Merge branch 'main' into 2025-04-REST

lizkenyon · web-flow · commit 88100b614ca6 · 2025-04-02T11:47:41.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,9 @@ Note: For changes to the API, see https://shopify.dev/changelog?filter=api
 
 - [#1362](https://github.com/Shopify/shopify-api-ruby/pull/1362) Add support for client credentials grant
 - [#1372](https://github.com/Shopify/shopify-api-ruby/pull/1372) Add support for 2025-04 API version
+- [#1369](https://github.com/Shopify/shopify-api-ruby/pull/1369) Make `sub` and `sid` jwt claims optional (Checkout ui extension support)
+- [#1370](https://github.com/Shopify/shopify-api-ruby/pull/1370) Add support for Shopify internal hosts
+
 
 ## 14.8.0
 
diff --git a/lib/shopify_api/auth/jwt_payload.rb b/lib/shopify_api/auth/jwt_payload.rb
@@ -10,11 +10,14 @@ class JwtPayload
       JWT_EXPIRATION_LEEWAY = JWT_LEEWAY
 
       sig { returns(String) }
-      attr_reader :iss, :dest, :aud, :sub, :jti, :sid
+      attr_reader :iss, :dest, :aud, :jti
 
       sig { returns(Integer) }
       attr_reader :exp, :nbf, :iat
 
+      sig { returns(T.nilable(String)) }
+      attr_reader :sub, :sid
+
       alias_method :expire_at, :exp
 
       sig { params(token: String).void }
@@ -30,12 +33,12 @@ def initialize(token)
         @iss = T.let(payload_hash["iss"], String)
         @dest = T.let(payload_hash["dest"], String)
         @aud = T.let(payload_hash["aud"], String)
-        @sub = T.let(payload_hash["sub"], String)
+        @sub = T.let(payload_hash["sub"], T.nilable(String))
         @exp = T.let(payload_hash["exp"], Integer)
         @nbf = T.let(payload_hash["nbf"], Integer)
         @iat = T.let(payload_hash["iat"], Integer)
         @jti = T.let(payload_hash["jti"], String)
-        @sid = T.let(payload_hash["sid"], String)
+        @sid = T.let(payload_hash["sid"], T.nilable(String))
 
         raise ShopifyAPI::Errors::InvalidJwtTokenError,
           "Session token had invalid API key" unless @aud == Context.api_key
@@ -47,19 +50,9 @@ def shop
       end
       alias_method :shopify_domain, :shop
 
-      sig { returns(Integer) }
+      sig { returns(T.nilable(Integer)) }
       def shopify_user_id
-        @sub.to_i
-      end
-
-      # TODO: Remove before releasing v11
-      sig { params(shop: String).returns(T::Boolean) }
-      def validate_shop(shop)
-        Context.logger.warn(
-          "Deprecation notice: ShopifyAPI::Auth::JwtPayload.validate_shop no longer checks the given shop and always " \
-            "returns true. It will be removed in v11.",
-        )
-        true
+        @sub.to_i if user_id_sub? && admin_session_token?
       end
 
       alias_method :eql?, :==
@@ -86,6 +79,16 @@ def decode_token(token, api_secret_key)
       rescue JWT::DecodeError => err
         raise ShopifyAPI::Errors::InvalidJwtTokenError, "Error decoding session token: #{err.message}"
       end
+
+      sig { returns(T::Boolean) }
+      def admin_session_token?
+        @iss.end_with?("/admin")
+      end
+
+      sig { returns(T::Boolean) }
+      def user_id_sub?
+        @sub&.match?(/\A\d+\z/) || false
+      end
     end
   end
 end
diff --git a/lib/shopify_api/auth/oauth.rb b/lib/shopify_api/auth/oauth.rb
@@ -46,8 +46,8 @@ def begin_auth(shop:, redirect_path:, is_online: true, scope_override: nil)
           }
 
           query_string = URI.encode_www_form(query)
+          auth_route = auth_base_uri(shop) + "/oauth/authorize?#{query_string}"
 
-          auth_route = "https://#{shop}/admin/oauth/authorize?#{query_string}"
           { auth_route: auth_route, cookie: cookie }
         end
 
@@ -106,6 +106,20 @@ def validate_auth_callback(cookies:, auth_query:)
 
           { session: session, cookie: cookie }
         end
+
+        private
+
+        sig { params(shop: String).returns(String) }
+        def auth_base_uri(shop)
+          return "https://#{shop}/admin" unless defined?(DevServer)
+
+          # For first-party apps in development only, we leverage DevServer to build the admin base URI
+          admin_web = T.unsafe(Object.const_get("DevServer")).new("web") # rubocop:disable Sorbet/ConstantsFromStrings
+          admin_host = admin_web.host!(nonstandard_host_prefix: "admin")
+          shop_name = shop.split(".").first
+
+          "https://#{admin_host}/store/#{shop_name}"
+        end
       end
     end
   end
diff --git a/lib/shopify_api/clients/http_client.rb b/lib/shopify_api/clients/http_client.rb
@@ -40,13 +40,17 @@ def request(request, response_as_struct: false)
         headers["Content-Type"] = T.must(request.body_type) if request.body_type
         headers = headers.merge(T.must(request.extra_headers)) if request.extra_headers
 
