shopify_app 11.6.0 → 11.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/README.md +93 -102
- data/app/controllers/concerns/shopify_app/authenticated.rb +1 -1
- data/app/controllers/shopify_app/callback_controller.rb +8 -2
- data/app/controllers/shopify_app/extension_verification_controller.rb +20 -0
- data/lib/generators/shopify_app/add_marketing_activity_extension/templates/marketing_activities_controller.rb +1 -1
- data/lib/generators/shopify_app/install/templates/shopify_provider.rb +1 -0
- data/lib/generators/shopify_app/user_model/templates/db/migrate/create_users.erb +16 -0
- data/lib/generators/shopify_app/user_model/templates/user.rb +7 -0
- data/lib/generators/shopify_app/user_model/templates/users.yml +4 -0
- data/lib/generators/shopify_app/user_model/user_model_generator.rb +38 -0
- data/lib/shopify_app.rb +2 -3
- data/lib/shopify_app/configuration.rb +3 -0
- data/lib/shopify_app/controller_concerns/login_protection.rb +22 -3
- data/lib/shopify_app/session/in_memory_session_store.rb +1 -1
- data/lib/shopify_app/session/session_repository.rb +2 -2
- data/lib/shopify_app/session/session_storage.rb +14 -15
- data/lib/shopify_app/session/storage_strategies/shop_storage_strategy.rb +24 -0
- data/lib/shopify_app/session/storage_strategies/user_storage_strategy.rb +26 -0
- data/lib/shopify_app/version.rb +1 -1
- data/service.yml +1 -1
- data/shopify_app.gemspec +4 -1
- metadata +51 -3
- data/lib/shopify_app/controllers/extension_verification_controller.rb +0 -18
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d3aa1aaa2a6895d06071509e43c6fd7247705d1f8d50831c4db87384a3259df4
|
4
|
+
data.tar.gz: 50de5f631e15bad635b2b2e43a0aac22c3c3f89ff51addf6866e76a8850f7d0a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 891c47cacf32a40f6477257b35741b5cba45417a60d7347d8863809a38efd207c86728b285debe552007126c73dfd083949884296b973f9c0b4998ad1c04f2d7
|
7
|
+
data.tar.gz: 1809b3f6ba4680e23a16660a706d15bdace9b57cb20c129fc021c38850015e69b2570292e34e21297570c053d443a4fcf4f3f2dae5961ce8ee9c5527a0dbbe36
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,8 @@
|
|
1
|
+
11.7.0
|
2
|
+
-----
|
3
|
+
* Move ExtensionVerificationController from engine to app controllers, as being in the engine makes ActionController::Base get loaded before app initiates [#855](https://github.com/Shopify/shopify_app/pull/855)
|
4
|
+
* Add back per-user token support (added in 11.5.0, reverted in 11.5.1)
|
5
|
+
|
1
6
|
11.6.0
|
2
7
|
-----
|
3
8
|
* Enable SameSite=None; Secure by default on all cookies for embedded apps [#851](https://github.com/Shopify/shopify_app/pull/851)
|
data/README.md
CHANGED
@@ -12,61 +12,35 @@ Shopify Application Rails engine and generator
|
|
12
12
|
|
13
13
|
Table of Contents
|
14
14
|
-----------------
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
* [**Authenticated**](#authenticated)
|
34
|
-
* [**AppProxyVerification**](#appproxyverification)
|
35
|
-
* [Recommended Usage](#recommended-usage)
|
36
|
-
* [**Upgrading from 8.6 to 9.0.0**](#upgrading-from-86-to-900)
|
37
|
-
* [**Troubleshooting**](#troubleshooting)
|
38
|
-
* [Generator shopify_app:install hangs](#generator-shopify_appinstall-hangs)
|
39
|
-
* [**Testing an embedded app outside the Shopify admin**](#testing-an-embedded-app-outside-the-shopify-admin)
|
40
|
-
* [**Questions or problems?**](#questions-or-problems)
|
41
|
-
|
42
|
-
|
43
|
-
Description
|
15
|
+
- [Introduction](#introduction)
|
16
|
+
- [Becoming a Shopify App Developer](#becoming-a-shopify-app-developer)
|
17
|
+
- [Installation](#installation)
|
18
|
+
- [Generators](#generators)
|
19
|
+
- [Mounting the Engine](#mounting-the-engine)
|
20
|
+
- [Authentication](#authentication)
|
21
|
+
- [WebhooksManager](#webhooksmanager)
|
22
|
+
- [ScripttagsManager](#scripttagsmanager)
|
23
|
+
- [RotateShopifyTokenJob](#rotateshopifytokenjob)
|
24
|
+
- [App Tunneling](#app-tunneling)
|
25
|
+
- [AppProxyVerification](#appproxyverification)
|
26
|
+
- [Troubleshooting](#troubleshooting)
|
27
|
+
- [Testing an embedded app outside the Shopify admin](#testing-an-embedded-app-outside-the-shopify-admin)
|
28
|
+
- [Questions or problems?](#questions-or-problems-)
|
29
|
+
- [Rails 6 Compatibility](#rails-6-compatibility)
|
30
|
+
- [Upgrading from 8.6 to 9.0.0](#upgrading-from-86-to-900)
|
31
|
+
|
32
|
+
Introduction
|
44
33
|
-----------
|
45
34
|
This gem includes a Rails Engine and generators for writing Rails applications using the Shopify API. The Engine provides a SessionsController and all the required code for authenticating with a shop via Oauth (other authentication methods are not supported).
