Skip to content

Revert "Simplify authentication flow"#7037

Merged
isaacroldan merged 1 commit intomainfrom
revert-6928-cursor/cli-pcat-authentication-07e0
Mar 18, 2026
Merged

Revert "Simplify authentication flow"#7037
isaacroldan merged 1 commit intomainfrom
revert-6928-cursor/cli-pcat-authentication-07e0

Conversation

@isaacroldan
Copy link
Copy Markdown
Contributor

@isaacroldan isaacroldan commented Mar 18, 2026

Reverts #6928

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 18, 2026

Differences in type declarations

We detected differences in the type declarations generated by Typescript for this branch compared to the baseline ('main' branch). Please, review them to ensure they are backward-compatible. Here are some important things to keep in mind:

  • Some seemingly private modules might be re-exported through public modules.
  • If the branch is behind main you might see odd diffs, rebase main into this branch.

New type declarations

We found no new type declarations in this PR

Existing type declarations

packages/cli-kit/dist/private/node/session/exchange.d.ts 
@@ -6,6 +6,20 @@ export declare class InvalidGrantError extends ExtendableError {
 }
 export declare class InvalidRequestError extends ExtendableError {
 }
+export interface ExchangeScopes {
+    admin: string[];
+    partners: string[];
+    storefront: string[];
+    businessPlatform: string[];
+    appManagement: string[];
+}
+/**
+ * Given an identity token, request an application token.
+ * @param identityToken - access token obtained in a previous step
+ * @param store - the store to use, only needed for admin API
+ * @returns An array with the application access tokens.
+ */
+export declare function exchangeAccessForApplicationTokens(identityToken: IdentityToken, scopes: ExchangeScopes, store?: string): Promise<Record<string, ApplicationToken>>;
 /**
  * Given an expired access token, refresh it to get a new one.
  */
packages/cli-kit/dist/private/node/session/schema.d.ts 
@@ -12,8 +12,8 @@ declare const IdentityTokenSchema: zod.ZodObject<{
 }, "strip", zod.ZodTypeAny, {
     accessToken: string;
     refreshToken: string;
-    expiresAt: Date;
     scopes: string[];
+    expiresAt: Date;
     userId: string;
     alias?: string | undefined;
 }, {
@@ -34,8 +34,8 @@ declare const ApplicationTokenSchema: zod.ZodObject<{
     storeFqdn: zod.ZodOptional<zod.ZodString>;
 }, "strip", zod.ZodTypeAny, {
     accessToken: string;
-    expiresAt: Date;
     scopes: string[];
+    expiresAt: Date;
     storeFqdn?: string | undefined;
 }, {
     accessToken: string;
@@ -54,8 +54,8 @@ declare const SessionSchema: zod.ZodObject<{
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     }, {
@@ -73,8 +73,8 @@ declare const SessionSchema: zod.ZodObject<{
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -88,8 +88,8 @@ declare const SessionSchema: zod.ZodObject<{
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -103,8 +103,8 @@ declare const SessionSchema: zod.ZodObject<{
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -116,16 +116,16 @@ declare const SessionSchema: zod.ZodObject<{
     identity: {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     };
     applications: {} & {
         [k: string]: {
             accessToken: string;
-            expiresAt: Date;
             scopes: string[];
+            expiresAt: Date;
             storeFqdn?: string | undefined;
         };
     };
@@ -166,8 +166,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     }, {
@@ -185,8 +185,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -200,8 +200,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -215,8 +215,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -228,16 +228,16 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     identity: {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     };
     applications: {} & {
         [k: string]: {
             accessToken: string;
-            expiresAt: Date;
             scopes: string[];
+            expiresAt: Date;
             storeFqdn?: string | undefined;
         };
     };
@@ -269,8 +269,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     }, {
@@ -288,8 +288,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -303,8 +303,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -318,8 +318,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -331,16 +331,16 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     identity: {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     };
     applications: {} & {
         [k: string]: {
             accessToken: string;
-            expiresAt: Date;
             scopes: string[];
+            expiresAt: Date;
             storeFqdn?: string | undefined;
         };
     };
@@ -372,8 +372,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     }, {
@@ -391,8 +391,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -406,8 +406,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -421,8 +421,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -434,16 +434,16 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     identity: {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     };
     applications: {} & {
         [k: string]: {
             accessToken: string;
-            expiresAt: Date;
             scopes: string[];
+            expiresAt: Date;
             storeFqdn?: string | undefined;
         };
     };
@@ -475,8 +475,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     }, {
@@ -494,8 +494,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -509,8 +509,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -524,8 +524,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -537,16 +537,16 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     identity: {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     };
