shopify 3.93.0 → 3.93.1

package/dist/cli/services/store/auth/index.js

@@ -0,0 +1,88 @@
+import { normalizeStoreFqdn } from '@shopify/cli-kit/node/context/fqdn';
+import { AbortError } from '@shopify/cli-kit/node/error';
+import { outputContent, outputDebug, outputToken } from '@shopify/cli-kit/node/output';
+import { openURL } from '@shopify/cli-kit/node/system';
+import { STORE_AUTH_APP_CLIENT_ID } from './config.js';
+import { setStoredStoreAppSession } from './session-store.js';
+import { exchangeStoreAuthCodeForToken } from './token-client.js';
+import { waitForStoreAuthCode } from './callback.js';
+import { createPkceBootstrap } from './pkce.js';
+import { mergeRequestedAndStoredScopes, parseStoreAuthScopes, resolveGrantedScopes } from './scopes.js';
+import { resolveExistingStoreAuthScopes } from './existing-scopes.js';
+import { createStoreAuthPresenter } from './result.js';
+const defaultStoreAuthDependencies = {
+    openURL,
+    waitForStoreAuthCode,
+    exchangeStoreAuthCodeForToken,
+    resolveExistingScopes: resolveExistingStoreAuthScopes,
+    presenter: createStoreAuthPresenter('text'),
+};
+export async function authenticateStoreWithApp(input, dependencies = {}) {
+    const resolvedDependencies = { ...defaultStoreAuthDependencies, ...dependencies };
+    const store = normalizeStoreFqdn(input.store);
+    const requestedScopes = parseStoreAuthScopes(input.scopes);
+    const existingScopeResolution = await resolvedDependencies.resolveExistingScopes(store);
+    const scopes = mergeRequestedAndStoredScopes(requestedScopes, existingScopeResolution.scopes);
+    const validationScopes = existingScopeResolution.authoritative ? scopes : requestedScopes;
+    if (existingScopeResolution.scopes.length > 0) {
+        outputDebug(outputContent `Merged requested scopes ${outputToken.raw(requestedScopes.join(','))} with existing scopes ${outputToken.raw(existingScopeResolution.scopes.join(','))} for ${outputToken.raw(store)}`);
+    }
+    const bootstrap = createPkceBootstrap({
+        store,
+        scopes,
+        exchangeCodeForToken: resolvedDependencies.exchangeStoreAuthCodeForToken,
+    });
+    const { authorization: { authorizationUrl }, } = bootstrap;
+    resolvedDependencies.presenter.openingBrowser();
+    const code = await resolvedDependencies.waitForStoreAuthCode({
+        ...bootstrap.waitForAuthCodeOptions,
+        onListening: async () => {
+            const opened = await resolvedDependencies.openURL(authorizationUrl);
+            if (!opened)
+                resolvedDependencies.presenter.manualAuthUrl(authorizationUrl);
+        },
+    });
+    const tokenResponse = await bootstrap.exchangeCodeForToken(code);
+    const userId = tokenResponse.associated_user?.id?.toString();
+    if (!userId) {
+        throw new AbortError('Shopify did not return associated user information for the online access token.');
+    }
+    const now = Date.now();
+    const expiresAt = tokenResponse.expires_in ? new Date(now + tokenResponse.expires_in * 1000).toISOString() : undefined;
+    const result = {
+        store,
+        userId,
+        scopes: resolveGrantedScopes(tokenResponse, validationScopes),
+        acquiredAt: new Date(now).toISOString(),
+        expiresAt,
+        refreshTokenExpiresAt: tokenResponse.refresh_token_expires_in
+            ? new Date(now + tokenResponse.refresh_token_expires_in * 1000).toISOString()
+            : undefined,
+        hasRefreshToken: !!tokenResponse.refresh_token,
+        associatedUser: tokenResponse.associated_user
+            ? {
+                id: tokenResponse.associated_user.id,
+                email: tokenResponse.associated_user.email,
+                firstName: tokenResponse.associated_user.first_name,
+                lastName: tokenResponse.associated_user.last_name,
+                accountOwner: tokenResponse.associated_user.account_owner,
+            }
+            : undefined,
+    };
+    setStoredStoreAppSession({
+        store,
+        clientId: STORE_AUTH_APP_CLIENT_ID,
+        userId,
+        accessToken: tokenResponse.access_token,
+        refreshToken: tokenResponse.refresh_token,
+        scopes: result.scopes,
+        acquiredAt: result.acquiredAt,
+        expiresAt,
+        refreshTokenExpiresAt: result.refreshTokenExpiresAt,
+        associatedUser: result.associatedUser,
+    });
+    outputDebug(outputContent `Session persisted for ${outputToken.raw(store)} (user ${outputToken.raw(userId)}, expires ${outputToken.raw(expiresAt ?? 'unknown')})`);
+    resolvedDependencies.presenter.success(result);
+    return result;
+}
+//# sourceMappingURL=index.js.map

