npm - shopify-app-js - Versions diffs - 0.0.1-security → 1.0.1 - Mend

shopify-app-js 0.0.1-security → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of shopify-app-js might be problematic. Click here for more details.

Files changed (424) hide show

package/packages/shopify-app-session-storage-postgresql/src/__tests__/postgresql.test.ts ADDED Viewed

@@ -0,0 +1,136 @@
+import * as child_process from 'child_process';
+import {promisify} from 'util';
+import pg from 'pg';
+import {
+  batteryOfTests,
+  poll,
+} from '@shopify/shopify-app-session-storage-test-utils';
+import {Session} from '@shopify/shopify-api';
+import {PostgreSQLSessionStorage} from '../postgresql';
+const exec = promisify(child_process.exec);
+const dbURL = new URL(
+  `postgres://${encodeURIComponent('shop&fy')}:${encodeURIComponent(
+    'passify#$',
+  )}@localhost/${encodeURIComponent('shop&test')}`,
+);
+const dbURL2 = new URL(
+  `postgres://${encodeURIComponent('shop&fy')}:${encodeURIComponent(
+    'passify#$',
+  )}@localhost/${encodeURIComponent('shop&test2')}`,
+);
+describe('PostgreSQLSessionStorage', () => {
+  let storage: PostgreSQLSessionStorage;
+  let storage2: PostgreSQLSessionStorage;
+  let containerId: string;
+  beforeAll(async () => {
+    const runCommand = await exec(
+      "podman run -d -e POSTGRES_DB='shop&test' -e POSTGRES_USER='shop&fy' -e POSTGRES_PASSWORD='passify#$' -p 5432:5432 postgres:15",
+      {encoding: 'utf8'},
+    );
+    containerId = runCommand.stdout.trim();
+    await poll(
+      async () => {
+        try {
+          const client = new pg.Client({
+            host: dbURL.hostname,
+            user: decodeURIComponent(dbURL.username),
+            password: decodeURIComponent(dbURL.password),
+            database: decodeURIComponent(dbURL.pathname.slice(1)),
+          });
+          await client.connect();
+          await client.query(`CREATE DATABASE "shop&test2"`, []);
+          await client.query(
+            `GRANT ALL PRIVILEGES ON DATABASE "shop&test2" TO "shop&fy"`,
+            [],
+          );
+          await client.end();
+        } catch (error) {
+          // console.error(error);  // uncomment to see error for debugging tests
+          return false;
+        }
+        return true;
+      },
+      {interval: 500, timeout: 20000},
+    );
+    storage = new PostgreSQLSessionStorage(dbURL);
+    storage2 = new PostgreSQLSessionStorage(dbURL2);
+    await storage.ready;
+    await storage2.ready;
+  });
+  afterAll(async () => {
+    await storage.disconnect();
+    await storage2.disconnect();
+    await exec(`podman rm -f ${containerId}`);
+  });
+  const tests = [
+    {dbName: 'shop&test', sessionStorage: async () => storage},
+    {dbName: 'shop&test2', sessionStorage: async () => storage2},
+  ];
+  for (const {dbName, sessionStorage} of tests) {
+    describe(`with ${dbName}`, () => {
+      batteryOfTests(sessionStorage);
+    });
+  }
+  it(`one-time initialisation like migrations and table creations are run only once`, async () => {
+    const storageClone1 = new PostgreSQLSessionStorage(dbURL);
+    await storageClone1.ready;
+    const storageClone2 = new PostgreSQLSessionStorage(dbURL);
+    await storageClone2.ready;
+    storageClone1.disconnect();
+    storageClone2.disconnect();
+  });
+  it(`can disconnect and reconnect to make queries with the pooling clients`, async () => {
+    const storage = new PostgreSQLSessionStorage(dbURL);
+    await storage.ready;
+    const sessionId = '123';
+    const session = new Session({
+      id: sessionId,
+      shop: 'test-shop.myshopify.com',
+      state: 'test-state',
+      isOnline: false,
+      scope: 'fake_scope',
+    });
+    expect(await storage.storeSession(session)).toBeTruthy();
+    await storage.disconnect();
+    const loadedSession = await storage.loadSession(sessionId);
+    expect(loadedSession).toEqual(session);
+    await storage.disconnect();
+    expect(await storage.deleteSession(sessionId)).toBeTruthy();
+    await storage.disconnect();
+  });
+  it(`can successfully connect with a url string instead of a URL object`, async () => {
+    const storage = new PostgreSQLSessionStorage(dbURL.toString());
+    await storage.ready;
+    const session = new Session({
+      id: '456',
+      shop: 'test-shop.myshopify.com',
+      state: 'test-state',
+      isOnline: false,
+      scope: 'fake_scope',
+    });
+    expect(await storage.storeSession(session)).toBeTruthy();
+    await storage.disconnect();
+  });
+});

