shopify_app 13.1.1 → 13.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0aa049c80b093fe0a9467aff641dacca475d2e752a852a980da05b7b64b764a3
-  data.tar.gz: c041d5de39c2c62026b5748d391592c74d4847c9ad00691282a66a6da7cd1fa8
+  metadata.gz: 342e069a4f4d0d9bd824403f44cbcf25e398c8e869b4c31058199c7a13daca19
+  data.tar.gz: cebba3a407077d4dd86183b6aa4fe702593cfacb5de7f630305fefb7bf0ed545
 SHA512:
-  metadata.gz: ce925fec4a16a886424e0c4233f9be474f1166ff9e2cf4fe4463825a633a373f4bac82041cab051f37d4afbf227d5ae89189fc28a104eeb035ce856576a27203
-  data.tar.gz: 23f6483d6cf1b4767ea6c66b8178c0d5458c3c40abb968d6cca22f0adbf27250257b39e20c9d87a140e562a249006f11137c93737c4e0e6e4b3b101fc93a2932
+  metadata.gz: 3d7e6c9dc9a521fe022f91e3c2761ff451a34fb67a61ebe3ac5888e5a19924d8eea912a9d644c4255ab0570c959ee8f56f6b30b98809b9d6bb9e09323f7bfec3
+  data.tar.gz: 67ed9dbc2897dce008f35c760251d64c708319a2171617692caedf01026b8366dd5f3ac9609d23c2ee8d196d2b90a34adce2bcf2974e7541bfa24a74a06c303b

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+13.2.0
+------
+* Get current shop domain from JWT header
+* Validate that the omniauth data matches the JWT data
+* Persist the token information to the session store
+
 13.1.1
 ------
 * Update browser_sniffer to 1.2.2

data/app/controllers/shopify_app/callback_controller.rb

@@ -6,10 +6,22 @@ module ShopifyApp
     include ShopifyApp::LoginProtection
 
     def callback
-      if auth_hash
-        login_shop
+      unless auth_hash
+        return respond_with_error
+      end
+
+      if jwt_request? && !valid_jwt_auth?
+        return respond_with_error
+      end
+
+      if jwt_request?
+        set_shopify_session
+        head(:ok)
+      else
+        reset_session_options
+        set_shopify_session
 
-        if ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
+        if redirect_for_user_token?
           return redirect_to(login_url_with_optional_shop)
         end
 
@@ -18,17 +30,30 @@ module ShopifyApp
         perform_after_authenticate_job
 
         redirect_to(return_address)
+      end
+    end
+
+    private
+
+    def respond_with_error
+      if jwt_request?
+        head(:unauthorized)
       else
         flash[:error] = I18n.t('could_not_log_in')
         redirect_to(login_url_with_optional_shop)
       end
     end
 
-    private
+    def redirect_for_user_token?
+      ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
+    end
 
-    def login_shop
-      reset_session_options
-      set_shopify_session
+    def jwt_request?
+      jwt_shopify_domain || jwt_shopify_user_id
+    end
+
+    def valid_jwt_auth?
+      auth_hash && jwt_shopify_domain == shop_name && jwt_shopify_user_id == associated_user_id
     end
 
     def auth_hash
@@ -45,6 +70,10 @@ module ShopifyApp
       auth_hash['extra']['associated_user']
     end
 
+    def associated_user_id
+      associated_user && associated_user['id']
+    end
+
     def token
       auth_hash['credentials']['token']
     end

data/app/controllers/shopify_app/sessions_controller.rb

@@ -125,7 +125,7 @@ module ShopifyApp
     end
 
     def copy_return_to_param_to_session
-      session[:return_to] = params[:return_to] if params[:return_to]
+      session[:return_to] = RedirectSafely.make_safe(params[:return_to], '/') if params[:return_to]
     end
 
     def render_invalid_shop_error

data/app/controllers/shopify_app/webhooks_controller.rb

@@ -9,7 +9,7 @@ module ShopifyApp
       params.permit!
       job_args = { shop_domain: shop_domain, webhook: webhook_params.to_h }
       webhook_job_klass.perform_later(job_args)
-      head(:no_content)
+      head(:ok)
     end
 
     private

data/docs/Releasing.md

@@ -3,6 +3,7 @@ Releasing ShopifyApp
 1. Check the Semantic Versioning page for info on how to version the new release: http://semver.org
 2. Create a pull request with the following changes:
   * Update the version of ShopifyApp in lib/shopify_app/version.rb
+  * Update the version of shopify_app in package.json
   * Add a CHANGELOG entry for the new release with the date
   * Change the title of the PR to something like: "Packaging for release X.Y.Z"
 3. Merge your pull request

data/lib/generators/shopify_app/install/templates/shopify_app.rb.tt

@@ -8,7 +8,7 @@ ShopifyApp.configure do |config|
   config.embedded_app = <%= embedded_app? %>
   config.after_authenticate_job = false
   config.api_version = "<%= @api_version %>"
-  config.shop_session_repository = 'ShopifyApp::InMemoryShopSessionStore'
+  config.shop_session_repository = 'Shop'
 end
 
