Add token exchange concern

[zzooeeyy]

What this PR does

• https://github.com/Shopify/develop-app-access/issues/144

Tophat:
📹 https://videobin.shopify.io/v/J4j8l2

Happy path for token exchange

• Add token exchange concern to retrieve current session. This replaces "LoginProtection" logic when "use_new_embedded_auth_strategy" is turned on.
• "EnsureHasSession" concern can be used with token exchange.

Note on what else needs to be implemented in other tasks:

• Handle invalid or missing session tokens
• Handle invalid access tokens
• Handle post auth tasks (webhooks, jobs, etc)
• Add support to use id_token from URL params.
• Ensure billing works with token exchange

Impact on existing apps:

• None - All the code is gated behind the configuration flag: config.wip_new_embedded_auth_strategy

Checklist

Before submitting the PR, please consider if any of the following are needed:

• [ will update when the feature is complete ] Update CHANGELOG.md if the changes would impact users
• [ will update when the feature is complete ] Update README.md, if appropriate.
• [ will update when the feature is complete ] Update any relevant pages in /docs, if necessary

[paulomarg]

Had some general questions, not necessarily things we need / want to apply.

[paulomarg]

Just wondering - is this repeated in both paths because we need the after_action to kick in after this in the else branch?

Not that I mind the repetition, just curious.

[zzooeeyy]

I repeated it so that it's explicit in which action is called, if we leave this as a shared/common action outside of this condition, then we're implicitly forcing the method name to be the same between the 2 concerns. Which would also work, but I feel like less implicit dependency the better? 🤔

[paulomarg]

Yeah I agree - less magic, more good.

[paulomarg]

I believe these conditions should only apply if the app is embedded, right? We'd still want to use LoginProtection for non-embedded?

[zzooeeyy]

Yes that's right, use_new_embedded_auth_strategy is only true if app is embedded AND has wip_new_embedded_auth_strategy enabled.

[paulomarg]

Oh perfect, I missed that part :)

[paulomarg]

Could we call this just TokenExchange? Would that be confusing?

[paulomarg]

A couple of these methods seem to be the same for both cases, right? Should we create one or more helper concerns for them?

[zzooeeyy]

yes and no --?

Some of the functions might change as we add more error handling (e.g. current_shopify_session might raise and rescue error so we can redirect to bounce page to get session token)

Some methods are only extracted to call 1 single method from the ShopifyAPI, which I think we should keep as is to reduce even more magic from more concerns..

I think the only method that makes sense is online_token_configured? this doesn't seem like it belongs in the concerns but in the configuration itself.. I've extracted this one so we don't check the business logic from the concerns - bcc2e1e

[paulomarg]

That's fair - I think if we expect the code to change then it won't make sense to extract them. We can live with some minor duplications here, as long as we're aware we'll need to consider both cases when making changes.

[paulomarg]

This should happen as part of this PR, right?

[zzooeeyy]

Hmmm not necessarily. We won't always have session token in the query params (beta flag can still be turned off), so our feature shouldn't rely on having session tokens from the params. Thus I think that could be handled as a part of another ticket to add support for using id_token from param.

[paulomarg]

But won't that mean apps won't be able to do the first install flow with the setting turned on?

[zzooeeyy]

Yess, so the EnsureInstalled concern doesn't work yet. We'll have to handle reloading from AppBridge with session token in request headers (part of this ticket: https://github.com/Shopify/develop-app-access/issues/145) to make the first install flow work. That's why EnsureInstalled doesn't work with token exchange yet

[paulomarg]

That makes sense

[paulomarg]

Should we log these error messages as info?

[zzooeeyy]

Good catch, I'll change them to :error!

[paulomarg]

That makes sense

[paulomarg]

That's fair - I think if we expect the code to change then it won't make sense to extract them. We can live with some minor duplications here, as long as we're aware we'll need to consider both cases when making changes.

[paulomarg]

I think this makes sense, assuming the TODOs will be resolved before we release :)

[ragalie]

This looks good to me! One question: should we have unit tests around the TokenExchange class?

[paulomarg]

Great callout, we should definitely add some tests for the new paths.

[zzooeeyy]

This looks good to me! One question: should we have unit tests around the TokenExchange class?

Yes we totally should, I was going to tackle that after we handle all the special invalid token cases. That way we can ensure we have all the test cases and ways to recover in 1 go... I've added that another task so we don't forget about it:

• https://github.com/Shopify/develop-app-access/issues/267

[ragalie]

I was going to tackle that after we handle all the special invalid token cases

I'd encourage you to test the happy path in the happy path PR, and the sad path in the sad path PR! Doing all the tests at once can make it harder to discover what caused errors, whereas doing them more iteratively makes it more obvious when a change is breaking an assumption.

[zzooeeyy]

Thanks @ragalie & @paulomarg -- I've updated this PR with tests!

[ragalie]

I'd maybe go with a stubs here instead of an expectation. It doesn't seem essential to the test outcome that this gets called twice; that's an implementation detail. The thing we care about is that the exchange_token happens once, which you're expecting below. What do you think?

[zzooeeyy]

Sure I don't disagree with that!

[ragalie]

Left a comment on test tactics but otherwise LGTM!