@shopify/cli-kit 3.0.23 → 3.0.26

package/dist/session/schema.js

@@ -0,0 +1,59 @@
+import { define } from '../schema.js';
+const DateSchema = define.preprocess((arg) => {
+    if (typeof arg === 'string' || arg instanceof Date)
+        return new Date(arg);
+    return null;
+}, define.date());
+/**
+ * The schema represents an Identity token.
+ */
+const IdentityTokenSchema = define.object({
+    accessToken: define.string(),
+    refreshToken: define.string(),
+    expiresAt: DateSchema,
+    scopes: define.array(define.string()),
+});
+/**
+ * The schema represents an application token.
+ */
+const ApplicationTokenSchema = define.object({
+    accessToken: define.string(),
+    expiresAt: DateSchema,
+    scopes: define.array(define.string()),
+});
+/**
+ * This schema represents the format of the session
+ * that we cache in the system to avoid unnecessary
+ * token exchanges.
+ *
+ * @example
+ * {
+ *    "accounts.shopify.com": {
+ *      "identity": {...} // IdentityTokenSchema
+ *      "applications": {
+ *        "${domain}-application-id": {  // Admin APIs includes domain in the key
+ *          "accessToken": "...",
+ *        },
+ *        "$application-id": { // ApplicationTokenSchema
+ *          "accessToken": "...",
+ *        },
+ *      }
+ *    },
+ *    "identity.spin.com": {...}
+ *}
+ *
+ */
+export const SessionSchema = define.object({}).catchall(define.object({
+    /**
+     * It contains the identity token. Before usint it, we exchange it
+     * to get a token that we can use with different applications. The exchanged
+     * tokens for the applications are stored under applications.
+     */
+    identity: IdentityTokenSchema,
+    /**
+     * It contains exchanged tokens for the applications the CLI
+     * authenticates with. Tokens are scoped under the fqdn of the applications.
+     */
+    applications: define.object({}).catchall(ApplicationTokenSchema),
+}));
+//# sourceMappingURL=schema.js.map

package/dist/session/schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../src/session/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,MAAM,EAAC,MAAM,cAAc,CAAA;AAEnC,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,EAAE,EAAE;IAC3C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,YAAY,IAAI;QAAE,OAAO,IAAI,IAAI,CAAC,GAAG,CAAC,CAAA;IACxE,OAAO,IAAI,CAAA;AACb,CAAC,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAA;AAEjB;;GAEG;AACH,MAAM,mBAAmB,GAAG,MAAM,CAAC,MAAM,CAAC;IACxC,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE;IAC5B,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE;IAC7B,SAAS,EAAE,UAAU;IACrB,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;CACtC,CAAC,CAAA;AAEF;;GAEG;AACH,MAAM,sBAAsB,GAAG,MAAM,CAAC,MAAM,CAAC;IAC3C,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE;IAC5B,SAAS,EAAE,UAAU;IACrB,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;CACtC,CAAC,CAAA;AAEF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,QAAQ,CACrD,MAAM,CAAC,MAAM,CAAC;IACZ;;;;OAIG;IACH,QAAQ,EAAE,mBAAmB;IAC7B;;;OAGG;IACH,YAAY,EAAE,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,sBAAsB,CAAC;CACjE,CAAC,CACH,CAAA","sourcesContent":["import {define} from '../schema.js'\n\nconst DateSchema = define.preprocess((arg) => {\n  if (typeof arg === 'string' || arg instanceof Date) return new Date(arg)\n  return null\n}, define.date())\n\n/**\n * The schema represents an Identity token.\n */\nconst IdentityTokenSchema = define.object({\n  accessToken: define.string(),\n  refreshToken: define.string(),\n  expiresAt: DateSchema,\n  scopes: define.array(define.string()),\n})\n\n/**\n * The schema represents an application token.\n */\nconst ApplicationTokenSchema = define.object({\n  accessToken: define.string(),\n  expiresAt: DateSchema,\n  scopes: define.array(define.string()),\n})\n\n/**\n * This schema represents the format of the session\n * that we cache in the system to avoid unnecessary\n * token exchanges.\n *\n * @example\n * {\n *    \"accounts.shopify.com\": {\n *      \"identity\": {...} // IdentityTokenSchema\n *      \"applications\": {\n *        \"${domain}-application-id\": {  // Admin APIs includes domain in the key\n *          \"accessToken\": \"...\",\n *        },\n *        \"$application-id\": { // ApplicationTokenSchema\n *          \"accessToken\": \"...\",\n *        },\n *      }\n *    },\n *    \"identity.spin.com\": {...}\n *}\n *\n */\nexport const SessionSchema = define.object({}).catchall(\n  define.object({\n    /**\n     * It contains the identity token. Before usint it, we exchange it\n     * to get a token that we can use with different applications. The exchanged\n     * tokens for the applications are stored under applications.\n     */\n    identity: IdentityTokenSchema,\n    /**\n     * It contains exchanged tokens for the applications the CLI\n     * authenticates with. Tokens are scoped under the fqdn of the applications.\n     */\n    applications: define.object({}).catchall(ApplicationTokenSchema),\n  }),\n)\n\nexport type Session = define.infer<typeof SessionSchema>\nexport type IdentityToken = define.infer<typeof IdentityTokenSchema>\nexport type ApplicationToken = define.infer<typeof ApplicationTokenSchema>\n"]}