|
46
35
|
|
47
36
|
*Note: It's recommended to use this on a new Rails project, so that the generator won't overwrite/delete some of your files.*
|
48
37
|
|
49
|
-
|
50
|
-
Quickstart
|
51
|
-
----------
|
52
|
-
|
53
38
|
Check out this screencast on how to create and deploy a new Shopify App to Heroku in 5 minutes:
|
54
39
|
|
55
40
|
[https://www.youtube.com/watch?v=yGxeoAHlQOg](https://www.youtube.com/watch?v=yGxeoAHlQOg)
|
56
41
|
|
57
42
|
Or if you prefer text instructions the steps in the video are written out [here](https://github.com/Shopify/shopify_app/blob/master/docs/Quickstart.md)
|
58
43
|
|
59
|
-
App Tunneling
|
60
|
-
-------------
|
61
|
-
|
62
|
-
Your local app needs to be accessible from the public Internet in order to install it on a shop, use the [App Proxy Controller](#app-proxy-controller-generator) or receive Webhooks. Use a tunneling service like [ngrok](https://ngrok.com/), [Forward](https://forwardhq.com/), [Beeceptor](https://beeceptor.com/), [Mockbin](http://mockbin.org/), [Hookbin](https://hookbin.com/), etc.
|
63
|
-
|
64
|
-
For example with [ngrok](https://ngrok.com/), run this command to set up proxying to Rails' default port:
|
65
|
-
|
66
|
-
```sh
|
67
|
-
ngrok http 3000
|
68
|
-
```
|
69
|
-
|
70
44
|
Becoming a Shopify App Developer
|
71
45
|
--------------------------------
|
72
46
|
If you don't have a Shopify Partner account yet head over to http://shopify.com/partners to create one, you'll need it before you can start developing apps.
|
@@ -106,7 +80,7 @@ The default generator will run the `install`, `shop`, and `home_controller` gene
|
|
106
80
|
$ rails generate shopify_app
|
107
81
|
```
|
108
82
|
|
109
|
-
After running the generator, you will need to run `
|
83
|
+
After running the generator, you will need to run `rails db:migrate` to add tables to your database. You can start your app with `bundle exec rails server` and install your app by visiting localhost.
|
110
84
|
|
111
85
|
### API Keys
|
112
86
|
|
@@ -143,17 +117,6 @@ The generator adds ShopifyApp and the required initializers to the host Rails ap
|
|
143
117
|
After running the `install` generator, you can start your app with `bundle exec rails server` and install your app by visiting localhost.
|
144
118
|
|
145
119
|
|
146
|
-
### Shop Model Generator
|
147
|
-
|
148
|
-
```sh
|
149
|
-
$ rails generate shopify_app:shop_model
|
150
|
-
```
|
151
|
-
|
152
|
-
The `install` generator doesn't create any database tables or models for you. If you are starting a new app its quite likely that you will want a shops table and model to store the tokens when your app is installed (most of our internally developed apps do!). This generator creates a shop model and a migration. This model includes the `ShopifyApp::SessionStorage` concern which adds two methods to make it compatible as a `SessionRepository`. After running this generator you'll notice the `session_repository` in your `config/initializers/shopify_app.rb` will be set to the `Shop` model. This means that internally ShopifyApp will try and load tokens from this model.
|
153
|
-
|
154
|
-
*Note that you will need to run rake db:migrate after this generator*
|
155
|
-
|
156
|
-
|
157
120
|
### Home Controller Generator
|
158
121
|
|
159
122
|
```sh
|
@@ -245,21 +208,82 @@ ShopifyApp.configure do |config|
|
|
245
208
|
end
|
246
209
|
```
|
247
210
|
|
248
|
-
|
249
|
-
|
250
|
-
|
211
|
+
Authentication
|
212
|
+
--------------
|
213
|
+
|
214
|
+
### ShopifyApp::SessionRepository
|
215
|
+
|
216
|
+
`ShopifyApp::SessionRepository` allows you as a developer to define how your sessions are stored and retrieved for shops. The `SessionRepository` is configured in the `config/initializers/shopify_app.rb` file and can be set to any object that implements `self.store(auth_session)` which stores the session and returns a unique identifier and `self.retrieve(id)` which returns a `ShopifyAPI::Session` for the passed id. See either the `ShopifyApp::InMemorySessionStore` class or the `ShopifyApp::SessionStorage` concern for details.
