Merge branch 'main' into feature/fix-recreate-webhook-bug

.github/workflows/stale.yml

@@ -29,3 +29,4 @@ jobs:
           days-before-pr-close: -1
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           exempt-issue-labels: "feature request"
+          close-issue-reason: "not_planned"

.spin/rails/prepare-application

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# This file exists to prevent the Spin infrastucture from infering that this is a Rails application:
+# https://github.com/Shopify/wave/issues/244
+
+set -ex
+
+bundle install

CHANGELOG.md

@@ -1,7 +1,26 @@
 Unreleased
 ----------
 * Fixes a bug with `ShopifyApp::WebhooksManager.destroy_webhooks` causing not passing session arguments to [unregister](https://github.com/Shopify/shopify-api-ruby/blob/main/lib/shopify_api/webhooks/registry.rb#L99) method [#1569](https://github.com/Shopify/shopify_app/pull/1569)
+* Validates shop's offline session token is still valid when using `EnsureInstalled`[#1612](https://github.com/Shopify/shopify_app/pull/1612)
+
+21.3.1 (Dec 12, 2022)
+----------
+* Fix bug with stores using the new unified admin that were falsely being flagged as phishing attempts [#1608](https://github.com/Shopify/shopify_app/pull/1608)
+
+21.3.0 (Dec 9, 2022)
+----------
+* Move covered scopes check into user access strategy [#1600](https://github.com/Shopify/shopify_app/pull/1600)
+* Add configuration option for user access strategy [#1599](https://github.com/Shopify/shopify_app/pull/1599)
 * Fixes a bug with `EnsureAuthenticatedLinks` causing deep links to not work [#1549](https://github.com/Shopify/shopify_app/pull/1549)
+* Ensure online token is properly used when using `current_shopify_session` [#1566](https://github.com/Shopify/shopify_app/pull/1566)
+* Added debug logs, you can read more about logging [here](./docs/logging.md). [#1545](https://github.com/Shopify/shopify_app/pull/1545)
+* Emit a deprecation notice for wrongly-rescued exceptions [#1530](https://github.com/Shopify/shopify_app/pull/1530)
+* Log a deprecation warning for the use of incompatible controller concerns [#1560](https://github.com/Shopify/shopify_app/pull/1560)
+* Fixes bug with expired sessions for embedded apps returning a 500 instead of 401 [#1580](https://github.com/Shopify/shopify_app/pull/1580)
+* Generator properly handles uninstall [#1597](https://github.com/Shopify/shopify_app/pull/1597)
+* Move ownership for session persistence from library to this gem [#1563](https://github.com/Shopify/shopify_app/pull/1563)
+* Patch phishing vulnerability [#1605](https://github.com/Shopify/shopify_app/pull/1605)
+* Remove `Itp` from `LoginProtection`. See the [upgrading docs](https://github.com/Shopify/shopify_app/blob/main/docs/Upgrading.md) for more information. [#1604](https://github.com/Shopify/shopify_app/pull/1604)
 
 21.2.0 (Oct 25, 2022)
 ----------

Gemfile.lock

@@ -1,13 +1,13 @@
 PATH
   remote: .
   specs:
-    shopify_app (21.2.0)
+    shopify_app (21.3.1)
       activeresource
       browser_sniffer (~> 2.0)
       jwt (>= 2.2.3)
       rails (> 5.2.1)
       redirect_safely (~> 1.0)
-      shopify_api (~> 12.2)
+      shopify_api (~> 12.3)
       sprockets-rails (>= 2.0.0)
 