package/dist/session/scopes.d.ts

@@ -0,0 +1,16 @@
+import { API } from '../network/api.js';
+/**
+ * Generate a flat array with all the default scopes for all the APIs plus
+ * any custom scope defined by the user.
+ * @param extraScopes custom user-defined scopes
+ * @returns Array of scopes
+ */
+export declare function allDefaultScopes(extraScopes?: string[]): string[];
+/**
+ * Generate a flat array with the default scopes for the given API plus
+ * any custom scope defined by the user
+ * @param api API to get the scopes for
+ * @param extraScopes custom user-defined scopes
+ * @returns Array of scopes
+ */
+export declare function apiScopes(api: API, extraScopes?: string[]): string[];

package/dist/session/scopes.js

@@ -0,0 +1,53 @@
+import { Bug } from '../error.js';
+import { allAPIs } from '../network/api.js';
+/**
+ * Generate a flat array with all the default scopes for all the APIs plus
+ * any custom scope defined by the user.
+ * @param extraScopes custom user-defined scopes
+ * @returns Array of scopes
+ */
+export function allDefaultScopes(extraScopes = []) {
+    let scopes = allAPIs.map(defaultApiScopes).flat();
+    scopes = ['openid', ...scopes, ...extraScopes].map(scopeTransform);
+    return Array.from(new Set(scopes));
+}
+/**
+ * Generate a flat array with the default scopes for the given API plus
+ * any custom scope defined by the user
+ * @param api API to get the scopes for
+ * @param extraScopes custom user-defined scopes
+ * @returns Array of scopes
+ */
+export function apiScopes(api, extraScopes = []) {
+    const scopes = ['openid', ...defaultApiScopes(api), ...extraScopes.map(scopeTransform)].map(scopeTransform);
+    return Array.from(new Set(scopes));
+}
+function defaultApiScopes(api) {
+    switch (api) {
+        case 'admin':
+            return ['graphql', 'themes', 'collaborator'];
+        case 'storefront-renderer':
+            return ['devtools'];
+        case 'partners':
+            return ['cli'];
+        default:
+            throw new Bug(`Unknown API: ${api}`);
+    }
+}
+function scopeTransform(scope) {
+    switch (scope) {
+        case 'graphql':
+            return 'https://api.shopify.com/auth/shop.admin.graphql';
+        case 'themes':
+            return 'https://api.shopify.com/auth/shop.admin.themes';
+        case 'collaborator':
+            return 'https://api.shopify.com/auth/partners.collaborator-relationships.readonly';
+        case 'cli':
+            return 'https://api.shopify.com/auth/partners.app.cli.access';
+        case 'devtools':
+            return 'https://api.shopify.com/auth/shop.storefront-renderer.devtools';
+        default:
+            return scope;
+    }
+}
+//# sourceMappingURL=scopes.js.map