|
217
|
+
|
218
|
+
If you only run the install generator then by default you will have an in memory store but it **won't work** on multi-server environments including Heroku. For multi-server environments, implement one of the following token-storage strategies.
|
219
|
+
|
220
|
+
#### Shop-based token storage
|
221
|
+
Storing tokens on the store model means that any user login associated to the store will have equal access levels to whatever the original user granted the app.
|
222
|
+
```sh
|
223
|
+
$ rails generate shopify_app:shop_model
|
224
|
+
```
|
225
|
+
This will generate a shop model which will be the storage for the tokens necessary for authentication.
|
226
|
+
|
227
|
+
#### User-based token storage
|
228
|
+
A more granular control over level of access per user on an app might be necessary, to which the shop-based token strategy is not sufficient. Shopify supports a user-based token storage strategy where a unique token to each user can be managed.
|
229
|
+
```sh
|
230
|
+
$ rails generate shopify_app:user_model
|
231
|
+
```
|
232
|
+
This will generate a user model which will be the storage for the tokens necessary for authentication.
|
233
|
+
|
234
|
+
The current Shopify user will be stored in the rails session at `session[:shopify_user]`
|
235
|
+
|
236
|
+
This will change the type of token that Shopify returns and it will only be valid for a short time. Read more about `Online access` [here](https://help.shopify.com/api/getting-started/authentication/oauth). Note that this means you won't be able to use this token to respond to Webhooks.
|
237
|
+
|
238
|
+
#### Migrating from shop-based to user-based token strategy
|
239
|
+
After running the generator, ensure that configuration settings are successfully changed:
|
251
240
|
|
252
241
|
```ruby
|
242
|
+
# In the `omniauth.rb` initializer:
|
253
243
|
provider :shopify,
|
254
244
|
ShopifyApp.configuration.api_key,
|
255
245
|
ShopifyApp.configuration.secret,
|
256
246
|
scope: ShopifyApp.configuration.scope,
|
257
247
|
per_user_permissions: true
|
248
|
+
|
249
|
+
# In the `shopify_app.rb` initializer:
|
250
|
+
config.session_repository = 'User'
|
251
|
+
config.per_user_tokens = true
|
258
252
|
```
|
259
253
|
|
260
|
-
|
254
|
+
### Authenticated
|
261
255
|
|
262
|
-
|
256
|
+
The engine provides a `ShopifyApp::Authenticated` concern which should be included in any controller that is intended to be behind Shopify OAuth. It adds `before_action`s to ensure that the user is authenticated and will redirect to the Shopify login page if not. It is best practice to include this concern in a base controller inheriting from your `ApplicationController`, from which all controllers that require Shopify authentication inherit.
|
257
|
+
|
258
|
+
For backwards compatibility, the engine still provides a controller called `ShopifyApp::AuthenticatedController` which includes the `ShopifyApp::Authenticated` concern. Note that it inherits directly from `ActionController::Base`, so you will not be able to share functionality between it and your application's `ApplicationController`.
|
259
|
+
|
260
|
+
### AfterAuthenticate Job
|
261
|
+
|
262
|
+
If your app needs to perform specific actions after the user is authenticated successfully (i.e. every time a new session is created), ShopifyApp can queue or run a job of your choosing (note that we already provide support for automatically creating Webhooks and Scripttags). To configure the after authenticate job update your initializer as follows:
|
263
|
+
|
264
|
+
```ruby
|
265
|
+
ShopifyApp.configure do |config|
|
266
|
+
config.after_authenticate_job = { job: "Shopify::AfterAuthenticateJob" }
|
267
|
+
end
|
268
|
+
```
|
269
|
+
|
270
|
+
The job can be configured as either a class or a class name string.
|
271
|
+
|
272
|
+
If you need the job to run synchronously add the `inline` flag:
|
273
|
+
|
274
|
+
```ruby
|
275
|
+
ShopifyApp.configure do |config|
|
276
|
+
config.after_authenticate_job = { job: Shopify::AfterAuthenticateJob, inline: true }
|
277
|
+
end
|
278
|
+
```
|
279
|
+
|
280
|
+
We've also provided a generator which creates a skeleton job and updates the initializer for you:
|
281
|
+
|
282
|
+
```
|
283
|
+
bin/rails g shopify_app:add_after_authenticate_job
|
284
|
+
```
|
285
|
+
|
286
|
+
If you want to perform that action only once, e.g. send a welcome email to the user when they install the app, you should make sure that this action is idempotent, meaning that it won't have an impact if run multiple times.
