npm - shopify-app-js - Versions diffs - 0.0.1-security → 1.0.1 - Mend

shopify-app-js 0.0.1-security → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of shopify-app-js might be problematic. Click here for more details.

Files changed (424) hide show

package/packages/shopify-app-remix/src/server/authenticate/admin/helpers/__tests__/redirect.test.ts ADDED Viewed

@@ -0,0 +1,313 @@
+import {SESSION_COOKIE_NAME} from '@shopify/shopify-api';
+import {shopifyApp} from '../../../..';
+import {
+  API_KEY,
+  APP_URL,
+  BASE64_HOST,
+  TEST_SHOP,
+  getJwt,
+  getThrownResponse,
+  setUpValidSession,
+  signRequestCookie,
+  testConfig,
+} from '../../../../__test-helpers';
+import {APP_BRIDGE_URL, REAUTH_URL_HEADER} from '../../../const';
+describe('Redirect helper', () => {
+  describe("passes request search params to redirect, but doesn't override them", () => {
+    it('when URL is a relative path', async () => {
+      // GIVEN
+      const shopify = shopifyApp(testConfig());
+      await setUpValidSession(shopify.sessionStorage);
+      const {request, searchParams} = documentLoadRequest(true);
+      const {redirect} = await shopify.authenticate.admin(request);
+      // WHEN
+      const response = redirect('/?shop=override');
+      // THEN
+      searchParams.set('shop', 'override');
+      expect(response.status).toBe(302);
+      expect(response.headers.get('location')).toBe(
+        `${APP_URL}/?${searchParams}`,
+      );
+    });
+    it('when URL is absolute', async () => {
+      // GIVEN
+      const shopify = shopifyApp(testConfig());
+      await setUpValidSession(shopify.sessionStorage);
+      const {request, searchParams} = documentLoadRequest(true);
+      const {redirect} = await shopify.authenticate.admin(request);
+      // WHEN
+      const response = redirect(`${APP_URL}/test?shop=override`, {
+        status: 304,
+      });
+      // THEN
+      searchParams.set('shop', 'override');
+      expect(response.status).toBe(304);
+      expect(response.headers.get('location')).toBe(
+        `${APP_URL}/test?${searchParams}`,
+      );
+    });
+  });
+  it('does not alter external URLs', async () => {
+    // GIVEN
+    const shopify = shopifyApp(testConfig());
+    await setUpValidSession(shopify.sessionStorage);
+    const {request} = documentLoadRequest(true);
+    const {redirect} = await shopify.authenticate.admin(request);
+    // WHEN
+    const response = redirect('https://www.example.local?test');
+    // THEN
+    expect(response.status).toBe(302);
+    expect(response.headers.get('location')).toBe(
+      'https://www.example.local/?test',
+    );
+  });
+  describe('and the target is _self', () => {
+    it('returns a 302 on embedded document loads', async () => {
+      // GIVEN
+      const shopify = shopifyApp(testConfig());
+      await setUpValidSession(shopify.sessionStorage);
+      const {request, searchParams} = documentLoadRequest(true);
+      const {redirect} = await shopify.authenticate.admin(request);
+      // WHEN
+      const response = redirect('/');
+      // THEN
+      expect(response.status).toBe(302);
+      expect(response.headers.get('location')).toBe(
+        `${APP_URL}/?${searchParams}`,
+      );
+    });
+    it('returns an app bridge script on bounce requests', async () => {
+      // GIVEN
+      const shopify = shopifyApp(testConfig());
+      await setUpValidSession(shopify.sessionStorage);
+      const {request, searchParams} = bounceRequest();
+      const {redirect} = await shopify.authenticate.admin(request);
+      // WHEN
+      const response = await getThrownResponse(
+        async () => redirect('/'),
+        request,
+      );
+      // THEN
+      await assertAppBridgeScript(
+        response,
+        `${APP_URL}/?${searchParams}`,
+        '_self',
+      );
+    });
+    it("uses Remix's default behaviour for GET data requests", async () => {
+      // GIVEN
+      const shopify = shopifyApp(testConfig());
+      await setUpValidSession(shopify.sessionStorage);
+      const {request} = remixDataLoadRequest('GET');
+      const {redirect} = await shopify.authenticate.admin(request);
+      // WHEN
+      const response = redirect('/');
+      // THEN
+      expect(response.status).toBe(302);
+      expect(response.headers.get('location')).toBe(`${APP_URL}/`);
+    });
+    it("uses Remix's default behaviour for POST data requests", async () => {
+      // GIVEN
+      const shopify = shopifyApp(testConfig());
+      await setUpValidSession(shopify.sessionStorage);
+      const {request} = remixDataLoadRequest('POST');
+      const {redirect} = await shopify.authenticate.admin(request);
+      // WHEN
+      const response = redirect('/');
+      // THEN