package/dist/session/scopes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scopes.js","sourceRoot":"","sources":["../../src/session/scopes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,GAAG,EAAC,MAAM,aAAa,CAAA;AAC/B,OAAO,EAAC,OAAO,EAAM,MAAM,mBAAmB,CAAA;AAE9C;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,cAAwB,EAAE;IACzD,IAAI,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,IAAI,EAAE,CAAA;IACjD,MAAM,GAAG,CAAC,QAAQ,EAAE,GAAG,MAAM,EAAE,GAAG,WAAW,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;IAClE,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,CAAA;AACpC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,SAAS,CAAC,GAAQ,EAAE,cAAwB,EAAE;IAC5D,MAAM,MAAM,GAAG,CAAC,QAAQ,EAAE,GAAG,gBAAgB,CAAC,GAAG,CAAC,EAAE,GAAG,WAAW,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;IAC3G,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,CAAA;AACpC,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAQ;IAChC,QAAQ,GAAG,EAAE;QACX,KAAK,OAAO;YACV,OAAO,CAAC,SAAS,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAA;QAC9C,KAAK,qBAAqB;YACxB,OAAO,CAAC,UAAU,CAAC,CAAA;QACrB,KAAK,UAAU;YACb,OAAO,CAAC,KAAK,CAAC,CAAA;QAChB;YACE,MAAM,IAAI,GAAG,CAAC,gBAAgB,GAAG,EAAE,CAAC,CAAA;KACvC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAa;IACnC,QAAQ,KAAK,EAAE;QACb,KAAK,SAAS;YACZ,OAAO,iDAAiD,CAAA;QAC1D,KAAK,QAAQ;YACX,OAAO,gDAAgD,CAAA;QACzD,KAAK,cAAc;YACjB,OAAO,2EAA2E,CAAA;QACpF,KAAK,KAAK;YACR,OAAO,sDAAsD,CAAA;QAC/D,KAAK,UAAU;YACb,OAAO,gEAAgE,CAAA;QACzE;YACE,OAAO,KAAK,CAAA;KACf;AACH,CAAC","sourcesContent":["import {Bug} from '../error.js'\nimport {allAPIs, API} from '../network/api.js'\n\n/**\n * Generate a flat array with all the default scopes for all the APIs plus\n * any custom scope defined by the user.\n * @param extraScopes custom user-defined scopes\n * @returns Array of scopes\n */\nexport function allDefaultScopes(extraScopes: string[] = []): string[] {\n  let scopes = allAPIs.map(defaultApiScopes).flat()\n  scopes = ['openid', ...scopes, ...extraScopes].map(scopeTransform)\n  return Array.from(new Set(scopes))\n}\n\n/**\n * Generate a flat array with the default scopes for the given API plus\n * any custom scope defined by the user\n * @param api API to get the scopes for\n * @param extraScopes custom user-defined scopes\n * @returns Array of scopes\n */\nexport function apiScopes(api: API, extraScopes: string[] = []): string[] {\n  const scopes = ['openid', ...defaultApiScopes(api), ...extraScopes.map(scopeTransform)].map(scopeTransform)\n  return Array.from(new Set(scopes))\n}\n\nfunction defaultApiScopes(api: API): string[] {\n  switch (api) {\n    case 'admin':\n      return ['graphql', 'themes', 'collaborator']\n    case 'storefront-renderer':\n      return ['devtools']\n    case 'partners':\n      return ['cli']\n    default:\n      throw new Bug(`Unknown API: ${api}`)\n  }\n}\n\nfunction scopeTransform(scope: string): string {\n  switch (scope) {\n    case 'graphql':\n      return 'https://api.shopify.com/auth/shop.admin.graphql'\n    case 'themes':\n      return 'https://api.shopify.com/auth/shop.admin.themes'\n    case 'collaborator':\n      return 'https://api.shopify.com/auth/partners.collaborator-relationships.readonly'\n    case 'cli':\n      return 'https://api.shopify.com/auth/partners.app.cli.access'\n    case 'devtools':\n      return 'https://api.shopify.com/auth/shop.storefront-renderer.devtools'\n    default:\n      return scope\n  }\n}\n"]}

package/dist/session/store.d.ts

@@ -0,0 +1,24 @@
+import type { Session } from './schema.js';
+/**
+ * The identifier of the session in the secure store.
+ */
+export declare const identifier = "session";
+/**
+ * Serializes the session as a JSON and stores it securely in the system.
+ * If the secure store is not available, the session is stored in the local config.
+ * @param session {Session} the session to store.
+ */
+export declare function store(session: Session): Promise<void>;
+/**
+ * Fetches the session from the secure store and returns it.
+ * If the secure store is not available, the session is fetched from the local config.
+ * If the format of the session is invalid, the method will discard it.
+ * In the future might add some logic for supporting migrating the schema
+ * of already-persisted sessions.
+ * @returns {Promise<Session\undefined>} Returns a promise that resolves with the session if it exists and is valid.
+ */
+export declare function fetch(): Promise<Session | undefined>;
+/**
+ * Removes a session from the system.
+ */
+export declare function remove(): Promise<void>;

package/dist/session/store.js

@@ -0,0 +1,88 @@
+import { SessionSchema } from './schema.js';
+import constants from '../constants.js';
+import { platformAndArch } from '../os.js';
+import { store as secureStore, fetch as secureFetch, remove as secureRemove } from '../secure-store.js';
+import { cliKitStore } from '../store.js';
+import { content, debug } from '../output.js';
+/**
+ * The identifier of the session in the secure store.
+ */
+export const identifier = 'session';
+/**
+ * Serializes the session as a JSON and stores it securely in the system.
+ * If the secure store is not available, the session is stored in the local config.
+ * @param session {Session} the session to store.
+ */
+export async function store(session) {
+    const jsonSession = JSON.stringify(session);
+    if (await secureStoreAvailable()) {
+        await secureStore(identifier, jsonSession);
+    }
+    else {
+        await cliKitStore().setSession(jsonSession);
+    }
+}
+/**
+ * Fetches the session from the secure store and returns it.
+ * If the secure store is not available, the session is fetched from the local config.
+ * If the format of the session is invalid, the method will discard it.
+ * In the future might add some logic for supporting migrating the schema
+ * of already-persisted sessions.
+ * @returns {Promise<Session\undefined>} Returns a promise that resolves with the session if it exists and is valid.
+ */
+export async function fetch() {
+    let content;
+    if (await secureStoreAvailable()) {
+        content = await secureFetch(identifier);
+    }
+    else {
+        content = cliKitStore().getSession();
+    }
+    if (!content) {
+        return undefined;
+    }
+    const contentJson = JSON.parse(content);
+    const parsedSession = await SessionSchema.safeParseAsync(contentJson);
+    if (parsedSession.success) {
+        return parsedSession.data;
+    }
+    else {
+        await remove();
+        return undefined;
+    }
+}
+/**
+ * Removes a session from the system.
+ */
+export async function remove() {
+    if (await secureStoreAvailable()) {
+        await secureRemove(identifier);
+    }
+    else {
+        cliKitStore().removeSession();
+    }
+}
+/**
+ * Returns true if the secure store is available on the system.
+ * Keytar it's not supported on some Linux environments or Windows.
+ * More details: https://github.com/Shopify/shopify-cli-planning/issues/261
+ * @returns a boolean indicating if the secure store is available.
+ */
+async function secureStoreAvailable() {
+    try {
+        if (platformAndArch().platform === 'windows') {
+            debug(content `Secure store not supported on Windows`);
+            return false;
+        }
+        const keytar = await import('keytar');
+        await keytar.default.findCredentials(constants.keychain.service);
+        debug(content `Secure store is available`);
+        return true;
+        // eslint-disable-next-line no-catch-all/no-catch-all
+    }
+    catch (_error) {
+        debug(content `Failed to load secure store`);
+        return false;
+    }
+}
+//# sourceMappingURL=store.js.map

