shopify_app 22.0.1 → 22.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9ea486458223aad4ec68fd15a99a340d79ae306e95b8596ca7b9f447b0ac237c
-  data.tar.gz: 7cfc9f51c225a89a3aacf87fc6cd3724c3c69399c60588cab9ac821f32b9bde0
+  metadata.gz: d0b7ce0abe557e14db6582b5cefd0bde0837c6e7f380934ddf9754311e8696a5
+  data.tar.gz: 215ce18139c607e2282f2ecf19cbc365f2fff92012bc4ea5e04cc5d3fe33f4ec
 SHA512:
-  metadata.gz: 6c3c7f2426c24946ab299bb2499e5065c16828fe72ff8160f7d114c96ba7ff658d032494f418d58668ff0ad2fc53288a237fa92f35950e8028aeb0cd551b9d4d
-  data.tar.gz: e86005c3bde23478adc4444ff93274f3c6e4646f063399eb80f9165ab2a0b56765209038d49174889d2e026519296f4b44a929ce0201be5bc25c2c98470f3258
+  metadata.gz: 3ac07379b157096ad6d8c1817058ff2d49401d82af7309c36963b184d2e65053854d02de70cfbebd164a79fa72147a9bda14f209acbb7aadf971f31da9438a1f
+  data.tar.gz: ae2126091214107335550b527ec183499dd38e96bbcee3ac6a5585b287403b74a14c7a260d1929c65abbe6060f243ef64ebf62ba8adf8c8de3c7392316241e83

data/.github/workflows/rubocop.yml

@@ -8,10 +8,9 @@ jobs:
 
     steps:
     - uses: actions/checkout@v3
-    - name: Set up Ruby 3.2
+    - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 3.2
         bundler-cache: true
     - name: Install gems
       run: |

data/.rubocop.yml

@@ -2,7 +2,6 @@ inherit_gem:
     rubocop-shopify: rubocop.yml
 
 AllCops:
-  TargetRubyVersion: 2.7
   Exclude:
     - 'test/tmp/**/*'
     - 'vendor/bundle/**/*'

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased
 ----------
 
+22.1.0 (April 9,2024)
+----------
+* Extracted class - `PostAuthenticateTasks` to handle post authenticate tasks. To learn more, see [post authenticate tasks](/docs/shopify_app/authentication.md#post-authenticate-tasks). [1819](https://github.com/Shopify/shopify_app/pull/1819)
+* Bumps shopify_api dependency to 14.1.0 [1826](https://github.com/Shopify/shopify_app/pull/1826)
+
 22.0.1 (March 12, 2024)
 ----------
 * Bumps `shopify_api` to `14.0.1` [1813](https://github.com/Shopify/shopify_app/pull/1813)

data/Gemfile.lock

@@ -1,13 +1,13 @@
 PATH
   remote: .
   specs:
-    shopify_app (22.0.1)
+    shopify_app (22.1.0)
       activeresource
       addressable (~> 2.7)
       jwt (>= 2.2.3)
       rails (> 5.2.1)
       redirect_safely (~> 1.0)
-      shopify_api (>= 14.0.1, < 15.0)
+      shopify_api (>= 14.1.0, < 15.0)
       sprockets-rails (>= 2.0.0)
 
