spiffy_stores_app 8.2.6

data/lib/spiffy_stores_app.rb

@@ -0,0 +1,34 @@
+require 'spiffy_stores_app/version'
+
+# deps
+require 'spiffy_stores_api'
+require 'omniauth-spiffy-oauth2'
+
+# config
+require 'spiffy_stores_app/configuration'
+
+# engine
+require 'spiffy_stores_app/engine'
+
+# utils
+require 'spiffy_stores_app/utils'
+
+# controller concerns
+require 'spiffy_stores_app/controller_concerns/localization'
+require 'spiffy_stores_app/controller_concerns/login_protection'
+require 'spiffy_stores_app/controller_concerns/embedded_app'
+require 'spiffy_stores_app/controller_concerns/webhook_verification'
+require 'spiffy_stores_app/controller_concerns/app_proxy_verification'
+
+# jobs
+require 'spiffy_stores_app/jobs/webhooks_manager_job'
+require 'spiffy_stores_app/jobs/scripttags_manager_job'
+
+# mangers
+require 'spiffy_stores_app/managers/webhooks_manager'
+require 'spiffy_stores_app/managers/scripttags_manager'
+
+# session
+require 'spiffy_stores_app/session/session_storage'
+require 'spiffy_stores_app/session/session_repository'
+require 'spiffy_stores_app/session/in_memory_session_store'

data/lib/spiffy_stores_app/configuration.rb

@@ -0,0 +1,72 @@
+module SpiffyStoresApp
+  class Configuration
+
+    # SpiffyStores App settings. These values should match the configuration
+    # for the app in your SpiffyStores Partners page. Change your settings in
+    # `config/initializers/spiffy_stores_app.rb`
+    attr_accessor :application_name
+    attr_accessor :api_key
+    attr_accessor :secret
+    attr_accessor :scope
+    attr_accessor :embedded_app
+    alias_method  :embedded_app?, :embedded_app
+    attr_accessor :webhooks
+    attr_accessor :scripttags
+    attr_accessor :after_authenticate_job
+    attr_accessor :session_repository
+
+    # customise urls
+    attr_accessor :root_url
+
+    # customise ActiveJob queue names
+    attr_accessor :scripttags_manager_queue_name
+    attr_accessor :webhooks_manager_queue_name
+
+    # configure spiffystores domain for local spiffy_stores development
+    attr_accessor :spiffy_stores_domain
+
+    # allow namespacing webhook jobs
+    attr_accessor :webhook_jobs_namespace
+
+    def initialize
+      @root_url = '/'
+      @spiffy_stores_domain = 'spiffystores.com'
+      @scripttags_manager_queue_name = Rails.application.config.active_job.queue_name
+      @webhooks_manager_queue_name = Rails.application.config.active_job.queue_name
+    end
+
+    def login_url
+      File.join(@root_url, 'login')
+    end
+
+    def session_repository=(klass)
+      if Rails.configuration.cache_classes
+        SpiffyStoresApp::SessionRepository.storage = klass
+      else
+        ActiveSupport::Reloader.to_prepare do
+          SpiffyStoresApp::SessionRepository.storage = klass
+        end
+      end
+    end
+
+    def has_webhooks?
+      webhooks.present?
+    end
+
+    def has_scripttags?
+      scripttags.present?
+    end
+  end
+
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
+  def self.configuration=(config)
+    @configuration = config
+  end
+
+  def self.configure
+    yield configuration
+  end
+end

data/lib/spiffy_stores_app/controller_concerns/app_proxy_verification.rb

@@ -0,0 +1,38 @@
+module SpiffyStoresApp
+  module AppProxyVerification
+    extend ActiveSupport::Concern
+
+    included do
+      skip_before_action :verify_authenticity_token, raise: false
+      before_action :verify_proxy_request
+    end
+
+    def verify_proxy_request
+      return head :forbidden unless query_string_valid?(request.query_string)
+    end
+
+    private
+
+    def query_string_valid?(query_string)
+      query_hash = Rack::Utils.parse_query(query_string)
+
+      signature = query_hash.delete('signature')
+      return false if signature.nil?
+
+      ActiveSupport::SecurityUtils.secure_compare(
+        calculated_signature(query_hash),
+        signature
+      )
+    end
+
+    def calculated_signature(query_hash_without_signature)
+      sorted_params = query_hash_without_signature.collect{|k,v| "#{k}=#{Array(v).join(',')}"}.sort.join
+
+      OpenSSL::HMAC.hexdigest(
+        OpenSSL::Digest.new('sha256'),
+        SpiffyStoresApp.configuration.secret,
+        sorted_params
+      )
+    end
+  end
+end

