/managers/webhooks_manager.rb

@@ -55,7 +55,7 @@ module ShopifyApp
     end
 
     def current_webhooks
-      @current_webhooks ||= ShopifyAPI::Webhook.all.index_by(&:topic)
+      @current_webhooks ||= ShopifyAPI::Webhook.all.to_a.index_by(&:topic)
     end
   end
 end

data/lib/shopify_app/middleware/same_site_cookie_middleware.rb

@@ -0,0 +1,33 @@
+module ShopifyApp
+  class SameSiteCookieMiddleware
+    COOKIE_SEPARATOR = "\n"
+
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      status, headers, body = @app.call(env)
+      user_agent = env['HTTP_USER_AGENT']
+
+      if headers && headers['Set-Cookie'] &&
+          BrowserSniffer.new(user_agent).same_site_none_compatible? &&
+          ShopifyApp.configuration.enable_same_site_none &&
+          Rack::Request.new(env).ssl?
+
+        set_cookies = headers['Set-Cookie']
+          .split(COOKIE_SEPARATOR)
+          .compact
+          .map do |cookie|
+            cookie << '; Secure' if not cookie =~ /;\s*secure/i
+            cookie << '; SameSite=None' unless cookie =~ /;\s*samesite=/i
+            cookie
+          end
+
+        headers['Set-Cookie'] = set_cookies.join(COOKIE_SEPARATOR)
+      end
+
+      [status, headers, body]
+    end
+  end
+end

data/lib/shopify_app/session/in_memory_session_store.rb

@@ -6,7 +6,7 @@ module ShopifyApp
       repo[id]
     end
 
-    def self.store(session)
+    def self.store(session, *args)
       id = SecureRandom.uuid
       repo[id] = session
       id

data/lib/shopify_app/session/in_memory_shop_session_store.rb

@@ -0,0 +1,4 @@
+module ShopifyApp
+  class InMemoryShopSessionStore < InMemorySessionStore
+  end
+end

data/lib/shopify_app/session/in_memory_user_session_store.rb

@@ -0,0 +1,4 @@
+module ShopifyApp
+  class InMemoryUserSessionStore < InMemorySessionStore
+  end
+end

data/lib/shopify_app/session/session_repository.rb

@@ -3,31 +3,56 @@ module ShopifyApp
     class ConfigurationError < StandardError; end
 
     class << self
-      def storage=(storage)
-        @storage = storage
+      def shop_storage=(storage)
+        @shop_storage = storage
 
-        unless storage.nil? || self.storage.respond_to?(:store) && self.storage.respond_to?(:retrieve)
-          raise ArgumentError, "storage must respond to :store and :retrieve"
+        unless storage.nil? || self.shop_storage.respond_to?(:store) && self.shop_storage.respond_to?(:retrieve)
+          raise ArgumentError, "shop storage must respond to :store and :retrieve"
         end
       end
 
-      def retrieve(id)
-        storage.retrieve(id)
+      def user_storage=(storage)
+        @user_storage = storage
+
+        unless storage.nil? || self.user_storage.respond_to?(:store) && self.user_storage.respond_to?(:retrieve)
+          raise ArgumentError, "user storage must respond to :store and :retrieve"
+        end
+      end
+
+      def retrieve_shop_session(id)
+        shop_storage.retrieve(id)
+      end
+
+      def retrieve_user_session(id)
+        user_storage.retrieve(id)
       end
 
-      def store(session)
-        storage.store(session)
+      def store_shop_session(session)
+        shop_storage.store(session)
       end
 
-      def storage
-        load_storage || raise(ConfigurationError.new("ShopifySessionRepository.storage is not configured!"))
+      def store_user_session(session, user)
+        user_storage.store(session, user)
+      end
+
+      def shop_storage
+        load_shop_storage || raise(ConfigurationError.new("ShopifySessionRepository.shop_storage is not configured!"))
+      end
+
+      def user_storage
+        load_user_storage
       end
 
       private
 
-      def load_storage
-        return unless @storage
-        @storage.respond_to?(:safe_constantize) ? @storage.safe_constantize : @storage
+      def load_shop_storage
+        return unless @shop_storage
+        @shop_storage.respond_to?(:safe_constantize) ? @shop_storage.safe_constantize : @shop_storage
+      end
+
+      def load_user_storage
+        return unless @user_storage
+        @user_storage.respond_to?(:safe_constantize) ? @user_storage.safe_constantize : @user_storage
       end
     end
   end

data/lib/shopify_app/session/session_storage.rb

@@ -3,7 +3,6 @@ module ShopifyApp
     extend ActiveSupport::Concern
 
     included do
-      validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false }
       validates :shopify_token, presence: true
       validates :api_version, presence: true
     end
@@ -16,26 +15,5 @@ module ShopifyApp
         &block
       )
     end
-
-    class_methods do
-      def store(session)
-        shop = find_or_initialize_by(shopify_domain: session.domain)
-        shop.shopify_token = session.token
-        shop.save!
-        shop.id
-      end
-
-      def retrieve(id)
-        return unless id
-
-        if shop = self.find_by(id: id)
-          ShopifyAPI::Session.new(
-            domain: shop.shopify_domain,
-            token: shop.shopify_token,
-            api_version: shop.api_version
-          )
-        end
-      end
-    end
   end
 end

