@uniforge/platform-shopify 0.1.0-alpha.2

package/dist/auth/index.js

@@ -0,0 +1,623 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/auth/index.ts
+var auth_exports = {};
+__export(auth_exports, {
+  ShopifySessionManager: () => ShopifySessionManager,
+  beginOAuth: () => beginOAuth,
+  createShopifyTokenExchangeFn: () => createShopifyTokenExchangeFn,
+  extractSessionToken: () => extractSessionToken,
+  extractShop: () => extractShop,
+  handleOAuthCallback: () => handleOAuthCallback,
+  performTokenExchange: () => performTokenExchange,
+  validateOAuthHmac: () => validateOAuthHmac
+});
+module.exports = __toCommonJS(auth_exports);
+
+// src/auth/token-exchange.ts
+var import_node_crypto = require("crypto");
+var import_auth = require("@uniforge/platform-core/auth");
+var import_auth2 = require("@uniforge/core/auth");
+function extractSessionToken(request) {
+  const authHeader = request.headers["authorization"] ?? request.headers["Authorization"];
+  if (!authHeader || typeof authHeader !== "string") {
+    return null;
+  }
+  if (!authHeader.startsWith("Bearer ")) {
+    return null;
+  }
+  const token = authHeader.slice("Bearer ".length).trim();
+  return token.length > 0 ? token : null;
+}
+function extractShop(request) {
+  const shopFromQuery = request.query["shop"];
+  if (shopFromQuery && (0, import_auth.isValidShopDomain)(shopFromQuery)) {
+    return shopFromQuery;
+  }
+  const shopFromHeader = request.headers["x-shopify-shop-domain"];
+  if (shopFromHeader && typeof shopFromHeader === "string" && (0, import_auth.isValidShopDomain)(shopFromHeader)) {
+    return shopFromHeader;
+  }
+  return null;
+}
+async function createShopifyTokenExchangeFn(config) {
+  const { shopifyApi, LogSeverity } = await import("@shopify/shopify-api");
+  await import("@shopify/shopify-api/adapters/node");
+  const shopify = shopifyApi({
+    apiKey: config.apiKey,
+    apiSecretKey: config.apiSecretKey,
+    scopes: config.scopes,
+    hostName: config.hostName,
+    apiVersion: config.apiVersion,
+    isEmbeddedApp: config.isEmbeddedApp ?? true,
+    logger: { level: LogSeverity.Error }
+  });
+  return shopify.auth.tokenExchange;
+}
+async function performTokenExchange(input) {
+  const { config, sessionToken, shop, tokenType } = input;
+  if (!sessionToken) {
+    throw new Error("Session token is required for token exchange.");
+  }
+  if (!(0, import_auth.isValidShopDomain)(shop)) {
+    throw new Error(
+      `Invalid shop domain "${shop}". Expected format: example.myshopify.com`
+    );
+  }
+  const tokenExchangeFn = input.tokenExchangeFn ?? await createShopifyTokenExchangeFn(config);
+  const requestedTokenType = tokenType === "online" ? "urn:shopify:params:oauth:token-type:online-access-token" : "urn:shopify:params:oauth:token-type:offline-access-token";
+  try {
+    const { session: shopifySession } = await tokenExchangeFn({
+      sessionToken,
+      shop,
+      requestedTokenType
+    });
+    const now = /* @__PURE__ */ new Date();
+    const session = mapShopifySession(shopifySession, shop, now);
+    if (config.eventHandler) {
+      const event = (0, import_auth2.createAuthEvent)({
+        type: "token_exchange_success",
+        shopDomain: shop,
+        outcome: "success",
+        sessionId: session.id,
+        metadata: {
+          tokenType,
+          sessionId: session.id
+        }
+      });
+      await Promise.resolve(config.eventHandler.onAuthEvent(event));
+    }
+    return session;
+  } catch (error) {
+    if (config.eventHandler) {
+      const event = (0, import_auth2.createAuthEvent)({
+        type: "token_exchange_failure",
+        shopDomain: shop,
+        outcome: "failure",
+        metadata: {
+          tokenType,
+          error: error instanceof Error ? error.message : String(error)
+        }
+      });
+      await Promise.resolve(config.eventHandler.onAuthEvent(event));
+    }
+    throw error;
+  }
+}
+function mapShopifySession(shopifySession, shop, now) {
+  const session = {
+    id: shopifySession.id,
+    shop: shopifySession.shop || shop,
+    state: shopifySession.state || (0, import_node_crypto.randomUUID)(),
+    isOnline: shopifySession.isOnline,