 GEM
@@ -85,7 +85,7 @@ GEM
     ast (2.4.2)
     binding_of_caller (1.0.0)
       debug_inspector (>= 0.0.1)
-    browser_sniffer (2.1.0)
+    browser_sniffer (2.2.0)
     builder (3.2.4)
     byebug (11.1.3)
     coderay (1.1.3)
@@ -104,34 +104,48 @@ GEM
       multi_xml (>= 0.5.2)
     i18n (1.12.0)
       concurrent-ruby (~> 1.0)
-    json (2.6.2)
+    json (2.6.3)
     jwt (2.5.0)
-    language_server-protocol (3.17.0.1)
+    language_server-protocol (3.17.0.2)
     loofah (2.19.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    mail (2.7.1)
+    mail (2.8.0)
       mini_mime (>= 0.1.1)
+      net-imap
+      net-pop
+      net-smtp
     marcel (1.0.2)
     method_source (1.0.0)
     mime-types (3.4.1)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2022.0105)
     mini_mime (1.1.2)
-    mini_portile2 (2.8.0)
     minitest (5.16.3)
-    mocha (1.16.0)
+    mocha (2.0.2)
+      ruby2_keywords (>= 0.0.5)
     multi_xml (0.6.0)
+    net-imap (0.3.1)
+      net-protocol
+    net-pop (0.1.2)
+      net-protocol
+    net-protocol (0.2.0)
+      timeout
+    net-smtp (0.3.3)
+      net-protocol
     nio4r (2.5.8)
-    nokogiri (1.13.9)
-      mini_portile2 (~> 2.8.0)
+    nokogiri (1.13.9-arm64-darwin)
       racc (~> 1.4)
-    oj (3.13.21)
+    nokogiri (1.13.9-x86_64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.13.9-x86_64-linux)
+      racc (~> 1.4)
+    oj (3.13.23)
     openssl (3.0.1)
     parallel (1.22.1)
-    parser (3.1.2.1)
+    parser (3.1.3.0)
       ast (~> 2.4.1)
-    prettier_print (1.0.2)
+    prettier_print (1.1.0)
     pry (0.14.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
@@ -140,8 +154,8 @@ GEM
     pry-stack_explorer (0.6.1)
       binding_of_caller (~> 1.0)
       pry (~> 0.13)
-    public_suffix (5.0.0)
-    racc (1.6.0)
+    public_suffix (5.0.1)
+    racc (1.6.1)
     rack (2.2.4)
     rack-test (2.0.2)
       rack (>= 1.3)
@@ -180,29 +194,31 @@ GEM
     rb-readline (0.5.5)
     redirect_safely (1.0.0)
       activemodel
-    regexp_parser (2.6.0)
+    regexp_parser (2.6.1)
     rexml (3.2.5)
-    rubocop (1.37.0)
+    rubocop (1.39.0)
       json (~> 2.3)
       parallel (~> 1.10)
       parser (>= 3.1.2.1)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.22.0, < 2.0)
+      rubocop-ast (>= 1.23.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.22.0)
+    rubocop-ast (1.24.0)
       parser (>= 3.1.1.0)
     rubocop-shopify (2.10.1)
       rubocop (~> 1.35)
-    ruby-lsp (0.3.5)
+    ruby-lsp (0.3.6)
       language_server-protocol (~> 3.17.0)
       sorbet-runtime
-      syntax_tree (>= 4.0.2)
+      syntax_tree (>= 4.0.2, < 5.0.0)
     ruby-progressbar (1.11.0)
-    securerandom (0.2.0)
-    shopify_api (12.2.1)
+    ruby2_keywords (0.0.5)
+    securerandom (0.2.1)
+    shopify_api (12.3.0)
+      activesupport
       concurrent-ruby
       hash_diff
       httparty
@@ -211,20 +227,22 @@ GEM
       openssl
       securerandom
       sorbet-runtime
-      zeitwerk (~> 2.5)
-    sorbet-runtime (0.5.10514)
+      zeitwerk (~> 2.5, < 2.6.5)
+    sorbet-runtime (0.5.10576)
     sprockets (4.1.1)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (3.4.2)
       actionpack (>= 5.2)
       activesupport (>= 5.2)
       sprockets (>= 3.0.0)
-    sqlite3 (1.5.3)
-      mini_portile2 (~> 2.8.0)
+    sqlite3 (1.5.4-arm64-darwin)
+    sqlite3 (1.5.4-x86_64-darwin)
+    sqlite3 (1.5.4-x86_64-linux)
     syntax_tree (4.3.0)
       prettier_print (>= 1.0.2)
     thor (1.2.1)
+    timeout (0.3.1)
     tzinfo (2.0.5)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.3.0)
@@ -235,10 +253,12 @@ GEM
     websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
-    zeitwerk (2.6.1)
+    zeitwerk (2.6.4)
 