|
263
287
|
|
264
288
|
|
265
289
|
WebhooksManager
|
@@ -353,36 +377,6 @@ Scripttags are created in the same way as the Webhooks, with a background job wh
|
|
353
377
|
|
354
378
|
If `src` responds to `call` its return value will be used as the scripttag's source. It will be called on scripttag creation and deletion.
|
355
379
|
|
356
|
-
AfterAuthenticate Job
|
357
|
-
---------------------
|
358
|
-
|
359
|
-
If your app needs to perform specific actions after the user is authenticated successfully (i.e. every time a new session is created), ShopifyApp can queue or run a job of your choosing (note that we already provide support for automatically creating Webhooks and Scripttags). To configure the after authenticate job update your initializer as follows:
|
360
|
-
|
361
|
-
```ruby
|
362
|
-
ShopifyApp.configure do |config|
|
363
|
-
config.after_authenticate_job = { job: "Shopify::AfterAuthenticateJob" }
|
364
|
-
end
|
365
|
-
```
|
366
|
-
|
367
|
-
The job can be configured as either a class or a class name string.
|
368
|
-
|
369
|
-
If you need the job to run synchronously add the `inline` flag:
|
370
|
-
|
371
|
-
```ruby
|
372
|
-
ShopifyApp.configure do |config|
|
373
|
-
config.after_authenticate_job = { job: Shopify::AfterAuthenticateJob, inline: true }
|
374
|
-
end
|
375
|
-
```
|
376
|
-
|
377
|
-
We've also provided a generator which creates a skeleton job and updates the initializer for you:
|
378
|
-
|
379
|
-
```
|
380
|
-
bin/rails g shopify_app:add_after_authenticate_job
|
381
|
-
```
|
382
|
-
|
383
|
-
If you want to perform that action only once, e.g. send a welcome email to the user when they install the app, you should make sure that this action is idempotent, meaning that it won't have an impact if run multiple times.
|
384
|
-
|
385
|
-
|
386
380
|
RotateShopifyTokenJob
|
387
381
|
---------------------
|
388
382
|
|
@@ -409,19 +403,16 @@ The generated rake task will be found at `lib/tasks/shopify/rotate_shopify_token
|
|
409
403
|
strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret
|
410
404
|
```
|
411
405
|
|
412
|
-
|
413
|
-
-----------------------------
|
414
|
-
|
415
|
-
`ShopifyApp::SessionRepository` allows you as a developer to define how your sessions are retrieved and stored for shops. The `SessionRepository` is configured in the `config/initializers/shopify_app.rb` file and can be set to any object that implements `self.store(shopify_session)` which stores the session and returns a unique identifier and `self.retrieve(id)` which returns a `ShopifyAPI::Session` for the passed id. See either the `ShopifyApp::InMemorySessionStore` class or the `ShopifyApp::SessionStorage` concern for examples.
|
416
|
-
|
417
|
-
If you only run the install generator then by default you will have an in memory store but it **won't work** on multi-server environments including Heroku. If you ran all the generators including the shop_model generator then the `Shop` model itself will be the `SessionRepository`. If you look at the implementation of the generated shop model you'll see that this gem provides a concern for the `SessionRepository`. You can use this concern on any model that responds to `shopify_domain`, `shopify_token` and `api_version`.
|
418
|
-
|
419
|
-
Authenticated
|
406
|
+
App Tunneling
|
420
407
|
-------------
|
421
408
|
|
422
|
-
|
409
|
+
Your local app needs to be accessible from the public Internet in order to install it on a shop, use the [App Proxy Controller](#app-proxy-controller-generator) or receive Webhooks. Use a tunneling service like [ngrok](https://ngrok.com/), [Forward](https://forwardhq.com/), [Beeceptor](https://beeceptor.com/), [Mockbin](http://mockbin.org/), [Hookbin](https://hookbin.com/), etc.
|
423
410
|
|
424
|
-
For
|
411
|
+
For example with [ngrok](https://ngrok.com/), run this command to set up proxying to Rails' default port:
|
412
|
+
|
413
|
+
```sh
|
414
|
+
ngrok http 3000
|
415
|
+
```
|
425
416
|
|
426
417
|
AppProxyVerification
|
427
418
|
--------------------
|
@@ -465,7 +456,7 @@ Questions or problems?
