Merge branch 'main' into liz/add-release-candidate-api-version

Author: lizkenyon

CHANGELOG.md

@@ -5,6 +5,9 @@ Note: For changes to the API, see https://shopify.dev/changelog?filter=api
 
 - [#1362](https://github.com/Shopify/shopify-api-ruby/pull/1362) Add support for client credentials grant
 - [#1366](https://github.com/Shopify/shopify-api-ruby/pull/1366) Add support for release candidate API versions
+- [#1372](https://github.com/Shopify/shopify-api-ruby/pull/1372) Add support for 2025-04 API version
+- [#1369](https://github.com/Shopify/shopify-api-ruby/pull/1369) Make `sub` and `sid` jwt claims optional (Checkout ui extension support)
+- [#1370](https://github.com/Shopify/shopify-api-ruby/pull/1370) Add support for Shopify internal hosts
 
 ## 14.8.0
 

lib/shopify_api/admin_versions.rb

@@ -7,6 +7,7 @@ module AdminVersions
 
     SUPPORTED_ADMIN_VERSIONS = T.let([
       "unstable",
+      "2025-07"
       "2025-04",
       "2025-01",
       "2024-10",
@@ -23,8 +24,8 @@ module AdminVersions
       "2022-01",
     ], T::Array[String])
 
-    LATEST_SUPPORTED_ADMIN_VERSION = T.let("2025-01", String)
-    RELEASE_CANDIDATE_ADMIN_VERSION = T.let("2025-04", String)
+    LATEST_SUPPORTED_ADMIN_VERSION = T.let("2025-04", String)
+    RELEASE_CANDIDATE_ADMIN_VERSION = T.let("2025-07", String)
   end
 
   SUPPORTED_ADMIN_VERSIONS = ShopifyAPI::AdminVersions::SUPPORTED_ADMIN_VERSIONS

lib/shopify_api/auth/jwt_payload.rb

@@ -10,11 +10,14 @@ class JwtPayload
       JWT_EXPIRATION_LEEWAY = JWT_LEEWAY
 
       sig { returns(String) }
-      attr_reader :iss, :dest, :aud, :sub, :jti, :sid
+      attr_reader :iss, :dest, :aud, :jti
 
       sig { returns(Integer) }
       attr_reader :exp, :nbf, :iat
 
+      sig { returns(T.nilable(String)) }
+      attr_reader :sub, :sid
+
       alias_method :expire_at, :exp
 
       sig { params(token: String).void }
@@ -30,12 +33,12 @@ def initialize(token)
         @iss = T.let(payload_hash["iss"], String)
         @dest = T.let(payload_hash["dest"], String)
         @aud = T.let(payload_hash["aud"], String)
-        @sub = T.let(payload_hash["sub"], String)
+        @sub = T.let(payload_hash["sub"], T.nilable(String))
         @exp = T.let(payload_hash["exp"], Integer)
         @nbf = T.let(payload_hash["nbf"], Integer)
         @iat = T.let(payload_hash["iat"], Integer)
         @jti = T.let(payload_hash["jti"], String)
-        @sid = T.let(payload_hash["sid"], String)
+        @sid = T.let(payload_hash["sid"], T.nilable(String))
 
         raise ShopifyAPI::Errors::InvalidJwtTokenError,
           "Session token had invalid API key" unless @aud == Context.api_key
@@ -47,19 +50,9 @@ def shop
       end
       alias_method :shopify_domain, :shop
 
-      sig { returns(Integer) }
+      sig { returns(T.nilable(Integer)) }
       def shopify_user_id
-        @sub.to_i
-      end
-
-      # TODO: Remove before releasing v11
-      sig { params(shop: String).returns(T::Boolean) }
-      def validate_shop(shop)
-        Context.logger.warn(
-          "Deprecation notice: ShopifyAPI::Auth::JwtPayload.validate_shop no longer checks the given shop and always " \
-            "returns true. It will be removed in v11.",
-        )
-        true
+        @sub.to_i if user_id_sub? && admin_session_token?
       end
 