 PLATFORMS
-  ruby
+  arm64-darwin-21
+  x86_64-darwin-19
+  x86_64-linux
 
 DEPENDENCIES
   byebug
@@ -258,4 +278,4 @@ DEPENDENCIES
   webmock
 
 BUNDLED WITH
-   2.3.22
+   2.3.4

README.md

@@ -7,10 +7,10 @@
 
 This gem builds Rails applications that can be embedded in the Shopify Admin.
 
-[Introduction](#introduction) | 
-[Requirements](#requirements) | 
-[Usage](#usage) | 
-[Documentation](#documentation) | 
+[Introduction](#introduction) |
+[Requirements](#requirements) |
+[Usage](#usage) |
+[Documentation](#documentation) |
 [Contributing](/CONTRIBUTING.md) |
 [License](/LICENSE)
 
@@ -22,15 +22,12 @@ This gem includes a Rails engine, generators, modules, and mixins that help crea
 <!-- This section is linked to in `templates/shopify_app.rb.tt`. Be careful renaming this heading. -->
 ## Requirements
 
-> **Rails compatibility** 
-> * Use Shopify App `<= v7.2.8` if you need to work with Rails 4.
-
 To become a Shopify app developer, you will need a [Shopify Partners](https://www.shopify.com/partners) account. Explore the [Shopify dev docs](https://shopify.dev/concepts/shopify-introduction) to learn more about [building Shopify apps](https://shopify.dev/concepts/apps).
 
 This gem requires that you have the following credentials:
 
-- **Shopify API key:** The API key app credential specified in your [Shopify Partners dashboard](https://partners.shopify.com/organizations). 
-- **Shopify API secret:** The API secret key app credential specified in your [Shopify Partners dashboard](https://partners.shopify.com/organizations). 
+- **Shopify API key:** The API key app credential specified in your [Shopify Partners dashboard](https://partners.shopify.com/organizations).
+- **Shopify API secret:** The API secret key app credential specified in your [Shopify Partners dashboard](https://partners.shopify.com/organizations).
 
 ## Usage
 
@@ -40,22 +37,22 @@ This gem requires that you have the following credentials:
 rails new my_shopify_app
 ```
 
-2. Add the Shopify App gem to `my_shopify_app`'s Gemfile.
+2. Add the Shopify App gem to the app's Gemfile:
 
 ```sh
 bundle add shopify_app
 ```
 
-3. Create a `.env` file in the root of `my_shopify_app` to specify your full host and Shopify API credentials:
+3. You will need to provide several environment variables to the app.
+There are a variety of way of doing this, but for a development environment we recommended the [`dotenv-rails`](https://github.com/bkeepers/dotenv) gem.
+Create a `.env` file in the root of your Rails app to specify the full host and Shopify API credentials:
 
 ```sh
 HOST=http://localhost:3000
 SHOPIFY_API_KEY=<Your Shopify API key>
 SHOPIFY_API_SECRET=<Your Shopify API secret>
 ```
 
-> In a development environment, you can use a gem like `dotenv-rails` to manage environment variables. 
-
 4. Run the default Shopify App generator to create an app that can be embedded in the Shopify Admin:
 
