npm - shopify-app-js - Versions diffs - 0.0.1-security → 1.0.1 - Mend

shopify-app-js 0.0.1-security → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of shopify-app-js might be problematic. Click here for more details.

Files changed (424) hide show

package/packages/shopify-app-remix/src/server/authenticate/admin/billing/__tests__/request.test.ts ADDED Viewed

@@ -0,0 +1,373 @@
+import {
+  BillingConfigSubscriptionLineItemPlan,
+  BillingError,
+  BillingInterval,
+  HttpResponseError,
+  SESSION_COOKIE_NAME,
+} from '@shopify/shopify-api';
+import {shopifyApp} from '../../../..';
+import {
+  APP_URL,
+  BASE64_HOST,
+  GRAPHQL_URL,
+  TEST_SHOP,
+  expectBeginAuthRedirect,
+  expectExitIframeRedirect,
+  getJwt,
+  getThrownResponse,
+  setUpValidSession,
+  signRequestCookie,
+  testConfig,
+  mockExternalRequest,
+  mockExternalRequests,
+} from '../../../../__test-helpers';
+import {REAUTH_URL_HEADER} from '../../../const';
+import * as responses from './mock-responses';
+const BILLING_CONFIG = {
+  [responses.PLAN_1]: {
+    lineItems: [
+      {
+        amount: 5,
+        currencyCode: 'USD',
+        interval: BillingInterval.Every30Days,
+      },
+    ],
+  } as BillingConfigSubscriptionLineItemPlan,
+};
+describe('Billing request', () => {
+  it('redirects to payment confirmation URL when successful and at the top level for non-embedded apps', async () => {
+    // GIVEN
+    const shopify = shopifyApp(
+      testConfig({isEmbeddedApp: false, billing: BILLING_CONFIG}),
+    );
+    const session = await setUpValidSession(shopify.sessionStorage);
+    await mockExternalRequests({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(responses.PURCHASE_SUBSCRIPTION_RESPONSE),
+    });
+    const request = new Request(`${APP_URL}/billing?shop=${TEST_SHOP}`);
+    signRequestCookie({
+      request,
+      cookieName: SESSION_COOKIE_NAME,
+      cookieValue: session.id,
+    });
+    const {billing} = await shopify.authenticate.admin(request);
+    // WHEN
+    const response = await getThrownResponse(
+      async () => billing.request({plan: responses.PLAN_1, isTest: true}),
+      request,
+    );
+    // THEN
+    expect(response.status).toEqual(302);
+    expect(response.headers.get('Location')).toEqual(
+      responses.CONFIRMATION_URL,
+    );
+  });
+  it('redirects to payment confirmation URL when successful and at the top level for non-embedded apps', async () => {
+    // GIVEN
+    const shopify = shopifyApp(
+      testConfig({isEmbeddedApp: false, billing: BILLING_CONFIG}),
+    );
+    const session = await setUpValidSession(shopify.sessionStorage);
+    await mockExternalRequests({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(responses.PURCHASE_SUBSCRIPTION_RESPONSE),
+    });
+    const request = new Request(`${APP_URL}/billing?shop=${TEST_SHOP}`);
+    signRequestCookie({
+      request,
+      cookieName: SESSION_COOKIE_NAME,
+      cookieValue: session.id,
+    });
+    const {billing} = await shopify.authenticate.admin(request);
+    // WHEN
+    const response = await getThrownResponse(
+      async () => billing.request({plan: responses.PLAN_1, isTest: true}),
+      request,
+    );
+    // THEN
+    expect(response.status).toEqual(302);
+    expect(response.headers.get('Location')).toEqual(
+      responses.CONFIRMATION_URL,
+    );
+  });
+  it('redirects to exit-iframe with payment confirmation URL when successful using app bridge when embedded', async () => {
+    // GIVEN
+    const shopify = shopifyApp(testConfig({billing: BILLING_CONFIG}));
+    await setUpValidSession(shopify.sessionStorage);
+    await mockExternalRequest({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(responses.PURCHASE_SUBSCRIPTION_RESPONSE),
+    });
+    const {token} = getJwt();
+    const request = new Request(
+      `${APP_URL}/billing?embedded=1&shop=${TEST_SHOP}&host=${BASE64_HOST}&id_token=${token}`,
+    );
+    const {billing} = await shopify.authenticate.admin(request);
+    // WHEN
+    const response = await getThrownResponse(
+      async () => billing.request({plan: responses.PLAN_1, isTest: true}),
+      request,
+    );
+    // THEN
+    expectExitIframeRedirect(response, {
+      destination: responses.CONFIRMATION_URL,
