@shopify/cli-kit 3.66.1 → 3.67.0

package/assets/cli-ruby/lib/shopify_cli/theme/dev_server/proxy.rb

@@ -202,13 +202,9 @@ module ShopifyCLI
 
           expected_session_cookie = "#{SESSION_COOKIE_NAME}=#{secure_session_id};"
 
-          unless cookie_header.include?(expected_session_cookie)
-            if cookie_header.include?(SESSION_COOKIE_NAME)
-              cookie_header.sub!(SESSION_COOKIE_REGEXP, expected_session_cookie)
-            else
-              cookie_header << "; " unless cookie_header.empty?
-              cookie_header << expected_session_cookie
-            end
+          unless cookie_header.include?(SESSION_COOKIE_NAME)
+            cookie_header << "; " unless cookie_header.empty?
+            cookie_header << expected_session_cookie
           end
 
           cookie_header

package/dist/private/node/conf-store.d.ts

@@ -6,11 +6,13 @@ interface CacheValue<T> {
 export type IntrospectionUrlKey = `identity-introspection-url-${string}`;
 export type PackageVersionKey = `npm-package-${string}`;
 type MostRecentOccurrenceKey = `most-recent-occurrence-${string}`;
+type RateLimitKey = `rate-limited-occurrences-${string}`;
 type ExportedKey = IntrospectionUrlKey | PackageVersionKey;
 interface Cache {
     [introspectionUrlKey: IntrospectionUrlKey]: CacheValue<string>;
     [packageVersionKey: PackageVersionKey]: CacheValue<string>;
-    [MostRecentOccurrenceKey: MostRecentOccurrenceKey]: CacheValue<boolean>;
+    [mostRecentOccurrenceKey: MostRecentOccurrenceKey]: CacheValue<boolean>;
+    [rateLimitKey: RateLimitKey]: CacheValue<number[]>;
 }
 export interface ConfSchema {
     sessionStore: string;
@@ -63,7 +65,47 @@ interface TimeInterval {
  * days, hours, minutes, and seconds properties.
  * If the most recent occurrence is older than this, the task will be executed.
  * @param task - The task to run if the most recent occurrence is older than the timeout.
- * @returns The result of the task, or undefined if the task was not run.
+ * @returns true if the task was run, or false if the task was not run.
  */
-export declare function runAtMinimumInterval(key: string, timeout: TimeInterval, task: () => Promise<void>, config?: LocalStorage<ConfSchema>): Promise<boolean | undefined>;
+export declare function runAtMinimumInterval(key: string, timeout: TimeInterval, task: () => Promise<void>, config?: LocalStorage<ConfSchema>): Promise<boolean>;
+interface RunWithRateLimitOptions {
+    /**
+     * The key to use for the cache.
+     */
+    key: string;
+    /**
+     * The number of times the task can be run within the limit
+     */
+    limit: number;
+    /**
+     * The window of time after which the rate limit is refreshed,
+     * expressed as an object with days, hours, minutes, and seconds properties.
+     * If the most recent occurrence is older than this, the task will be executed.
+     */
+    timeout: TimeInterval;
+    /**
+     * The task to run if the most recent occurrence is older than the timeout.
+     */
+    task: () => Promise<void>;
+}
+/**
+ * Execute a task with a time-based rate limit. The rate limit is enforced by
+ * checking how many times that task has been executed in a window of time ending
+ * at the current time. If the task has been executed more than the allowed number
+ * of times in that window, the task will not be executed.
+ *
+ * Note that this function has side effects, as it will also remove events prior
+ * to the window of time that is being checked.
+ * @param options - The options for the rate limiting.
+ * @returns true, or undefined if the task was not run.
+ */
+export declare function runWithRateLimit(options: RunWithRateLimitOptions, config?: LocalStorage<ConfSchema>): Promise<boolean>;
+export declare function getConfigStoreForPartnerStatus(): LocalStorage<{
+    [partnerToken: string]: {
+        status: true;
+        checkedAt: string;
+    };
+}>;
+export declare function getCachedPartnerAccountStatus(partnersToken: string): true | null;
+export declare function setCachedPartnerAccountStatus(partnersToken: string): void;
 export {};

package/dist/private/node/conf-store.js

@@ -81,18 +81,76 @@ function timeIntervalToMilliseconds({ days = 0, hours = 0, minutes = 0, seconds
  * days, hours, minutes, and seconds properties.
  * If the most recent occurrence is older than this, the task will be executed.
  * @param task - The task to run if the most recent occurrence is older than the timeout.
- * @returns The result of the task, or undefined if the task was not run.
+ * @returns true if the task was run, or false if the task was not run.
  */
 export async function runAtMinimumInterval(key, timeout, task, config = cliKitStore()) {
     const cache = config.get('cache') || {};
     const cacheKey = `most-recent-occurrence-${key}`;
     const cached = cache[cacheKey];
     if (cached?.value !== undefined && Date.now() - cached.timestamp < timeIntervalToMilliseconds(timeout)) {
-        return undefined;
+        return false;
     }
     await task();
     cache[cacheKey] = { value: true, timestamp: Date.now() };
     config.set('cache', cache);
     return true;
 }
+/**
+ * Execute a task with a time-based rate limit. The rate limit is enforced by
+ * checking how many times that task has been executed in a window of time ending
+ * at the current time. If the task has been executed more than the allowed number
+ * of times in that window, the task will not be executed.
+ *
+ * Note that this function has side effects, as it will also remove events prior
+ * to the window of time that is being checked.
+ * @param options - The options for the rate limiting.
+ * @returns true, or undefined if the task was not run.
+ */
+export async function runWithRateLimit(options, config = cliKitStore()) {
+    const { key, limit, timeout, task } = options;
+    const cache = config.get('cache') || {};
+    const cacheKey = `rate-limited-occurrences-${key}`;
+    const cached = cache[cacheKey];
+    const now = Date.now();
+    if (cached?.value) {
+        // First sweep through the cache and eliminate old events
+        const windowStart = now - timeIntervalToMilliseconds(timeout);
+        const occurrences = cached.value.filter((occurrence) => occurrence >= windowStart);
+        // Now check that the number of occurrences within the interval is below the limit
+        if (occurrences.length >= limit) {
+            // First remove the old occurrences from the cache
+            cache[cacheKey] = { value: occurrences, timestamp: Date.now() };
+            config.set('cache', cache);
+            return false;
+        }
+        await task();
+        cache[cacheKey] = { value: [...occurrences, now], timestamp: now };
+    }
+    else {
+        await task();
+        cache[cacheKey] = { value: [now], timestamp: now };
+    }
+    config.set('cache', cache);
+    return true;
+}
+export function getConfigStoreForPartnerStatus() {
+    return new LocalStorage({
+        projectName: 'shopify-cli-kit-partner-status',
+    });
+}
+export function getCachedPartnerAccountStatus(partnersToken) {
+    if (!partnersToken)
+        return null;
+    const store = getConfigStoreForPartnerStatus();
+    const hasPartnerAccount = store.get(partnersToken);
+    if (hasPartnerAccount) {
+        // this never needs to expire
+        return true;
+    }
+    return null;
+}
+export function setCachedPartnerAccountStatus(partnersToken) {
+    const store = getConfigStoreForPartnerStatus();
+    store.set(partnersToken, { status: true, checkedAt: new Date().toISOString() });
+}
 //# sourceMappingURL=conf-store.js.map

