shopify_app 17.2.1 → 18.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c3196fb2b6cba6107aee7ad481c745d3c76121f5f07a2f99e812f5e0dc206baa
-  data.tar.gz: 4243a519b5e601238974ba566c978badf4fe2132f5c2e5616f2dd35e2f0557ba
+  metadata.gz: 7da18fdd3924eb35146d7ca4dbd928567e377757d0f3cc11c72ef6aa732e1cec
+  data.tar.gz: 5e90219d351aab20f23e247c28d63626ecbd1a26f960157a2e91221940b09b5f
 SHA512:
-  metadata.gz: 3cd70a25dc28f3eedafe42dcf312d15a63d2775cd7f98457f6a431574aef1a7e5566fbb033c1ed67ed207ad88cb356741a38f642765b057b4fc9c288df82f008
-  data.tar.gz: a30861d15e1db1bf447c655d5a889921dc991e421723781cd9f4cceb3828a91b73a6b73aa696df95cdcefca6f23caf1fd3834ffe4e9cad5b1bb4b4a90d187ff0
+  metadata.gz: f29dcc0b4504248d2811d9d61be42fa03f2a161eb16f79dde1b044db71e6f2697847dabb80563cb1cd21cdcc3979b1eb147d6ff07e4a51baad571a8830ed4969
+  data.tar.gz: a2138081a6942f4418cf3efb72f63ed61a3de162686c2e3d1b9316ed7f292c0adf8fa5e248b8a5396504096d561248427de32a36b87d1f84bb6901fd9efca661

data/CHANGELOG.md

@@ -1,6 +1,12 @@
 Unreleased
 ----------
 
+18.0.0 (May 3, 2021)
+----------
+* Support OmniAuth 2.x 
+  * If your app has custom OmniAuth configuration, please refer to the [OmniAuth 2.0 upgrade guide](https://github.com/omniauth/omniauth/wiki/Upgrading-to-2.0).
+* Support App Bridge version 2.x in the Embedded App layout. [#1241](https://github.com/Shopify/shopify_app/pull/1241)
+
 17.2.1 (April 1, 2021)
 ----------
 * Bug fix: Lock the CDN App Bridge version to `v1.X.Y` in the Embedded App layout [#1238](https://github.com/Shopify/shopify_app/pull/1238)

data/Gemfile.lock

@@ -1,10 +1,11 @@
 PATH
   remote: .
   specs:
-    shopify_app (17.2.1)
+    shopify_app (18.0.0)
       browser_sniffer (~> 1.2.2)
-      jwt (~> 2.2.1)
-      omniauth-shopify-oauth2 (~> 2.2.2)
+      jwt (>= 2.2.3)
+      omniauth-rails_csrf_protection
+      omniauth-shopify-oauth2 (~> 2.3)
       rails (> 5.2.1, < 6.2)
       redirect_safely (~> 1.0)
       shopify_api (~> 9.4)
@@ -93,14 +94,18 @@ GEM
     crass (1.0.6)
     debug_inspector (0.0.3)
     erubi (1.10.0)
-    faraday (1.3.0)
+    faraday (1.4.1)
+      faraday-excon (~> 1.1)
       faraday-net_http (~> 1.0)
+      faraday-net_http_persistent (~> 1.1)
       multipart-post (>= 1.2, < 3)
-      ruby2_keywords
+      ruby2_keywords (>= 0.0.4)
+    faraday-excon (1.1.0)
     faraday-net_http (1.0.1)
+    faraday-net_http_persistent (1.1.0)
     globalid (0.4.2)
       activesupport (>= 4.2.0)
-    graphql (1.12.6)
+    graphql (1.12.8)
     graphql-client (0.16.0)
       activesupport (>= 3.0)
       graphql (~> 1.8)
@@ -108,13 +113,13 @@ GEM
     hashie (4.1.0)
     i18n (1.8.9)
       concurrent-ruby (~> 1.0)
-    jwt (2.2.2)
+    jwt (2.2.3)
     loofah (2.9.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
-    marcel (1.0.0)
+    marcel (1.0.1)
     method_source (0.9.2)
     mini_mime (1.0.3)
     mini_portile2 (2.5.0)
@@ -133,15 +138,19 @@ GEM
       multi_json (~> 1.3)
       multi_xml (~> 0.5)
       rack (>= 1.2, < 3)
-    omniauth (1.9.1)
+    omniauth (2.0.4)
       hashie (>= 3.4.6)
       rack (>= 1.6.2, < 3)
-    omniauth-oauth2 (1.5.0)
-      oauth2 (~> 1.1)
-      omniauth (~> 1.2)
-    omniauth-shopify-oauth2 (2.2.3)
+      rack-protection
+    omniauth-oauth2 (1.7.1)
+      oauth2 (~> 1.4)
+      omniauth (>= 1.9, < 3)
+    omniauth-rails_csrf_protection (1.0.0)
+      actionpack (>= 4.2)
+      omniauth (~> 2.0)
+    omniauth-shopify-oauth2 (2.3.2)
       activesupport
-      omniauth-oauth2 (~> 1.5.0)
+      omniauth-oauth2 (~> 1.5)
     parallel (1.20.1)
     parser (2.7.2.0)
       ast (~> 2.4.1)
@@ -156,6 +165,8 @@ GEM
     public_suffix (4.0.6)
     racc (1.5.2)
     rack (2.2.3)
+    rack-protection (2.1.0)
+      rack
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails (6.1.3.1)