package/dist/session/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","sourceRoot":"","sources":["../../src/session/store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,aAAa,EAAC,MAAM,aAAa,CAAA;AACzC,OAAO,SAAS,MAAM,iBAAiB,CAAA;AACvC,OAAO,EAAC,eAAe,EAAC,MAAM,UAAU,CAAA;AACxC,OAAO,EAAC,KAAK,IAAI,WAAW,EAAE,KAAK,IAAI,WAAW,EAAE,MAAM,IAAI,YAAY,EAAC,MAAM,oBAAoB,CAAA;AACrG,OAAO,EAAC,WAAW,EAAC,MAAM,aAAa,CAAA;AACvC,OAAO,EAAC,OAAO,EAAE,KAAK,EAAC,MAAM,cAAc,CAAA;AAG3C;;GAEG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG,SAAS,CAAA;AAEnC;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,KAAK,CAAC,OAAgB;IAC1C,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IAC3C,IAAI,MAAM,oBAAoB,EAAE,EAAE;QAChC,MAAM,WAAW,CAAC,UAAU,EAAE,WAAW,CAAC,CAAA;KAC3C;SAAM;QACL,MAAM,WAAW,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,CAAA;KAC5C;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,KAAK;IACzB,IAAI,OAAO,CAAA;IACX,IAAI,MAAM,oBAAoB,EAAE,EAAE;QAChC,OAAO,GAAG,MAAM,WAAW,CAAC,UAAU,CAAC,CAAA;KACxC;SAAM;QACL,OAAO,GAAG,WAAW,EAAE,CAAC,UAAU,EAAE,CAAA;KACrC;IAED,IAAI,CAAC,OAAO,EAAE;QACZ,OAAO,SAAS,CAAA;KACjB;IACD,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;IACvC,MAAM,aAAa,GAAG,MAAM,aAAa,CAAC,cAAc,CAAC,WAAW,CAAC,CAAA;IACrE,IAAI,aAAa,CAAC,OAAO,EAAE;QACzB,OAAO,aAAa,CAAC,IAAI,CAAA;KAC1B;SAAM;QACL,MAAM,MAAM,EAAE,CAAA;QACd,OAAO,SAAS,CAAA;KACjB;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM;IAC1B,IAAI,MAAM,oBAAoB,EAAE,EAAE;QAChC,MAAM,YAAY,CAAC,UAAU,CAAC,CAAA;KAC/B;SAAM;QACL,WAAW,EAAE,CAAC,aAAa,EAAE,CAAA;KAC9B;AACH,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,oBAAoB;IACjC,IAAI;QACF,IAAI,eAAe,EAAE,CAAC,QAAQ,KAAK,SAAS,EAAE;YAC5C,KAAK,CAAC,OAAO,CAAA,uCAAuC,CAAC,CAAA;YACrD,OAAO,KAAK,CAAA;SACb;QACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAA;QACrC,MAAM,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;QAChE,KAAK,CAAC,OAAO,CAAA,2BAA2B,CAAC,CAAA;QACzC,OAAO,IAAI,CAAA;QACX,qDAAqD;KACtD;IAAC,OAAO,MAAM,EAAE;QACf,KAAK,CAAC,OAAO,CAAA,6BAA6B,CAAC,CAAA;QAC3C,OAAO,KAAK,CAAA;KACb;AACH,CAAC","sourcesContent":["import {SessionSchema} from './schema.js'\nimport constants from '../constants.js'\nimport {platformAndArch} from '../os.js'\nimport {store as secureStore, fetch as secureFetch, remove as secureRemove} from '../secure-store.js'\nimport {cliKitStore} from '../store.js'\nimport {content, debug} from '../output.js'\nimport type {Session} from './schema.js'\n\n/**\n * The identifier of the session in the secure store.\n */\nexport const identifier = 'session'\n\n/**\n * Serializes the session as a JSON and stores it securely in the system.\n * If the secure store is not available, the session is stored in the local config.\n * @param session {Session} the session to store.\n */\nexport async function store(session: Session) {\n  const jsonSession = JSON.stringify(session)\n  if (await secureStoreAvailable()) {\n    await secureStore(identifier, jsonSession)\n  } else {\n    await cliKitStore().setSession(jsonSession)\n  }\n}\n\n/**\n * Fetches the session from the secure store and returns it.\n * If the secure store is not available, the session is fetched from the local config.\n * If the format of the session is invalid, the method will discard it.\n * In the future might add some logic for supporting migrating the schema\n * of already-persisted sessions.\n * @returns {Promise<Session\\undefined>} Returns a promise that resolves with the session if it exists and is valid.\n */\nexport async function fetch(): Promise<Session | undefined> {\n  let content\n  if (await secureStoreAvailable()) {\n    content = await secureFetch(identifier)\n  } else {\n    content = cliKitStore().getSession()\n  }\n\n  if (!content) {\n    return undefined\n  }\n  const contentJson = JSON.parse(content)\n  const parsedSession = await SessionSchema.safeParseAsync(contentJson)\n  if (parsedSession.success) {\n    return parsedSession.data\n  } else {\n    await remove()\n    return undefined\n  }\n}\n\n/**\n * Removes a session from the system.\n */\nexport async function remove() {\n  if (await secureStoreAvailable()) {\n    await secureRemove(identifier)\n  } else {\n    cliKitStore().removeSession()\n  }\n}\n\n/**\n * Returns true if the secure store is available on the system.\n * Keytar it's not supported on some Linux environments or Windows.\n * More details: https://github.com/Shopify/shopify-cli-planning/issues/261\n * @returns a boolean indicating if the secure store is available.\n */\nasync function secureStoreAvailable(): Promise<boolean> {\n  try {\n    if (platformAndArch().platform === 'windows') {\n      debug(content`Secure store not supported on Windows`)\n      return false\n    }\n    const keytar = await import('keytar')\n    await keytar.default.findCredentials(constants.keychain.service)\n    debug(content`Secure store is available`)\n    return true\n    // eslint-disable-next-line no-catch-all/no-catch-all\n  } catch (_error) {\n    debug(content`Failed to load secure store`)\n    return false\n  }\n}\n"]}