package/dist/cli/services/store/auth/pkce.d.ts

@@ -0,0 +1,36 @@
+import type { StoreTokenResponse } from './token-client.js';
+import type { WaitForAuthCodeOptions } from './callback.js';
+interface StoreAuthorizationContext {
+    store: string;
+    scopes: string[];
+    state: string;
+    port: number;
+    redirectUri: string;
+    authorizationUrl: string;
+    codeVerifier: string;
+}
+interface StoreAuthBootstrap {
+    authorization: StoreAuthorizationContext;
+    waitForAuthCodeOptions: WaitForAuthCodeOptions;
+    exchangeCodeForToken: (code: string) => Promise<StoreTokenResponse>;
+}
+export declare function generateCodeVerifier(): string;
+export declare function computeCodeChallenge(verifier: string): string;
+export declare function buildStoreAuthUrl(options: {
+    store: string;
+    scopes: string[];
+    state: string;
+    redirectUri: string;
+    codeChallenge: string;
+}): string;
+export declare function createPkceBootstrap(options: {
+    store: string;
+    scopes: string[];
+    exchangeCodeForToken: (options: {
+        store: string;
+        code: string;
+        codeVerifier: string;
+        redirectUri: string;
+    }) => Promise<StoreTokenResponse>;
+}): StoreAuthBootstrap;
+export {};

package/dist/cli/services/store/auth/pkce.js

@@ -0,0 +1,49 @@
+import { randomUUID } from '@shopify/cli-kit/node/crypto';
+import { outputContent, outputDebug, outputToken } from '@shopify/cli-kit/node/output';
+import { createHash, randomBytes } from 'crypto';
+import { DEFAULT_STORE_AUTH_PORT, STORE_AUTH_APP_CLIENT_ID, storeAuthRedirectUri } from './config.js';
+export function generateCodeVerifier() {
+    return randomBytes(32).toString('base64url');
+}
+export function computeCodeChallenge(verifier) {
+    return createHash('sha256').update(verifier).digest('base64url');
+}
+export function buildStoreAuthUrl(options) {
+    const params = new URLSearchParams();
+    params.set('client_id', STORE_AUTH_APP_CLIENT_ID);
+    params.set('scope', options.scopes.join(','));
+    params.set('redirect_uri', options.redirectUri);
+    params.set('state', options.state);
+    params.set('response_type', 'code');
+    params.set('code_challenge', options.codeChallenge);
+    params.set('code_challenge_method', 'S256');
+    return `https://${options.store}/admin/oauth/authorize?${params.toString()}`;
+}
+export function createPkceBootstrap(options) {
+    const { store, scopes, exchangeCodeForToken } = options;
+    const port = DEFAULT_STORE_AUTH_PORT;
+    const state = randomUUID();
+    const redirectUri = storeAuthRedirectUri(port);
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = computeCodeChallenge(codeVerifier);
+    const authorizationUrl = buildStoreAuthUrl({ store, scopes, state, redirectUri, codeChallenge });
+    outputDebug(outputContent `Starting PKCE auth for ${outputToken.raw(store)} with scopes ${outputToken.raw(scopes.join(','))} (redirect_uri=${outputToken.raw(redirectUri)})`);
+    return {
+        authorization: {
+            store,
+            scopes,
+            state,
+            port,
+            redirectUri,
+            authorizationUrl,
+            codeVerifier,
+        },
+        waitForAuthCodeOptions: {
+            store,
+            state,
+            port,
+        },
+        exchangeCodeForToken: (code) => exchangeCodeForToken({ store, code, codeVerifier, redirectUri }),
+    };
+}
+//# sourceMappingURL=pkce.js.map