+      addHostToExitIframePath: false,
+    });
+  });
+  it('returns redirection headers when successful during fetch requests', async () => {
+    // GIVEN
+    const shopify = shopifyApp(testConfig({billing: BILLING_CONFIG}));
+    await setUpValidSession(shopify.sessionStorage);
+    await mockExternalRequest({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(responses.PURCHASE_SUBSCRIPTION_RESPONSE),
+    });
+    const request = new Request(`${APP_URL}/billing`, {
+      headers: {
+        Authorization: `Bearer ${getJwt().token}`,
+      },
+    });
+    const {billing} = await shopify.authenticate.admin(request);
+    // WHEN
+    const response = await getThrownResponse(
+      async () => billing.request({plan: responses.PLAN_1, isTest: true}),
+      request,
+    );
+    // THEN
+    expect(response.status).toEqual(401);
+    expect(response.headers.get(REAUTH_URL_HEADER)).toEqual(
+      responses.CONFIRMATION_URL,
+    );
+  });
+  it('redirects to authentication when at the top level when Shopify invalidated the session', async () => {
+    // GIVEN
+    const config = testConfig();
+    const shopify = shopifyApp(
+      testConfig({isEmbeddedApp: false, billing: BILLING_CONFIG}),
+    );
+    const session = await setUpValidSession(shopify.sessionStorage);
+    await mockExternalRequests({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(undefined, {
+        status: 401,
+        statusText: 'Unauthorized',
+      }),
+    });
+    const request = new Request(`${APP_URL}/billing?shop=${TEST_SHOP}`);
+    signRequestCookie({
+      request,
+      cookieName: SESSION_COOKIE_NAME,
+      cookieValue: session.id,
+    });
+    const {billing} = await shopify.authenticate.admin(request);
+    // WHEN
+    const response = await getThrownResponse(
+      async () => billing.request({plan: responses.PLAN_1, isTest: true}),
+      request,
+    );
+    // THEN
+    expectBeginAuthRedirect(config, response);
+  });
+  it('redirects to exit-iframe with authentication using app bridge when embedded and Shopify invalidated the session', async () => {
+    // GIVEN
+    const config = testConfig();
+    const shopify = shopifyApp({...config, billing: BILLING_CONFIG});
+    await setUpValidSession(shopify.sessionStorage);
+    await mockExternalRequest({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(undefined, {
+        status: 401,
+        statusText: 'Unauthorized',
+      }),
+    });
+    const {token} = getJwt();
+    const request = new Request(
+      `${APP_URL}/billing?embedded=1&shop=${TEST_SHOP}&host=${BASE64_HOST}&id_token=${token}`,
+    );
+    const {billing} = await shopify.authenticate.admin(request);
+    // WHEN
+    const response = await getThrownResponse(
+      async () => billing.request({plan: responses.PLAN_1, isTest: true}),
+      request,
+    );
+    // THEN
+    const shopSessions =
+      await config.sessionStorage.findSessionsByShop(TEST_SHOP);
+    expect(shopSessions).toStrictEqual([]);
+    expectExitIframeRedirect(response);
+  });
+  it('returns redirection headers during fetch requests when Shopify invalidated the session', async () => {
+    // GIVEN
+    const shopify = shopifyApp(testConfig({billing: BILLING_CONFIG}));
+    await setUpValidSession(shopify.sessionStorage);
+    await mockExternalRequest({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(undefined, {
+        status: 401,
+        statusText: 'Unauthorized',
+      }),
+    });
+    const request = new Request(`${APP_URL}/billing`, {
+      headers: {
+        Authorization: `Bearer ${getJwt().token}`,
+      },
+    });
+    const {billing} = await shopify.authenticate.admin(request);
+    // WHEN
+    const response = await getThrownResponse(
+      async () => billing.request({plan: responses.PLAN_1, isTest: true}),
+      request,
+    );
+    // THEN
+    expect(response.status).toEqual(401);
+    const reauthUrl = new URL(response.headers.get(REAUTH_URL_HEADER)!);
+    expect(reauthUrl.origin).toEqual(APP_URL);
+    expect(reauthUrl.pathname).toEqual('/auth');
+  });
+  it('throws errors other than authentication errors', async () => {
+    // GIVEN
+    const shopify = shopifyApp(