 GEM
@@ -104,7 +104,7 @@ GEM
       multi_xml (>= 0.5.2)
     i18n (1.13.0)
       concurrent-ruby (~> 1.0)
-    json (2.6.3)
+    json (2.7.2)
     jwt (2.7.0)
     language_server-protocol (3.17.0.3)
     loofah (2.21.3)
@@ -140,9 +140,10 @@ GEM
       racc (~> 1.4)
     oj (3.14.3)
     openssl (3.1.0)
-    parallel (1.23.0)
-    parser (3.2.2.1)
+    parallel (1.24.0)
+    parser (3.3.0.5)
       ast (~> 2.4.1)
+      racc
     prettier_print (1.2.1)
     pry (0.14.2)
       coderay (~> 1.1)
@@ -192,20 +193,21 @@ GEM
     rb-readline (0.5.5)
     redirect_safely (1.0.0)
       activemodel
-    regexp_parser (2.8.0)
-    rexml (3.2.5)
-    rubocop (1.51.0)
+    regexp_parser (2.9.0)
+    rexml (3.2.6)
+    rubocop (1.62.1)
       json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
-      parser (>= 3.2.0.0)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.28.0, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.28.1)
-      parser (>= 3.2.1.0)
+    rubocop-ast (1.31.2)
+      parser (>= 3.3.0.4)
     rubocop-shopify (2.13.0)
       rubocop (~> 1.50)
     ruby-lsp (0.5.1)
@@ -215,7 +217,7 @@ GEM
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     securerandom (0.2.2)
-    shopify_api (14.0.1)
+    shopify_api (14.1.0)
       activesupport
       concurrent-ruby
       hash_diff
@@ -234,16 +236,16 @@ GEM
       actionpack (>= 5.2)
       activesupport (>= 5.2)
       sprockets (>= 3.0.0)
-    sqlite3 (1.6.3-arm64-darwin)
-    sqlite3 (1.6.3-x86_64-darwin)
-    sqlite3 (1.6.3-x86_64-linux)
+    sqlite3 (1.7.3-arm64-darwin)
+    sqlite3 (1.7.3-x86_64-darwin)
+    sqlite3 (1.7.3-x86_64-linux)
     syntax_tree (6.1.1)
       prettier_print (>= 1.2.0)
     thor (1.2.2)
     timeout (0.3.2)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.4.2)
+    unicode-display_width (2.5.0)
     webmock (3.18.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
@@ -256,6 +258,7 @@ GEM
 PLATFORMS
   arm64-darwin-21
   arm64-darwin-22
+  arm64-darwin-23
   x86_64-darwin-19
   x86_64-darwin-20
   x86_64-darwin-21

data/app/controllers/concerns/shopify_app/ensure_has_session.rb

@@ -6,14 +6,20 @@ module ShopifyApp
 
     included do
       include ShopifyApp::Localization
-      include ShopifyApp::LoginProtection
+
+      if ShopifyApp.configuration.use_new_embedded_auth_strategy?
+        include ShopifyApp::TokenExchange
+        around_action :activate_shopify_session
+      else
+        include ShopifyApp::LoginProtection
+        before_action :login_again_if_different_user_or_shop
+        around_action :activate_shopify_session
+        after_action :add_top_level_redirection_headers
+      end
+
       include ShopifyApp::CsrfProtection
       include ShopifyApp::EmbeddedApp
       include ShopifyApp::EnsureBilling
-
-      before_action :login_again_if_different_user_or_shop
-      around_action :activate_shopify_session
-      after_action :add_top_level_redirection_headers
     end
   end
 end

data/app/controllers/concerns/shopify_app/ensure_installed.rb

@@ -16,8 +16,13 @@ module ShopifyApp
       end
 
       before_action :check_shop_domain
-      before_action :check_shop_known
-      before_action :validate_non_embedded_session
+
+      unless ShopifyApp.configuration.use_new_embedded_auth_strategy?
+        # TODO: Add support to use new embedded auth strategy here when invalid
+        # session token can be handled by AppBridge app reload
+        before_action :check_shop_known
+        before_action :validate_non_embedded_session
+      end
     end
 
     def current_shopify_domain

data/app/controllers/concerns/shopify_app/shop_access_scopes_verification.rb

@@ -6,7 +6,11 @@ module ShopifyApp
     include ShopifyApp::RedirectForEmbedded
 
     included do
-      before_action :login_on_scope_changes
+      # Embedded auth strategy uses Shopify managed install to ensure latest access scopes,
+      # This will be handled automatically through token exchange
+      unless ShopifyApp.configuration.use_new_embedded_auth_strategy?
+        before_action :login_on_scope_changes
+      end
     end
 
     protected

data/app/controllers/shopify_app/callback_controller.rb

@@ -23,7 +23,16 @@ module ShopifyApp
 
       return respond_with_user_token_flow if start_user_token_flow?(api_session)
 
-      perform_post_authenticate_jobs(api_session)
+      if ShopifyApp::VERSION < "23.0"
+        # deprecated in 23.0
+        if ShopifyApp.configuration.custom_post_authenticate_tasks.present?
+          ShopifyApp.configuration.post_authenticate_tasks.perform(api_session)
+        else
+          perform_post_authenticate_jobs(api_session)
+        end
+      else
+        ShopifyApp.configuration.post_authenticate_tasks.perform(api_session)
+      end
       redirect_to_app if check_billing(api_session)
     end
 

data/app/controllers/shopify_app/sessions_controller.rb

@@ -37,6 +37,22 @@ module ShopifyApp
     def authenticate
       return render_invalid_shop_error unless sanitized_shop_name.present?
 