package/packages/shopify-app-session-storage-postgresql/src/__tests__/setup-jest.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import fetchMock from 'jest-fetch-mock';
+// Globally disable fetch requests so we don't risk making real ones
+fetchMock.enableMocks();
+beforeEach(() => {
+  fetchMock.mockReset();
+});

package/packages/shopify-app-session-storage-postgresql/src/migrations.ts ADDED Viewed

@@ -0,0 +1,70 @@
+import {MigrationOperation} from '@shopify/shopify-app-session-storage';
+import {PostgresConnection} from './postgres-connection';
+export const migrationList = [
+  new MigrationOperation(
+    'migrateScopeFieldToVarchar1024',
+    migrateScopeFieldToVarchar1024,
+  ),
+  new MigrationOperation('migrateToCaseSensitivity', migrateToCaseSensitivity),
+];
+// need change the size of the scope column from 255 to 1024 char
+export async function migrateScopeFieldToVarchar1024(
+  connection: PostgresConnection,
+): Promise<void> {
+  await connection.query(`ALTER TABLE "${connection.sessionStorageIdentifier}"
+    ALTER COLUMN "scope" TYPE varchar(1024)`);
+}
+export async function migrateToCaseSensitivity(
+  connection: PostgresConnection,
+): Promise<void> {
+  let queries: string[] = [];
+  if (
+    connection.sessionStorageIdentifier ===
+    connection.sessionStorageIdentifier.toLowerCase()
+  ) {
+    // tablename is lowercase anyway, only need to rename the relevant columns (if not already renamed)
+    const hasOldColumnsQuery = `
+      SELECT EXISTS (
+        SELECT column_name FROM information_schema.columns
+        WHERE table_schema='public' AND table_name = '${connection.sessionStorageIdentifier}' AND column_name='isonline'
+      )
+    `;
+    const rows = await connection.query(hasOldColumnsQuery);
+    if (rows[0].exists) {
+      queries = [
+        `ALTER TABLE "${connection.sessionStorageIdentifier}" RENAME COLUMN "isonline" TO "isOnline"`,
+        `ALTER TABLE "${connection.sessionStorageIdentifier}" RENAME COLUMN "onlineaccessinfo" TO "onlineAccessInfo"`,
+        `ALTER TABLE "${connection.sessionStorageIdentifier}" RENAME COLUMN "accesstoken" TO "accessToken"`,
+      ];
+    }
+  } else {
+    // may need to migrate the data from the old table (if it exists) to the new one
+    const hasOldSessionTable = await connection.hasTable(
+      connection.sessionStorageIdentifier.toLowerCase(),
+    );
+    if (hasOldSessionTable) {
+      queries = [
+        // 1. copy the data from the old table to the new one
+        `INSERT INTO "${connection.sessionStorageIdentifier}" (
+          "id", "shop", "state", "isOnline", "scope", "expires", "onlineAccessInfo", "accessToken"
+        )
+        SELECT id, shop, state, isonline, scope, expires, onlineaccessinfo, accesstoken
+        FROM "${connection.sessionStorageIdentifier.toLowerCase()}"`,
+        // 2. drop the old table
+        `DROP TABLE "${connection.sessionStorageIdentifier.toLowerCase()}"`,
+      ];
+    }
+  }
+  if (queries.length !== 0) {
+    // wrap in a transaction
+    queries.unshift(`BEGIN`);
+    queries.push(`COMMIT`);
+    await connection.transaction(queries);
+  }
+}

package/packages/shopify-app-session-storage-postgresql/src/postgres-connection.ts ADDED Viewed