data/lib/shopify_app/session/shop_session_storage.rb

@@ -0,0 +1,30 @@
+module ShopifyApp
+  module ShopSessionStorage
+    extend ActiveSupport::Concern
+    include ::ShopifyApp::SessionStorage
+
+    included do
+      validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false }
+    end
+
+    class_methods do
+      def store(auth_session, *args)
+        shop = find_or_initialize_by(shopify_domain: auth_session.domain)
+        shop.shopify_token = auth_session.token
+        shop.save!
+        shop.id
+      end
+
+      def retrieve(id)
+        return unless id
+        if shop = self.find_by(id: id)
+          ShopifyAPI::Session.new(
+            domain: shop.shopify_domain,
+            token: shop.shopify_token,
+            api_version: shop.api_version
+          )
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/session/user_session_storage.rb

@@ -0,0 +1,31 @@
+module ShopifyApp
+  module UserSessionStorage
+    extend ActiveSupport::Concern
+    include ::ShopifyApp::SessionStorage
+
+    included do
+      validates :shopify_domain, presence: true
+    end
+
+    class_methods do
+      def store(auth_session, user)
+        user = find_or_initialize_by(shopify_user_id: user[:id])
+        user.shopify_token = auth_session.token
+        user.shopify_domain = auth_session.domain
+        user.save!
+        user.id
+      end
+
+      def retrieve(id)
+        return unless id
+        if user = find_by(id: id)
+          ShopifyAPI::Session.new(
+            domain: user.shopify_domain,
+            token: user.shopify_token,
+            api_version: user.api_version
+          )
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/utils.rb

@@ -12,5 +12,12 @@ module ShopifyApp
       nil
     end
 
+    def self.fetch_known_api_versions
+      Rails.logger.info("[ShopifyAPI::ApiVersion] Fetching known Admin API Versions from Shopify...")
+      ShopifyAPI::ApiVersion.fetch_known_versions
+      Rails.logger.info("[ShopifyAPI::ApiVersion] Known API Versions: #{ShopifyAPI::ApiVersion.versions.keys}")
+      rescue ActiveResource::ConnectionError
+        logger.error( "[ShopifyAPI::ApiVersion] Unable to fetch api_versions from Shopify")
+    end
   end
 end

data/lib/shopify_app/version.rb

@@ -1,3 +1,3 @@
 module ShopifyApp
-  VERSION = '9.0.0'.freeze
+  VERSION = '13.0.0'.freeze
 end

data/lib/shopify_app.rb

@@ -4,32 +4,51 @@ require 'shopify_app/version'
 require 'shopify_api'
 require 'omniauth-shopify-oauth2'
 
-# config
-require 'shopify_app/configuration'
-
-# engine
-require 'shopify_app/engine'
-
-# utils
-require 'shopify_app/utils'
-
-# controller concerns
-require 'shopify_app/controller_concerns/localization'
-require 'shopify_app/controller_concerns/itp'
-require 'shopify_app/controller_concerns/login_protection'
-require 'shopify_app/controller_concerns/embedded_app'
-require 'shopify_app/controller_concerns/webhook_verification'
-require 'shopify_app/controller_concerns/app_proxy_verification'
-
-# jobs
-require 'shopify_app/jobs/webhooks_manager_job'
-require 'shopify_app/jobs/scripttags_manager_job'
-
-# managers
-require 'shopify_app/managers/webhooks_manager'
-require 'shopify_app/managers/scripttags_manager'
-
-# session
-require 'shopify_app/session/session_storage'
-require 'shopify_app/session/session_repository'
-require 'shopify_app/session/in_memory_session_store'
+module ShopifyApp
+  def self.rails6?
+    Rails::VERSION::MAJOR >= 6
+  end
+
+  def self.use_webpacker?
+    rails6? &&
+      defined?(Webpacker) == 'constant' &&
+      !configuration.disable_webpacker
+  end
+
+  # config
+  require 'shopify_app/configuration'
+
+  # engine
+  require 'shopify_app/engine'
+
+  # utils
+  require 'shopify_app/utils'
+
+  # controller concerns
+  require 'shopify_app/controller_concerns/localization'
+  require 'shopify_app/controller_concerns/itp'
+  require 'shopify_app/controller_concerns/login_protection'
+  require 'shopify_app/controller_concerns/embedded_app'
+  require 'shopify_app/controller_concerns/webhook_verification'
+  require 'shopify_app/controller_concerns/app_proxy_verification'
+
+  # jobs
+  require 'shopify_app/jobs/webhooks_manager_job'
+  require 'shopify_app/jobs/scripttags_manager_job'
+
+  # managers
+  require 'shopify_app/managers/webhooks_manager'
+  require 'shopify_app/managers/scripttags_manager'
+
+  # middleware
+  require 'shopify_app/middleware/same_site_cookie_middleware'
+
+  # session
+  require 'shopify_app/session/session_storage'
+  require 'shopify_app/session/shop_session_storage'
+  require 'shopify_app/session/user_session_storage'
+  require 'shopify_app/session/session_repository'
+  require 'shopify_app/session/in_memory_session_store'
+  require 'shopify_app/session/in_memory_shop_session_store'
+  require 'shopify_app/session/in_memory_user_session_store'
+end