|
|
465
456
|
- [Read the docs!](https://help.shopify.com/api/guides)
|
466
457
|
|
467
458
|
Rails 6 Compatibility
|
468
|
-
|
459
|
+
---------------------
|
469
460
|
|
470
461
|
### Disable Webpacker
|
471
462
|
If you are using sprockets in rails 6 or want to generate a shopify_app without webpacker run the install task by running
|
@@ -8,7 +8,7 @@ module ShopifyApp
|
|
8
8
|
include ShopifyApp::Localization
|
9
9
|
include ShopifyApp::LoginProtection
|
10
10
|
include ShopifyApp::EmbeddedApp
|
11
|
-
before_action :
|
11
|
+
before_action :login_again_if_different_user_or_shop
|
12
12
|
around_action :shopify_session
|
13
13
|
end
|
14
14
|
end
|
@@ -55,10 +55,16 @@ module ShopifyApp
|
|
55
55
|
token: token,
|
56
56
|
api_version: ShopifyApp.configuration.api_version
|
57
57
|
)
|
58
|
-
|
59
|
-
session[:shopify] = ShopifyApp::SessionRepository.store(session_store)
|
58
|
+
session[:shopify] = ShopifyApp::SessionRepository.store(session_store, user: associated_user)
|
60
59
|
session[:shopify_domain] = shop_name
|
61
60
|
session[:shopify_user] = associated_user
|
61
|
+
|
62
|
+
if ShopifyApp.configuration.per_user_tokens?
|
63
|
+
# Adds the user_session to the session to determine if the logged in user has changed
|
64
|
+
user_session = auth_hash&.extra&.session
|
65
|
+
raise IndexError, "Missing user session signature" if user_session.nil?
|
66
|
+
session[:user_session] = user_session
|
67
|
+
end
|
62
68
|
end
|
63
69
|
|
64
70
|
def install_webhooks
|
@@ -0,0 +1,20 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module ShopifyApp
|
4
|
+
class ExtensionVerificationController < ActionController::Base
|
5
|
+
protect_from_forgery with: :null_session
|
6
|
+
before_action :verify_request
|
7
|
+
|
8
|
+
private
|
9
|
+
|
10
|
+
def verify_request
|
11
|
+
hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
|
12
|
+
request_body = request.body.read
|
13
|
+
secret = ShopifyApp.configuration.secret
|
14
|
+
digest = OpenSSL::Digest.new('sha256')
|
15
|
+
|
16
|
+
expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
|
17
|
+
head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
|
18
|
+
end
|
19
|
+
end
|
20
|
+
end
|
@@ -0,0 +1,16 @@
|
|
1
|
+
class CreateUsers < ActiveRecord::Migration[<%= rails_migration_version %>]
|
2
|
+
def self.up
|
3
|
+
create_table :users do |t|
|
4
|
+
t.bigint :shopify_user_id, null: false
|
5
|
+
t.string :shopify_domain, null: false
|
6
|
+
t.string :shopify_token, null: false
|
7
|
+
t.timestamps
|
8
|
+
end
|
9
|
+
|
10
|
+
add_index :users, :shopify_user_id, unique: true
|
11
|
+
end
|
12
|
+
|
13
|
+
def self.down
|
14
|
+
drop_table :users
|
15
|
+
end
|
16
|
+
end
|
@@ -0,0 +1,38 @@
|
|
1
|
+
require 'rails/generators/base'
|
2
|
+
require 'rails/generators/active_record'
|
3
|
+
|
4
|
+
module ShopifyApp
|
5
|
+
module Generators
|
6
|
+
class UserModelGenerator < Rails::Generators::Base
|
7
|
+
include Rails::Generators::Migration
|
8
|
+
source_root File.expand_path('../templates', __FILE__)
|
9
|
+
|
10
|
+
def create_user_model
|
11
|
+
copy_file 'user.rb', 'app/models/user.rb'
|
12
|
+
end
|
13
|
+
|
14
|
+
def create_user_migration
|
15
|
+
migration_template 'db/migrate/create_users.erb', 'db/migrate/create_users.rb'
|
16
|
+
end
|
17
|
+
|
18
|
+
def update_shopify_app_initializer
|
19
|
+
gsub_file 'config/initializers/shopify_app.rb', 'ShopifyApp::InMemorySessionStore', 'User'
|
20
|
+
end
|
21
|
+
|
22
|
+
def create_user_fixtures
|
23
|
+
copy_file 'users.yml', 'test/fixtures/users.yml'
|
24
|
+
end
|
25
|
+
|
26
|
+
private
|
27
|
+
|
28
|
+
def rails_migration_version
|
29
|
+
Rails.version.match(/\d\.\d/)[0]
|
30
|
+
end
|
31
|
+
|
32
|
+
# for generating a timestamp when using `create_migration`
|
33
|
+
def self.next_migration_number(dir)
|
34
|
+
ActiveRecord::Generators::Base.next_migration_number(dir)
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
38
|
+
end
|
data/lib/shopify_app.rb
CHANGED
@@ -24,9 +24,6 @@ module ShopifyApp
|
|
24
24
|
# utils
|
25
25
|
require 'shopify_app/utils'
|
26
26
|
|
27
|
-
# controllers
|
28
|
-
require 'shopify_app/controllers/extension_verification_controller'
|
29
|
-
|
30
27
|
# controller concerns
|
31
28
|
require 'shopify_app/controller_concerns/localization'
|
32
29
|
require 'shopify_app/controller_concerns/itp'
|
@@ -47,6 +44,8 @@ module ShopifyApp
|
|
47
44
|
require 'shopify_app/middleware/same_site_cookie_middleware'
|
48
45
|
|
49
46
|
# session
|
47
|
+
require 'shopify_app/session/storage_strategies/shop_storage_strategy'
|
48
|
+
require 'shopify_app/session/storage_strategies/user_storage_strategy'
|
50
49
|
require 'shopify_app/session/session_storage'
|
51
50
|
require 'shopify_app/session/session_repository'
|
52
51
|
require 'shopify_app/session/in_memory_session_store'
|
@@ -15,6 +15,8 @@ module ShopifyApp
|
|
15
15
|
attr_accessor :scripttags
|
16
16
|
attr_accessor :after_authenticate_job
|
17
17
|
attr_reader :session_repository
|
18
|
+
attr_accessor :per_user_tokens
|
19
|
+
alias_method :per_user_tokens?, :per_user_tokens
|
18
20
|
attr_accessor :api_version
|
19
21
|
|
20
22
|
# customise urls
|
@@ -42,6 +44,7 @@ module ShopifyApp
|
|
42
44
|
@myshopify_domain = 'myshopify.com'
|
43
45
|
@scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
|
44
46
|
@webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
|
47
|
+
@per_user_tokens = false
|
45
48
|
@disable_webpacker = ENV['SHOPIFY_APP_DISABLE_WEBPACKER'].present?
