Add shop validation

[gonzaloriestra]

Description

https://docs.google.com/document/d/1c0iXhKBpm-yhvff0iSgq1XwBSPL39fTBVajIJ3svaxU/edit?usp=sharing

Checklist:

• My commit message follow the pattern described in here
• I have performed a self-review of my own code.
• I have added tests that prove my fix is effective or that my feature works.
• I have updated the project documentation.
• I have added a changelog line.

[lizkenyon]

If we are no longer using the shop param. We could deprecate it, so it can be removed in the next major version.

  jwt_payload = ShopifyAPI::Auth::JwtPayload.new(session_token)
  dest_shop = jwt_payload.shop

  if shop != dest_shop
    ShopifyAPI::Context.logger.warn(
      "shop parameter (#{shop}) does not match session token dest claim (#{dest_shop}). " \
      "The dest claim will be used. The shop parameter is deprecated for exchange_token " \
      "and will be removed in a future major version."
    )
  end

[zzooeeyy]

I also agree! We should remove shop from this method's arguments

[lizkenyon]

I think we need to modify the ShopValidator check to protect against URLs like "attacker.com/.myshopify.com". This passes validation since it ends with .myshopify.com, but URI.parse resolves the host to
attacker.com

[lizkenyon]

This could probably be module similar to hmac

[zzooeeyy]

There's also a similar sanitize method from shopify_app gem, I wonder if the logic can be extracted so we don't have to maintain 2 packages for validating Shopify URLS

[zzooeeyy]

I also agree! We should remove shop from this method's arguments

[zzooeeyy]

validate might be a misleading method name since it does more than validation and returns the sanitized shop name