npm - shopify-app-js - Versions diffs - 0.0.1-security → 1.0.1 - Mend

shopify-app-js 0.0.1-security → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of shopify-app-js might be problematic. Click here for more details.

Files changed (424) hide show

package/packages/shopify-app-remix/src/server/authenticate/admin/strategies/__tests__/auth-code-flow/auth-callback-path.test.ts ADDED Viewed

@@ -0,0 +1,395 @@
+import {HashFormat, createSHA256HMAC} from '@shopify/shopify-api/runtime';
+import {shopifyApp} from '../../../../..';
+import {
+  BASE64_HOST,
+  TEST_SHOP,
+  getThrownResponse,
+  signRequestCookie,
+  testConfig,
+  mockExternalRequest,
+  APP_URL,
+} from '../../../../../__test-helpers';
+describe('authorize.admin auth callback path', () => {
+  describe.each([true, false])('when isEmbeddedApp: %s', (isEmbeddedApp) => {
+    describe('errors', () => {
+      test('throws an error if the shop param is missing', async () => {
+        // GIVEN
+        const config = testConfig({
+          future: {unstable_newEmbeddedAuthStrategy: !isEmbeddedApp},
+          isEmbeddedApp,
+        });
+        const shopify = shopifyApp(config);
+        // WHEN
+        const response = await getThrownResponse(
+          shopify.authenticate.admin,
+          new Request(getCallbackUrl(config)),
+        );
+        // THEN
+        expect(response.status).toBe(400);
+        expect(await response.text()).toBe('Shop param is invalid');
+      });
+      test('throws an error if the shop param is not valid', async () => {
+        // GIVEN
+        const config = testConfig({
+          future: {unstable_newEmbeddedAuthStrategy: !isEmbeddedApp},
+          isEmbeddedApp,
+        });
+        const shopify = shopifyApp(config);
+        // WHEN
+        const response = await getThrownResponse(
+          shopify.authenticate.admin,
+          new Request(`${getCallbackUrl(config)}?shop=invalid`),
+        );
+        // THEN
+        expect(response.status).toBe(400);
+        expect(await response.text()).toBe('Shop param is invalid');
+      });
+      test('throws an 302 Response to begin auth if CookieNotFound error', async () => {
+        // GIVEN
+        const config = testConfig({
+          future: {unstable_newEmbeddedAuthStrategy: !isEmbeddedApp},
+          isEmbeddedApp,
+        });
+        const shopify = shopifyApp(config);
+        // WHEN
+        const callbackUrl = getCallbackUrl(config);
+        const response = await getThrownResponse(
+          shopify.authenticate.admin,
+          new Request(`${callbackUrl}?shop=${TEST_SHOP}`),
+        );
+        // THEN
+        const {searchParams, hostname} = new URL(
+          response.headers.get('location')!,
+        );
+        expect(response.status).toBe(302);
+        expect(hostname).toBe(TEST_SHOP);
+        expect(searchParams.get('client_id')).toBe(config.apiKey);
+        expect(searchParams.get('scope')).toBe(config.scopes!.toString());
+        expect(searchParams.get('redirect_uri')).toBe(callbackUrl);
+        expect(searchParams.get('state')).toStrictEqual(expect.any(String));
+      });
+      test('throws a 400 if there is no HMAC param', async () => {
+        // GIVEN
+        const config = testConfig({
+          future: {unstable_newEmbeddedAuthStrategy: !isEmbeddedApp},
+          isEmbeddedApp,
+        });
+        const shopify = shopifyApp(config);
+        // WHEN
+        const state = 'nonce';
+        const request = new Request(
+          `${getCallbackUrl(config)}?shop=${TEST_SHOP}&state=${state}`,
+        );
+        signRequestCookie({
+          request,
+          cookieName: 'shopify_app_state',
+          cookieValue: state,
+        });
+        const response = await getThrownResponse(
+          shopify.authenticate.admin,
+          request,
+        );
+        // THEN
+        expect(response.status).toBe(400);
+        expect(response.statusText).toBe('Invalid OAuth Request');
+      });
+      test('throws a 400 if the HMAC param is invalid', async () => {
+        // GIVEN
+        const config = testConfig({