package/dist/cli/services/store/{auth-recovery.js → auth/recovery.js}

@@ -14,4 +14,4 @@ export function reauthenticateStoreAuthError(message, store, scopes) {
 export function retryStoreAuthWithPermanentDomainError(returnedStore) {
     return new AbortError('OAuth callback store does not match the requested store.', `Shopify returned ${returnedStore} during authentication. Re-run using the permanent store domain:`, storeAuthCommandNextSteps(returnedStore, '<comma-separated-scopes>'));
 }
-//# sourceMappingURL=auth-recovery.js.map
+//# sourceMappingURL=recovery.js.map

package/dist/cli/services/store/auth/result.d.ts

@@ -0,0 +1,24 @@
+export interface StoreAuthResult {
+    store: string;
+    userId: string;
+    scopes: string[];
+    acquiredAt: string;
+    expiresAt?: string;
+    refreshTokenExpiresAt?: string;
+    hasRefreshToken: boolean;
+    associatedUser?: {
+        id: number;
+        email?: string;
+        firstName?: string;
+        lastName?: string;
+        accountOwner?: boolean;
+    };
+}
+type StoreAuthOutputFormat = 'text' | 'json';
+export interface StoreAuthPresenter {
+    openingBrowser: () => void;
+    manualAuthUrl: (authorizationUrl: string) => void;
+    success: (result: StoreAuthResult) => void;
+}
+export declare function createStoreAuthPresenter(format?: StoreAuthOutputFormat): StoreAuthPresenter;
+export {};

package/dist/cli/services/store/auth/result.js

@@ -0,0 +1,39 @@
+import { outputCompleted, outputInfo, outputResult, outputToken, outputContent } from '@shopify/cli-kit/node/output';
+function serializeStoreAuthResult(result) {
+    return JSON.stringify(result, null, 2);
+}
+function buildStoreAuthSuccessText(result) {
+    const displayName = result.associatedUser?.email ? ` as ${result.associatedUser.email}` : '';
+    return {
+        completed: ['Logged in.', `Authenticated${displayName} against ${result.store}.`],
+        info: ['', 'To verify that authentication worked, run:', `shopify store execute --store ${result.store} --query 'query { shop { name id } }'`],
+    };
+}
+function displayStoreAuthOpeningBrowser() {
+    outputInfo('Shopify CLI will open the app authorization page in your browser.');
+    outputInfo('');
+}
+function displayStoreAuthManualAuthUrl(authorizationUrl) {
+    outputInfo('Browser did not open automatically. Open this URL manually:');
+    outputInfo(outputContent `${outputToken.link(authorizationUrl)}`);
+    outputInfo('');
+}
+function displayStoreAuthResult(result, format = 'text') {
+    if (format === 'json') {
+        outputResult(serializeStoreAuthResult(result));
+        return;
+    }
+    const text = buildStoreAuthSuccessText(result);
+    text.completed.forEach((line) => outputCompleted(line));
+    text.info.forEach((line) => outputInfo(line));
+}
+export function createStoreAuthPresenter(format = 'text') {
+    return {
+        openingBrowser: displayStoreAuthOpeningBrowser,
+        manualAuthUrl: displayStoreAuthManualAuthUrl,
+        success(result) {
+            displayStoreAuthResult(result, format);
+        },
+    };
+}
+//# sourceMappingURL=result.js.map

package/dist/cli/services/store/auth/scopes.d.ts

@@ -0,0 +1,4 @@
+import type { StoreTokenResponse } from './token-client.js';
+export declare function parseStoreAuthScopes(input: string): string[];
+export declare function mergeRequestedAndStoredScopes(requestedScopes: string[], storedScopes: string[]): string[];
+export declare function resolveGrantedScopes(tokenResponse: StoreTokenResponse, requestedScopes: string[]): string[];