@@ -0,0 +1,94 @@
+import pg from 'pg';
+import {RdbmsConnection} from '@shopify/shopify-app-session-storage';
+export class PostgresConnection implements RdbmsConnection {
+  sessionStorageIdentifier: string;
+  private ready: Promise<void>;
+  private pool: pg.Pool;
+  private dbUrl: URL;
+  constructor(dbUrl: string, sessionStorageIdentifier: string) {
+    this.dbUrl = new URL(dbUrl);
+    this.ready = this.init();
+    this.sessionStorageIdentifier = sessionStorageIdentifier;
+  }
+  async query(query: string, params: any[] = []): Promise<any[]> {
+    await this.ready;
+    return (await this.pool.query(query, params)).rows;
+  }
+  /**
+   * Runs a series of queries in a transaction - requires the use of a SINGLE client,
+   * hence we can't use the query method above.
+   *
+   * @param queries an array of SQL queries to execute in a transaction
+   */
+  async transaction(queries: string[]): Promise<void> {
+    await this.ready;
+    // check if the first and last queries are BEGIN and COMMIT, if not, add them
+    if (queries[0] !== 'BEGIN') {
+      queries.unshift('BEGIN');
+    }
+    if (queries[queries.length - 1] !== 'COMMIT') {
+      queries.push('COMMIT');
+    }
+    const client = await this.pool.connect();
+    try {
+      for (const query of queries) {
+        await client.query(query);
+      }
+    } catch (error) {
+      // rollback if any of the queries fail
+      await client.query(`ROLLBACK`);
+      throw error;
+    } finally {
+      client.release();
+    }
+  }
+  async disconnect(): Promise<void> {
+    // Since no longer using individual client, use disconnect to reset the pool.
+    await this.ready;
+    await this.pool.end();
+    this.ready = this.init();
+  }
+  async connect(): Promise<void> {
+    await this.ready;
+  }
+  public getDatabase(): string | undefined {
+    return decodeURIComponent(this.dbUrl.pathname.slice(1));
+  }
+  async hasTable(tablename: string): Promise<boolean> {
+    await this.ready;
+    const query = `
+      SELECT EXISTS (
+        SELECT tablename FROM pg_catalog.pg_tables
+          WHERE tablename = ${this.getArgumentPlaceholder(1)}
+      )
+  `;
+    // Allow multiple apps to be on the same host with separate DB and querying the right
+    // DB for the session table exisitence
+    const rows = await this.query(query, [tablename]);
+    return rows[0].exists;
+  }
+  getArgumentPlaceholder(position: number): string {
+    return `$${position}`;
+  }
+  private async init(): Promise<void> {
+    this.pool = new pg.Pool({
+      host: this.dbUrl.hostname,
+      user: decodeURIComponent(this.dbUrl.username),
+      password: decodeURIComponent(this.dbUrl.password),
+      database: this.getDatabase(),
+      port: Number(this.dbUrl.port),
+    });
+  }
+}

