@shopify/cli 3.66.0 → 3.67.0

package/dist/{chunk-D2RO6JR3.js → chunk-33B37WAX.js}

@@ -19,19 +19,22 @@ import {
   retryAwareRequest,
   sanitizedHeadersOutput,
   shopifyFetch
-} from "./chunk-UUUKSZ6D.js";
+} from "./chunk-2A4NZDBL.js";
 import {
   base64URLEncode,
+  nonRandomUUID,
   randomBytes,
   randomHex,
   sha256
-} from "./chunk-IZJK3NZC.js";
+} from "./chunk-BPTBCC7K.js";
 import {
   cacheRetrieveOrRepopulate,
+  getCachedPartnerAccountStatus,
   getSession,
   removeSession,
+  setCachedPartnerAccountStatus,
   setSession
-} from "./chunk-XC2GDHJG.js";
+} from "./chunk-56GJOU7U.js";
 import {
   AbortError,
   BugError,
@@ -43,7 +46,6 @@ import {
   import_ts_error,
   isCloudEnvironment,
   isSpin,
-  isSpinEnvironment,
   isTTY,
   isTruthy,
   keypress,
@@ -61,10 +63,10 @@ import {
   spinFqdn,
   stringifyMessage,
   useDeviceAuth
-} from "./chunk-JDW4FALN.js";
+} from "./chunk-7QTS6ZWN.js";
 import {
   sessionConstants
-} from "./chunk-F6BSBHJJ.js";
+} from "./chunk-NZDBLGNM.js";
 import {
   moduleDirectory
 } from "./chunk-T2GATXSP.js";
@@ -3014,8 +3016,17 @@ async function identityFqdn() {
   }
 }
 async function normalizeStoreFqdn(store2) {
-  let storeFqdn = store2.replace(/^https?:\/\//, "").replace(/\/$/, ""), addDomain = async (storeFqdn2) => isSpinEnvironment() ? `${storeFqdn2}.shopify.${await spinFqdn()}` : `${storeFqdn2}.myshopify.com`;
-  return ((storeFqdn2) => storeFqdn2.includes(".myshopify.com") || storeFqdn2.includes("spin.dev"))(storeFqdn) ? storeFqdn : addDomain(storeFqdn);
+  let storeFqdn = store2.replace(/^https?:\/\//, "").replace(/\/$/, ""), addDomain = async (storeFqdn2) => {
+    switch (serviceEnvironment()) {
+      case "local":
+        return `${storeFqdn2}.myshopify.io`;
+      case "spin":
+        return `${storeFqdn2}.shopify.${await spinFqdn()}`;
+      default:
+        return `${storeFqdn2}.myshopify.com`;
+    }
+  };
+  return ((storeFqdn2) => storeFqdn2.includes(".myshopify.com") || storeFqdn2.includes("spin.dev") || storeFqdn2.includes("shopify.io"))(storeFqdn) ? storeFqdn : addDomain(storeFqdn);
 }
 
 // ../cli-kit/dist/private/node/session/store.js
@@ -3027,7 +3038,8 @@ var DateSchema = z.preprocess((arg) => typeof arg == "string" || arg instanceof
   accessToken: z.string(),
   refreshToken: z.string(),
   expiresAt: DateSchema,
-  scopes: z.array(z.string())
+  scopes: z.array(z.string()),
+  userId: z.string()
 }), ApplicationTokenSchema = z.object({
   accessToken: z.string(),
   expiresAt: DateSchema,
@@ -3045,6 +3057,9 @@ var DateSchema = z.preprocess((arg) => typeof arg == "string" || arg instanceof
    */
   applications: z.object({}).catchall(ApplicationTokenSchema)
 }));
+function validateCachedIdentityTokenStructure(identityToken) {
+  return IdentityTokenSchema.safeParse(identityToken).success;
+}
 