package/dist/cli/services/store/auth/scopes.js

@@ -0,0 +1,53 @@
+import { AbortError } from '@shopify/cli-kit/node/error';
+import { outputContent, outputDebug } from '@shopify/cli-kit/node/output';
+export function parseStoreAuthScopes(input) {
+    const scopes = input
+        .split(',')
+        .map((scope) => scope.trim())
+        .filter(Boolean);
+    if (scopes.length === 0) {
+        throw new AbortError('At least one scope is required.', 'Pass --scopes as a comma-separated list.');
+    }
+    return [...new Set(scopes)];
+}
+function expandImpliedStoreScopes(scopes) {
+    const expandedScopes = new Set(scopes);
+    for (const scope of scopes) {
+        const matches = scope.match(/^(unauthenticated_)?write_(.*)$/);
+        if (matches) {
+            expandedScopes.add(`${matches[1] ?? ''}read_${matches[2]}`);
+        }
+    }
+    return expandedScopes;
+}
+export function mergeRequestedAndStoredScopes(requestedScopes, storedScopes) {
+    const mergedScopes = [...storedScopes];
+    const expandedScopes = expandImpliedStoreScopes(storedScopes);
+    for (const scope of requestedScopes) {
+        if (expandedScopes.has(scope))
+            continue;
+        mergedScopes.push(scope);
+        for (const expandedScope of expandImpliedStoreScopes([scope])) {
+            expandedScopes.add(expandedScope);
+        }
+    }
+    return mergedScopes;
+}
+export function resolveGrantedScopes(tokenResponse, requestedScopes) {
+    if (!tokenResponse.scope) {
+        outputDebug(outputContent `Token response did not include scope; falling back to requested scopes`);
+        return requestedScopes;
+    }
+    const grantedScopes = parseStoreAuthScopes(tokenResponse.scope);
+    const expandedGrantedScopes = expandImpliedStoreScopes(grantedScopes);
+    const missingScopes = requestedScopes.filter((scope) => !expandedGrantedScopes.has(scope));
+    if (missingScopes.length > 0) {
+        throw new AbortError('Shopify granted fewer scopes than were requested.', `Missing scopes: ${missingScopes.join(', ')}.`, [
+            'Update the app or store installation scopes.',
+            'See https://shopify.dev/app/scopes',
+            'Re-run shopify store auth.',
+        ]);
+    }
+    return grantedScopes;
+}
+//# sourceMappingURL=scopes.js.map

package/dist/cli/services/store/auth/session-lifecycle.d.ts

@@ -0,0 +1,3 @@
+import type { StoredStoreAppSession } from './session-store.js';
+export declare function isSessionExpired(session: StoredStoreAppSession): boolean;
+export declare function loadStoredStoreSession(store: string): Promise<StoredStoreAppSession>;

