Merge branch 'main' into andyw8/improve-upgrade-docs

.github/workflows/cla.yml

@@ -0,0 +1,22 @@
+name: Contributor License Agreement (CLA)
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+  issue_comment:
+    types: [created]
+
+jobs:
+  cla:
+    runs-on: ubuntu-latest
+    if: |
+      (github.event.issue.pull_request 
+        && !github.event.issue.pull_request.merged_at
+        && contains(github.event.comment.body, 'signed')
+      ) 
+      || (github.event.pull_request && !github.event.pull_request.merged)
+    steps:
+      - uses: Shopify/shopify-cla-action@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          cla-token: ${{ secrets.CLA_TOKEN }}

.github/workflows/close-waiting-for-response-issues.yml

@@ -0,0 +1,20 @@
+name: Close Waiting for Response Issues
+on:
+  schedule:
+    - cron: "30 1 * * *"
+  workflow_dispatch:
+jobs:
+  check-need-info:
+    runs-on: ubuntu-latest
+    steps:
+      - name: close-issues
+        uses: actions-cool/issues-helper@v3
+        with:
+          actions: 'close-issues'
+          token: ${{ secrets.GITHUB_TOKEN }}
+          labels: 'Waiting for Response'
+          inactive-day: 7
+          body: |
+            We are closing this issue because we did not hear back regarding additional details we needed to resolve this issue. If the issue persists and you are able to provide the missing clarification we need, feel free to respond and reopen this issue.
+
+            We appreciate your understanding as we try to manage our number of open issues.

.github/workflows/remove-labels-on-activity.yml

@@ -0,0 +1,16 @@
+name: Remove Stale or Waiting Labels
+on:
+  issue_comment:
+    types: [created]
+  workflow_dispatch:
+jobs:
+  remove-labels-on-activity:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions-ecosystem/action-remove-labels@v1
+        if: contains(github.event.issue.labels.*.name, 'Waiting for Response')
+        with:
+          labels: |
+            Waiting for Response
+

.github/workflows/stale.yml

@@ -0,0 +1,31 @@
+name: Close inactive issues
+on:
+  schedule:
+    - cron: "30 1 * * *"
+
+jobs:
+  close-issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v5
+        with:
+          days-before-issue-stale: 90
+          days-before-issue-close: 14
+          stale-issue-label: "Stale"
+          stale-issue-message: >
+            This issue is stale because it has been open for 90 days with no activity. It will be closed if no further action occurs in 14 days. 
+          close-issue-message: |
+            We are closing this issue because it has been inactive for a few months. 
+            This probably means that it is not reproducible or it has been fixed in a newer version. 
+            If it’s an enhancement and hasn’t been taken on since it was submitted, then it seems other issues have taken priority.
+
+            If you still encounter this issue with the latest stable version, please reopen using the issue template. You can also contribute directly by submitting a pull request– see the [CONTRIBUTING.md](https://github.com/Shopify/shopify_app/blob/main/CONTRIBUTING.md) file for guidelines
+
+            Thank you!
+          days-before-pr-stale: -1
+          days-before-pr-close: -1
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          exempt-issue-labels: "feature request"

CHANGELOG.md

@@ -1,7 +1,34 @@
 Unreleased
 ----------
 
+21.0.0 (Oct 3, 2022)
+----------
+* Updating shopify_api gem to 12.0.0
+
+20.2.0 (September 30, 2022)
+----------
+* Fixes a method signature error bug when raising `BillingError`.  [#1513](https://github.com/Shopify/shopify_app/pull/1513)
+* Fixes bug with Rails 7 and import maps with Safari/Firefox on the HomeController#index view.  [#1506](https://github.com/Shopify/shopify_app/pull/1506)
+* Refactors how default `domain_host` is populated in the CSP header added to responses in the `FrameAncestors` controller concern. [#1504](https://github.com/Shopify/shopify_app/pull/1504)
+* Removes duplicate `;` added in CSP header. [#1500](https://github.com/Shopify/shopify_app/pull/1500)
+
+* Fixed an issue where `ShopifyApp::UserSessionStorage` was causing an infinite OAuth loop when not checking scopes. [#1516](https://github.com/Shopify/shopify_app/pull/1516)
+* Move all error classes created for this gem into `lib/shopify_app/errors.rb`. Constant names of errors nested by modules and classes have been removed to give a shorter namespace.
+
+20.1.1 (September 2, 2022)
+----------
+
+* Fixed an issue where the `embedded_redirect_url` could lead to a redirect loop in server-side rendered (or production) apps. [#1497](https://github.com/Shopify/shopify_app/pull/1497)
+* Fixes bug where webhooks were generated with addresses instead of the [path the Ruby API](https://github.com/Shopify/shopify-api-ruby/blob/7a08ae9d96a7a85abd0113dae4eb76398cba8c64/lib/shopify_api/webhooks/registrations/http.rb#L12) is expecting [#1474](https://github.com/Shopify/shopify_app/pull/1474). The breaking change that was accidentially already shipped was that `address` attribute for webhooks should be paths not addresses with `https://` and the host name. While the `address` attribute name will still work assuming the value is a path, this name is deprecated. Please configure webhooks with the `path` attribute name instead.
+* Deduce webhook path from deprecated webhook address if initializer uses address attribute. This makes this attribute change a non-breaking change for those upgrading.
+
+20.1.0 (August 22, 2022)
+----------
+
 * Set the appropriate CSP `frame-ancestor` directive in controllers using the `EmbeddedApp` concern. [#1474](https://github.com/Shopify/shopify_app/pull/1474)
+* Allow [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/trycloudflare/) hosts in `config/environments/development.rb`.
+* Use [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/trycloudflare/) as example tunnel in readme/docs.
+* Change to optimize OAuth redirects to happen on the server side when possible.  Also, add an optional `.embedded_redirect_url` configuration parameter to enable customized App Bridge-supported redirect. [1483](https://github.com/Shopify/shopify_app/pull/1483)
 
