npm - shopify-app-js - Versions diffs - 0.0.1-security → 1.0.1 - Mend

shopify-app-js 0.0.1-security → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of shopify-app-js might be problematic. Click here for more details.

Files changed (424) hide show

package/packages/shopify-app-remix/src/server/authenticate/admin/__tests__/exit-i-frame-path.test.ts ADDED Viewed

@@ -0,0 +1,99 @@
+import {ShopifyError} from '@shopify/shopify-api';
+import {shopifyApp} from '../../..';
+import {
+  APP_URL,
+  TEST_SHOP,
+  expectDocumentRequestHeaders,
+  getThrownResponse,
+  testConfig,
+} from '../../../__test-helpers';
+import {APP_BRIDGE_URL} from '../../const';
+describe('authorize.admin exit iframe path', () => {
+  test('Uses App Bridge to exit iFrame when the url matches auth.exitIframePath', async () => {
+    // GIVEN
+    const config = testConfig();
+    const shopify = shopifyApp(config);
+    // WHEN
+    const exitTo = encodeURIComponent(config.appUrl);
+    const url = `${APP_URL}/auth/exit-iframe?exitIframe=${exitTo}&shop=${TEST_SHOP}`;
+    const response = await getThrownResponse(
+      shopify.authenticate.admin,
+      new Request(url),
+    );
+    // THEN
+    const responseText = await response.text();
+    expect(response.status).toBe(200);
+    expect(response.headers.get('content-type')).toBe(
+      'text/html;charset=utf-8',
+    );
+    expect(responseText).toContain(
+      `<script data-api-key="${config.apiKey}" src="${APP_BRIDGE_URL}"></script>`,
+    );
+    expect(responseText).toContain(
+      `<script>window.open("${decodeURIComponent(exitTo)}/", "_top")</script>`,
+    );
+    expectDocumentRequestHeaders(response);
+  });
+  test('Uses App Bridge to exit iFrame when the url matches auth.exitIframePath and authPathPrefix is passed', async () => {
+    // GIVEN
+    const authPathPrefix = '/shopify';
+    const config = testConfig({authPathPrefix});
+    const shopify = shopifyApp(config);
+    // WHEN
+    const exitTo = encodeURIComponent(config.appUrl);
+    const url = `${APP_URL}${authPathPrefix}/exit-iframe?exitIframe=${exitTo}&shop=${TEST_SHOP}`;
+    const response = await getThrownResponse(
+      shopify.authenticate.admin,
+      new Request(url),
+    );
+    // THEN
+    const responseText = await response.text();
+    expect(response.status).toBe(200);
+    expect(response.headers.get('content-type')).toBe(
+      'text/html;charset=utf-8',
+    );
+    expect(responseText).toContain(
+      `<script data-api-key="${config.apiKey}" src="${APP_BRIDGE_URL}"></script>`,
+    );
+    expect(responseText).toContain(
+      `<script>window.open("${decodeURIComponent(exitTo)}/", "_top")</script>`,
+    );
+    expectDocumentRequestHeaders(response);
+  });
+  test('Allows relative paths as exitIframe param', async () => {
+    // GIVEN
+    const shopify = shopifyApp(testConfig());
+    // WHEN
+    const exitTo = encodeURIComponent('/my-path');
+    const url = `${APP_URL}/auth/exit-iframe?exitIframe=${exitTo}&shop=${TEST_SHOP}`;
+    const response = await getThrownResponse(
+      shopify.authenticate.admin,
+      new Request(url),
+    );
+    // THEN
+    expect(response.status).toBe(200);
+    expectDocumentRequestHeaders(response);
+  });
+  test('refuses to redirect to invalid URLs', async () => {
+    // GIVEN
+    const shopify = shopifyApp(testConfig());
+    const exitTo = encodeURIComponent('file:///not/allowed/path');
+    const url = `${APP_URL}/auth/exit-iframe?exitIframe=${exitTo}&shop=${TEST_SHOP}`;
+    // THEN
+    await expect(shopify.authenticate.admin(new Request(url))).rejects.toThrow(
+      ShopifyError,
+    );
+  });
+});

package/packages/shopify-app-remix/src/server/authenticate/admin/__tests__/patch-session-token-path.test.ts ADDED Viewed