data/app/controllers/shopify_app/sessions_controller.rb

@@ -150,7 +150,11 @@ module ShopifyApp
     end
 
     def authenticate_in_context
-      redirect_to("#{main_app.root_path}auth/shopify")
+      post_redirect_to_auth_shopify
+    end
+
+    def post_redirect_to_auth_shopify
+      render('shopify_app/shared/post_redirect_to_auth_shopify', layout: false)
     end
 
     def authenticate_at_top_level

data/app/views/shopify_app/shared/post_redirect_to_auth_shopify.html.erb

@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <base target="_top">
+  <title>Redirecting…</title>
+  <script>
+    function redirect() {
+      var form = document.getElementById("redirect-form");
+      if (form) {
+        form.submit();
+      }
+    }
+    document.addEventListener("DOMContentLoaded", redirect);
+  </script>
+</head>
+<body>
+  <%= form_tag '/auth/shopify', id: 'redirect-form' %>
+</body>
+</html>

data/docs/Troubleshooting.md

@@ -16,6 +16,8 @@
   * [My app is still using cookies to authenticate](#my-app-is-still-using-cookies-to-authenticate)
   * [My app can't make requests to the Shopify API](#my-app-cant-make-requests-to-the-shopify-api)
 
+[Migrating to App Bridge 2.0](#migrating-to-app-bridge-2.0)
+
 ## Generators
 
 ### The shopify_app:install generator hangs
@@ -138,4 +140,15 @@ _Example:_ If your embedded app cannot handle server-side XHR redirects, then co
 X-Shopify-API-Request-Failure-Unauthorized: true
 ```
 
-Then, use the [Shopify App Bridge Redirect](https://shopify.dev/tools/app-bridge/actions/navigation/redirect) action to redirect your app frontend to the app login URL if this header is set.
+Then, use the [Shopify App Bridge Redirect](https://shopify.dev/tools/app-bridge/actions/navigation/redirect) action to redirect your app frontend to the app login URL if this header is set.
+
+## Migrating to App Bridge 2.0
+
+In order to upgrade your embedded app to the latest App Bridge 2.0 version, please refer to the [migration guide](https://shopify.dev/tutorials/migrate-your-app-to-app-bridge-2).
+
+To ensure that your app's embedded layout doesn't import App Bridge 2.0 before fully migrating, make the following change to bind it to v1.x.
+
+```diff
+ - <script src="https://unpkg.com/@shopify/app-bridge"></script>
+ + <script src="https://unpkg.com/@shopify/app-bridge@1"></script>
+``` 

data/lib/generators/shopify_app/home_controller/templates/home_controller.rb

@@ -3,8 +3,16 @@
 class HomeController < AuthenticatedController
   include ShopifyApp::ShopAccessScopesVerification
 
+  before_action :set_host
+
   def index
     @products = ShopifyAPI::Product.find(:all, params: { limit: 10 })
     @webhooks = ShopifyAPI::Webhook.find(:all)
   end
+
+  private
+
+  def set_host
+    @host = params[:host]
+  end
 end

data/lib/generators/shopify_app/home_controller/templates/index.html.erb

@@ -18,7 +18,7 @@
 
         // Save a session token for future requests
         window.sessionToken = await new Promise((resolve) => {
-          app.subscribe(SessionToken.ActionType.RESPOND, (data) => {
