Handle invalid session token

[zzooeeyy]

• closes https://github.com/Shopify/develop-app-access/issues/145

What this PR does

• Handle invalid session token errors
• Redirect to app-bridge-next bounce page if session token is invalid & Auth header doesn't exist
• Respond with 401 if auth header exists and session token is invalid. If the app's front-end is using CDN version of app bridge next, it'll automatically be retried. otherwise, the 401 error will be exposed.

Tophatting-

• 📹 Redirecting to bounce page on initial app render (we are not parsing id_token from URL param yet, so session token will be invalid initially, this redirect shouldn't be hit as often once we are using id_token)
• For testing - I created a temp global variable count that raises an "invalid session token" error on every other try.
  • 📹 App configured with app bridge from CDN - The initial create failed from invalid session token, since X-Shopify-Retry-Invalid-Session-Request is set from the response, app bridge will retry create with new session token, thus passing the second time
  • 📹 App configured with old version of app bridge NOT using the CDN - Response for create returns 401 in every other request from my test setup..

Checklist

Before submitting the PR, please consider if any of the following are needed:

• [ will update once feature is released ] Update CHANGELOG.md if the changes would impact users
• [will update once feature is released ] Update README.md, if appropriate.
• [will update once feature is released ] Update any relevant pages in /docs, if necessary

[rachel-carvalho]

I noticed that the docs mention EnsureInstalled provides the installed_shop_session method and EnsureHasSession provides current_shopify_session. I think TokenExchange#activate_shopify_session provides current_shopify_session, right? Should it be different for EnsureInstalled? Or maybe provide both methods?

[zzooeeyy]

Yess, so EnsureInstalled concern itself implements the installed_shop_session method, so it'll still be able to be used. Having TokenExchange enabled, they'll just get both 'current_shopify_sessionandinstalled_shop_session` !

[rachel-carvalho]

Could we rescue these errors for the entire activate_shopify_session method? with_token_refetch might also end up raising this error, since it performs token exchange.

[zzooeeyy]

I was pairing with Mike and we thought that's not worth it since we already check for validity before we call token exchange, it'd just be adding extra work for the slightest chance that it might expire within that timeframe... There are leeways in-place to ensure we don't encounter these problems..?

[rachel-carvalho]

Oh but what if we don't perform token exchange there because current_shopify_session exists and then do during with_token_refetch? In that case it wouldn't be double validation/rescue, right?

[zzooeeyy]

hmmm I think this will cause a "Double render/redirect" error since this is around the controller action.. so if we handle the error and respond with retry or redirect to bounce page and the controller action also renders... 🤔

[rachel-carvalho]

If the action raises a token exchange error it will likely not have rendered yet, but you're right that it could happen if the app doesn't follow the pattern of rendering/redirecting as the last thing in the action 🤔

I looked up and saw there's a performed? method we can call in the controller to avoid a double render/redirect. What if we bounce unless performed?

[rachel-carvalho]

Maybe we shouldn't respond to invalid cookies with a bounce page now that we'll be using the method that exclusively checks shopify_id_token.

[zzooeeyy]

Yea once I use the new utility method, we won't be handling CookieNotFoundError error anymore, but it'll be checking for MissingJwtTokenError instead

[rachel-carvalho]

Nit: maybe we could URL encode the param for better readability of the test?

Suggested change

	expected_redirect_url = "/my-root/patch_shopify_id_token?my_param=for-keeps&shop=my-shop.myshopify.com"
	expected_redirect_url += "&shopify-reload=%2Freloaded_path%3Fmy_param%3Dfor-keeps%26shop%3Dmy-shop.myshopify.com"
	reload_url = CGI.escape("/reloaded_path?my_param=for-keeps&shop=#{@shop}")
	expected_redirect_url = "/my-root/patch_shopify_id_token?my_param=for-keeps&shop=my-shop.myshopify.com&shopify-reload=#{reload_url}"

[zzooeeyy]

🤯 NICE!

[rachel-carvalho]

I wish there was a way to use the Rails URL helper method patch_shopify_id_token_path here which already does most of the URL assembly work for us, but the way our tests are setup using with_routing it's not including engine's routes, so I think it would be a bit too much work for it to be worth it.

[paulomarg]

Would we ever have a cookie present for token exchange? If it's only meant to run for embedded apps there should never be any cookies involved, right?

[zzooeeyy]

Yea cookies are never involved.. but the way ShopifyAPI::current_session_id is setup, it'll throw a "CookieNotFoundError" if we pass in a nil auth header (which will be the case for the initial server load when we're not using id_token from URL params), so once I change this to use the new util method, we won't be catching this CookieNotFoundError but MissingJwtTokenError instead.

[paulomarg]

Hmm that's fair. I guess we can't change this without it potentially breaking apps out there, right?

[zzooeeyy]

Yea exactly :(

[rachel-carvalho]

Looks good to me, thanks Zoey!