+    scope: shopifySession.scope || "",
+    expires: shopifySession.expires ?? null,
+    createdAt: now,
+    updatedAt: now
+  };
+  if (shopifySession.accessToken) {
+    session.accessToken = shopifySession.accessToken;
+  }
+  if (shopifySession.refreshToken) {
+    session.refreshToken = shopifySession.refreshToken;
+  }
+  if (shopifySession.onlineAccessInfo) {
+    const info = shopifySession.onlineAccessInfo;
+    session.onlineAccessInfo = {
+      expiresIn: info.expires_in ?? info.expiresIn ?? 0,
+      associatedUserScope: info.associated_user_scope ?? info.associatedUserScope ?? "",
+      associatedUser: info.associated_user ? {
+        id: info.associated_user.id,
+        firstName: info.associated_user.first_name,
+        lastName: info.associated_user.last_name,
+        email: info.associated_user.email,
+        emailVerified: info.associated_user.email_verified,
+        accountOwner: info.associated_user.account_owner,
+        locale: info.associated_user.locale,
+        collaborator: info.associated_user.collaborator
+      } : info.associatedUser
+    };
+  }
+  return session;
+}
+
+// src/auth/session.ts
+var import_auth3 = require("@uniforge/core/auth");
+var ShopifySessionManager = class {
+  constructor(config, options) {
+    this.config = config;
+    const encryption = new import_auth3.TokenEncryptionServiceImpl(config.encryption);
+    this.encryptedStorage = new import_auth3.EncryptedSessionStorage(
+      config.sessionStorage,
+      encryption
+    );
+    if (options?.tokenExchangeFn) {
+      this.tokenExchangeFn = options.tokenExchangeFn;
+    }
+    if (options?.tokenRefreshFn) {
+      this.tokenRefreshFn = options.tokenRefreshFn;
+    }
+  }
+  encryptedStorage;
+  tokenExchangeFn;
+  tokenRefreshFn;
+  /**
+   * Get an existing valid session or create one via token exchange.
+   *
+   * For embedded apps, this:
+   * 1. Extracts the session token and shop from the request
+   * 2. Checks storage for an existing non-expired session
+   * 3. If no valid session, performs token exchange with Shopify
+   * 4. Stores the new session (encrypted) and returns it
+   */
+  async getOrCreateSession(request) {
+    const shop = extractShop(request);
+    if (!shop) {
+      throw new Error(
+        "Could not extract shop domain from request. Provide shop in query parameter or x-shopify-shop-domain header."
+      );
+    }
+    const sessionToken = extractSessionToken(request);
+    if (!sessionToken) {
+      throw new Error(
+        "Could not extract session token from Authorization header. Expected: Authorization: Bearer <token>"
+      );
+    }
+    const sessionId = `offline_${shop}`;
+    const existingSession = await this.encryptedStorage.loadSession(sessionId);
+    if (existingSession && !this.isExpired(existingSession)) {
+      return existingSession;
+    }
+    const exchangeInput = {
+      config: this.config,
+      sessionToken,
+      shop,
+      tokenType: "offline"
+    };
+    if (this.tokenExchangeFn) {
+      exchangeInput.tokenExchangeFn = this.tokenExchangeFn;
+    }
+    const session = await performTokenExchange(exchangeInput);
+    await this.encryptedStorage.storeSession(session);
+    return session;
+  }
+  /**
+   * Get an existing valid online session or create one via token exchange.
+   */
+  async getOrCreateOnlineSession(request) {
+    const shop = extractShop(request);
+    if (!shop) {
+      throw new Error(
+        "Could not extract shop domain from request."
+      );
+    }
+    const sessionToken = extractSessionToken(request);
+    if (!sessionToken) {
+      throw new Error(
+        "Could not extract session token from Authorization header."
+      );
+    }
+    const onlineExchangeInput = {
+      config: this.config,
+      sessionToken,
+      shop,
+      tokenType: "online"
+    };
+    if (this.tokenExchangeFn) {
+      onlineExchangeInput.tokenExchangeFn = this.tokenExchangeFn;
+    }
+    const session = await performTokenExchange(onlineExchangeInput);
+    await this.encryptedStorage.storeSession(session);
+    return session;
+  }
+  /**
+   * Refresh an expiring session token.
