npm - shopify-nuxt - Versions diffs - 0.0.1 - Mend

shopify-nuxt 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (239) hide show

package/dist/runtime/server/utils/authenticate-flow.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import type { H3Event } from 'h3';
+import type { FlowContext } from '../../types.js';
+/**
+ * Authenticate a Shopify Flow extension request.
+ *
+ * Validates the HMAC signature and returns the flow context:
+ *
+ * ```ts
+ * // server/api/flow.ts
+ * export default defineEventHandler(async (event) => {
+ *   const { admin, session, payload } = await useShopifyFlow(event)
+ *   // Perform flow extension logic
+ *   return { success: true }
+ * })
+ * ```
+ */
+export declare function useShopifyFlow(event: H3Event): Promise<FlowContext>;

package/dist/runtime/server/utils/authenticate-flow.js ADDED Viewed

@@ -0,0 +1,70 @@
+import { getHeader, readRawBody, createError } from "h3";
+import { getShopifyApi, getSessionStorage } from "../services/shopify.js";
+import { createAdminApiContext } from "./clients.js";
+export async function useShopifyFlow(event) {
+  const api = getShopifyApi();
+  if (event.method !== "POST") {
+    throw createError({
+      statusCode: 405,
+      statusMessage: "Method Not Allowed - Flow requests must be POST"
+    });
+  }
+  const shop = getHeader(event, "x-shopify-shop-domain");
+  const hmac = getHeader(event, "x-shopify-hmac-sha256");
+  if (!shop || !hmac) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Missing required headers"
+    });
+  }
+  const rawBody = await readRawBody(event);
+  if (!rawBody) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Missing request body"
+    });
+  }
+  const { createHmac: hmacCreate } = await import("node:crypto");
+  const generatedHmac = hmacCreate("sha256", api.config.apiSecretKey).update(rawBody, "utf8").digest("base64");
+  if (!safeCompare(generatedHmac, hmac)) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "HMAC validation failed"
+    });
+  }
+  let payload;
+  try {
+    payload = JSON.parse(rawBody);
+  } catch {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Invalid JSON body"
+    });
+  }
+  const sessionStorage = getSessionStorage();
+  const offlineId = api.session.getOfflineId(shop);
+  const session = await sessionStorage.loadSession(offlineId);
+  if (!session) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: `No session found for shop ${shop}`
+    });
+  }
+  const admin = createAdminApiContext(api, session);
+  return {
+    session,
+    admin,
+    payload
+  };
+}
+function safeCompare(a, b) {
+  if (a.length !== b.length) return false;
+  const encoder = new TextEncoder();
+  const bufA = encoder.encode(a);
+  const bufB = encoder.encode(b);
+  let result = 0;
+  for (let i = 0; i < bufA.length; i++) {
+    result |= bufA[i] ^ bufB[i];
+  }
+  return result === 0;
+}

package/dist/runtime/server/utils/authenticate-fulfillment-service.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import type { H3Event } from 'h3';
+/**
+ * Authenticate a request from a fulfillment service.
+ *
+ * ```ts
+ * // server/api/fulfillment-service.ts
+ * export default defineEventHandler(async (event) => {
+ *   const { admin, session } = await useShopifyFulfillmentService(event)
+ *   return { success: true }
+ * })
+ * ```
+ */
+export declare function useShopifyFulfillmentService(event: H3Event): Promise<{
+    session: import("@shopify/shopify-api").Session;
+    admin: import("./clients.js").AdminApiContext;
+}>;

package/dist/runtime/server/utils/authenticate-fulfillment-service.js ADDED Viewed

