shopify_app 8.4.2 → 8.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 28cc5c500b3efa9576e3808c7dbec511d7269631ed6b5b5fa7d02c6aae1aa854
-  data.tar.gz: d064aee1e329a10d558890ca8444793e3785783f061ce2ad8e9c9327c9948826
+  metadata.gz: 8fe2949f5e38db4532dbcab3c05f96e228e6285fdbb4b729ffefecd8e40b2aad
+  data.tar.gz: 2fefc3ce45bc58cd82c874d5217f6abfce0a70ba56cb9105084dbec011f033cb
 SHA512:
-  metadata.gz: 87b40ecda005295ecbd2237c8d9e460b935122f961c6e914709de79fa733a34452dcfb71f302b8e58f9b79cc7b076f9fc29f7be58daace8fcaa4d33a42c5b5fa
-  data.tar.gz: 833a0937d92fd51eef51419848e3067eef2c2f8fc48076111134c4d80e0c47ca448c4123a069a08550c6231850e3d1c588a372cdb32910111f4ae1dc9276625b
+  metadata.gz: 1a435b2541e5198fad47a247a97b2a68ce6e741b2b29a4b0b7f2cc29d256fc382a7fd8a56801e982744258e9efdfd3879a13dd4dffc033c88d432ce44d525e44
+  data.tar.gz: 1df140b61ca82e090eba2fcabac5f079cc5d87e7cb64bab657cbc725ff1063360fbd88822d4ed76c9224d2fd4e9429ba197dd3c7f6a6312b3c8dbdb060c35f26

data/.gitignore

@@ -12,3 +12,5 @@ test/tmp/*
 # ignore sprockets cache
 /test/dummy/tmp/*
 /node_modules/
+.byebug_history
+

data/.rubocop.yml

@@ -1,3 +1,6 @@
+inherit_from:
+  - https://shopify.github.io/ruby-style-guide/rubocop.yml
+
 LineLength:
   Exclude:
     - test/**/*

data/CHANGELOG.md

@@ -1,3 +1,12 @@
+8.5.0
+-----
+Added support for rotating Shopify access tokens:
+
+* Added a generator shopify_app:rotate_shopify_token_job for generating the job to perform token rotation
+* Extend Shopify app configuration to support a new and old secret token
+* Extended webhook validation code to support validating against new and old secret tokens
+* See the README for more details: https://github.com/Shopify/shopify_app#rotateshopifytokenjob
+
 8.4.2
 -----
 * Clear stale user session during auth callback