package/dist/cli/services/store/auth/session-lifecycle.js

@@ -0,0 +1,69 @@
+import { AbortError } from '@shopify/cli-kit/node/error';
+import { outputContent, outputDebug, outputToken } from '@shopify/cli-kit/node/output';
+import { maskToken } from './config.js';
+import { createStoredStoreAuthError, reauthenticateStoreAuthError } from './recovery.js';
+import { clearStoredStoreAppSession, getCurrentStoredStoreAppSession, setStoredStoreAppSession, } from './session-store.js';
+import { refreshStoreAccessToken } from './token-client.js';
+const EXPIRY_MARGIN_MS = 4 * 60 * 1000;
+export function isSessionExpired(session) {
+    if (!session.expiresAt)
+        return false;
+    const expiresAtMs = new Date(session.expiresAt).getTime();
+    if (Number.isNaN(expiresAtMs))
+        return true;
+    return expiresAtMs - EXPIRY_MARGIN_MS < Date.now();
+}
+function buildRefreshedStoredSession(session, refresh) {
+    const now = Date.now();
+    const expiresAt = refresh.expiresIn ? new Date(now + refresh.expiresIn * 1000).toISOString() : session.expiresAt;
+    return {
+        ...session,
+        accessToken: refresh.accessToken,
+        refreshToken: refresh.refreshToken ?? session.refreshToken,
+        expiresAt,
+        refreshTokenExpiresAt: refresh.refreshTokenExpiresIn
+            ? new Date(now + refresh.refreshTokenExpiresIn * 1000).toISOString()
+            : session.refreshTokenExpiresAt,
+        acquiredAt: new Date(now).toISOString(),
+    };
+}
+export async function loadStoredStoreSession(store) {
+    let session = getCurrentStoredStoreAppSession(store);
+    if (!session) {
+        throw createStoredStoreAuthError(store);
+    }
+    outputDebug(outputContent `Loaded stored session for ${outputToken.raw(store)}: token=${outputToken.raw(maskToken(session.accessToken))}, expires=${outputToken.raw(session.expiresAt ?? 'unknown')}`);
+    if (!isSessionExpired(session)) {
+        return session;
+    }
+    if (!session.refreshToken) {
+        throw reauthenticateStoreAuthError(`No refresh token stored for ${session.store}.`, session.store, session.scopes.join(','));
+    }
+    outputDebug(outputContent `Refreshing expired token for ${outputToken.raw(session.store)} (expired at ${outputToken.raw(session.expiresAt ?? 'unknown')}, refresh_token=${outputToken.raw(maskToken(session.refreshToken))})`);
+    const previousAccessToken = session.accessToken;
+    let refreshed;
+    try {
+        refreshed = await refreshStoreAccessToken({
+            store: session.store,
+            refreshToken: session.refreshToken,
+        });
+    }
+    catch (error) {
+        clearStoredStoreAppSession(session.store, session.userId);
+        if (error instanceof AbortError && error.message.startsWith(`Token refresh failed for ${session.store} (HTTP `)) {
+            throw reauthenticateStoreAuthError(error.message, session.store, session.scopes.join(','));
+        }
+        if (error instanceof AbortError && error.message === `Token refresh returned an invalid response for ${session.store}.`) {
+            throw reauthenticateStoreAuthError(error.message, session.store, session.scopes.join(','));
+        }
+        if (error instanceof AbortError && error.message === 'Received an invalid refresh response from Shopify.') {
+            throw error;
+        }
+        throw error;
+    }
+    session = buildRefreshedStoredSession(session, refreshed);
+    outputDebug(outputContent `Token refresh succeeded for ${outputToken.raw(session.store)}: ${outputToken.raw(maskToken(previousAccessToken))} → ${outputToken.raw(maskToken(session.accessToken))}, new expiry ${outputToken.raw(session.expiresAt ?? 'unknown')}`);
+    setStoredStoreAppSession(session);
+    return session;
+}
+//# sourceMappingURL=session-lifecycle.js.map

package/dist/cli/services/store/{session.d.ts → auth/session-store.d.ts}

@@ -26,8 +26,7 @@ interface StoredStoreAppSessionBucket {
 interface StoreSessionSchema {
     [key: string]: StoredStoreAppSessionBucket;
 }
-export declare function getStoredStoreAppSession(store: string, storage?: LocalStorage<StoreSessionSchema>): StoredStoreAppSession | undefined;
+export declare function getCurrentStoredStoreAppSession(store: string, storage?: LocalStorage<StoreSessionSchema>): StoredStoreAppSession | undefined;
 export declare function setStoredStoreAppSession(session: StoredStoreAppSession, storage?: LocalStorage<StoreSessionSchema>): void;
 export declare function clearStoredStoreAppSession(store: string, userIdOrStorage?: string | LocalStorage<StoreSessionSchema>, maybeStorage?: LocalStorage<StoreSessionSchema>): void;
-export declare function isSessionExpired(session: StoredStoreAppSession): boolean;
 export {};