+      expect(response.status).toBe(302);
+      expect(response.headers.get('location')).toBe(`${APP_URL}/`);
+    });
+  });
+  describe('and the target is _parent', () => {
+    it('returns an app bridge redirect on embedded document loads', async () => {
+      // GIVEN
+      const shopify = shopifyApp(testConfig());
+      await setUpValidSession(shopify.sessionStorage);
+      const {request, searchParams} = documentLoadRequest(true);
+      const {redirect} = await shopify.authenticate.admin(request);
+      // WHEN
+      const response = await getThrownResponse(
+        async () => redirect('/', {target: '_parent'}),
+        request,
+      );
+      // THEN
+      await assertAppBridgeScript(
+        response,
+        `${APP_URL}/?${searchParams}`,
+        '_parent',
+      );
+    });
+    it('returns an app bridge script on bounce requests', async () => {
+      // GIVEN
+      const shopify = shopifyApp(testConfig());
+      await setUpValidSession(shopify.sessionStorage);
+      const {request, searchParams} = bounceRequest();
+      const {redirect} = await shopify.authenticate.admin(request);
+      // WHEN
+      const response = await getThrownResponse(
+        async () => redirect('/', {target: '_parent'}),
+        request,
+      );
+      // THEN
+      await assertAppBridgeScript(
+        response,
+        `${APP_URL}/?${searchParams}`,
+        '_parent',
+      );
+    });
+    it('returns AB redirection headers for GET data requests', async () => {
+      // GIVEN
+      const shopify = shopifyApp(testConfig());
+      await setUpValidSession(shopify.sessionStorage);
+      const {request} = remixDataLoadRequest('GET');
+      const {redirect} = await shopify.authenticate.admin(request);
+      // WHEN
+      const response = await getThrownResponse(
+        async () => redirect('/', {target: '_parent'}),
+        request,
+      );
+      // THEN
+      await assertAppBridgeHeaders(response, `${APP_URL}/`);
+    });
+    it('returns AB redirection headers for POST data requests', async () => {
+      // GIVEN
+      const shopify = shopifyApp(testConfig());
+      await setUpValidSession(shopify.sessionStorage);
+      const {request} = remixDataLoadRequest('POST');
+      const {redirect} = await shopify.authenticate.admin(request);
+      // WHEN
+      const response = await getThrownResponse(
+        async () => redirect('/', {target: '_parent'}),
+        request,
+      );
+      // THEN
+      await assertAppBridgeHeaders(response, `${APP_URL}/`);
+    });
+  });
+  function documentLoadRequest(embedded: boolean) {
+    const {token} = getJwt();
+    const searchParams = new URLSearchParams({
+      shop: TEST_SHOP,
+      embedded: embedded ? '1' : '0',
+      host: BASE64_HOST,
+      id_token: token,
+    });
+    return {request: new Request(`${APP_URL}?${searchParams}`), searchParams};
+  }
+  function bounceRequest() {
+    const {token} = getJwt();
+    const searchParams = new URLSearchParams({
+      shop: TEST_SHOP,
+      embedded: '1',
+      host: BASE64_HOST,
+    });
+    return {
+      request: new Request(`${APP_URL}?${searchParams}`, {
+        headers: {Authorization: `Bearer ${token}`, 'X-Shopify-Bounce': '1'},
+      }),
+      searchParams,
+    };
+  }
+  function remixDataLoadRequest(method: string) {
+    const {token} = getJwt();
+    return {
+      request: new Request(APP_URL, {
+        headers: {Authorization: `Bearer ${token}`},
+        method,
+      }),
+    };
+  }
+  async function assertAppBridgeScript(
+    response: Response,
+    url: string,
+    target: string,
+  ) {
+    const body = await response.text();
+    expect(response.status).toBe(200);
+    expect(body).toContain(
+      `<script data-api-key="${API_KEY}" src="${APP_BRIDGE_URL}"></script>`,
+    );
+    expect(body).toContain(
+      `<script>window.open("${url}", "${target}")</script>`,
+    );
+  }
+  async function assertAppBridgeHeaders(response: Response, url: string) {
+    expect(response.status).toBe(401);
+    expect(response.headers.get(REAUTH_URL_HEADER)).toBe(url);
+  }
+  describe('when not embedded', () => {
+    it('is not returned as part of the context', async () => {
+      // GIVEN
+      const shopify = shopifyApp(testConfig({isEmbeddedApp: false}));
+      const testSession = await setUpValidSession(shopify.sessionStorage);
+      const request = new Request(APP_URL);
+      signRequestCookie({
+        request,
+        cookieName: SESSION_COOKIE_NAME,
+        cookieValue: testSession.id,
+      });
+      // WHEN
+      const context = await shopify.authenticate.admin(request);
+      // THEN
+      expect(context).not.toHaveProperty('redirect');
+    });
+  });
+});