+          app.subscribe(SessionToken.Action.RESPOND, (data) => {
             resolve(data.sessionToken || "");
           });
         });

data/lib/generators/shopify_app/home_controller/templates/unauthenticated_home_controller.rb

@@ -7,5 +7,6 @@ class HomeController < ApplicationController
 
   def index
     @shop_origin = current_shopify_domain
+    @host = params[:host]
   end
 end

data/lib/generators/shopify_app/install/templates/embedded_app.html.erb

@@ -24,11 +24,12 @@
 
     <%= render 'layouts/flash_messages' %>
 
-    <script src="https://unpkg.com/@shopify/app-bridge@1"></script>
+    <script src="https://unpkg.com/@shopify/app-bridge@2"></script>
 
     <%= content_tag(:div, nil, id: 'shopify-app-init', data: {
       api_key: ShopifyApp.configuration.api_key,
       shop_origin: @shop_origin || (@current_shopify_session.domain if @current_shopify_session),
+      host: @host,
       debug: Rails.env.development?
     } ) %>
 

data/lib/generators/shopify_app/install/templates/shopify_app.js

@@ -4,7 +4,7 @@ document.addEventListener('DOMContentLoaded', () => {
   var createApp = AppBridge.default;
   window.app = createApp({
     apiKey: data.apiKey,
-    shopOrigin: data.shopOrigin,
+    host: data.host,
   });
 
   var actions = AppBridge.actions;

data/lib/shopify_app.rb

@@ -3,6 +3,7 @@ require 'shopify_app/version'
 
 # deps
 require 'shopify_api'
+require 'omniauth/rails_csrf_protection'
 require 'omniauth-shopify-oauth2'
 require 'redirect_safely'
 

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -9,6 +9,8 @@ module ShopifyApp
 
     class ShopifyDomainNotFound < StandardError; end
 
+    class ShopifyHostNotFound < StandardError; end
+
     included do
       after_action :set_test_cookie
       rescue_from ActiveResource::UnauthorizedAccess, with: :close_session
@@ -103,6 +105,12 @@ module ShopifyApp
       request.env['jwt.shopify_user_id']
     end
 
+    def host
+      return params[:host] if params[:host].present?
+
+      raise ShopifyHostNotFound
+    end
+
     def redirect_to_login
       if request.xhr?
         head(:unauthorized)
@@ -215,9 +223,8 @@ module ShopifyApp
     end
 
     def return_address
-      return base_return_address unless ShopifyApp.configuration.allow_jwt_authentication
-      return_address_with_params(shop: current_shopify_domain)
-    rescue ShopifyDomainNotFound
+      return_address_with_params(shop: current_shopify_domain, host: host)
+    rescue ShopifyDomainNotFound, ShopifyHostNotFound
       base_return_address
     end
 

data/lib/shopify_app/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module ShopifyApp
-  VERSION = '17.2.1'
+  VERSION = '18.0.0'
 end

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "17.2.1",
+  "version": "18.0.0",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

data/service.yml

@@ -1,7 +1,4 @@
 audience: partner
 classification: library
-org_line: App & Partner Platform
-owners:
-  - Shopify/platform-dev-tools-education
 slack_channels:
-  - dev-tools-education
+- core-build-extend

data/shopify_app.gemspec

@@ -14,10 +14,11 @@ Gem::Specification.new do |s|