+          future: {unstable_newEmbeddedAuthStrategy: !isEmbeddedApp},
+          isEmbeddedApp,
+        });
+        const shopify = shopifyApp(config);
+        // WHEN
+        const state = 'nonce';
+        const request = new Request(
+          `${getCallbackUrl(
+            config,
+          )}?shop=${TEST_SHOP}&state=${state}&hmac=invalid`,
+        );
+        signRequestCookie({
+          request,
+          cookieName: 'shopify_app_state',
+          cookieValue: state,
+        });
+        const response = await getThrownResponse(
+          shopify.authenticate.admin,
+          request,
+        );
+        // THEN
+        expect(response.status).toBe(400);
+      });
+      test('throws a 500 if any other errors are thrown', async () => {
+        // GIVEN
+        const config = testConfig({
+          future: {unstable_newEmbeddedAuthStrategy: !isEmbeddedApp},
+          isEmbeddedApp,
+        });
+        const shopify = shopifyApp({
+          ...config,
+          hooks: {
+            afterAuth: () => {
+              throw new Error('test');
+            },
+          },
+        });
+        // WHEN
+        await mockCodeExchangeRequest('offline');
+        const response = await getThrownResponse(
+          shopify.authenticate.admin,
+          await getValidCallbackRequest(config),
+        );
+        // THEN
+        expect(response.status).toBe(500);
+      });
+    });
+    describe('Success states', () => {
+      test('Exchanges the code for a token and saves it to SessionStorage', async () => {
+        // GIVEN
+        const config = testConfig({
+          future: {unstable_newEmbeddedAuthStrategy: !isEmbeddedApp},
+          isEmbeddedApp,
+        });
+        const shopify = shopifyApp(config);
+        // WHEN
+        await mockCodeExchangeRequest('offline');
+        const response = await getThrownResponse(
+          shopify.authenticate.admin,
+          await getValidCallbackRequest(config),
+        );
+        // THEN
+        const [session] =
+          await config.sessionStorage!.findSessionsByShop(TEST_SHOP);
+        expect(session).toMatchObject({
+          accessToken: '123abc',
+          id: `offline_${TEST_SHOP}`,
+          isOnline: false,
+          scope: 'read_products',
+          shop: TEST_SHOP,
+          state: 'nonce',
+        });
+      });
+      test('throws an 302 Response to begin auth if token was offline and useOnlineTokens is true', async () => {
+        // GIVEN
+        const config = testConfig({
+          useOnlineTokens: true,
+          future: {unstable_newEmbeddedAuthStrategy: !isEmbeddedApp},
+          isEmbeddedApp,
+        });
+        const shopify = shopifyApp(config);
+        // WHEN
+        await mockCodeExchangeRequest('offline');
+        const response = await getThrownResponse(
+          shopify.authenticate.admin,
+          await getValidCallbackRequest(config),
+        );
+        // THEN
+        const {searchParams, hostname} = new URL(
+          response.headers.get('location')!,
+        );
+        expect(response.status).toBe(302);
+        expect(hostname).toBe(TEST_SHOP);
+        expect(searchParams.get('client_id')).toBe(config.apiKey);
+        expect(searchParams.get('scope')).toBe(config.scopes!.toString());
+        expect(searchParams.get('redirect_uri')).toBe(getCallbackUrl(config));
+        expect(searchParams.get('state')).toStrictEqual(expect.any(String));
+      });
+      test('Does not throw a 302 Response to begin auth if token was online', async () => {
+        // GIVEN
+        const config = testConfig({
+          useOnlineTokens: true,
+          future: {unstable_newEmbeddedAuthStrategy: !isEmbeddedApp},
+          isEmbeddedApp,
+        });
+        const shopify = shopifyApp(config);
+        // WHEN
+        await mockCodeExchangeRequest('online');
+        const response = await getThrownResponse(
+          shopify.authenticate.admin,
+          await getValidCallbackRequest(config),
+        );
+        // THEN
+        const base = `http://${APP_URL}`;
+        const {hostname} = new URL(response.headers.get('location')!, base);