+      if ShopifyApp.configuration.use_new_embedded_auth_strategy?
+        ShopifyApp::Logger.debug("Starting OAuth - Redirecting to Shopify managed install")
+        start_install
+      else
+        ShopifyApp::Logger.debug("Starting OAuth - Redirecting to begin auth")
+        start_oauth
+      end
+    end
+
+    def start_install
+      shop_name = sanitized_shop_name.split(".").first
+      install_path = "https://admin.shopify.com/store/#{shop_name}/oauth/install?client_id=#{ShopifyApp.configuration.api_key}"
+      redirect_to(install_path, allow_other_host: true)
+    end
+
+    def start_oauth
       copy_return_to_param_to_session
 
       if embedded_redirect_url?
@@ -44,16 +60,16 @@ module ShopifyApp
         if embedded_param?
           redirect_for_embedded
         else
-          start_oauth
+          redirect_to_begin_oauth
         end
       elsif top_level?
-        start_oauth
+        redirect_to_begin_oauth
       else
         redirect_auth_to_top_level
       end
     end
 
-    def start_oauth
+    def redirect_to_begin_oauth
       callback_url = ShopifyApp.configuration.login_callback_url.gsub(%r{^/}, "")
       ShopifyApp::Logger.debug("Starting OAuth with the following callback URL: #{callback_url}")
 

data/docs/Upgrading.md

@@ -40,6 +40,17 @@ We also recommend the use of a staging site which matches your production enviro
 
 If you do run into issues, we recommend looking at our [debugging tips.](https://github.com/Shopify/shopify_app/blob/main/docs/Troubleshooting.md#debugging-tips)
 
+## Unreleased
+#### (v23.0.0) - Deprecated methods in CallbackController
+The following methods from `ShopifyApp::CallbackController` have been deprecated in `v23.0.0`
+- `perform_after_authenticate_job`
+- `install_webhooks`
+- `perform_post_authenticate_jobs`
+
+If you have overwritten these methods in your callback controller to modify the behavior of the inherited `CallbackController`, you will need to
+update your app to use configurable option `config.custom_post_authenticate_tasks` instead. See [post authenticate tasks](/docs/shopify_app/authentication.md#post-authenticate-tasks)
+for more information.
+
 ## Upgrading to `v22.0.0`
 #### Dropped support for Ruby 2.x
 Support for Ruby 2.x has been dropped as it is no longer supported. You'll need to upgrade to 3.x.x

data/docs/shopify_app/authentication.md

@@ -12,7 +12,7 @@ See [*Getting started with session token authentication*](https://shopify.dev/do
 
 * [OAuth callback](#oauth-callback)
   * [Customizing callback controller](#customizing-callback-controller)
-* [Run jobs after the OAuth flow](#run-jobs-after-the-oauth-flow)
+* [Run jobs after the OAuth flow](#post-authenticate-tasks)
 * [Rotate API credentials](#rotate-api-credentials)
 * [Making authenticated API requests after authorization](#making-authenticated-api-requests-after-authorization)
 
@@ -26,15 +26,11 @@ The default callback controller [`ShopifyApp::CallbackController`](../../app/con
 
 1. Logging into the shop and resetting the session
 2. Storing the session to the `SessionRepository`
-3. [Installing Webhooks](/docs/shopify_app/webhooks.md)
-4. [Setting Scripttags](/docs/shopify_app/script-tags.md)
-5. [Run jobs after the OAuth flow](#run-jobs-after-the-oauth-flow)
-6. Redirecting to the return address
-
+3. [Post authenticate tasks](#post-authenticate-tasks)
+4. Redirecting to the return address
 
 #### Customizing callback controller
-If the app needs to do some extra work, it can define and configure the route to a custom callback controller.
-Inheriting from `ShopifyApp::CallbackController` and hook into or override any of the defined helper methods.
+If you need to define a custom callback controller to handle your app's use case, you can configure the callback route to your controller.
 