data/README.md

@@ -364,6 +364,32 @@ We've also provided a generator which creates a skeleton job and updates the ini
 bin/rails g shopify_app:add_after_authenticate_job
 ```
 
+RotateShopifyTokenJob
+---------------------
+
+If your Shopify secret key is leaked, you can use the RotateShopifyTokenJob to perform [API Credential Rotation](https://help.shopify.com/en/api/getting-started/authentication/oauth/api-credential-rotation).
+
+Before running the job, you'll need to generate a new secret key from your Shopify Partner dashboard, and update the `/config/initializers/shopify_app.rb` to hold your new and old secret keys:
+
+```ruby
+config.secret = Rails.application.secrets.shopify_secret
+config.old_secret = Rails.application.secrets.old_shopify_secret
+```
+
+We've provided a generator which creates the job and an example rake task:
+
+```sh
+bin/rails g shopify_app:rotate_shopify_token_job
+```
+
+The generated rake task will be found at `lib/tasks/shopify/rotate_shopify_token.rake` and is provided strictly for example purposes. It might not work with your application out of the box without some configuration.
+
+⚠️ Note: if you are updating `shopify_app` from a version prior to 8.4.2 (and do not wish to run the default/install generator again), you will need to add [the following line](https://github.com/Shopify/shopify_app/blob/4f7e6cca2a472d8f7af44b938bd0fcafe4d8e88a/lib/generators/shopify_app/install/templates/shopify_provider.rb#L18) to `config/intializers/omniauth.rb`:
+
+```ruby
+strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret
+```
+
 ShopifyApp::SessionRepository
 -----------------------------
 

data/config/locales/nl.yml

@@ -0,0 +1,21 @@
+---
+nl:
+  logged_out: U bent afgemeld
+  could_not_log_in: Kon niet aanmelden bij Shopify-winkel
+  invalid_shop_url: Ongeldig winkeldomein
+  enable_cookies_heading: Schakel cookies in van %{app}
+  enable_cookies_body: U moet cookies in deze browser handmatig inschakelen om %{app}
+    binnen Shopify te gebruiken.
+  enable_cookies_footer: Met cookies kan de app u verifiëren door uw voorkeuren en
+    persoonlijke informatie tijdelijk op te slaan. Ze vervallen na 30 dagen.
+  enable_cookies_action: Schakel cookies in
+  top_level_interaction_heading: Uw browser moet %{app} verifiëren
+  top_level_interaction_body: Uw browser heeft apps van derden nodig zoals %{app}
+    om u toegang te vragen tot cookies voordat Shopify het voor u kan openen.
+  top_level_interaction_action: Doorgaan
+  request_storage_access_heading: "%{app} heeft toegang tot cookies nodig"
+  request_storage_access_body: Hiermee kan de app u verifiëren door uw persoonlijke
+    gegevens tijdelijk op te slaan. Klik op Doorgaan en sta cookies toe om de app
+    te gebruiken.
+  request_storage_access_footer: Cookies verlopen na 30 dagen.
+  request_storage_access_action: Doorgaan

data/config/locales/zh-CN.yml

@@ -0,0 +1,16 @@
+---
+zh-CN:
+  logged_out: 已成功注销
+  could_not_log_in: 无法登录到 Shopify 店铺
+  invalid_shop_url: 商店域无效
+  enable_cookies_heading: 从 %{app} 启用 Cookie
+  enable_cookies_body: 您必须在此浏览器中手动启用 Cookie 才能在 Shopify 中使用 %{app}。
+  enable_cookies_footer: Cookie 使此应用能够通过暂时存储您的首选项和个人信息来验证您的身份。这些信息将在 30 天后过期。
+  enable_cookies_action: 启用 Cookie
+  top_level_interaction_heading: 您的浏览器需要对 %{app} 进行验证
+  top_level_interaction_body: 您的浏览器要求类似 %{app} 的第三方应用向您请求访问 Cookie，之后 Shopify 才能为您打开它。
+  top_level_interaction_action: 继续
+  request_storage_access_heading: "%{app} 需要访问 Cookie"
+  request_storage_access_body: 这使此应用能够通过暂时存储您的个人信息来验证您的身份。单击继续并启用 Cookie 以使用此应用。
+  request_storage_access_footer: Cookie 将在 30 天后过期。
+  request_storage_access_action: 继续

data/config/locales/zh-TW.yml

@@ -0,0 +1,17 @@
+---
+zh-TW:
+  logged_out: 登出成功
+  could_not_log_in: 無法登入 Shopify 商店
+  invalid_shop_url: 商店網域無效
+  enable_cookies_heading: 啟用 %{app} 的 Cookie
+  enable_cookies_body: 您必須在此瀏覽器中手動啟用 Cookie，才能夠在 Shopify 使用 %{app}。
+  enable_cookies_footer: Cookie 可讓應用程式暫時儲存您的偏好設定和個人資訊，藉此驗證您的身分，這些資料會在 30 天後失效。
+  enable_cookies_action: 啟用 Cookie
+  top_level_interaction_heading: 您的瀏覽器需要驗證 %{app}
+  top_level_interaction_body: 您的瀏覽器會要求第三方應用程式 (例如：%{app}) 向您請求 Cookie 的存取權限，然後才讓 Shopify
+    為您開啟此應用程式。
+  top_level_interaction_action: 繼續
+  request_storage_access_heading: "%{app} 需要 Cookie 存取權限"
+  request_storage_access_body: Cookie 可讓應用程式暫時儲存您的個人資訊，藉此驗證您的身分。按一下繼續並允許 Cookie 使用此應用程式。
+  request_storage_access_footer: Cookie 將於 30 天後失效。
+  request_storage_access_action: 繼續

data/lib/generators/shopify_app/add_after_authenticate_job/add_after_authenticate_job_generator.rb

@@ -12,7 +12,9 @@ module ShopifyApp