+        parsed_uri = URI(request_url(request))
+
+        headers = append_first_party_development_headers(headers, parsed_uri)
+
         tries = 0
         response = HttpResponse.new(code: 0, headers: {}, body: "")
         while tries < request.tries
           tries += 1
           res = T.cast(HTTParty.send(
             request.http_method,
-            request_url(request),
+            parsed_uri.to_s,
             headers: headers,
             query: request.query,
             body: request.body.class == Hash ? T.unsafe(request.body).to_json : request.body,
@@ -115,6 +119,27 @@ def serialized_error(response)
         end
         body.to_json
       end
+
+      private
+
+      sig do
+        params(
+          headers: T::Hash[T.any(Symbol, String), T.untyped],
+          parsed_uri: URI::Generic,
+        ).returns(T::Hash[T.any(Symbol, String), T.untyped])
+      end
+      def append_first_party_development_headers(headers, parsed_uri)
+        return headers unless defined?(DevServer)
+        return headers unless headers["Host"]&.include?(".my.shop.dev") || parsed_uri.host&.include?(".my.shop.dev")
+
+        # These headers are only used for first party applications in development mode
+        headers["x-forwarded-host"] = headers["Host"] || parsed_uri.host
+        headers["Host"] = T.unsafe(
+          Object.const_get("DevServer::Core"), # rubocop:disable Sorbet/ConstantsFromStrings
+        ).new.host!(:app)
+
+        headers
+      end
     end
   end
 end
diff --git a/lib/shopify_api/utils/session_utils.rb b/lib/shopify_api/utils/session_utils.rb
@@ -49,7 +49,7 @@ def session_id_from_shopify_id_token(id_token:, online:)
           shop = payload.shop
 
           if online
-            jwt_session_id(shop, payload.sub)
+            jwt_session_id(shop, T.must(payload.sub))
           else
             offline_session_id(shop)
           end
diff --git a/test/auth/jwt_payload_test.rb b/test/auth/jwt_payload_test.rb
@@ -8,7 +8,7 @@ module Auth
     class JwtPayloadTest < Test::Unit::TestCase
       def setup
         super
-        @jwt_payload = {
+        @admin_jwt_payload = {
           iss: "https://test-shop.myshopify.io/admin",
           dest: "https://test-shop.myshopify.io",
           aud: ShopifyAPI::Context.api_key,
@@ -19,12 +19,23 @@ def setup
           jti: "4321",
           sid: "abc123",
         }
+
+        @checkout_ui_extension_jwt_payload = {
+          iss: "https://test-shop.myshopify.io/checkouts",
+          dest: "test-shop.myshopify.io",
+          aud: ShopifyAPI::Context.api_key,
+          sub: "gid://shopify/Customer/123456789",
+          exp: (Time.now + 10).to_i,
+          nbf: 1234,
+          iat: 1234,
+          jti: "4321",
+        }
       end
 
       def test_decode_jwt_payload_succeeds_with_valid_token
-        jwt_token = JWT.encode(@jwt_payload, ShopifyAPI::Context.api_secret_key, "HS256")
+        jwt_token = JWT.encode(@admin_jwt_payload, ShopifyAPI::Context.api_secret_key, "HS256")
         decoded = ShopifyAPI::Auth::JwtPayload.new(jwt_token)
-        assert_equal(@jwt_payload,
+        assert_equal(@admin_jwt_payload,
           {
             iss: decoded.iss,
             dest: decoded.dest,
@@ -38,14 +49,14 @@ def test_decode_jwt_payload_succeeds_with_valid_token
           })
 
         # Helper methods
-        assert_equal(decoded.expire_at, @jwt_payload[:exp])
+        assert_equal(decoded.expire_at, @admin_jwt_payload[:exp])
         assert_equal("test-shop.myshopify.io", decoded.shopify_domain)
         assert_equal("test-shop.myshopify.io", decoded.shop)
         assert_equal(1, decoded.shopify_user_id)
       end
 
       def test_decode_jwt_payload_succeeds_with_spin_domain
-        payload = @jwt_payload.dup
+        payload = @admin_jwt_payload.dup
         payload[:iss] = "https://test-shop.other.spin.dev/admin"
         payload[:dest] = "https://test-shop.other.spin.dev"
         jwt_token = JWT.encode(payload, ShopifyAPI::Context.api_secret_key, "HS256")
@@ -68,14 +79,14 @@ def test_decode_jwt_payload_succeeds_with_spin_domain
       end
 
       def test_decode_jwt_payload_fails_with_wrong_key
-        jwt_token = JWT.encode(@jwt_payload, "Wrong", "HS256")
+        jwt_token = JWT.encode(@admin_jwt_payload, "Wrong", "HS256")
         assert_raises(ShopifyAPI::Errors::InvalidJwtTokenError) do
           ShopifyAPI::Auth::JwtPayload.new(jwt_token)
         end
       end
 
