├── .dockerignore ├── .github ├── CODEOWNERS ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── ISSUE_TEMPLATE.md ├── PULL_REQUEST_TEMPLATE.md ├── dependabot.yml └── workflows │ ├── ci.yml │ ├── cla.yml │ └── merge_patch_dependencies.yml ├── .gitignore ├── .gitmodules ├── .npmrc ├── .vscode └── extensions.json ├── Dockerfile ├── LICENSE.md ├── README.md ├── SECURITY.md ├── package.json ├── shopify.app.toml └── web ├── gdpr.js ├── index.js ├── package.json ├── product-creator.js ├── shopify.js └── shopify.web.toml /.dockerignore: -------------------------------------------------------------------------------- 1 | web/node_modules 2 | web/frontend/node_modules 3 | web/frontend/dist 4 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @shopify/client-libraries-app-templates 2 | -------------------------------------------------------------------------------- /.github/CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, gender identity and expression, level of experience, 9 | nationality, personal appearance, race, religion, or sexual identity and 10 | orientation. 
11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | - Using welcoming and inclusive language 18 | - Being respectful of differing viewpoints and experiences 19 | - Gracefully accepting constructive criticism 20 | - Focusing on what is best for the community 21 | - Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | - The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | - Trolling, insulting/derogatory comments, and personal or political attacks 28 | - Public or private harassment 29 | - Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | - Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 39 | 40 | Project maintainers have the right and responsibility to remove, edit, or 41 | reject comments, commits, code, wiki edits, issues, and other contributions 42 | that are not aligned to this Code of Conduct, or to ban temporarily or 43 | permanently any contributor for other behaviors that they deem inappropriate, 44 | threatening, offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. 
Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | ## Enforcement 56 | 57 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 58 | reported by contacting the project team at opensource@shopify.com. All 59 | complaints will be reviewed and investigated and will result in a response that 60 | is deemed necessary and appropriate to the circumstances. The project team is 61 | obligated to maintain confidentiality with regard to the reporter of an incident. 62 | Further details of specific enforcement policies may be posted separately. 63 | 64 | Project maintainers who do not follow or enforce the Code of Conduct in good 65 | faith may face temporary or permanent repercussions as determined by other 66 | members of the project's leadership. 67 | 68 | ## Attribution 69 | 70 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, 71 | available at https://www.contributor-covenant.org/version/1/4/code-of-conduct/ 72 | 73 | [homepage]: https://www.contributor-covenant.org 74 | -------------------------------------------------------------------------------- /.github/CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # How to contribute 2 | 3 | Shopify App Node is an open source project. We want to make it as easy and transparent as possible to contribute. If we are missing anything or can make the process easier in any way, please let us know by [opening an issue](https://github.com/Shopify/starter-node-app/issues/new). 4 | 5 | ## Code of conduct 6 | 7 | We expect all participants to read our [code of conduct](https://github.com/Shopify/starter-node-app/.github/CODE_OF_CONDUCT.md) to understand which actions are and aren’t tolerated. 8 | 9 | ## Open development 10 | 11 | All work on Shopify App Node happens directly on GitHub. 
Both team members and external contributors send pull requests which go through the same review process. 12 | 13 | ## Bugs 14 | 15 | ### Where to find known issues 16 | 17 | We track all of our issues in GitHub and [bugs](https://github.com/Shopify/starter-node-app/labels/Bug) are labeled accordingly. If you are planning to work on an issue, avoid ones which already have an assignee, where someone has commented within the last two weeks they are working on it, or the issue is labeled with [fix in progress](https://github.com/Shopify/starter-node-app/labels/fix%20in%20progress). We will do our best to communicate when an issue is being worked on internally. 18 | 19 | ### Reporting new issues 20 | 21 | To reduce duplicates, look through open issues before filing one. When [opening an issue](https://github.com/Shopify/starter-node-app/issues/new?template=ISSUE.md), complete as much of the template as possible. 22 | 23 | ## Your first pull request 24 | 25 | Working on your first pull request? You can learn how from this free video series: 26 | 27 | [How to Contribute to an Open Source Project on GitHub](https://egghead.io/series/how-to-contribute-to-an-open-source-project-on-github) 28 | 29 | To help you get familiar with our contribution process, we have a list of [good first issues](https://github.com/Shopify/starter-node-app/labels/good%20first%20issue) that contain bugs with limited scope. This is a great place to get started. 30 | 31 | If you decide to fix an issue, please check the comment thread in case somebody is already working on a fix. If nobody is working on it, leave a comment stating that you intend to work on it. 32 | 33 | If somebody claims an issue but doesn’t follow up for more than two weeks, it’s fine to take it over but still leave a comment stating that you intend to work on it. 34 | 35 | ### Sending a pull request 36 | 37 | We’ll review your pull request and either merge it, request changes to it, or close it with an explanation. 
We’ll do our best to provide updates and feedback throughout the process. 38 | 39 | ### Contributor License Agreement (CLA) 40 | 41 | Each contributor is required to [sign a CLA](https://cla.shopify.com/). This process is automated as part of your first pull request and is only required once. If any contributor has not signed or does not have an associated GitHub account, the CLA check will fail and the pull request is unable to be merged. 42 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: "🐛 Bug Report" 3 | about: Something isn't working 4 | labels: "Type: Bug 🐛" 5 | --- 6 | 7 | # Issue summary 8 | 9 | 25 | 26 | - `@shopify/shopify-app-express` version: 27 | - Node version: 28 | - Operating system: 29 | 30 | ``` 31 | // Paste any relevant logs here 32 | ``` 33 | 34 | ## Expected behavior 35 | 36 | 37 | 38 | ## Actual behavior 39 | 40 | 41 | 42 | ## Steps to reproduce the problem 43 | 44 | 1. 45 | 1. 46 | 1. 47 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 8 | 9 | ### WHY are these changes introduced? 10 | 11 | Fixes #0000 12 | 13 | 16 | 17 | ### WHAT is this pull request doing? 18 | 19 | 23 | 24 | ### Checklist 25 | 26 | **Note**: once this PR is merged, it becomes a new release for this template. 
27 | 28 | - [ ] I have added/updated tests for this change 29 | - [ ] I have made changes to the `README.md` file and other related documentation, if applicable 30 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | # Enable version updates for npm 4 | - package-ecosystem: "npm" 5 | # Look for `package.json` and `lock` files in the `root` directory 6 | directory: "/" 7 | # Check the npm registry for updates every day (weekdays) 8 | schedule: 9 | interval: "daily" 10 | -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: Node.js CI 2 | 3 | on: [push, pull_request] 4 | 5 | jobs: 6 | build: 7 | runs-on: ubuntu-latest 8 | 9 | strategy: 10 | matrix: 11 | node-version: [14, 16, 18, 20] 12 | 13 | defaults: 14 | run: 15 | working-directory: ./web 16 | 17 | steps: 18 | - uses: actions/checkout@v3 19 | with: 20 | submodules: recursive 21 | - name: Find any lock file 22 | run: if test -f ../yarn.lock || test -f ../pnpm-lock.yaml || test -f ../package-lock.json; then echo "Please don't commit lock files" && exit 1; fi 23 | - name: Use Node.js ${{ matrix.node-version }} 24 | uses: actions/setup-node@v2 25 | with: 26 | node-version: ${{ matrix.node-version }} 27 | - run: yarn install 28 | - name: Build FE for production test 29 | working-directory: ./web/frontend 30 | run: yarn install && yarn build 31 | -------------------------------------------------------------------------------- /.github/workflows/cla.yml: -------------------------------------------------------------------------------- 1 | name: Contributor License Agreement (CLA) 2 | 3 | on: 4 | pull_request_target: 5 | types: [opened, synchronize] 6 | issue_comment: 7 | types: [created] 8 | 9 | jobs: 10 | cla: 11 
| runs-on: ubuntu-latest 12 | if: | 13 | (github.event.issue.pull_request 14 | && !github.event.issue.pull_request.merged_at 15 | && contains(github.event.comment.body, 'signed') 16 | ) 17 | || (github.event.pull_request && !github.event.pull_request.merged) 18 | steps: 19 | - uses: Shopify/shopify-cla-action@v1 20 | with: 21 | github-token: ${{ secrets.GITHUB_TOKEN }} 22 | cla-token: ${{ secrets.CLA_TOKEN }} 23 | -------------------------------------------------------------------------------- /.github/workflows/merge_patch_dependencies.yml: -------------------------------------------------------------------------------- 1 | on: pull_request_target 2 | 3 | name: "Dependabot: auto-merge patch versions" 4 | 5 | jobs: 6 | approve-dependabot-pr: 7 | if: ${{ github.actor == 'dependabot[bot]' }} 8 | runs-on: ubuntu-latest 9 | steps: 10 | - name: Dependabot metadata 11 | id: dependabot-metadata 12 | uses: dependabot/fetch-metadata@v1 13 | with: 14 | github-token: "${{ secrets.GITHUB_TOKEN }}" 15 | - name: Approve and merge Dependabot PRs for patch versions 16 | if: ${{github.event.workflow_run.conclusion == 'success' && steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch'}} 17 | uses: ridedott/merge-me-action@v2 18 | with: 19 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 20 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Environment Configuration 2 | .env 3 | .env.* 4 | 5 | # Dependency directory 6 | node_modules 7 | 8 | # Test coverage directory 9 | coverage 10 | 11 | # Ignore Apple macOS Desktop Services Store 12 | .DS_Store 13 | 14 | # Logs 15 | logs 16 | *.log 17 | 18 | # ngrok tunnel file 19 | config/tunnel.pid 20 | 21 | # vite build output 22 | dist/ 23 | 24 | # extensions build output 25 | extensions/*/build 26 | 27 | # Node library SQLite database 28 | web/database.sqlite 29 | 
-------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "web/frontend"] 2 | path = web/frontend 3 | url = https://github.com/Shopify/shopify-frontend-template-react.git 4 | -------------------------------------------------------------------------------- /.npmrc: -------------------------------------------------------------------------------- 1 | engine-strict=true 2 | auto-install-peers=true 3 | shamefully-hoist=true 4 | -------------------------------------------------------------------------------- /.vscode/extensions.json: -------------------------------------------------------------------------------- 1 | { 2 | "recommendations": [ 3 | "shopify.polaris-for-vscode" 4 | ] 5 | } -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:18-alpine 2 | 3 | ARG SHOPIFY_API_KEY 4 | ENV SHOPIFY_API_KEY=$SHOPIFY_API_KEY 5 | EXPOSE 8081 6 | WORKDIR /app 7 | COPY web . 
8 | RUN npm install 9 | RUN cd frontend && npm install && npm run build 10 | CMD ["npm", "run", "serve"] 11 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Shopify 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Shopify App Template - Node 2 | 3 | This is a template for building a [Shopify app](https://shopify.dev/docs/apps/getting-started) using Node and React. It contains the basics for building a Shopify app. 4 | 5 | Rather than cloning this repo, you can use your preferred package manager and the Shopify CLI with [these steps](#installing-the-template). 
6 | 7 | ## Benefits 8 | 9 | Shopify apps are built on a variety of Shopify tools to create a great merchant experience. The [create an app](https://shopify.dev/docs/apps/getting-started/create) tutorial in our developer documentation will guide you through creating a Shopify app using this template. 10 | 11 | The Node app template comes with the following out-of-the-box functionality: 12 | 13 | - OAuth: Installing the app and granting permissions 14 | - GraphQL Admin API: Querying or mutating Shopify admin data 15 | - REST Admin API: Resource classes to interact with the API 16 | - Shopify-specific tooling: 17 | - AppBridge 18 | - Polaris 19 | - Webhooks 20 | 21 | ## Tech Stack 22 | 23 | This template combines a number of third party open-source tools: 24 | 25 | - [Express](https://expressjs.com/) builds the backend. 26 | - [Vite](https://vitejs.dev/) builds the [React](https://reactjs.org/) frontend. 27 | - [React Router](https://reactrouter.com/) is used for routing. We wrap this with file-based routing. 28 | - [React Query](https://react-query.tanstack.com/) queries the Admin API. 29 | - [`i18next`](https://www.i18next.com/) and related libraries are used to internationalize the frontend. 30 | - [`react-i18next`](https://react.i18next.com/) is used for React-specific i18n functionality. 31 | - [`i18next-resources-to-backend`](https://github.com/i18next/i18next-resources-to-backend) is used to dynamically load app translations. 32 | - [`@formatjs/intl-localematcher`](https://formatjs.io/docs/polyfills/intl-localematcher/) is used to match the user locale with supported app locales. 33 | - [`@formatjs/intl-locale`](https://formatjs.io/docs/polyfills/intl-locale) is used as a polyfill for [`Intl.Locale`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Intl/Locale) if necessary. 
34 | - [`@formatjs/intl-pluralrules`](https://formatjs.io/docs/polyfills/intl-pluralrules) is used as a polyfill for [`Intl.PluralRules`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Intl/PluralRules) if necessary. 35 | 36 | The following Shopify tools complement these third-party tools to ease app development: 37 | 38 | - [Shopify API library](https://github.com/Shopify/shopify-node-api) adds OAuth to the Express backend. This lets users install the app and grant scope permissions. 39 | - [App Bridge React](https://shopify.dev/docs/apps/tools/app-bridge/getting-started/using-react) adds authentication to API requests in the frontend and renders components outside of the App’s iFrame. 40 | - [Polaris React](https://polaris.shopify.com/) is a powerful design system and component library that helps developers build high quality, consistent experiences for Shopify merchants. 41 | - [Custom hooks](https://github.com/Shopify/shopify-frontend-template-react/tree/main/hooks) make authenticated requests to the Admin API. 42 | - [File-based routing](https://github.com/Shopify/shopify-frontend-template-react/blob/main/Routes.jsx) makes creating new pages easier. 43 | - [`@shopify/i18next-shopify`](https://github.com/Shopify/i18next-shopify) is a plugin for [`i18next`](https://www.i18next.com/) that allows translation files to follow the same JSON schema used by Shopify [app extensions](https://shopify.dev/docs/apps/checkout/best-practices/localizing-ui-extensions#how-it-works) and [themes](https://shopify.dev/docs/themes/architecture/locales/storefront-locale-files#usage). 44 | 45 | ## Getting started 46 | 47 | ### Requirements 48 | 49 | 1. You must [download and install Node.js](https://nodejs.org/en/download/) if you don't already have it. 50 | 1. You must [create a Shopify partner account](https://partners.shopify.com/signup) if you don’t have one. 51 | 1. 
You must create a store for testing if you don't have one, either a [development store](https://help.shopify.com/en/partners/dashboard/development-stores#create-a-development-store) or a [Shopify Plus sandbox store](https://help.shopify.com/en/partners/dashboard/managing-stores/plus-sandbox-store). 52 | 53 | ### Installing the template 54 | 55 | This template can be installed using your preferred package manager: 56 | 57 | Using yarn: 58 | 59 | ```shell 60 | yarn create @shopify/app 61 | ``` 62 | 63 | Using npm: 64 | 65 | ```shell 66 | npm init @shopify/app@latest 67 | ``` 68 | 69 | Using pnpm: 70 | 71 | ```shell 72 | pnpm create @shopify/app@latest 73 | ``` 74 | 75 | This will clone the template and install the required dependencies. 76 | 77 | #### Local Development 78 | 79 | [The Shopify CLI](https://shopify.dev/docs/apps/tools/cli) connects to an app in your Partners dashboard. It provides environment variables, runs commands in parallel, and updates application URLs for easier development. 80 | 81 | You can develop locally using your preferred package manager. Run one of the following commands from the root of your app. 82 | 83 | Using yarn: 84 | 85 | ```shell 86 | yarn dev 87 | ``` 88 | 89 | Using npm: 90 | 91 | ```shell 92 | npm run dev 93 | ``` 94 | 95 | Using pnpm: 96 | 97 | ```shell 98 | pnpm run dev 99 | ``` 100 | 101 | Open the URL generated in your console. Once you grant permission to the app, you can start development. 102 | 103 | ## Deployment 104 | 105 | ### Application Storage 106 | 107 | This template uses [SQLite](https://www.sqlite.org/index.html) to store session data. The database is a file called `database.sqlite` which is automatically created in the root. This use of SQLite works in production if your app runs as a single instance. 108 | 109 | The database that works best for you depends on the data your app needs and how it is queried. You can run your database of choice on a server yourself or host it with a SaaS company. 
Here’s a short list of databases providers that provide a free tier to get started: 110 | 111 | | Database | Type | Hosters | 112 | | ---------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 113 | | MySQL | SQL | [Digital Ocean](https://www.digitalocean.com/try/managed-databases-mysql), [Planet Scale](https://planetscale.com/), [Amazon Aurora](https://aws.amazon.com/rds/aurora/), [Google Cloud SQL](https://cloud.google.com/sql/docs/mysql) | 114 | | PostgreSQL | SQL | [Digital Ocean](https://www.digitalocean.com/try/managed-databases-postgresql), [Amazon Aurora](https://aws.amazon.com/rds/aurora/), [Google Cloud SQL](https://cloud.google.com/sql/docs/postgres) | 115 | | Redis | Key-value | [Digital Ocean](https://www.digitalocean.com/try/managed-databases-redis), [Amazon MemoryDB](https://aws.amazon.com/memorydb/) | 116 | | MongoDB | NoSQL / Document | [Digital Ocean](https://www.digitalocean.com/try/managed-databases-mongodb), [MongoDB Atlas](https://www.mongodb.com/atlas/database) | 117 | 118 | To use one of these, you need to change your session storage configuration. To help, here’s a list of [SessionStorage adapter packages](https://github.com/Shopify/shopify-api-js/tree/main/docs/guides/session-storage.md). 119 | 120 | ### Build 121 | 122 | The frontend is a single page app. It requires the `SHOPIFY_API_KEY`, which you can find on the page for your app in your partners dashboard. 
Paste your app’s key in the command for the package manager of your choice: 123 | 124 | Using yarn: 125 | 126 | ```shell 127 | cd web/frontend/ && SHOPIFY_API_KEY=REPLACE_ME yarn build 128 | ``` 129 | 130 | Using npm: 131 | 132 | ```shell 133 | cd web/frontend/ && SHOPIFY_API_KEY=REPLACE_ME npm run build 134 | ``` 135 | 136 | Using pnpm: 137 | 138 | ```shell 139 | cd web/frontend/ && SHOPIFY_API_KEY=REPLACE_ME pnpm run build 140 | ``` 141 | 142 | You do not need to build the backend. 143 | 144 | ## Hosting 145 | 146 | When you're ready to set up your app in production, you can follow [our deployment documentation](https://shopify.dev/docs/apps/deployment/web) to host your app on a cloud provider like [Heroku](https://www.heroku.com/) or [Fly.io](https://fly.io/). 147 | 148 | When you reach the step for [setting up environment variables](https://shopify.dev/docs/apps/deployment/web#set-env-vars), you also need to set the variable `NODE_ENV=production`. 149 | 150 | ## Known issues 151 | 152 | ### Hot module replacement and Firefox 153 | 154 | When running the app with the CLI in development mode on Firefox, you might see your app constantly reloading when you access it. 155 | That happened in previous versions of the CLI, because of the way HMR websocket requests work. 156 | 157 | We fixed this issue with v3.4.0 of the CLI, so after updating it, you can make the following changes to your app's `web/frontend/vite.config.js` file: 158 | 159 | 1. Change the definition `hmrConfig` object to be: 160 | 161 | ```js 162 | const host = process.env.HOST 163 | ? 
process.env.HOST.replace(/https?:\/\//, "") 164 | : "localhost"; 165 | 166 | let hmrConfig; 167 | if (host === "localhost") { 168 | hmrConfig = { 169 | protocol: "ws", 170 | host: "localhost", 171 | port: 64999, 172 | clientPort: 64999, 173 | }; 174 | } else { 175 | hmrConfig = { 176 | protocol: "wss", 177 | host: host, 178 | port: process.env.FRONTEND_PORT, 179 | clientPort: 443, 180 | }; 181 | } 182 | ``` 183 | 184 | 1. Change the `server.host` setting in the configs to `"localhost"`: 185 | 186 | ```js 187 | server: { 188 | host: "localhost", 189 | ... 190 | ``` 191 | 192 | ### I can't get past the ngrok "Visit site" page 193 | 194 | When you’re previewing your app or extension, you might see an ngrok interstitial page with a warning: 195 | 196 | ```text 197 | You are about to visit .ngrok.io: Visit Site 198 | ``` 199 | 200 | If you click the `Visit Site` button, but continue to see this page, then you should run dev using an alternate tunnel URL that you run using tunneling software. 201 | We've validated that [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/run-tunnel/trycloudflare/) works with this template. 202 | 203 | To do that, you can [install the `cloudflared` CLI tool](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/installation/), and run: 204 | 205 | ```shell 206 | # Note that you can also use a different port 207 | cloudflared tunnel --url http://localhost:3000 208 | ``` 209 | 210 | Out of the logs produced by cloudflare you will notice a https URL where the domain ends with `trycloudflare.com`. This is your tunnel URL. You need to copy this URL as you will need it in the next step. 211 | 212 | ```shell 213 | 2022-11-11T19:57:55Z INF Requesting new quick Tunnel on trycloudflare.com... 
214 | 2022-11-11T19:57:58Z INF +--------------------------------------------------------------------------------------------+ 215 | 2022-11-11T19:57:58Z INF | Your quick Tunnel has been created! Visit it at (it may take some time to be reachable): | 216 | 2022-11-11T19:57:58Z INF | https://randomly-generated-hostname.trycloudflare.com | 217 | 2022-11-11T19:57:58Z INF +--------------------------------------------------------------------------------------------+ 218 | ``` 219 | 220 | Below you would replace `randomly-generated-hostname` with what you have copied from the terminal. In a different terminal window, navigate to your app's root and with the URL from above you would call: 221 | 222 | ```shell 223 | # Using yarn 224 | yarn dev --tunnel-url https://randomly-generated-hostname.trycloudflare.com:3000 225 | # or using npm 226 | npm run dev --tunnel-url https://randomly-generated-hostname.trycloudflare.com:3000 227 | # or using pnpm 228 | pnpm dev --tunnel-url https://randomly-generated-hostname.trycloudflare.com:3000 229 | ``` 230 | 231 | ## Developer resources 232 | 233 | - [Introduction to Shopify apps](https://shopify.dev/docs/apps/getting-started) 234 | - [App authentication](https://shopify.dev/docs/apps/auth) 235 | - [Shopify CLI](https://shopify.dev/docs/apps/tools/cli) 236 | - [Shopify API Library documentation](https://github.com/Shopify/shopify-api-js#readme) 237 | - [Getting started with internationalizing your app](https://shopify.dev/docs/apps/best-practices/internationalization/getting-started) 238 | - [i18next](https://www.i18next.com/) 239 | - [Configuration options](https://www.i18next.com/overview/configuration-options) 240 | - [react-i18next](https://react.i18next.com/) 241 | - [`useTranslation` hook](https://react.i18next.com/latest/usetranslation-hook) 242 | - [`Trans` component usage with components array](https://react.i18next.com/latest/trans-component#alternative-usage-components-array) 243 | 
-------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | ## Supported versions 4 | 5 | ### New features 6 | 7 | New features will only be added to the master branch and will not be made available in point releases. 8 | 9 | ### Bug fixes 10 | 11 | Only the latest release series will receive bug fixes. When enough bugs are fixed and it's deemed worthy to release a new gem, this is the branch it happens from. 12 | 13 | ### Security issues 14 | 15 | Only the latest release series will receive patches and new versions in case of a security issue. 16 | 17 | ### Severe security issues 18 | 19 | For severe security issues we will provide new versions as above, and also the last major release series will receive patches and new versions. The classification of the security issue is judged by the core team. 20 | 21 | ### Unsupported Release Series 22 | 23 | When a release series is no longer supported, it's your own responsibility to deal with bugs and security issues. If you are not comfortable maintaining your own versions, you should upgrade to a supported version. 24 | 25 | ## Reporting a bug 26 | 27 | All security bugs in Shopify repositories should be reported to [our HackerOne program](https://hackerone.com/shopify). 28 | Shopify's whitehat program is our way to reward security researchers for finding serious security vulnerabilities in the In Scope properties listed at the bottom of this page, including our core application (all functionality associated with a Shopify store, particularly your-store.myshopify.com/admin) and certain ancillary applications. 29 | 30 | ## Disclosure Policy 31 | 32 | We look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. 
To achieve this, our team strives to: 33 | 34 | - Reply to all reports within one business day and triage within two business days (if applicable) 35 | - Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports 36 | - Award bounties within a week of resolution (excluding extenuating circumstances) 37 | - Only close reports as N/A when the issue reported is included in Known Issues, Ineligible Vulnerabilities Types or lacks evidence of a vulnerability 38 | 39 | **The following rules must be followed in order for any rewards to be paid:** 40 | 41 | - You may only test against shops you have created which include your HackerOne YOURHANDLE @ wearehackerone.com registered email address. 42 | - You must not attempt to gain access to, or interact with, any shops other than those created by you. 43 | - The use of commercial scanners is prohibited (e.g., Nessus). 44 | - Rules for reporting must be followed. 45 | - Do not disclose any issues publicly before they have been resolved. 46 | - Shopify reserves the right to modify the rules for this program or deem any submissions invalid at any time. Shopify may cancel the whitehat program without notice at any time. 47 | - Contacting Shopify Support over chat, email or phone about your HackerOne report is not allowed. If you do, we may disqualify you from receiving a reward, or from participating in the program altogether. 48 | - You are not an employee of Shopify; employees should report bugs to the internal bug bounty program. 49 | - You hereby represent, warrant and covenant that any content you submit to Shopify is an original work of authorship and that you are legally entitled to grant the rights and privileges conveyed by these terms. You further represent, warrant and covenant that the consent of no other person or entity is or will be necessary for Shopify to use the submitted content. 
50 | - By submitting content to Shopify, you irrevocably waive all moral rights which you may have in the content. 51 | - All content submitted by you to Shopify under this program is licensed under the MIT License. 52 | - You must report any discovered vulnerability to Shopify as soon as you have validated the vulnerability. 53 | - Failure to follow any of the foregoing rules will disqualify you from participating in this program. 54 | 55 | \*\* Please see our [Hackerone Profile](https://hackerone.com/shopify) for full details 56 | 57 | ## Receiving Security Updates 58 | 59 | To receive all general updates to vulnerabilities, please subscribe to our hackerone [Hacktivity](https://hackerone.com/shopify/hacktivity) 60 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "my-node-app", 3 | "version": "1.0.0", 4 | "main": "web/index.js", 5 | "license": "UNLICENSED", 6 | "scripts": { 7 | "shopify": "shopify", 8 | "build": "shopify app build", 9 | "dev": "shopify app dev", 10 | "info": "shopify app info", 11 | "generate": "shopify app generate", 12 | "deploy": "shopify app deploy" 13 | }, 14 | "dependencies": { 15 | "@shopify/app": "^3.0.0", 16 | "@shopify/cli": "^3.0.0" 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /shopify.app.toml: -------------------------------------------------------------------------------- 1 | # This file stores configurations for your Shopify app. 
2 |
3 | scopes = "write_products"
4 |
--------------------------------------------------------------------------------
/web/gdpr.js:
--------------------------------------------------------------------------------
1 | import { DeliveryMethod } from "@shopify/shopify-api";
2 |
3 | /**
4 |  * Handlers for Shopify's mandatory privacy webhooks, keyed by topic.
5 |  *
6 |  * NOTE(review): every callback below is a template stub. It parses the body
7 |  * and discards the result, so as written nothing is exported or erased.
8 |  * Each handler has to be implemented before the app stores customer data.
9 |  *
10 |  * @type {{[key: string]: import("@shopify/shopify-api").WebhookHandler}}
11 |  */
12 | export default {
13 |   /**
14 |    * Customers can request their data from a store owner. When this happens,
15 |    * Shopify invokes this webhook.
16 |    *
17 |    * https://shopify.dev/docs/apps/webhooks/configuration/mandatory-webhooks#customers-data_request
18 |    */
19 |   CUSTOMERS_DATA_REQUEST: {
20 |     deliveryMethod: DeliveryMethod.Http,
21 |     callbackUrl: "/api/webhooks",
22 |     callback: async (topic, shop, body, webhookId) => {
23 |       // JSON.parse throws on a malformed body. Presumably the caller
24 |       // (shopify.processWebhooks in index.js) has already verified the
25 |       // webhook signature before this callback runs; confirm.
26 |       const payload = JSON.parse(body);
27 |       // TODO: `payload` is unused. Gather the data this app holds for the
28 |       // customer so the store owner can answer the request. Do not log the
29 |       // payload: it carries the customer's email and phone number.
30 |       // Payload has the following shape:
31 |       // {
32 |       //   "shop_id": 954889,
33 |       //   "shop_domain": "{shop}.myshopify.com",
34 |       //   "orders_requested": [
35 |       //     299938,
36 |       //     280263,
37 |       //     220458
38 |       //   ],
39 |       //   "customer": {
40 |       //     "id": 191167,
41 |       //     "email": "john@example.com",
42 |       //     "phone": "555-625-1199"
43 |       //   },
44 |       //   "data_request": {
45 |       //     "id": 9999
46 |       //   }
47 |       // }
48 |     },
49 |   },
50 |
51 |   /**
52 |    * Store owners can request that data is deleted on behalf of a customer. When
53 |    * this happens, Shopify invokes this webhook.
54 |    *
55 |    * https://shopify.dev/docs/apps/webhooks/configuration/mandatory-webhooks#customers-redact
56 |    */
57 |   CUSTOMERS_REDACT: {
58 |     deliveryMethod: DeliveryMethod.Http,
59 |     callbackUrl: "/api/webhooks",
60 |     callback: async (topic, shop, body, webhookId) => {
61 |       const payload = JSON.parse(body);
62 |       // TODO: `payload` is unused. Erase or anonymise what this app stores
63 |       // for the customer and the listed orders; avoid logging the payload.
64 |       // Payload has the following shape:
65 |       // {
66 |       //   "shop_id": 954889,
67 |       //   "shop_domain": "{shop}.myshopify.com",
68 |       //   "customer": {
69 |       //     "id": 191167,
70 |       //     "email": "john@example.com",
71 |       //     "phone": "555-625-1199"
72 |       //   },
73 |       //   "orders_to_redact": [
74 |       //     299938,
75 |       //     280263,
76 |       //     220458
77 |       //   ]
78 |       // }
79 |     },
80 |   },
81 |
82 |   /**
83 |    * 48 hours after a store owner uninstalls your app, Shopify invokes this
84 |    * webhook.
85 |    *
86 |    * https://shopify.dev/docs/apps/webhooks/configuration/mandatory-webhooks#shop-redact
87 |    */
88 |   SHOP_REDACT: {
89 |     deliveryMethod: DeliveryMethod.Http,
90 |     callbackUrl: "/api/webhooks",
91 |     callback: async (topic, shop, body, webhookId) => {
92 |       const payload = JSON.parse(body);
93 |       // TODO: `payload` is unused. Erase everything this app stores for the
94 |       // shop; presumably that includes its persisted sessions (confirm).
95 |       // Payload has the following shape:
96 |       // {
97 |       //   "shop_id": 954889,
98 |       //   "shop_domain": "{shop}.myshopify.com"
99 |       // }
100 |     },
101 |   },
102 | };
103 |
--------------------------------------------------------------------------------
/web/index.js:
--------------------------------------------------------------------------------
1 | // @ts-check
2 | import { join } from "path";
3 | import { readFileSync } from "fs";
4 | import express from "express";
5 | import serveStatic from "serve-static";
6 |
7 | import shopify from "./shopify.js";
8 | import productCreator from "./product-creator.js";
9 | import GDPRWebhookHandlers from "./gdpr.js";
10 |
11 | const PORT = parseInt(
12 |   process.env.BACKEND_PORT || process.env.PORT || "3000",
13 |   10
14 | );
15 |
16 | const STATIC_PATH =
17 |   process.env.NODE_ENV === "production"
18 |     ?
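`${process.cwd()}/frontend/dist`
19 |     : `${process.cwd()}/frontend/`;
20 |
21 | const app = express();
22 |
23 | // Set up Shopify authentication and webhook handling.
24 | // These routes live under /api/ but are registered before the session check
25 | // below, so they are served without an authenticated session.
26 | app.get(shopify.config.auth.path, shopify.auth.begin());
27 | app.get(
28 |   shopify.config.auth.callbackPath,
29 |   shopify.auth.callback(),
30 |   shopify.redirectToShopifyOrAppRoot()
31 | );
32 | // Registered ahead of express.json(); presumably processWebhooks needs the
33 | // unparsed body to verify the webhook signature, so keep this order (confirm).
34 | app.post(
35 |   shopify.config.webhooks.path,
36 |   shopify.processWebhooks({ webhookHandlers: GDPRWebhookHandlers })
37 | );
38 |
39 | // If you are adding routes outside of the /api path, remember to
40 | // also add a proxy rule for them in web/frontend/vite.config.js
41 |
42 | // Every /api route registered after this line requires a valid session; a
43 | // route added above it would be reachable without one.
44 | app.use("/api/*", shopify.validateAuthenticatedSession());
45 |
46 | app.use(express.json());
47 |
48 | app.get("/api/products/count", async (_req, res) => {
49 |   try {
50 |     const countData = await shopify.api.rest.Product.count({
51 |       session: res.locals.shopify.session,
52 |     });
53 |     res.status(200).send(countData);
54 |   } catch (e) {
55 |     // Answer the failure explicitly instead of letting the rejection escape
56 |     // the async handler; details stay in the server log.
57 |     console.log(`Failed to process products/count: ${e.message}`);
58 |     res.status(500).send({ error: "Failed to count products" });
59 |   }
60 | });
61 |
62 | // NOTE(review): this GET creates products. POST is the safer verb for a
63 | // state-changing route, but switching needs the frontend caller (not shown
64 | // here) changed in the same step.
65 | app.get("/api/products/create", async (_req, res) => {
66 |   let status = 200;
67 |   let error = null;
68 |
69 |   try {
70 |     await productCreator(res.locals.shopify.session);
71 |   } catch (e) {
72 |     // productCreator appends the serialized GraphQL error response to the
73 |     // message, so log it here and send the client a generic error only.
74 |     console.log(`Failed to process products/create: ${e.message}`);
75 |     status = 500;
76 |     error = "Failed to create products";
77 |   }
78 |   res.status(status).send({ success: status === 200, error });
79 | });
80 |
81 | app.use(shopify.cspHeaders());
82 | app.use(serveStatic(STATIC_PATH, { index: false }));
83 |
84 | // Fallback for every other path: serve the frontend entry page once
85 | // ensureInstalledOnShop has passed the request on.
86 | app.use("/*", shopify.ensureInstalledOnShop(), async (_req, res, _next) => {
87 |   return res
88 |     .status(200)
89 |     .set("Content-Type", "text/html")
90 |     .send(readFileSync(join(STATIC_PATH, "index.html")));
91 | });
92 |
93 | app.listen(PORT);
94 |
--------------------------------------------------------------------------------
/web/package.json:
--------------------------------------------------------------------------------
1 | {
2 |   "name": "shopify-app-template-node",
3 |   "version": "1.0.0",
4 |   "private": true,
5 |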
"license": "UNLICENSED", 6 | "scripts": { 7 | "debug": "node --inspect-brk index.js", 8 | "dev": "cross-env NODE_ENV=development nodemon index.js --ignore ./frontend", 9 | "serve": "cross-env NODE_ENV=production node index.js" 10 | }, 11 | "type": "module", 12 | "engines": { 13 | "node": ">=14.13.1" 14 | }, 15 | "dependencies": { 16 | "@shopify/shopify-app-express": "^2.1.3", 17 | "@shopify/shopify-app-session-storage-sqlite": "^1.2.3", 18 | "compression": "^1.7.4", 19 | "cross-env": "^7.0.3", 20 | "serve-static": "^1.14.1" 21 | }, 22 | "devDependencies": { 23 | "nodemon": "^2.0.15", 24 | "prettier": "^2.6.2", 25 | "pretty-quick": "^3.1.3" 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /web/product-creator.js: -------------------------------------------------------------------------------- 1 | import { GraphqlQueryError } from "@shopify/shopify-api"; 2 | import shopify from "./shopify.js"; 3 | 4 | const ADJECTIVES = [ 5 | "autumn", 6 | "hidden", 7 | "bitter", 8 | "misty", 9 | "silent", 10 | "empty", 11 | "dry", 12 | "dark", 13 | "summer", 14 | "icy", 15 | "delicate", 16 | "quiet", 17 | "white", 18 | "cool", 19 | "spring", 20 | "winter", 21 | "patient", 22 | "twilight", 23 | "dawn", 24 | "crimson", 25 | "wispy", 26 | "weathered", 27 | "blue", 28 | "billowing", 29 | "broken", 30 | "cold", 31 | "damp", 32 | "falling", 33 | "frosty", 34 | "green", 35 | "long", 36 | ]; 37 | 38 | const NOUNS = [ 39 | "waterfall", 40 | "river", 41 | "breeze", 42 | "moon", 43 | "rain", 44 | "wind", 45 | "sea", 46 | "morning", 47 | "snow", 48 | "lake", 49 | "sunset", 50 | "pine", 51 | "shadow", 52 | "leaf", 53 | "dawn", 54 | "glitter", 55 | "forest", 56 | "hill", 57 | "cloud", 58 | "meadow", 59 | "sun", 60 | "glade", 61 | "bird", 62 | "brook", 63 | "butterfly", 64 | "bush", 65 | "dew", 66 | "dust", 67 | "field", 68 | "fire", 69 | "flower", 70 | ]; 71 | 72 | export const DEFAULT_PRODUCTS_COUNT = 5; 73 | const CREATE_PRODUCTS_MUTATION = ` 
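74 |   mutation populateProduct($input: ProductInput!) {
75 |     productCreate(input: $input) {
76 |       product {
77 |         id
78 |       }
79 |     }
80 |   }
81 | `;
82 |
83 | /**
84 |  * Create `count` sample products on the shop that owns `session`, one
85 |  * GraphQL mutation per product, each with a random title and price.
86 |  *
87 |  * @param session - Shopify session passed to the GraphQL client.
88 |  * @param {number} [count] - Number of products to create.
89 |  * @throws {Error} On a GraphqlQueryError: a new Error whose message carries
90 |  *   the serialized error response. Keep that message in server logs; do not
91 |  *   return it to the browser. Any other error is rethrown unchanged.
92 |  */
93 | export default async function productCreator(
94 |   session,
95 |   count = DEFAULT_PRODUCTS_COUNT
96 | ) {
97 |   const client = new shopify.api.clients.Graphql({ session });
98 |
99 |   try {
100 |     for (let i = 0; i < count; i++) {
101 |       await client.query({
102 |         data: {
103 |           query: CREATE_PRODUCTS_MUTATION,
104 |           variables: {
105 |             input: {
106 |               title: randomTitle(),
107 |               variants: [{ price: randomPrice() }],
108 |             },
109 |           },
110 |         },
111 |       });
112 |     }
113 |   } catch (error) {
114 |     if (error instanceof GraphqlQueryError) {
115 |       // Attach the original error as `cause` so its stack is kept; runtimes
116 |       // without Error `cause` support ignore the extra argument.
117 |       throw new Error(
118 |         `${error.message}\n${JSON.stringify(error.response, null, 2)}`,
119 |         { cause: error }
120 |       );
121 |     }
122 |     throw error;
123 |   }
124 | }
125 |
126 | /** Pick a random "adjective noun" title from ADJECTIVES and NOUNS. */
127 | function randomTitle() {
128 |   const adjective = ADJECTIVES[Math.floor(Math.random() * ADJECTIVES.length)];
129 |   const noun = NOUNS[Math.floor(Math.random() * NOUNS.length)];
130 |   return `${adjective} ${noun}`;
131 | }
132 |
133 | /**
134 |  * Random price from 0 to 10, rounded to two decimals. Sample data only:
135 |  * Math.random is not suitable for anything security-sensitive.
136 |  */
137 | function randomPrice() {
138 |   return Math.round((Math.random() * 10 + Number.EPSILON) * 100) / 100;
139 | }
140 |
--------------------------------------------------------------------------------
/web/shopify.js:
--------------------------------------------------------------------------------
1 | import { BillingInterval, LATEST_API_VERSION } from "@shopify/shopify-api";
2 | import { shopifyApp } from "@shopify/shopify-app-express";
3 | import { SQLiteSessionStorage } from "@shopify/shopify-app-session-storage-sqlite";
4 | import { restResources } from "@shopify/shopify-api/rest/admin/2023-04";
5 |
6 | const DB_PATH = `${process.cwd()}/database.sqlite`;
7 |
8 | // The transactions with Shopify will always be marked as test transactions, unless NODE_ENV is production.
9 | // See the ensureBilling helper to learn more about billing in this template.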
10 | // Example billing plan. It is not active as written: `billing` below is undefined.
11 | const billingConfig = {
12 |   "My Shopify One-Time Charge": {
13 |     // This is an example configuration that would do a one-time charge for $5 (only USD is currently supported)
14 |     amount: 5.0,
15 |     currencyCode: "USD",
16 |     interval: BillingInterval.OneTime,
17 |   },
18 | };
19 |
20 | const shopify = shopifyApp({
21 |   api: {
22 |     // NOTE(review): apiVersion follows LATEST_API_VERSION while restResources
23 |     // is imported from the 2023-04 REST resources; after a library upgrade
24 |     // the two can point at different API versions. Confirm they are meant to match.
25 |     apiVersion: LATEST_API_VERSION,
26 |     restResources,
27 |     billing: undefined, // or replace with billingConfig above to enable example billing
28 |   },
29 |   auth: {
30 |     path: "/api/auth",
31 |     callbackPath: "/api/auth/callback",
32 |   },
33 |   webhooks: {
34 |     path: "/api/webhooks",
35 |   },
36 |   // This should be replaced with your preferred storage strategy
37 |   // NOTE(review): sessions are written to DB_PATH, database.sqlite in the
38 |   // working directory. They presumably hold each shop's access token, so keep
39 |   // the file out of version control and built images and limit who can read
40 |   // it (confirm what the session records contain).
41 |   sessionStorage: new SQLiteSessionStorage(DB_PATH),
42 | });
43 |
44 | export default shopify;
45 |
--------------------------------------------------------------------------------
/web/shopify.web.toml:
--------------------------------------------------------------------------------
1 | type="backend"
2 |
3 | [commands]
4 | dev = "npm run dev"
5 |
--------------------------------------------------------------------------------