 20.0.2 (July 7, 2022)
 ----------

Gemfile.lock

@@ -1,13 +1,13 @@
 PATH
   remote: .
   specs:
-    shopify_app (20.0.2)
+    shopify_app (21.0.0)
       activeresource
       browser_sniffer (~> 2.0)
       jwt (>= 2.2.3)
       rails (> 5.2.1)
       redirect_safely (~> 1.0)
-      shopify_api (~> 11.0)
+      shopify_api (~> 12.0.0)
       sprockets-rails (>= 2.0.0)
 
 GEM
@@ -85,7 +85,7 @@ GEM
     ast (2.4.2)
     binding_of_caller (1.0.0)
       debug_inspector (>= 0.0.1)
-    browser_sniffer (2.0.0)
+    browser_sniffer (2.1.0)
     builder (3.2.4)
     byebug (11.1.3)
     coderay (1.1.3)
@@ -97,14 +97,14 @@ GEM
     erubi (1.10.0)
     globalid (1.0.0)
       activesupport (>= 5.0)
-    hash_diff (1.0.0)
+    hash_diff (1.1.1)
     hashdiff (1.0.1)
     httparty (0.20.0)
       mime-types (~> 3.0)
       multi_xml (>= 0.5.2)
     i18n (1.10.0)
       concurrent-ruby (~> 1.0)
-    jwt (2.4.1)
+    jwt (2.5.0)
     loofah (2.15.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
@@ -124,8 +124,8 @@ GEM
     nokogiri (1.13.4)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    oj (3.13.16)
-    openssl (3.0.0)
+    oj (3.13.21)
+    openssl (3.0.1)
     parallel (1.21.0)
     parser (3.1.0.0)
       ast (~> 2.4.1)
@@ -194,7 +194,7 @@ GEM
       rubocop (~> 1.24)
     ruby-progressbar (1.11.0)
     securerandom (0.2.0)
-    shopify_api (11.0.1)
+    shopify_api (12.0.0)
       concurrent-ruby
       hash_diff
       httparty
@@ -204,7 +204,7 @@ GEM
       securerandom
       sorbet-runtime
       zeitwerk (~> 2.5)
-    sorbet-runtime (0.5.10141)
+    sorbet-runtime (0.5.10477)
     sprockets (4.1.1)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
@@ -224,7 +224,7 @@ GEM
     websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
-    zeitwerk (2.6.0)
+    zeitwerk (2.6.1)
 
 PLATFORMS
   ruby

README.md

@@ -1,8 +1,6 @@
 # Shopify App
 
-**Shopify is doubling our engineering staff in 2021! [Join our team and work on libraries like this one.](https://smrtr.io/5GGrK)**
-
-[![Version][gem]][gem_url] [![Build Status](https://github.com/Shopify/shopify_app/workflows/CI/badge.svg)](https://github.com/Shopify/shopify_app/actions?query=workflow%3ACI) ![Supported Rails version][supported_rails_version]
+[![Version][gem]][gem_url] [![Build Status](https://github.com/Shopify/shopify_app/workflows/CI/badge.svg)](https://github.com/Shopify/shopify_app/actions?query=workflow%3ACI)
 
 [gem]: https://img.shields.io/gem/v/shopify_app.svg
 [gem_url]: https://rubygems.org/gems/shopify_app
@@ -39,18 +37,18 @@ This gem requires that you have the following credentials:
 1. To get started, create a new Rails app:
 
 ``` sh
-$ rails new my_shopify_app
+rails new my_shopify_app
 ```
 
 2. Add the Shopify App gem to `my_shopify_app`'s Gemfile.
 
 ```sh
-$ bundle add shopify_app
+bundle add shopify_app
 ```
 
 3. Create a `.env` file in the root of `my_shopify_app` to specify your Shopify API credentials:
 
-```
+```sh
 SHOPIFY_API_KEY=<Your Shopify API key>
 SHOPIFY_API_SECRET=<Your Shopify API secret>
 ```
@@ -60,22 +58,26 @@ SHOPIFY_API_SECRET=<Your Shopify API secret>
 4. Run the default Shopify App generator to create an app that can be embedded in the Shopify Admin:
 