package/dist/session/token.d.ts

@@ -0,0 +1,40 @@
+/**
+ * It represents a temporary token that can be
+ * used to send authenticated HTTP requests.
+ */
+declare class Token {
+    /**
+     * A fully-qualified domain name of the service
+     * this token is for.
+     */
+    fqdn: string;
+    /**
+     * Access token
+     */
+    accessToken: string;
+    /**
+     * Token to refresh the access token if it has expired.
+     */
+    refreshToken?: string;
+    /**
+     * The expiration date of the session
+     */
+    expiresAt: Date;
+    /**
+     * The list of scopes the token has access to.
+     */
+    scopes: string[];
+    constructor(options: {
+        fqdn: string;
+        accessToken: string;
+        refreshToken?: string;
+        expiresAt: Date;
+        scopes: string[];
+    });
+    /**
+     * Returns true if the session is expired.
+     * @returns {boolean} True if the session is expired.
+     */
+    get isExpired(): boolean;
+}
+export default Token;

package/dist/session/token.js

@@ -0,0 +1,22 @@
+/**
+ * It represents a temporary token that can be
+ * used to send authenticated HTTP requests.
+ */
+class Token {
+    constructor(options) {
+        this.fqdn = options.fqdn;
+        this.accessToken = options.accessToken;
+        this.refreshToken = options.refreshToken;
+        this.expiresAt = options.expiresAt;
+        this.scopes = options.scopes;
+    }
+    /**
+     * Returns true if the session is expired.
+     * @returns {boolean} True if the session is expired.
+     */
+    get isExpired() {
+        return new Date() > this.expiresAt;
+    }
+}
+export default Token;
+//# sourceMappingURL=token.js.map

package/dist/session/token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token.js","sourceRoot":"","sources":["../../src/session/token.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,KAAK;IA2BT,YAAY,OAAsG;QAChH,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAA;QACxB,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAA;QACtC,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAA;QACxC,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;QAClC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAA;IAC9B,CAAC;IAED;;;OAGG;IACH,IAAI,SAAS;QACX,OAAO,IAAI,IAAI,EAAE,GAAG,IAAI,CAAC,SAAS,CAAA;IACpC,CAAC;CACF;AAED,eAAe,KAAK,CAAA","sourcesContent":["/**\n * It represents a temporary token that can be\n * used to send authenticated HTTP requests.\n */\nclass Token {\n  /**\n   * A fully-qualified domain name of the service\n   * this token is for.\n   */\n  fqdn: string\n\n  /**\n   * Access token\n   */\n  accessToken: string\n\n  /**\n   * Token to refresh the access token if it has expired.\n   */\n  refreshToken?: string\n\n  /**\n   * The expiration date of the session\n   */\n  expiresAt: Date\n\n  /**\n   * The list of scopes the token has access to.\n   */\n  scopes: string[]\n\n  constructor(options: {fqdn: string; accessToken: string; refreshToken?: string; expiresAt: Date; scopes: string[]}) {\n    this.fqdn = options.fqdn\n    this.accessToken = options.accessToken\n    this.refreshToken = options.refreshToken\n    this.expiresAt = options.expiresAt\n    this.scopes = options.scopes\n  }\n\n  /**\n   * Returns true if the session is expired.\n   * @returns {boolean} True if the session is expired.\n   */\n  get isExpired(): boolean {\n    return new Date() > this.expiresAt\n  }\n}\n\nexport default Token\n"]}