package/dist/cli/services/store/auth/session-store.js

@@ -0,0 +1,127 @@
+import { LocalStorage } from '@shopify/cli-kit/node/local-storage';
+import { storeAuthSessionKey } from './config.js';
+let _storeSessionStorage;
+function storeSessionStorage() {
+    _storeSessionStorage ?? (_storeSessionStorage = new LocalStorage({ projectName: 'shopify-cli-store' }));
+    return _storeSessionStorage;
+}
+function isString(value) {
+    return typeof value === 'string';
+}
+function sanitizeAssociatedUser(value) {
+    if (!value || typeof value !== 'object')
+        return undefined;
+    const associatedUser = value;
+    if (typeof associatedUser.id !== 'number')
+        return undefined;
+    return {
+        id: associatedUser.id,
+        ...(isString(associatedUser.email) ? { email: associatedUser.email } : {}),
+        ...(isString(associatedUser.firstName) ? { firstName: associatedUser.firstName } : {}),
+        ...(isString(associatedUser.lastName) ? { lastName: associatedUser.lastName } : {}),
+        ...(typeof associatedUser.accountOwner === 'boolean' ? { accountOwner: associatedUser.accountOwner } : {}),
+    };
+}
+function sanitizeStoredStoreAppSession(value) {
+    if (!value || typeof value !== 'object')
+        return undefined;
+    const session = value;
+    if (!isString(session.store) ||
+        !isString(session.clientId) ||
+        !isString(session.userId) ||
+        !isString(session.accessToken) ||
+        !Array.isArray(session.scopes) ||
+        !session.scopes.every(isString) ||
+        !isString(session.acquiredAt)) {
+        return undefined;
+    }
+    return {
+        store: session.store,
+        clientId: session.clientId,
+        userId: session.userId,
+        accessToken: session.accessToken,
+        scopes: session.scopes,
+        acquiredAt: session.acquiredAt,
+        ...(isString(session.refreshToken) ? { refreshToken: session.refreshToken } : {}),
+        ...(isString(session.expiresAt) ? { expiresAt: session.expiresAt } : {}),
+        ...(isString(session.refreshTokenExpiresAt) ? { refreshTokenExpiresAt: session.refreshTokenExpiresAt } : {}),
+        ...(sanitizeAssociatedUser(session.associatedUser) ? { associatedUser: sanitizeAssociatedUser(session.associatedUser) } : {}),
+    };
+}
+function readStoredStoreAppSessionBucket(store, storage) {
+    const key = storeAuthSessionKey(store);
+    const storedBucket = storage.get(key);
+    if (!storedBucket || typeof storedBucket !== 'object')
+        return undefined;
+    const { sessionsByUserId, currentUserId } = storedBucket;
+    if (!sessionsByUserId || typeof sessionsByUserId !== 'object' || Array.isArray(sessionsByUserId) || typeof currentUserId !== 'string') {
+        storage.delete(key);
+        return undefined;
+    }
+    const sanitizedSessionsByUserId = Object.fromEntries(Object.entries(sessionsByUserId).flatMap(([userId, session]) => {
+        const sanitizedSession = sanitizeStoredStoreAppSession(session);
+        return sanitizedSession ? [[userId, sanitizedSession]] : [];
+    }));
+    if (Object.keys(sanitizedSessionsByUserId).length !== Object.keys(sessionsByUserId).length) {
+        if (sanitizedSessionsByUserId[currentUserId]) {
+            storage.set(key, {
+                currentUserId,
+                sessionsByUserId: sanitizedSessionsByUserId,
+            });
+        }
+        else {
+            storage.delete(key);
+            return undefined;
+        }
+    }
+    return {
+        currentUserId,
+        sessionsByUserId: sanitizedSessionsByUserId,
+    };
+}
+export function getCurrentStoredStoreAppSession(store, storage = storeSessionStorage()) {
+    const bucket = readStoredStoreAppSessionBucket(store, storage);
+    if (!bucket)
+        return undefined;
+    const session = bucket.sessionsByUserId[bucket.currentUserId];
+    if (!session) {
+        storage.delete(storeAuthSessionKey(store));
+        return undefined;
+    }
+    return session;
+}
+export function setStoredStoreAppSession(session, storage = storeSessionStorage()) {
+    const key = storeAuthSessionKey(session.store);
+    const existingBucket = readStoredStoreAppSessionBucket(session.store, storage);
+    const nextBucket = {
+        currentUserId: session.userId,
+        sessionsByUserId: {
+            ...(existingBucket?.sessionsByUserId ?? {}),
+            [session.userId]: session,
+        },
+    };
+    storage.set(key, nextBucket);
+}
+export function clearStoredStoreAppSession(store, userIdOrStorage, maybeStorage) {
+    const userId = typeof userIdOrStorage === 'string' ? userIdOrStorage : undefined;
+    const storage = (typeof userIdOrStorage === 'string' ? maybeStorage : userIdOrStorage) ?? storeSessionStorage();
+    const key = storeAuthSessionKey(store);
+    if (!userId) {
+        storage.delete(key);
+        return;
+    }
+    const existingBucket = readStoredStoreAppSessionBucket(store, storage);
+    if (!existingBucket)
+        return;
+    const { [userId]: _removedSession, ...remainingSessions } = existingBucket.sessionsByUserId;
+    const remainingUserIds = Object.keys(remainingSessions);
+    if (remainingUserIds.length === 0) {
+        storage.delete(key);
+        return;
+    }
+    storage.set(key, {
+        currentUserId: existingBucket.currentUserId === userId ? remainingUserIds[0] : existingBucket.currentUserId,
+        sessionsByUserId: remainingSessions,
+    });
+}
+//# sourceMappingURL=session-store.js.map