     applications: {} & {
         [k: string]: {
             accessToken: string;
-            expiresAt: Date;
             scopes: string[];
+            expiresAt: Date;
             storeFqdn?: string | undefined;
         };
     };
@@ -578,8 +578,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     }, {
@@ -597,8 +597,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -612,8 +612,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -627,8 +627,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -640,16 +640,16 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     identity: {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     };
     applications: {} & {
         [k: string]: {
             accessToken: string;
-            expiresAt: Date;
             scopes: string[];
+            expiresAt: Date;
             storeFqdn?: string | undefined;
         };
     };
@@ -681,8 +681,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     }, {
@@ -700,8 +700,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -715,8 +715,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -730,8 +730,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -743,16 +743,16 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     identity: {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     };
     applications: {} & {
         [k: string]: {
             accessToken: string;
-            expiresAt: Date;
             scopes: string[];
+            expiresAt: Date;
             storeFqdn?: string | undefined;
         };
     };
@@ -784,8 +784,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     }, {
@@ -803,8 +803,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -818,8 +818,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -833,8 +833,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -846,16 +846,16 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     identity: {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     };
     applications: {} & {
         [k: string]: {
             accessToken: string;
-            expiresAt: Date;
             scopes: string[];
+            expiresAt: Date;
             storeFqdn?: string | undefined;
         };
     };
@@ -887,8 +887,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     }, {
@@ -906,8 +906,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -921,8 +921,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -936,8 +936,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -949,16 +949,16 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     identity: {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     };
     applications: {} & {
         [k: string]: {
             accessToken: string;
-            expiresAt: Date;
             scopes: string[];
+            expiresAt: Date;
             storeFqdn?: string | undefined;
         };
     };
@@ -990,8 +990,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     }, {
@@ -1009,8 +1009,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -1024,8 +1024,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -1039,8 +1039,8 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
         storeFqdn: zod.ZodOptional<zod.ZodString>;
     }, "strip", zod.ZodTypeAny, {
         accessToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         storeFqdn?: string | undefined;
     }, {
         accessToken: string;
@@ -1052,16 +1052,16 @@ export declare const SessionsSchema: zod.ZodObject<{}, "strip", zod.ZodObject<{}
     identity: {
         accessToken: string;
         refreshToken: string;
-        expiresAt: Date;
         scopes: string[];
+        expiresAt: Date;
         userId: string;
         alias?: string | undefined;
     };
     applications: {} & {
         [k: string]: {
             accessToken: string;
-            expiresAt: Date;
             scopes: string[];
+            expiresAt: Date;
             storeFqdn?: string | undefined;
         };
     };
packages/cli-kit/dist/private/node/session/validate.d.ts 
@@ -1,11 +1,12 @@
 import { Session } from './schema.js';
+import { OAuthApplications } from '../session.js';
 type ValidationResult = 'needs_refresh' | 'needs_full_auth' | 'ok';
 /**
- * Validate if the current session is valid or we need to refresh/re-authenticate.
- * With PCAT, only the identity token needs validation - no per-application tokens.
+ * Validate if the current session is valid or we need to refresh/re-authenticate
  * @param scopes - requested scopes to validate
- * @param session - current session with identity token
+ * @param applications - requested applications
+ * @param session - current session with identity and application tokens
  * @returns 'ok' if the session is valid, 'needs_full_auth' if we need to re-authenticate, 'needs_refresh' if we need to refresh the session
  */
-export declare function validateSession(scopes: string[], session: Session | undefined): Promise<ValidationResult>;
+export declare function validateSession(scopes: string[], applications: OAuthApplications, session: Session | undefined): Promise<ValidationResult>;
 export {};
\ No newline at end of file

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 18, 2026

Coverage report

St.
 Category Percentage Covered / Total
🟢 Statements 82.02% 14694/17915
🟡 Branches 74.39% 7285/9793
🟢 Functions 81.17% 3720/4583
🟢 Lines 82.42% 13895/16859

Test suite run success

3817 tests passing in 1474 suites.

Report generated by 🧪jest coverage report action from 9d46d44

@isaacroldan Graphite App
Copy link
Copy Markdown
Contributor Author

isaacroldan commented Mar 18, 2026
edited
Loading

This stack of pull requests is managed by Graphite. Learn more about stacking.

