|
| 1 | +# Breaking change notice for version 16.0.0 |
| 2 | + |
| 3 | +## Minimum Ruby Version Requirement |
| 4 | + |
| 5 | +The minimum required Ruby version has been updated from 3.0 to 3.2. |
| 6 | + |
| 7 | +### Why this change? |
| 8 | + |
| 9 | +Ruby 3.0 and 3.1 have reached End of Life (EOL). |
| 10 | + |
| 11 | +### Migration Guide |
| 12 | + |
| 13 | +If you're currently using Ruby 3.0 or 3.1, you'll need to upgrade to Ruby 3.2 or higher before upgrading to shopify-api-ruby v16.0.0. |
| 14 | + |
| 15 | +**Note:** Ruby 3.2+ includes performance improvements and new features. Most applications should not require code changes beyond updating the Ruby version itself. |
| 16 | + |
| 17 | +## Removal of `Session#serialize` and `Session.deserialize` methods |
| 18 | + |
| 19 | +The `Session#serialize` and `Session.deserialize` methods have been removed due to a security vulnerability. The `deserialize` method used `Oj.load` without safe mode, which allows instantiation of arbitrary Ruby objects. |
| 20 | + |
| 21 | +These methods were originally created for session persistence when the library handled session storage. After session storage was deprecated in v12.3.0, applications became responsible for their own session persistence, making these methods unnecessary for their original purpose. |
| 22 | + |
| 23 | +### Why this change? |
| 24 | + |
| 25 | +**No impact on most applications:** The `shopify_app gem` stores individual session attributes in database columns and reconstructs sessions using `Session.new()`, which is the recommended pattern. |
| 26 | + |
| 27 | +## Migration Guide |
| 28 | + |
| 29 | +If your application was using `Session#serialize` and `Session.deserialize` for session persistence, you'll need to refactor to store individual session attributes and reconstruct sessions using `Session.new()`. |
| 30 | + |
| 31 | +### Previous implementation (removed in v16.0.0) |
| 32 | + |
| 33 | +```ruby |
| 34 | +# Storing a session |
| 35 | +session = ShopifyAPI::Auth::Session.new( |
| 36 | + shop: "example.myshopify.com", |
| 37 | + access_token: "shpat_xxxxx", |
| 38 | + scope: "read_products,write_orders" |
| 39 | +) |
| 40 | + |
| 41 | +serialized_data = session.serialize |
| 42 | +# Store serialized_data in Redis, database, etc. |
| 43 | +redis.set("session:#{session.id}", serialized_data) |
| 44 | + |
| 45 | +# Retrieving a session |
| 46 | +serialized_data = redis.get("session:#{session_id}") |
| 47 | +session = ShopifyAPI::Auth::Session.deserialize(serialized_data) |
| 48 | +``` |
| 49 | + |
| 50 | +### New implementation (required in v16.0.0) |
| 51 | + |
| 52 | +Store individual session attributes and reconstruct using `Session.new()`: |
| 53 | + |
| 54 | +## Reference: shopify_app gem implementation |
| 55 | + |
| 56 | +The [shopify_app gem](https://github.com/Shopify/shopify_app) provides a reference implementation of session storage that follows these best practices: |
| 57 | + |
| 58 | +**Shop Session Storage** ([source](https://github.com/Shopify/shopify_app/blob/main/lib/shopify_app/session/shop_session_storage.rb)): |
| 59 | +```ruby |
| 60 | +# Stores attributes in database columns |
| 61 | +def store(auth_session) |
| 62 | + shop = find_or_initialize_by(shopify_domain: auth_session.shop) |
| 63 | + shop.shopify_token = auth_session.access_token |
| 64 | + shop.save! |
| 65 | +end |
| 66 | + |
| 67 | +# Reconstructs using Session.new() |
| 68 | +def retrieve(id) |
| 69 | + shop = find_by(id: id) |
| 70 | + return unless shop |
| 71 | + |
| 72 | + ShopifyAPI::Auth::Session.new( |
| 73 | + shop: shop.shopify_domain, |
| 74 | + access_token: shop.shopify_token |
| 75 | + ) |
| 76 | +end |
| 77 | +``` |
0 commit comments