package/dist/private/node/conf-store.js.map

@@ -1 +1 @@
-{"version":3,"file":"conf-store.js","sourceRoot":"","sources":["../../../src/private/node/conf-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,UAAU,EAAC,MAAM,oCAAoC,CAAA;AAC7D,OAAO,EAAC,YAAY,EAAC,MAAM,oCAAoC,CAAA;AAC/D,OAAO,EAAC,aAAa,EAAE,WAAW,EAAC,MAAM,8BAA8B,CAAA;AAwBvE,IAAI,SAA+C,CAAA;AAEnD;;;;GAIG;AACH,SAAS,WAAW;IAClB,IAAI,CAAC,SAAS,EAAE;QACd,SAAS,GAAG,IAAI,YAAY,CAAa,EAAC,WAAW,EAAE,kBAAkB,UAAU,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,EAAC,CAAC,CAAA;KACzG;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,SAAmC,WAAW,EAAE;IACzE,WAAW,CAAC,aAAa,CAAA,0BAA0B,CAAC,CAAA;IACpD,OAAO,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;AACnC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,OAAe,EAAE,SAAmC,WAAW,EAAE;IAC1F,WAAW,CAAC,aAAa,CAAA,0BAA0B,CAAC,CAAA;IACpD,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,CAAA;AACrC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,SAAmC,WAAW,EAAE;IAC5E,WAAW,CAAC,aAAa,CAAA,2BAA2B,CAAC,CAAA;IACrD,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAA;AAC/B,CAAC;AAID;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,GAAgB,EAChB,EAA+C,EAC/C,OAAgB,EAChB,MAAM,GAAG,WAAW,EAAE;IAEtB,MAAM,KAAK,GAAU,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAA;IAC9C,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,CAAA;IAEzB,IAAI,MAAM,EAAE,KAAK,KAAK,SAAS,IAAI,CAAC,OAAO,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,OAAO,CAAC,EAAE;QACrG,OAAO,MAAM,CAAC,KAAK,CAAA;KACpB;IAED,MAAM,KAAK,GAAG,MAAM,EAAE,EAAE,CAAA;IACxB,KAAK,CAAC,GAAG,CAAC,GAAG,EAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAC,CAAA;IAC3C,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IAC1B,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,GAAgB,EAAE,MAAM,GAAG,WAAW,EAAE;IACpE,MAAM,KAAK,GAAU,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAA;IAC9C,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,CAAA;IACzB,OAAO,MAAM,EAAE,KAAK,CAAA;AACtB,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,MAAM,GAAG,WAAW,EAAE;IAC/C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;AACxB,CAAC;AASD,SAAS,0BAA0B,CAAC,EAAC,IAAI,GAAG,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,CAAC,EAAe;IAC/F,OAAO,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,IAAI,CAAA;AAChF,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,GAAW,EACX,OAAqB,EACrB,IAAyB,EACzB,MAAM,GAAG,WAAW,EAAE;IAEtB,MAAM,KAAK,GAAU,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAA;IAC9C,MAAM,QAAQ,GAA4B,0BAA0B,GAAG,EAAE,CAAA;IACzE,MAAM,MAAM,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAA;IAE9B,IAAI,MAAM,EAAE,KAAK,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,0BAA0B,CAAC,OAAO,CAAC,EAAE;QACtG,OAAO,SAAS,CAAA;KACjB;IAED,MAAM,IAAI,EAAE,CAAA;IACZ,KAAK,CAAC,QAAQ,CAAC,GAAG,EAAC,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAC,CAAA;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IAC1B,OAAO,IAAI,CAAA;AACb,CAAC","sourcesContent":["import {isUnitTest} from '../../public/node/context/local.js'\nimport {LocalStorage} from '../../public/node/local-storage.js'\nimport {outputContent, outputDebug} from '@shopify/cli-kit/node/output'\n\ninterface CacheValue<T> {\n  value: T\n  timestamp: number\n}\n\nexport type IntrospectionUrlKey = `identity-introspection-url-${string}`\nexport type PackageVersionKey = `npm-package-${string}`\ntype MostRecentOccurrenceKey = `most-recent-occurrence-${string}`\n\ntype ExportedKey = IntrospectionUrlKey | PackageVersionKey\n\ninterface Cache {\n  [introspectionUrlKey: IntrospectionUrlKey]: CacheValue<string>\n  [packageVersionKey: PackageVersionKey]: CacheValue<string>\n  [MostRecentOccurrenceKey: MostRecentOccurrenceKey]: CacheValue<boolean>\n}\n\nexport interface ConfSchema {\n  sessionStore: string\n  cache?: Cache\n}\n\nlet _instance: LocalStorage<ConfSchema> | undefined\n\n/**\n * CLIKIT Store.\n *\n * @returns CLIKitStore.\n */\nfunction cliKitStore() {\n  if (!_instance) {\n    _instance = new LocalStorage<ConfSchema>({projectName: `shopify-cli-kit${isUnitTest() ? '-test' : ''}`})\n  }\n  return _instance\n}\n\n/**\n * Get session.\n *\n * @returns Session.\n */\nexport function getSession(config: LocalStorage<ConfSchema> = cliKitStore()): string | undefined {\n  outputDebug(outputContent`Getting session store...`)\n  return config.get('sessionStore')\n}\n\n/**\n * Set session.\n *\n * @param session - Session.\n */\nexport function setSession(session: string, config: LocalStorage<ConfSchema> = cliKitStore()): void {\n  outputDebug(outputContent`Setting session store...`)\n  config.set('sessionStore', session)\n}\n\n/**\n * Remove session.\n */\nexport function removeSession(config: LocalStorage<ConfSchema> = cliKitStore()): void {\n  outputDebug(outputContent`Removing session store...`)\n  config.delete('sessionStore')\n}\n\ntype CacheValueForKey<TKey extends keyof Cache> = NonNullable<Cache[TKey]>['value']\n\n/**\n * Fetch from cache, or run the provided function to get the value, and cache it\n * before returning it.\n * @param key - The key to use for the cache.\n * @param fn - The function to run to get the value to cache, if a cache miss occurs.\n * @param timeout - The maximum valid age of a cached value, in milliseconds.\n * If the cached value is older than this, it will be refreshed.\n * @returns The value from the cache or the result of the function.\n */\nexport async function cacheRetrieveOrRepopulate(\n  key: ExportedKey,\n  fn: () => Promise<CacheValueForKey<typeof key>>,\n  timeout?: number,\n  config = cliKitStore(),\n): Promise<CacheValueForKey<typeof key>> {\n  const cache: Cache = config.get('cache') || {}\n  const cached = cache[key]\n\n  if (cached?.value !== undefined && (timeout === undefined || Date.now() - cached.timestamp < timeout)) {\n    return cached.value\n  }\n\n  const value = await fn()\n  cache[key] = {value, timestamp: Date.now()}\n  config.set('cache', cache)\n  return value\n}\n\n/**\n * Fetch from cache if already populated, otherwise return undefined.\n * @param key - The key to use for the cache.\n * @returns The value from the cache or the result of the function.\n */\nexport function cacheRetrieve(key: ExportedKey, config = cliKitStore()): CacheValueForKey<typeof key> | undefined {\n  const cache: Cache = config.get('cache') || {}\n  const cached = cache[key]\n  return cached?.value\n}\n\nexport function cacheClear(config = cliKitStore()): void {\n  config.delete('cache')\n}\n\ninterface TimeInterval {\n  days?: number\n  hours?: number\n  minutes?: number\n  seconds?: number\n}\n\nfunction timeIntervalToMilliseconds({days = 0, hours = 0, minutes = 0, seconds = 0}: TimeInterval): number {\n  return (days * 24 * 60 * 60 + hours * 60 * 60 + minutes * 60 + seconds) * 1000\n}\n\n/**\n * Execute a task only if the most recent occurrence of the task is older than the specified timeout.\n * @param key - The key to use for the cache.\n * @param timeout - The maximum valid age of the most recent occurrence, expressed as an object with\n * days, hours, minutes, and seconds properties.\n * If the most recent occurrence is older than this, the task will be executed.\n * @param task - The task to run if the most recent occurrence is older than the timeout.\n * @returns The result of the task, or undefined if the task was not run.\n */\nexport async function runAtMinimumInterval(\n  key: string,\n  timeout: TimeInterval,\n  task: () => Promise<void>,\n  config = cliKitStore(),\n): Promise<boolean | undefined> {\n  const cache: Cache = config.get('cache') || {}\n  const cacheKey: MostRecentOccurrenceKey = `most-recent-occurrence-${key}`\n  const cached = cache[cacheKey]\n\n  if (cached?.value !== undefined && Date.now() - cached.timestamp < timeIntervalToMilliseconds(timeout)) {\n    return undefined\n  }\n\n  await task()\n  cache[cacheKey] = {value: true, timestamp: Date.now()}\n  config.set('cache', cache)\n  return true\n}\n"]}
+{"version":3,"file":"conf-store.js","sourceRoot":"","sources":["../../../src/private/node/conf-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,UAAU,EAAC,MAAM,oCAAoC,CAAA;AAC7D,OAAO,EAAC,YAAY,EAAC,MAAM,oCAAoC,CAAA;AAC/D,OAAO,EAAC,aAAa,EAAE,WAAW,EAAC,MAAM,8BAA8B,CAAA;AA0BvE,IAAI,SAA+C,CAAA;AAEnD;;;;GAIG;AACH,SAAS,WAAW;IAClB,IAAI,CAAC,SAAS,EAAE;QACd,SAAS,GAAG,IAAI,YAAY,CAAa,EAAC,WAAW,EAAE,kBAAkB,UAAU,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,EAAC,CAAC,CAAA;KACzG;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,SAAmC,WAAW,EAAE;IACzE,WAAW,CAAC,aAAa,CAAA,0BAA0B,CAAC,CAAA;IACpD,OAAO,MAAM,CAAC,GAAG,CAAC,cAAc,CAAC,CAAA;AACnC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,OAAe,EAAE,SAAmC,WAAW,EAAE;IAC1F,WAAW,CAAC,aAAa,CAAA,0BAA0B,CAAC,CAAA;IACpD,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,CAAA;AACrC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,SAAmC,WAAW,EAAE;IAC5E,WAAW,CAAC,aAAa,CAAA,2BAA2B,CAAC,CAAA;IACrD,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAA;AAC/B,CAAC;AAID;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,GAAgB,EAChB,EAA+C,EAC/C,OAAgB,EAChB,MAAM,GAAG,WAAW,EAAE;IAEtB,MAAM,KAAK,GAAU,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAA;IAC9C,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,CAAA;IAEzB,IAAI,MAAM,EAAE,KAAK,KAAK,SAAS,IAAI,CAAC,OAAO,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,OAAO,CAAC,EAAE;QACrG,OAAO,MAAM,CAAC,KAAK,CAAA;KACpB;IAED,MAAM,KAAK,GAAG,MAAM,EAAE,EAAE,CAAA;IACxB,KAAK,CAAC,GAAG,CAAC,GAAG,EAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAC,CAAA;IAC3C,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IAC1B,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,GAAgB,EAAE,MAAM,GAAG,WAAW,EAAE;IACpE,MAAM,KAAK,GAAU,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAA;IAC9C,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,CAAA;IACzB,OAAO,MAAM,EAAE,KAAK,CAAA;AACtB,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,MAAM,GAAG,WAAW,EAAE;IAC/C,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;AACxB,CAAC;AASD,SAAS,0BAA0B,CAAC,EAAC,IAAI,GAAG,CAAC,EAAE,KAAK,GAAG,CAAC,EAAE,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,CAAC,EAAe;IAC/F,OAAO,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,KAAK,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,IAAI,CAAA;AAChF,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,GAAW,EACX,OAAqB,EACrB,IAAyB,EACzB,MAAM,GAAG,WAAW,EAAE;IAEtB,MAAM,KAAK,GAAU,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAA;IAC9C,MAAM,QAAQ,GAA4B,0BAA0B,GAAG,EAAE,CAAA;IACzE,MAAM,MAAM,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAA;IAE9B,IAAI,MAAM,EAAE,KAAK,KAAK,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,0BAA0B,CAAC,OAAO,CAAC,EAAE;QACtG,OAAO,KAAK,CAAA;KACb;IAED,MAAM,IAAI,EAAE,CAAA;IACZ,KAAK,CAAC,QAAQ,CAAC,GAAG,EAAC,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAC,CAAA;IACtD,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IAC1B,OAAO,IAAI,CAAA;AACb,CAAC;AA0BD;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,OAAgC,EAAE,MAAM,GAAG,WAAW,EAAE;IAC7F,MAAM,EAAC,GAAG,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAC,GAAG,OAAO,CAAA;IAC3C,MAAM,KAAK,GAAU,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAA;IAC9C,MAAM,QAAQ,GAAiB,4BAA4B,GAAG,EAAE,CAAA;IAChE,MAAM,MAAM,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAA;IAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAEtB,IAAI,MAAM,EAAE,KAAK,EAAE;QACjB,yDAAyD;QACzD,MAAM,WAAW,GAAG,GAAG,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAA;QAC7D,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,UAAU,IAAI,WAAW,CAAC,CAAA;QAElF,kFAAkF;QAClF,IAAI,WAAW,CAAC,MAAM,IAAI,KAAK,EAAE;YAC/B,kDAAkD;YAClD,KAAK,CAAC,QAAQ,CAAC,GAAG,EAAC,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAC,CAAA;YAC7D,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;YAE1B,OAAO,KAAK,CAAA;SACb;QAED,MAAM,IAAI,EAAE,CAAA;QACZ,KAAK,CAAC,QAAQ,CAAC,GAAG,EAAC,KAAK,EAAE,CAAC,GAAG,WAAW,EAAE,GAAG,CAAC,EAAE,SAAS,EAAE,GAAG,EAAC,CAAA;KACjE;SAAM;QACL,MAAM,IAAI,EAAE,CAAA;QACZ,KAAK,CAAC,QAAQ,CAAC,GAAG,EAAC,KAAK,EAAE,CAAC,GAAG,CAAC,EAAE,SAAS,EAAE,GAAG,EAAC,CAAA;KACjD;IACD,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;IAE1B,OAAO,IAAI,CAAA;AACb,CAAC;AAED,MAAM,UAAU,8BAA8B;IAC5C,OAAO,IAAI,YAAY,CAA8D;QACnF,WAAW,EAAE,gCAAgC;KAC9C,CAAC,CAAA;AACJ,CAAC;AAED,MAAM,UAAU,6BAA6B,CAAC,aAAqB;IACjE,IAAI,CAAC,aAAa;QAAE,OAAO,IAAI,CAAA;IAC/B,MAAM,KAAK,GAAG,8BAA8B,EAAE,CAAA;IAE9C,MAAM,iBAAiB,GAAG,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;IAClD,IAAI,iBAAiB,EAAE;QACrB,6BAA6B;QAC7B,OAAO,IAAI,CAAA;KACZ;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED,MAAM,UAAU,6BAA6B,CAAC,aAAqB;IACjE,MAAM,KAAK,GAAG,8BAA8B,EAAE,CAAA;IAE9C,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,EAAC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAC,CAAC,CAAA;AAC/E,CAAC","sourcesContent":["import {isUnitTest} from '../../public/node/context/local.js'\nimport {LocalStorage} from '../../public/node/local-storage.js'\nimport {outputContent, outputDebug} from '@shopify/cli-kit/node/output'\n\ninterface CacheValue<T> {\n  value: T\n  timestamp: number\n}\n\nexport type IntrospectionUrlKey = `identity-introspection-url-${string}`\nexport type PackageVersionKey = `npm-package-${string}`\ntype MostRecentOccurrenceKey = `most-recent-occurrence-${string}`\ntype RateLimitKey = `rate-limited-occurrences-${string}`\n\ntype ExportedKey = IntrospectionUrlKey | PackageVersionKey\n\ninterface Cache {\n  [introspectionUrlKey: IntrospectionUrlKey]: CacheValue<string>\n  [packageVersionKey: PackageVersionKey]: CacheValue<string>\n  [mostRecentOccurrenceKey: MostRecentOccurrenceKey]: CacheValue<boolean>\n  [rateLimitKey: RateLimitKey]: CacheValue<number[]>\n}\n\nexport interface ConfSchema {\n  sessionStore: string\n  cache?: Cache\n}\n\nlet _instance: LocalStorage<ConfSchema> | undefined\n\n/**\n * CLIKIT Store.\n *\n * @returns CLIKitStore.\n */\nfunction cliKitStore() {\n  if (!_instance) {\n    _instance = new LocalStorage<ConfSchema>({projectName: `shopify-cli-kit${isUnitTest() ? '-test' : ''}`})\n  }\n  return _instance\n}\n\n/**\n * Get session.\n *\n * @returns Session.\n */\nexport function getSession(config: LocalStorage<ConfSchema> = cliKitStore()): string | undefined {\n  outputDebug(outputContent`Getting session store...`)\n  return config.get('sessionStore')\n}\n\n/**\n * Set session.\n *\n * @param session - Session.\n */\nexport function setSession(session: string, config: LocalStorage<ConfSchema> = cliKitStore()): void {\n  outputDebug(outputContent`Setting session store...`)\n  config.set('sessionStore', session)\n}\n\n/**\n * Remove session.\n */\nexport function removeSession(config: LocalStorage<ConfSchema> = cliKitStore()): void {\n  outputDebug(outputContent`Removing session store...`)\n  config.delete('sessionStore')\n}\n\ntype CacheValueForKey<TKey extends keyof Cache> = NonNullable<Cache[TKey]>['value']\n\n/**\n * Fetch from cache, or run the provided function to get the value, and cache it\n * before returning it.\n * @param key - The key to use for the cache.\n * @param fn - The function to run to get the value to cache, if a cache miss occurs.\n * @param timeout - The maximum valid age of a cached value, in milliseconds.\n * If the cached value is older than this, it will be refreshed.\n * @returns The value from the cache or the result of the function.\n */\nexport async function cacheRetrieveOrRepopulate(\n  key: ExportedKey,\n  fn: () => Promise<CacheValueForKey<typeof key>>,\n  timeout?: number,\n  config = cliKitStore(),\n): Promise<CacheValueForKey<typeof key>> {\n  const cache: Cache = config.get('cache') || {}\n  const cached = cache[key]\n\n  if (cached?.value !== undefined && (timeout === undefined || Date.now() - cached.timestamp < timeout)) {\n    return cached.value\n  }\n\n  const value = await fn()\n  cache[key] = {value, timestamp: Date.now()}\n  config.set('cache', cache)\n  return value\n}\n\n/**\n * Fetch from cache if already populated, otherwise return undefined.\n * @param key - The key to use for the cache.\n * @returns The value from the cache or the result of the function.\n */\nexport function cacheRetrieve(key: ExportedKey, config = cliKitStore()): CacheValueForKey<typeof key> | undefined {\n  const cache: Cache = config.get('cache') || {}\n  const cached = cache[key]\n  return cached?.value\n}\n\nexport function cacheClear(config = cliKitStore()): void {\n  config.delete('cache')\n}\n\ninterface TimeInterval {\n  days?: number\n  hours?: number\n  minutes?: number\n  seconds?: number\n}\n\nfunction timeIntervalToMilliseconds({days = 0, hours = 0, minutes = 0, seconds = 0}: TimeInterval): number {\n  return (days * 24 * 60 * 60 + hours * 60 * 60 + minutes * 60 + seconds) * 1000\n}\n\n/**\n * Execute a task only if the most recent occurrence of the task is older than the specified timeout.\n * @param key - The key to use for the cache.\n * @param timeout - The maximum valid age of the most recent occurrence, expressed as an object with\n * days, hours, minutes, and seconds properties.\n * If the most recent occurrence is older than this, the task will be executed.\n * @param task - The task to run if the most recent occurrence is older than the timeout.\n * @returns true if the task was run, or false if the task was not run.\n */\nexport async function runAtMinimumInterval(\n  key: string,\n  timeout: TimeInterval,\n  task: () => Promise<void>,\n  config = cliKitStore(),\n): Promise<boolean> {\n  const cache: Cache = config.get('cache') || {}\n  const cacheKey: MostRecentOccurrenceKey = `most-recent-occurrence-${key}`\n  const cached = cache[cacheKey]\n\n  if (cached?.value !== undefined && Date.now() - cached.timestamp < timeIntervalToMilliseconds(timeout)) {\n    return false\n  }\n\n  await task()\n  cache[cacheKey] = {value: true, timestamp: Date.now()}\n  config.set('cache', cache)\n  return true\n}\n\ninterface RunWithRateLimitOptions {\n  /**\n   * The key to use for the cache.\n   */\n  key: string\n\n  /**\n   * The number of times the task can be run within the limit\n   */\n  limit: number\n\n  /**\n   * The window of time after which the rate limit is refreshed,\n   * expressed as an object with days, hours, minutes, and seconds properties.\n   * If the most recent occurrence is older than this, the task will be executed.\n   */\n  timeout: TimeInterval\n\n  /**\n   * The task to run if the most recent occurrence is older than the timeout.\n   */\n  task: () => Promise<void>\n}\n\n/**\n * Execute a task with a time-based rate limit. The rate limit is enforced by\n * checking how many times that task has been executed in a window of time ending\n * at the current time. If the task has been executed more than the allowed number\n * of times in that window, the task will not be executed.\n *\n * Note that this function has side effects, as it will also remove events prior\n * to the window of time that is being checked.\n * @param options - The options for the rate limiting.\n * @returns true, or undefined if the task was not run.\n */\nexport async function runWithRateLimit(options: RunWithRateLimitOptions, config = cliKitStore()): Promise<boolean> {\n  const {key, limit, timeout, task} = options\n  const cache: Cache = config.get('cache') || {}\n  const cacheKey: RateLimitKey = `rate-limited-occurrences-${key}`\n  const cached = cache[cacheKey]\n  const now = Date.now()\n\n  if (cached?.value) {\n    // First sweep through the cache and eliminate old events\n    const windowStart = now - timeIntervalToMilliseconds(timeout)\n    const occurrences = cached.value.filter((occurrence) => occurrence >= windowStart)\n\n    // Now check that the number of occurrences within the interval is below the limit\n    if (occurrences.length >= limit) {\n      // First remove the old occurrences from the cache\n      cache[cacheKey] = {value: occurrences, timestamp: Date.now()}\n      config.set('cache', cache)\n\n      return false\n    }\n\n    await task()\n    cache[cacheKey] = {value: [...occurrences, now], timestamp: now}\n  } else {\n    await task()\n    cache[cacheKey] = {value: [now], timestamp: now}\n  }\n  config.set('cache', cache)\n\n  return true\n}\n\nexport function getConfigStoreForPartnerStatus() {\n  return new LocalStorage<{[partnerToken: string]: {status: true; checkedAt: string}}>({\n    projectName: 'shopify-cli-kit-partner-status',\n  })\n}\n\nexport function getCachedPartnerAccountStatus(partnersToken: string): true | null {\n  if (!partnersToken) return null\n  const store = getConfigStoreForPartnerStatus()\n\n  const hasPartnerAccount = store.get(partnersToken)\n  if (hasPartnerAccount) {\n    // this never needs to expire\n    return true\n  }\n  return null\n}\n\nexport function setCachedPartnerAccountStatus(partnersToken: string) {\n  const store = getConfigStoreForPartnerStatus()\n\n  store.set(partnersToken, {status: true, checkedAt: new Date().toISOString()})\n}\n"]}