package/dist/session/validate.d.ts

@@ -0,0 +1,17 @@
+import { ApplicationToken, IdentityToken } from './schema.js';
+import { OAuthApplications } from '../session.js';
+declare type ValidationResult = 'needs_refresh' | 'needs_full_auth' | 'ok';
+/**
+ * Validate if the current session is valid or we need to refresh/re-authenticate
+ * @param scopes {string[]} requested scopes to validate
+ * @param applications {OAuthApplications} requested applications
+ * @param session current session with identity and application tokens
+ * @returns {ValidationResult} 'ok' if the session is valid, 'needs_full_auth' if we need to re-authenticate, 'needs_refresh' if we need to refresh the session
+ */
+export declare function validateSession(scopes: string[], applications: OAuthApplications, session: {
+    identity: IdentityToken;
+    applications: {
+        [x: string]: ApplicationToken;
+    };
+}): Promise<ValidationResult>;
+export {};

package/dist/session/validate.js

@@ -0,0 +1,75 @@
+import { applicationId } from './identity.js';
+import constants from '../constants.js';
+import { identity, partners } from '../api.js';
+import { debug } from '../output.js';
+/**
+ * Validate if an identity token is valid for the requested scopes
+ * @param requestedScopes scopes
+ * @param identity
+ * @returns
+ */
+function validateScopes(requestedScopes, identity) {
+    const currentScopes = identity.scopes;
+    return requestedScopes.every((scope) => currentScopes.includes(scope));
+}
+/**
+ * Validate if the current session is valid or we need to refresh/re-authenticate
+ * @param scopes {string[]} requested scopes to validate
+ * @param applications {OAuthApplications} requested applications
+ * @param session current session with identity and application tokens
+ * @returns {ValidationResult} 'ok' if the session is valid, 'needs_full_auth' if we need to re-authenticate, 'needs_refresh' if we need to refresh the session
+ */
+export async function validateSession(scopes, applications, session) {
+    if (!session)
+        return 'needs_full_auth';
+    const scopesAreValid = validateScopes(scopes, session.identity);
+    const identityIsValid = await identity.validateIdentityToken(session.identity.accessToken);
+    if (!scopesAreValid)
+        return 'needs_full_auth';
+    let tokensAreExpired = isTokenExpired(session.identity);
+    let tokensAreRevoked = false;
+    if (applications.partnersApi) {
+        const appId = applicationId('partners');
+        const token = session.applications[appId];
+        tokensAreRevoked = tokensAreRevoked || (await isPartnersTokenRevoked(token));
+        tokensAreExpired = tokensAreExpired || isTokenExpired(token);
+    }
+    if (applications.storefrontRendererApi) {
+        const appId = applicationId('storefront-renderer');
+        const token = session.applications[appId];
+        tokensAreExpired = tokensAreExpired || isTokenExpired(token);
+    }
+    if (applications.adminApi) {
+        const appId = applicationId('admin');
+        const realAppId = `${applications.adminApi.storeFqdn}-${appId}`;
+        const token = session.applications[realAppId];
+        tokensAreExpired = tokensAreExpired || isTokenExpired(token);
+    }
+    debug(`
+The validation of the token for application/identity completed with the following results:
+- It's expired: ${tokensAreExpired}
+- It's been revoked: ${tokensAreRevoked}
+- It's invalid in identity: ${!identityIsValid}
+  `);
+    if (tokensAreExpired)
+        return 'needs_refresh';
+    if (tokensAreRevoked)
+        return 'needs_full_auth';
+    if (!identityIsValid)
+        return 'needs_full_auth';
+    return 'ok';
+}
+function isTokenExpired(token) {
+    if (!token)
+        return true;
+    return token.expiresAt < expireThreshold();
+}
+async function isPartnersTokenRevoked(token) {
+    if (!token)
+        return false;
+    return partners.checkIfTokenIsRevoked(token.accessToken);
+}
+function expireThreshold() {
+    return new Date(Date.now() + constants.session.expirationTimeMarginInMinutes * 60 * 1000);
+}
+//# sourceMappingURL=validate.js.map