+        expect(hostname).not.toBe(TEST_SHOP);
+      });
+      test('Runs the afterAuth hooks passing', async () => {
+        // GIVEN
+        const afterAuthMock = jest.fn();
+        const config = testConfig({
+          hooks: {
+            afterAuth: afterAuthMock,
+          },
+          future: {unstable_newEmbeddedAuthStrategy: !isEmbeddedApp},
+          isEmbeddedApp,
+        });
+        const shopify = shopifyApp(config);
+        // WHEN
+        await mockCodeExchangeRequest();
+        const response = await getThrownResponse(
+          shopify.authenticate.admin,
+          await getValidCallbackRequest(config),
+        );
+        // THEN
+        expect(afterAuthMock).toHaveBeenCalledTimes(1);
+      });
+      if (isEmbeddedApp) {
+        test('throws a 302 response to the embedded app URL', async () => {
+          // GIVEN
+          const config = testConfig({
+            future: {unstable_newEmbeddedAuthStrategy: false},
+            isEmbeddedApp: true,
+          });
+          const shopify = shopifyApp(config);
+          // WHEN
+          await mockCodeExchangeRequest('offline');
+          const response = await getThrownResponse(
+            shopify.authenticate.admin,
+            await getValidCallbackRequest(config),
+          );
+          // THEN
+          expect(response.status).toBe(302);
+          expect(response.headers.get('location')).toBe(
+            'https://totally-real-host.myshopify.io/apps/testApiKey',
+          );
+        });
+      } else {
+        test('throws a 302 to /', async () => {
+          // GIVEN
+          const config = testConfig({
+            isEmbeddedApp: false,
+          });
+          const shopify = shopifyApp(config);
+          // WHEN
+          await mockCodeExchangeRequest('offline');
+          const request = await getValidCallbackRequest(config);
+          const response = await getThrownResponse(
+            shopify.authenticate.admin,
+            request,
+          );
+          // THEN
+          const url = new URL(request.url);
+          const host = url.searchParams.get('host');
+          expect(response.status).toBe(302);
+          expect(response.headers.get('location')).toBe(
+            `/?shop=${TEST_SHOP}&host=${host}`,
+          );
+          expect(response.headers.get('set-cookie')).toBe(
+            [
+              'shopify_app_state=;path=/;expires=Thu, 01 Jan 1970 00:00:00 GMT',
+              `shopify_app_session=offline_${TEST_SHOP};sameSite=lax; secure=true; path=/`,
+              'shopify_app_session.sig=0qSrbSUpq8Cr+fev917WGyO1IU3Py1fTwZukcHd4hVE=;sameSite=lax; secure=true; path=/',
+            ].join(', '),
+          );
+        });
+      }
+    });
+  });
+});
+function getCallbackUrl(appConfig: ReturnType<typeof testConfig>) {
+  return `${appConfig.appUrl}/auth/callback`;
+}
+async function getValidCallbackRequest(config: ReturnType<typeof testConfig>) {
+  const cookieName = 'shopify_app_state';
+  const state = 'nonce';
+  const code = 'code_from_shopify';
+  const now = Math.trunc(Date.now() / 1000) - 2;
+  const queryParams = `code=${code}&host=${BASE64_HOST}&shop=${TEST_SHOP}&state=${state}&timestamp=${now}`;
+  const hmac = await createSHA256HMAC(
+    config.apiSecretKey,
+    queryParams,
+    HashFormat.Hex,
+  );
+  const request = new Request(
+    `${getCallbackUrl(config)}?${queryParams}&hmac=${hmac}`,
+  );
+  signRequestCookie({
+    request,
+    cookieName,
+    cookieValue: state,
+  });
+  return request;
+}
+async function mockCodeExchangeRequest(
+  tokenType: 'online' | 'offline' = 'offline',
+) {
+  const responseBody = {
+    access_token: '123abc',
+    scope: 'read_products',
+  };
+  await mockExternalRequest({
+    request: new Request(`https://${TEST_SHOP}/admin/oauth/access_token`, {
+      method: 'POST',
+    }),
+    response:
+      tokenType === 'offline'
+        ? new Response(JSON.stringify(responseBody))
+        : new Response(
+            JSON.stringify({
+              ...responseBody,
+              expires_in: Math.trunc(Date.now() / 1000) + 3600,
+              associated_user_scope: 'read_products',