package/dist/private/node/constants.d.ts

@@ -54,3 +54,9 @@ export declare const sessionConstants: {
     expirationTimeMarginInMinutes: number;
 };
 export declare const bugsnagApiKey = "9e1e6889176fd0c795d5c659225e0fae";
+export declare const reportingRateLimit: {
+    limit: number;
+    timeout: {
+        days: number;
+    };
+};

package/dist/private/node/constants.js

@@ -71,4 +71,5 @@ export const sessionConstants = {
     expirationTimeMarginInMinutes: 4,
 };
 export const bugsnagApiKey = '9e1e6889176fd0c795d5c659225e0fae';
+export const reportingRateLimit = { limit: 300, timeout: { days: 1 } };
 //# sourceMappingURL=constants.js.map

package/dist/private/node/constants.js.map

@@ -1 +1 @@
-{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../src/private/node/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,QAAQ,EAAC,MAAM,2BAA2B,CAAA;AAClD,OAAO,QAAQ,MAAM,WAAW,CAAA;AAEhC,MAAM,UAAU,GAAG,aAAa,CAAA;AAEhC,MAAM,WAAW,GAAG,GAAG,EAAE;IACvB,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAA;IACjE,OAAO,QAAQ,CAAC,UAAU,CAAC,CAAC,KAAK,CAAA;AACnC,CAAC,CAAA;AAED,MAAM,CAAC,MAAM,UAAU,GAAG,GAAG,EAAE;IAC7B,OAAO,QAAQ,CAAC,UAAU,CAAC,CAAC,GAAG,CAAA;AACjC,CAAC,CAAA;AAED,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,kBAAkB,EAAE,kCAAkC;IACtD,gBAAgB,EAAE,gCAAgC;IAClD,UAAU,EAAE,yBAAyB;IACrC,cAAc,EAAE,8BAA8B;IAC9C,iBAAiB,EAAE,iCAAiC;IACpD,GAAG,EAAE,iBAAiB;IACtB,aAAa,EAAE,oBAAoB;IACnC,WAAW,EAAE,0BAA0B;IACvC,aAAa,EAAE,4BAA4B;IAC3C,SAAS,EAAE,qBAAqB;IAChC,UAAU,EAAE,qBAAqB;IACjC,eAAe,EAAE,+BAA+B;IAChD,YAAY,EAAE,eAAe;IAC7B,UAAU,EAAE,yBAAyB;IACrC,QAAQ,EAAE,mBAAmB;IAC7B,OAAO,EAAE,sBAAsB;IAC/B,eAAe,EAAE,+BAA+B;IAChD,eAAe,EAAE,+BAA+B;IAChD,mEAAmE;IACnE,UAAU,EAAE,YAAY;IACxB,aAAa,EAAE,gBAAgB;IAC/B,6BAA6B,EAAE,0CAA0C;IACzE,MAAM,EAAE,sBAAsB;IAC9B,UAAU,EAAE,aAAa;IACzB,IAAI,EAAE,MAAM;IACZ,WAAW,EAAE,aAAa;IAC1B,WAAW,EAAE,eAAe;IAC5B,YAAY,EAAE,0BAA0B;IACxC,aAAa,EAAE,4BAA4B;IAC3C,YAAY,EAAE,2BAA2B;IACzC,OAAO,EAAE,yCAAyC;IAClD,oBAAoB,EAAE,qCAAqC;CAC5D,CAAA;AAED,MAAM,CAAC,MAAM,2BAA2B,GAAG,kCAAkC,CAAA;AAE7E,MAAM,CAAC,MAAM,0BAA0B,GAAG;IACxC,WAAW,EAAE,cAAc;CAC5B,CAAA;AAED,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,WAAW,EAAE;QACX,GAAG,EAAE,kBAAkB;KACxB;IACD,WAAW,EAAE;QACX,KAAK,EAAE;YACL,IAAI,EAAE,GAAG,EAAE;gBACT,OAAO,WAAW,EAAE,CAAA;YACtB,CAAC;YACD,MAAM,EAAE;gBACN,IAAI,EAAE,GAAG,EAAE;oBACT,OAAO,QAAQ,CAAC,WAAW,EAAE,EAAE,QAAQ,CAAC,CAAA;gBAC1C,CAAC;gBACD,QAAQ,EAAE,GAAG,EAAE;oBACb,OAAO,QAAQ,CAAC,WAAW,EAAE,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAA;gBACtD,CAAC;aACF;SACF;KACF;CACF,CAAA;AAED,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,6BAA6B,EAAE,CAAC;CACjC,CAAA;AAED,MAAM,CAAC,MAAM,aAAa,GAAG,kCAAkC,CAAA","sourcesContent":["import {joinPath} from '../../public/node/path.js'\nimport envPaths from 'env-paths'\n\nconst identifier = 'shopify-cli'\n\nconst cacheFolder = () => {\n  if (process.env.XDG_CACHE_HOME) return process.env.XDG_CACHE_HOME\n  return envPaths(identifier).cache\n}\n\nexport const logsFolder = () => {\n  return envPaths(identifier).log\n}\n\nexport const environmentVariables = {\n  alwaysLogAnalytics: 'SHOPIFY_CLI_ALWAYS_LOG_ANALYTICS',\n  alwaysLogMetrics: 'SHOPIFY_CLI_ALWAYS_LOG_METRICS',\n  deviceAuth: 'SHOPIFY_CLI_DEVICE_AUTH',\n  accessCodeAuth: 'SHOPIFY_CLI_ACCESS_CODE_AUTH',\n  enableCliRedirect: 'SHOPIFY_CLI_ENABLE_CLI_REDIRECT',\n  env: 'SHOPIFY_CLI_ENV',\n  firstPartyDev: 'SHOPIFY_CLI_1P_DEV',\n  noAnalytics: 'SHOPIFY_CLI_NO_ANALYTICS',\n  partnersToken: 'SHOPIFY_CLI_PARTNERS_TOKEN',\n  runAsUser: 'SHOPIFY_RUN_AS_USER',\n  serviceEnv: 'SHOPIFY_SERVICE_ENV',\n  skipCliRedirect: 'SHOPIFY_CLI_SKIP_CLI_REDIRECT',\n  spinInstance: 'SPIN_INSTANCE',\n  themeToken: 'SHOPIFY_CLI_THEME_TOKEN',\n  unitTest: 'SHOPIFY_UNIT_TEST',\n  verbose: 'SHOPIFY_FLAG_VERBOSE',\n  noThemeBundling: 'SHOPIFY_CLI_NO_THEME_BUNDLING',\n  bundledThemeCLI: 'SHOPIFY_CLI_BUNDLED_THEME_CLI',\n  // Variables to detect if the CLI is running in a cloud environment\n  codespaces: 'CODESPACES',\n  codespaceName: 'CODESPACE_NAME',\n  codespacePortForwardingDomain: 'GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN',\n  gitpod: 'GITPOD_WORKSPACE_URL',\n  cloudShell: 'CLOUD_SHELL',\n  spin: 'SPIN',\n  spinAppPort: 'SERVER_PORT',\n  spinAppHost: 'SPIN_APP_HOST',\n  organization: 'SHOPIFY_CLI_ORGANIZATION',\n  identityToken: 'SHOPIFY_CLI_IDENTITY_TOKEN',\n  refreshToken: 'SHOPIFY_CLI_REFRESH_TOKEN',\n  otelURL: 'SHOPIFY_CLI_OTEL_EXPORTER_OTLP_ENDPOINT',\n  themeKitAccessDomain: 'SHOPIFY_CLI_THEME_KIT_ACCESS_DOMAIN',\n}\n\nexport const defaultThemeKitAccessDomain = 'theme-kit-access.shopifyapps.com'\n\nexport const systemEnvironmentVariables = {\n  backendPort: 'BACKEND_PORT',\n}\n\nexport const pathConstants = {\n  executables: {\n    dev: '/opt/dev/bin/dev',\n  },\n  directories: {\n    cache: {\n      path: () => {\n        return cacheFolder()\n      },\n      vendor: {\n        path: () => {\n          return joinPath(cacheFolder(), 'vendor')\n        },\n        binaries: () => {\n          return joinPath(cacheFolder(), 'vendor', 'binaries')\n        },\n      },\n    },\n  },\n}\n\nexport const sessionConstants = {\n  expirationTimeMarginInMinutes: 4,\n}\n\nexport const bugsnagApiKey = '9e1e6889176fd0c795d5c659225e0fae'\n"]}
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../src/private/node/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,QAAQ,EAAC,MAAM,2BAA2B,CAAA;AAClD,OAAO,QAAQ,MAAM,WAAW,CAAA;AAEhC,MAAM,UAAU,GAAG,aAAa,CAAA;AAEhC,MAAM,WAAW,GAAG,GAAG,EAAE;IACvB,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc;QAAE,OAAO,OAAO,CAAC,GAAG,CAAC,cAAc,CAAA;IACjE,OAAO,QAAQ,CAAC,UAAU,CAAC,CAAC,KAAK,CAAA;AACnC,CAAC,CAAA;AAED,MAAM,CAAC,MAAM,UAAU,GAAG,GAAG,EAAE;IAC7B,OAAO,QAAQ,CAAC,UAAU,CAAC,CAAC,GAAG,CAAA;AACjC,CAAC,CAAA;AAED,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,kBAAkB,EAAE,kCAAkC;IACtD,gBAAgB,EAAE,gCAAgC;IAClD,UAAU,EAAE,yBAAyB;IACrC,cAAc,EAAE,8BAA8B;IAC9C,iBAAiB,EAAE,iCAAiC;IACpD,GAAG,EAAE,iBAAiB;IACtB,aAAa,EAAE,oBAAoB;IACnC,WAAW,EAAE,0BAA0B;IACvC,aAAa,EAAE,4BAA4B;IAC3C,SAAS,EAAE,qBAAqB;IAChC,UAAU,EAAE,qBAAqB;IACjC,eAAe,EAAE,+BAA+B;IAChD,YAAY,EAAE,eAAe;IAC7B,UAAU,EAAE,yBAAyB;IACrC,QAAQ,EAAE,mBAAmB;IAC7B,OAAO,EAAE,sBAAsB;IAC/B,eAAe,EAAE,+BAA+B;IAChD,eAAe,EAAE,+BAA+B;IAChD,mEAAmE;IACnE,UAAU,EAAE,YAAY;IACxB,aAAa,EAAE,gBAAgB;IAC/B,6BAA6B,EAAE,0CAA0C;IACzE,MAAM,EAAE,sBAAsB;IAC9B,UAAU,EAAE,aAAa;IACzB,IAAI,EAAE,MAAM;IACZ,WAAW,EAAE,aAAa;IAC1B,WAAW,EAAE,eAAe;IAC5B,YAAY,EAAE,0BAA0B;IACxC,aAAa,EAAE,4BAA4B;IAC3C,YAAY,EAAE,2BAA2B;IACzC,OAAO,EAAE,yCAAyC;IAClD,oBAAoB,EAAE,qCAAqC;CAC5D,CAAA;AAED,MAAM,CAAC,MAAM,2BAA2B,GAAG,kCAAkC,CAAA;AAE7E,MAAM,CAAC,MAAM,0BAA0B,GAAG;IACxC,WAAW,EAAE,cAAc;CAC5B,CAAA;AAED,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,WAAW,EAAE;QACX,GAAG,EAAE,kBAAkB;KACxB;IACD,WAAW,EAAE;QACX,KAAK,EAAE;YACL,IAAI,EAAE,GAAG,EAAE;gBACT,OAAO,WAAW,EAAE,CAAA;YACtB,CAAC;YACD,MAAM,EAAE;gBACN,IAAI,EAAE,GAAG,EAAE;oBACT,OAAO,QAAQ,CAAC,WAAW,EAAE,EAAE,QAAQ,CAAC,CAAA;gBAC1C,CAAC;gBACD,QAAQ,EAAE,GAAG,EAAE;oBACb,OAAO,QAAQ,CAAC,WAAW,EAAE,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAA;gBACtD,CAAC;aACF;SACF;KACF;CACF,CAAA;AAED,MAAM,CAAC,MAAM,gBAAgB,GAAG;IAC9B,6BAA6B,EAAE,CAAC;CACjC,CAAA;AAED,MAAM,CAAC,MAAM,aAAa,GAAG,kCAAkC,CAAA;AAE/D,MAAM,CAAC,MAAM,kBAAkB,GAAG,EAAC,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,EAAC,IAAI,EAAE,CAAC,EAAC,EAAC,CAAA","sourcesContent":["import {joinPath} from '../../public/node/path.js'\nimport envPaths from 'env-paths'\n\nconst identifier = 'shopify-cli'\n\nconst cacheFolder = () => {\n  if (process.env.XDG_CACHE_HOME) return process.env.XDG_CACHE_HOME\n  return envPaths(identifier).cache\n}\n\nexport const logsFolder = () => {\n  return envPaths(identifier).log\n}\n\nexport const environmentVariables = {\n  alwaysLogAnalytics: 'SHOPIFY_CLI_ALWAYS_LOG_ANALYTICS',\n  alwaysLogMetrics: 'SHOPIFY_CLI_ALWAYS_LOG_METRICS',\n  deviceAuth: 'SHOPIFY_CLI_DEVICE_AUTH',\n  accessCodeAuth: 'SHOPIFY_CLI_ACCESS_CODE_AUTH',\n  enableCliRedirect: 'SHOPIFY_CLI_ENABLE_CLI_REDIRECT',\n  env: 'SHOPIFY_CLI_ENV',\n  firstPartyDev: 'SHOPIFY_CLI_1P_DEV',\n  noAnalytics: 'SHOPIFY_CLI_NO_ANALYTICS',\n  partnersToken: 'SHOPIFY_CLI_PARTNERS_TOKEN',\n  runAsUser: 'SHOPIFY_RUN_AS_USER',\n  serviceEnv: 'SHOPIFY_SERVICE_ENV',\n  skipCliRedirect: 'SHOPIFY_CLI_SKIP_CLI_REDIRECT',\n  spinInstance: 'SPIN_INSTANCE',\n  themeToken: 'SHOPIFY_CLI_THEME_TOKEN',\n  unitTest: 'SHOPIFY_UNIT_TEST',\n  verbose: 'SHOPIFY_FLAG_VERBOSE',\n  noThemeBundling: 'SHOPIFY_CLI_NO_THEME_BUNDLING',\n  bundledThemeCLI: 'SHOPIFY_CLI_BUNDLED_THEME_CLI',\n  // Variables to detect if the CLI is running in a cloud environment\n  codespaces: 'CODESPACES',\n  codespaceName: 'CODESPACE_NAME',\n  codespacePortForwardingDomain: 'GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN',\n  gitpod: 'GITPOD_WORKSPACE_URL',\n  cloudShell: 'CLOUD_SHELL',\n  spin: 'SPIN',\n  spinAppPort: 'SERVER_PORT',\n  spinAppHost: 'SPIN_APP_HOST',\n  organization: 'SHOPIFY_CLI_ORGANIZATION',\n  identityToken: 'SHOPIFY_CLI_IDENTITY_TOKEN',\n  refreshToken: 'SHOPIFY_CLI_REFRESH_TOKEN',\n  otelURL: 'SHOPIFY_CLI_OTEL_EXPORTER_OTLP_ENDPOINT',\n  themeKitAccessDomain: 'SHOPIFY_CLI_THEME_KIT_ACCESS_DOMAIN',\n}\n\nexport const defaultThemeKitAccessDomain = 'theme-kit-access.shopifyapps.com'\n\nexport const systemEnvironmentVariables = {\n  backendPort: 'BACKEND_PORT',\n}\n\nexport const pathConstants = {\n  executables: {\n    dev: '/opt/dev/bin/dev',\n  },\n  directories: {\n    cache: {\n      path: () => {\n        return cacheFolder()\n      },\n      vendor: {\n        path: () => {\n          return joinPath(cacheFolder(), 'vendor')\n        },\n        binaries: () => {\n          return joinPath(cacheFolder(), 'vendor', 'binaries')\n        },\n      },\n    },\n  },\n}\n\nexport const sessionConstants = {\n  expirationTimeMarginInMinutes: 4,\n}\n\nexport const bugsnagApiKey = '9e1e6889176fd0c795d5c659225e0fae'\n\nexport const reportingRateLimit = {limit: 300, timeout: {days: 1}}\n"]}