       alias_method :eql?, :==
@@ -86,6 +79,16 @@ def decode_token(token, api_secret_key)
       rescue JWT::DecodeError => err
         raise ShopifyAPI::Errors::InvalidJwtTokenError, "Error decoding session token: #{err.message}"
       end
+
+      sig { returns(T::Boolean) }
+      def admin_session_token?
+        @iss.end_with?("/admin")
+      end
+
+      sig { returns(T::Boolean) }
+      def user_id_sub?
+        @sub&.match?(/\A\d+\z/) || false
+      end
     end
   end
 end

lib/shopify_api/auth/oauth.rb

@@ -46,8 +46,8 @@ def begin_auth(shop:, redirect_path:, is_online: true, scope_override: nil)
           }
 
           query_string = URI.encode_www_form(query)
+          auth_route = auth_base_uri(shop) + "/oauth/authorize?#{query_string}"
 
-          auth_route = "https://#{shop}/admin/oauth/authorize?#{query_string}"
           { auth_route: auth_route, cookie: cookie }
         end
 
@@ -106,6 +106,20 @@ def validate_auth_callback(cookies:, auth_query:)
 
           { session: session, cookie: cookie }
         end
+
+        private
+
+        sig { params(shop: String).returns(String) }
+        def auth_base_uri(shop)
+          return "https://#{shop}/admin" unless defined?(DevServer)
+
+          # For first-party apps in development only, we leverage DevServer to build the admin base URI
+          admin_web = T.unsafe(Object.const_get("DevServer")).new("web") # rubocop:disable Sorbet/ConstantsFromStrings
+          admin_host = admin_web.host!(nonstandard_host_prefix: "admin")
+          shop_name = shop.split(".").first
+
+          "https://#{admin_host}/store/#{shop_name}"
+        end
       end
     end
   end

lib/shopify_api/clients/http_client.rb

@@ -40,13 +40,17 @@ def request(request, response_as_struct: false)
         headers["Content-Type"] = T.must(request.body_type) if request.body_type
         headers = headers.merge(T.must(request.extra_headers)) if request.extra_headers
 
+        parsed_uri = URI(request_url(request))
+
+        headers = append_first_party_development_headers(headers, parsed_uri)
+
         tries = 0
         response = HttpResponse.new(code: 0, headers: {}, body: "")
         while tries < request.tries
           tries += 1
           res = T.cast(HTTParty.send(
             request.http_method,
-            request_url(request),
+            parsed_uri.to_s,
             headers: headers,
             query: request.query,
             body: request.body.class == Hash ? T.unsafe(request.body).to_json : request.body,
@@ -115,6 +119,27 @@ def serialized_error(response)
         end
         body.to_json
       end
+
+      private
+
+      sig do
+        params(
+          headers: T::Hash[T.any(Symbol, String), T.untyped],
+          parsed_uri: URI::Generic,
+        ).returns(T::Hash[T.any(Symbol, String), T.untyped])
+      end
+      def append_first_party_development_headers(headers, parsed_uri)
+        return headers unless defined?(DevServer)
+        return headers unless headers["Host"]&.include?(".my.shop.dev") || parsed_uri.host&.include?(".my.shop.dev")
+
+        # These headers are only used for first party applications in development mode
+        headers["x-forwarded-host"] = headers["Host"] || parsed_uri.host
+        headers["Host"] = T.unsafe(
+          Object.const_get("DevServer::Core"), # rubocop:disable Sorbet/ConstantsFromStrings
+        ).new.host!(:app)
+
+        headers
+      end
     end
   end
 end