package/dist/cli/services/store/auth/token-client.d.ts

@@ -0,0 +1,40 @@
+export interface StoreTokenResponse {
+    access_token: string;
+    token_type?: string;
+    scope?: string;
+    expires_in?: number;
+    refresh_token?: string;
+    refresh_token_expires_in?: number;
+    associated_user_scope?: string;
+    associated_user?: {
+        id: number;
+        first_name?: string;
+        last_name?: string;
+        email?: string;
+        account_owner?: boolean;
+        locale?: string;
+        collaborator?: boolean;
+        email_verified?: boolean;
+    };
+}
+interface StoreTokenRefreshPayload {
+    accessToken: string;
+    refreshToken?: string;
+    expiresIn?: number;
+    refreshTokenExpiresIn?: number;
+}
+export declare function exchangeStoreAuthCodeForToken(options: {
+    store: string;
+    code: string;
+    codeVerifier: string;
+    redirectUri: string;
+}): Promise<StoreTokenResponse>;
+export declare function refreshStoreAccessToken(options: {
+    store: string;
+    refreshToken: string;
+}): Promise<StoreTokenRefreshPayload>;
+export declare function fetchCurrentStoreAuthScopes(options: {
+    store: string;
+    accessToken: string;
+}): Promise<string[]>;
+export {};