package/packages/shopify-app-session-storage-postgresql/src/postgres-migrator.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import {
+  RdbmsSessionStorageMigrator,
+  RdbmsSessionStorageMigratorOptions,
+  MigrationOperation,
+} from '@shopify/shopify-app-session-storage';
+import {PostgresConnection} from './postgres-connection';
+export class PostgresSessionStorageMigrator extends RdbmsSessionStorageMigrator {
+  constructor(
+    dbConnection: PostgresConnection,
+    opts: Partial<RdbmsSessionStorageMigratorOptions> = {},
+    migrations: MigrationOperation[],
+  ) {
+    super(dbConnection, opts, migrations);
+  }
+  async initMigrationPersistence(): Promise<void> {
+    const migration = `
+      CREATE TABLE IF NOT EXISTS ${this.options.migrationDBIdentifier} (
+        ${
+          this.getOptions().migrationNameColumnName
+        } varchar(255) NOT NULL PRIMARY KEY
+    );`;
+    await this.connection.query(migration, []);
+  }
+}

package/packages/shopify-app-session-storage-postgresql/src/postgresql.ts ADDED Viewed

@@ -0,0 +1,178 @@
+import {Session} from '@shopify/shopify-api';
+import {
+  SessionStorage,
+  RdbmsSessionStorageOptions,
+} from '@shopify/shopify-app-session-storage';
+import {migrationList} from './migrations';
+import {PostgresConnection} from './postgres-connection';
+import {PostgresSessionStorageMigrator} from './postgres-migrator';
+export interface PostgreSQLSessionStorageOptions
+  extends RdbmsSessionStorageOptions {
+  port: number;
+}
+const defaultPostgreSQLSessionStorageOptions: PostgreSQLSessionStorageOptions =
+  {
+    sessionTableName: 'shopify_sessions',
+    port: 3211,
+    migratorOptions: {
+      migrationDBIdentifier: 'shopify_sessions_migrations',
+      migrationNameColumnName: 'migration_name',
+    },
+  };
+export class PostgreSQLSessionStorage implements SessionStorage {
+  static withCredentials(
+    host: string,
+    dbName: string,
+    username: string,
+    password: string,
+    opts: Partial<PostgreSQLSessionStorageOptions>,
+  ) {
+    return new PostgreSQLSessionStorage(
+      new URL(
+        `postgres://${encodeURIComponent(username)}:${encodeURIComponent(
+          password,
+        )}@${host}/${encodeURIComponent(dbName)}`,
+      ),
+      opts,
+    );
+  }
+  public readonly ready: Promise<void>;
+  private internalInit: Promise<void>;
+  private options: PostgreSQLSessionStorageOptions;
+  private client: PostgresConnection;
+  private migrator: PostgresSessionStorageMigrator;
+  constructor(
+    dbUrl: URL | string,
+    opts: Partial<PostgreSQLSessionStorageOptions> = {},
+  ) {
+    this.options = {...defaultPostgreSQLSessionStorageOptions, ...opts};
+    this.internalInit = this.init(
+      typeof dbUrl === 'string' ? dbUrl : dbUrl.toString(),
+    );
+    this.migrator = new PostgresSessionStorageMigrator(
+      this.client,
+      this.options.migratorOptions,
+      migrationList,
+    );
+    this.ready = this.migrator.applyMigrations(this.internalInit);
+  }
+  public async storeSession(session: Session): Promise<boolean> {
+    await this.ready;
+    // Note milliseconds to seconds conversion for `expires` property
+    const entries = session
+      .toPropertyArray()
+      .map(([key, value]) =>
+        key === 'expires'