 // ../cli-kit/dist/private/node/session/store.js
 async function store(session) {
@@ -3212,9 +3227,103 @@ var ok = (value) => new Ok(value), err = (err2) => new Err(err2), Ok = class {
   }
 };
 
+// ../../node_modules/.pnpm/jose@5.8.0/node_modules/jose/dist/node/esm/index.js
+init_cjs_shims();
+
+// ../../node_modules/.pnpm/jose@5.8.0/node_modules/jose/dist/node/esm/runtime/base64url.js
+init_cjs_shims();
+import { Buffer } from "node:buffer";
+
+// ../../node_modules/.pnpm/jose@5.8.0/node_modules/jose/dist/node/esm/lib/buffer_utils.js
+init_cjs_shims();
+var encoder = new TextEncoder(), decoder = new TextDecoder(), MAX_INT32 = 2 ** 32;
+
+// ../../node_modules/.pnpm/jose@5.8.0/node_modules/jose/dist/node/esm/runtime/base64url.js
+function normalize(input) {
+  let encoded = input;
+  return encoded instanceof Uint8Array && (encoded = decoder.decode(encoded)), encoded;
+}
+var decode = (input) => new Uint8Array(Buffer.from(normalize(input), "base64"));
+
+// ../../node_modules/.pnpm/jose@5.8.0/node_modules/jose/dist/node/esm/util/errors.js
+init_cjs_shims();
+var JOSEError = class extends Error {
+  static get code() {
+    return "ERR_JOSE_GENERIC";
+  }
+  code = "ERR_JOSE_GENERIC";
+  constructor(message) {
+    super(message), this.name = this.constructor.name, Error.captureStackTrace?.(this, this.constructor);
+  }
+};
+var JWTInvalid = class extends JOSEError {
+  static get code() {
+    return "ERR_JWT_INVALID";
+  }
+  code = "ERR_JWT_INVALID";
+};
+var JWKSMultipleMatchingKeys = class extends JOSEError {
+  [Symbol.asyncIterator];
+  static get code() {
+    return "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+  }
+  code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
+  message = "multiple matching keys found in the JSON Web Key Set";
+};
+
+// ../../node_modules/.pnpm/jose@5.8.0/node_modules/jose/dist/node/esm/lib/is_object.js
+init_cjs_shims();
+function isObjectLike(value) {
+  return typeof value == "object" && value !== null;
+}
+function isObject(input) {
+  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]")
+    return !1;
+  if (Object.getPrototypeOf(input) === null)
+    return !0;
+  let proto = input;
+  for (; Object.getPrototypeOf(proto) !== null; )
+    proto = Object.getPrototypeOf(proto);
+  return Object.getPrototypeOf(input) === proto;
+}
+
+// ../../node_modules/.pnpm/jose@5.8.0/node_modules/jose/dist/node/esm/util/base64url.js
+init_cjs_shims();
+var decode2 = decode;
+
+// ../../node_modules/.pnpm/jose@5.8.0/node_modules/jose/dist/node/esm/util/decode_jwt.js
+init_cjs_shims();
+function decodeJwt(jwt) {
+  if (typeof jwt != "string")
+    throw new JWTInvalid("JWTs must use Compact JWS serialization, JWT must be a string");
+  let { 1: payload, length } = jwt.split(".");
+  if (length === 5)
+    throw new JWTInvalid("Only JWTs using Compact JWS serialization can be decoded");
+  if (length !== 3)
+    throw new JWTInvalid("Invalid JWT");
+  if (!payload)
+    throw new JWTInvalid("JWTs must contain a payload");
+  let decoded;
+  try {
+    decoded = decode2(payload);
+  } catch {
+    throw new JWTInvalid("Failed to base64url decode the payload");
+  }
+  let result;
+  try {
+    result = JSON.parse(decoder.decode(decoded));
+  } catch {
+    throw new JWTInvalid("Failed to parse the decoded payload as JSON");
+  }
+  if (!isObject(result))
+    throw new JWTInvalid("Invalid JWT Claims Set");
+  return result;
+}
+
 // ../cli-kit/dist/private/node/session/exchange.js
 var InvalidGrantError = class extends import_ts_error.ExtendableError {
 }, InvalidRequestError = class extends import_ts_error.ExtendableError {
+}, InvalidTargetError = class extends AbortError {
 };
 async function exchangeCodeForAccessToken(codeData) {
   let clientId2 = await clientId(), params = {
@@ -3249,7 +3358,7 @@ async function refreshAccessToken(currentToken) {
     refresh_token: currentToken.refreshToken,
     client_id: clientId2
   }, value = (await tokenRequest(params)).mapError(tokenRequestErrorHandler).valueOrBug();
-  return buildIdentityToken(value);
+  return buildIdentityToken(value, currentToken.userId);
 }
 async function exchangeCustomPartnerToken(token) {
   let appId = applicationId("partners");
@@ -3286,7 +3395,12 @@ async function requestAppToken(api, token, scopes = [], store2) {
   return { [identifier]: appToken };