+      testConfig({isEmbeddedApp: false, billing: BILLING_CONFIG}),
+    );
+    const session = await setUpValidSession(shopify.sessionStorage);
+    await mockExternalRequests({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(undefined, {
+        status: 500,
+        statusText: 'Internal Server Error',
+      }),
+    });
+    const request = new Request(`${APP_URL}/billing?shop=${TEST_SHOP}`);
+    signRequestCookie({
+      request,
+      cookieName: SESSION_COOKIE_NAME,
+      cookieValue: session.id,
+    });
+    const {billing} = await shopify.authenticate.admin(request);
+    // THEN
+    await expect(
+      billing.request({plan: responses.PLAN_1, isTest: true}),
+    ).rejects.toThrowError(HttpResponseError);
+  });
+  it('throws a BillingError when the response contains user errors', async () => {
+    // GIVEN
+    const shopify = shopifyApp(testConfig({billing: BILLING_CONFIG}));
+    await setUpValidSession(shopify.sessionStorage);
+    await mockExternalRequest({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(
+        responses.PURCHASE_SUBSCRIPTION_RESPONSE_WITH_USER_ERRORS,
+      ),
+    });
+    const {token} = getJwt();
+    const {billing} = await shopify.authenticate.admin(
+      new Request(
+        `${APP_URL}/billing?embedded=1&shop=${TEST_SHOP}&host=${BASE64_HOST}&id_token=${token}`,
+      ),
+    );
+    // THEN
+    await expect(
+      billing.request({plan: responses.PLAN_1, isTest: true}),
+    ).rejects.toThrowError(BillingError);
+  });
+  it('redirects to payment confirmation URL when successful and at the top level for non-embedded when v3_lineItemBilling is not enabled ', async () => {
+    // GIVEN
+    const shopify = shopifyApp(
+      testConfig({
+        isEmbeddedApp: false,
+        billing: {
+          [responses.PLAN_1]: {
+            amount: 5,
+            currencyCode: 'USD',
+            interval: BillingInterval.Every30Days,
+          },
+        },
+        future: {v3_lineItemBilling: false},
+      }),
+    );
+    const session = await setUpValidSession(shopify.sessionStorage);
+    await mockExternalRequests({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(responses.PURCHASE_SUBSCRIPTION_RESPONSE),
+    });
+    const request = new Request(`${APP_URL}/billing?shop=${TEST_SHOP}`);
+    signRequestCookie({
+      request,
+      cookieName: SESSION_COOKIE_NAME,
+      cookieValue: session.id,
+    });
+    const {billing} = await shopify.authenticate.admin(request);
+    // WHEN
+    const response = await getThrownResponse(
+      async () => billing.request({plan: responses.PLAN_1, isTest: true}),
+      request,
+    );
+    // THEN
+    expect(response.status).toEqual(302);
+    expect(response.headers.get('Location')).toEqual(
+      responses.CONFIRMATION_URL,
+    );
+  });
+});

package/packages/shopify-app-remix/src/server/authenticate/admin/billing/__tests__/require.test.ts ADDED Viewed

@@ -0,0 +1,316 @@
+import {
+  BillingConfigSubscriptionLineItemPlan,
+  BillingInterval,
+  HttpResponseError,
+  SESSION_COOKIE_NAME,
+  Shopify,
+} from '@shopify/shopify-api';
+import {shopifyApp} from '../../../..';
+import {
+  APP_URL,
+  BASE64_HOST,
+  GRAPHQL_URL,
+  TEST_SHOP,
+  expectBeginAuthRedirect,
+  expectExitIframeRedirect,
+  getJwt,
+  getThrownResponse,
+  setUpValidSession,
+  signRequestCookie,
+  testConfig,
+  mockExternalRequest,
+} from '../../../../__test-helpers';
+import {REAUTH_URL_HEADER} from '../../../const';
+import * as responses from './mock-responses';
+const BILLING_CONFIG = {
+  [responses.PLAN_1]: {
+    lineItems: [
+      {
+        amount: 5,
+        currencyCode: 'USD',
+        interval: BillingInterval.Every30Days,
+      },
+    ],
+  } as BillingConfigSubscriptionLineItemPlan,
+};
+describe('Billing require', () => {
+  it('throws the returned response from onFailure when there is no payment', async () => {
+    // GIVEN
+    const config = testConfig();
+    await setUpValidSession(config.sessionStorage);
+    const shopify = shopifyApp({...config, billing: BILLING_CONFIG});
+    await mockExternalRequest({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(responses.EMPTY_SUBSCRIPTIONS),
+    });
