SessionRepository#delete_session shouldn't use actual models when destroying records

[zzooeeyy]

Issue summary

SessionRepository#delete_session is using the actual model classes (User, Shop) when destroying records.
We shouldn't be doing this since other apps might not use the same models.

In code:

 def delete_session(id)
  match = id.match(/^offline_(.*)/)

  record = if match
    domain = match[1]
    ShopifyApp::Logger.debug("Destroying session by domain - domain: #{domain}")
    Shop.find_by(shopify_domain: match[1]) ######### <------------ Problematic
  else
    shopify_user_id = id.split("_").last
    ShopifyApp::Logger.debug("Destroying session by user - user_id: #{shopify_user_id}")
    User.find_by(shopify_user_id: shopify_user_id)  ######### <------------ Problematic
  end

  record.destroy

  true
end

• shopify_api version: latest
• shopify_app version: latest (21.6.0)
• Ruby version: any
• Operating system: any

Expected behavior

Proxy through SessionRepository.user_storage or SessionRepository.shop_storage similar to load_session and store_session.

Actual behavior

We should not be using the Shop or User models directly since it might not exist on other applications.