+          ? [key, Math.floor((value as number) / 1000)]
+          : [key, value],
+      );
+    const query = `
+      INSERT INTO "${this.options.sessionTableName}"
+      (${entries.map(([key]) => `"${key}"`).join(', ')})
+      VALUES (${entries
+        .map((_, i) => `${this.client.getArgumentPlaceholder(i + 1)}`)
+        .join(', ')})
+      ON CONFLICT ("id") DO UPDATE SET ${entries
+        .map(([key]) => `"${key}" = Excluded."${key}"`)
+        .join(', ')};
+    `;
+    await this.client.query(
+      query,
+      entries.map(([_key, value]) => value),
+    );
+    return true;
+  }
+  public async loadSession(id: string): Promise<Session | undefined> {
+    await this.ready;
+    const query = `
+      SELECT * FROM "${this.options.sessionTableName}"
+      WHERE "id" = ${this.client.getArgumentPlaceholder(1)};
+    `;
+    const rows = await this.client.query(query, [id]);
+    if (!Array.isArray(rows) || rows?.length !== 1) return undefined;
+    const rawResult = rows[0] as any;
+    return this.databaseRowToSession(rawResult);
+  }
+  public async deleteSession(id: string): Promise<boolean> {
+    await this.ready;
+    const query = `
+      DELETE FROM "${this.options.sessionTableName}"
+      WHERE "id" = ${this.client.getArgumentPlaceholder(1)};
+    `;
+    await this.client.query(query, [id]);
+    return true;
+  }
+  public async deleteSessions(ids: string[]): Promise<boolean> {
+    await this.ready;
+    const query = `
+      DELETE FROM "${this.options.sessionTableName}"
+      WHERE "id" IN (${ids
+        .map((_, i) => `${this.client.getArgumentPlaceholder(i + 1)}`)
+        .join(', ')});
+    `;
+    await this.client.query(query, ids);
+    return true;
+  }
+  public async findSessionsByShop(shop: string): Promise<Session[]> {
+    await this.ready;
+    const query = `
+      SELECT * FROM "${this.options.sessionTableName}"
+      WHERE "shop" = ${this.client.getArgumentPlaceholder(1)};
+    `;
+    const rows = await this.client.query(query, [shop]);
+    if (!Array.isArray(rows) || rows?.length === 0) return [];
+    const results: Session[] = rows.map((row: any) => {
+      return this.databaseRowToSession(row);
+    });
+    return results;
+  }
+  public disconnect(): Promise<void> {
+    return this.client.disconnect();
+  }
+  private async init(dbUrl: string) {
+    this.client = new PostgresConnection(dbUrl, this.options.sessionTableName);
+    await this.connectClient();
+    await this.createTable();
+  }
+  private async connectClient(): Promise<void> {
+    await this.client.connect();
+  }
+  private async createTable() {
+    const query = `
+        CREATE TABLE IF NOT EXISTS "${this.options.sessionTableName}" (
+          "id" varchar(255) NOT NULL PRIMARY KEY,
+          "shop" varchar(255) NOT NULL,
+          "state" varchar(255) NOT NULL,
+          "isOnline" boolean NOT NULL,
+          "scope" varchar(255),
+          "expires" integer,
+          "onlineAccessInfo" varchar(255),
+          "accessToken" varchar(255)
+        )
+      `;
+    await this.client.query(query);
+  }
+  private databaseRowToSession(row: any): Session {
+    // convert seconds to milliseconds prior to creating Session object
+    if (row.expires) row.expires *= 1000;
+    return Session.fromPropertyArray(Object.entries(row));
+  }
+}