 Example:
 
@@ -42,11 +38,9 @@ Example:
 ```ruby
 # web/app/controllers/my_custom_callback_controller.rb
 
-class MyCustomCallbackController < ShopifyApp::CallbackController
-  private
-
-  def install_webhooks(session)
-    # My custom override/definition to install webhooks
+class MyCustomCallbackController
+  def callback
+    # My custom callback logic
   end
 end
 ```
@@ -69,11 +63,39 @@ Rails.application.routes.draw do
 end
 ```
 
-### Run jobs after the OAuth flow
+### Post Authenticate tasks
+After authentication is complete, a few tasks are run by default by PostAuthenticateTasks:
+1. [Installing Webhooks](/docs/shopify_app/webhooks.md)
+2. [Run configured after_authenticate_job](#after_authenticate_job)
+
+The [PostAuthenticateTasks](https://github.com/Shopify/shopify_app/blob/main/lib/shopify_app/auth/post_authenticate_tasks.rb)
+class is responsible for triggering the webhooks manager for webhooks registration, and enqueue jobs from [after_authenticate_job](#after_authenticate_job).
+
+If you simply need to enqueue more jobs to run after authenticate, use [after_authenticate_job](#after_authenticate_job) to define these jobs.
+
+If your post authentication tasks is more complex and is different than just installing webhooks and enqueuing jobs,
+you can customize the post authenticate tasks by creating a new class that has a `self.perform(session)` method,
+and configuring `custom_post_authenticate_tasks` in the initializer.
+
+```ruby
+# my_custom_post_authenticate_task.rb
+class MyCustomPostAuthenticateTask
+  def self.perform(session)
+    # This will be triggered after OAuth callback and token exchange completion
+  end
+end
+
+# config/initializers/shopify_app.rb
+ShopifyApp.configure do |config|
+  config.custom_post_authenticate_tasks = "MyCustomPostAuthenticateTask"
+end
+```
+
+#### after_authenticate_job
 
 See [`ShopifyApp::AfterAuthenticateJob`](/lib/generators/shopify_app/add_after_authenticate_job/templates/after_authenticate_job.rb).
 
-If your app needs to perform specific actions after the user is authenticated successfully (i.e. every time a new session is created), ShopifyApp can queue or run a job of your choosing (note that we already provide support for automatically creating Webhooks and Scripttags). To configure the after authenticate job, update your initializer as follows:
+If your app needs to perform specific actions after the user is authenticated successfully (i.e. every time a new session is created), ShopifyApp can queue or run a job of your choosing. To configure the after authenticate job, update your initializer as follows:
 