@@ -0,0 +1,58 @@
+import {shopifyApp} from '../../..';
+import {APP_BRIDGE_URL} from '../../const';
+import {
+  APP_URL,
+  TEST_SHOP,
+  expectDocumentRequestHeaders,
+  getThrownResponse,
+  testConfig,
+} from '../../../__test-helpers';
+describe('authorize.admin path session token path', () => {
+  test('Uses AppBridge to get a session token if the URL is for auth.patchSessionTokenPath', async () => {
+    // GIVEN
+    const config = testConfig();
+    const shopify = shopifyApp(config);
+    // WHEN
+    const url = `${APP_URL}/auth/session-token?shop=${TEST_SHOP}`;
+    const response = await getThrownResponse(
+      shopify.authenticate.admin,
+      new Request(url),
+    );
+    // THEN
+    expect(response.status).toBe(200);
+    expectDocumentRequestHeaders(response, config.isEmbeddedApp);
+    expect(response.headers.get('content-type')).toBe(
+      'text/html;charset=utf-8',
+    );
+    expect((await response.text()).trim()).toBe(
+      `<script data-api-key="${config.apiKey}" src="${APP_BRIDGE_URL}"></script>`,
+    );
+  });
+  test('Uses AppBridge to get a session token if the URL is for auth.patchSessionTokenPath and authPathPrefix is configured', async () => {
+    // GIVEN
+    const authPathPrefix = '/shopify';
+    const config = testConfig({authPathPrefix});
+    const shopify = shopifyApp(config);
+    // WHEN
+    const url = `${APP_URL}${authPathPrefix}/session-token?shop=${TEST_SHOP}`;
+    const response = await getThrownResponse(
+      shopify.authenticate.admin,
+      new Request(url),
+    );
+    // THEN
+    expect(response.status).toBe(200);
+    expectDocumentRequestHeaders(response, config.isEmbeddedApp);
+    expect(response.headers.get('content-type')).toBe(
+      'text/html;charset=utf-8',
+    );
+    expect((await response.text()).trim()).toContain(
+      `<script data-api-key="${config.apiKey}" src="${APP_BRIDGE_URL}"></script>`,
+    );
+  });
+});

package/packages/shopify-app-remix/src/server/authenticate/admin/__tests__/reject-bot.test.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import {shopifyApp} from '../../..';
+import {APP_URL, getThrownResponse, testConfig} from '../../../__test-helpers';
+describe('authorize.admin', () => {
+  test('rejects bot requests', async () => {
+    // GIVEN
+    const shopify = shopifyApp(testConfig());
+    // WHEN
+    const response = await getThrownResponse(
+      shopify.authenticate.admin,
+      new Request(APP_URL, {
+        headers: {
+          'User-Agent': 'Googlebot',
+        },
+      }),
+    );
+    // THEN
+    expect(response.status).toBe(410);
+    expect(response.statusText).toBe('Gone');
+  });
+});

package/packages/shopify-app-remix/src/server/authenticate/admin/__tests__/respond-to-options.test.ts ADDED Viewed

