Add FirebaseStrategy

.nvmrc

@@ -1 +1 @@
-8.1.0
+8.1.1

README.md

@@ -1,15 +1,23 @@
-# shopify-express
+## Deprecation
 
-A small set of abstractions that will help you quickly build an Express.js app that consumes the Shopify API.
+:exclamation: **This project is deprecated**. This means Shopify will not be maintaining it going forward. If you are interested in building a Shopify app using first party tools then check out our other libraries:
+
+* [@shopify/koa-shopify-auth](https://github.com/Shopify/quilt/tree/master/packages/koa-shopify-auth)
+* [@shopify/koa-shopify-graphql-proxy](https://github.com/Shopify/quilt/blob/master/packages/koa-shopify-graphql-proxy/README.md)
+* [shopify_app](https://github.com/Shopify/shopify_app)
 
-:exclamation: **This project is currently in alpha status**. This means that the API could change at any time. It also means that your feedback will have a big impact on how the project evolves, so please feel free to [open issues](https://github.com/shopify/shopify-express/issues) if there is something you would like to see added.
+These are all used internally and written against technologies we use for our own applications. Of course, if you wish to continue using Express, feel free to fork this codebase and continue it as you wish.
 
+# shopify-express
+
+A small set of abstractions that will help you quickly build an Express.js app that consumes the Shopify API.
 
 ## Example
 
 ```javascript
 const express = require('express');
 const shopifyExpress = require('@shopify/shopify-express');
+const session = require('express-session');
 
 const app = express();
 
@@ -20,20 +28,27 @@ const {
   NODE_ENV,
 } = process.env;
 
-const shopify = shopifyExpress({
+// session is necessary for api proxy and auth verification
+app.use(session({secret: SHOPIFY_APP_SECRET}));
+
+const {routes, withShop} = shopifyExpress({
   host: SHOPIFY_APP_HOST,
   apiKey: SHOPIFY_APP_KEY,
   secret: SHOPIFY_APP_SECRET,
   scope: ['write_orders, write_products'],
+  accessMode: 'offline',
   afterAuth(request, response) {
     const { session: { accessToken, shop } } = request;
     // install webhooks or hook into your own app here
     return response.redirect('/');
   },
 });
 
-// mounts '/auth/shopify' and '/api' off of '/'
-app.use('/', shopify.routes);
+// mounts '/auth' and '/api' off of '/shopify'
+app.use('/shopify', routes);
+
+// shields myAppMiddleware from being accessed without session
+app.use('/myApp', withShop({authBaseUrl: '/shopify'}), myAppMiddleware)
 ```
 
 ## Shopify routes
@@ -62,30 +77,71 @@ endpoints from a client application without having to worry about CORS.
 
 By default the package comes with `MemoryStrategy`, `RedisStrategy`, and `SqliteStrategy`. If none are specified, the default is `MemoryStrategy`.
 
-You can use them in a config like so:
+#### MemoryStrategy
+
+Simple javascript object based memory store for development purposes. Do not use this in production!
+
+```javascript
+const shopifyExpress = require('@shopify/shopify-express');
+const {MemoryStrategy} = require('@shopify/shopify-express/strategies');
+
+const shopify = shopifyExpress({
+  shopStore: new MemoryStrategy(redisConfig),
+  ...restOfConfig,
+});
+```
+
+#### RedisStrategy
+
+Uses [redis](https://www.npmjs.com/package/redis) under the hood, so you can pass it any configuration that's valid for the library.
 
 ```javascript
 const shopifyExpress = require('@shopify/shopify-express');
 const {RedisStrategy} = require('@shopify/shopify-express/strategies');
 
+const redisConfig = {
+  // your config here
+};
+
+const shopify = shopifyExpress({
+  shopStore: new RedisStrategy(redisConfig),
+  ...restOfConfig,
+});
+```
+
+#### SQLStrategy
+
+Uses [knex](https://www.npmjs.com/package/knex) under the hood, so you can pass it any configuration that's valid for the library. By default it uses `sqlite3` so you'll need to run `yarn add sqlite3` to use it. Knex also supports `postgreSQL` and `mySQL`.
+
+```javascript
+const shopifyExpress = require('@shopify/shopify-express');
+const {SQLStrategy} = require('@shopify/shopify-express/strategies');
+
+// uses sqlite3 if no settings are specified
+const knexConfig = {
+  // your config here
+};
+
 const shopify = shopifyExpress({
-  shopStore: new RedisStrategy(),
+  shopStore: new SQLStrategy(knexConfig),
   ...restOfConfig,
 });
 ```
 
-### Custom Strategy
+SQLStrategy expects a table named `shops` with a primary key `id`, and `string` fields for `shopify_domain` and `access_token`. It's recommended you index `shopify_domain` since it is used to look up tokens.
+
+If you do not have a table already created for your store, you can generate one with `new SQLStrategy(myConfig).initialize()`. This returns a promise so you can finish setting up your app after it if you like, but we suggest you make a separate db initialization script, or keep track of your schema yourself.
 