+   *
+   * Retries up to `config.tokenRefresh.maxRetries` on failure.
+   * On success, stores the refreshed session (encrypted) and emits
+   * a `token_refreshed` event. On final failure, emits
+   * `token_refresh_failed` and throws.
+   */
+  async refreshSessionToken(session) {
+    const maxRetries = this.config.tokenRefresh?.maxRetries ?? 3;
+    const refreshFn = this.tokenRefreshFn ?? await this.createDefaultRefreshFn();
+    let lastError;
+    for (let attempt = 0; attempt < maxRetries; attempt++) {
+      try {
+        const refreshInput = { shop: session.shop };
+        if (session.accessToken) {
+          refreshInput.accessToken = session.accessToken;
+        }
+        if (session.refreshToken) {
+          refreshInput.refreshToken = session.refreshToken;
+        }
+        const { session: refreshedShopifySession } = await refreshFn({
+          session: refreshInput
+        });
+        const now = /* @__PURE__ */ new Date();
+        const refreshedSession = this.mapRefreshedSession(
+          refreshedShopifySession,
+          session,
+          now
+        );
+        await this.encryptedStorage.storeSession(refreshedSession);
+        if (this.config.eventHandler) {
+          const event = (0, import_auth3.createAuthEvent)({
+            type: "token_refreshed",
+            shopDomain: session.shop,
+            outcome: "success",
+            sessionId: session.id,
+            metadata: { attempt: String(attempt + 1) }
+          });
+          await Promise.resolve(
+            this.config.eventHandler.onAuthEvent(event)
+          );
+        }
+        return refreshedSession;
+      } catch (error) {
+        lastError = error instanceof Error ? error : new Error(String(error));
+      }
+    }
+    if (this.config.eventHandler) {
+      const event = (0, import_auth3.createAuthEvent)({
+        type: "token_refresh_failed",
+        shopDomain: session.shop,
+        outcome: "failure",
+        sessionId: session.id,
+        metadata: {
+          maxRetries: String(maxRetries),
+          error: lastError?.message ?? "Unknown error"
+        }
+      });
+      await Promise.resolve(this.config.eventHandler.onAuthEvent(event));
+    }
+    throw lastError ?? new Error("Token refresh failed after all retries.");
+  }
+  /**
+   * Delete all sessions for a shop (e.g., on app uninstall).
+   *
+   * Finds all sessions via `findSessionsByShop`, deletes them,
+   * and emits `session_deleted` events.
+   */
+  async cleanupShopSessions(shop) {
+    const sessions = await this.config.sessionStorage.findSessionsByShop(shop);
+    if (sessions.length === 0) {
+      return;
+    }
+    const sessionIds = sessions.map((s) => s.id);
+    await this.config.sessionStorage.deleteSessions(sessionIds);
+    if (this.config.eventHandler) {
+      for (const session of sessions) {
+        const event = (0, import_auth3.createAuthEvent)({
+          type: "session_deleted",
+          shopDomain: shop,
+          outcome: "success",
+          sessionId: session.id,
+          metadata: { reason: "shop_cleanup" }
+        });
+        await Promise.resolve(
+          this.config.eventHandler.onAuthEvent(event)
+        );
+      }
+    }
+  }
+  isExpired(session) {
+    if (!session.expires) {
+      return false;
+    }
+    return session.expires.getTime() <= Date.now();
+  }
+  mapRefreshedSession(refreshed, original, now) {
+    const session = {
+      id: refreshed.id || original.id,
+      shop: refreshed.shop || original.shop,
+      state: refreshed.state || original.state,
+      isOnline: refreshed.isOnline,
+      scope: refreshed.scope || original.scope,
+      expires: refreshed.expires ?? original.expires,
+      createdAt: original.createdAt,
+      updatedAt: now
+    };
+    if (refreshed.accessToken) {
+      session.accessToken = refreshed.accessToken;
+    }
+    if (refreshed.refreshToken) {
+      session.refreshToken = refreshed.refreshToken;
+    }
+    return session;
+  }
+  async createDefaultRefreshFn() {
+    const { shopifyApi, LogSeverity } = await import("@shopify/shopify-api");