@@ -0,0 +1,50 @@
+import {shopifyApp} from '../../..';
+import {APP_URL, getThrownResponse, testConfig} from '../../../__test-helpers';
+import {REAUTH_URL_HEADER} from '../../const';
+describe('authorize.admin', () => {
+  test('Adds CORS headers if OPTIONS request and origin is not the app', async () => {
+    // GIVEN
+    const shopify = shopifyApp(testConfig());
+    // WHEN
+    const response = await getThrownResponse(
+      shopify.authenticate.admin,
+      new Request('http://cdn.shopify.com', {
+        method: 'OPTIONS',
+        headers: {Origin: 'http://cdn.shopify.com'},
+      }),
+    );
+    // THEN
+    expect(response.status).toBe(204);
+    expect(response.headers.get('Access-Control-Allow-Origin')).toBe('*');
+    expect(response.headers.get('Access-Control-Allow-Headers')).toBe(
+      'Authorization, Content-Type',
+    );
+    expect(response.headers.get('Access-Control-Expose-Headers')).toBe(
+      REAUTH_URL_HEADER,
+    );
+  });
+  test('Does not add CORS headers if OPTIONS request and origin is the app', async () => {
+    // GIVEN
+    const shopify = shopifyApp(testConfig());
+    // WHEN
+    const response = await getThrownResponse(
+      shopify.authenticate.admin,
+      new Request(APP_URL, {method: 'OPTIONS'}),
+    );
+    // THEN
+    expect(response.status).toBe(204);
+    expect(response.headers.get('Access-Control-Allow-Origin')).not.toBe('*');
+    expect(response.headers.get('Access-Control-Allow-Headers')).not.toBe(
+      'Authorization, Content-Type',
+    );
+    expect(response.headers.get('Access-Control-Expose-Headers')).not.toBe(
+      REAUTH_URL_HEADER,
+    );
+  });
+});

package/packages/shopify-app-remix/src/server/authenticate/admin/__tests__/session-token-header-path.test.ts ADDED Viewed

@@ -0,0 +1,91 @@
+import {SESSION_COOKIE_NAME, Session} from '@shopify/shopify-api';
+import {shopifyApp} from '../../..';
+import {
+  APP_URL,
+  BASE64_HOST,
+  TEST_SHOP,
+  getJwt,
+  getThrownResponse,
+  setUpValidSession,
+  signRequestCookie,
+  testConfig,
+} from '../../../__test-helpers';
+import {REAUTH_URL_HEADER} from '../../const';
+describe('authorize.session token header path', () => {
+  describe('errors', () => {
+    it('throws a 401 if the session token is invalid', async () => {
+      // GIVEN
+      const shopify = shopifyApp(testConfig());
+      // WHEN
+      const response = await getThrownResponse(
+        shopify.authenticate.admin,
+        new Request(`${APP_URL}?shop=${TEST_SHOP}&host=${BASE64_HOST}`, {
+          headers: {Authorization: 'Bearer im-a-valid-token-promise'},
+        }),
+      );
+      // THEN
+      expect(response.status).toBe(401);
+    });
+  });
+  describe.each([true, false])(
+    'success cases when isOnline: %s',
+    (isOnline) => {
+      it('returns context when session exists for embedded apps', async () => {
+        // GIVEN
+        const shopify = shopifyApp(testConfig({useOnlineTokens: isOnline}));
+        const testSession = await setUpValidSession(shopify.sessionStorage, {
+          isOnline,
+        });
+        // WHEN
+        const {token, payload} = getJwt();
+        const {sessionToken, admin, session} = await shopify.authenticate.admin(
+          new Request(`${APP_URL}?shop=${TEST_SHOP}&host=${BASE64_HOST}`, {
+            headers: {Authorization: `Bearer ${token}`},
+          }),
+        );
+        // THEN
+        expect(sessionToken).toEqual(payload);
+        expect(session).toBe(testSession);
+        expect(admin.rest.session).toBe(testSession);
+      });
+      it('returns context when session exists for non-embedded apps', async () => {
+        // GIVEN
+        const shopify = shopifyApp(
+          testConfig({isEmbeddedApp: false, useOnlineTokens: isOnline}),
+        );
+        let testSession: Session;
+        testSession = await setUpValidSession(shopify.sessionStorage);
+        if (isOnline) {
+          testSession = await setUpValidSession(shopify.sessionStorage, {
+            isOnline: true,
+          });
+        }
+        // WHEN
+        const request = new Request(
+          `${APP_URL}?shop=${TEST_SHOP}&host=${BASE64_HOST}`,
+        );
+        signRequestCookie({
+          request,
+          cookieName: SESSION_COOKIE_NAME,
+          cookieValue: testSession.id,
+        });
+        const {admin, session} = await shopify.authenticate.admin(request);
+        // THEN
+        expect(session).toBe(testSession);
+        expect(admin.rest.session).toBe(testSession);
+      });
+    },
+  );
+});

package/packages/shopify-app-remix/src/server/authenticate/admin/authenticate.admin.doc.ts ADDED Viewed