package/dist/cli/services/store/auth/token-client.js

@@ -0,0 +1,95 @@
+import { adminUrl } from '@shopify/cli-kit/node/api/admin';
+import { graphqlRequest } from '@shopify/cli-kit/node/api/graphql';
+import { AbortError } from '@shopify/cli-kit/node/error';
+import { fetch } from '@shopify/cli-kit/node/http';
+import { outputContent, outputDebug, outputToken } from '@shopify/cli-kit/node/output';
+import { maskToken, STORE_AUTH_APP_CLIENT_ID } from './config.js';
+function truncateHttpErrorBody(body, length = 300) {
+    return body.slice(0, length);
+}
+export async function exchangeStoreAuthCodeForToken(options) {
+    const endpoint = `https://${options.store}/admin/oauth/access_token`;
+    outputDebug(outputContent `Exchanging authorization code for token at ${outputToken.raw(endpoint)}`);
+    const response = await fetch(endpoint, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            client_id: STORE_AUTH_APP_CLIENT_ID,
+            code: options.code,
+            code_verifier: options.codeVerifier,
+            redirect_uri: options.redirectUri,
+        }),
+    });
+    const body = await response.text();
+    if (!response.ok) {
+        outputDebug(outputContent `Token exchange failed with HTTP ${outputToken.raw(String(response.status))}: ${outputToken.raw(truncateHttpErrorBody(body || response.statusText))}`);
+        throw new AbortError(`Failed to exchange OAuth code for an access token (HTTP ${response.status}).`, body || response.statusText);
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(body);
+    }
+    catch {
+        throw new AbortError('Received an invalid token response from Shopify.');
+    }
+    outputDebug(outputContent `Token exchange succeeded: access_token=${outputToken.raw(maskToken(parsed.access_token))}, refresh_token=${outputToken.raw(parsed.refresh_token ? maskToken(parsed.refresh_token) : 'none')}, expires_in=${outputToken.raw(String(parsed.expires_in ?? 'unknown'))}s, user=${outputToken.raw(String(parsed.associated_user?.id ?? 'unknown'))} (${outputToken.raw(parsed.associated_user?.email ?? 'no email')})`);
+    return parsed;
+}
+export async function refreshStoreAccessToken(options) {
+    const endpoint = `https://${options.store}/admin/oauth/access_token`;
+    outputDebug(outputContent `Refreshing access token for ${outputToken.raw(options.store)} using refresh_token=${outputToken.raw(maskToken(options.refreshToken))}`);
+    const response = await fetch(endpoint, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            client_id: STORE_AUTH_APP_CLIENT_ID,
+            grant_type: 'refresh_token',
+            refresh_token: options.refreshToken,
+        }),
+    });
+    const body = await response.text();
+    if (!response.ok) {
+        outputDebug(outputContent `Token refresh failed with HTTP ${outputToken.raw(String(response.status))}: ${outputToken.raw(truncateHttpErrorBody(body || response.statusText))}`);
+        throw new AbortError(`Token refresh failed for ${options.store} (HTTP ${response.status}).`);
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(body);
+    }
+    catch {
+        throw new AbortError('Received an invalid refresh response from Shopify.');
+    }
+    if (!parsed.access_token) {
+        throw new AbortError(`Token refresh returned an invalid response for ${options.store}.`);
+    }
+    return {
+        accessToken: parsed.access_token,
+        refreshToken: parsed.refresh_token,
+        expiresIn: parsed.expires_in,
+        refreshTokenExpiresIn: parsed.refresh_token_expires_in,
+    };
+}
+const CurrentAppInstallationAccessScopesQuery = `#graphql
+  query CurrentAppInstallationAccessScopes {
+    currentAppInstallation {
+      accessScopes {
+        handle
+      }
+    }
+  }
+`;
+export async function fetchCurrentStoreAuthScopes(options) {
+    outputDebug(outputContent `Fetching current app installation scopes for ${outputToken.raw(options.store)} using token ${outputToken.raw(maskToken(options.accessToken))}`);
+    const data = await graphqlRequest({
+        query: CurrentAppInstallationAccessScopesQuery,
+        api: 'Admin',
+        url: adminUrl(options.store, 'unstable'),
+        token: options.accessToken,
+        responseOptions: { handleErrors: false },
+    });
+    if (!Array.isArray(data.currentAppInstallation?.accessScopes)) {
+        throw new Error('Shopify did not return currentAppInstallation.accessScopes.');
+    }
+    return data.currentAppInstallation.accessScopes.flatMap((scope) => typeof scope.handle === 'string' ? [scope.handle] : []);
+}
+//# sourceMappingURL=token-client.js.map

package/dist/cli/services/store/{admin-graphql-context.d.ts → execute/admin-context.d.ts}

@@ -1,8 +1,9 @@
-import { AdminSession } from '@shopify/cli-kit/node/session';
+import type { AdminSession } from '@shopify/cli-kit/node/session';
+import type { StoredStoreAppSession } from '../auth/session-store.js';
 export interface AdminStoreGraphQLContext {
     adminSession: AdminSession;
     version: string;
-    sessionUserId: string;
+    session: StoredStoreAppSession;
 }
 export declare function prepareAdminStoreGraphQLContext(input: {
     store: string;