@@ -0,0 +1,54 @@
+import { getHeader, readRawBody, createError } from "h3";
+import { getShopifyApi, getSessionStorage } from "../services/shopify.js";
+import { createAdminApiContext } from "./clients.js";
+export async function useShopifyFulfillmentService(event) {
+  const api = getShopifyApi();
+  const shop = getHeader(event, "x-shopify-shop-domain");
+  const hmac = getHeader(event, "x-shopify-hmac-sha256");
+  if (!shop || !hmac) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Missing required headers"
+    });
+  }
+  const rawBody = await readRawBody(event);
+  if (!rawBody) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Missing request body"
+    });
+  }
+  const { createHmac: hmacCreate } = await import("node:crypto");
+  const generatedHmac = hmacCreate("sha256", api.config.apiSecretKey).update(rawBody, "utf8").digest("base64");
+  if (!safeCompare(generatedHmac, hmac)) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "HMAC validation failed"
+    });
+  }
+  const sessionStorage = getSessionStorage();
+  const offlineId = api.session.getOfflineId(shop);
+  const session = await sessionStorage.loadSession(offlineId);
+  if (!session) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: `No session found for shop ${shop}`
+    });
+  }
+  const admin = createAdminApiContext(api, session);
+  return {
+    session,
+    admin
+  };
+}
+function safeCompare(a, b) {
+  if (a.length !== b.length) return false;
+  const encoder = new TextEncoder();
+  const bufA = encoder.encode(a);
+  const bufB = encoder.encode(b);
+  let result = 0;
+  for (let i = 0; i < bufA.length; i++) {
+    result |= bufA[i] ^ bufB[i];
+  }
+  return result === 0;
+}

package/dist/runtime/server/utils/authenticate-pos.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import type { H3Event } from 'h3';
+import type { JwtPayload } from '@shopify/shopify-api';
+export interface POSContext {
+    sessionToken: JwtPayload;
+    cors: (response: Response) => Response;
+}
+/**
+ * Authenticate a request from a POS UI extension.
+ *
+ * ```ts
+ * // server/api/pos/widgets.ts
+ * export default defineEventHandler(async (event) => {
+ *   const { sessionToken, cors } = await useShopifyPos(event)
+ *   return cors(new Response(JSON.stringify({ shop: sessionToken.dest })))
+ * })
+ * ```
+ */
+export declare function useShopifyPos(event: H3Event): Promise<POSContext>;

package/dist/runtime/server/utils/authenticate-pos.js ADDED Viewed

@@ -0,0 +1,31 @@
+import { createError } from "h3";
+import {
+  getSessionTokenHeader,
+  getSessionTokenFromUrlParam,
+  validateSessionToken
+} from "./helpers.js";
+export async function useShopifyPos(event) {
+  const headerToken = getSessionTokenHeader(event);
+  const paramToken = getSessionTokenFromUrlParam(event);
+  const sessionToken = headerToken || paramToken;
+  if (!sessionToken) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Missing session token"
+    });
+  }
+  const payload = await validateSessionToken(sessionToken);
+  const cors = (response) => {
+    response.headers.set("Access-Control-Allow-Origin", "*");
+    response.headers.set("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+    response.headers.set(
+      "Access-Control-Allow-Headers",
+      "Content-Type, Authorization"
+    );
+    return response;
+  };
+  return {
+    sessionToken: payload,
+    cors
+  };
+}

package/dist/runtime/server/utils/authenticate-public.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import type { H3Event } from 'h3';
+import type { PublicContext } from '../../types.js';
+/**
+ * Authenticate a public request (e.g., from checkout extensions, app proxy).
+ *
+ * Returns the decoded session token for verification, but does NOT load a full session.
+ *
+ * ```ts
+ * // server/api/public/widgets.ts
+ * export default defineEventHandler(async (event) => {
+ *   const { sessionToken, cors } = await useShopifyPublic(event)
+ *   const data = await getWidgets(sessionToken)
+ *   return cors(new Response(JSON.stringify(data)))
+ * })
+ * ```
+ */
+export declare function useShopifyPublic(event: H3Event): Promise<PublicContext>;