 ```sh
-$ rails generate shopify_app
+rails generate shopify_app
 ```
 
 5. Run a migration to create the necessary tables in your database:
 
 ```sh
-$ rails db:migrate
+rails db:migrate
 ```
 
-6. Run the app:
+6. Setup a SSH tunnel to allow the OAuth redirect to work. See how in the [Setup SSH tunnel for development](/docs/Quickstart.md#setup-ssh-tunnel-for-development) section in [Quickstart](/docs/Quickstart.md)
+
+7. Run the app:
 
 ```sh
-$ rails server
+rails server
 ```
 
-See [*Quickstart*](/docs/Quickstart.md) to learn how to install your app on a shop.
+8. Install the app by visiting the server's URL (e.g. http://127.0.0.1:3000) and specifying the subdomain of the shop where you want it to be installed to.
+
+9. After the app is installed, you're redirected to the embedded app.
 
 This app implements [OAuth 2.0](https://shopify.dev/tutorials/authenticate-with-oauth) with Shopify to authenticate requests made to Shopify APIs. By default, this app is configured to use [session tokens](https://shopify.dev/concepts/apps/building-embedded-apps-using-session-tokens) to authenticate merchants when embedded in the Shopify Admin.
 
@@ -107,6 +109,7 @@ You can find documentation on gem usage, concepts, mixins, installation, and mor
   * [Handling changes in access scopes](/docs/shopify_app/handling-access-scopes-changes.md)
   * [Testing](/docs/shopify_app/testing.md)
   * [Webhooks](/docs/shopify_app/webhooks.md)
+  * [Content Security Policy](/docs/shopify_app/content-security-policy.md)
 
 ### Engine
 

app/controllers/concerns/shopify_app/ensure_authenticated_links.rb

@@ -26,7 +26,7 @@ def splash_page_with_params(params)
 
     def redirect_to_splash_page
       redirect_to(splash_page)
-    rescue ShopifyApp::LoginProtection::ShopifyDomainNotFound => error
+    rescue ::ShopifyApp::ShopifyDomainNotFound => error
       Rails.logger.warn("[ShopifyApp::EnsureAuthenticatedLinks] Redirecting to login: [#{error.class}] "\
         "Could not determine current shop domain")
       redirect_to(ShopifyApp.configuration.login_url)

app/controllers/concerns/shopify_app/require_known_shop.rb

@@ -3,6 +3,7 @@
 module ShopifyApp
   module RequireKnownShop
     extend ActiveSupport::Concern
+    include ShopifyApp::RedirectForEmbedded
 
     included do
       before_action :check_shop_domain
@@ -11,6 +12,7 @@ module RequireKnownShop
 
     def current_shopify_domain
       return if params[:shop].blank?
+
       @shopify_domain ||= ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
     end
 
@@ -22,7 +24,13 @@ def check_shop_domain
 
     def check_shop_known
       @shop = SessionRepository.retrieve_shop_session_by_shopify_domain(current_shopify_domain)
-      redirect_to(shop_login) unless @shop
+      unless @shop
+        if embedded_param?
+          redirect_for_embedded
+        else
+          redirect_to(shop_login)
+        end
+      end
     end
 
     def shop_login

app/controllers/concerns/shopify_app/shop_access_scopes_verification.rb

@@ -3,6 +3,7 @@
 module ShopifyApp
   module ShopAccessScopesVerification
     extend ActiveSupport::Concern
+    include ShopifyApp::RedirectForEmbedded
 
     included do
       before_action :login_on_scope_changes
@@ -11,7 +12,13 @@ module ShopAccessScopesVerification
     protected
 
     def login_on_scope_changes
-      redirect_to(shop_login) if scopes_mismatch?
+      if scopes_mismatch?
+        if embedded_param?
+          redirect_for_embedded
+        else
+          redirect_to(shop_login)
+        end
+      end
     end
 
     private
@@ -22,6 +29,7 @@ def scopes_mismatch?
 
     def current_shopify_domain
       return if params[:shop].blank?
+
       ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
     end
 

app/controllers/shopify_app/callback_controller.rb

@@ -43,7 +43,12 @@ def callback
     private
 
     def respond_successfully
-      redirect_to(return_address)
+      if ShopifyAPI::Context.embedded?
+        return_to = session.delete(:return_to) || ""
+        redirect_to(ShopifyAPI::Auth.embedded_app_url(params[:host]) + return_to, allow_other_host: true)
+      else
+        redirect_to(return_address)
+      end
     end
 
     def respond_with_error
@@ -58,11 +63,13 @@ def respond_with_user_token_flow
     def start_user_token_flow?(shopify_session)
       return false unless ShopifyApp::SessionRepository.user_storage.present?
       return false if shopify_session.online?
+
       update_user_access_scopes?
     end
 
     def update_user_access_scopes?
       return true if session[:shopify_user_id].nil?
+
       user_access_scopes_strategy.update_access_scopes?(shopify_user_id: session[:shopify_user_id])
     end