package/packages/shopify-app-remix/src/server/authenticate/admin/helpers/__tests__/validate-redirect-url.test.ts ADDED Viewed

@@ -0,0 +1,84 @@
+import {ShopifyError} from '@shopify/shopify-api';
+import {APP_URL} from '../../../../__test-helpers';
+import {sanitizeRedirectUrl} from '../validate-redirect-url';
+describe('sanitizeRedirectUrlFactory', () => {
+  it('throws ShopifyError with non-string types', () => {
+    // THEN
+    expect(() => sanitizeRedirectUrl(APP_URL, 123)).toThrow(ShopifyError);
+  });
+  it('throws ShopifyError with file URLs', () => {
+    // THEN
+    expect(() => sanitizeRedirectUrl(APP_URL, '///path/to/a/file')).toThrow(
+      ShopifyError,
+    );
+  });
+  it('throws ShopifyError if URL contains whitespaces', () => {
+    // THEN
+    expect(() =>
+      sanitizeRedirectUrl(APP_URL, '/fine/url/but/it has spaces'),
+    ).toThrow(ShopifyError);
+  });
+  it('throws ShopifyError with invalid URLs', () => {
+    // THEN
+    expect(() => sanitizeRedirectUrl('not a domain', '/valid/path')).toThrow(
+      ShopifyError,
+    );
+  });
+  it('throws ShopifyError with invalid relative URLs', () => {
+    // THEN
+    expect(() => sanitizeRedirectUrl(APP_URL, '/valid//path')).toThrow(
+      ShopifyError,
+    );
+  });
+  it('throws ShopifyError with invalid protocol', () => {
+    // THEN
+    expect(() =>
+      sanitizeRedirectUrl(APP_URL, 'javascript:alert("nope")'),
+    ).toThrow(ShopifyError);
+  });
+  it('throws ShopifyError when SSL is required and an HTTP address is given', () => {
+    // THEN
+    expect(() =>
+      sanitizeRedirectUrl(APP_URL, 'http://example.com', {requireSSL: true}),
+    ).toThrow(ShopifyError);
+  });
+  it('returns undefined if not set to throw', () => {
+    // THEN
+    expect(
+      sanitizeRedirectUrl(APP_URL, 'http://example.com', {
+        requireSSL: true,
+        throwOnInvalid: false,
+      }),
+    ).toBeUndefined();
+  });
+  it('succeeds on a valid URL', () => {
+    // THEN
+    expect(
+      sanitizeRedirectUrl(APP_URL, '/my/app/path', {requireSSL: true}),
+    ).toEqual(new URL(`${APP_URL}/my/app/path`));
+  });
+  it('succeeds on a valid URL when not throwing', () => {
+    // THEN
+    expect(
+      sanitizeRedirectUrl(APP_URL, '/my/app/path', {throwOnInvalid: false}),
+    ).toEqual(new URL(`${APP_URL}/my/app/path`));
+  });
+  it('succeeds on a valid HTTP URL when not requiring SSL', () => {
+    // THEN
+    expect(
+      sanitizeRedirectUrl(APP_URL, 'http://my/app/path', {requireSSL: false}),
+    ).toEqual(new URL('http://my/app/path'));
+  });
+});

package/packages/shopify-app-remix/src/server/authenticate/admin/helpers/begin-auth.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import type {BasicParams} from '../../../types';
+export async function beginAuth(
+  params: BasicParams,
+  request: Request,
+  isOnline: boolean,
+  shop: string,
+): Promise<never> {
+  const {api, config} = params;
+  throw await api.auth.begin({
+    shop,
+    callbackPath: config.auth.callbackPath,
+    isOnline,
+    rawRequest: request,
+  });
+}

package/packages/shopify-app-remix/src/server/authenticate/admin/helpers/create-admin-api-context.ts ADDED Viewed