package/dist/session/validate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../src/session/validate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,aAAa,EAAC,MAAM,eAAe,CAAA;AAE3C,OAAO,SAAS,MAAM,iBAAiB,CAAA;AAEvC,OAAO,EAAC,QAAQ,EAAE,QAAQ,EAAC,MAAM,WAAW,CAAA;AAC5C,OAAO,EAAC,KAAK,EAAC,MAAM,cAAc,CAAA;AAIlC;;;;;GAKG;AACH,SAAS,cAAc,CAAC,eAAyB,EAAE,QAAuB;IACxE,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAA;IACrC,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;AACxE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,MAAgB,EAChB,YAA+B,EAC/B,OAGC;IAED,IAAI,CAAC,OAAO;QAAE,OAAO,iBAAiB,CAAA;IACtC,MAAM,cAAc,GAAG,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAA;IAC/D,MAAM,eAAe,GAAG,MAAM,QAAQ,CAAC,qBAAqB,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;IAC1F,IAAI,CAAC,cAAc;QAAE,OAAO,iBAAiB,CAAA;IAC7C,IAAI,gBAAgB,GAAG,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IACvD,IAAI,gBAAgB,GAAG,KAAK,CAAA;IAE5B,IAAI,YAAY,CAAC,WAAW,EAAE;QAC5B,MAAM,KAAK,GAAG,aAAa,CAAC,UAAU,CAAC,CAAA;QACvC,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAA;QACzC,gBAAgB,GAAG,gBAAgB,IAAI,CAAC,MAAM,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAAA;QAC5E,gBAAgB,GAAG,gBAAgB,IAAI,cAAc,CAAC,KAAK,CAAC,CAAA;KAC7D;IAED,IAAI,YAAY,CAAC,qBAAqB,EAAE;QACtC,MAAM,KAAK,GAAG,aAAa,CAAC,qBAAqB,CAAC,CAAA;QAClD,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,CAAA;QACzC,gBAAgB,GAAG,gBAAgB,IAAI,cAAc,CAAC,KAAK,CAAC,CAAA;KAC7D;IAED,IAAI,YAAY,CAAC,QAAQ,EAAE;QACzB,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,CAAC,CAAA;QACpC,MAAM,SAAS,GAAG,GAAG,YAAY,CAAC,QAAQ,CAAC,SAAS,IAAI,KAAK,EAAE,CAAA;QAC/D,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,SAAS,CAAC,CAAA;QAC7C,gBAAgB,GAAG,gBAAgB,IAAI,cAAc,CAAC,KAAK,CAAC,CAAA;KAC7D;IAED,KAAK,CAAC;;kBAEU,gBAAgB;uBACX,gBAAgB;8BACT,CAAC,eAAe;GAC3C,CAAC,CAAA;IAEF,IAAI,gBAAgB;QAAE,OAAO,eAAe,CAAA;IAC5C,IAAI,gBAAgB;QAAE,OAAO,iBAAiB,CAAA;IAC9C,IAAI,CAAC,eAAe;QAAE,OAAO,iBAAiB,CAAA;IAC9C,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAS,cAAc,CAAC,KAAuB;IAC7C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAA;IACvB,OAAO,KAAK,CAAC,SAAS,GAAG,eAAe,EAAE,CAAA;AAC5C,CAAC;AAED,KAAK,UAAU,sBAAsB,CAAC,KAAuB;IAC3D,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAA;IACxB,OAAO,QAAQ,CAAC,qBAAqB,CAAC,KAAK,CAAC,WAAW,CAAC,CAAA;AAC1D,CAAC;AAED,SAAS,eAAe;IACtB,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,6BAA6B,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;AAC3F,CAAC","sourcesContent":["import {applicationId} from './identity.js'\nimport {ApplicationToken, IdentityToken} from './schema.js'\nimport constants from '../constants.js'\nimport {OAuthApplications} from '../session.js'\nimport {identity, partners} from '../api.js'\nimport {debug} from '../output.js'\n\ntype ValidationResult = 'needs_refresh' | 'needs_full_auth' | 'ok'\n\n/**\n * Validate if an identity token is valid for the requested scopes\n * @param requestedScopes scopes\n * @param identity\n * @returns\n */\nfunction validateScopes(requestedScopes: string[], identity: IdentityToken) {\n  const currentScopes = identity.scopes\n  return requestedScopes.every((scope) => currentScopes.includes(scope))\n}\n\n/**\n * Validate if the current session is valid or we need to refresh/re-authenticate\n * @param scopes {string[]} requested scopes to validate\n * @param applications {OAuthApplications} requested applications\n * @param session current session with identity and application tokens\n * @returns {ValidationResult} 'ok' if the session is valid, 'needs_full_auth' if we need to re-authenticate, 'needs_refresh' if we need to refresh the session\n */\nexport async function validateSession(\n  scopes: string[],\n  applications: OAuthApplications,\n  session: {\n    identity: IdentityToken\n    applications: {[x: string]: ApplicationToken}\n  },\n): Promise<ValidationResult> {\n  if (!session) return 'needs_full_auth'\n  const scopesAreValid = validateScopes(scopes, session.identity)\n  const identityIsValid = await identity.validateIdentityToken(session.identity.accessToken)\n  if (!scopesAreValid) return 'needs_full_auth'\n  let tokensAreExpired = isTokenExpired(session.identity)\n  let tokensAreRevoked = false\n\n  if (applications.partnersApi) {\n    const appId = applicationId('partners')\n    const token = session.applications[appId]\n    tokensAreRevoked = tokensAreRevoked || (await isPartnersTokenRevoked(token))\n    tokensAreExpired = tokensAreExpired || isTokenExpired(token)\n  }\n\n  if (applications.storefrontRendererApi) {\n    const appId = applicationId('storefront-renderer')\n    const token = session.applications[appId]\n    tokensAreExpired = tokensAreExpired || isTokenExpired(token)\n  }\n\n  if (applications.adminApi) {\n    const appId = applicationId('admin')\n    const realAppId = `${applications.adminApi.storeFqdn}-${appId}`\n    const token = session.applications[realAppId]\n    tokensAreExpired = tokensAreExpired || isTokenExpired(token)\n  }\n\n  debug(`\nThe validation of the token for application/identity completed with the following results:\n- It's expired: ${tokensAreExpired}\n- It's been revoked: ${tokensAreRevoked}\n- It's invalid in identity: ${!identityIsValid}\n  `)\n\n  if (tokensAreExpired) return 'needs_refresh'\n  if (tokensAreRevoked) return 'needs_full_auth'\n  if (!identityIsValid) return 'needs_full_auth'\n  return 'ok'\n}\n\nfunction isTokenExpired(token: ApplicationToken): boolean {\n  if (!token) return true\n  return token.expiresAt < expireThreshold()\n}\n\nasync function isPartnersTokenRevoked(token: ApplicationToken) {\n  if (!token) return false\n  return partners.checkIfTokenIsRevoked(token.accessToken)\n}\n\nfunction expireThreshold(): Date {\n  return new Date(Date.now() + constants.session.expirationTimeMarginInMinutes * 60 * 1000)\n}\n"]}