data/lib/spiffy_stores_app/controller_concerns/embedded_app.rb

@@ -0,0 +1,19 @@
+module SpiffyStoresApp
+  module EmbeddedApp
+    extend ActiveSupport::Concern
+
+    included do
+      if SpiffyStoresApp.configuration.embedded_app?
+        after_action :set_esdk_headers
+        layout 'embedded_app'
+      end
+    end
+
+    private
+
+    def set_esdk_headers
+      response.set_header('P3P', 'CP="Not used"')
+      response.headers.except!('X-Frame-Options')
+    end
+  end
+end

data/lib/spiffy_stores_app/controller_concerns/localization.rb

@@ -0,0 +1,22 @@
+module SpiffyStoresApp
+  module Localization
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :set_locale
+    end
+
+    private
+
+    def set_locale
+      if params[:locale]
+        session[:locale] = params[:locale]
+      else
+        session[:locale] ||= I18n.default_locale
+      end
+      I18n.locale = session[:locale]
+    rescue I18n::InvalidLocale
+      I18n.locale = I18n.default_locale
+    end
+  end
+end

data/lib/spiffy_stores_app/controller_concerns/login_protection.rb

@@ -0,0 +1,103 @@
+module SpiffyStoresApp
+  module LoginProtection
+    extend ActiveSupport::Concern
+
+    class SpiffyStoresDomainNotFound < StandardError; end
+
+    included do
+      rescue_from ActiveResource::UnauthorizedAccess, :with => :close_session
+    end
+
+    def spiffy_stores_session
+      if shop_session
+        begin
+          SpiffyStoresAPI::Base.activate_session(shop_session)
+          yield
+        ensure
+          SpiffyStoresAPI::Base.clear_session
+        end
+      else
+        redirect_to_login
+      end
+    end
+
+    def shop_session
+      return unless session[:spiffy_stores]
+      @shop_session ||= SpiffyStoresApp::SessionRepository.retrieve(session[:spiffy_stores])
+    end
+
+    def login_again_if_different_shop
+      if shop_session && params[:store] && params[:store].is_a?(String) && shop_session.url != params[:store]
+        clear_shop_session
+        redirect_to_login
+      end
+    end
+
+    protected
+
+    def redirect_to_login
+      if request.xhr?
+        head :unauthorized
+      else
+        if request.get?
+          session[:return_to] = "#{request.path}?#{sanitized_params.to_query}"
+        end
+        redirect_to login_url
+      end
+    end
+
+    def close_session
+      clear_shop_session
+      redirect_to login_url
+    end
+
+    def clear_shop_session
+      session[:spiffy_stores] = nil
+      session[:spiffy_stores_domain] = nil
+      session[:spiffy_stores_user] = nil
+    end
+
+    def login_url
+      url = SpiffyStoresApp.configuration.login_url
+
+      if params[:store].present?
+        query = { store: sanitized_params[:store] }.to_query
+        url = "#{url}?#{query}"
+      end
+
+      url
+    end
+
+    def fullpage_redirect_to(url)
+      if SpiffyStoresApp.configuration.embedded_app?
+        render 'spiffy_stores_app/shared/redirect', layout: false, locals: { url: url, current_spiffy_stores_domain: current_spiffy_stores_domain }
+      else
+        redirect_to url
+      end
+    end
+
+    def current_spiffy_stores_domain
+      spiffy_stores_domain = sanitized_shop_name || session[:spiffy_stores_domain]
+      return spiffy_stores_domain if spiffy_stores_domain.present?
+
+      raise SpiffyStoresDomainNotFound
+    end
+
+    def sanitized_shop_name
+      @sanitized_shop_name ||= sanitize_shop_param(params)
+    end
+
+    def sanitize_shop_param(params)
+      return unless params[:store].present?
+      SpiffyStoresApp::Utils.sanitize_shop_domain(params[:store])
+    end
+
+    def sanitized_params
+      request.query_parameters.clone.tap do |query_params|
+        if params[:store].is_a?(String)
+          query_params[:store] = sanitize_shop_param(params)
+        end
+      end
+    end
+  end
+end

data/lib/spiffy_stores_app/controller_concerns/webhook_verification.rb

@@ -0,0 +1,34 @@
+module SpiffyStoresApp
+  module WebhookVerification
+    extend ActiveSupport::Concern
+
+    included do
+      skip_before_action :verify_authenticity_token, raise: false
+      before_action :verify_request
+    end
+
+    private
+
+    def verify_request
+      data = request.raw_post
+      return head :unauthorized unless hmac_valid?(data)
+    end
+
+    def hmac_valid?(data)
+      secret = SpiffyStoresApp.configuration.secret
+      digest = OpenSSL::Digest.new('sha256')
+      ActiveSupport::SecurityUtils.secure_compare(
+        spiffy_stores_hmac,
+        Base64.encode64(OpenSSL::HMAC.digest(digest, secret, data)).strip
+      )
+    end
+
+    def shop_domain
+      request.headers['HTTP_X_SPIFFY_STORES_SHOP_DOMAIN']
+    end
+
+    def spiffy_stores_hmac
+      request.headers['HTTP_X_SPIFFY_STORES_HMAC_SHA256']
+    end
+  end
+end