 ```ruby
 ShopifyApp.configure do |config|

data/docs/shopify_app/webhooks.md

@@ -18,7 +18,7 @@ ShopifyApp.configure do |config|
 end
 ```
 
-When the [OAuth callback](/docs/shopify_app/authentication.md#oauth-callback) is completed successfully, ShopifyApp will queue a background job which will ensure all the specified webhooks exist for that shop. Because this runs on every OAuth callback, it means your app will always have the webhooks it needs even if the user uninstalls and re-installs the app.
+When the [OAuth callback](/docs/shopify_app/authentication.md#oauth-callback) or token exchange is completed successfully, ShopifyApp will queue a background job which will ensure all the specified webhooks exist for that shop. Because this runs on every OAuth callback, it means your app will always have the webhooks it needs even if the user uninstalls and re-installs the app.
 
 ShopifyApp also provides a [WebhooksController](/app/controllers/shopify_app/webhooks_controller.rb) that receives webhooks and queues a job based on the received topic. For example, if you register the webhook from above, then all you need to do is create a job called `CartsUpdateJob`. The job will be queued with 2 params: `shop_domain` and `webhook` (which is the webhook body).
 

data/lib/shopify_app/auth/post_authenticate_tasks.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module Auth
+    class PostAuthenticateTasks
+      class << self
+        def perform(session)
+          ShopifyApp::Logger.debug("Performing post authenticate tasks")
+          # Ensure we use the shop session to install webhooks
+          session_for_shop = session.online? ? shop_session(session) : session
+
+          install_webhooks(session_for_shop)
+
+          perform_after_authenticate_job(session)
+        end
+
+        private
+
+        def shop_session(session)
+          ShopifyApp::SessionRepository.retrieve_shop_session_by_shopify_domain(session.shop)
+        end
+
+        def install_webhooks(session)
+          ShopifyApp::Logger.debug("PostAuthenticateTasks: Installing webhooks")
+          return unless ShopifyApp.configuration.has_webhooks?
+
+          WebhooksManager.queue(session.shop, session.access_token)
+        end
+
+        def perform_after_authenticate_job(session)
+          ShopifyApp::Logger.debug("PostAuthenticateTasks: Performing after_authenticate_job")
+          config = ShopifyApp.configuration.after_authenticate_job
+
+          return unless config && config[:job].present?
+
+          job = config[:job]
+          job = job.constantize if job.is_a?(String)
+
+          if config[:inline] == true
+            job.perform_now(shop_domain: session.shop)
+          else
+            job.perform_later(shop_domain: session.shop)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/shopify_app/configuration.rb

@@ -29,6 +29,9 @@ module ShopifyApp
     attr_writer :login_callback_url
     attr_accessor :embedded_redirect_url
 
+    # customize post authenticate tasks
+    attr_accessor :custom_post_authenticate_tasks
+
     # customise ActiveJob queue names
     attr_accessor :scripttags_manager_queue_name
     attr_accessor :webhooks_manager_queue_name
@@ -54,6 +57,8 @@ module ShopifyApp
       @scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
       @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
       @disable_webpacker = ENV["SHOPIFY_APP_DISABLE_WEBPACKER"].present?
+
+      log_callback_controller_method_deprecation
     end
 
     def login_url
@@ -126,6 +131,52 @@ module ShopifyApp
     def use_new_embedded_auth_strategy?
       wip_new_embedded_auth_strategy && embedded_app?
     end
+
+    def online_token_configured?
+      !ShopifyApp.configuration.user_session_repository.blank? && ShopifyApp::SessionRepository.user_storage.present?
+    end
+
+    def post_authenticate_tasks
+      @post_authenticate_tasks || begin
+        if custom_post_authenticate_tasks
+          custom_class = if custom_post_authenticate_tasks.respond_to?(:safe_constantize)
+            custom_post_authenticate_tasks.safe_constantize
+          else
+            custom_post_authenticate_tasks
+          end
+        end
+
+        task_class = custom_class || ShopifyApp::Auth::PostAuthenticateTasks
+
+        [
+          :perform,
+        ].each do |method|
+          raise(
+            ::ShopifyApp::ConfigurationError,
+            "Missing method - '#{method}' for custom_post_authenticate_tasks",
+          ) unless task_class.respond_to?(method)
+        end
+
+        task_class
+      end
+    end
+
+    private
+
+    def log_callback_controller_method_deprecation
+      return unless Rails.env.development?
+
+      # TODO: Remove this before releasing v23.0.0
+      message = <<~EOS
+        ================================================
+        => Upcoming deprecation in v23.0:
