Shopify / shopify_app

A Rails Engine for building Shopify Apps
MIT License

Remove JWT middleware #1861

Closed danielpgross closed 3 months ago

danielpgross commented 3 months ago

What this PR does

Closes #1744

Removes the JWT middleware, since JWT authentication was moved to shopify-api-ruby in v19 and then the related ShopifyApp::JWT class was deprecated here (see upgrading guide).

Checklist

Before submitting the PR, please consider if any of the following are needed:

danielpgross commented 3 months ago

Very nice! This LGTM, though others should review too.

Admittedly, I'm having trouble following the code that actually ensures a Shopify app verifies the ID token is present and valid. The code I'm reading seems to indicate we do some kind of token exchange -- but I thought we fully relied on the JWT, without any external calls.

Could you please walk me through the flow?

Thanks @tgwizard! Will walk you through it according to my understanding:

  1. An app includes the EnsureHasSession concern in a given controller to restrict that controller to requests that are authenticated with a valid session -- think of this as the entry point to the flow.
  2. EnsureHasSession includes LoginProtection and sets up activate_shopify_session from there as an around_action: https://github.com/Shopify/shopify_app/blob/ef54cdc1742d77e5410218e72bfb864fa2623861/app/controllers/concerns/shopify_app/ensure_has_session.rb#L16
  3. activate_shopify_session calls current_shopify_session, which calls load_current_session and in turn ShopifyAPI::Utils::SessionUtils.current_session_id: https://github.com/Shopify/shopify_app/blob/ef54cdc1742d77e5410218e72bfb864fa2623861/lib/shopify_app/controller_concerns/login_protection.rb#L25 https://github.com/Shopify/shopify_app/blob/ef54cdc1742d77e5410218e72bfb864fa2623861/lib/shopify_app/controller_concerns/login_protection.rb#L56 https://github.com/Shopify/shopify_app/blob/ef54cdc1742d77e5410218e72bfb864fa2623861/lib/shopify_app/controller_concerns/login_protection.rb#L264
  4. Now we're in ShopifyAPI land, and session_id_from_shopify_id_token gets called: https://github.com/Shopify/shopify-api-ruby/blob/a64f7dd391306033ca58399b42fa32207ba6dc34/lib/shopify_api/utils/session_utils.rb#L23
  5. The JWT finally gets decoded and then a session ID is generated from it: https://github.com/Shopify/shopify-api-ruby/blob/a64f7dd391306033ca58399b42fa32207ba6dc34/lib/shopify_api/utils/session_utils.rb#L48
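Step 5 of the walkthrough above is where the security decision actually happens, so here is an added, stand-alone illustration of it. This is example code written for this page, not code from shopify_app or shopify-api-ruby: it verifies a Shopify session token (an HS256 JWT signed with the app's API secret) entirely offline, with no call to Shopify, and then derives a session ID from the verified claims. The API key, secret, shop domain and fixed clock are constructed fixtures; the `shop_user` / `offline_shop` session-ID shape is an assumption made for the example, not a documented contract of the library.

```ruby
require "openssl"
require "json"
require "uri"

# Constructed fixture credentials for this example; not real Shopify values.
EXAMPLE_API_KEY    = "example-api-key"
EXAMPLE_API_SECRET = "example-api-secret-do-not-use"
EXAMPLE_NOW        = 1_700_000_000 # fixed clock so the example is deterministic

class InvalidSessionToken < StandardError; end

def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str + ("=" * ((4 - str.length % 4) % 4))
  padded.tr("-_", "+/").unpack1("m0") # strict decode; raises ArgumentError on junk
end

# Constant-time comparison so the signature check does not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Builds an HS256-signed token shaped like a Shopify session token. Used here only
# to construct test input; real tokens are minted by Shopify (App Bridge).
def sign_session_token(payload, secret)
  header = { alg: "HS256", typ: "JWT" }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  sig = OpenSSL::HMAC.digest("SHA256", secret, signing_input)
  "#{signing_input}.#{b64url_encode(sig)}"
end

# Verifies the token offline: HS256 signature with the app's API secret, then
# exp/nbf/aud, then that iss and dest name the same, well-formed shop domain.
# Returns the shop domain and user id (sub) on success, raises otherwise.
def verify_session_token(token, api_key:, api_secret:, now:)
  parts = token.to_s.split(".")
  raise InvalidSessionToken, "malformed token" unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts

  header = JSON.parse(b64url_decode(header_b64))
  raise InvalidSessionToken, "unexpected alg #{header['alg'].inspect}" unless header["alg"] == "HS256"

  expected = OpenSSL::HMAC.digest("SHA256", api_secret, "#{header_b64}.#{payload_b64}")
  raise InvalidSessionToken, "bad signature" unless secure_equal?(expected, b64url_decode(sig_b64))

  claims = JSON.parse(b64url_decode(payload_b64))
  raise InvalidSessionToken, "expired" unless claims["exp"].is_a?(Integer) && now < claims["exp"]
  raise InvalidSessionToken, "not yet valid" if claims["nbf"] && now < claims["nbf"]
  raise InvalidSessionToken, "wrong audience" unless claims["aud"] == api_key

  iss_host  = URI(claims["iss"].to_s).host
  dest_host = URI(claims["dest"].to_s).host
  unless dest_host && dest_host == iss_host && dest_host.match?(/\A[a-z0-9][a-z0-9-]*\.myshopify\.com\z/i)
    raise InvalidSessionToken, "iss/dest do not name a valid shop"
  end

  { shop: dest_host, user_id: claims["sub"].to_s }
rescue ArgumentError, JSON::ParserError, URI::Error => e
  raise InvalidSessionToken, "undecodable token: #{e.class}"
end

# Derives the ID under which the app looks up its stored session. The
# "shop_user" (online) / "offline_shop" (offline) shape is an assumption for this
# example, not a documented contract of shopify-api-ruby.
def session_id_from_claims(claims, online:)
  online ? "#{claims[:shop]}_#{claims[:user_id]}" : "offline_#{claims[:shop]}"
end

# Constructed token for a fictional shop; exp is one minute past the fixed clock.
EXAMPLE_TOKEN = sign_session_token(
  { iss: "https://example-shop.myshopify.com/admin", dest: "https://example-shop.myshopify.com",
    aud: EXAMPLE_API_KEY, sub: "42", exp: EXAMPLE_NOW + 60, nbf: EXAMPLE_NOW - 60,
    iat: EXAMPLE_NOW - 60, jti: "constructed-jti", sid: "constructed-sid" },
  EXAMPLE_API_SECRET
)

if __FILE__ == $PROGRAM_NAME
  claims = verify_session_token(EXAMPLE_TOKEN, api_key: EXAMPLE_API_KEY,
                                api_secret: EXAMPLE_API_SECRET, now: EXAMPLE_NOW)
  puts session_id_from_claims(claims, online: true)
end
```

The point of the example is the one raised in the question above: nothing here talks to Shopify. The only secret involved is the app's API secret, and a token that fails any of the signature, expiry or audience checks is rejected before a session ID is ever derived from it.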

danielpgross commented 3 months ago

I tested this using a new test app created with https://github.com/Shopify/shopify-app-template-ruby and it's working as expected 👍