shopify-app-js 0.0.1-security → 1.0.1

package/packages/shopify-app-remix/src/server/authenticate/admin/strategies/__tests__/token-exchange/authenticate.test.ts

@@ -0,0 +1,310 @@
+import {Session} from '@shopify/shopify-api';
+
+import {shopifyApp} from '../../../../..';
+import {
+  API_KEY,
+  API_SECRET_KEY,
+  APP_URL,
+  BASE64_HOST,
+  TEST_SHOP,
+  getJwt,
+  getThrownResponse,
+  mockExternalRequest,
+  setUpValidSession,
+  testConfig,
+} from '../../../../../__test-helpers';
+
+const USER_ID = 902541635;
+
+describe('authenticate', () => {
+  it('performs token exchange when there is no offline session', async () => {
+    // GIVEN
+    const config = testConfig();
+    const shopify = shopifyApp(config);
+
+    const {token} = getJwt();
+    await mockTokenExchangeRequest(token, 'offline');
+
+    // WHEN
+    const {session} = await shopify.authenticate.admin(
+      new Request(
+        `${APP_URL}?embedded=1&shop=${TEST_SHOP}&host=${BASE64_HOST}&id_token=${token}`,
+      ),
+    );
+
+    // THEN
+    const [persistedSession] =
+      await config.sessionStorage.findSessionsByShop(TEST_SHOP);
+
+    expect(persistedSession).toEqual(session);
+    expect(session).toMatchObject({
+      accessToken: '123abc-exchanged-from-session-token',
+      id: `offline_${TEST_SHOP}`,
+      isOnline: false,
+      scope: 'read_orders',
+      shop: TEST_SHOP,
+      state: '',
+    });
+  });
+
+  it('performs token exchange when existing session is no longer valid', async () => {
+    // GIVEN
+    const config = testConfig({useOnlineTokens: true});
+    const shopify = shopifyApp(config);
+    const anHourAgo = new Date(Date.now() - 1000 * 3600);
+    await setUpValidSession(shopify.sessionStorage, {
+      isOnline: true,
+      expires: anHourAgo,
+    });
+
+    const {token} = getJwt();
+    await mockTokenExchangeRequest(token, 'offline');
+    await mockTokenExchangeRequest(token, 'online');
+
+    // WHEN
+    const {session} = await shopify.authenticate.admin(
+      new Request(
+        `${APP_URL}?embedded=1&shop=${TEST_SHOP}&host=${BASE64_HOST}&id_token=${token}`,
+      ),
+    );
+
+    // THEN
+    const [_, onlineSession] =
+      await config.sessionStorage.findSessionsByShop(TEST_SHOP);
+
+    expect(onlineSession).toEqual(session);
+    expect(session).toMatchObject({
+      accessToken: '123abc-exchanged-from-session-token',
+      id: `${TEST_SHOP}_${USER_ID}`,
+      isOnline: true,
+      scope: 'read_orders',
+      shop: TEST_SHOP,
+      state: '',
+      onlineAccessInfo: expect.any(Object),
+    });
+  });
+
+  describe.each([true, false])(
+    'existing sessions when isOnline: %s',
+    (isOnline) => {
+      it('returns the context if the session is valid', async () => {
+        // GIVEN
+        const shopify = shopifyApp(testConfig({useOnlineTokens: isOnline}));
+
+        let testSession: Session;
+        testSession = await setUpValidSession(shopify.sessionStorage);
+        if (isOnline) {
+          testSession = await setUpValidSession(shopify.sessionStorage, {
+            isOnline,
+          });
+        }
+
+        // WHEN
+        const {token} = getJwt();
+        const {admin, session} = await shopify.authenticate.admin(
+          new Request(
+            `${APP_URL}?embedded=1&shop=${TEST_SHOP}&host=${BASE64_HOST}&id_token=${token}`,
+          ),
+        );
+
+        // THEN
+        expect(session).toBe(testSession);
+        expect(admin.rest.session).toBe(testSession);
+        expect(session.isOnline).toEqual(isOnline);
+      });
+    },
+  );
+
+  test('redirects to bounce page on document request when receiving an invalid subject token response from token exchange API', async () => {
+    // GIVEN
+    const config = testConfig();
+    const shopify = shopifyApp(config);
+