@isaacroldan isaacroldan mentioned this pull request Mar 18, 2026
Closed
5 tasks
@gonzaloriestra
Copy link
Copy Markdown
Contributor

gonzaloriestra commented Mar 18, 2026

/snapit

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 18, 2026

🫰✨ Thanks @gonzaloriestra! Your snapshot has been published to npm.

Test the snapshot by installing your package globally:

npm i -g --@shopify:registry=https://registry.npmjs.org @shopify/cli@0.0.0-snapshot-20260318142634

Caution

After installing, validate the version by running shopify version in your terminal.
If the versions don't match, you might have multiple global instances installed.
Use which shopify to find out which one you are running and uninstall it.

@isaacroldan isaacroldan marked this pull request as ready for review March 18, 2026 14:38
@isaacroldan isaacroldan requested a review from a team as a code owner March 18, 2026 14:38
Copilot AI review requested due to automatic review settings March 18, 2026 14:38
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 18, 2026

We detected some changes at packages/*/src and there are no updates in the .changeset.
If the changes are user-facing, run pnpm changeset add to track your changes and include them in the next release CHANGELOG.

Caution

DO NOT create changesets for features which you do not wish to be included in the public changelog of the next CLI release.

@isaacroldan isaacroldan added this pull request to the merge queue Mar 18, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 18, 2026
Copilot AI reviewed Mar 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the CLI authentication session model to exchange the Identity (CLI) token for per-application access tokens, store them in the session cache, and validate them on subsequent runs.

Changes:

  • Extend session validation to consider requested application tokens (not just the identity token).
  • Add exchangeAccessForApplicationTokens to exchange an identity token into application-scoped tokens in parallel.
  • Update session flow + tests to store/use application tokens (including using Business Platform token to fetch user email).

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
packages/cli-kit/src/private/node/session/validate.ts Validate session freshness using identity + requested application tokens (but currently misses Business Platform validation).
packages/cli-kit/src/private/node/session/validate.test.ts Expand validation test coverage for application tokens and refresh behavior.
packages/cli-kit/src/private/node/session/exchange.ts Add a helper to exchange an identity token for multiple application tokens.
packages/cli-kit/src/private/node/session/exchange.test.ts Add tests for the new multi-token exchange helper.
packages/cli-kit/src/private/node/session.ts Update auth flow to exchange/store application tokens and source email lookup from Business Platform token.
packages/cli-kit/src/private/node/session.test.ts Update session/auth tests to reflect application token storage + exchange behavior.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

packages/cli-kit/src/private/node/session/validate.ts
const token = session.applications[realAppId]!
tokensAreExpired = tokensAreExpired || isTokenExpired(token)
}

packages/cli-kit/src/private/node/session/validate.ts
Comment on lines +73 to +76
function isTokenExpired(token: ApplicationToken): boolean {
if (!token) return true
return token.expiresAt < expireThreshold()
}
packages/cli-kit/src/private/node/session/validate.ts
import {applicationId} from './identity.js'
import {sessionConstants} from '../constants.js'
import {firstPartyDev} from '../../../public/node/context/local.js'
import {OAuthApplications} from '../session.js'
packages/cli-kit/src/private/node/session/exchange.ts
* Given an identity token, request an application token.
* @param identityToken - access token obtained in a previous step
* @param store - the store to use, only needed for admin API
* @returns An array with the application access tokens.
packages/cli-kit/src/private/node/session/exchange.test.ts
// Given
const response = new Response(JSON.stringify(data))

// Need to do it 3 times because a Response can only be used once
packages/cli-kit/src/private/node/session/validate.test.ts
})

test('returns needs_full_auth if requested scopes are not included in token', async () => {
test('returns needs_full_auth if there is requested scopes are not included in token', async () => {
@isaacroldan isaacroldan added this pull request to the merge queue Mar 18, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 18, 2026
@isaacroldan isaacroldan added this pull request to the merge queue Mar 18, 2026
Merged via the queue into main with commit e28b8af Mar 18, 2026
34 checks passed
@isaacroldan isaacroldan deleted the revert-6928-cursor/cli-pcat-authentication-07e0 branch March 18, 2026 16:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@gonzaloriestra gonzaloriestra gonzaloriestra approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@isaacroldan @gonzaloriestra