|
46
49
|
end
|
47
50
|
|
@@ -27,12 +27,30 @@ module ShopifyApp
|
|
27
27
|
end
|
28
28
|
|
29
29
|
def shop_session
|
30
|
-
|
31
|
-
|
30
|
+
if ShopifyApp.configuration.per_user_tokens?
|
31
|
+
return unless session[:shopify_user]
|
32
|
+
@shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify_user]['id'])
|
33
|
+
else
|
34
|
+
return unless session[:shopify]
|
35
|
+
@shop_session ||= ShopifyApp::SessionRepository.retrieve(session[:shopify])
|
36
|
+
end
|
32
37
|
end
|
33
38
|
|
34
|
-
def
|
39
|
+
def login_again_if_different_user_or_shop
|
40
|
+
if ShopifyApp.configuration.per_user_tokens?
|
41
|
+
valid_session_data = session[:user_session].present? && params[:session].present? # session data was sent/stored correctly
|
42
|
+
sessions_do_not_match = session[:user_session] != params[:session] # current user is different from stored user
|
43
|
+
|
44
|
+
if valid_session_data && sessions_do_not_match
|
45
|
+
clear_session = true
|
46
|
+
end
|
47
|
+
end
|
48
|
+
|
35
49
|
if shop_session && params[:shop] && params[:shop].is_a?(String) && (shop_session.domain != params[:shop])
|
50
|
+
clear_session = true
|
51
|
+
end
|
52
|
+
|
53
|
+
if clear_session
|
36
54
|
clear_shop_session
|
37
55
|
redirect_to_login
|
38
56
|
end
|
@@ -60,6 +78,7 @@ module ShopifyApp
|
|
60
78
|
session[:shopify] = nil
|
61
79
|
session[:shopify_domain] = nil
|
62
80
|
session[:shopify_user] = nil
|
81
|
+
session[:user_session] = nil
|
63
82
|
end
|
64
83
|
|
65
84
|
def login_url_with_optional_shop(top_level: false)
|
@@ -3,9 +3,12 @@ module ShopifyApp
|
|
3
3
|
extend ActiveSupport::Concern
|
4
4
|
|
5
5
|
included do
|
6
|
-
validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false }
|
7
6
|
validates :shopify_token, presence: true
|
8
7
|
validates :api_version, presence: true
|
8
|
+
validates :shopify_domain, presence: true,
|
9
|
+
if: Proc.new {|_| ShopifyApp.configuration.per_user_tokens? }
|
10
|
+
validates :shopify_domain, presence: true, uniqueness: { case_sensitive: false },
|
11
|
+
if: Proc.new {|_| !ShopifyApp.configuration.per_user_tokens? }
|
9
12
|
end
|
10
13
|
|
11
14
|
def with_shopify_session(&block)
|
@@ -18,23 +21,19 @@ module ShopifyApp
|
|
18
21
|
end
|
19
22
|
|
20
23
|
class_methods do
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
24
|
+
|
25
|
+
def strategy_klass
|
26
|
+
ShopifyApp.configuration.per_user_tokens? ?