+    const {token} = getJwt();
+    await mockInvalidTokenExchangeRequest('invalid_subject_token');
+
+    // WHEN
+    const response = await getThrownResponse(
+      shopify.authenticate.admin,
+      new Request(
+        `${APP_URL}?embedded=1&shop=${TEST_SHOP}&host=${BASE64_HOST}&id_token=${token}`,
+      ),
+    );
+
+    // THEN
+    const {pathname, searchParams} = new URL(
+      response.headers.get('location')!,
+      APP_URL,
+    );
+
+    expect(response.status).toBe(302);
+    expect(pathname).toBe('/auth/session-token');
+    expect(searchParams.get('shop')).toBe(TEST_SHOP);
+    expect(searchParams.get('host')).toBe(BASE64_HOST);
+    expect(searchParams.get('shopify-reload')).toBe(
+      `${APP_URL}/?embedded=1&shop=${TEST_SHOP}&host=${BASE64_HOST}`,
+    );
+  });
+
+  test('throws 401 unauthorized on XHR request when receiving an invalid subject token response from token exchange API', async () => {
+    // GIVEN
+    const config = testConfig();
+    const shopify = shopifyApp(config);
+
+    const {token} = getJwt();
+    await mockInvalidTokenExchangeRequest('invalid_subject_token');
+
+    // WHEN
+    const response = await getThrownResponse(
+      shopify.authenticate.admin,
+      new Request(APP_URL, {
+        headers: {
+          Authorization: `Bearer ${token}`,
+        },
+      }),
+    );
+
+    // THEN
+    expect(response.status).toBe(401);
+    expect(
+      response.headers.get('X-Shopify-Retry-Invalid-Session-Request'),
+    ).toEqual('1');
+  });
+
+  test('throws 500 for any other error from token exchange API', async () => {
+    // GIVEN
+    const config = testConfig();
+    const shopify = shopifyApp(config);
+
+    const {token} = getJwt();
+    await mockInvalidTokenExchangeRequest('im_broke', 401);
+
+    // WHEN
+    const response = await getThrownResponse(
+      shopify.authenticate.admin,
+      new Request(APP_URL, {
+        headers: {
+          Authorization: `Bearer ${token}`,
+        },
+      }),
+    );
+
+    // THEN
+    expect(response.status).toBe(500);
+  });
+
+  test('throws a 500 if afterAuth hook throws an error', async () => {
+    // GIVEN
+    const config = testConfig();
+    const shopify = shopifyApp({
+      ...config,
+      hooks: {
+        afterAuth: () => {
+          throw new Error('test');
+        },
+      },
+    });
+
+    const {token} = getJwt();
+    await mockTokenExchangeRequest(token, 'offline');
+
+    // WHEN
+    const response = await getThrownResponse(
+      shopify.authenticate.admin,
+      new Request(
+        `${APP_URL}?embedded=1&shop=${TEST_SHOP}&host=${BASE64_HOST}&id_token=${token}`,
+      ),
+    );
+
+    // THEN
+    expect(response.status).toBe(500);
+  });
+
+  test('Runs the afterAuth hooks passing', async () => {
+    // GIVEN
+    const afterAuthMock = jest.fn();
+    const config = testConfig({
+      hooks: {
+        afterAuth: afterAuthMock,
+      },
+    });
+    const shopify = shopifyApp(config);
+
+    const {token} = getJwt();
+    await mockTokenExchangeRequest(token, 'offline');
+
+    // WHEN
+    const {session} = await shopify.authenticate.admin(
+      new Request(
+        `${APP_URL}?embedded=1&shop=${TEST_SHOP}&host=${BASE64_HOST}&id_token=${token}`,
+      ),
+    );
+
+    // THEN
+    expect(session).toBeDefined();
+    expect(afterAuthMock).toHaveBeenCalledTimes(1);
+  });
+});
+
+async function mockTokenExchangeRequest(
+  sessionToken,
+  tokenType: 'online' | 'offline' = 'offline',
+) {
+  const responseBody = {
+    access_token: '123abc-exchanged-from-session-token',
+    scope: 'read_orders',
+  };
+
+  await mockExternalRequest({
+    request: new Request(`https://${TEST_SHOP}/admin/oauth/access_token`, {
+      method: 'POST',
+      body: JSON.stringify({
+        client_id: API_KEY,
