Extract post authenticate tasks from CallbackController

[zzooeeyy]

What this PR does

• https://github.com/Shopify/develop-app-access/issues/235

• Extract common logic to run post authenticate task from CallbackController so that it can be used after the token exchange flow.

• Added PostAuthenticateTasks to run the authenticated task

• This is configurable as config.custom_post_authenticate_tasks, if that's not set, the default config.post_authenticate_tasks will return PostAuthenticateTasks class

• Updated docs on post authenticate tasks

• Added deprecation warnings

Tophatting:

Deprecation warning in server start from configuration

Deprecation reminder in tests logs

When config.custom_post_authenticate_tasks is set, it will be used to handle post authenticate tasks

• I also tested not setting the custom_post_authenticate_tasks to ensure the methods in CallbackController to perform post authenticate tasks are done.

Checklist

Before submitting the PR, please consider if any of the following are needed:

• Update CHANGELOG.md if the changes would impact users
• Update README.md, if appropriate.
• Update any relevant pages in /docs, if necessary
• For security fixes, the Disclosure Policy must be followed.

[zzooeeyy]

All of this is copied from CallbackController

shopify_app/app/controllers/shopify_app/callback_controller.rb

Lines 151 to 178 in 1f993c2

	def perform_post_authenticate_jobs(session)
	# Ensure we use the shop session to install webhooks
	session_for_shop = session.online? ? shop_session : session
	install_webhooks(session_for_shop)
	perform_after_authenticate_job(session)
	end
	def install_webhooks(session)
	return unless ShopifyApp.configuration.has_webhooks?
	WebhooksManager.queue(session.shop, session.access_token)
	end
	def perform_after_authenticate_job(session)
	config = ShopifyApp.configuration.after_authenticate_job
	return unless config && config[:job].present?
	job = config[:job]
	job = job.constantize if job.is_a?(String)
	if config[:inline] == true
	job.perform_now(shop_domain: session.shop)
	else
	job.perform_later(shop_domain: session.shop)
	end

[paulomarg]

Had a few thoughts but most of them are just me trying to understand things better so take them with a grain of salt :)

[paulomarg]

Could we simplify this by adding a check for the version itself instead of adding the comments? We should still have a comment with the word deprecated in it because that makes it easier to search / replace when we're releasing a new major version.

[zzooeeyy]

[paulomarg]

Nit: would it make more sense to have a post_authenticate_tasks setting that defaults to the new class rather than a custom setting?

[zzooeeyy]

yess that does make sense, but in this pre-deprecation case we don't want to use the post_authenticate_tasks with a default if it's not manually set since we still want to call the old methods. I think it does make sense to have a single config with a default once we roll out the deprecation.

[paulomarg]

Hmm yeah, fair. It wouldn't be ideal to change the setting name in the future though - so I think we should stick with what we add in this PR, whichever way we prefer to do it.

[paulomarg]

I like this as a setup for logging general duplications - we might want to do that too when we go ahead with token exchange, so there might be an opportunity to make this a little bit more generic (like given an array of messages, log if it isn't empty).

Also, can we add some conditions to logging this? Is there any way we can detect that there is a controller that responds to the old methods we want to hide? We can probably build it back from the route path. It's more work but I think it would be worth it to not log every time.

[zzooeeyy]

I agree we should make it more generic, but I think that could be done when we know we'll have another need for it? It's hard to know what specs to build for until we know how the new messages might look? e.g. is it generic messages or is it specific to deprecations...

and also, I disagree on conditionally logging this by checking for controllers in route.. I don't think that's worth the effort since it'll be deprecated in next release anyways, plus this will only be logged when you first start the server, so it's not tooo noisy. 🤔

[paulomarg]

Fair. I think this comment is big enough that most folks would see it.

When I suggested we log this conditionally, I meant that ideally we wouldn't log it if there is no usage of the deprecated setup, i.e. if the app is configured in the "new" way, we just skip this to avoid confusion.

[paulomarg]

Personal opinion, but I'm not sure I'd explicitly log these - just adding a comment saying they're deprecated (or better yet, adding actual deprecation logs) rather than puts-ing might be enough. The logger call would actually error out so it would create actual test failures when we get there, which is nice.

[paulomarg]

Should we have a very simple test here to ensure that the default behaviour gets called (even if we have to stub it)?

[paulomarg]

Nit: why do we have to call add_registrations here but not in the success tests? Makes me feel like there's a wrong check somewhere in the code :)

[zzooeeyy]

ooops that's my oversight, I copied straight from CallbackControllTest LOL I'll also remove it from that test case

https://github.com/Shopify/shopify_app/blob/main/test/controllers/callback_controller_test.rb#L180

[paulomarg]

This is just a question for my own benefit: will any class that defines a perform method do here? Should we check if it extends a job class instead to standardize things a bit more?

[zzooeeyy]

I didn't put too much consideration there, because I didn't think the standardization is too necessary? This way it's more flexible, plus the configuration will raise a ConfigurationError if "perform" isn't a method.. What do you think?

[paulomarg]

I also don't think it matters too much, but I remember the documentation said it could "run this later", which I took to mean it would deal with a perform_later type of thing. But just for the sake of standardization, I don't think it's necessary.

[paulomarg]

I also don't think it matters too much, but I remember the documentation said it could "run this later", which I took to mean it would deal with a perform_later type of thing. But just for the sake of standardization, I don't think it's necessary.

[paulomarg]

Nice that we can just compare it this way, makes this very easy to understand :)

[paulomarg]

Hmm yeah, fair. It wouldn't be ideal to change the setting name in the future though - so I think we should stick with what we add in this PR, whichever way we prefer to do it.

[paulomarg]

Fair. I think this comment is big enough that most folks would see it.

When I suggested we log this conditionally, I meant that ideally we wouldn't log it if there is no usage of the deprecated setup, i.e. if the app is configured in the "new" way, we just skip this to avoid confusion.

[paulomarg]

Should this be the global test config value, so that other tests start with this as an assumption?

[zzooeeyy]

Not necessary I only did it to "reset" the configuration state, but I can move that to the teardown so it doesn't become and assumption for other tests!

[paulomarg]

Just a general question, but if this is the way, LGTM

[paulomarg]

Nit: this breaks the ToC at the top of this file :)

[zzooeeyy]

Good catch!

[paulomarg]

I know this is a bit late in the game, but isn't this essentially the same as enqueueing a special job that does these tasks?

[zzooeeyy]

It is very similar, but the after_authenticate_job only accepts a shop domain as the parameter, in which case it might not be enough for task customization?? If devs want to use the user session for whatever post auth task for their app, they wouldn't be able to since the task would only know the shop domain?? And since that's also setup in the configuration file, we'll need to somehow magically add this new special job to existing apps, and ensure there isn't conflict if they have already declared jobs?