       def init_after_authenticate_config
         initializer = load_initializer
 
-       after_authenticate_job_config = "  config.after_authenticate_job = { job: Shopify::AfterAuthenticateJob, inline: false }\n"
+        after_authenticate_job_config =
+          "  config.after_authenticate_job = "\
+          "{ job: Shopify::AfterAuthenticateJob, inline: false }\n"
 
         inject_into_file(
           'config/initializers/shopify_app.rb',

data/lib/generators/shopify_app/install/install_generator.rb

@@ -9,6 +9,7 @@ module ShopifyApp
       class_option :application_name, type: :array, default: ['My', 'Shopify', 'App']
       class_option :api_key, type: :string, default: '<api_key>'
       class_option :secret, type: :string, default: '<secret>'
+      class_option :old_secret, type: :string, default: '<old_secret>'
       class_option :scope, type: :array, default: ['read_products']
       class_option :embedded, type: :string, default: 'true'
 
@@ -16,6 +17,7 @@ module ShopifyApp
         @application_name = format_array_argument(options['application_name'])
         @api_key = options['api_key']
         @secret = options['secret']
+        @old_secret = options['old_secret']
         @scope = format_array_argument(options['scope'])
 
         template 'shopify_app.rb', 'config/initializers/shopify_app.rb'

data/lib/generators/shopify_app/install/templates/shopify_app.rb

@@ -2,6 +2,7 @@ ShopifyApp.configure do |config|
   config.application_name = "<%= @application_name %>"
   config.api_key = "<%= @api_key %>"
   config.secret = "<%= @secret %>"
+  config.old_secret = "<%= @old_secret %>"
   config.scope = "<%= @scope %>" # Consult this page for more scope options:
                                  # https://help.shopify.com/en/api/getting-started/authentication/oauth/scopes
   config.embedded_app = <%= embedded_app? %>

data/lib/generators/shopify_app/install/templates/shopify_provider.rb

@@ -1,16 +1,19 @@
-  provider :shopify,
-           ShopifyApp.configuration.api_key,
-           ShopifyApp.configuration.secret,
-           scope: ShopifyApp.configuration.scope,
-           setup: lambda { |env|
-             strategy = env['omniauth.strategy']
+# frozen_string_literal: true
 
-             shopify_auth_params = strategy.session['shopify.omniauth_params']&.with_indifferent_access
-             shop = if shopify_auth_params.present?
-               "https://#{shopify_auth_params[:shop]}"
-             else
-               ''
-             end
+provider :shopify,
+  ShopifyApp.configuration.api_key,
+  ShopifyApp.configuration.secret,
+  scope: ShopifyApp.configuration.scope,
+  setup: lambda { |env|
+    strategy = env['omniauth.strategy']
 
-             strategy.options[:client_options][:site] = shop
-           }
+    shopify_auth_params = strategy.session['shopify.omniauth_params']&.with_indifferent_access
+    shop = if shopify_auth_params.present?
+      "https://#{shopify_auth_params[:shop]}"
+    else
+      ''
+    end
+
+    strategy.options[:client_options][:site] = shop
+    strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret
+  }

data/lib/generators/shopify_app/rotate_shopify_token_job/rotate_shopify_token_job_generator.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails/generators/base'
+
+module ShopifyApp
+  module Generators
+    class RotateShopifyTokenJobGenerator < Rails::Generators::Base
+      source_root File.expand_path('../templates', __FILE__)
+
+      def add_rotate_shopify_token_job
+        copy_file('rotate_shopify_token_job.rb', "app/jobs/shopify/rotate_shopify_token_job.rb")
+        copy_file('rotate_shopify_token.rake', "lib/tasks/shopify/rotate_shopify_token.rake")
+      end
+    end
+  end
+end

data/lib/generators/shopify_app/rotate_shopify_token_job/templates/rotate_shopify_token.rake

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+namespace :shopify do
+  desc "Rotate shopify tokens for all active shops"
+  task :rotate_shopify_tokens, [:refresh_token] => :environment do |_t, args|
+    all_active_shops.find_each do |shop|
+      Shopify::RotateShopifyTokenJob.perform_later(
+        shop_domain: shop.shopify_domain,
+        refresh_token: args[:refresh_token]
+      )
+    end
+  end
+
+  # Its implementation will depend on the app configuration. Change accordingly.
+  def all_active_shops
+    Shop.all
+  end
+end

data/lib/generators/shopify_app/rotate_shopify_token_job/templates/rotate_shopify_token_job.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module Shopify
+  class RotateShopifyTokenJob < ActiveJob::Base
+    def perform(params)
