Handle invalid access tokens in token exchange #1822
Force-pushed from f5f33bf to 01c0995
We'll create an API wrapper and handle errors differently, so I'm moving this back to draft.
Force-pushed from 0caec9b to 6c8e444
We decided to keep retrying in the

```ruby
with_token_refetch(@session, @session_token) do
  # Admin API call here
end
```
Thanks for the clean up, I just have some questions! ❤️
I think this is great! We should also make sure to document the new public-facing aspects of these changes - ideally with some examples of how folks might use them.

The tests that execute the new
docs/shopify_app/sessions.md (Outdated)
@@ -203,6 +204,64 @@ user.with_shopify_session do | |||
end | |||
``` | |||
|
|||
#### Re-fetching an access token when API returns Unauthorized |
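Review bot: the heading added at the end of this hunk reads "when API returns Unauthorized"; make it "when the API returns Unauthorized", and have the section under it say that the block is retried only once after a token exchange, since the heading alone could be read as promising open-ended retries.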
I added this section to the sessions doc to document usage cc @zzooeeyy @paulomarg
Force-pushed from beb3b6c to f2998d0
Thanks! Some more 💭
docs/shopify_app/sessions.md (Outdated)
|
||
def index | ||
client = ShopifyAPI::Clients::Graphql::Admin.new(session: current_shopify_session) | ||
with_token_refetch(current_shopify_session, session_token) do # Unauthorized errors raised in this block will initiate token exchange and the block will be retried once |
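Review bot: the explanatory comment on the `with_token_refetch(current_shopify_session, session_token) do` line runs far past the code it annotates; move it onto its own line above the call. It also says the block is retried once but not what happens when the retried call raises Unauthorized again, which is exactly the case a developer handling their own errors needs to know about; state in the example whether that second error propagates out of the block.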
hmm looking at the example here, do you think it might be confusing to devs on the difference between `current_shopify_session` and `session_token`? There are so many cases where we just use "session" to describe something, should we rename (in the actual method implementation as well) `session_token` to be like `session_jwt_token` to be more explicit on which one we're talking about?
Yeah I agree it's very confusing. I noticed we call it `id_token` in the URL and also in App Bridge, so I'm leaning towards `shopify_id_token` here to keep consistency, especially because those are the two sources of the token we're using here.
While I think that's good, we also use the phrase `session token` in quite a few places (docs, etc), even though it's really an id token. We'd probably want to be consistent with that, right?
I was chatting with @ragalie about this to get a better understanding of `session token` vs `ID token`, and what I got is that this `session token` is a type of `id token`, which is part of the OpenID spec and is supposed to be a claim by the server about a user's identity. `session token` is Shopify's claim about the current user that's logged in, it's an `ID token` and it's in JWT format.

I do agree that we need to make it clear that `id_token` in some places and `session_token` in others means the same thing, just like `session` in the context of the libraries usually means `access_token`.
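To make the distinction drawn in this thread concrete, here is an added example (not shopify_app code) that mints and verifies an HS256-signed JWT id token of the kind the session token is, using only the Ruby standard library. The shared secret, the audience value, the issuer URL and the helper names are constructed assumptions; the access token that a `session` holds never appears, which is the point: the id token is the server's claim about the user and is what gets exchanged, not the credential used against the Admin API. Every failure is raised as one `IdTokenError`, the kind of JWT validation error the TODO in this PR leaves for the bounce-page work.

```ruby
require "openssl"
require "json"

# Added example, not shopify_app code. Signs and verifies the HS256 JWT
# "id token" (session token) discussed above with the standard library only.
# The secret, audience, issuer and claim values below are constructed.
class IdTokenError < StandardError; end

APP_SECRET = "constructed-shared-secret" # assumption: the app's shared secret
APP_API_KEY = "constructed-api-key"      # assumption: aud carries the app's API key

def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str.tr("-_", "+/")
  padded += "=" * ((4 - padded.length % 4) % 4)
  padded.unpack1("m0") # strict decoding: raises ArgumentError on garbage
end

def decode_json_segment(segment)
  JSON.parse(b64url_decode(segment).force_encoding(Encoding::UTF_8))
end

# Constant-time comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issuer side: stand-in for the platform that mints the id token.
def sign_id_token(claims, secret)
  header = b64url_encode(JSON.generate({ "alg" => "HS256", "typ" => "JWT" }))
  payload = b64url_encode(JSON.generate(claims))
  signing_input = "#{header}.#{payload}"
  "#{signing_input}.#{b64url_encode(OpenSSL::HMAC.digest("SHA256", secret, signing_input))}"
end

# App side: returns the verified claims or raises IdTokenError.
def verify_id_token(token, secret:, expected_aud:, now: Time.now.to_i)
  parts = token.split(".")
  raise IdTokenError, "malformed token" unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts

  header = decode_json_segment(header_b64)
  # Pin the algorithm: the token must never choose "none" or another scheme.
  raise IdTokenError, "unexpected alg #{header['alg'].inspect}" unless header["alg"] == "HS256"

  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{header_b64}.#{payload_b64}")
  raise IdTokenError, "bad signature" unless secure_equal?(b64url_decode(sig_b64), expected)

  claims = decode_json_segment(payload_b64)
  raise IdTokenError, "wrong audience" unless claims["aud"] == expected_aud
  raise IdTokenError, "expired" unless claims["exp"].is_a?(Integer) && now < claims["exp"]
  raise IdTokenError, "not yet valid" if claims["nbf"].is_a?(Integer) && now < claims["nbf"]
  claims
rescue ArgumentError, JSON::ParserError => e
  raise IdTokenError, "undecodable token: #{e.message}"
end

# Constructed claim set: the server's statement about user "42".
def example_claims(now)
  {
    "iss" => "https://example-shop.myshopify.com/admin", # constructed issuer
    "aud" => APP_API_KEY,
    "sub" => "42",
    "exp" => now + 60,
    "nbf" => now - 1,
    "iat" => now - 1
  }
end

def outcome(token, now:)
  verify_id_token(token, secret: APP_SECRET, expected_aud: APP_API_KEY, now: now)["sub"]
rescue IdTokenError => e
  "rejected: #{e.message}"
end

# Exercises a valid token, a forged payload, an alg=none token and an expired token.
def demo(now: 1_700_000_000)
  good = sign_id_token(example_claims(now), APP_SECRET)
  header, payload, sig = good.split(".")
  forged = "#{header}.#{b64url_encode(JSON.generate(example_claims(now).merge("sub" => "1")))}.#{sig}"
  alg_none = "#{b64url_encode(JSON.generate({ "alg" => "none", "typ" => "JWT" }))}.#{payload}.x"
  {
    "valid" => outcome(good, now: now),
    "forged" => outcome(forged, now: now),
    "alg_none" => outcome(alg_none, now: now),
    "expired" => outcome(good, now: now + 3600)
  }
end

p demo if $PROGRAM_NAME == __FILE__
```

Running the file prints one line per case: the genuine token yields `"42"`, the forged payload fails the signature check, the `alg: none` token is rejected before any signature is examined, and the same genuine token is rejected once `now` passes `exp`.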
Had some nits but looking really good!
LGTM, thanks!
Force-pushed from 2e3952f to f94727f
…ange concern Co-authored-by: Rachel Carvalho <rachel.carvalho@shopify.com>
Force-pushed from fae7175 to 0ddf652
Just one last nit, non-blocking if it is the case :)
ShopifyApp::Auth::TokenExchange.perform(shopify_id_token) | ||
# TODO: Rescue JWT validation errors when bounce page is ready |
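Review bot: `ShopifyApp::Auth::TokenExchange.perform(shopify_id_token)` is called with nothing rescued around it, and the TODO defers handling JWT validation errors until the bounce page exists; until then, document in the concern which exceptions reach the caller for an invalid, expired or absent id token, so apps relying on this concern know what they will see in the meantime.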
I assume this TODO also covers requests where no id token is present?
Yesss
📹 Demo video

What this PR does
- `around_action` in token exchange concern `activate_shopify_session`.
- `ShopifyApp::Auth::TokenExchange.perform(session_token)`
- `ShopifyApp::AdminAPI::WithTokenRefetch` module with a method to allow easy token refetch/retry on Unauthorized errors

So developers handling their own errors can still have their access tokens refetched:

Checklist
Before submitting the PR, please consider if any of the following are needed:
- `CHANGELOG.md` if the changes would impact users
- `README.md`, if appropriate.
- `/docs`, if necessary
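The refetch/retry behaviour this description lists, as an added example that is not the PR's own code: a stand-in `with_token_refetch` that rescues only Unauthorized, performs a single token exchange through a stub exchanger, retries the block once, and lets a second Unauthorized (or any error that is not Unauthorized) propagate to the caller. `Unauthorized`, `Session`, `TokenExchangeStub`, `FakeAdminApi` and the token strings are constructed for this example and stand in for the real `ShopifyApp::Auth::TokenExchange.perform` and Admin API client.

```ruby
# Added example, not shopify_app code. Shows the retry-once semantics behind a
# WithTokenRefetch-style helper using constructed stand-ins only.
class Unauthorized < StandardError; end

# Session holding the access token used against the Admin API (constructed).
Session = Struct.new(:shop, :access_token)

# Stand-in for ShopifyApp::Auth::TokenExchange.perform: turns an id token into a
# fresh access token and counts calls, so a caller can see that at most one
# exchange happens per protected block.
class TokenExchangeStub
  attr_reader :calls

  def initialize
    @calls = 0
  end

  def perform(id_token)
    @calls += 1
    "access-token-#{@calls}-for-#{id_token}"
  end
end

# Stand-in Admin API: accepts a fixed set of access tokens, 401s on anything else.
class FakeAdminApi
  def initialize(accepted_tokens)
    @accepted = accepted_tokens
  end

  def call(session)
    raise Unauthorized, "401 Unauthorized" unless @accepted.include?(session.access_token)
    { "shop" => session.shop, "token_used" => session.access_token }
  end
end

# Runs the block; on Unauthorized, exchanges the id token for a new access token
# exactly once and retries the block once. A second Unauthorized raised by the
# retry, and any error that is not Unauthorized, propagates to the caller.
def with_token_refetch(session, id_token, exchanger)
  yield session
rescue Unauthorized
  session.access_token = exchanger.perform(id_token)
  yield session
end

# Returns [api_result, number_of_exchanges] for a given starting access token.
def run_demo(initial_token:, accepted_tokens:)
  exchanger = TokenExchangeStub.new
  api = FakeAdminApi.new(accepted_tokens)
  session = Session.new("example-shop.myshopify.com", initial_token) # constructed shop
  result = with_token_refetch(session, "constructed-id-token", exchanger) { |s| api.call(s) }
  [result, exchanger.calls]
end

if $PROGRAM_NAME == __FILE__
  # Valid token: no exchange needed.
  p run_demo(initial_token: "valid", accepted_tokens: ["valid"])
  # Stale token: one exchange, then the retried call succeeds with the new token.
  p run_demo(initial_token: "stale", accepted_tokens: ["access-token-1-for-constructed-id-token"])
  # Stale token and the exchanged token is rejected too: the second 401 propagates.
  begin
    run_demo(initial_token: "stale", accepted_tokens: [])
  rescue Unauthorized => e
    puts "second failure propagated: #{e.message}"
  end
end
```

Rescuing only `Unauthorized` matters: a rate limit or a network error must not trigger a token exchange, and bounding the retry to one attempt keeps a persistently rejected token from looping between the API and the exchange endpoint.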