+        * 'CallbackController::perform_after_authenticate_job' and related methods 'install_webhooks', 'perform_after_authenticate_job'
+        * will be deprecated from CallbackController in the next major release. If you need to customize
+        * post authentication tasks, see https://github.com/Shopify/shopify_app/blob/main/docs/shopify_app/authentication.md#post-authenticate-tasks
+        ================================================
+      EOS
+      puts message
+    end
   end
 
   class BillingConfiguration

data/lib/shopify_app/controller_concerns/app_proxy_verification.rb

@@ -9,7 +9,7 @@ module ShopifyApp
     end
 
     def verify_proxy_request
-      return head(:forbidden) unless query_string_valid?(request.query_string)
+      head(:forbidden) unless query_string_valid?(request.query_string)
     end
 
     private

data/lib/shopify_app/controller_concerns/login_protection.rb

@@ -263,7 +263,7 @@ module ShopifyApp
     end
 
     def online_token_configured?
-      !ShopifyApp.configuration.user_session_repository.blank? && ShopifyApp::SessionRepository.user_storage.present?
+      ShopifyApp.configuration.online_token_configured?
     end
 
     def user_session_expected?

data/lib/shopify_app/controller_concerns/token_exchange.rb

@@ -0,0 +1,141 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module TokenExchange
+    extend ActiveSupport::Concern
+
+    def activate_shopify_session
+      if current_shopify_session.blank?
+        retrieve_session_from_token_exchange
+      end
+
+      if ShopifyApp.configuration.check_session_expiry_date && current_shopify_session.expired?
+        @current_shopify_session = nil
+        retrieve_session_from_token_exchange
+      end
+
+      begin
+        ShopifyApp::Logger.debug("Activating Shopify session")
+        ShopifyAPI::Context.activate_session(current_shopify_session)
+        yield
+      ensure
+        ShopifyApp::Logger.debug("Deactivating session")
+        ShopifyAPI::Context.deactivate_session
+      end
+    end
+
+    def current_shopify_session
+      @current_shopify_session ||= begin
+        session_id = ShopifyAPI::Utils::SessionUtils.current_session_id(
+          request.headers["HTTP_AUTHORIZATION"],
+          nil,
+          online_token_configured?,
+        )
+        return nil unless session_id
+
+        ShopifyApp::SessionRepository.load_session(session_id)
+      end
+    end
+
+    def current_shopify_domain
+      return if params[:shop].blank?
+
+      ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
+    end
+
+    private
+
+    def retrieve_session_from_token_exchange
+      # TODO: Right now JWT Middleware only updates env['jwt.shopify_domain'] from request headers tokens,
+      # which won't work for new installs.
+      # we need to update the middleware to also update the env['jwt.shopify_domain'] from the query params
+      domain = ShopifyApp::JWT.new(session_token).shopify_domain
+
+      ShopifyApp::Logger.info("Performing Token Exchange for [#{domain}] - (Offline)")
+      session = exchange_token(
+        shop: domain, # TODO: use jwt_shopify_domain ?
+        session_token: session_token,
+        requested_token_type: ShopifyAPI::Auth::TokenExchange::RequestedTokenType::OFFLINE_ACCESS_TOKEN,
+      )
+
+      if session && online_token_configured?
+        ShopifyApp::Logger.info("Performing Token Exchange for [#{domain}] - (Online)")
+        session = exchange_token(
+          shop: domain, # TODO: use jwt_shopify_domain ?
+          session_token: session_token,
+          requested_token_type: ShopifyAPI::Auth::TokenExchange::RequestedTokenType::ONLINE_ACCESS_TOKEN,
+        )
+      end
+
+      ShopifyApp.configuration.post_authenticate_tasks.perform(session)
+    end
+
+    def exchange_token(shop:, session_token:, requested_token_type:)
+      if session_token.blank?
+        # respond_to_invalid_session_token
+        return
+      end
+
+      begin
+        session = ShopifyAPI::Auth::TokenExchange.exchange_token(
+          shop: shop,
+          session_token: session_token,
+          requested_token_type: requested_token_type,
+        )
+      rescue ShopifyAPI::Errors::InvalidJwtTokenError
+        # respond_to_invalid_session_token
+        return
+      rescue ShopifyAPI::Errors::HttpResponseError => error
+        ShopifyApp::Logger.error(
+          "A #{error.code} error (#{error.class}) occurred during the token exchange. Response: #{error.response.body}",
+        )
+        raise
+      rescue => error
+        ShopifyApp::Logger.error("An error occurred during the token exchange: #{error.message}")
+        raise
+      end
+
+      if session
+        begin
+          ShopifyApp::SessionRepository.store_session(session)
+        rescue ActiveRecord::RecordNotUnique
+          ShopifyApp::Logger.debug("Session not stored due to concurrent token exchange calls")