data/lib/spiffy_stores_app/engine.rb

@@ -0,0 +1,10 @@
+module SpiffyStoresApp
+  class Engine < Rails::Engine
+    engine_name 'spiffy_stores_app'
+    isolate_namespace SpiffyStoresApp
+
+    initializer "spiffy_stores_app.assets.precompile" do |app|
+      app.config.assets.precompile += %w( spiffy_stores_app/redirect.js )
+    end
+  end
+end

data/lib/spiffy_stores_app/jobs/scripttags_manager_job.rb

@@ -0,0 +1,15 @@
+module SpiffyStoresApp
+  class ScripttagsManagerJob < ActiveJob::Base
+
+    queue_as do
+      SpiffyStoresApp.configuration.scripttags_manager_queue_name
+    end
+
+    def perform(shop_domain:, shop_token:, scripttags:)
+      SpiffyStoresAPI::Session.temp(shop_domain, shop_token) do
+        manager = ScripttagsManager.new(scripttags, shop_domain)
+        manager.create_scripttags
+      end
+    end
+  end
+end

data/lib/spiffy_stores_app/jobs/webhooks_manager_job.rb

@@ -0,0 +1,15 @@
+module SpiffyStoresApp
+  class WebhooksManagerJob < ActiveJob::Base
+
+    queue_as do
+      SpiffyStoresApp.configuration.webhooks_manager_queue_name
+    end
+
+    def perform(shop_domain:, shop_token:, webhooks:)
+      SpiffyStoresAPI::Session.temp(shop_domain, shop_token) do
+        manager = WebhooksManager.new(webhooks)
+        manager.create_webhooks
+      end
+    end
+  end
+end

data/lib/spiffy_stores_app/managers/scripttags_manager.rb

@@ -0,0 +1,77 @@
+module SpiffyStoresApp
+  class ScripttagsManager
+    class CreationFailed < StandardError; end
+
+    def self.queue(shop_domain, shop_token, scripttags)
+      SpiffyStoresApp::ScripttagsManagerJob.perform_later(
+        shop_domain: shop_domain,
+        shop_token: shop_token,
+        # Procs cannot be serialized so we interpolate now, if necessary
+        scripttags: build_src(scripttags, shop_domain)
+      )
+    end
+
+    def self.build_src(scripttags, domain)
+      scripttags.map do |tag|
+        next tag unless tag[:src].respond_to?(:call)
+        tag = tag.dup
+        tag[:src] = tag[:src].call(domain)
+        tag
+      end
+    end
+
+    attr_reader :required_scripttags, :shop_domain
+
+    def initialize(scripttags, shop_domain)
+      @required_scripttags = scripttags
+      @shop_domain = shop_domain
+    end
+
+    def recreate_scripttags!
+      destroy_scripttags
+      create_scripttags
+    end
+
+    def create_scripttags
+      return unless required_scripttags.present?
+
+      expanded_scripttags.each do |scripttag|
+        create_scripttag(scripttag) unless scripttag_exists?(scripttag[:src])
+      end
+    end
+
+    def destroy_scripttags
+      scripttags = expanded_scripttags
+      SpiffyStoresAPI::ScriptTag.all.each do |tag|
+        SpiffyStoresAPI::ScriptTag.delete(tag.id) if is_required_scripttag?(scripttags, tag)
+      end
+
+      @current_scripttags = nil
+    end
+
+    private
+
+    def expanded_scripttags
+      self.class.build_src(required_scripttags, shop_domain)
+    end
+
+    def is_required_scripttag?(scripttags, tag)
+      scripttags.map{ |w| w[:src] }.include? tag.src
+    end
+
+    def create_scripttag(attributes)
+      attributes.reverse_merge!(format: 'json')
+      scripttag = SpiffyStoresAPI::ScriptTag.create(attributes)
+      raise CreationFailed, scripttag.errors.full_messages.to_sentence unless scripttag.persisted?
+      scripttag
+    end
+
+    def scripttag_exists?(src)
+      current_scripttags[src]
+    end
+
+    def current_scripttags
+      @current_scripttags ||= SpiffyStoresAPI::ScriptTag.all.index_by(&:src)
+    end
+  end
+end