+    await import("@shopify/shopify-api/adapters/node");
+    const shopify = shopifyApi({
+      apiKey: this.config.apiKey,
+      apiSecretKey: this.config.apiSecretKey,
+      scopes: this.config.scopes,
+      hostName: this.config.hostName,
+      apiVersion: this.config.apiVersion,
+      isEmbeddedApp: this.config.isEmbeddedApp ?? true,
+      logger: { level: LogSeverity.Error }
+    });
+    return async (params) => {
+      const result = await shopify.auth.refreshToken(params);
+      return result;
+    };
+  }
+};
+
+// src/auth/hmac.ts
+var import_node_crypto2 = require("crypto");
+function validateOAuthHmac(query, secret) {
+  const hmac = query["hmac"];
+  if (!hmac) {
+    return false;
+  }
+  const entries = Object.entries(query).filter(([key]) => key !== "hmac").sort(([a], [b]) => a.localeCompare(b));
+  const message = entries.map(([key, value]) => `${key}=${value}`).join("&");
+  const computed = (0, import_node_crypto2.createHmac)("sha256", secret).update(message).digest("hex");
+  if (computed.length !== hmac.length) {
+    return false;
+  }
+  return (0, import_node_crypto2.timingSafeEqual)(
+    Buffer.from(computed, "utf-8"),
+    Buffer.from(hmac, "utf-8")
+  );
+}
+
+// src/auth/oauth.ts
+var import_node_crypto3 = require("crypto");
+var import_auth4 = require("@uniforge/platform-core/auth");
+var import_auth5 = require("@uniforge/core/auth");
+var import_auth6 = require("@uniforge/core/auth");
+async function beginOAuth(input) {
+  const { config, request, callbackPath, isOnline } = input;
+  const shop = request.query["shop"];
+  if (!shop || !(0, import_auth4.isValidShopDomain)(shop)) {
+    throw new Error(
+      "Could not extract valid shop domain from request. Provide shop in query parameter."
+    );
+  }
+  const beginFn = input.beginFn ?? await createShopifyOAuthBeginFn(config);
+  const { redirectUrl } = await beginFn({
+    shop,
+    callbackPath,
+    isOnline: isOnline ?? false
+  });
+  if (config.eventHandler) {
+    const event = (0, import_auth5.createAuthEvent)({
+      type: "oauth_begin",
+      shopDomain: shop,
+      outcome: "success",
+      metadata: { callbackPath }
+    });
+    await Promise.resolve(config.eventHandler.onAuthEvent(event));
+  }
+  return { redirectUrl };
+}
+async function handleOAuthCallback(input) {
+  const { config, request } = input;
+  const query = request.query;
+  const shop = query["shop"] ?? "";
+  if (query["error"]) {
+    const errorDesc = query["error_description"] ?? `Authorization ${query["error"]}`;
+    if (config.eventHandler) {
+      const event = (0, import_auth5.createAuthEvent)({
+        type: "oauth_callback_failure",
+        shopDomain: shop,
+        outcome: "failure",
+        metadata: {
+          error: query["error"],
+          errorDescription: errorDesc
+        }
+      });
+      await Promise.resolve(config.eventHandler.onAuthEvent(event));
+    }
+    return {
+      success: false,
+      error: {
+        code: "ACCESS_DENIED",
+        message: errorDesc,
+        statusCode: 403
+      }
+    };
+  }
+  if (!validateOAuthHmac(query, config.apiSecretKey)) {
+    if (config.eventHandler) {
+      const event = (0, import_auth5.createAuthEvent)({
+        type: "oauth_callback_failure",
+        shopDomain: shop,
+        outcome: "failure",
+        metadata: { error: "HMAC validation failed" }
+      });
+      await Promise.resolve(config.eventHandler.onAuthEvent(event));
+    }
+    return {
+      success: false,
+      error: {
+        code: "HMAC_VALIDATION_FAILED",
+        message: "HMAC validation failed on OAuth callback.",
+        statusCode: 403
+      }
+    };
+  }
+  try {
+    const callbackFn = input.callbackFn ?? await createShopifyOAuthCallbackFn(config);
+    const { session: shopifySession } = await callbackFn({ query });
+    const now = /* @__PURE__ */ new Date();
+    const session = mapOAuthSession(shopifySession, shop, now);
+    const grantedScopes = new Set(
+      (session.scope || "").split(",").map((s) => s.trim())
+    );
+    const requiredScopes = config.scopes;