package/dist/session.d.ts

@@ -0,0 +1,88 @@
+/// <reference types="node" />
+import { Abort } from './error.js';
+/**
+ * A scope supported by the Shopify Admin API.
+ */
+declare type AdminAPIScope = 'graphql' | 'themes' | 'collaborator' | string;
+/**
+ * It represents the options to authenticate against the Shopify Admin API.
+ */
+interface AdminAPIOAuthOptions {
+    /** Store to request permissions for */
+    storeFqdn: string;
+    /** List of scopes to request permissions for */
+    scopes: AdminAPIScope[];
+}
+/**
+ * A scope supported by the Partners API.
+ */
+declare type PartnersAPIScope = 'cli' | string;
+interface PartnersAPIOAuthOptions {
+    /** List of scopes to request permissions for */
+    scopes: PartnersAPIScope[];
+}
+/**
+ * A scope supported by the Storefront Renderer API.
+ */
+declare type StorefrontRendererScope = 'devtools' | string;
+interface StorefrontRendererAPIOAuthOptions {
+    /** List of scopes to request permissions for */
+    scopes: StorefrontRendererScope[];
+}
+/**
+ * It represents the authentication requirements and
+ * is the input necessary to trigger the authentication
+ * flow.
+ */
+export interface OAuthApplications {
+    adminApi?: AdminAPIOAuthOptions;
+    storefrontRendererApi?: StorefrontRendererAPIOAuthOptions;
+    partnersApi?: PartnersAPIOAuthOptions;
+}
+export interface AdminSession {
+    token: string;
+    storeFqdn: string;
+}
+export interface OAuthSession {
+    admin?: AdminSession;
+    partners?: string;
+    storefront?: string;
+}
+export declare const PartnerOrganizationNotFoundError: () => Abort;
+/**
+ * Ensure that we have a valid session to access the Partners API.
+ * If SHOPIFY_CLI_PARTNERS_TOKEN exists, that token will be used to obtain a valid Partners Token
+ * If SHOPIFY_CLI_PARTNERS_TOKEN exists, scopes will be ignored
+ * @param scopes {string[]} Optional array of extra scopes to authenticate with.
+ * @returns {Promise<string>} The access token for the Partners API.
+ */
+export declare function ensureAuthenticatedPartners(scopes?: string[], env?: NodeJS.ProcessEnv): Promise<string>;
+/**
+ * Ensure that we have a valid session to access the Storefront API.
+ * @param scopes {string[]} Optional array of extra scopes to authenticate with.
+ * @returns {Promise<string>} The access token for the Storefront API.
+ */
+export declare function ensureAuthenticatedStorefront(scopes?: string[]): Promise<string>;
+/**
+ * Ensure that we have a valid Admin session for the given store.
+ * @param store {string} Store fqdn to request auth for
+ * @param scopes {string[]} Optional array of extra scopes to authenticate with.
+ * @returns {Promise<string>} The access token for the Admin API
+ */
+export declare function ensureAuthenticatedAdmin(store: string, scopes?: string[]): Promise<AdminSession>;
+/**
+ * This method ensures that we have a valid session to authenticate against the given applications using the provided scopes.
+ * @param applications {OAuthApplications} An object containing the applications we need to be authenticated with.
+ * @returns {OAuthSession} An instance with the access tokens organized by application.
+ */
+export declare function ensureAuthenticated(applications: OAuthApplications, env?: NodeJS.ProcessEnv): Promise<OAuthSession>;
+export declare function hasPartnerAccount(partnersToken: string): Promise<boolean>;
+/**
+ * If the user creates an account from the Identity website, the created
+ * account won't get a Partner organization created. We need to detect that
+ * and take the user to create a partner organization.
+ * @param partnersToken {string} Partners token
+ */
+export declare function ensureUserHasPartnerAccount(partnersToken: string): Promise<void>;
+export declare function logout(): Promise<void>;
+export {};