+        end
+      end
+
+      session
+    end
+
+    def session_token
+      @session_token ||= id_token_header
+    end
+
+    def id_token_header
+      request.headers["HTTP_AUTHORIZATION"]&.match(/^Bearer (.+)$/)&.[](1)
+    end
+
+    def respond_to_invalid_session_token
+      # TODO: Implement this method to handle invalid session tokens
+
+      # if request.xhr?
+      # response.set_header("X-Shopify-Retry-Invalid-Session-Request", 1)
+      # unauthorized_response = { message: :unauthorized }
+      # render(json: { errors: [unauthorized_response] }, status: :unauthorized)
+      # else
+      # patch_session_token_url = "#{ShopifyAPI::Context.host}/patch_session_token"
+      # patch_session_token_params = request.query_parameters.except(:id_token)
+
+      # bounce_url = "#{ShopifyAPI::Context.host}#{request.path}?#{patch_session_token_params.to_query}"
+
+      # # App Bridge will trigger a fetch to the URL in shopify-reload, with a new session token in headers
+      # patch_session_token_params["shopify-reload"] = bounce_url
+
+      # redirect_to("#{patch_session_token_url}?#{patch_session_token_params.to_query}", allow_other_host: true)
+      # end
+    end
+
+    def online_token_configured?
+      ShopifyApp.configuration.online_token_configured?
+    end
+  end
+end

data/lib/shopify_app/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module ShopifyApp
-  VERSION = "22.0.1"
+  VERSION = "22.1.0"
 end

data/lib/shopify_app.rb

@@ -52,6 +52,10 @@ module ShopifyApp
   require "shopify_app/controller_concerns/payload_verification"
   require "shopify_app/controller_concerns/app_proxy_verification"
   require "shopify_app/controller_concerns/webhook_verification"
+  require "shopify_app/controller_concerns/token_exchange"
+
+  # Auth helpers
+  require "shopify_app/auth/post_authenticate_tasks"
 
   # jobs
   require "shopify_app/jobs/webhooks_manager_job"

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shopify_app",
-  "version": "22.0.1",
+  "version": "22.1.0",
   "repository": "git@github.com:Shopify/shopify_app.git",
   "author": "Shopify",
   "license": "MIT",

data/shopify_app.gemspec

@@ -19,7 +19,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency("jwt", ">= 2.2.3")
   s.add_runtime_dependency("rails", "> 5.2.1")
   s.add_runtime_dependency("redirect_safely", "~> 1.0")
-  s.add_runtime_dependency("shopify_api", ">= 14.0.1", "< 15.0")
+  s.add_runtime_dependency("shopify_api", ">= 14.1.0", "< 15.0")
   s.add_runtime_dependency("sprockets-rails", ">= 2.0.0")
 
   s.add_development_dependency("byebug")

data/yarn.lock

@@ -2040,9 +2040,9 @@ flatted@^3.2.7:
   integrity sha512-36yxDn5H7OFZQla0/jFJmbIKTdZAQHngCedGxiMmpNfEZM0sdEeT+WczLQrjK6D7o2aiyLYDnkw0R3JK0Qv1RQ==
 
 follow-redirects@^1.0.0:
-  version "1.15.4"
-  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.4.tgz#cdc7d308bf6493126b17ea2191ea0ccf3e535adf"
-  integrity sha512-Cr4D/5wlrb0z9dgERpUL3LrmPKVDsETIJhaCMeDfuFYcqa5bldGV6wBsAN6X/vxlXQtFBMrXdXxdL8CbDTGniw==
+  version "1.15.6"
+  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.6.tgz#7f815c0cda4249c74ff09e95ef97c23b5fd0399b"
+  integrity sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==
 
 fs-extra@^8.1.0:
   version "8.1.0"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 22.0.1
+  version: 22.1.0
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-03-12 00:00:00.000000000 Z
+date: 2024-04-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activeresource
@@ -86,7 +86,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 14.0.1
+        version: 14.1.0
     - - "<"
       - !ruby/object:Gem::Version
         version: '15.0'
@@ -96,7 +96,7 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 14.0.1
+        version: 14.1.0
     - - "<"
       - !ruby/object:Gem::Version
         version: '15.0'
@@ -414,6 +414,7 @@ files:
 - lib/shopify_app/access_scopes/noop_strategy.rb
 - lib/shopify_app/access_scopes/shop_strategy.rb
 - lib/shopify_app/access_scopes/user_strategy.rb
+- lib/shopify_app/auth/post_authenticate_tasks.rb
 - lib/shopify_app/configuration.rb
 - lib/shopify_app/controller_concerns/app_proxy_verification.rb
 - lib/shopify_app/controller_concerns/csrf_protection.rb
@@ -425,6 +426,7 @@ files:
 - lib/shopify_app/controller_concerns/payload_verification.rb
 - lib/shopify_app/controller_concerns/redirect_for_embedded.rb
 - lib/shopify_app/controller_concerns/sanitized_params.rb
+- lib/shopify_app/controller_concerns/token_exchange.rb
 - lib/shopify_app/controller_concerns/webhook_verification.rb
 - lib/shopify_app/engine.rb
 - lib/shopify_app/errors.rb
@@ -474,7 +476,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.6
+rubygems_version: 3.5.7
 signing_key: 
 specification_version: 4
 summary: This gem is used to get quickly started with the Shopify API