@@ -0,0 +1,22 @@
+import {Session, ShopifyRestResources} from '@shopify/shopify-api';
+import type {BasicParams} from '../../../types';
+import {
+  AdminApiContext,
+  HandleAdminClientError,
+  adminClientFactory,
+} from '../../../clients/admin';
+export function createAdminApiContext<
+  Resources extends ShopifyRestResources = ShopifyRestResources,
+>(
+  session: Session,
+  params: BasicParams,
+  handleClientError: HandleAdminClientError,
+): AdminApiContext<Resources> {
+  return adminClientFactory<Resources>({
+    session,
+    params,
+    handleClientError,
+  });
+}

package/packages/shopify-app-remix/src/server/authenticate/admin/helpers/ensure-app-is-embedded-if-required.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import {BasicParams} from '../../../types';
+import {redirectToShopifyOrAppRoot} from './redirect-to-shopify-or-app-root';
+export const ensureAppIsEmbeddedIfRequired = async (
+  params: BasicParams,
+  request: Request,
+) => {
+  const {api, logger, config} = params;
+  const url = new URL(request.url);
+  const shop = url.searchParams.get('shop')!;
+  if (api.config.isEmbeddedApp && url.searchParams.get('embedded') !== '1') {
+    logger.debug('App is not embedded, redirecting to Shopify', {shop});
+    await redirectToShopifyOrAppRoot(request, {api, logger, config});
+  }
+};

package/packages/shopify-app-remix/src/server/authenticate/admin/helpers/ensure-session-token-search-param-if-required.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import {BasicParams} from '../../../types';
+import {redirectToBouncePage} from './redirect-to-bounce-page';
+const SESSION_TOKEN_PARAM = 'id_token';
+export const ensureSessionTokenSearchParamIfRequired = async (
+  params: BasicParams,
+  request: Request,
+) => {
+  const {api, logger} = params;
+  const url = new URL(request.url);
+  const shop = url.searchParams.get('shop')!;
+  const searchParamSessionToken = url.searchParams.get(SESSION_TOKEN_PARAM);
+  const isEmbedded = url.searchParams.get('embedded') === '1';
+  if (api.config.isEmbeddedApp && isEmbedded && !searchParamSessionToken) {
+    logger.debug(
+      'Missing session token in search params, going to bounce page',
+      {shop},
+    );
+    redirectToBouncePage(params, url);
+  }
+};

package/packages/shopify-app-remix/src/server/authenticate/admin/helpers/handle-client-error.ts ADDED Viewed

@@ -0,0 +1,43 @@
+import {HttpResponseError} from '@shopify/shopify-api';
+import type {HandleAdminClientError} from '../../../clients/admin/types';
+import {HandleClientErrorOptions} from '../strategies/types';
+export function handleClientErrorFactory({
+  request,
+  onError,
+}: HandleClientErrorOptions): HandleAdminClientError {
+  return async function handleClientError({
+    error,
+    params,
+    session,
+  }): Promise<never> {
+    if (error instanceof HttpResponseError !== true) {
+      params.logger.debug(
+        `Got a response error from the API: ${error.message}`,
+      );
+      throw error;
+    }
+    params.logger.debug(
+      `Got an HTTP response error from the API: ${error.message}`,
+      {
+        code: error.response.code,
+        statusText: error.response.statusText,
+        body: JSON.stringify(error.response.body),
+      },
+    );
+    if (onError) {
+      await onError({request, session, error});
+    }
+    // forward a minimal copy of the upstream HTTP response instead of an Error:
+    throw new Response(JSON.stringify(error.response.body), {
+      status: error.response.code,
+      headers: {
+        'Content-Type': error.response.headers!['Content-Type'] as string,
+      },
+    });
+  };
+}

package/packages/shopify-app-remix/src/server/authenticate/admin/helpers/index.ts ADDED Viewed