+        client_secret: API_SECRET_KEY,
+        grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
+        subject_token: sessionToken,
+        subject_token_type: 'urn:ietf:params:oauth:token-type:id_token',
+        requested_token_type:
+          tokenType === 'offline'
+            ? 'urn:shopify:params:oauth:token-type:offline-access-token'
+            : 'urn:shopify:params:oauth:token-type:online-access-token',
+      }),
+    }),
+    response:
+      tokenType === 'offline'
+        ? new Response(JSON.stringify(responseBody))
+        : new Response(
+            JSON.stringify({
+              ...responseBody,
+              expires_in: Math.trunc(Date.now() / 1000) + 3600,
+              associated_user_scope: 'read_orders',
+              associated_user: {
+                id: USER_ID,
+                first_name: 'John',
+                last_name: 'Smith',
+                email: 'john@example.com',
+                email_verified: true,
+                account_owner: true,
+                locale: 'en',
+                collaborator: false,
+              },
+            }),
+          ),
+  });
+}
+
+async function mockInvalidTokenExchangeRequest(error: string, status = 400) {
+  await mockExternalRequest({
+    request: new Request(`https://${TEST_SHOP}/admin/oauth/access_token`, {
+      method: 'POST',
+    }),
+    response: new Response(
+      JSON.stringify({
+        error,
+      }),
+      {
+        status,
+      },
+    ),
+  });
+}

package/packages/shopify-app-remix/src/server/authenticate/admin/strategies/auth-code-flow.ts

@@ -0,0 +1,333 @@
+import {
+  CookieNotFound,
+  GraphqlQueryError,
+  HttpResponseError,
+  InvalidHmacError,
+  InvalidOAuthError,
+  Session,
+  Shopify,
+  ShopifyRestResources,
+} from '@shopify/shopify-api';
+
+import type {BasicParams} from '../../../types';
+import {
+  beginAuth,
+  handleClientErrorFactory,
+  redirectToAuthPage,
+  redirectToShopifyOrAppRoot,
+  redirectWithExitIframe,
+  triggerAfterAuthHook,
+  validateShopAndHostParams,
+} from '../helpers';
+import {AppConfig, AppConfigArg} from '../../../config-types';
+import {getSessionTokenHeader} from '../../helpers';
+import {HandleAdminClientError} from '../../../clients';
+import type {
+  ApiConfigWithFutureFlags,
+  ApiFutureFlags,
+} from '../../../future/flags';
+
+import {AuthorizationStrategy, SessionContext, OnErrorOptions} from './types';
+
+export class AuthCodeFlowStrategy<
+  Config extends AppConfigArg,
+  Resources extends ShopifyRestResources = ShopifyRestResources,
+> implements AuthorizationStrategy
+{
+  protected api: Shopify<
+    ApiConfigWithFutureFlags<Config['future']>,
+    ShopifyRestResources,
+    ApiFutureFlags<Config['future']>
+  >;
+
+  protected config: AppConfig;
+  protected logger: Shopify['logger'];
+
+  public constructor({api, config, logger}: BasicParams) {
+    this.api = api;
+    this.config = config;
+    this.logger = logger;
+  }
+
+  public async respondToOAuthRequests(request: Request): Promise<void | never> {
+    const {api, config} = this;
+
+    const url = new URL(request.url);
+    const isAuthRequest = url.pathname === config.auth.path;
+    const isAuthCallbackRequest = url.pathname === config.auth.callbackPath;
+
+    if (isAuthRequest || isAuthCallbackRequest) {
+      const shop = api.utils.sanitizeShop(url.searchParams.get('shop')!);
+      if (!shop) throw new Response('Shop param is invalid', {status: 400});
+
+      if (isAuthRequest) {
+        throw await this.handleAuthBeginRequest(request, shop);
+      } else {
+        throw await this.handleAuthCallbackRequest(request, shop);
+      }
+    }
+
+    if (!getSessionTokenHeader(request)) {
+      // This is a document request that doesn't contain a session token. We check if the app is installed.