-`shopifyExpress` takes a `shopStore` parameter. This can be any javascript class matching the following interface:
+#### Custom Strategy
+
+`shopifyExpress` accepts any javascript class matching the following interface:
 
 ```javascript
   class Strategy {
-    constructor(){}
     // shop refers to the shop's domain name
-    getShop({ shop }, done)){}
+    getShop({ shop }): Promise<{accessToken: string}>
     // shop refers to the shop's domain name
-    // data can by any serializable object
-    storeShop({ shop, accessToken, data }, done){}
+    storeShop({ shop, accessToken }): Promise<{accessToken: string}>
   }
 ```
 
@@ -95,20 +151,51 @@ const shopify = shopifyExpress({
 
 ### `withShop`
 
-`app.use('/someProtectedPath', withShop, someHandler);`
+`app.use('/someProtectedPath', withShop({authBaseUrl: '/shopify'}), someHandler);`
 
-Express middleware that validates the presence of your shop session.
+Express middleware that validates the presence of your shop session. The parameter you pass to it should match the base URL for where you've mounted the shopify routes.
 
 ### `withWebhook`
 
 `app.use('/someProtectedPath', withWebhook, someHandler);`
 
-Express middleware that validates the the presence of a valid HMAC signature to allow webhook requests from shopify to your app.
+Express middleware that validates the presence of a valid HMAC signature to allow webhook requests from shopify to your app.
 
 ## Example app
 
 You can look at [shopify-node-app](https://github.com/shopify/shopify-node-app) for a complete working example.
 
+## Gotchas
+
+### Install route
+For the moment the app expects you to mount your install route at `/install`. See [shopify-node-app](https://github.com/shopify/shopify-node-app) for details.
+
+### Express Session
+This library expects [express-session](https://www.npmjs.com/package/express-session) or a compatible library to be installed and set up for much of it's functionality. Api Proxy and auth verification functions won't work without something putting a `session` key on `request`.
+
+It is possible to use auth without a session key on your request, but not recommended.
+
+### Body Parser
+This library handles body parsing on it's own for webhooks. If you're using webhooks you should make sure to follow express best-practices by only adding your body parsing middleware to specific routes that need it.
+
+**Good**
+```javascript
+  app.use('/some-route', bodyParser.json(), myHandler);
+
+  app.use('/webhook', withWebhook(myWebhookHandler));
+  app.use('/', shopifyExpress.routes);
+```
+
+**Bad**
+```javascript
+  app.use(bodyParser.json());
+  app.use('/some-route', myHandler);
+
+  app.use('/webhook', withWebhook(myWebhookHandler));
+  app.use('/', shopifyExpress.routes);
+```
+
+
 ## Contributing
 
 Contributions are welcome. Please refer to the [contributing guide](https://github.com/Shopify/shopify-express/blob/master/CONTRIBUTING.md) for more details.

RELEASING.md

@@ -0,0 +1,8 @@
+1. Merge your branch into master
+2. Run `npm version [version]` which will do the following:
+  * write new version to package.json
+  * create a new commit with a commit message matching the version number
+  * create a new tag matching the version number
+3. Push the new commit and tags to master with `git push origin master --tags`
+4. Create a release on Github. Include a change log in the description
+5. Deploy via Shipit

circle.yml

@@ -0,0 +1,9 @@
+machine:
+  node:
+    version: 8.1
+dependencies:
+  override:
+    - yarn install --dev
+test:
+  override:
+    - yarn run test:ci

constants.js

@@ -0,0 +1,2 @@
+module.exports.TEST_COOKIE_NAME = 'shopifyTestCookie';
+module.exports.TOP_LEVEL_OAUTH_COOKIE_NAME = 'shopifyTopLevelOAuth';

index.js

@@ -1,12 +1,27 @@
+const PropTypes = require('prop-types');
 const createRouter = require('./routes');
 const createMiddleware = require('./middleware');
 const {MemoryStrategy} = require('./strategies');
 