lib/shopify_api/rest/resources/2025_04/abandoned_checkout.rb

@@ -0,0 +1,194 @@
+# typed: false
+# frozen_string_literal: true
+
+########################################################################################################################
+# This file is auto-generated. If you have an issue, please create a GitHub issue.                                     #
+########################################################################################################################
+
+module ShopifyAPI
+  class AbandonedCheckout < ShopifyAPI::Rest::Base
+    extend T::Sig
+
+    @prev_page_info = T.let(Concurrent::ThreadLocalVar.new { nil }, Concurrent::ThreadLocalVar)
+    @next_page_info = T.let(Concurrent::ThreadLocalVar.new { nil }, Concurrent::ThreadLocalVar)
+
+    @api_call_limit = T.let(Concurrent::ThreadLocalVar.new { nil }, Concurrent::ThreadLocalVar)
+    @retry_request_after = T.let(Concurrent::ThreadLocalVar.new { nil }, Concurrent::ThreadLocalVar)
+
+    sig { params(session: T.nilable(ShopifyAPI::Auth::Session), from_hash: T.nilable(T::Hash[T.untyped, T.untyped])).void }
+    def initialize(session: ShopifyAPI::Context.active_session, from_hash: nil)
+
+      @abandoned_checkout_url = T.let(nil, T.nilable(String))
+      @billing_address = T.let(nil, T.nilable(T::Hash[T.untyped, T.untyped]))
+      @buyer_accepts_marketing = T.let(nil, T.nilable(T::Boolean))
+      @buyer_accepts_sms_marketing = T.let(nil, T.nilable(T::Boolean))
+      @cart_token = T.let(nil, T.nilable(String))
+      @closed_at = T.let(nil, T.nilable(String))
+      @completed_at = T.let(nil, T.nilable(String))
+      @created_at = T.let(nil, T.nilable(String))
+      @currency = T.let(nil, T.nilable(Currency))
+      @customer = T.let(nil, T.nilable(Customer))
+      @customer_locale = T.let(nil, T.nilable(String))
+      @device_id = T.let(nil, T.nilable(Integer))
+      @discount_codes = T.let(nil, T.nilable(T::Array[T.untyped]))
+      @email = T.let(nil, T.nilable(String))
+      @gateway = T.let(nil, T.nilable(String))
+      @id = T.let(nil, T.nilable(Integer))
+      @landing_site = T.let(nil, T.nilable(String))
+      @line_items = T.let(nil, T.nilable(T::Hash[T.untyped, T.untyped]))
+      @location_id = T.let(nil, T.nilable(Integer))
+      @note = T.let(nil, T.nilable(String))
+      @phone = T.let(nil, T.nilable(String))
+      @presentment_currency = T.let(nil, T.nilable(String))
+      @referring_site = T.let(nil, T.nilable(String))
+      @shipping_address = T.let(nil, T.nilable(T::Hash[T.untyped, T.untyped]))
+      @shipping_lines = T.let(nil, T.nilable(T::Hash[T.untyped, T.untyped]))
+      @sms_marketing_phone = T.let(nil, T.nilable(String))
+      @source_name = T.let(nil, T.nilable(String))
+      @subtotal_price = T.let(nil, T.nilable(String))
+      @tax_lines = T.let(nil, T.nilable(T::Hash[T.untyped, T.untyped]))
+      @taxes_included = T.let(nil, T.nilable(T::Boolean))
+      @token = T.let(nil, T.nilable(String))
+      @total_discounts = T.let(nil, T.nilable(String))
+      @total_duties = T.let(nil, T.nilable(String))
+      @total_line_items_price = T.let(nil, T.nilable(String))
+      @total_price = T.let(nil, T.nilable(String))
+      @total_tax = T.let(nil, T.nilable(String))
+      @total_weight = T.let(nil, T.nilable(Integer))
+      @updated_at = T.let(nil, T.nilable(String))
+      @user_id = T.let(nil, T.nilable(Integer))
+
+      super(session: session, from_hash: from_hash)
+    end
+
+    @has_one = T.let({
+      currency: Currency,
+      customer: Customer
+    }, T::Hash[Symbol, Class])
+    @has_many = T.let({
+      discount_codes: DiscountCode
+    }, T::Hash[Symbol, Class])
+    @paths = T.let([
+      {http_method: :get, operation: :checkouts, ids: [], path: "checkouts.json"},
+      {http_method: :get, operation: :checkouts, ids: [], path: "checkouts.json"}
+    ], T::Array[T::Hash[String, T.any(T::Array[Symbol], String, Symbol)]])
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :abandoned_checkout_url