+      @shop = Shop.find_by(shopify_domain: params[:shop_domain])
+      return unless @shop
+
+      config = ShopifyApp.configuration
+      uri = URI("https://#{@shop.shopify_domain}/admin/oauth/access_token")
+      post_data = {
+        client_id: config.api_key,
+        client_secret: config.secret,
+        refresh_token: params[:refresh_token],
+        access_token: @shop.shopify_token,
+      }
+
+      @response = Net::HTTP.post_form(uri, post_data)
+      return log_error(response_expcetion_error_message) unless @response.is_a?(Net::HTTPSuccess)
+
+      access_token = JSON.parse(@response.body)['access_token']
+      return log_error(no_access_token_error_message) unless access_token
+
+      @shop.update(shopify_token: access_token)
+    end
+
+    private
+
+    def log_error(message)
+      Rails.logger.error(message)
+    end
+
+    def no_access_token_error_message
+      "RotateShopifyTokenJob response returned no access token for shop: #{@shop.shopify_domain}"
+    end
+
+    def response_exception_error_message
+      "RotateShopifyTokenJob failed for shop: #{@shop.shopify_domain}." \
+        "Response returned status: #{@response.code}. Error message: #{@response.message}. "
+    end
+  end
+end

data/lib/shopify_app/configuration.rb

@@ -7,6 +7,7 @@ module ShopifyApp
     attr_accessor :application_name
     attr_accessor :api_key
     attr_accessor :secret
+    attr_accessor :old_secret
     attr_accessor :scope
     attr_accessor :embedded_app
     alias_method  :embedded_app?, :embedded_app

data/lib/shopify_app/controller_concerns/webhook_verification.rb

@@ -15,12 +15,16 @@ module ShopifyApp
     end
 
     def hmac_valid?(data)
-      secret = ShopifyApp.configuration.secret
-      digest = OpenSSL::Digest.new('sha256')
-      ActiveSupport::SecurityUtils.secure_compare(
-        shopify_hmac,
-        Base64.encode64(OpenSSL::HMAC.digest(digest, secret, data)).strip
-      )
+      secrets = [ShopifyApp.configuration.secret, ShopifyApp.configuration.old_secret].reject(&:blank?)
+
+      secrets.any? do |secret|
+        digest = OpenSSL::Digest.new('sha256')
+
+        ActiveSupport::SecurityUtils.secure_compare(
+          shopify_hmac,
+          Base64.strict_encode64(OpenSSL::HMAC.digest(digest, secret, data))
+        )
+      end
     end
 
     def shop_domain

data/lib/shopify_app/version.rb

@@ -1,3 +1,3 @@
 module ShopifyApp
-  VERSION = '8.4.2'.freeze
+  VERSION = '8.5.0'.freeze
 end

data/shopify_app.gemspec

@@ -13,7 +13,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency('browser_sniffer', '~> 1.1.0')
   s.add_runtime_dependency('rails', '>= 5.0.0')
   s.add_runtime_dependency('shopify_api', '>= 4.3.5')
-  s.add_runtime_dependency('omniauth-shopify-oauth2', '~> 2.0.0')
+  s.add_runtime_dependency('omniauth-shopify-oauth2', '~> 2.1.0')
 
   s.add_development_dependency('rake')
   s.add_development_dependency('byebug')

data/translation.yml

@@ -1,5 +1,5 @@
 source_language: en
-target_languages: [de, es, fr, it, ja, pt-BR]
+target_languages: [de, es, fr, it, ja, nl, pt-BR, zh-CN, zh-TW]
 components:
   - name: 'merchant'
     paths:

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: shopify_app
 version: !ruby/object:Gem::Version
-  version: 8.4.2
+  version: 8.5.0
 platform: ruby
 authors:
 - Shopify
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-02-11 00:00:00.000000000 Z
+date: 2019-02-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: browser_sniffer
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: 2.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: 2.1.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -186,7 +186,10 @@ files:
 - config/locales/fr.yml
 - config/locales/it.yml
 - config/locales/ja.yml
+- config/locales/nl.yml
 - config/locales/pt-BR.yml
+- config/locales/zh-CN.yml
+- config/locales/zh-TW.yml
 - config/routes.rb
 - docs/Quickstart.md
 - docs/Releasing.md
@@ -212,6 +215,9 @@ files:
 - lib/generators/shopify_app/install/templates/omniauth.rb
 - lib/generators/shopify_app/install/templates/shopify_app.rb
 - lib/generators/shopify_app/install/templates/shopify_provider.rb
+- lib/generators/shopify_app/rotate_shopify_token_job/rotate_shopify_token_job_generator.rb
+- lib/generators/shopify_app/rotate_shopify_token_job/templates/rotate_shopify_token.rake
+- lib/generators/shopify_app/rotate_shopify_token_job/templates/rotate_shopify_token_job.rb
 - lib/generators/shopify_app/routes/routes_generator.rb
 - lib/generators/shopify_app/routes/templates/routes.rb
 - lib/generators/shopify_app/shop_model/shop_model_generator.rb