@@ -0,0 +1,37 @@
+import {ReferenceEntityTemplateSchema} from '@shopify/generate-docs';
+const data: ReferenceEntityTemplateSchema = {
+  name: 'Admin',
+  description:
+    'Contains functions for authenticating and interacting with the Admin API.\n\nThis function can handle requests for apps embedded in the Admin, Admin extensions, or non-embedded apps.',
+  category: 'Authenticate',
+  type: 'object',
+  isVisualComponent: false,
+  definitions: [
+    {
+      title: 'authenticate.admin',
+      description:
+        'Authenticates requests coming from the Shopify admin.\n\nThe shape of the returned object changes depending on the `isEmbeddedApp` config.',
+      type: 'AuthenticateAdmin',
+    },
+  ],
+  jsDocTypeExamples: [
+    'EmbeddedAdminContext',
+    'AdminApiContext',
+    'BillingContext',
+  ],
+  related: [
+    {
+      name: 'API context',
+      subtitle: 'Interact with the Admin API.',
+      url: '/docs/api/shopify-app-remix/apis/admin-api',
+    },
+    {
+      name: 'Billing context',
+      subtitle: 'Bill merchants for your app using the Admin API.',
+      url: '/docs/api/shopify-app-remix/apis/billing',
+    },
+  ],
+};
+export default data;

package/packages/shopify-app-remix/src/server/authenticate/admin/authenticate.ts ADDED Viewed