+    const missingScopes = requiredScopes.filter(
+      (scope) => !grantedScopes.has(scope)
+    );
+    if (missingScopes.length > 0) {
+      if (config.eventHandler) {
+        const event = (0, import_auth5.createAuthEvent)({
+          type: "oauth_callback_failure",
+          shopDomain: shop,
+          outcome: "failure",
+          metadata: {
+            error: "scope_mismatch",
+            missingScopes: missingScopes.join(",")
+          }
+        });
+        await Promise.resolve(config.eventHandler.onAuthEvent(event));
+      }
+      return {
+        success: false,
+        error: {
+          code: "SCOPE_MISMATCH",
+          message: `Missing required scopes: ${missingScopes.join(", ")}. Granted: ${session.scope}`,
+          statusCode: 403
+        }
+      };
+    }
+    const encryption = new import_auth6.TokenEncryptionServiceImpl(config.encryption);
+    const encryptedStorage = new import_auth6.EncryptedSessionStorage(
+      config.sessionStorage,
+      encryption
+    );
+    await encryptedStorage.storeSession(session);
+    if (config.eventHandler) {
+      const event = (0, import_auth5.createAuthEvent)({
+        type: "oauth_callback_success",
+        shopDomain: shop,
+        outcome: "success",
+        sessionId: session.id,
+        metadata: { scope: session.scope }
+      });
+      await Promise.resolve(config.eventHandler.onAuthEvent(event));
+    }
+    return {
+      success: true,
+      session,
+      redirectUrl: `${config.hostName}/?shop=${shop}`
+    };
+  } catch (error) {
+    if (config.eventHandler) {
+      const event = (0, import_auth5.createAuthEvent)({
+        type: "oauth_callback_failure",
+        shopDomain: shop,
+        outcome: "failure",
+        metadata: {
+          error: error instanceof Error ? error.message : String(error)
+        }
+      });
+      await Promise.resolve(config.eventHandler.onAuthEvent(event));
+    }
+    return {
+      success: false,
+      error: {
+        code: "OAUTH_CALLBACK_FAILED",
+        message: error instanceof Error ? error.message : String(error),
+        statusCode: 500
+      }
+    };
+  }
+}
+async function createShopifyOAuthBeginFn(config) {
+  return async (params) => {
+    const nonce = (0, import_node_crypto3.randomUUID)();
+    const scopeString = config.scopes.join(",");
+    const redirectUri = `${config.hostName}${params.callbackPath}`;
+    const redirectUrl = `https://${params.shop}/admin/oauth/authorize?client_id=${config.apiKey}&scope=${encodeURIComponent(scopeString)}&redirect_uri=${encodeURIComponent(redirectUri)}&state=${nonce}`;
+    return { redirectUrl };
+  };
+}
+async function createShopifyOAuthCallbackFn(config) {
+  const { shopifyApi, LogSeverity } = await import("@shopify/shopify-api");
+  await import("@shopify/shopify-api/adapters/node");
+  const shopify = shopifyApi({
+    apiKey: config.apiKey,
+    apiSecretKey: config.apiSecretKey,
+    scopes: config.scopes,
+    hostName: config.hostName,
+    apiVersion: config.apiVersion,
+    isEmbeddedApp: config.isEmbeddedApp ?? false,
+    logger: { level: LogSeverity.Error }
+  });
+  return async (params) => {
+    const result = await shopify.auth.callback(params);
+    return result;
+  };
+}
+function mapOAuthSession(shopifySession, shop, now) {
+  const session = {
+    id: shopifySession.id,
+    shop: shopifySession.shop || shop,
+    state: shopifySession.state || (0, import_node_crypto3.randomUUID)(),
+    isOnline: shopifySession.isOnline,
+    scope: shopifySession.scope || "",
+    expires: shopifySession.expires ?? null,
+    createdAt: now,
+    updatedAt: now
+  };
+  if (shopifySession.accessToken) {
+    session.accessToken = shopifySession.accessToken;
+  }
+  if (shopifySession.refreshToken) {
+    session.refreshToken = shopifySession.refreshToken;
+  }
+  return session;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ShopifySessionManager,
+  beginOAuth,
+  createShopifyTokenExchangeFn,
+  extractSessionToken,
+  extractShop,
+  handleOAuthCallback,
+  performTokenExchange,
+  validateOAuthHmac
+});
+//# sourceMappingURL=index.js.map