package/dist/private/node/session/exchange.js

@@ -2,12 +2,15 @@ import { applicationId, clientId as getIdentityClientId } from './identity.js';
 import { identityFqdn } from '../../../public/node/context/fqdn.js';
 import { shopifyFetch } from '../../../public/node/http.js';
 import { err, ok } from '../../../public/node/result.js';
-import { AbortError, ExtendableError } from '../../../public/node/error.js';
+import { AbortError, BugError, ExtendableError } from '../../../public/node/error.js';
 import { isTruthy } from '@shopify/cli-kit/node/context/utilities';
+import * as jose from 'jose';
 export class InvalidGrantError extends ExtendableError {
 }
 export class InvalidRequestError extends ExtendableError {
 }
+class InvalidTargetError extends AbortError {
+}
 /**
  * Given a valid authorization code, request an identity access token.
  * This token can then be used to get API specific tokens.
@@ -64,7 +67,7 @@ export async function refreshAccessToken(currentToken) {
     };
     const tokenResult = await tokenRequest(params);
     const value = tokenResult.mapError(tokenRequestErrorHandler).valueOrBug();
-    return buildIdentityToken(value);
+    return buildIdentityToken(value, currentToken.userId);
 }
 /**
  * Given a custom CLI token passed as ENV variable, request a valid partners API token
@@ -125,6 +128,16 @@ async function requestAppToken(api, token, scopes = [], store) {
     return { [identifier]: appToken };
 }
 function tokenRequestErrorHandler(error) {
+    const invalidTargetErrorMessage = 'You are not authorized to use the CLI to develop in the provided store.' +
+        '\n\n' +
+        "You can't use Shopify CLI with development stores if you only have Partner " +
+        'staff member access. If you want to use Shopify CLI to work on a development store, then ' +
+        'you should be the store owner or create a staff account on the store.' +
+        '\n\n' +
+        "If you're the store owner, then you need to log in to the store directly using the " +
+        'store URL at least once before you log in using Shopify CLI.' +
+        'Logging in to the Shopify admin directly connects the development ' +
+        'store with your Shopify login.';
     if (error === 'invalid_grant') {
         // There's an scenario when Identity returns "invalid_grant" when trying to refresh the token
         // using a valid refresh token. When that happens, we take the user through the authentication flow.
@@ -135,6 +148,9 @@ function tokenRequestErrorHandler(error) {
         // This means the token is invalid. We clear the session and throw an error to let the caller know.
         return new InvalidRequestError();
     }
+    if (error === 'invalid_target') {
+        return new InvalidTargetError(invalidTargetErrorMessage);
+    }
     // eslint-disable-next-line @shopify/cli/no-error-factory-functions
     return new AbortError(error);
 }
@@ -149,12 +165,17 @@ async function tokenRequest(params) {
         return ok(payload);
     return err(payload.error);
 }
-function buildIdentityToken(result) {
+function buildIdentityToken(result, existingUserId) {
+    const userId = existingUserId ?? (result.id_token ? jose.decodeJwt(result.id_token).sub : undefined);
+    if (!userId) {
+        throw new BugError('Error setting userId for session. No id_token or pre-existing user ID provided.');
+    }
     return {
         accessToken: result.access_token,
         refreshToken: result.refresh_token,
         expiresAt: new Date(Date.now() + result.expires_in * 1000),
         scopes: result.scope.split(' '),
+        userId,
     };
 }
 function buildApplicationToken(result) {