package/dist/runtime/server/utils/authenticate-public.js ADDED Viewed

@@ -0,0 +1,31 @@
+import { createError } from "h3";
+import {
+  getSessionTokenHeader,
+  getSessionTokenFromUrlParam,
+  validateSessionToken
+} from "./helpers.js";
+export async function useShopifyPublic(event) {
+  const headerToken = getSessionTokenHeader(event);
+  const paramToken = getSessionTokenFromUrlParam(event);
+  const sessionToken = headerToken || paramToken;
+  if (!sessionToken) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Missing session token"
+    });
+  }
+  const payload = await validateSessionToken(sessionToken);
+  const cors = (response) => {
+    response.headers.set("Access-Control-Allow-Origin", "*");
+    response.headers.set("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+    response.headers.set(
+      "Access-Control-Allow-Headers",
+      "Content-Type, Authorization"
+    );
+    return response;
+  };
+  return {
+    sessionToken: payload,
+    cors
+  };
+}

package/dist/runtime/server/utils/authenticate-webhook.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import type { H3Event } from 'h3';
+import type { WebhookContext } from '../../types.js';
+/**
+ * Authenticate a Shopify webhook request.
+ *
+ * Validates the HMAC signature and returns the webhook context:
+ *
+ * ```ts
+ * // server/api/webhooks.ts
+ * export default defineEventHandler(async (event) => {
+ *   const { topic, shop, session, payload } = await useShopifyWebhook(event)
+ *
+ *   switch (topic) {
+ *     case 'PRODUCTS_CREATE':
+ *       // handle product creation
+ *       break
+ *     case 'APP_UNINSTALLED':
+ *       // clean up shop data
+ *       break
+ *   }
+ *
+ *   return { success: true }
+ * })
+ * ```
+ */
+export declare function useShopifyWebhook(event: H3Event): Promise<WebhookContext>;

package/dist/runtime/server/utils/authenticate-webhook.js ADDED Viewed

@@ -0,0 +1,76 @@
+import { getHeader, readRawBody, createError } from "h3";
+import {
+  getShopifyApi,
+  getResolvedConfig,
+  getSessionStorage
+} from "../services/shopify.js";
+export async function useShopifyWebhook(event) {
+  const api = getShopifyApi();
+  const config = getResolvedConfig();
+  if (event.method !== "POST") {
+    throw createError({
+      statusCode: 405,
+      statusMessage: "Method Not Allowed - Webhooks must be POST"
+    });
+  }
+  const topic = getHeader(event, "x-shopify-topic");
+  const shop = getHeader(event, "x-shopify-shop-domain");
+  const hmac = getHeader(event, "x-shopify-hmac-sha256");
+  const apiVersion = getHeader(event, "x-shopify-api-version") || config.apiVersion;
+  if (!topic || !shop || !hmac) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Missing required webhook headers (x-shopify-topic, x-shopify-shop-domain, x-shopify-hmac-sha256)"
+    });
+  }
+  const rawBody = await readRawBody(event);
+  if (!rawBody) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Missing request body"
+    });
+  }
+  const { createHmac } = await import("node:crypto");
+  const generatedHmac = createHmac("sha256", api.config.apiSecretKey).update(rawBody, "utf8").digest("base64");
+  if (!safeCompare(generatedHmac, hmac)) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: "Webhook HMAC validation failed"
+    });
+  }
+  let payload;
+  try {
+    payload = JSON.parse(rawBody);
+  } catch {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Invalid JSON in webhook body"
+    });
+  }
+  let session;
+  try {
+    const sessionStorage = getSessionStorage();
+    const offlineId = api.session.getOfflineId(shop);
+    session = await sessionStorage.loadSession(offlineId) || void 0;
+  } catch {
+    session = void 0;
+  }
+  return {
+    topic: topic.toUpperCase().replace(/\//g, "_"),
+    shop,
+    session,
+    payload,
+    apiVersion
+  };
+}
+function safeCompare(a, b) {
+  if (a.length !== b.length) return false;
+  const encoder = new TextEncoder();
+  const bufA = encoder.encode(a);
+  const bufB = encoder.encode(b);
+  let result = 0;
+  for (let i = 0; i < bufA.length; i++) {
+    result |= bufA[i] ^ bufB[i];
+  }
+  return result === 0;
+}