 }
 function tokenRequestErrorHandler(error) {
-  return error === "invalid_grant" ? new InvalidGrantError() : error === "invalid_request" ? new InvalidRequestError() : new AbortError(error);
+  let invalidTargetErrorMessage = `You are not authorized to use the CLI to develop in the provided store.
+
+You can't use Shopify CLI with development stores if you only have Partner staff member access. If you want to use Shopify CLI to work on a development store, then you should be the store owner or create a staff account on the store.
+
+If you're the store owner, then you need to log in to the store directly using the store URL at least once before you log in using Shopify CLI.Logging in to the Shopify admin directly connects the development store with your Shopify login.`;
+  return error === "invalid_grant" ? new InvalidGrantError() : error === "invalid_request" ? new InvalidRequestError() : error === "invalid_target" ? new InvalidTargetError(invalidTargetErrorMessage) : new AbortError(error);
 }
 async function tokenRequest(params) {
   let fqdn = await identityFqdn(), url2 = new URL(`https://${fqdn}/oauth/token`);
@@ -3294,12 +3408,16 @@ async function tokenRequest(params) {
   let res = await shopifyFetch(url2.href, { method: "POST" }), payload = await res.json();
   return res.ok ? ok(payload) : err(payload.error);
 }
-function buildIdentityToken(result) {
+function buildIdentityToken(result, existingUserId) {
+  let userId = existingUserId ?? (result.id_token ? decodeJwt(result.id_token).sub : void 0);
+  if (!userId)
+    throw new BugError("Error setting userId for session. No id_token or pre-existing user ID provided.");
   return {
     accessToken: result.access_token,
     refreshToken: result.refresh_token,
     expiresAt: new Date(Date.now() + result.expires_in * 1e3),
-    scopes: result.scope.split(" ")
+    scopes: result.scope.split(" "),
+    userId
   };
 }
 function buildApplicationToken(result) {
@@ -3391,7 +3509,7 @@ async function validateSession(scopes, applications, session) {
 The validation of the token for application/identity completed with the following results:
 - It's expired: ${tokensAreExpired}
 - It's invalid in identity: ${!identityIsValid}
-  `), tokensAreExpired ? "needs_refresh" : identityIsValid ? "ok" : "needs_full_auth";
+  `), validateCachedIdentityTokenStructure(session.identity) ? tokensAreExpired ? "needs_refresh" : identityIsValid ? "ok" : "needs_full_auth" : "needs_full_auth";
 }
 function isTokenExpired(token) {
   return token ? token.expiresAt < expireThreshold() : !0;
@@ -3880,19 +3998,6 @@ async function partnersRequestDoc(query, token, variables) {
     variables
   }));
 }
-var FunctionUploadUrlGenerateMutation = gql`
-  mutation functionUploadUrlGenerateMutation {
-    functionUploadUrlGenerate {
-      generatedUrlDetails {
-        url
-        moduleId
-        headers
-        maxBytes
-        maxSize
-      }
-    }
-  }
-`;
 function handleDeprecations(response) {
   if (!response.extensions)
     return;
@@ -3939,7 +4044,7 @@ Error validating auth session`, "We've cleared the current session, please try a
   let completeSession = { ...currentSession, ...newSession };
   Object.keys(newSession).length > 0 && await store(completeSession);
   let tokens = await tokensFor(applications, completeSession, fqdn), envToken = getPartnersToken();
-  return envToken && applications.partnersApi && (tokens.partners = (await exchangeCustomPartnerToken(envToken)).accessToken), !envToken && tokens.partners && await ensureUserHasPartnerAccount(tokens.partners), tokens;
+  return envToken && applications.partnersApi && (tokens.partners = (await exchangeCustomPartnerToken(envToken)).accessToken), !envToken && tokens.partners && await ensureUserHasPartnerAccount(tokens.partners, tokens.userId), tokens;
 }
 async function executeCompleteFlow(applications, identityFqdn2) {
   let scopes = getFlattenScopes(applications), exchangeScopes = getExchangeScopes(applications), store2 = applications.adminApi?.storeFqdn;
@@ -3965,9 +4070,9 @@ async function executeCompleteFlow(applications, identityFqdn2) {
   };
   return outputCompleted("Logged in."), session;
 }
-async function ensureUserHasPartnerAccount(partnersToken) {
-  if (!isTruthy(process.env.USE_APP_MANAGEMENT_API) && (outputDebug(outputContent`Verifying that the user has a Partner organization`), !await hasPartnerAccount(partnersToken) && (outputInfo(`