package/dist/private/node/session/exchange.js.map

@@ -1 +1 @@
-{"version":3,"file":"exchange.js","sourceRoot":"","sources":["../../../../src/private/node/session/exchange.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,aAAa,EAAE,QAAQ,IAAI,mBAAmB,EAAC,MAAM,eAAe,CAAA;AAG5E,OAAO,EAAC,YAAY,EAAC,MAAM,sCAAsC,CAAA;AACjE,OAAO,EAAC,YAAY,EAAC,MAAM,8BAA8B,CAAA;AACzD,OAAO,EAAC,GAAG,EAAE,EAAE,EAAS,MAAM,gCAAgC,CAAA;AAC9D,OAAO,EAAC,UAAU,EAAE,eAAe,EAAC,MAAM,+BAA+B,CAAA;AACzE,OAAO,EAAC,QAAQ,EAAC,MAAM,yCAAyC,CAAA;AAEhE,MAAM,OAAO,iBAAkB,SAAQ,eAAe;CAAG;AACzD,MAAM,OAAO,mBAAoB,SAAQ,eAAe;CAAG;AAS3D;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAAC,QAAwB;IACvE,MAAM,QAAQ,GAAG,MAAM,mBAAmB,EAAE,CAAA;IAC5C,MAAM,MAAM,GAAG;QACb,UAAU,EAAE,oBAAoB;QAChC,IAAI,EAAE,QAAQ,CAAC,IAAI;QACnB,YAAY,EAAE,uBAAuB;QACrC,SAAS,EAAE,QAAQ;QACnB,aAAa,EAAE,QAAQ,CAAC,YAAY;KACrC,CAAA;IAED,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,CAAA;IAC9C,MAAM,KAAK,GAAG,WAAW,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAC,UAAU,EAAE,CAAA;IACzE,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAA;AAClC,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,kCAAkC,CACtD,aAA4B,EAC5B,MAAsB,EACtB,KAAc;IAEd,MAAM,KAAK,GAAG,aAAa,CAAC,WAAW,CAAA;IACvC,MAAM,oBAAoB,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAA;IAEzE,MAAM,CAAC,QAAQ,EAAE,UAAU,EAAE,gBAAgB,EAAE,KAAK,EAAE,aAAa,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACvF,eAAe,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC;QACnD,eAAe,CAAC,qBAAqB,EAAE,KAAK,EAAE,MAAM,CAAC,UAAU,CAAC;QAChE,eAAe,CAAC,mBAAmB,EAAE,KAAK,EAAE,MAAM,CAAC,gBAAgB,CAAC;QACpE,KAAK,CAAC,CAAC,CAAC,eAAe,CAAC,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE;QACjE,oBAAoB,CAAC,CAAC,CAAC,eAAe,CAAC,gBAAgB,EAAE,KAAK,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,EAAE;KAC3F,CAAC,CAAA;IAEF,OAAO;QACL,GAAG,QAAQ;QACX,GAAG,UAAU;QACb,GAAG,gBAAgB;QACnB,GAAG,KAAK;QACR,GAAG,aAAa;KACjB,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,YAA2B;IAClE,MAAM,QAAQ,GAAG,mBAAmB,EAAE,CAAA;IACtC,MAAM,MAAM,GAAG;QACb,UAAU,EAAE,eAAe;QAC3B,YAAY,EAAE,YAAY,CAAC,WAAW;QACtC,aAAa,EAAE,YAAY,CAAC,YAAY;QACxC,SAAS,EAAE,QAAQ;KACpB,CAAA;IACD,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,CAAA;IAC9C,MAAM,KAAK,GAAG,WAAW,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAC,UAAU,EAAE,CAAA;IACzE,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAA;AAClC,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAAC,KAAa;IAC5D,MAAM,KAAK,GAAG,aAAa,CAAC,UAAU,CAAC,CAAA;IACvC,IAAI;QACF,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,UAAU,EAAE,KAAK,EAAE,CAAC,sDAAsD,CAAC,CAAC,CAAA;QACnH,OAAO,QAAQ,CAAC,KAAK,CAAE,CAAA;KACxB;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,IAAI,UAAU,CAAC,uCAAuC,EAAE,8CAA8C,CAAC,CAAA;KAC9G;AACH,CAAC;AAID;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gCAAgC,CACpD,UAAkB;IAElB,MAAM,QAAQ,GAAG,MAAM,mBAAmB,EAAE,CAAA;IAE5C,MAAM,MAAM,GAAG;QACb,UAAU,EAAE,8CAA8C;QAC1D,WAAW,EAAE,UAAU;QACvB,SAAS,EAAE,QAAQ;KACpB,CAAA;IAED,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,CAAA;IAC9C,IAAI,WAAW,CAAC,KAAK,EAAE,EAAE;QACvB,OAAO,GAAG,CAAC,WAAW,CAAC,KAA4B,CAAC,CAAA;KACrD;IACD,MAAM,aAAa,GAAG,kBAAkB,CAAC,WAAW,CAAC,KAAK,CAAC,CAAA;IAC3D,OAAO,EAAE,CAAC,aAAa,CAAC,CAAA;AAC1B,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,GAAQ,EACR,KAAa,EACb,SAAmB,EAAE,EACrB,KAAc;IAEd,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,CAAA;IAChC,MAAM,QAAQ,GAAG,MAAM,mBAAmB,EAAE,CAAA;IAE5C,MAAM,MAAM,GAAG;QACb,UAAU,EAAE,iDAAiD;QAC7D,oBAAoB,EAAE,+CAA+C;QACrE,kBAAkB,EAAE,+CAA+C;QACnE,SAAS,EAAE,QAAQ;QACnB,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;QACvB,aAAa,EAAE,KAAK;QACpB,GAAG,CAAC,GAAG,KAAK,OAAO,IAAI,EAAC,WAAW,EAAE,WAAW,KAAK,QAAQ,EAAC,CAAC;KAChE,CAAA;IAED,IAAI,UAAU,GAAG,KAAK,CAAA;IACtB,IAAI,GAAG,KAAK,OAAO,IAAI,KAAK,EAAE;QAC5B,UAAU,GAAG,GAAG,KAAK,IAAI,KAAK,EAAE,CAAA;KACjC;IACD,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,CAAA;IAC9C,MAAM,KAAK,GAAG,WAAW,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAC,UAAU,EAAE,CAAA;IACzE,MAAM,QAAQ,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAA;IAC7C,OAAO,EAAC,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAC,CAAA;AACjC,CAAC;AASD,SAAS,wBAAwB,CAAC,KAAa;IAC7C,IAAI,KAAK,KAAK,eAAe,EAAE;QAC7B,6FAA6F;QAC7F,oGAAoG;QACpG,OAAO,IAAI,iBAAiB,EAAE,CAAA;KAC/B;IACD,IAAI,KAAK,KAAK,iBAAiB,EAAE;QAC/B,iGAAiG;QACjG,mGAAmG;QACnG,OAAO,IAAI,mBAAmB,EAAE,CAAA;KACjC;IACD,mEAAmE;IACnE,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,CAAA;AAC9B,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,MAA+B;IACzD,MAAM,IAAI,GAAG,MAAM,YAAY,EAAE,CAAA;IACjC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,IAAI,cAAc,CAAC,CAAA;IAClD,GAAG,CAAC,MAAM,GAAG,IAAI,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAA;IACnE,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,EAAC,MAAM,EAAE,MAAM,EAAC,CAAC,CAAA;IAC1D,8DAA8D;IAC9D,MAAM,OAAO,GAAQ,MAAM,GAAG,CAAC,IAAI,EAAE,CAAA;IAErC,IAAI,GAAG,CAAC,EAAE;QAAE,OAAO,EAAE,CAAC,OAAO,CAAC,CAAA;IAC9B,OAAO,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;AAC3B,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA0B;IACpD,OAAO;QACL,WAAW,EAAE,MAAM,CAAC,YAAY;QAChC,YAAY,EAAE,MAAM,CAAC,aAAa;QAClC,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;QAC1D,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC;KAChC,CAAA;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,MAA0B;IACvD,OAAO;QACL,WAAW,EAAE,MAAM,CAAC,YAAY;QAChC,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;QAC1D,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC;KAChC,CAAA;AACH,CAAC","sourcesContent":["import {ApplicationToken, IdentityToken} from './schema.js'\nimport {applicationId, clientId as getIdentityClientId} from './identity.js'\nimport {CodeAuthResult} from './authorize.js'\nimport {API} from '../api.js'\nimport {identityFqdn} from '../../../public/node/context/fqdn.js'\nimport {shopifyFetch} from '../../../public/node/http.js'\nimport {err, ok, Result} from '../../../public/node/result.js'\nimport {AbortError, ExtendableError} from '../../../public/node/error.js'\nimport {isTruthy} from '@shopify/cli-kit/node/context/utilities'\n\nexport class InvalidGrantError extends ExtendableError {}\nexport class InvalidRequestError extends ExtendableError {}\n\nexport interface ExchangeScopes {\n  admin: string[]\n  partners: string[]\n  storefront: string[]\n  businessPlatform: string[]\n  appManagement: string[]\n}\n/**\n * Given a valid authorization code, request an identity access token.\n * This token can then be used to get API specific tokens.\n * @param codeData - code and codeVerifier from the authorize endpoint\n * @returns An instance with the identity access tokens.\n */\nexport async function exchangeCodeForAccessToken(codeData: CodeAuthResult): Promise<IdentityToken> {\n  const clientId = await getIdentityClientId()\n  const params = {\n    grant_type: 'authorization_code',\n    code: codeData.code,\n    redirect_uri: 'http://127.0.0.1:3456',\n    client_id: clientId,\n    code_verifier: codeData.codeVerifier,\n  }\n\n  const tokenResult = await tokenRequest(params)\n  const value = tokenResult.mapError(tokenRequestErrorHandler).valueOrBug()\n  return buildIdentityToken(value)\n}\n\n/**\n * Given an identity token, request an application token.\n * @param identityToken - access token obtained in a previous step\n * @param store - the store to use, only needed for admin API\n * @returns An array with the application access tokens.\n */\nexport async function exchangeAccessForApplicationTokens(\n  identityToken: IdentityToken,\n  scopes: ExchangeScopes,\n  store?: string,\n): Promise<{[x: string]: ApplicationToken}> {\n  const token = identityToken.accessToken\n  const appManagementEnabled = isTruthy(process.env.USE_APP_MANAGEMENT_API)\n\n  const [partners, storefront, businessPlatform, admin, appManagement] = await Promise.all([\n    requestAppToken('partners', token, scopes.partners),\n    requestAppToken('storefront-renderer', token, scopes.storefront),\n    requestAppToken('business-platform', token, scopes.businessPlatform),\n    store ? requestAppToken('admin', token, scopes.admin, store) : {},\n    appManagementEnabled ? requestAppToken('app-management', token, scopes.appManagement) : {},\n  ])\n\n  return {\n    ...partners,\n    ...storefront,\n    ...businessPlatform,\n    ...admin,\n    ...appManagement,\n  }\n}\n\n/**\n * Given an expired access token, refresh it to get a new one.\n */\nexport async function refreshAccessToken(currentToken: IdentityToken): Promise<IdentityToken> {\n  const clientId = getIdentityClientId()\n  const params = {\n    grant_type: 'refresh_token',\n    access_token: currentToken.accessToken,\n    refresh_token: currentToken.refreshToken,\n    client_id: clientId,\n  }\n  const tokenResult = await tokenRequest(params)\n  const value = tokenResult.mapError(tokenRequestErrorHandler).valueOrBug()\n  return buildIdentityToken(value)\n}\n\n/**\n * Given a custom CLI token passed as ENV variable, request a valid partners API token\n * This token does not accept extra scopes, just the cli one.\n * @param token - The CLI token passed as ENV variable\n * @returns An instance with the application access tokens.\n */\nexport async function exchangeCustomPartnerToken(token: string): Promise<ApplicationToken> {\n  const appId = applicationId('partners')\n  try {\n    const newToken = await requestAppToken('partners', token, ['https://api.shopify.com/auth/partners.app.cli.access'])\n    return newToken[appId]!\n  } catch (error) {\n    throw new AbortError('The custom token provided is invalid.', 'Ensure the token is correct and not expired.')\n  }\n}\n\ntype IdentityDeviceError = 'authorization_pending' | 'access_denied' | 'expired_token' | 'slow_down' | 'unknown_failure'\n\n/**\n * Given a deviceCode obtained after starting a device identity flow, request an identity token.\n * @param deviceCode - The device code obtained after starting a device identity flow\n * @param scopes - The scopes to request\n * @returns An instance with the identity access tokens.\n */\nexport async function exchangeDeviceCodeForAccessToken(\n  deviceCode: string,\n): Promise<Result<IdentityToken, IdentityDeviceError>> {\n  const clientId = await getIdentityClientId()\n\n  const params = {\n    grant_type: 'urn:ietf:params:oauth:grant-type:device_code',\n    device_code: deviceCode,\n    client_id: clientId,\n  }\n\n  const tokenResult = await tokenRequest(params)\n  if (tokenResult.isErr()) {\n    return err(tokenResult.error as IdentityDeviceError)\n  }\n  const identityToken = buildIdentityToken(tokenResult.value)\n  return ok(identityToken)\n}\n\nasync function requestAppToken(\n  api: API,\n  token: string,\n  scopes: string[] = [],\n  store?: string,\n): Promise<{[x: string]: ApplicationToken}> {\n  const appId = applicationId(api)\n  const clientId = await getIdentityClientId()\n\n  const params = {\n    grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',\n    requested_token_type: 'urn:ietf:params:oauth:token-type:access_token',\n    subject_token_type: 'urn:ietf:params:oauth:token-type:access_token',\n    client_id: clientId,\n    audience: appId,\n    scope: scopes.join(' '),\n    subject_token: token,\n    ...(api === 'admin' && {destination: `https://${store}/admin`}),\n  }\n\n  let identifier = appId\n  if (api === 'admin' && store) {\n    identifier = `${store}-${appId}`\n  }\n  const tokenResult = await tokenRequest(params)\n  const value = tokenResult.mapError(tokenRequestErrorHandler).valueOrBug()\n  const appToken = buildApplicationToken(value)\n  return {[identifier]: appToken}\n}\n\ninterface TokenRequestResult {\n  access_token: string\n  expires_in: number\n  refresh_token: string\n  scope: string\n}\n\nfunction tokenRequestErrorHandler(error: string) {\n  if (error === 'invalid_grant') {\n    // There's an scenario when Identity returns \"invalid_grant\" when trying to refresh the token\n    // using a valid refresh token. When that happens, we take the user through the authentication flow.\n    return new InvalidGrantError()\n  }\n  if (error === 'invalid_request') {\n    // There's an scenario when Identity returns \"invalid_request\" when exchanging an identity token.\n    // This means the token is invalid. We clear the session and throw an error to let the caller know.\n    return new InvalidRequestError()\n  }\n  // eslint-disable-next-line @shopify/cli/no-error-factory-functions\n  return new AbortError(error)\n}\n\nasync function tokenRequest(params: {[key: string]: string}): Promise<Result<TokenRequestResult, string>> {\n  const fqdn = await identityFqdn()\n  const url = new URL(`https://${fqdn}/oauth/token`)\n  url.search = new URLSearchParams(Object.entries(params)).toString()\n  const res = await shopifyFetch(url.href, {method: 'POST'})\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  const payload: any = await res.json()\n\n  if (res.ok) return ok(payload)\n  return err(payload.error)\n}\n\nfunction buildIdentityToken(result: TokenRequestResult): IdentityToken {\n  return {\n    accessToken: result.access_token,\n    refreshToken: result.refresh_token,\n    expiresAt: new Date(Date.now() + result.expires_in * 1000),\n    scopes: result.scope.split(' '),\n  }\n}\n\nfunction buildApplicationToken(result: TokenRequestResult): ApplicationToken {\n  return {\n    accessToken: result.access_token,\n    expiresAt: new Date(Date.now() + result.expires_in * 1000),\n    scopes: result.scope.split(' '),\n  }\n}\n"]}