+              associated_user: {
+                id: 902541635,
+                first_name: 'John',
+                last_name: 'Smith',
+                email: 'john@example.com',
+                email_verified: true,
+                account_owner: true,
+                locale: 'en',
+                collaborator: false,
+              },
+            }),
+          ),
+  });
+}

package/packages/shopify-app-remix/src/server/authenticate/admin/strategies/__tests__/auth-code-flow/auth-path.test.ts ADDED Viewed

@@ -0,0 +1,83 @@
+import {shopifyApp} from '../../../../..';
+import {
+  APP_URL,
+  TEST_SHOP,
+  expectBeginAuthRedirect,
+  expectExitIframeRedirect,
+  getThrownResponse,
+  testConfig,
+} from '../../../../../__test-helpers';
+describe('authorize.admin auth path', () => {
+  test('throws an 400 Response if the shop param is missing', async () => {
+    // GIVEN
+    const config = testConfig({
+      future: {unstable_newEmbeddedAuthStrategy: false},
+    });
+    const shopify = shopifyApp(config);
+    // WHEN
+    const url = `${APP_URL}/auth`;
+    const response = await getThrownResponse(
+      shopify.authenticate.admin,
+      new Request(url),
+    );
+    // THEN
+    expect(response.status).toBe(400);
+  });
+  test('throws an 400 Response if the shop param is invalid', async () => {
+    // GIVEN
+    const config = testConfig({
+      future: {unstable_newEmbeddedAuthStrategy: false},
+    });
+    const shopify = shopifyApp(config);
+    // WHEN
+    const url = `${APP_URL}/auth?shop=invalid_shop`;
+    const response = await getThrownResponse(
+      shopify.authenticate.admin,
+      new Request(url),
+    );
+    // THEN
+    expect(response.status).toBe(400);
+  });
+  test('throws an 302 Response to begin auth', async () => {
+    // GIVEN
+    const config = testConfig({
+      future: {unstable_newEmbeddedAuthStrategy: false},
+    });
+    const shopify = shopifyApp(config);
+    // WHEN
+    const url = `${APP_URL}/auth?shop=${TEST_SHOP}`;
+    const response = await getThrownResponse(
+      shopify.authenticate.admin,
+      new Request(url),
+    );
+    // THEN
+    expectBeginAuthRedirect(config, response);
+  });
+  test('redirects to exit-iframe when loading the auth path while in an iframe request', async () => {
+    // GIVEN
+    const config = testConfig({
+      future: {unstable_newEmbeddedAuthStrategy: false},
+    });
+    const shopify = shopifyApp(config);
+    // WHEN
+    const url = `${APP_URL}/auth?shop=${TEST_SHOP}`;
+    const response = await getThrownResponse(
+      shopify.authenticate.admin,
+      new Request(url, {headers: {'Sec-Fetch-Dest': 'iframe'}}),
+    );
+    // THEN
+    expectExitIframeRedirect(response, {host: null});
+  });
+});

package/packages/shopify-app-remix/src/server/authenticate/admin/strategies/__tests__/auth-code-flow/authenticate.test.ts ADDED Viewed

@@ -0,0 +1,183 @@
+import {SESSION_COOKIE_NAME, Session} from '@shopify/shopify-api';
+import {shopifyApp} from '../../../../..';
+import {
+  APP_URL,
+  BASE64_HOST,
+  TEST_SHOP,
+  expectBeginAuthRedirect,
+  expectExitIframeRedirect,
+  getJwt,
+  getThrownResponse,
+  setUpValidSession,
+  testConfig,
+  signRequestCookie,
+} from '../../../../../__test-helpers';
+describe('authenticate', () => {
+  describe('errors', () => {
+    it('redirects to exit-iframe if app is embedded and the session is no longer valid for the id_token when embedded', async () => {
+      // GIVEN
+      const shopify = shopifyApp(
+        testConfig({
+          scopes: ['otherTestScope'],
+          future: {unstable_newEmbeddedAuthStrategy: false},
+          isEmbeddedApp: true,
+        }),
+      );
+      await setUpValidSession(shopify.sessionStorage);
+      // WHEN
+      const {token} = getJwt();
+      const response = await getThrownResponse(
+        shopify.authenticate.admin,
+        new Request(
+          `${APP_URL}?embedded=1&shop=${TEST_SHOP}&host=${BASE64_HOST}&id_token=${token}`,
+        ),
+      );
+      // THEN
+      expectExitIframeRedirect(response);
+    });
+    // manageAccessToken or ensureInstalledOnShop