package/packages/shopify-app-session-storage-postgresql/tsconfig.json ADDED Viewed

@@ -0,0 +1,10 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "baseUrl": ".",
+    "outDir": "./build/ts",
+    "rootDir": "src"
+  },
+  "include": ["src/**/*.ts"],
+  "exclude": ["**/*.test.ts", "**/*.test.tsx", "**/test/*", "**/__tests__/*"]
+}

package/packages/shopify-app-session-storage-prisma/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,148 @@
+# @shopify/shopify-app-session-storage-prisma
+## 4.0.1
+### Patch Changes
+- 02a8341: Updated dependency on `@shopify/shopify-api` to 9.3.1
+- 321d6a4: Update @shopify/shopify-api to 9.3.2
+- 56c2198: Bumps @prisma/client from 5.8.1 to 5.9.1.
+- 2d5181b: Add error cause when throwing MissingSessionTableError
+- Updated dependencies [02a8341]
+- Updated dependencies [321d6a4]
+  - @shopify/shopify-app-session-storage@2.1.1
+## 4.0.0
+### Minor Changes
+- 64e0246: Update shopify-api version to 9.2.0
+### Patch Changes
+- f5742c1: Updated dependency on `@shopify/shopify-api`
+- Updated dependencies [f5742c1]
+- Updated dependencies [64e0246]
+  - @shopify/shopify-app-session-storage@2.1.0
+## 3.0.0
+### Major Changes
+- ea88df2: Updated the dependency on `prisma` to v5+. This package itself has no breaking changes, but you'll need to update your app's dependency on Prisma as well as this package.
+### Patch Changes
+- b4eeb24: Improved and simplified package.json dependencies
+- b998c30: Bump shopify-api version from 9.0.1 to 9.0.2
+- Updated dependencies [b4eeb24]
+- Updated dependencies [b998c30]
+  - @shopify/shopify-app-session-storage@2.0.4
+## 2.0.3
+### Patch Changes
+- d3e4b5e: Updated the dependency on `@shopify/shopify-api`
+- Updated dependencies [d3e4b5e]
+  - @shopify/shopify-app-session-storage@2.0.3
+## 2.0.2
+### Patch Changes
+- 3685bd4: Bump shopify-api to ^8.1.1
+- Updated dependencies [3685bd4]
+  - @shopify/shopify-app-session-storage@2.0.2
+## 2.0.1
+### Patch Changes
+- 6d12840: Updating dependencies on @shopify/shopify-api
+- Updated dependencies [6d12840]
+  - @shopify/shopify-app-session-storage@2.0.1
+## 2.0.0
+### Major Changes
+- f837060: **Removed support for Node 14**
+  Node 14 has reached its [EOL](https://endoflife.date/nodejs), and dependencies to this package no longer work on Node 14.
+  Because of that, we can no longer support that version.
+  If your app is running on Node 14, you'll need to update to a more recent version before upgrading this package.
+  This upgrade does not require any code changes.
+### Patch Changes
+- a69d6fc: Updating dependency on @shopify/shopify-api to v.8.0.1
+- Updated dependencies [f837060]
+- Updated dependencies [a69d6fc]
+  - @shopify/shopify-app-session-storage@2.0.0
+## 1.1.1
+### Patch Changes
+- 616388d: Updating dependency on @shopify/shopify-api to 7.7.0
+- Updated dependencies [616388d]
+  - @shopify/shopify-app-session-storage@1.1.10
+## 1.1.0
+### Minor Changes
+- 695f829: Allow using custom tables for the Prisma session storage.
+### Patch Changes
+- 5b862fe: Upgraded shopify-api dependency to 7.6.0
+- Updated dependencies [5b862fe]
+  - @shopify/shopify-app-session-storage@1.1.9
+## 1.0.5
+### Patch Changes
+- 346b623: Updating dependency on @shopify/shopify-api
+- Updated dependencies [346b623]
+  - @shopify/shopify-app-session-storage@1.1.8
+## 1.0.4
+### Patch Changes
+- 13b9048: Updating @shopify/shopify-api dependency to the latest version
+- Updated dependencies [13b9048]
+  - @shopify/shopify-app-session-storage@1.1.7
+## 1.0.3
+### Patch Changes
+- 90a62de: Throw a specific error when the database doesn't exist to help indicate that a migration might be needed
+## 1.0.2
+### Patch Changes
+- 32296d7: Update @shopify/shopify-api dependency to 7.5.0
+- Updated dependencies [32296d7]
+  - @shopify/shopify-app-session-storage@1.1.6
+## 1.0.1
+### Patch Changes
+- 93e9126: Updating @shopify/shopify-api dependency
+- Updated dependencies [93e9126]
+  - @shopify/shopify-app-session-storage@1.1.5
+## 1.0.0
+### Major Changes
+- Initial release of @shopify/shopify-app-session-storage-prisma

package/packages/shopify-app-session-storage-prisma/LICENSE.md ADDED Viewed

@@ -0,0 +1,9 @@
+MIT License
+Copyright (c) 2022-present, Shopify Inc.
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.