-A Shopify Partners organization is needed to proceed.`), outputInfo("\u{1F449} Press any key to create one"), await keypress(), await openURL(`https://${await partnersFqdn()}/signup`), outputInfo(outputContent`👉 Press any key when you have ${outputToken.cyan("created the organization")}`), outputWarn(outputContent`Make sure you've confirmed your Shopify and the Partner organization from the email`), await keypress(), !await hasPartnerAccount(partnersToken))))
+async function ensureUserHasPartnerAccount(partnersToken, userId) {
+  if (!isTruthy(process.env.USE_APP_MANAGEMENT_API) && (outputDebug(outputContent`Verifying that the user has a Partner organization`), !await hasPartnerAccount(partnersToken, userId) && (outputInfo(`
+A Shopify Partners organization is needed to proceed.`), outputInfo("\u{1F449} Press any key to create one"), await keypress(), await openURL(`https://${await partnersFqdn()}/signup`), outputInfo(outputContent`👉 Press any key when you have ${outputToken.cyan("created the organization")}`), outputWarn(outputContent`Make sure you've confirmed your Shopify and the Partner organization from the email`), await keypress(), !await hasPartnerAccount(partnersToken, userId))))
     throw new AbortError("Couldn't find your Shopify Partners organization", "Have you confirmed your accounts from the emails you received?");
 }
 var getFirstOrganization = gql`
@@ -3979,9 +4084,12 @@ var getFirstOrganization = gql`
     }
   }
 `;
-async function hasPartnerAccount(partnersToken) {
+async function hasPartnerAccount(partnersToken, userId) {
+  let cacheKey = userId ?? partnersToken;
+  if (getCachedPartnerAccountStatus(cacheKey))
+    return outputDebug("Confirmed partner account exists from cache"), !0;
   try {
-    return await partnersRequest(getFirstOrganization, partnersToken), !0;
+    return await partnersRequest(getFirstOrganization, partnersToken), setCachedPartnerAccountStatus(cacheKey), !0;
   } catch (error) {
     return !(error instanceof RequestClientError && error.statusCode === 404);
   }
@@ -3999,7 +4107,9 @@ async function tokensFor(applications, session, fqdn) {
   let fqdnSession = session[fqdn];
   if (!fqdnSession)
     throw new BugError("No session found after ensuring authenticated");
-  let tokens = {};
+  let tokens = {
+    userId: fqdnSession.identity.userId
+  };
   if (applications.adminApi) {
     let appId = applicationId("admin"), realAppId = `${applications.adminApi.storeFqdn}-${appId}`, token = fqdnSession.applications[realAppId]?.accessToken;
     token && (tokens.admin = { token, storeFqdn: applications.adminApi.storeFqdn });
@@ -4051,11 +4161,11 @@ ${outputToken.json(scopes)}
 `);
   let envToken = getPartnersToken();
   if (envToken)
-    return (await exchangeCustomPartnerToken(envToken)).accessToken;
+    return { token: (await exchangeCustomPartnerToken(envToken)).accessToken, userId: nonRandomUUID(envToken) };
   let tokens = await ensureAuthenticated({ partnersApi: { scopes } }, env, options2);
   if (!tokens.partners)
     throw new BugError("No partners token found after ensuring authenticated");
-  return tokens.partners;
+  return { token: tokens.partners, userId: tokens.userId };
 }
 async function ensureAuthenticatedAppManagement(scopes = [], env = process.env, options2 = {}) {
   outputDebug(outputContent`Ensuring that the user is authenticated with the App Management API with the following scopes:
@@ -4064,7 +4174,7 @@ ${outputToken.json(scopes)}
   let tokens = await ensureAuthenticated({ appManagementApi: { scopes } }, env, options2);
   if (!tokens)
     throw new BugError("No App Management token found after ensuring authenticated");
-  return tokens.appManagement;
+  return { token: tokens.appManagement, userId: tokens.userId };
 }
 async function ensureAuthenticatedStorefront(scopes = [], password = void 0, forceRefresh = !1) {
   if (password)
@@ -4122,7 +4232,6 @@ export {
   require_lib,
   partnersRequest,
   partnersRequestDoc,
-  FunctionUploadUrlGenerateMutation,
   handleDeprecations,
   ensureAuthenticatedPartners,
   ensureAuthenticatedAppManagement,
@@ -4132,4 +4241,4 @@ export {
   ensureAuthenticatedBusinessPlatform,
   logout
 };
-//# sourceMappingURL=chunk-D2RO6JR3.js.map
+//# sourceMappingURL=chunk-33B37WAX.js.map