+    const {billing} = await shopify.authenticate.admin(
+      new Request(`${APP_URL}/billing`, {
+        headers: {
+          Authorization: `Bearer ${getJwt().token}`,
+        },
+      }),
+    );
+    // WHEN
+    try {
+      await billing.require({
+        plans: [responses.PLAN_1],
+        onFailure: async (error) => {
+          expect(error.message).toBe('Billing check failed');
+          return new Response('Test response', {status: 402});
+        },
+      });
+    } catch (response) {
+      expect(response.status).toBe(402);
+      expect(await response.text()).toBe('Test response');
+    }
+  });
+  it('returns true when there is payment', async () => {
+    // GIVEN
+    const config = testConfig();
+    await setUpValidSession(config.sessionStorage);
+    const shopify = shopifyApp({...config, billing: BILLING_CONFIG});
+    await mockExternalRequest({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(responses.EXISTING_SUBSCRIPTION),
+    });
+    const {billing} = await shopify.authenticate.admin(
+      new Request(`${APP_URL}/billing`, {
+        headers: {
+          Authorization: `Bearer ${getJwt().token}`,
+        },
+      }),
+    );
+    // WHEN
+    const result = await billing.require({
+      plans: [responses.PLAN_1],
+      onFailure: async () => {
+        throw new Error('This should not be called');
+      },
+    });
+    // THEN
+    expect(result.hasActivePayment).toBe(true);
+    expect(result.oneTimePurchases).toEqual([]);
+    expect(result.appSubscriptions).toEqual([
+      {id: 'gid://123', name: responses.PLAN_1, test: true},
+    ]);
+  });
+  it('returns true when there is payment and v3_lineItemBilling is not enabled', async () => {
+    // GIVEN
+    const config = testConfig();
+    await setUpValidSession(config.sessionStorage);
+    const shopify = shopifyApp({
+      ...config,
+      billing: {
+        [responses.PLAN_1]: {
+          amount: 5,
+          currencyCode: 'USD',
+          interval: BillingInterval.Every30Days,
+        },
+      },
+      future: {v3_lineItemBilling: false},
+    });
+    await mockExternalRequest({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(responses.EXISTING_SUBSCRIPTION),
+    });
+    const {billing} = await shopify.authenticate.admin(
+      new Request(`${APP_URL}/billing`, {
+        headers: {
+          Authorization: `Bearer ${getJwt().token}`,
+        },
+      }),
+    );
+    // WHEN
+    const result = await billing.require({
+      plans: [responses.PLAN_1],
+      onFailure: async () => {
+        throw new Error('This should not be called');
+      },
+    });
+    // THEN
+    expect(result.hasActivePayment).toBe(true);
+    expect(result.oneTimePurchases).toEqual([]);
+    expect(result.appSubscriptions).toEqual([
+      {id: 'gid://123', name: responses.PLAN_1, test: true},
+    ]);
+  });
+  it('redirects to authentication when at the top level when Shopify invalidated the session', async () => {
+    // GIVEN
+    const config = testConfig({
+      isEmbeddedApp: false,
+      billing: BILLING_CONFIG,
+    });
+    const session = await setUpValidSession(config.sessionStorage);
+    const shopify = shopifyApp(config);
+    await mockExternalRequest({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(undefined, {
+        status: 401,
+        statusText: 'Unauthorized',
+      }),
+    });
+    const request = new Request(`${APP_URL}/billing?shop=${TEST_SHOP}`);
+    signRequestCookie({
+      request,
+      cookieName: SESSION_COOKIE_NAME,
+      cookieValue: session.id,
+    });
+    const {billing} = await shopify.authenticate.admin(request);
+    // WHEN
+    const response = await getThrownResponse(
+      async () =>
+        billing.require({
+          plans: [responses.PLAN_1 as unknown as never],
+          onFailure: async () => {
+            throw new Error('This should not be called');
+          },
+        }),
+      request,
+    );
+    // THEN
+    expectBeginAuthRedirect(config, response);
+  });
+  it('redirects to exit-iframe with authentication using app bridge when embedded and Shopify invalidated the session', async () => {
+    // GIVEN
+    const config = testConfig();
+    await setUpValidSession(config.sessionStorage);