@@ -0,0 +1,201 @@
+import {JwtPayload, Session, ShopifyRestResources} from '@shopify/shopify-api';
+import type {BasicParams} from '../../types';
+import type {AppConfigArg} from '../../config-types';
+import {
+  getSessionTokenHeader,
+  ensureCORSHeadersFactory,
+  getSessionTokenFromUrlParam,
+  respondToBotRequest,
+  respondToOptionsRequest,
+  validateSessionToken,
+} from '../helpers';
+import {
+  cancelBillingFactory,
+  requestBillingFactory,
+  requireBillingFactory,
+  checkBillingFactory,
+} from './billing';
+import type {
+  AdminContext,
+  AuthenticateAdmin,
+  EmbeddedAdminContext,
+  NonEmbeddedAdminContext,
+} from './types';
+import {
+  createAdminApiContext,
+  ensureAppIsEmbeddedIfRequired,
+  ensureSessionTokenSearchParamIfRequired,
+  redirectFactory,
+  renderAppBridge,
+  validateShopAndHostParams,
+} from './helpers';
+import {AuthorizationStrategy} from './strategies/types';
+export interface SessionTokenContext {
+  shop: string;
+  sessionId?: string;
+  sessionToken?: string;
+  payload?: JwtPayload;
+}
+interface AuthStrategyParams extends BasicParams {
+  strategy: AuthorizationStrategy;
+}
+export function authStrategyFactory<
+  ConfigArg extends AppConfigArg,
+  Resources extends ShopifyRestResources = ShopifyRestResources,
+>({
+  strategy,
+  ...params
+}: AuthStrategyParams): AuthenticateAdmin<ConfigArg, Resources> {
+  const {api, logger, config} = params;
+  async function respondToBouncePageRequest(request: Request) {
+    const url = new URL(request.url);
+    if (url.pathname === config.auth.patchSessionTokenPath) {
+      logger.debug('Rendering bounce page');
+      throw renderAppBridge({config, logger, api}, request);
+    }
+  }
+  async function respondToExitIframeRequest(request: Request) {
+    const url = new URL(request.url);
+    if (url.pathname === config.auth.exitIframePath) {
+      const destination = url.searchParams.get('exitIframe')!;
+      logger.debug('Rendering exit iframe page', {destination});
+      throw renderAppBridge({config, logger, api}, request, {url: destination});
+    }
+  }
+  function createContext(
+    request: Request,
+    session: Session,
+    authStrategy: AuthorizationStrategy,
+    sessionToken?: JwtPayload,
+  ): AdminContext<ConfigArg, Resources> {
+    const context:
+      | EmbeddedAdminContext<ConfigArg, Resources>
+      | NonEmbeddedAdminContext<ConfigArg, Resources> = {
+      admin: createAdminApiContext<Resources>(
+        session,
+        params,
+        authStrategy.handleClientError(request),
+      ),
+      billing: {
+        require: requireBillingFactory(params, request, session),
+        check: checkBillingFactory(params, request, session),
+        request: requestBillingFactory(params, request, session),
+        cancel: cancelBillingFactory(params, request, session),
+      },
+      session,
+      cors: ensureCORSHeadersFactory(params, request),
+    };
+    if (config.isEmbeddedApp) {
+      return {
+        ...context,
+        sessionToken,
+        redirect: redirectFactory(params, request),
+      } as AdminContext<ConfigArg, Resources>;
+    } else {
+      return context as AdminContext<ConfigArg, Resources>;
+    }
+  }
+  return async function authenticateAdmin(request: Request) {
+    try {
+      respondToBotRequest(params, request);
+      respondToOptionsRequest(params, request);
+      await respondToBouncePageRequest(request);
+      await respondToExitIframeRequest(request);
+      await strategy.respondToOAuthRequests(request);
+      // If this is a valid request, but it doesn't have a session token header, this is a document request. We need to
+      // ensure we're embedded if needed and we have the information needed to load the session.
+      if (!getSessionTokenHeader(request)) {
+        validateShopAndHostParams(params, request);
+        await ensureAppIsEmbeddedIfRequired(params, request);
+        await ensureSessionTokenSearchParamIfRequired(params, request);
+      }
+      logger.info('Authenticating admin request');
+      const {payload, shop, sessionId, sessionToken} =
+        await getSessionTokenContext(params, request);
+      logger.debug('Loading session from storage', {sessionId});
+      const existingSession = sessionId
+        ? await config.sessionStorage.loadSession(sessionId)
+        : undefined;
+      const session = await strategy.authenticate(request, {
+        session: existingSession,
+        sessionToken,
+        shop,
+      });
+      logger.debug('Request is valid, loaded session from session token', {
+        shop: session.shop,
+        isOnline: session.isOnline,
+      });
+      return createContext(request, session, strategy, payload);
+    } catch (errorOrResponse) {
+      if (errorOrResponse instanceof Response) {
+        ensureCORSHeadersFactory(params, request)(errorOrResponse);
+      }
+      throw errorOrResponse;
+    }
+  };
+}
+async function getSessionTokenContext(
+  params: BasicParams,
+  request: Request,
+): Promise<SessionTokenContext> {
+  const {api, config, logger} = params;
+  const headerSessionToken = getSessionTokenHeader(request);
+  const searchParamSessionToken = getSessionTokenFromUrlParam(request);
+  const sessionToken = (headerSessionToken || searchParamSessionToken)!;
+  logger.debug('Attempting to authenticate session token', {
+    sessionToken: JSON.stringify({
+      header: headerSessionToken,
+      search: searchParamSessionToken,
+    }),
+  });
+  if (config.isEmbeddedApp) {
+    const payload = await validateSessionToken(
+      {config, logger, api},
+      sessionToken,
+    );
+    const dest = new URL(payload.dest);
+    const shop = dest.hostname;
+    logger.debug('Session token is valid', {shop, payload});
+    const sessionId = config.useOnlineTokens
+      ? api.session.getJwtSessionId(shop, payload.sub)
+      : api.session.getOfflineId(shop);
+    return {shop, payload, sessionId, sessionToken};
+  }
+  const url = new URL(request.url);
+  const shop = url.searchParams.get('shop')!;
+  const sessionId = await api.session.getCurrentId({
+    isOnline: config.useOnlineTokens,
+    rawRequest: request,
+  });
+  return {shop, sessionId, payload: undefined, sessionToken};
+}