package/dist/{chunk-XC2GDHJG.js → chunk-56GJOU7U.js}

@@ -19,10 +19,10 @@ import {
   require_get_stream,
   runWithTimer,
   writeFile
-} from "./chunk-JDW4FALN.js";
+} from "./chunk-7QTS6ZWN.js";
 import {
   envPaths
-} from "./chunk-F6BSBHJJ.js";
+} from "./chunk-NZDBLGNM.js";
 import {
   dirname,
   joinPath
@@ -9902,8 +9902,29 @@ function timeIntervalToMilliseconds({ days = 0, hours = 0, minutes = 0, seconds
 }
 async function runAtMinimumInterval(key, timeout, task, config = cliKitStore()) {
   let cache = config.get("cache") || {}, cacheKey = `most-recent-occurrence-${key}`, cached = cache[cacheKey];
-  if (!(cached?.value !== void 0 && Date.now() - cached.timestamp < timeIntervalToMilliseconds(timeout)))
-    return await task(), cache[cacheKey] = { value: !0, timestamp: Date.now() }, config.set("cache", cache), !0;
+  return cached?.value !== void 0 && Date.now() - cached.timestamp < timeIntervalToMilliseconds(timeout) ? !1 : (await task(), cache[cacheKey] = { value: !0, timestamp: Date.now() }, config.set("cache", cache), !0);
+}
+async function runWithRateLimit(options, config = cliKitStore()) {
+  let { key, limit, timeout, task } = options, cache = config.get("cache") || {}, cacheKey = `rate-limited-occurrences-${key}`, cached = cache[cacheKey], now = Date.now();
+  if (cached?.value) {
+    let windowStart = now - timeIntervalToMilliseconds(timeout), occurrences = cached.value.filter((occurrence) => occurrence >= windowStart);
+    if (occurrences.length >= limit)
+      return cache[cacheKey] = { value: occurrences, timestamp: Date.now() }, config.set("cache", cache), !1;
+    await task(), cache[cacheKey] = { value: [...occurrences, now], timestamp: now };
+  } else
+    await task(), cache[cacheKey] = { value: [now], timestamp: now };
+  return config.set("cache", cache), !0;
+}
+function getConfigStoreForPartnerStatus() {
+  return new LocalStorage({
+    projectName: "shopify-cli-kit-partner-status"
+  });
+}
+function getCachedPartnerAccountStatus(partnersToken) {
+  return partnersToken && getConfigStoreForPartnerStatus().get(partnersToken) ? !0 : null;
+}
+function setCachedPartnerAccountStatus(partnersToken) {
+  getConfigStoreForPartnerStatus().set(partnersToken, { status: !0, checkedAt: (/* @__PURE__ */ new Date()).toISOString() });
 }
 