+      // If the app isn't installed, we initiate the OAuth auth code flow.
+      // Requests with a header can only happen after the app is installed.
+      await this.ensureInstalledOnShop(request);
+    }
+  }
+
+  public async authenticate(
+    request: Request,
+    sessionContext: SessionContext,
+  ): Promise<Session | never> {
+    const {api, config, logger} = this;
+
+    const {shop, session} = sessionContext;
+
+    if (!session) {
+      logger.debug('No session found, redirecting to OAuth', {shop});
+      await redirectToAuthPage({config, logger, api}, request, shop);
+    } else if (!session.isActive(config.scopes)) {
+      logger.debug(
+        'Found a session, but it has expired, redirecting to OAuth',
+        {shop},
+      );
+      await redirectToAuthPage({config, logger, api}, request, shop);
+    }
+
+    logger.debug('Found a valid session', {shop});
+
+    return session!;
+  }
+
+  public handleClientError(request: Request): HandleAdminClientError {
+    const {api, config, logger} = this;
+    return handleClientErrorFactory({
+      request,
+      onError: async ({session, error}: OnErrorOptions) => {
+        if (error.response.code === 401) {
+          throw await redirectToAuthPage(
+            {api, config, logger},
+            request,
+            session.shop,
+          );
+        }
+      },
+    });
+  }
+
+  private async ensureInstalledOnShop(request: Request) {
+    const {api, config, logger} = this;
+
+    validateShopAndHostParams({api, config, logger}, request);
+
+    const url = new URL(request.url);
+    let shop = url.searchParams.get('shop');
+
+    // Ensure app is installed
+    logger.debug('Ensuring app is installed on shop', {shop});
+
+    if (!(await this.hasValidOfflineId(request))) {
+      logger.info("Could not find a shop, can't authenticate request");
+      throw new Response(undefined, {
+        status: 400,
+        statusText: 'Bad Request',
+      });
+    }
+
+    const offlineSession = await this.getOfflineSession(request);
+    const isEmbedded = url.searchParams.get('embedded') === '1';
+
+    if (!offlineSession) {
+      logger.info("Shop hasn't installed app yet, redirecting to OAuth", {
+        shop,
+      });
+      if (isEmbedded) {
+        redirectWithExitIframe({api, config, logger}, request, shop!);
+      } else {
+        throw await beginAuth({api, config, logger}, request, false, shop!);
+      }
+    }
+
+    shop = shop || offlineSession.shop;
+
+    if (config.isEmbeddedApp && !isEmbedded) {
+      try {
+        logger.debug('Ensuring offline session is valid before embedding', {
+          shop,
+        });
+        await this.testSession(offlineSession);
+
+        logger.debug('Offline session is still valid, embedding app', {shop});
+      } catch (error) {
+        await this.handleInvalidOfflineSession(error, request, shop);
+      }
+    }
+  }
+
+  private async handleAuthBeginRequest(
+    request: Request,
+    shop: string,
+  ): Promise<never> {
+    const {api, config, logger} = this;
+
+    logger.info('Handling OAuth begin request', {shop});
+
+    // If we're loading from an iframe, we need to break out of it
+    if (
+      config.isEmbeddedApp &&
+      request.headers.get('Sec-Fetch-Dest') === 'iframe'
+    ) {
+      logger.debug('Auth request in iframe detected, exiting iframe', {shop});
+      throw redirectWithExitIframe({api, config, logger}, request, shop);
+    } else {
+      throw await beginAuth({api, config, logger}, request, false, shop);
+    }
+  }
+
+  private async handleAuthCallbackRequest(
+    request: Request,
+    shop: string,
+  ): Promise<never> {
+    const {api, config, logger} = this;
+
+    logger.info('Handling OAuth callback request');
+