+{"version":3,"file":"exchange.js","sourceRoot":"","sources":["../../../../src/private/node/session/exchange.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,aAAa,EAAE,QAAQ,IAAI,mBAAmB,EAAC,MAAM,eAAe,CAAA;AAG5E,OAAO,EAAC,YAAY,EAAC,MAAM,sCAAsC,CAAA;AACjE,OAAO,EAAC,YAAY,EAAC,MAAM,8BAA8B,CAAA;AACzD,OAAO,EAAC,GAAG,EAAE,EAAE,EAAS,MAAM,gCAAgC,CAAA;AAC9D,OAAO,EAAC,UAAU,EAAE,QAAQ,EAAE,eAAe,EAAC,MAAM,+BAA+B,CAAA;AACnF,OAAO,EAAC,QAAQ,EAAC,MAAM,yCAAyC,CAAA;AAChE,OAAO,KAAK,IAAI,MAAM,MAAM,CAAA;AAE5B,MAAM,OAAO,iBAAkB,SAAQ,eAAe;CAAG;AACzD,MAAM,OAAO,mBAAoB,SAAQ,eAAe;CAAG;AAC3D,MAAM,kBAAmB,SAAQ,UAAU;CAAG;AAS9C;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAAC,QAAwB;IACvE,MAAM,QAAQ,GAAG,MAAM,mBAAmB,EAAE,CAAA;IAC5C,MAAM,MAAM,GAAG;QACb,UAAU,EAAE,oBAAoB;QAChC,IAAI,EAAE,QAAQ,CAAC,IAAI;QACnB,YAAY,EAAE,uBAAuB;QACrC,SAAS,EAAE,QAAQ;QACnB,aAAa,EAAE,QAAQ,CAAC,YAAY;KACrC,CAAA;IAED,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,CAAA;IAC9C,MAAM,KAAK,GAAG,WAAW,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAC,UAAU,EAAE,CAAA;IACzE,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAA;AAClC,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,kCAAkC,CACtD,aAA4B,EAC5B,MAAsB,EACtB,KAAc;IAEd,MAAM,KAAK,GAAG,aAAa,CAAC,WAAW,CAAA;IACvC,MAAM,oBAAoB,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAA;IAEzE,MAAM,CAAC,QAAQ,EAAE,UAAU,EAAE,gBAAgB,EAAE,KAAK,EAAE,aAAa,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACvF,eAAe,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC;QACnD,eAAe,CAAC,qBAAqB,EAAE,KAAK,EAAE,MAAM,CAAC,UAAU,CAAC;QAChE,eAAe,CAAC,mBAAmB,EAAE,KAAK,EAAE,MAAM,CAAC,gBAAgB,CAAC;QACpE,KAAK,CAAC,CAAC,CAAC,eAAe,CAAC,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE;QACjE,oBAAoB,CAAC,CAAC,CAAC,eAAe,CAAC,gBAAgB,EAAE,KAAK,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,EAAE;KAC3F,CAAC,CAAA;IAEF,OAAO;QACL,GAAG,QAAQ;QACX,GAAG,UAAU;QACb,GAAG,gBAAgB;QACnB,GAAG,KAAK;QACR,GAAG,aAAa;KACjB,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,YAA2B;IAClE,MAAM,QAAQ,GAAG,mBAAmB,EAAE,CAAA;IACtC,MAAM,MAAM,GAAG;QACb,UAAU,EAAE,eAAe;QAC3B,YAAY,EAAE,YAAY,CAAC,WAAW;QACtC,aAAa,EAAE,YAAY,CAAC,YAAY;QACxC,SAAS,EAAE,QAAQ;KACpB,CAAA;IACD,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,CAAA;IAC9C,MAAM,KAAK,GAAG,WAAW,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAC,UAAU,EAAE,CAAA;IACzE,OAAO,kBAAkB,CAAC,KAAK,EAAE,YAAY,CAAC,MAAM,CAAC,CAAA;AACvD,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAAC,KAAa;IAC5D,MAAM,KAAK,GAAG,aAAa,CAAC,UAAU,CAAC,CAAA;IACvC,IAAI;QACF,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,UAAU,EAAE,KAAK,EAAE,CAAC,sDAAsD,CAAC,CAAC,CAAA;QACnH,OAAO,QAAQ,CAAC,KAAK,CAAE,CAAA;KACxB;IAAC,OAAO,KAAK,EAAE;QACd,MAAM,IAAI,UAAU,CAAC,uCAAuC,EAAE,8CAA8C,CAAC,CAAA;KAC9G;AACH,CAAC;AAID;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gCAAgC,CACpD,UAAkB;IAElB,MAAM,QAAQ,GAAG,MAAM,mBAAmB,EAAE,CAAA;IAE5C,MAAM,MAAM,GAAG;QACb,UAAU,EAAE,8CAA8C;QAC1D,WAAW,EAAE,UAAU;QACvB,SAAS,EAAE,QAAQ;KACpB,CAAA;IAED,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,CAAA;IAC9C,IAAI,WAAW,CAAC,KAAK,EAAE,EAAE;QACvB,OAAO,GAAG,CAAC,WAAW,CAAC,KAA4B,CAAC,CAAA;KACrD;IACD,MAAM,aAAa,GAAG,kBAAkB,CAAC,WAAW,CAAC,KAAK,CAAC,CAAA;IAC3D,OAAO,EAAE,CAAC,aAAa,CAAC,CAAA;AAC1B,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,GAAQ,EACR,KAAa,EACb,SAAmB,EAAE,EACrB,KAAc;IAEd,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,CAAA;IAChC,MAAM,QAAQ,GAAG,MAAM,mBAAmB,EAAE,CAAA;IAE5C,MAAM,MAAM,GAAG;QACb,UAAU,EAAE,iDAAiD;QAC7D,oBAAoB,EAAE,+CAA+C;QACrE,kBAAkB,EAAE,+CAA+C;QACnE,SAAS,EAAE,QAAQ;QACnB,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;QACvB,aAAa,EAAE,KAAK;QACpB,GAAG,CAAC,GAAG,KAAK,OAAO,IAAI,EAAC,WAAW,EAAE,WAAW,KAAK,QAAQ,EAAC,CAAC;KAChE,CAAA;IAED,IAAI,UAAU,GAAG,KAAK,CAAA;IACtB,IAAI,GAAG,KAAK,OAAO,IAAI,KAAK,EAAE;QAC5B,UAAU,GAAG,GAAG,KAAK,IAAI,KAAK,EAAE,CAAA;KACjC;IACD,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,CAAA;IAC9C,MAAM,KAAK,GAAG,WAAW,CAAC,QAAQ,CAAC,wBAAwB,CAAC,CAAC,UAAU,EAAE,CAAA;IACzE,MAAM,QAAQ,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAA;IAC7C,OAAO,EAAC,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAC,CAAA;AACjC,CAAC;AAUD,SAAS,wBAAwB,CAAC,KAAa;IAC7C,MAAM,yBAAyB,GAC7B,yEAAyE;QACzE,MAAM;QACN,6EAA6E;QAC7E,2FAA2F;QAC3F,uEAAuE;QACvE,MAAM;QACN,qFAAqF;QACrF,8DAA8D;QAC9D,oEAAoE;QACpE,gCAAgC,CAAA;IAClC,IAAI,KAAK,KAAK,eAAe,EAAE;QAC7B,6FAA6F;QAC7F,oGAAoG;QACpG,OAAO,IAAI,iBAAiB,EAAE,CAAA;KAC/B;IACD,IAAI,KAAK,KAAK,iBAAiB,EAAE;QAC/B,iGAAiG;QACjG,mGAAmG;QACnG,OAAO,IAAI,mBAAmB,EAAE,CAAA;KACjC;IACD,IAAI,KAAK,KAAK,gBAAgB,EAAE;QAC9B,OAAO,IAAI,kBAAkB,CAAC,yBAAyB,CAAC,CAAA;KACzD;IACD,mEAAmE;IACnE,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,CAAA;AAC9B,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,MAA+B;IACzD,MAAM,IAAI,GAAG,MAAM,YAAY,EAAE,CAAA;IACjC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,WAAW,IAAI,cAAc,CAAC,CAAA;IAClD,GAAG,CAAC,MAAM,GAAG,IAAI,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAA;IACnE,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,EAAC,MAAM,EAAE,MAAM,EAAC,CAAC,CAAA;IAC1D,8DAA8D;IAC9D,MAAM,OAAO,GAAQ,MAAM,GAAG,CAAC,IAAI,EAAE,CAAA;IAErC,IAAI,GAAG,CAAC,EAAE;QAAE,OAAO,EAAE,CAAC,OAAO,CAAC,CAAA;IAC9B,OAAO,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;AAC3B,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA0B,EAAE,cAAuB;IAC7E,MAAM,MAAM,GAAG,cAAc,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,GAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;IAErG,IAAI,CAAC,MAAM,EAAE;QACX,MAAM,IAAI,QAAQ,CAAC,iFAAiF,CAAC,CAAA;KACtG;IAED,OAAO;QACL,WAAW,EAAE,MAAM,CAAC,YAAY;QAChC,YAAY,EAAE,MAAM,CAAC,aAAa;QAClC,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;QAC1D,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC;QAC/B,MAAM;KACP,CAAA;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,MAA0B;IACvD,OAAO;QACL,WAAW,EAAE,MAAM,CAAC,YAAY;QAChC,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;QAC1D,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC;KAChC,CAAA;AACH,CAAC","sourcesContent":["import {ApplicationToken, IdentityToken} from './schema.js'\nimport {applicationId, clientId as getIdentityClientId} from './identity.js'\nimport {CodeAuthResult} from './authorize.js'\nimport {API} from '../api.js'\nimport {identityFqdn} from '../../../public/node/context/fqdn.js'\nimport {shopifyFetch} from '../../../public/node/http.js'\nimport {err, ok, Result} from '../../../public/node/result.js'\nimport {AbortError, BugError, ExtendableError} from '../../../public/node/error.js'\nimport {isTruthy} from '@shopify/cli-kit/node/context/utilities'\nimport * as jose from 'jose'\n\nexport class InvalidGrantError extends ExtendableError {}\nexport class InvalidRequestError extends ExtendableError {}\nclass InvalidTargetError extends AbortError {}\n\nexport interface ExchangeScopes {\n  admin: string[]\n  partners: string[]\n  storefront: string[]\n  businessPlatform: string[]\n  appManagement: string[]\n}\n/**\n * Given a valid authorization code, request an identity access token.\n * This token can then be used to get API specific tokens.\n * @param codeData - code and codeVerifier from the authorize endpoint\n * @returns An instance with the identity access tokens.\n */\nexport async function exchangeCodeForAccessToken(codeData: CodeAuthResult): Promise<IdentityToken> {\n  const clientId = await getIdentityClientId()\n  const params = {\n    grant_type: 'authorization_code',\n    code: codeData.code,\n    redirect_uri: 'http://127.0.0.1:3456',\n    client_id: clientId,\n    code_verifier: codeData.codeVerifier,\n  }\n\n  const tokenResult = await tokenRequest(params)\n  const value = tokenResult.mapError(tokenRequestErrorHandler).valueOrBug()\n  return buildIdentityToken(value)\n}\n\n/**\n * Given an identity token, request an application token.\n * @param identityToken - access token obtained in a previous step\n * @param store - the store to use, only needed for admin API\n * @returns An array with the application access tokens.\n */\nexport async function exchangeAccessForApplicationTokens(\n  identityToken: IdentityToken,\n  scopes: ExchangeScopes,\n  store?: string,\n): Promise<{[x: string]: ApplicationToken}> {\n  const token = identityToken.accessToken\n  const appManagementEnabled = isTruthy(process.env.USE_APP_MANAGEMENT_API)\n\n  const [partners, storefront, businessPlatform, admin, appManagement] = await Promise.all([\n    requestAppToken('partners', token, scopes.partners),\n    requestAppToken('storefront-renderer', token, scopes.storefront),\n    requestAppToken('business-platform', token, scopes.businessPlatform),\n    store ? requestAppToken('admin', token, scopes.admin, store) : {},\n    appManagementEnabled ? requestAppToken('app-management', token, scopes.appManagement) : {},\n  ])\n\n  return {\n    ...partners,\n    ...storefront,\n    ...businessPlatform,\n    ...admin,\n    ...appManagement,\n  }\n}\n\n/**\n * Given an expired access token, refresh it to get a new one.\n */\nexport async function refreshAccessToken(currentToken: IdentityToken): Promise<IdentityToken> {\n  const clientId = getIdentityClientId()\n  const params = {\n    grant_type: 'refresh_token',\n    access_token: currentToken.accessToken,\n    refresh_token: currentToken.refreshToken,\n    client_id: clientId,\n  }\n  const tokenResult = await tokenRequest(params)\n  const value = tokenResult.mapError(tokenRequestErrorHandler).valueOrBug()\n  return buildIdentityToken(value, currentToken.userId)\n}\n\n/**\n * Given a custom CLI token passed as ENV variable, request a valid partners API token\n * This token does not accept extra scopes, just the cli one.\n * @param token - The CLI token passed as ENV variable\n * @returns An instance with the application access tokens.\n */\nexport async function exchangeCustomPartnerToken(token: string): Promise<ApplicationToken> {\n  const appId = applicationId('partners')\n  try {\n    const newToken = await requestAppToken('partners', token, ['https://api.shopify.com/auth/partners.app.cli.access'])\n    return newToken[appId]!\n  } catch (error) {\n    throw new AbortError('The custom token provided is invalid.', 'Ensure the token is correct and not expired.')\n  }\n}\n\ntype IdentityDeviceError = 'authorization_pending' | 'access_denied' | 'expired_token' | 'slow_down' | 'unknown_failure'\n\n/**\n * Given a deviceCode obtained after starting a device identity flow, request an identity token.\n * @param deviceCode - The device code obtained after starting a device identity flow\n * @param scopes - The scopes to request\n * @returns An instance with the identity access tokens.\n */\nexport async function exchangeDeviceCodeForAccessToken(\n  deviceCode: string,\n): Promise<Result<IdentityToken, IdentityDeviceError>> {\n  const clientId = await getIdentityClientId()\n\n  const params = {\n    grant_type: 'urn:ietf:params:oauth:grant-type:device_code',\n    device_code: deviceCode,\n    client_id: clientId,\n  }\n\n  const tokenResult = await tokenRequest(params)\n  if (tokenResult.isErr()) {\n    return err(tokenResult.error as IdentityDeviceError)\n  }\n  const identityToken = buildIdentityToken(tokenResult.value)\n  return ok(identityToken)\n}\n\nasync function requestAppToken(\n  api: API,\n  token: string,\n  scopes: string[] = [],\n  store?: string,\n): Promise<{[x: string]: ApplicationToken}> {\n  const appId = applicationId(api)\n  const clientId = await getIdentityClientId()\n\n  const params = {\n    grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',\n    requested_token_type: 'urn:ietf:params:oauth:token-type:access_token',\n    subject_token_type: 'urn:ietf:params:oauth:token-type:access_token',\n    client_id: clientId,\n    audience: appId,\n    scope: scopes.join(' '),\n    subject_token: token,\n    ...(api === 'admin' && {destination: `https://${store}/admin`}),\n  }\n\n  let identifier = appId\n  if (api === 'admin' && store) {\n    identifier = `${store}-${appId}`\n  }\n  const tokenResult = await tokenRequest(params)\n  const value = tokenResult.mapError(tokenRequestErrorHandler).valueOrBug()\n  const appToken = buildApplicationToken(value)\n  return {[identifier]: appToken}\n}\n\ninterface TokenRequestResult {\n  access_token: string\n  expires_in: number\n  refresh_token: string\n  scope: string\n  id_token?: string\n}\n\nfunction tokenRequestErrorHandler(error: string) {\n  const invalidTargetErrorMessage =\n    'You are not authorized to use the CLI to develop in the provided store.' +\n    '\\n\\n' +\n    \"You can't use Shopify CLI with development stores if you only have Partner \" +\n    'staff member access. If you want to use Shopify CLI to work on a development store, then ' +\n    'you should be the store owner or create a staff account on the store.' +\n    '\\n\\n' +\n    \"If you're the store owner, then you need to log in to the store directly using the \" +\n    'store URL at least once before you log in using Shopify CLI.' +\n    'Logging in to the Shopify admin directly connects the development ' +\n    'store with your Shopify login.'\n  if (error === 'invalid_grant') {\n    // There's an scenario when Identity returns \"invalid_grant\" when trying to refresh the token\n    // using a valid refresh token. When that happens, we take the user through the authentication flow.\n    return new InvalidGrantError()\n  }\n  if (error === 'invalid_request') {\n    // There's an scenario when Identity returns \"invalid_request\" when exchanging an identity token.\n    // This means the token is invalid. We clear the session and throw an error to let the caller know.\n    return new InvalidRequestError()\n  }\n  if (error === 'invalid_target') {\n    return new InvalidTargetError(invalidTargetErrorMessage)\n  }\n  // eslint-disable-next-line @shopify/cli/no-error-factory-functions\n  return new AbortError(error)\n}\n\nasync function tokenRequest(params: {[key: string]: string}): Promise<Result<TokenRequestResult, string>> {\n  const fqdn = await identityFqdn()\n  const url = new URL(`https://${fqdn}/oauth/token`)\n  url.search = new URLSearchParams(Object.entries(params)).toString()\n  const res = await shopifyFetch(url.href, {method: 'POST'})\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  const payload: any = await res.json()\n\n  if (res.ok) return ok(payload)\n  return err(payload.error)\n}\n\nfunction buildIdentityToken(result: TokenRequestResult, existingUserId?: string): IdentityToken {\n  const userId = existingUserId ?? (result.id_token ? jose.decodeJwt(result.id_token).sub! : undefined)\n\n  if (!userId) {\n    throw new BugError('Error setting userId for session. No id_token or pre-existing user ID provided.')\n  }\n\n  return {\n    accessToken: result.access_token,\n    refreshToken: result.refresh_token,\n    expiresAt: new Date(Date.now() + result.expires_in * 1000),\n    scopes: result.scope.split(' '),\n    userId,\n  }\n}\n\nfunction buildApplicationToken(result: TokenRequestResult): ApplicationToken {\n  return {\n    accessToken: result.access_token,\n    expiresAt: new Date(Date.now() + result.expires_in * 1000),\n    scopes: result.scope.split(' '),\n  }\n}\n"]}