 ```sh
@@ -74,9 +71,14 @@ rails db:migrate
 rails server
 ```
 
-7. Install the app by visiting the server's URL (e.g. http://127.0.0.1:3000) and specifying the subdomain of the shop where you want it to be installed to.
+7. Within [Shopify Partners](https://www.shopify.com/partners), navigate to your App, then App Setup, and configure the URLs, e.g.:
+
+  * App URL: http://localhost:3000/
+  * Allowed redirection URL(s): http://localhost:3000/auth/shopify/callback
+
+8. Install the app by visiting the server's URL (e.g. http://localhost:3000) and specifying the subdomain of the shop where you want it to be installed to.
 
-8. After the app is installed, you're redirected to the embedded app.
+9. After the app is installed, you're redirected to the embedded app.
 
 This app implements [OAuth 2.0](https://shopify.dev/tutorials/authenticate-with-oauth) with Shopify to authenticate requests made to Shopify APIs. By default, this app is configured to use [session tokens](https://shopify.dev/concepts/apps/building-embedded-apps-using-session-tokens) to authenticate merchants when embedded in the Shopify Admin.
 
@@ -110,6 +112,7 @@ You can find documentation on gem usage, concepts, mixins, installation, and mor
   * [Testing](/docs/shopify_app/testing.md)
   * [Webhooks](/docs/shopify_app/webhooks.md)
   * [Content Security Policy](/docs/shopify_app/content-security-policy.md)
+  * [Logging](/docs/shopify_app/logging.md)
 
 ### Engine
 

SECURITY.md

@@ -56,4 +56,4 @@ We look forward to working with all security researchers and strive to be respec
 
 ## Receiving Security Updates
 
-To recieve all general updates to vulnerabilities, please subscribe to our hackerone [Hacktivity](https://hackerone.com/shopify/hacktivity)
+To receive all general updates to vulnerabilities, please subscribe to our hackerone [Hacktivity](https://hackerone.com/shopify/hacktivity)

app/controllers/concerns/shopify_app/authenticated.rb

@@ -5,15 +5,10 @@ module Authenticated
     extend ActiveSupport::Concern
 
     included do
-      include ShopifyApp::Localization
-      include ShopifyApp::LoginProtection
-      include ShopifyApp::CsrfProtection
-      include ShopifyApp::EmbeddedApp
-      include ShopifyApp::EnsureBilling
-
-      before_action :login_again_if_different_user_or_shop
-      around_action :activate_shopify_session
-      after_action :add_top_level_redirection_headers
+      ShopifyApp::Logger.deprecated("Authenticated has been replaced by EnsureHasSession."\
+        " Please use the EnsureHasSession controller concern for the same behavior", "22.0.0")
     end
+
+    include ShopifyApp::EnsureHasSession
   end
 end

app/controllers/concerns/shopify_app/ensure_authenticated_links.rb

@@ -28,8 +28,8 @@ def splash_page_with_params(params)
     def redirect_to_splash_page
       redirect_to(splash_page)
     rescue ::ShopifyApp::ShopifyDomainNotFound => error
-      Rails.logger.warn("[ShopifyApp::EnsureAuthenticatedLinks] Redirecting to login: [#{error.class}] "\
-        "Could not determine current shop domain")
+      ShopifyApp::Logger.warn("Redirecting to login: [#{error.class}]"\
+        " Could not determine current shop domain")
       redirect_to(ShopifyApp.configuration.login_url)
     end
 

app/controllers/concerns/shopify_app/ensure_has_session.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module EnsureHasSession
+    extend ActiveSupport::Concern
+
+    included do
+      include ShopifyApp::Localization
+      include ShopifyApp::LoginProtection
+      include ShopifyApp::CsrfProtection
+      include ShopifyApp::EmbeddedApp
+      include ShopifyApp::EnsureBilling
+
+      before_action :login_again_if_different_user_or_shop
+      around_action :activate_shopify_session
+      after_action :add_top_level_redirection_headers
+    end
+  end
+end