+    sig { returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
+    attr_reader :billing_address
+    sig { returns(T.nilable(T::Boolean)) }
+    attr_reader :buyer_accepts_marketing
+    sig { returns(T.nilable(T::Boolean)) }
+    attr_reader :buyer_accepts_sms_marketing
+    sig { returns(T.nilable(String)) }
+    attr_reader :cart_token
+    sig { returns(T.nilable(String)) }
+    attr_reader :closed_at
+    sig { returns(T.nilable(String)) }
+    attr_reader :completed_at
+    sig { returns(T.nilable(String)) }
+    attr_reader :created_at
+    sig { returns(T.nilable(Currency)) }
+    attr_reader :currency
+    sig { returns(T.nilable(Customer)) }
+    attr_reader :customer
+    sig { returns(T.nilable(String)) }
+    attr_reader :customer_locale
+    sig { returns(T.nilable(Integer)) }
+    attr_reader :device_id
+    sig { returns(T.nilable(T::Array[DiscountCode])) }
+    attr_reader :discount_codes
+    sig { returns(T.nilable(String)) }
+    attr_reader :email
+    sig { returns(T.nilable(String)) }
+    attr_reader :gateway
+    sig { returns(T.nilable(Integer)) }
+    attr_reader :id
+    sig { returns(T.nilable(String)) }
+    attr_reader :landing_site
+    sig { returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
+    attr_reader :line_items
+    sig { returns(T.nilable(Integer)) }
+    attr_reader :location_id
+    sig { returns(T.nilable(String)) }
+    attr_reader :note
+    sig { returns(T.nilable(String)) }
+    attr_reader :phone
+    sig { returns(T.nilable(String)) }
+    attr_reader :presentment_currency
+    sig { returns(T.nilable(String)) }
+    attr_reader :referring_site
+    sig { returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
+    attr_reader :shipping_address
+    sig { returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
+    attr_reader :shipping_lines
+    sig { returns(T.nilable(String)) }
+    attr_reader :sms_marketing_phone
+    sig { returns(T.nilable(String)) }
+    attr_reader :source_name
+    sig { returns(T.nilable(String)) }
+    attr_reader :subtotal_price
+    sig { returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
+    attr_reader :tax_lines
+    sig { returns(T.nilable(T::Boolean)) }
+    attr_reader :taxes_included
+    sig { returns(T.nilable(String)) }
+    attr_reader :token
+    sig { returns(T.nilable(String)) }
+    attr_reader :total_discounts
+    sig { returns(T.nilable(String)) }
+    attr_reader :total_duties
+    sig { returns(T.nilable(String)) }
+    attr_reader :total_line_items_price
+    sig { returns(T.nilable(String)) }
+    attr_reader :total_price
+    sig { returns(T.nilable(String)) }
+    attr_reader :total_tax
+    sig { returns(T.nilable(Integer)) }
+    attr_reader :total_weight
+    sig { returns(T.nilable(String)) }
+    attr_reader :updated_at
+    sig { returns(T.nilable(Integer)) }
+    attr_reader :user_id
+
+    class << self
+      sig do
+        params(
+          since_id: T.untyped,
+          created_at_min: T.untyped,
+          created_at_max: T.untyped,
+          updated_at_min: T.untyped,
+          updated_at_max: T.untyped,
+          status: T.untyped,
+          limit: T.untyped,
+          session: Auth::Session,
+          kwargs: T.untyped
+        ).returns(T.untyped)
+      end
+      def checkouts(
+        since_id: nil,
+        created_at_min: nil,
+        created_at_max: nil,
+        updated_at_min: nil,
+        updated_at_max: nil,
+        status: nil,
+        limit: nil,
+        session: ShopifyAPI::Context.active_session,
+        **kwargs
+      )
+        request(
+          http_method: :get,
+          operation: :checkouts,
+          session: session,
+          ids: {},
+          params: {since_id: since_id, created_at_min: created_at_min, created_at_max: created_at_max, updated_at_min: updated_at_min, updated_at_max: updated_at_max, status: status, limit: limit}.merge(kwargs).compact,
+          body: {},
+          entity: nil,
+        )
+      end
+
+    end
+
+  end
+end