 // ../../node_modules/.pnpm/latest-version@7.0.0/node_modules/latest-version/index.js
@@ -13875,6 +13896,9 @@ export {
   removeSession,
   cacheRetrieveOrRepopulate,
   runAtMinimumInterval,
+  runWithRateLimit,
+  getCachedPartnerAccountStatus,
+  setCachedPartnerAccountStatus,
   yarnLockfile,
   npmLockfile,
   pnpmLockfile,
@@ -13938,4 +13962,4 @@ deep-extend/lib/deep-extend.js:
    * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
    *)
 */
-//# sourceMappingURL=chunk-XC2GDHJG.js.map
+//# sourceMappingURL=chunk-56GJOU7U.js.map

package/dist/{chunk-WX53MNQL.js → chunk-66CAOMYB.js}

@@ -1,12 +1,12 @@
 import {
   base_command_default
-} from "./chunk-DCRMMYAV.js";
+} from "./chunk-T5OZRID5.js";
 import {
   mkdir,
   outputInfo,
   rmdir,
   writeFile
-} from "./chunk-JDW4FALN.js";
+} from "./chunk-7QTS6ZWN.js";
 import {
   cwd,
   joinPath
@@ -116,4 +116,4 @@ export {
   writeCommandFlagInterface,
   writeCommandUsageExampleFile
 };
-//# sourceMappingURL=chunk-WX53MNQL.js.map
+//# sourceMappingURL=chunk-66CAOMYB.js.map

package/dist/{chunk-UVGRJGX3.js → chunk-6JA2FWML.js}

@@ -1,9 +1,9 @@
 import {
   prompts
-} from "./chunk-63P6ZWRY.js";
+} from "./chunk-UNEY6YDL.js";
 import {
   base_command_default
-} from "./chunk-DCRMMYAV.js";
+} from "./chunk-T5OZRID5.js";
 import {
   init_cjs_shims
 } from "./chunk-POZ5MGPT.js";
@@ -25,4 +25,4 @@ var KitchenSinkPrompts = class extends base_command_default {
 export {
   KitchenSinkPrompts
 };
-//# sourceMappingURL=chunk-UVGRJGX3.js.map
+//# sourceMappingURL=chunk-6JA2FWML.js.map

package/dist/{chunk-PBJ5OTM2.js → chunk-6RGB2VE4.js}

@@ -7,7 +7,7 @@ import {
   renderSuccess,
   renderTable,
   renderWarning
-} from "./chunk-JDW4FALN.js";
+} from "./chunk-7QTS6ZWN.js";
 import {
   init_cjs_shims
 } from "./chunk-POZ5MGPT.js";
@@ -185,4 +185,4 @@ async function staticService() {
 export {
   staticService
 };
-//# sourceMappingURL=chunk-PBJ5OTM2.js.map
+//# sourceMappingURL=chunk-6RGB2VE4.js.map