+    const shopify = shopifyApp({...config, billing: BILLING_CONFIG});
+    await mockExternalRequest({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(undefined, {
+        status: 401,
+        statusText: 'Unauthorized',
+      }),
+    });
+    const {token} = getJwt();
+    const request = new Request(
+      `${APP_URL}/billing?embedded=1&shop=${TEST_SHOP}&host=${BASE64_HOST}&id_token=${token}`,
+    );
+    const {billing} = await shopify.authenticate.admin(request);
+    // WHEN
+    const response = await getThrownResponse(
+      async () =>
+        billing.require({
+          plans: [responses.PLAN_1],
+          onFailure: async () => {
+            throw new Error('This should not be called');
+          },
+        }),
+      request,
+    );
+    // THEN
+    const shopSessions =
+      await config.sessionStorage.findSessionsByShop(TEST_SHOP);
+    expect(shopSessions).toStrictEqual([]);
+    expectExitIframeRedirect(response);
+  });
+  it('returns redirection headers during fetch requests when Shopify invalidated the session', async () => {
+    // GIVEN
+    const config = testConfig();
+    await setUpValidSession(config.sessionStorage);
+    const shopify = shopifyApp({...config, billing: BILLING_CONFIG});
+    await mockExternalRequest({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(undefined, {
+        status: 401,
+        statusText: 'Unauthorized',
+      }),
+    });
+    const request = new Request(`${APP_URL}/billing`, {
+      headers: {
+        Authorization: `Bearer ${getJwt().token}`,
+      },
+    });
+    const {billing} = await shopify.authenticate.admin(request);
+    // WHEN
+    const response = await getThrownResponse(
+      async () =>
+        billing.require({
+          plans: [responses.PLAN_1],
+          onFailure: async () => {
+            throw new Error('This should not be called');
+          },
+        }),
+      request,
+    );
+    // THEN
+    const reauthUrl = new URL(response.headers.get(REAUTH_URL_HEADER)!);
+    expect(response.status).toEqual(401);
+    expect(reauthUrl.origin).toEqual(APP_URL);
+    expect(reauthUrl.pathname).toEqual('/auth');
+  });
+  it('throws errors other than authentication errors', async () => {
+    // GIVEN
+    const config = testConfig();
+    const session = await setUpValidSession(config.sessionStorage);
+    const shopify = shopifyApp({
+      ...config,
+      isEmbeddedApp: false,
+      billing: BILLING_CONFIG,
+    });
+    await mockExternalRequest({
+      request: new Request(GRAPHQL_URL, {method: 'POST', body: 'test'}),
+      response: new Response(undefined, {
+        status: 500,
+        statusText: 'Internal Server Error',
+      }),
+    });
+    const request = new Request(`${APP_URL}/billing?shop=${TEST_SHOP}`);
+    signRequestCookie({
+      request,
+      cookieName: SESSION_COOKIE_NAME,
+      cookieValue: session.id,
+    });
+    const {billing} = await shopify.authenticate.admin(request);
+    // THEN
+    await expect(
+      billing.require({
+        plans: [responses.PLAN_1],
+        onFailure: async () => {
+          throw new Error('This should not be called');
+        },
+      }),
+    ).rejects.toThrowError(HttpResponseError);
+  });
+});

package/packages/shopify-app-remix/src/server/authenticate/admin/billing/authenticate.admin.billing.doc.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import {ReferenceEntityTemplateSchema} from '@shopify/generate-docs';
+const data: ReferenceEntityTemplateSchema = {
+  name: 'Billing',
+  description:
+    'Contains function used to bill merchants for your app.\n\nThis object is returned on authenticated Admin requests.',
+  category: 'APIs',
+  type: 'object',
+  isVisualComponent: false,
+  definitions: [
+    {
+      title: 'billing',
+      description:
+        'Provides utilities that apps can use to request billing for the app using the Admin API.',
+      type: 'BillingContext',
+    },
+  ],
+  jsDocTypeExamples: ['BillingContext'],
+  related: [
+    {
+      name: 'Admin context',
+      subtitle: 'Authenticate requests from Shopify Admin.',
+      url: '/docs/api/shopify-app-remix/authenticate/admin',
+    },
+  ],
+};
+export default data;