package/dist/runtime/server/utils/clients.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import type { Session, Shopify } from '@shopify/shopify-api';
+export interface AdminApiContext {
+    /** Make a GraphQL request to the Shopify Admin API */
+    graphql: (query: string, options?: {
+        variables?: Record<string, any>;
+    }) => Promise<any>;
+    /** Make a REST request to the Shopify Admin API */
+    rest: {
+        get: (params: {
+            path: string;
+        }) => Promise<any>;
+        post: (params: {
+            path: string;
+            data?: any;
+        }) => Promise<any>;
+        put: (params: {
+            path: string;
+            data?: any;
+        }) => Promise<any>;
+        delete: (params: {
+            path: string;
+        }) => Promise<any>;
+    };
+}
+export declare function createAdminApiContext(api: Shopify, session: Session, onError?: (error: any) => void): AdminApiContext;

package/dist/runtime/server/utils/clients.js ADDED Viewed

@@ -0,0 +1,36 @@
+export function createAdminApiContext(api, session, onError) {
+  const graphql = async (query, options) => {
+    const client = new api.clients.Graphql({ session });
+    try {
+      const response = await client.request(query, {
+        variables: options?.variables
+      });
+      return response;
+    } catch (error) {
+      if (onError) onError(error);
+      throw error;
+    }
+  };
+  const restRequest = async (method, params) => {
+    const client = new api.clients.Rest({ session });
+    try {
+      const response = await client[method.toLowerCase()]({
+        path: params.path,
+        data: params.data
+      });
+      return response;
+    } catch (error) {
+      if (onError) onError(error);
+      throw error;
+    }
+  };
+  return {
+    graphql,
+    rest: {
+      get: (params) => restRequest("get", params),
+      post: (params) => restRequest("post", params),
+      put: (params) => restRequest("put", params),
+      delete: (params) => restRequest("delete", params)
+    }
+  };
+}

package/dist/runtime/server/utils/helpers.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import type { H3Event } from 'h3';
+import type { JwtPayload } from '@shopify/shopify-api';
+export declare function getSessionTokenHeader(event: H3Event): string | undefined;
+export declare function getSessionTokenFromUrlParam(event: H3Event): string | undefined;
+export declare function getShopFromEvent(event: H3Event): string | undefined;
+export declare function validateSessionToken(sessionToken: string): Promise<JwtPayload>;
+export declare function ensureCORSHeaders(event: H3Event): void;
+export declare function isBotRequest(event: H3Event): boolean;
+export declare function verifyWebhookHmac(event: H3Event): Promise<boolean>;
+export declare function renderAppBridgePage(apiKey: string, _appUrl: string, redirectUrl?: string): string;