       def test_decode_jwt_payload_fails_with_expired_token
-        payload = @jwt_payload.dup
+        payload = @admin_jwt_payload.dup
         payload[:exp] = (Time.now - 40).to_i
         jwt_token = JWT.encode(payload, ShopifyAPI::Context.api_secret_key, "HS256")
         assert_raises(ShopifyAPI::Errors::InvalidJwtTokenError) do
@@ -84,7 +95,7 @@ def test_decode_jwt_payload_fails_with_expired_token
       end
 
       def test_decode_jwt_payload_fails_if_not_activated_yet
-        payload = @jwt_payload.dup
+        payload = @admin_jwt_payload.dup
         payload[:nbf] = (Time.now + 12).to_i
         jwt_token = JWT.encode(payload, ShopifyAPI::Context.api_secret_key, "HS256")
         assert_raises(ShopifyAPI::Errors::InvalidJwtTokenError) do
@@ -93,7 +104,7 @@ def test_decode_jwt_payload_fails_if_not_activated_yet
       end
 
       def test_decode_jwt_payload_fails_with_invalid_api_key
-        jwt_token = JWT.encode(@jwt_payload, ShopifyAPI::Context.api_secret_key, "HS256")
+        jwt_token = JWT.encode(@admin_jwt_payload, ShopifyAPI::Context.api_secret_key, "HS256")
 
         modify_context(api_key: "invalid")
 
@@ -103,7 +114,7 @@ def test_decode_jwt_payload_fails_with_invalid_api_key
       end
 
       def test_decode_jwt_payload_succeeds_with_expiration_in_the_past_within_10s_leeway
-        payload = @jwt_payload.merge(exp: Time.now.to_i - 8)
+        payload = @admin_jwt_payload.merge(exp: Time.now.to_i - 8)
         jwt_token = JWT.encode(payload, ShopifyAPI::Context.api_secret_key, "HS256")
 
         decoded = ShopifyAPI::Auth::JwtPayload.new(jwt_token)
@@ -122,7 +133,7 @@ def test_decode_jwt_payload_succeeds_with_expiration_in_the_past_within_10s_leew
       end
 
       def test_decode_jwt_payload_succeeds_with_not_before_in_the_future_within_10s_leeway
-        payload = @jwt_payload.merge(nbf: Time.now.to_i + 8)
+        payload = @admin_jwt_payload.merge(nbf: Time.now.to_i + 8)
         jwt_token = JWT.encode(payload, ShopifyAPI::Context.api_secret_key, "HS256")
 
         decoded = ShopifyAPI::Auth::JwtPayload.new(jwt_token)
@@ -139,6 +150,51 @@ def test_decode_jwt_payload_succeeds_with_not_before_in_the_future_within_10s_le
           sid: decoded.sid,
         })
       end
+
+      def test_decode_jwt_payload_coming_from_checkout_ui_extension
+        payload = @checkout_ui_extension_jwt_payload.dup
+        jwt_token = JWT.encode(payload, ShopifyAPI::Context.api_secret_key, "HS256")
+        decoded = ShopifyAPI::Auth::JwtPayload.new(jwt_token)
+        assert_equal(payload,
+          {
+            iss: decoded.iss,
+            dest: decoded.dest,
+            aud: decoded.aud,
+            sub: decoded.sub,
+            exp: decoded.exp,
+            nbf: decoded.nbf,
+            iat: decoded.iat,
+            jti: decoded.jti,
+          })
+
+        assert_equal(decoded.expire_at, @checkout_ui_extension_jwt_payload[:exp])
+        assert_equal("test-shop.myshopify.io", decoded.shopify_domain)
+        assert_equal("test-shop.myshopify.io", decoded.shop)
+        assert_nil(decoded.shopify_user_id)
+      end
+
+      def test_decode_jwt_payload_coming_from_checkout_ui_extension_without_user_logged_in
+        payload = @checkout_ui_extension_jwt_payload.dup
+        payload[:sub] = nil
+        jwt_token = JWT.encode(payload, ShopifyAPI::Context.api_secret_key, "HS256")
+        decoded = ShopifyAPI::Auth::JwtPayload.new(jwt_token)
+        assert_equal(payload,
+          {
+            iss: decoded.iss,
+            dest: decoded.dest,
+            aud: decoded.aud,
+            sub: decoded.sub,
+            exp: decoded.exp,
+            nbf: decoded.nbf,
+            iat: decoded.iat,
+            jti: decoded.jti,
+          })
+
+        assert_equal(decoded.expire_at, @checkout_ui_extension_jwt_payload[:exp])
+        assert_equal("test-shop.myshopify.io", decoded.shopify_domain)
+        assert_equal("test-shop.myshopify.io", decoded.shop)
+        assert_nil(decoded.shopify_user_id)
+      end
     end
   end
 end