package/dist/private/node/session/schema.d.ts

@@ -7,15 +7,18 @@ declare const IdentityTokenSchema: zod.ZodObject<{
     refreshToken: zod.ZodString;
     expiresAt: zod.ZodEffects<zod.ZodDate, Date, unknown>;
     scopes: zod.ZodArray<zod.ZodString, "many">;
+    userId: zod.ZodString;
 }, "strip", zod.ZodTypeAny, {
     accessToken: string;
     scopes: string[];
     refreshToken: string;
     expiresAt: Date;
+    userId: string;
 }, {
     accessToken: string;
     scopes: string[];
     refreshToken: string;
+    userId: string;
     expiresAt?: unknown;
 }>;
 /**
@@ -68,15 +71,18 @@ export declare const SessionSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{
         refreshToken: zod.ZodString;
         expiresAt: zod.ZodEffects<zod.ZodDate, Date, unknown>;
         scopes: zod.ZodArray<zod.ZodString, "many">;
+        userId: zod.ZodString;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
         scopes: string[];
         refreshToken: string;
         expiresAt: Date;
+        userId: string;
     }, {
         accessToken: string;
         scopes: string[];
         refreshToken: string;
+        userId: string;
         expiresAt?: unknown;
     }>;
     /**
@@ -126,6 +132,7 @@ export declare const SessionSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{
         scopes: string[];
         refreshToken: string;
         expiresAt: Date;
+        userId: string;
     };
     applications: {} & {
         [k: string]: {
@@ -139,6 +146,7 @@ export declare const SessionSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{
         accessToken: string;
         scopes: string[];
         refreshToken: string;
+        userId: string;
         expiresAt?: unknown;
     };
     applications: {} & {
@@ -159,15 +167,18 @@ export declare const SessionSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{
         refreshToken: zod.ZodString;
         expiresAt: zod.ZodEffects<zod.ZodDate, Date, unknown>;
         scopes: zod.ZodArray<zod.ZodString, "many">;
+        userId: zod.ZodString;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
         scopes: string[];
         refreshToken: string;
         expiresAt: Date;
+        userId: string;
     }, {
         accessToken: string;
         scopes: string[];
         refreshToken: string;
+        userId: string;
         expiresAt?: unknown;
     }>;
     /**
@@ -217,6 +228,7 @@ export declare const SessionSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{
         scopes: string[];
         refreshToken: string;
         expiresAt: Date;
+        userId: string;
     };
     applications: {} & {
         [k: string]: {
@@ -230,6 +242,7 @@ export declare const SessionSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{
         accessToken: string;
         scopes: string[];
         refreshToken: string;
+        userId: string;
         expiresAt?: unknown;
     };
     applications: {} & {
@@ -250,15 +263,18 @@ export declare const SessionSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{
         refreshToken: zod.ZodString;
         expiresAt: zod.ZodEffects<zod.ZodDate, Date, unknown>;
         scopes: zod.ZodArray<zod.ZodString, "many">;
+        userId: zod.ZodString;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
         scopes: string[];
         refreshToken: string;
         expiresAt: Date;
+        userId: string;
     }, {
         accessToken: string;
         scopes: string[];
         refreshToken: string;
+        userId: string;
         expiresAt?: unknown;
     }>;
     /**
@@ -308,6 +324,7 @@ export declare const SessionSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{
         scopes: string[];
         refreshToken: string;
         expiresAt: Date;
+        userId: string;
     };
     applications: {} & {
         [k: string]: {
@@ -321,6 +338,7 @@ export declare const SessionSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{
         accessToken: string;
         scopes: string[];
         refreshToken: string;
+        userId: string;
         expiresAt?: unknown;
     };
     applications: {} & {
@@ -334,4 +352,10 @@ export declare const SessionSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{
 export type Session = zod.infer<typeof SessionSchema>;
 export type IdentityToken = zod.infer<typeof IdentityTokenSchema>;
 export type ApplicationToken = zod.infer<typeof ApplicationTokenSchema>;
+/**
+ * Confirms that a given identity token structure matches what the schema currently defines.
+ *
+ * A full re-auth is the expectation if this validation fails.
+ */
+export declare function validateCachedIdentityTokenStructure(identityToken: unknown): boolean;
 export {};

package/dist/private/node/session/schema.js

@@ -12,6 +12,7 @@ const IdentityTokenSchema = zod.object({
     refreshToken: zod.string(),
     expiresAt: DateSchema,
     scopes: zod.array(zod.string()),
+    userId: zod.string(),
 });
 /**
  * The schema represents an application token.
@@ -57,4 +58,13 @@ export const SessionSchema = zod.object({}).catchall(zod.object({
      */
     applications: zod.object({}).catchall(ApplicationTokenSchema),
 }));
+/**
+ * Confirms that a given identity token structure matches what the schema currently defines.
+ *
+ * A full re-auth is the expectation if this validation fails.
+ */
+export function validateCachedIdentityTokenStructure(identityToken) {
+    const parsed = IdentityTokenSchema.safeParse(identityToken);
+    return parsed.success;
+}
 //# sourceMappingURL=schema.js.map

package/dist/private/node/session/schema.js.map

@@ -1 +1 @@
-{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../../../src/private/node/session/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,GAAG,EAAC,MAAM,gCAAgC,CAAA;AAElD,MAAM,UAAU,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,GAAG,EAAE,EAAE;IACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,YAAY,IAAI;QAAE,OAAO,IAAI,IAAI,CAAC,GAAG,CAAC,CAAA;IACxE,OAAO,IAAI,CAAA;AACb,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAA;AAEd;;GAEG;AACH,MAAM,mBAAmB,GAAG,GAAG,CAAC,MAAM,CAAC;IACrC,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE;IACzB,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE;IAC1B,SAAS,EAAE,UAAU;IACrB,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;CAChC,CAAC,CAAA;AAEF;;GAEG;AACH,MAAM,sBAAsB,GAAG,GAAG,CAAC,MAAM,CAAC;IACxC,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE;IACzB,SAAS,EAAE,UAAU;IACrB,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;CAChC,CAAC,CAAA;AAEF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,QAAQ,CAClD,GAAG,CAAC,MAAM,CAAC;IACT;;;;OAIG;IACH,QAAQ,EAAE,mBAAmB;IAC7B;;;OAGG;IACH,YAAY,EAAE,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,sBAAsB,CAAC;CAC9D,CAAC,CACH,CAAA","sourcesContent":["import {zod} from '../../../public/node/schema.js'\n\nconst DateSchema = zod.preprocess((arg) => {\n  if (typeof arg === 'string' || arg instanceof Date) return new Date(arg)\n  return null\n}, zod.date())\n\n/**\n * The schema represents an Identity token.\n */\nconst IdentityTokenSchema = zod.object({\n  accessToken: zod.string(),\n  refreshToken: zod.string(),\n  expiresAt: DateSchema,\n  scopes: zod.array(zod.string()),\n})\n\n/**\n * The schema represents an application token.\n */\nconst ApplicationTokenSchema = zod.object({\n  accessToken: zod.string(),\n  expiresAt: DateSchema,\n  scopes: zod.array(zod.string()),\n})\n\n/**\n * This schema represents the format of the session\n * that we cache in the system to avoid unnecessary\n * token exchanges.\n *\n * @example\n * ```\n * {\n *    \"accounts.shopify.com\": {\n *      \"identity\": {...} // IdentityTokenSchema\n *      \"applications\": {\n *        \"${domain}-application-id\": {  // Admin APIs includes domain in the key\n *          \"accessToken\": \"...\",\n *        },\n *        \"$application-id\": { // ApplicationTokenSchema\n *          \"accessToken\": \"...\",\n *        },\n *      }\n *    },\n *    \"identity.spin.com\": {...}\n * }\n * ```\n */\nexport const SessionSchema = zod.object({}).catchall(\n  zod.object({\n    /**\n     * It contains the identity token. Before usint it, we exchange it\n     * to get a token that we can use with different applications. The exchanged\n     * tokens for the applications are stored under applications.\n     */\n    identity: IdentityTokenSchema,\n    /**\n     * It contains exchanged tokens for the applications the CLI\n     * authenticates with. Tokens are scoped under the fqdn of the applications.\n     */\n    applications: zod.object({}).catchall(ApplicationTokenSchema),\n  }),\n)\n\nexport type Session = zod.infer<typeof SessionSchema>\nexport type IdentityToken = zod.infer<typeof IdentityTokenSchema>\nexport type ApplicationToken = zod.infer<typeof ApplicationTokenSchema>\n"]}
+{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../../../src/private/node/session/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,GAAG,EAAC,MAAM,gCAAgC,CAAA;AAElD,MAAM,UAAU,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,GAAG,EAAE,EAAE;IACxC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,YAAY,IAAI;QAAE,OAAO,IAAI,IAAI,CAAC,GAAG,CAAC,CAAA;IACxE,OAAO,IAAI,CAAA;AACb,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAA;AAEd;;GAEG;AACH,MAAM,mBAAmB,GAAG,GAAG,CAAC,MAAM,CAAC;IACrC,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE;IACzB,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE;IAC1B,SAAS,EAAE,UAAU;IACrB,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;IAC/B,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE;CACrB,CAAC,CAAA;AAEF;;GAEG;AACH,MAAM,sBAAsB,GAAG,GAAG,CAAC,MAAM,CAAC;IACxC,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE;IACzB,SAAS,EAAE,UAAU;IACrB,MAAM,EAAE,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;CAChC,CAAC,CAAA;AAEF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,QAAQ,CAClD,GAAG,CAAC,MAAM,CAAC;IACT;;;;OAIG;IACH,QAAQ,EAAE,mBAAmB;IAC7B;;;OAGG;IACH,YAAY,EAAE,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,sBAAsB,CAAC;CAC9D,CAAC,CACH,CAAA;AAMD;;;;GAIG;AACH,MAAM,UAAU,oCAAoC,CAAC,aAAsB;IACzE,MAAM,MAAM,GAAG,mBAAmB,CAAC,SAAS,CAAC,aAAa,CAAC,CAAA;IAC3D,OAAO,MAAM,CAAC,OAAO,CAAA;AACvB,CAAC","sourcesContent":["import {zod} from '../../../public/node/schema.js'\n\nconst DateSchema = zod.preprocess((arg) => {\n  if (typeof arg === 'string' || arg instanceof Date) return new Date(arg)\n  return null\n}, zod.date())\n\n/**\n * The schema represents an Identity token.\n */\nconst IdentityTokenSchema = zod.object({\n  accessToken: zod.string(),\n  refreshToken: zod.string(),\n  expiresAt: DateSchema,\n  scopes: zod.array(zod.string()),\n  userId: zod.string(),\n})\n\n/**\n * The schema represents an application token.\n */\nconst ApplicationTokenSchema = zod.object({\n  accessToken: zod.string(),\n  expiresAt: DateSchema,\n  scopes: zod.array(zod.string()),\n})\n\n/**\n * This schema represents the format of the session\n * that we cache in the system to avoid unnecessary\n * token exchanges.\n *\n * @example\n * ```\n * {\n *    \"accounts.shopify.com\": {\n *      \"identity\": {...} // IdentityTokenSchema\n *      \"applications\": {\n *        \"${domain}-application-id\": {  // Admin APIs includes domain in the key\n *          \"accessToken\": \"...\",\n *        },\n *        \"$application-id\": { // ApplicationTokenSchema\n *          \"accessToken\": \"...\",\n *        },\n *      }\n *    },\n *    \"identity.spin.com\": {...}\n * }\n * ```\n */\nexport const SessionSchema = zod.object({}).catchall(\n  zod.object({\n    /**\n     * It contains the identity token. Before usint it, we exchange it\n     * to get a token that we can use with different applications. The exchanged\n     * tokens for the applications are stored under applications.\n     */\n    identity: IdentityTokenSchema,\n    /**\n     * It contains exchanged tokens for the applications the CLI\n     * authenticates with. Tokens are scoped under the fqdn of the applications.\n     */\n    applications: zod.object({}).catchall(ApplicationTokenSchema),\n  }),\n)\n\nexport type Session = zod.infer<typeof SessionSchema>\nexport type IdentityToken = zod.infer<typeof IdentityTokenSchema>\nexport type ApplicationToken = zod.infer<typeof ApplicationTokenSchema>\n\n/**\n * Confirms that a given identity token structure matches what the schema currently defines.\n *\n * A full re-auth is the expectation if this validation fails.\n */\nexport function validateCachedIdentityTokenStructure(identityToken: unknown) {\n  const parsed = IdentityTokenSchema.safeParse(identityToken)\n  return parsed.success\n}\n"]}

package/dist/private/node/session/validate.js

@@ -1,4 +1,5 @@
 import { applicationId } from './identity.js';
+import { validateCachedIdentityTokenStructure } from './schema.js';
 import { validateIdentityToken } from './identity-token-validation.js';
 import { sessionConstants } from '../constants.js';
 import { outputDebug } from '../../../public/node/output.js';
@@ -53,6 +54,9 @@ The validation of the token for application/identity completed with the followin
 - It's expired: ${tokensAreExpired}
 - It's invalid in identity: ${!identityIsValid}
   `);
+    if (!validateCachedIdentityTokenStructure(session.identity)) {
+        return 'needs_full_auth';
+    }
     if (tokensAreExpired)
         return 'needs_refresh';
     if (!identityIsValid)