@@ -0,0 +1,14 @@
+export * from './begin-auth';
+export * from './create-admin-api-context';
+export * from './ensure-app-is-embedded-if-required';
+export * from './ensure-session-token-search-param-if-required';
+export * from './handle-client-error';
+export * from './redirect-to-auth-page';
+export * from './redirect-to-bounce-page';
+export * from './redirect-to-shopify-or-app-root';
+export * from './redirect-with-app-bridge-headers';
+export * from './redirect-with-exitiframe';
+export * from './redirect';
+export * from './render-app-bridge';
+export * from './trigger-after-auth-hook';
+export * from './validate-shop-and-host-params';

package/packages/shopify-app-remix/src/server/authenticate/admin/helpers/redirect-to-auth-page.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import type {BasicParams} from '../../../types';
+import {beginAuth} from './begin-auth';
+import {redirectWithExitIframe} from './redirect-with-exitiframe';
+import {redirectWithAppBridgeHeaders} from './redirect-with-app-bridge-headers';
+export async function redirectToAuthPage(
+  params: BasicParams,
+  request: Request,
+  shop: string,
+  isOnline = false,
+): Promise<never> {
+  const {config} = params;
+  const url = new URL(request.url);
+  const isEmbeddedRequest = url.searchParams.get('embedded') === '1';
+  const isXhrRequest = request.headers.get('authorization');
+  if (isXhrRequest) {
+    const redirectUri = new URL(config.auth.path, config.appUrl);
+    redirectUri.searchParams.set('shop', shop);
+    redirectWithAppBridgeHeaders(redirectUri.toString());
+  } else if (isEmbeddedRequest) {
+    redirectWithExitIframe(params, request, shop);
+  } else {
+    throw await beginAuth(params, request, isOnline, shop);
+  }
+}

package/packages/shopify-app-remix/src/server/authenticate/admin/helpers/redirect-to-bounce-page.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import {redirect} from '@remix-run/server-runtime';
+import {BasicParams} from '../../../types';
+export const redirectToBouncePage = (params: BasicParams, url: URL): never => {
+  const {config} = params;
+  // Make sure we always point to the configured app URL so it also works behind reverse proxies (that alter the Host
+  // header).
+  const searchParams = url.searchParams;
+  searchParams.delete('id_token');
+  searchParams.set(
+    'shopify-reload',
+    `${config.appUrl}${url.pathname}?${searchParams.toString()}`,
+  );
+  // eslint-disable-next-line no-warning-comments
+  // TODO Make sure this works on chrome without a tunnel (weird HTTPS redirect issue)
+  // https://github.com/orgs/Shopify/projects/6899/views/1?pane=issue&itemId=28376650
+  throw redirect(
+    `${config.auth.patchSessionTokenPath}?${searchParams.toString()}`,
+  );
+};

package/packages/shopify-app-remix/src/server/authenticate/admin/helpers/redirect-to-shopify-or-app-root.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import {redirect} from '@remix-run/server-runtime';
+import type {BasicParams} from '../../../types';
+export async function redirectToShopifyOrAppRoot(
+  request: Request,
+  params: BasicParams,
+  responseHeaders?: Headers,
+): Promise<never> {
+  const {api} = params;
+  const url = new URL(request.url);
+  const host = api.utils.sanitizeHost(url.searchParams.get('host')!)!;
+  const shop = api.utils.sanitizeShop(url.searchParams.get('shop')!)!;
+  const redirectUrl = api.config.isEmbeddedApp
+    ? await api.auth.getEmbeddedAppUrl({rawRequest: request})
+    : `/?shop=${shop}&host=${encodeURIComponent(host)}`;
+  throw redirect(redirectUrl, {headers: responseHeaders});
+}

package/packages/shopify-app-remix/src/server/authenticate/admin/helpers/redirect-with-app-bridge-headers.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import {REAUTH_URL_HEADER} from '../../const';
+export function redirectWithAppBridgeHeaders(redirectUri: string): never {
+  throw new Response(undefined, {
+    status: 401,
+    statusText: 'Unauthorized',
+    headers: getAppBridgeHeaders(redirectUri),
+  });
+}
+export function getAppBridgeHeaders(url: string) {
+  return new Headers({[REAUTH_URL_HEADER]: url});
+}

package/packages/shopify-app-remix/src/server/authenticate/admin/helpers/redirect-with-exitiframe.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import {redirect} from '@remix-run/server-runtime';
+import type {BasicParams} from '../../../types';
+export function redirectWithExitIframe(
+  params: BasicParams,
+  request: Request,
+  shop: string,
+): never {
+  const {api, config} = params;
+  const url = new URL(request.url);
+  const queryParams = url.searchParams;
+  const host = api.utils.sanitizeHost(queryParams.get('host')!);
+  queryParams.set('shop', shop);
+  let destination = `${config.auth.path}?shop=${shop}`;
+  if (host) {
+    queryParams.set('host', host);
+    destination = `${destination}&host=${host}`;
+  }
+  queryParams.set('exitIframe', destination);
+  throw redirect(`${config.auth.exitIframePath}?${queryParams.toString()}`);
+}