+    try {
+      const {session, headers: responseHeaders} = await api.auth.callback({
+        rawRequest: request,
+      });
+
+      await config.sessionStorage.storeSession(session);
+
+      if (config.useOnlineTokens && !session.isOnline) {
+        logger.info('Requesting online access token for offline session');
+        await beginAuth({api, config, logger}, request, true, shop);
+      }
+
+      await triggerAfterAuthHook<Resources>(
+        {api, config, logger},
+        session,
+        request,
+        this,
+      );
+
+      throw await redirectToShopifyOrAppRoot(
+        request,
+        {api, config, logger},
+        responseHeaders,
+      );
+    } catch (error) {
+      if (error instanceof Response) throw error;
+
+      throw await this.oauthCallbackError(error, request, shop);
+    }
+  }
+
+  private async getOfflineSession(
+    request: Request,
+  ): Promise<Session | undefined> {
+    const offlineId = await this.getOfflineSessionId(request);
+    return this.config.sessionStorage.loadSession(offlineId!);
+  }
+
+  private async hasValidOfflineId(request: Request) {
+    return Boolean(await this.getOfflineSessionId(request));
+  }
+
+  private async getOfflineSessionId(
+    request: Request,
+  ): Promise<string | undefined> {
+    const {api} = this;
+    const url = new URL(request.url);
+    const shop = url.searchParams.get('shop');
+
+    return shop
+      ? api.session.getOfflineId(shop)
+      : api.session.getCurrentId({isOnline: false, rawRequest: request});
+  }
+
+  private async testSession(session: Session): Promise<void> {
+    const {api} = this;
+
+    const client = new api.clients.Graphql({
+      session,
+    });
+
+    await client.request(`#graphql
+      query shopifyAppShopName {
+        shop {
+          name
+        }
+      }
+    `);
+  }
+
+  private async oauthCallbackError(
+    error: Error,
+    request: Request,
+    shop: string,
+  ) {
+    const {logger} = this;
+    logger.error('Error during OAuth callback', {error: error.message});
+
+    if (error instanceof CookieNotFound) {
+      return this.handleAuthBeginRequest(request, shop);
+    }
+
+    if (
+      error instanceof InvalidHmacError ||
+      error instanceof InvalidOAuthError
+    ) {
+      return new Response(undefined, {
+        status: 400,
+        statusText: 'Invalid OAuth Request',
+      });
+    }
+
+    return new Response(undefined, {
+      status: 500,
+      statusText: 'Internal Server Error',
+    });
+  }
+
+  private async handleInvalidOfflineSession(
+    error: Error,
+    request: Request,
+    shop: string,
+  ) {
+    const {api, logger, config} = this;
+    if (error instanceof HttpResponseError) {
+      if (error.response.code === 401) {
+        logger.info('Shop session is no longer valid, redirecting to OAuth', {
+          shop,
+        });
+        throw await beginAuth({api, config, logger}, request, false, shop);
+      } else {
+        const message = JSON.stringify(error.response.body, null, 2);
+        logger.error(`Unexpected error during session validation: ${message}`, {
+          shop,
+        });
+
+        throw new Response(undefined, {
+          status: error.response.code,
+          statusText: error.response.statusText,
+        });
+      }
+    } else if (error instanceof GraphqlQueryError) {
+      const context: Record<string, string> = {shop};
+      if (error.response) {
+        context.response = JSON.stringify(error.body);
+      }
+
+      logger.error(
+        `Unexpected error during session validation: ${error.message}`,
+        context,
+      );
+
+      throw new Response(undefined, {
+        status: 500,
+        statusText: 'Internal Server Error',
+      });
+    }
+  }
+}