package/dist/private/node/session/validate.js.map

@@ -1 +1 @@
-{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../../../src/private/node/session/validate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,aAAa,EAAC,MAAM,eAAe,CAAA;AAE3C,OAAO,EAAC,qBAAqB,EAAC,MAAM,gCAAgC,CAAA;AACpE,OAAO,EAAC,gBAAgB,EAAC,MAAM,iBAAiB,CAAA;AAChD,OAAO,EAAC,WAAW,EAAC,MAAM,gCAAgC,CAAA;AAC1D,OAAO,EAAC,aAAa,EAAC,MAAM,uCAAuC,CAAA;AAKnE;;GAEG;AACH,SAAS,cAAc,CAAC,eAAyB,EAAE,QAAuB;IACxE,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAA;IACrC,IAAI,aAAa,EAAE,KAAK,aAAa,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAA;IACxE,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;AACxE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,MAAgB,EAChB,YAA+B,EAC/B,OAGC;IAED,IAAI,CAAC,OAAO;QAAE,OAAO,iBAAiB,CAAA;IACtC,MAAM,cAAc,GAAG,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAA;IAC/D,MAAM,eAAe,GAAG,MAAM,qBAAqB,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;IACjF,IAAI,CAAC,cAAc;QAAE,OAAO,iBAAiB,CAAA;IAC7C,IAAI,gBAAgB,GAAG,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAEvD,IAAI,YAAY,CAAC,WAAW,EAAE;QAC5B,MAAM,KAAK,GAAG,aAAa,CAAC,UAAU,CAAC,CAAA;QACvC,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,KAAK,CAAE,CAAA;QAC1C,gBAAgB,GAAG,gBAAgB,IAAI,cAAc,CAAC,KAAK,CAAC,CAAA;KAC7D;IAED,IAAI,YAAY,CAAC,gBAAgB,EAAE;QACjC,MAAM,KAAK,GAAG,aAAa,CAAC,gBAAgB,CAAC,CAAA;QAC7C,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,KAAK,CAAE,CAAA;QAC1C,gBAAgB,GAAG,gBAAgB,IAAI,cAAc,CAAC,KAAK,CAAC,CAAA;KAC7D;IAED,IAAI,YAAY,CAAC,qBAAqB,EAAE;QACtC,MAAM,KAAK,GAAG,aAAa,CAAC,qBAAqB,CAAC,CAAA;QAClD,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,KAAK,CAAE,CAAA;QAC1C,gBAAgB,GAAG,gBAAgB,IAAI,cAAc,CAAC,KAAK,CAAC,CAAA;KAC7D;IAED,IAAI,YAAY,CAAC,QAAQ,EAAE;QACzB,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,CAAC,CAAA;QACpC,MAAM,SAAS,GAAG,GAAG,YAAY,CAAC,QAAQ,CAAC,SAAS,IAAI,KAAK,EAAE,CAAA;QAC/D,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,SAAS,CAAE,CAAA;QAC9C,gBAAgB,GAAG,gBAAgB,IAAI,cAAc,CAAC,KAAK,CAAC,CAAA;KAC7D;IAED,WAAW,CAAC;;kBAEI,gBAAgB;8BACJ,CAAC,eAAe;GAC3C,CAAC,CAAA;IAEF,IAAI,gBAAgB;QAAE,OAAO,eAAe,CAAA;IAC5C,IAAI,CAAC,eAAe;QAAE,OAAO,iBAAiB,CAAA;IAC9C,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAS,cAAc,CAAC,KAAuB;IAC7C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAA;IACvB,OAAO,KAAK,CAAC,SAAS,GAAG,eAAe,EAAE,CAAA;AAC5C,CAAC;AAED,SAAS,eAAe;IACtB,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,gBAAgB,CAAC,6BAA6B,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;AAC1F,CAAC","sourcesContent":["import {applicationId} from './identity.js'\nimport {ApplicationToken, IdentityToken} from './schema.js'\nimport {validateIdentityToken} from './identity-token-validation.js'\nimport {sessionConstants} from '../constants.js'\nimport {outputDebug} from '../../../public/node/output.js'\nimport {firstPartyDev} from '../../../public/node/context/local.js'\nimport {OAuthApplications} from '../session.js'\n\ntype ValidationResult = 'needs_refresh' | 'needs_full_auth' | 'ok'\n\n/**\n * Validate if an identity token is valid for the requested scopes\n */\nfunction validateScopes(requestedScopes: string[], identity: IdentityToken) {\n  const currentScopes = identity.scopes\n  if (firstPartyDev() !== currentScopes.includes('employee')) return false\n  return requestedScopes.every((scope) => currentScopes.includes(scope))\n}\n\n/**\n * Validate if the current session is valid or we need to refresh/re-authenticate\n * @param scopes - requested scopes to validate\n * @param applications - requested applications\n * @param session - current session with identity and application tokens\n * @returns 'ok' if the session is valid, 'needs_full_auth' if we need to re-authenticate, 'needs_refresh' if we need to refresh the session\n */\nexport async function validateSession(\n  scopes: string[],\n  applications: OAuthApplications,\n  session: {\n    identity: IdentityToken\n    applications: {[x: string]: ApplicationToken}\n  },\n): Promise<ValidationResult> {\n  if (!session) return 'needs_full_auth'\n  const scopesAreValid = validateScopes(scopes, session.identity)\n  const identityIsValid = await validateIdentityToken(session.identity.accessToken)\n  if (!scopesAreValid) return 'needs_full_auth'\n  let tokensAreExpired = isTokenExpired(session.identity)\n\n  if (applications.partnersApi) {\n    const appId = applicationId('partners')\n    const token = session.applications[appId]!\n    tokensAreExpired = tokensAreExpired || isTokenExpired(token)\n  }\n\n  if (applications.appManagementApi) {\n    const appId = applicationId('app-management')\n    const token = session.applications[appId]!\n    tokensAreExpired = tokensAreExpired || isTokenExpired(token)\n  }\n\n  if (applications.storefrontRendererApi) {\n    const appId = applicationId('storefront-renderer')\n    const token = session.applications[appId]!\n    tokensAreExpired = tokensAreExpired || isTokenExpired(token)\n  }\n\n  if (applications.adminApi) {\n    const appId = applicationId('admin')\n    const realAppId = `${applications.adminApi.storeFqdn}-${appId}`\n    const token = session.applications[realAppId]!\n    tokensAreExpired = tokensAreExpired || isTokenExpired(token)\n  }\n\n  outputDebug(`\nThe validation of the token for application/identity completed with the following results:\n- It's expired: ${tokensAreExpired}\n- It's invalid in identity: ${!identityIsValid}\n  `)\n\n  if (tokensAreExpired) return 'needs_refresh'\n  if (!identityIsValid) return 'needs_full_auth'\n  return 'ok'\n}\n\nfunction isTokenExpired(token: ApplicationToken): boolean {\n  if (!token) return true\n  return token.expiresAt < expireThreshold()\n}\n\nfunction expireThreshold(): Date {\n  return new Date(Date.now() + sessionConstants.expirationTimeMarginInMinutes * 60 * 1000)\n}\n"]}
+{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../../../src/private/node/session/validate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,aAAa,EAAC,MAAM,eAAe,CAAA;AAC3C,OAAO,EAAkC,oCAAoC,EAAC,MAAM,aAAa,CAAA;AACjG,OAAO,EAAC,qBAAqB,EAAC,MAAM,gCAAgC,CAAA;AACpE,OAAO,EAAC,gBAAgB,EAAC,MAAM,iBAAiB,CAAA;AAChD,OAAO,EAAC,WAAW,EAAC,MAAM,gCAAgC,CAAA;AAC1D,OAAO,EAAC,aAAa,EAAC,MAAM,uCAAuC,CAAA;AAKnE;;GAEG;AACH,SAAS,cAAc,CAAC,eAAyB,EAAE,QAAuB;IACxE,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAA;IACrC,IAAI,aAAa,EAAE,KAAK,aAAa,CAAC,QAAQ,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAA;IACxE,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;AACxE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,MAAgB,EAChB,YAA+B,EAC/B,OAGC;IAED,IAAI,CAAC,OAAO;QAAE,OAAO,iBAAiB,CAAA;IACtC,MAAM,cAAc,GAAG,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAA;IAC/D,MAAM,eAAe,GAAG,MAAM,qBAAqB,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;IACjF,IAAI,CAAC,cAAc;QAAE,OAAO,iBAAiB,CAAA;IAC7C,IAAI,gBAAgB,GAAG,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAEvD,IAAI,YAAY,CAAC,WAAW,EAAE;QAC5B,MAAM,KAAK,GAAG,aAAa,CAAC,UAAU,CAAC,CAAA;QACvC,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,KAAK,CAAE,CAAA;QAC1C,gBAAgB,GAAG,gBAAgB,IAAI,cAAc,CAAC,KAAK,CAAC,CAAA;KAC7D;IAED,IAAI,YAAY,CAAC,gBAAgB,EAAE;QACjC,MAAM,KAAK,GAAG,aAAa,CAAC,gBAAgB,CAAC,CAAA;QAC7C,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,KAAK,CAAE,CAAA;QAC1C,gBAAgB,GAAG,gBAAgB,IAAI,cAAc,CAAC,KAAK,CAAC,CAAA;KAC7D;IAED,IAAI,YAAY,CAAC,qBAAqB,EAAE;QACtC,MAAM,KAAK,GAAG,aAAa,CAAC,qBAAqB,CAAC,CAAA;QAClD,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,KAAK,CAAE,CAAA;QAC1C,gBAAgB,GAAG,gBAAgB,IAAI,cAAc,CAAC,KAAK,CAAC,CAAA;KAC7D;IAED,IAAI,YAAY,CAAC,QAAQ,EAAE;QACzB,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,CAAC,CAAA;QACpC,MAAM,SAAS,GAAG,GAAG,YAAY,CAAC,QAAQ,CAAC,SAAS,IAAI,KAAK,EAAE,CAAA;QAC/D,MAAM,KAAK,GAAG,OAAO,CAAC,YAAY,CAAC,SAAS,CAAE,CAAA;QAC9C,gBAAgB,GAAG,gBAAgB,IAAI,cAAc,CAAC,KAAK,CAAC,CAAA;KAC7D;IAED,WAAW,CAAC;;kBAEI,gBAAgB;8BACJ,CAAC,eAAe;GAC3C,CAAC,CAAA;IAEF,IAAI,CAAC,oCAAoC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE;QAC3D,OAAO,iBAAiB,CAAA;KACzB;IAED,IAAI,gBAAgB;QAAE,OAAO,eAAe,CAAA;IAC5C,IAAI,CAAC,eAAe;QAAE,OAAO,iBAAiB,CAAA;IAC9C,OAAO,IAAI,CAAA;AACb,CAAC;AAED,SAAS,cAAc,CAAC,KAAuB;IAC7C,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAA;IACvB,OAAO,KAAK,CAAC,SAAS,GAAG,eAAe,EAAE,CAAA;AAC5C,CAAC;AAED,SAAS,eAAe;IACtB,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,gBAAgB,CAAC,6BAA6B,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;AAC1F,CAAC","sourcesContent":["import {applicationId} from './identity.js'\nimport {ApplicationToken, IdentityToken, validateCachedIdentityTokenStructure} from './schema.js'\nimport {validateIdentityToken} from './identity-token-validation.js'\nimport {sessionConstants} from '../constants.js'\nimport {outputDebug} from '../../../public/node/output.js'\nimport {firstPartyDev} from '../../../public/node/context/local.js'\nimport {OAuthApplications} from '../session.js'\n\ntype ValidationResult = 'needs_refresh' | 'needs_full_auth' | 'ok'\n\n/**\n * Validate if an identity token is valid for the requested scopes\n */\nfunction validateScopes(requestedScopes: string[], identity: IdentityToken) {\n  const currentScopes = identity.scopes\n  if (firstPartyDev() !== currentScopes.includes('employee')) return false\n  return requestedScopes.every((scope) => currentScopes.includes(scope))\n}\n\n/**\n * Validate if the current session is valid or we need to refresh/re-authenticate\n * @param scopes - requested scopes to validate\n * @param applications - requested applications\n * @param session - current session with identity and application tokens\n * @returns 'ok' if the session is valid, 'needs_full_auth' if we need to re-authenticate, 'needs_refresh' if we need to refresh the session\n */\nexport async function validateSession(\n  scopes: string[],\n  applications: OAuthApplications,\n  session: {\n    identity: IdentityToken\n    applications: {[x: string]: ApplicationToken}\n  },\n): Promise<ValidationResult> {\n  if (!session) return 'needs_full_auth'\n  const scopesAreValid = validateScopes(scopes, session.identity)\n  const identityIsValid = await validateIdentityToken(session.identity.accessToken)\n  if (!scopesAreValid) return 'needs_full_auth'\n  let tokensAreExpired = isTokenExpired(session.identity)\n\n  if (applications.partnersApi) {\n    const appId = applicationId('partners')\n    const token = session.applications[appId]!\n    tokensAreExpired = tokensAreExpired || isTokenExpired(token)\n  }\n\n  if (applications.appManagementApi) {\n    const appId = applicationId('app-management')\n    const token = session.applications[appId]!\n    tokensAreExpired = tokensAreExpired || isTokenExpired(token)\n  }\n\n  if (applications.storefrontRendererApi) {\n    const appId = applicationId('storefront-renderer')\n    const token = session.applications[appId]!\n    tokensAreExpired = tokensAreExpired || isTokenExpired(token)\n  }\n\n  if (applications.adminApi) {\n    const appId = applicationId('admin')\n    const realAppId = `${applications.adminApi.storeFqdn}-${appId}`\n    const token = session.applications[realAppId]!\n    tokensAreExpired = tokensAreExpired || isTokenExpired(token)\n  }\n\n  outputDebug(`\nThe validation of the token for application/identity completed with the following results:\n- It's expired: ${tokensAreExpired}\n- It's invalid in identity: ${!identityIsValid}\n  `)\n\n  if (!validateCachedIdentityTokenStructure(session.identity)) {\n    return 'needs_full_auth'\n  }\n\n  if (tokensAreExpired) return 'needs_refresh'\n  if (!identityIsValid) return 'needs_full_auth'\n  return 'ok'\n}\n\nfunction isTokenExpired(token: ApplicationToken): boolean {\n  if (!token) return true\n  return token.expiresAt < expireThreshold()\n}\n\nfunction expireThreshold(): Date {\n  return new Date(Date.now() + sessionConstants.expirationTimeMarginInMinutes * 60 * 1000)\n}\n"]}

package/dist/private/node/session.d.ts

@@ -60,6 +60,7 @@ export interface OAuthSession {
     storefront?: string;
     businessPlatform?: string;
     appManagement?: string;
+    userId: string;
 }
 /**
  * This method ensures that we have a valid session to authenticate against the given applications using the provided scopes.