+    it('redirects to auth if there is no session cookie for non-embedded apps when at the top level', async () => {
+      // GIVEN
+      const config = testConfig({
+        isEmbeddedApp: false,
+      });
+      const shopify = shopifyApp(config);
+      await setUpValidSession(shopify.sessionStorage);
+      // WHEN
+      const request = new Request(
+        `${APP_URL}?shop=${TEST_SHOP}&host=${BASE64_HOST}`,
+      );
+      const response = await getThrownResponse(
+        shopify.authenticate.admin,
+        request,
+      );
+      // THEN
+      expectBeginAuthRedirect(config, response);
+    });
+    it('redirects to auth if the session is no longer valid for non-embedded apps when at the top level', async () => {
+      // GIVEN
+      const config = testConfig({
+        scopes: ['otherTestScope'],
+        isEmbeddedApp: false,
+      });
+      const shopify = shopifyApp(config);
+      const session = await setUpValidSession(shopify.sessionStorage);
+      // WHEN
+      const request = new Request(
+        `${APP_URL}?shop=${TEST_SHOP}&host=${BASE64_HOST}`,
+      );
+      signRequestCookie({
+        request,
+        cookieName: SESSION_COOKIE_NAME,
+        cookieValue: session.id,
+      });
+      const response = await getThrownResponse(
+        shopify.authenticate.admin,
+        request,
+      );
+      // THEN
+      expectBeginAuthRedirect(config, response);
+    });
+  });
+  describe.each([true, false])(
+    'success cases when isOnline: %s',
+    (isOnline) => {
+      it('returns the context if the session is valid and the app is embedded', async () => {
+        // GIVEN
+        const shopify = shopifyApp(
+          testConfig({
+            useOnlineTokens: isOnline,
+            future: {unstable_newEmbeddedAuthStrategy: false},
+            isEmbeddedApp: true,
+          }),
+        );
+        let testSession: Session;
+        testSession = await setUpValidSession(shopify.sessionStorage);
+        if (isOnline) {
+          testSession = await setUpValidSession(shopify.sessionStorage, {
+            isOnline,
+          });
+        }
+        // WHEN
+        const {token} = getJwt();
+        const {admin, session} = await shopify.authenticate.admin(
+          new Request(
+            `${APP_URL}?embedded=1&shop=${TEST_SHOP}&host=${BASE64_HOST}&id_token=${token}`,
+          ),
+        );
+        // THEN
+        expect(session).toBe(testSession);
+        expect(admin.rest.session).toBe(testSession);
+      });
+      it('returns the context if the session is valid and the app is not embedded', async () => {
+        // GIVEN
+        const shopify = shopifyApp(
+          testConfig({
+            isEmbeddedApp: false,
+          }),
+        );
+        let testSession: Session;
+        testSession = await setUpValidSession(shopify.sessionStorage);
+        if (isOnline) {
+          testSession = await setUpValidSession(shopify.sessionStorage, {
+            isOnline,
+          });
+        }
+        // WHEN
+        const request = new Request(
+          `${APP_URL}?shop=${TEST_SHOP}&host=${BASE64_HOST}`,
+        );
+        signRequestCookie({
+          request,
+          cookieName: SESSION_COOKIE_NAME,
+          cookieValue: testSession.id,
+        });
+        const {admin, session} = await shopify.authenticate.admin(request);
+        // THEN
+        expect(session).toBe(testSession);
+        expect(admin.rest.session).toBe(testSession);
+      });
+    },
+  );
+  // manageAccessToken & ensureInstalledOnShop
+  it('loads a session from the cookie from a request with no search params when not embedded', async () => {
+    // GIVEN
+    const shopify = shopifyApp(testConfig({isEmbeddedApp: false}));
+    const testSession = await setUpValidSession(shopify.sessionStorage);
+    // WHEN
+    const request = new Request(APP_URL);
+    signRequestCookie({
+      request,
+      cookieName: SESSION_COOKIE_NAME,
+      cookieValue: testSession.id,
+    });
+    const {session} = await shopify.authenticate.admin(request);
+    // THEN
+    expect(session).toBe(testSession);
+  });
+});