|
27
|
+
ShopifyApp::SessionStorage::UserStorageStrategy :
|
28
|
+
ShopifyApp::SessionStorage::ShopStorageStrategy
|
26
29
|
end
|
27
30
|
|
28
|
-
def
|
29
|
-
|
31
|
+
def store(auth_session, user: nil)
|
32
|
+
strategy_klass.store(auth_session, user)
|
33
|
+
end
|
30
34
|
|
31
|
-
|
32
|
-
|
33
|
-
domain: shop.shopify_domain,
|
34
|
-
token: shop.shopify_token,
|
35
|
-
api_version: shop.api_version
|
36
|
-
)
|
37
|
-
end
|
35
|
+
def retrieve(id)
|
36
|
+
strategy_klass.retrieve(id)
|
38
37
|
end
|
39
38
|
end
|
40
39
|
end
|
@@ -0,0 +1,24 @@
|
|
1
|
+
module ShopifyApp
|
2
|
+
module SessionStorage
|
3
|
+
class ShopStorageStrategy
|
4
|
+
|
5
|
+
def self.store(auth_session, *args)
|
6
|
+
shop = Shop.find_or_initialize_by(shopify_domain: auth_session.domain)
|
7
|
+
shop.shopify_token = auth_session.token
|
8
|
+
shop.save!
|
9
|
+
shop.id
|
10
|
+
end
|
11
|
+
|
12
|
+
def self.retrieve(id)
|
13
|
+
return unless id
|
14
|
+
if shop = Shop.find_by(id: id)
|
15
|
+
ShopifyAPI::Session.new(
|
16
|
+
domain: shop.shopify_domain,
|
17
|
+
token: shop.shopify_token,
|
18
|
+
api_version: shop.api_version
|
19
|
+
)
|
20
|
+
end
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|
@@ -0,0 +1,26 @@
|
|
1
|
+
module ShopifyApp
|
2
|
+
module SessionStorage
|
3
|
+
class UserStorageStrategy
|
4
|
+
|
5
|
+
def self.store(auth_session, user)
|
6
|
+
user = User.find_or_initialize_by(shopify_user_id: user[:id])
|
7
|
+
user.shopify_token = auth_session.token
|
8
|
+
user.shopify_domain = auth_session.domain
|
9
|
+
user.save!
|
10
|
+
user.id
|
11
|
+
end
|
12
|
+
|
13
|
+
def self.retrieve(id)
|
14
|
+
return unless id
|
15
|
+
if user = User.find_by(shopify_user_id: id)
|
16
|
+
ShopifyAPI::Session.new(
|
17
|
+
domain: user.shopify_domain,
|
18
|
+
token: user.shopify_token,
|
19
|
+
api_version: user.api_version
|
20
|
+
)
|
21
|
+
end
|
22
|
+
end
|
23
|
+
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
data/lib/shopify_app/version.rb
CHANGED
data/service.yml
CHANGED
data/shopify_app.gemspec
CHANGED
@@ -18,6 +18,9 @@ Gem::Specification.new do |s|
|
|
18
18
|
s.add_development_dependency('rake')
|
19
19
|
s.add_development_dependency('byebug')
|
20
20
|
s.add_development_dependency('pry')
|
21
|
+
s.add_development_dependency('pry-nav')
|
22
|
+
s.add_development_dependency('pry-stack_explorer')
|
23
|
+
s.add_development_dependency('rb-readline')
|
21
24
|
s.add_development_dependency('sqlite3', '~> 1.4')
|
22
25
|
s.add_development_dependency('minitest')
|
23
26
|
s.add_development_dependency('mocha')
|
@@ -26,4 +29,4 @@ Gem::Specification.new do |s|
|
|
26
29
|
s.files = `git ls-files`.split("\n").reject { |f| f.match(%r{^(test|example)/}) }
|
27
30
|
s.test_files = `git ls-files -- {test}/*`.split("\n")
|
28
31
|
s.require_paths = ["lib"]
|
29
|
-
end
|
32
|
+
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: shopify_app
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 11.