   s.metadata['allowed_push_host'] = 'https://rubygems.org'
 
   s.add_runtime_dependency('browser_sniffer', '~> 1.2.2')
+  s.add_runtime_dependency('omniauth-rails_csrf_protection')
   s.add_runtime_dependency('rails', '> 5.2.1', '< 6.2')
   s.add_runtime_dependency('shopify_api', '~> 9.4')
-  s.add_runtime_dependency('omniauth-shopify-oauth2', '~> 2.2.2')
-  s.add_runtime_dependency('jwt', '~> 2.2.1')
+  s.add_runtime_dependency('omniauth-shopify-oauth2', '~> 2.3')
+  s.add_runtime_dependency('jwt', '>= 2.2.3')
   s.add_runtime_dependency('redirect_safely', '~> 1.0')
 
   s.add_development_dependency('rake')

data/yarn.lock

@@ -4519,9 +4519,9 @@ sprintf-js@~1.0.2:
   integrity sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=
 
 ssri@^6.0.1:
-  version "6.0.1"
-  resolved "https://registry.yarnpkg.com/ssri/-/ssri-6.0.1.tgz#2a3c41b28dd45b62b63676ecb74001265ae9edd8"
-  integrity sha512-3Wge10hNcT1Kur4PDFwEieXSCMCJs/7WvSACcrMYrNp+b8kDL1/0wJch5Ni2WrtwEa2IO8OsVfeKIciKCDx/QA==
+  version "6.0.2"
+  resolved "https://registry.yarnpkg.com/ssri/-/ssri-6.0.2.tgz#157939134f20464e7301ddba3e90ffa8f7728ac5"
+  integrity sha512-cepbSq/neFK7xB6A50KHN0xHDotYzq58wWCa5LeWqnPrHG8GzfEjO/4O8kpmcGW+oaxkvhEJCWgbgNk4/ZV93Q==
   dependencies:
     figgy-pudding "^3.5.1"
 
@@ -5115,9 +5115,9 @@ xtend@^4.0.0, xtend@~4.0.1:
   integrity sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==
 
 y18n@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/y18n/-/y18n-4.0.0.tgz#95ef94f85ecc81d007c264e190a120f0a3c8566b"
-  integrity sha512-r9S/ZyXu/Xu9q1tYlpsLIsa3EeLXXk0VwlxqTcFRfg9EhMW+17kbt9G0NrgCmhGb5vT2hyhJZLfDGx+7+5Uj/w==
+  version "4.0.3"
+  resolved "https://registry.yarnpkg.com/y18n/-/y18n-4.0.3.tgz#b5f259c82cd6e336921efd7bfd8bf560de9eeedf"
+  integrity sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ==
 
 yallist@^3.0.2:
   version "3.1.1"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 17.2.1
+  version: 18.0.0
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-01 00:00:00.000000000 Z
+date: 2021-05-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: browser_sniffer
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 1.2.2
+- !ruby/object:Gem::Dependency
+  name: omniauth-rails_csrf_protection
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -64,28 +78,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: '2.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: '2.3'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.2.1
+        version: 2.2.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.2.1
+        version: 2.2.3
 - !ruby/object:Gem::Dependency
   name: redirect_safely
   requirement: !ruby/object:Gem::Requirement
@@ -297,6 +311,7 @@ files:
 - app/views/shopify_app/sessions/new.html.erb
 - app/views/shopify_app/sessions/request_storage_access.html.erb
 - app/views/shopify_app/sessions/top_level_interaction.html.erb
+- app/views/shopify_app/shared/post_redirect_to_auth_shopify.html.erb
 - app/views/shopify_app/shared/redirect.html.erb
 - config/locales/cs.yml
 - config/locales/da.yml