+const ShopifyConfigTypes = {
+  apiKey: PropTypes.string.isRequired,
+  host: PropTypes.string.isRequired,
+  secret: PropTypes.string.isRequired,
+  scope: PropTypes.arrayOf(PropTypes.string).isRequired,
+  afterAuth: PropTypes.func.isRequired,
+  shopStore: PropTypes.object,
+  accessMode: PropTypes.oneOf(['offline', 'online']),
+};
+
+const defaults = {
+  shopStore: new MemoryStrategy(),
+  accessMode: 'offline'
+};
+
 module.exports = function shopify(shopifyConfig) {
-  const config = Object.assign(
-    {shopStore: new MemoryStrategy()},
-    shopifyConfig,
-  );
+  PropTypes.checkPropTypes(ShopifyConfigTypes, shopifyConfig, 'option', 'ShopifyExpress');
+
+  const config = Object.assign({}, defaults, shopifyConfig);
 
   return {
     middleware: createMiddleware(config),

middleware/index.js

@@ -1,9 +1,8 @@
 const createWithWebhook = require('./webhooks');
-const createWithShop = require('./withShop');
+const withShop = require('./withShop');
 
 module.exports = function createMiddleware(shopifyConfig) {
   const withWebhook = createWithWebhook(shopifyConfig);
-  const withShop = createWithShop();
 
   return {
     withShop,

middleware/webhooks.js

@@ -1,29 +1,40 @@
 const crypto = require('crypto');
+const getRawBody = require('raw-body');
 
-module.exports = function createWithWebhook({ secret, shopStore }) {
-  return function withWebhook(request, response, next) {
-    const { body: data } = request;
-    const hmac = request.get('X-Shopify-Hmac-Sha256');
-    const topic = request.get('X-Shopify-Topic');
-    const shopDomain = request.get('X-Shopify-Shop-Domain');
+module.exports = function configureWithWebhook({ secret, shopStore }) {
+  return function createWebhookHandler(onVerified) {
+    return async function withWebhook(request, response, next) {
+      const { body: data } = request;
+      const hmac = request.get('X-Shopify-Hmac-Sha256');
+      const topic = request.get('X-Shopify-Topic');
+      const shopDomain = request.get('X-Shopify-Shop-Domain');
 
-    const generated_hash = crypto
-      .createHmac('sha256', SHOPIFY_APP_SECRET)
-      .update(JSON.stringify(data))
-      .digest('base64');
+      try {
+        const rawBody = await getRawBody(request);
+        const generated_hash = crypto
+          .createHmac('sha256', secret)
+          .update(rawBody)
+          .digest('base64');
 
-    if (generated_hash !== hmac) {
-      return response.status(401).send("Request doesn't pass HMAC validation");
-    }
+        if (generated_hash !== hmac) {
+          response.status(401).send();
+          onVerified(new Error("Unable to verify request HMAC"));
+          return;
+        }
 
-    shopStore.getShop({ shop: shopDomain }, (error, { accessToken }) => {
-      if (error) {
-        next(error);
-      }
+        const {accessToken} = await shopStore.getShop({ shop: shopDomain });
+
+        request.body = rawBody.toString('utf8');
+        request.webhook = { topic, shopDomain, accessToken };
 
-      request.webhook = { topic, shopDomain, accessToken };
+        response.status(200).send();
 
-      next();
-    });
-  };
+        onVerified(null, request);
+      } catch (error) {
+        response.status(401).send();
+        onVerified(new Error("Unable to verify request HMAC"));
+        return;
+      }
+    };
+  }
 };

middleware/withShop.js

@@ -1,19 +1,23 @@
-module.exports = function withShop({ redirect } = { redirect: true }) {
+const {TEST_COOKIE_NAME, TOP_LEVEL_OAUTH_COOKIE_NAME} = require('../constants');
+
+module.exports = function withShop({ authBaseUrl } = {}) {
   return function verifyRequest(request, response, next) {
-    const { query: { shop }, session } = request;
+    const { query: { shop }, session, baseUrl } = request;
 
     if (session && session.accessToken) {
-      return next();
+      response.cookie(TOP_LEVEL_OAUTH_COOKIE_NAME);
+      next();
+      return;
     }
 
-    if (shop && redirect) {
-      return response.redirect(`/auth/shopify?shop=${shop}`);
-    }
+    response.cookie(TEST_COOKIE_NAME, '1');
 
-    if (redirect) {
-      return response.redirect('/install');
+    if (shop) {
+      response.redirect(`${authBaseUrl || baseUrl}/auth?shop=${shop}`);
+      return;
     }
 
-    return response.status(401).json('Unauthorized');
+    response.redirect('/install');
+    return;
   };
 };