|
4
|
+
version: 11.7.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Shopify
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-01-
|
11
|
+
date: 2020-01-15 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: browser_sniffer
|
@@ -108,6 +108,48 @@ dependencies:
|
|
108
108
|
- - ">="
|
109
109
|
- !ruby/object:Gem::Version
|
110
110
|
version: '0'
|
111
|
+
- !ruby/object:Gem::Dependency
|
112
|
+
name: pry-nav
|
113
|
+
requirement: !ruby/object:Gem::Requirement
|
114
|
+
requirements:
|
115
|
+
- - ">="
|
116
|
+
- !ruby/object:Gem::Version
|
117
|
+
version: '0'
|
118
|
+
type: :development
|
119
|
+
prerelease: false
|
120
|
+
version_requirements: !ruby/object:Gem::Requirement
|
121
|
+
requirements:
|
122
|
+
- - ">="
|
123
|
+
- !ruby/object:Gem::Version
|
124
|
+
version: '0'
|
125
|
+
- !ruby/object:Gem::Dependency
|
126
|
+
name: pry-stack_explorer
|
127
|
+
requirement: !ruby/object:Gem::Requirement
|
128
|
+
requirements:
|
129
|
+
- - ">="
|
130
|
+
- !ruby/object:Gem::Version
|
131
|
+
version: '0'
|
132
|
+
type: :development
|
133
|
+
prerelease: false
|
134
|
+
version_requirements: !ruby/object:Gem::Requirement
|
135
|
+
requirements:
|
136
|
+
- - ">="
|
137
|
+
- !ruby/object:Gem::Version
|
138
|
+
version: '0'
|
139
|
+
- !ruby/object:Gem::Dependency
|
140
|
+
name: rb-readline
|
141
|
+
requirement: !ruby/object:Gem::Requirement
|
142
|
+
requirements:
|
143
|
+
- - ">="
|
144
|
+
- !ruby/object:Gem::Version
|
145
|
+
version: '0'
|
146
|
+
type: :development
|
147
|
+
prerelease: false
|
148
|
+
version_requirements: !ruby/object:Gem::Requirement
|
149
|
+
requirements:
|
150
|
+
- - ">="
|
151
|
+
- !ruby/object:Gem::Version
|
152
|
+
version: '0'
|
111
153
|
- !ruby/object:Gem::Dependency
|
112
154
|
name: sqlite3
|
113
155
|
requirement: !ruby/object:Gem::Requirement
|
@@ -197,6 +239,7 @@ files:
|
|
197
239
|
- app/controllers/concerns/shopify_app/authenticated.rb
|
198
240
|
- app/controllers/shopify_app/authenticated_controller.rb
|
199
241
|
- app/controllers/shopify_app/callback_controller.rb
|
242
|
+
- app/controllers/shopify_app/extension_verification_controller.rb
|
200
243
|
- app/controllers/shopify_app/sessions_controller.rb
|
201
244
|
- app/controllers/shopify_app/webhooks_controller.rb
|
202
245
|
- app/views/shopify_app/partials/_button_styles.html.erb
|
@@ -275,6 +318,10 @@ files:
|
|
275
318
|
- lib/generators/shopify_app/shop_model/templates/shop.rb
|
276
319
|
- lib/generators/shopify_app/shop_model/templates/shops.yml
|
277
320
|
- lib/generators/shopify_app/shopify_app_generator.rb
|
321
|
+
- lib/generators/shopify_app/user_model/templates/db/migrate/create_users.erb
|
322
|
+
- lib/generators/shopify_app/user_model/templates/user.rb
|
323
|
+
- lib/generators/shopify_app/user_model/templates/users.yml
|
324
|
+
- lib/generators/shopify_app/user_model/user_model_generator.rb
|
278
325
|
- lib/generators/shopify_app/views/views_generator.rb
|
279
326
|
- lib/shopify_app.rb
|
280
327
|
- lib/shopify_app/configuration.rb
|
@@ -284,7 +331,6 @@ files:
|
|
284
331
|
- lib/shopify_app/controller_concerns/localization.rb
|
285
332
|
- lib/shopify_app/controller_concerns/login_protection.rb
|
286
333
|
- lib/shopify_app/controller_concerns/webhook_verification.rb
|
287
|
-
- lib/shopify_app/controllers/extension_verification_controller.rb
|
288
334
|
- lib/shopify_app/engine.rb
|
289
335
|
- lib/shopify_app/jobs/scripttags_manager_job.rb
|
290
336
|
- lib/shopify_app/jobs/webhooks_manager_job.rb
|
@@ -294,6 +340,8 @@ files:
|
|
294
340
|
- lib/shopify_app/session/in_memory_session_store.rb
|
295
341
|
- lib/shopify_app/session/session_repository.rb
|
296
342
|
- lib/shopify_app/session/session_storage.rb
|
343
|
+
- lib/shopify_app/session/storage_strategies/shop_storage_strategy.rb
|
344
|
+
- lib/shopify_app/session/storage_strategies/user_storage_strategy.rb
|
297
345
|
- lib/shopify_app/utils.rb
|
298
346
|
- lib/shopify_app/version.rb
|
299
347
|
- package-lock.json
|
@@ -1,18 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
class ExtensionVerificationController < ActionController::Base
|
4
|
-
protect_from_forgery with: :null_session
|
5
|
-
before_action :verify_request
|
6
|
-
|
7
|
-
private
|
8
|
-
|
9
|
-
def verify_request
|
10
|
-
hmac_header = request.headers['HTTP_X_SHOPIFY_HMAC_SHA256']
|
11
|
-
request_body = request.body.read
|
12
|
-
secret = ShopifyApp.configuration.secret
|
13
|
-
digest = OpenSSL::Digest.new('sha256')
|
14
|
-
|
15
|
-
expected_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, request_body))
|
16
|
-
head(:unauthorized) unless ActiveSupport::SecurityUtils.secure_compare(expected_hmac, hmac_header)
|
17
|
-
end
|
18
|
-
end
|