RubyGems - shopify_app - Versions diffs - 13.3.0 → 13.4.0 - Mend

shopify_app 13.3.0 → 13.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/README.md +1 -2
data/app/controllers/concerns/shopify_app/authenticated.rb +1 -0
data/docs/Quickstart.md +2 -3
data/lib/generators/shopify_app/install/templates/flash_messages.js +0 -2
data/lib/shopify_app.rb +1 -0
data/lib/shopify_app/controller_concerns/csrf_protection.rb +15 -0
data/lib/shopify_app/version.rb +1 -1
data/package.json +1 -1
metadata +3 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6666c7899ac8e3332bf950ce28d445e2fc40886c811631a4bfb3f1e446c286e0
-  data.tar.gz: f85b1b7ed7a77e2430ed955ed0f65bd30b5021d85614da8943332077a999d38e
+  metadata.gz: 3f4300bbcbbf4e0e2c6b64d3943a83f8eda2774615016551b109880b21cb32d6
+  data.tar.gz: 68eca06abf0153e592b7a167bcaf0b60720213e351355737c59eafba01f65e82
 SHA512:
-  metadata.gz: 6582a20d5b5340e7259aef06660e0a2673f31cc0b9413d6d8fda0a7c7fa34982f7dc08cd69f78cad2a0d4e322aedddcc6e472ba368ac4066f1215dc5daaacc4d
-  data.tar.gz: c9bf293b825e474f3ef73353428309baa0c3536c7781597b58ca083fc03b587e210e05dbbdc398edf235b225a537dd3dd02bb612176625d42743a2ae1978aeec
+  metadata.gz: 9052491aa073afeacbb8cc6dc5bd6e12fe73c4935ed36e823ed5b3966df8c240d1e1a48e9adf02444c79e4aacada04b85e0de8184ea8148b9227589ef600fc6c
+  data.tar.gz: a78d6b3a5fb2a02c3122afabd2a4b2e564f5e5d0c7cb530622004e39143f695e0fbb804a9be20379a245e600330e08e3e8837dfb9dafe0ad8ceeade613c07c3d

data/CHANGELOG.md CHANGED

@@ -1,3 +1,7 @@
+13.4.0
+------
+* Skip CSRF protection if a valid signed JWT token is present as we trust Shopify to be the only source that can sign it securely. [#994](https://github.com/Shopify/shopify_app/pull/994)
 13.3.0
 ------
 * Added Payload Verification module [#992](https://github.com/Shopify/shopify_app/pull/992)

data/README.md CHANGED

@@ -58,8 +58,7 @@ $ rails new my_shopify_app
 $ cd my_shopify_app
 # Add the gem shopify_app to your Gemfile
-$ echo "gem 'shopify_app'" >> Gemfile
-$ bundle install
+$ bundle add shopify_app
 ```
 Now we are ready to run any of the [generators](#generators) included with `shopify_app`. The following section explains the generators and what you can do with them.

data/app/controllers/concerns/shopify_app/authenticated.rb CHANGED

@@ -7,6 +7,7 @@ module ShopifyApp
     included do
       include ShopifyApp::Localization
       include ShopifyApp::LoginProtection
+      include ShopifyApp::CsrfProtection
       include ShopifyApp::EmbeddedApp
       before_action :login_again_if_different_user_or_shop
       around_action :activate_shopify_session

data/docs/Quickstart.md CHANGED

@@ -40,11 +40,10 @@ $ heroku create name
 4. Add ShopifyApp to Gemfile
 ----------------------------
-Run these commands to add the `shopify_app` Gem to your app:
+Run this command to add the `shopify_app` Gem to your app:
 ```sh
-$ echo "gem 'shopify_app'" >> Gemfile
-$ bundle install
+$ bundle add shopify_app
 ```
 **Note:** we recommend using the latest version of Shopify Gem. Check the [Git tags](https://github.com/Shopify/shopify_app/tags) to see the latest release version and then add it to your Gemfile e.g `gem 'shopify_app', '~> 7.0.0'`

data/lib/generators/shopify_app/install/templates/flash_messages.js CHANGED

@@ -20,7 +20,5 @@ if (!document.documentElement.hasAttribute("data-turbolinks-preview")) {
         isError: true,
       }).dispatch(Toast.Action.SHOW);
     }
-    document.removeEventListener(eventName, flash)
   });
 }

data/lib/shopify_app.rb CHANGED

@@ -27,6 +27,7 @@ module ShopifyApp
   require 'shopify_app/utils'
   # controller concerns
+  require 'shopify_app/controller_concerns/csrf_protection'
   require 'shopify_app/controller_concerns/localization'
   require 'shopify_app/controller_concerns/itp'
   require 'shopify_app/controller_concerns/login_protection'

data/lib/shopify_app/controller_concerns/csrf_protection.rb ADDED

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+module ShopifyApp
+  module CsrfProtection
+    extend ActiveSupport::Concern
+    included do
+      protect_from_forgery with: :exception, unless: :valid_session_token?
+    end
+    private
+    def valid_session_token?
+      request.env['jwt.shopify_domain']
+    end
+  end
+end

data/lib/shopify_app/version.rb CHANGED

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module ShopifyApp
-  VERSION = '13.3.0'
+  VERSION = '13.4.0'
 end

data/package.json CHANGED

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "13.3.0",
+  "version": "13.4.0",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 13.3.0
+  version: 13.4.0
 platform: ruby
 authors:
 - Shopify
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-06-01 00:00:00.000000000 Z
+date: 2020-06-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: browser_sniffer
@@ -358,6 +358,7 @@ files:
 - lib/shopify_app.rb
 - lib/shopify_app/configuration.rb
 - lib/shopify_app/controller_concerns/app_proxy_verification.rb
+- lib/shopify_app/controller_concerns/csrf_protection.rb
 - lib/shopify_app/controller_concerns/embedded_app.rb
 - lib/shopify_app/controller_concerns/itp.rb
 - lib/shopify_app/controller_concerns/localization.rb