package/dist/runtime/server/utils/helpers.js ADDED Viewed

@@ -0,0 +1,96 @@
+import {
+  getHeader,
+  getQuery,
+  setResponseHeader,
+  readRawBody
+} from "h3";
+import { getShopifyApi, getResolvedConfig } from "../services/shopify.js";
+export function getSessionTokenHeader(event) {
+  const authHeader = getHeader(event, "authorization");
+  if (authHeader?.startsWith("Bearer ")) {
+    return authHeader.slice(7);
+  }
+  return void 0;
+}
+export function getSessionTokenFromUrlParam(event) {
+  const query = getQuery(event);
+  return query.id_token;
+}
+export function getShopFromEvent(event) {
+  const query = getQuery(event);
+  if (query.shop) return query.shop;
+  const shopHeader = getHeader(event, "x-shopify-shop-domain");
+  if (shopHeader) return shopHeader;
+  return void 0;
+}
+export async function validateSessionToken(sessionToken) {
+  const api = getShopifyApi();
+  const payload = await api.session.decodeSessionToken(sessionToken);
+  return payload;
+}
+export function ensureCORSHeaders(event) {
+  const config = getResolvedConfig();
+  setResponseHeader(event, "Access-Control-Allow-Origin", config.appUrl);
+  setResponseHeader(event, "Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+  setResponseHeader(event, "Access-Control-Allow-Headers", "Content-Type, Authorization");
+  setResponseHeader(event, "Access-Control-Allow-Credentials", "true");
+}
+export function isBotRequest(event) {
+  const ua = getHeader(event, "user-agent") || "";
+  try {
+    const isbotModule = require("isbot");
+    const isbotFn = isbotModule.isbot || isbotModule.default || isbotModule;
+    return typeof isbotFn === "function" ? isbotFn(ua) : false;
+  } catch {
+    return false;
+  }
+}
+export async function verifyWebhookHmac(event) {
+  const api = getShopifyApi();
+  const hmac = getHeader(event, "x-shopify-hmac-sha256");
+  const topic = getHeader(event, "x-shopify-topic");
+  const shop = getHeader(event, "x-shopify-shop-domain");
+  if (!hmac || !topic || !shop) {
+    return false;
+  }
+  const rawBody = await readRawBody(event);
+  if (!rawBody) return false;
+  try {
+    const { createHmac } = await import("node:crypto");
+    const generatedHmac = createHmac("sha256", api.config.apiSecretKey).update(rawBody, "utf8").digest("base64");
+    return safeCompare(generatedHmac, hmac);
+  } catch {
+    return false;
+  }
+}
+function safeCompare(a, b) {
+  if (a.length !== b.length) return false;
+  const encoder = new TextEncoder();
+  const bufA = encoder.encode(a);
+  const bufB = encoder.encode(b);
+  let result = 0;
+  for (let i = 0; i < bufA.length; i++) {
+    result |= bufA[i] ^ bufB[i];
+  }
+  return result === 0;
+}
+export function renderAppBridgePage(apiKey, _appUrl, redirectUrl) {
+  const parts = [
+    "<!DOCTYPE html>",
+    "<html>",
+    "  <head>",
+    '    <meta charset="utf-8" />',
+    '    <meta name="shopify-api-key" content="' + apiKey + '" />',
+    '    <script src="https://cdn.shopify.com/shopifycloud/app-bridge.js"><\/script>',
+    "  </head>",
+    "  <body>",
+    "    <script>"
+  ];
+  if (redirectUrl) {
+    parts.push("      window.open('" + redirectUrl + "', '_top');");
+  }
+  parts.push("    <\/script>");
+  parts.push("  </body>");
+  parts.push("</html>");
+  return parts.join("\n");
+}

package/dist/runtime/server/utils/login.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import type { H3Event } from 'h3';
+import { type LoginError } from '../../types.js';
+/**
+ * Handle merchant login for non-embedded apps (AppStore and SingleMerchant distribution).
+ *
+ * Validates the shop domain and returns any errors, or redirects to auth flow.
+ *
+ * ```ts
+ * // server/api/auth/login.post.ts
+ * export default defineEventHandler(async (event) => {
+ *   const errors = await useShopifyLogin(event)
+ *   if (errors) return errors
+ *   // redirect happened — this won't be reached
+ * })
+ * ```
+ */
+export declare function useShopifyLogin(event: H3Event): Promise<LoginError | never>;