 # ShopifyApp::Utils.fetch_known_api_versions                        # Uncomment to fetch known api versions from shopify servers on boot

data/lib/shopify_app.rb

@@ -4,6 +4,7 @@ require 'shopify_app/version'
 # deps
 require 'shopify_api'
 require 'omniauth-shopify-oauth2'
+require 'redirect_safely'
 
 module ShopifyApp
   def self.rails6?
@@ -42,6 +43,7 @@ module ShopifyApp
   require 'shopify_app/managers/scripttags_manager'
 
   # middleware
+  require 'shopify_app/middleware/jwt_middleware'
   require 'shopify_app/middleware/same_site_cookie_middleware'
 
   # session

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -83,17 +83,11 @@ module ShopifyApp
     protected
 
     def jwt_shopify_domain
-      return unless jwt
-      @jwt_shopify_domain ||= JWT.new(jwt).shopify_domain
+      request.env['jwt.shopify_domain']
     end
 
     def jwt_shopify_user_id
-      return unless jwt
-      @jwt_user_id ||= JWT.new(jwt).shopify_user_id
-    end
-
-    def jwt
-      @jwt ||= authenticate_with_http_token { |token| token }
+      request.env['jwt.shopify_user_id']
     end
 
     def redirect_to_login
@@ -139,7 +133,7 @@ module ShopifyApp
       query_params = {}
       query_params[:shop] = sanitized_params[:shop] if params[:shop].present?
 
-      return_to = session[:return_to] || params[:return_to]
+      return_to = RedirectSafely.make_safe(session[:return_to] || params[:return_to], nil)
 
       if return_to.present? && return_to_param_required?
         query_params[:return_to] = return_to
@@ -170,7 +164,10 @@ module ShopifyApp
     end
 
     def current_shopify_domain
-      shopify_domain = sanitized_shop_name || session[:shopify_domain]
+      shopify_domain = sanitized_shop_name ||
+        jwt_shopify_domain ||
+        session[:shopify_domain]
+
       return shopify_domain if shopify_domain.present?
 
       raise ShopifyDomainNotFound

data/lib/shopify_app/engine.rb

@@ -16,6 +16,10 @@ module ShopifyApp
 
     initializer "shopify_app.middleware" do |app|
       app.config.middleware.insert_after(::Rack::Runtime, ShopifyApp::SameSiteCookieMiddleware)
+
+      if ShopifyApp.configuration.allow_jwt_authentication
+        app.config.middleware.insert_after(ShopifyApp::SameSiteCookieMiddleware, ShopifyApp::JWTMiddleware)
+      end
     end
   end
 end

data/lib/shopify_app/middleware/jwt_middleware.rb

@@ -0,0 +1,41 @@
+module ShopifyApp
+  class JWTMiddleware
+    TOKEN_REGEX = /^Bearer\s+(.*?)$/
+
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      return call_next(env) unless authorization_header(env)
+
+      token = extract_token(env)
+      return call_next(env) unless token
+
+      set_env_variables(token, env)
+      call_next(env)
+    end
+
+    private
+
+    def call_next(env)
+      @app.call(env)
+    end
+
+    def authorization_header(env)
+      env['HTTP_AUTHORIZATION']
+    end
+
+    def extract_token(env)
+      match = authorization_header(env).match(TOKEN_REGEX)
+      match && match[1]
+    end
+
+    def set_env_variables(token, env)
+      jwt = ShopifyApp::JWT.new(token)
+
+      env['jwt.shopify_domain'] = jwt.shopify_domain
+      env['jwt.shopify_user_id'] = jwt.shopify_user_id
+    end
+  end
+end

data/lib/shopify_app/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module ShopifyApp
-  VERSION = '13.1.1'
+  VERSION = '13.2.0'
 end

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "13.1.1",
+  "version": "13.2.0",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

data/shopify_app.gemspec

@@ -15,9 +15,10 @@ Gem::Specification.new do |s|
 
   s.add_runtime_dependency('browser_sniffer', '~> 1.2.2')
   s.add_runtime_dependency('rails', '> 5.2.1')
-  s.add_runtime_dependency('shopify_api', '~> 9.0.2')
+  s.add_runtime_dependency('shopify_api', '~> 9.1.0')
   s.add_runtime_dependency('omniauth-shopify-oauth2', '~> 2.2.2')
   s.add_runtime_dependency('jwt', '~> 2.2.1')
+  s.add_runtime_dependency('redirect_safely', '~> 1.0')
 
   s.add_development_dependency('rake')
   s.add_development_dependency('byebug')

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 13.1.1
+  version: 13.2.0
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-06 00:00:00.000000000 Z
+date: 2020-05-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: browser_sniffer
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 9.0.2
+        version: 9.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 9.0.2
+        version: 9.1.0
 - !ruby/object:Gem::Dependency
   name: omniauth-shopify-oauth2
   requirement: !ruby/object:Gem::Requirement
@@ -80,6 +80,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.2.1
+- !ruby/object:Gem::Dependency
+  name: redirect_safely
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -351,6 +365,7 @@ files:
 - lib/shopify_app/jobs/webhooks_manager_job.rb
 - lib/shopify_app/managers/scripttags_manager.rb
 - lib/shopify_app/managers/webhooks_manager.rb
+- lib/shopify_app/middleware/jwt_middleware.rb
 - lib/shopify_app/middleware/same_site_cookie_middleware.rb
 - lib/shopify_app/session/in_memory_session_store.rb
 - lib/shopify_app/session/in_memory_shop_session_store.rb