Merge pull request #1197 from Shopify/revised-scope-strategies

Use access scopes strategies to handle changes to scopes requested by app

Author: rezaansyed

README.md

@@ -103,6 +103,7 @@ You can find documentation on gem usage, concepts, mixins, installation, and mor
   * [Generators](/docs/shopify_app/generators.md)
   * [ScriptTags](/docs/shopify_app/script-tags.md)
   * [Session repository](/docs/shopify_app/session-repository.md)
+  * [Handling changes in access scopes](/docs/shopify_app/handling-access-scopes-changes.md)
   * [Testing](/docs/shopify_app/testing.md)
   * [Webhooks](/docs/shopify_app/webhooks.md)
 

app/controllers/concerns/shopify_app/shop_access_scopes_verification.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module ShopifyApp
+  module ShopAccessScopesVerification
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :login_on_scope_changes
+    end
+
+    protected
+
+    def login_on_scope_changes
+      redirect_to(shop_login) if scopes_mismatch?
+    end
+
+    private
+
+    def scopes_mismatch?
+      ShopifyApp.configuration.shop_access_scopes_strategy.update_access_scopes?(current_shopify_domain)
+    end
+
+    def current_shopify_domain
+      return if params[:shop].blank?
+      ShopifyApp::Utils.sanitize_shop_domain(params[:shop])
+    end
+
+    def shop_login
+      ShopifyApp::Utils.shop_login_url(shop: params[:shop], return_to: request.fullpath)
+    end
+  end
+end

app/controllers/shopify_app/callback_controller.rb

@@ -76,10 +76,20 @@ def start_user_token_flow?
       if jwt_request?
         false
       else
-        ShopifyApp::SessionRepository.user_storage.present? && user_session.blank?
+        return false unless ShopifyApp::SessionRepository.user_storage.present?
+        update_user_access_scopes?
       end
     end
 
+    def update_user_access_scopes?
+      return true if user_session.blank?
+      user_access_scopes_strategy.update_access_scopes?(user_id: session[:user_id])
+    end
+
+    def user_access_scopes_strategy
+      ShopifyApp.configuration.user_access_scopes_strategy
+    end
+
     def jwt_request?
       jwt_shopify_domain || jwt_shopify_user_id
     end

docs/shopify_app/handling-access-scopes-changes.md

@@ -0,0 +1,8 @@
+# Handling changes in access scopes
+The Shopify App gem provides handling changes to scopes for both shop/offline and user/online tokens. To enable your app to login via OAuth on scope changes, you can set the following configuration flag:
+```ruby
+ShopifyApp.configuration.reauth_on_access_scope_changes = true
+```
+
+## ShopAccessScopesVerification
+The `ShopifyApp::ShopAccessScopesVerification` concern helps merchants grant new access scopes requested by the app. The concern compares the current access scopes granted by the shop and compares them with the scopes requested by the app. If there is a mismatch in configuration, the merchant is redirected to login via OAuth and grant the net new scopes.

docs/shopify_app/session-repository.md

@@ -78,13 +78,11 @@ end
 provider :shopify,
   ...
   setup: lambda { |env|
-    ...
-    # Add this line
-    strategy.options[:per_user_permissions] = strategy.session[:user_tokens]
-    ...
+    configuration = ShopifyApp::OmniauthConfiguration.new(env['omniauth.strategy'], Rack::Request.new(env))
+    configuration.build_options
   }
 
 # In the `shopify_app.rb` initializer:
 config.shop_session_repository = {YOUR_SHOP_MODEL_CLASS}
 config.user_session_repository = {YOUR_USER_MODEL_CLASS}
-```
+```

lib/generators/shopify_app/home_controller/templates/home_controller.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class HomeController < AuthenticatedController
+  include ShopifyApp::ShopAccessScopesVerification
+
   def index
     @products = ShopifyAPI::Product.find(:all, params: { limit: 10 })
     @webhooks = ShopifyAPI::Webhook.find(:all)

lib/generators/shopify_app/home_controller/templates/unauthenticated_home_controller.rb

@@ -3,6 +3,7 @@
 class HomeController < ApplicationController
   include ShopifyApp::EmbeddedApp
   include ShopifyApp::RequireKnownShop
+  include ShopifyApp::ShopAccessScopesVerification
 
   def index
     @shop_origin = current_shopify_domain

lib/generators/shopify_app/install/templates/shopify_app.rb.tt

@@ -7,6 +7,9 @@ ShopifyApp.configure do |config|
   config.after_authenticate_job = false
   config.api_version = "<%= @api_version %>"
   config.shop_session_repository = 'Shop'
+
+  config.reauth_on_access_scope_changes = true
+
   config.allow_jwt_authentication = <%= !with_cookie_authentication? %>
   config.allow_cookie_authentication = <%= with_cookie_authentication? %>
 

lib/generators/shopify_app/install/templates/shopify_provider.rb.tt

@@ -3,16 +3,6 @@
       ShopifyApp.configuration.secret,
       scope: ShopifyApp.configuration.scope,
       setup: lambda { |env|
-        strategy = env['omniauth.strategy']
-
-        shopify_auth_params = strategy.session['shopify.omniauth_params']&.with_indifferent_access
-        shop = if shopify_auth_params.present?
-          "https://#{shopify_auth_params[:shop]}"
-        else
-          ''
-        end
-
-        strategy.options[:client_options][:site] = shop
-        strategy.options[:old_client_secret] = ShopifyApp.configuration.old_secret
-        strategy.options[:per_user_permissions] = strategy.session[:user_tokens]
+        configuration = ShopifyApp::OmniAuthConfiguration.new(env['omniauth.strategy'], Rack::Request.new(env))
+        configuration.build_options
       }

lib/shopify_app.rb

@@ -61,6 +61,11 @@ def self.use_webpacker?
   require 'shopify_app/session/user_session_storage'
   require 'shopify_app/session/user_session_storage_with_scopes'
 
+  # access scopes strategies
+  require 'shopify_app/access_scopes/shop_strategy'
+  require 'shopify_app/access_scopes/user_strategy'
+  require 'shopify_app/access_scopes/noop_strategy'
+
   # omniauth_configuration
   require 'shopify_app/omniauth/omniauth_configuration'
 end