package/dist/runtime/server/utils/login.js ADDED Viewed

@@ -0,0 +1,44 @@
+import { readBody, getQuery, createError } from "h3";
+import { getResolvedConfig } from "../services/shopify.js";
+import { AppDistribution, LoginErrorType } from "../../types.js";
+export async function useShopifyLogin(event) {
+  const config = getResolvedConfig();
+  if (config.distribution === AppDistribution.ShopifyAdmin) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Login is not available for ShopifyAdmin apps"
+    });
+  }
+  let shop;
+  if (event.method === "POST") {
+    const body = await readBody(event);
+    shop = body?.shop;
+  } else {
+    const query = getQuery(event);
+    shop = query.shop;
+  }
+  if (!shop) {
+    return { shop: LoginErrorType.MissingShop };
+  }
+  const sanitized = sanitizeShop(shop);
+  if (!sanitized) {
+    return { shop: LoginErrorType.InvalidShop };
+  }
+  throw new Response(null, {
+    status: 302,
+    headers: {
+      Location: `${config.auth.path}?shop=${sanitized}`
+    }
+  });
+}
+function sanitizeShop(shop) {
+  shop = shop.replace(/^https?:\/\//, "");
+  shop = shop.split("/")[0] || "";
+  if (/^[a-z0-9][a-z0-9-]*\.myshopify\.com$/i.test(shop)) {
+    return shop;
+  }
+  if (/^[a-z0-9][a-z0-9-]*$/i.test(shop)) {
+    return `${shop}.myshopify.com`;
+  }
+  return null;
+}

package/dist/runtime/server/utils/register-webhooks.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import type { Session } from '@shopify/shopify-api';
+/**
+ * Register shop-specific webhooks using the Admin GraphQL API.
+ *
+ * In most cases, app-specific webhooks defined in `shopify.app.toml` are sufficient.
+ * Use this only when you need shop-specific webhooks.
+ *
+ * ```ts
+ * // In your afterAuth hook:
+ * configureShopify({
+ *   hooks: {
+ *     afterAuth: async ({ session }) => {
+ *       await registerShopifyWebhooks(session)
+ *     }
+ *   }
+ * })
+ * ```
+ */
+export declare function registerShopifyWebhooks(session: Session): Promise<import("@shopify/shopify-api").RegisterReturn>;

package/dist/runtime/server/utils/register-webhooks.js ADDED Viewed

@@ -0,0 +1,5 @@
+import { getShopifyApi } from "../services/shopify.js";
+export async function registerShopifyWebhooks(session) {
+  const api = getShopifyApi();
+  return api.webhooks.register({ session });
+}

package/dist/runtime/server/utils/unauthenticated-admin.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import type { AdminApiContext } from './clients.js';
+import type { Session } from '@shopify/shopify-api';
+/**
+ * Get an unauthenticated Admin API context for a given shop.
+ *
+ * Uses the stored offline session to access the Admin API without an incoming request.
+ * Useful for background jobs, cron tasks, or requests from external systems.
+ *
+ * ```ts
+ * // server/api/cron/sync-products.ts
+ * export default defineEventHandler(async (event) => {
+ *   const { admin, session } = await useShopifyUnauthenticatedAdmin('my-shop.myshopify.com')
+ *   const products = await admin.graphql(`{ products(first: 10) { edges { node { id title } } } }`)
+ *   return products
+ * })
+ * ```
+ */
+export declare function useShopifyUnauthenticatedAdmin(shop: string): Promise<{
+    admin: AdminApiContext;
+    session: Session;
+}>;

package/dist/runtime/server/utils/unauthenticated-admin.js ADDED Viewed

@@ -0,0 +1,15 @@
+import { getShopifyApi, getSessionStorage } from "../services/shopify.js";
+import { createAdminApiContext } from "./clients.js";
+export async function useShopifyUnauthenticatedAdmin(shop) {
+  const api = getShopifyApi();
+  const sessionStorage = getSessionStorage();
+  const offlineId = api.session.getOfflineId(shop);
+  const session = await sessionStorage.loadSession(offlineId);
+  if (!session) {
+    throw new Error(
+      `No offline session found for shop "${shop}". The shop must install the app first.`
+    );
+  }
+  const admin = createAdminApiContext(api, session);
+  return { admin, session };
+}