Use token exchange instead of redirecting for online session (#20)

Author: TheSecurityDev

README.md

@@ -55,7 +55,8 @@ _Importing differs slightly from the official library in that the `createShopify
 For requests, create the middleware like this:
 
 ```js
-// For requests from the frontend, we want to return headers, so we can check if we need to reauth on the client side
+// For API requests from the frontend, we want to return headers, so we can check if we need to reauthenticate on the client side.
+// NOTE: Now this isn't needed as often since we use the token exchange endpoint to get the online token.
 const verifyApiRequest = verifyRequest({ returnHeader: true });
 const verifyPageRequest = verifyRequest();
 ```

package.json

@@ -1,7 +1,7 @@
 {
   "name": "simple-koa-shopify-auth",
-  "version": "2.1.17",
-  "description": "A better, simplified version of the (no longer supported) @Shopify/koa-shopify-auth middleware library. It removes the use of cookies for sessions (which greatly smooths the auth process), replaces a deprecated API call, and supports v2 of the official @shopify/shopify-api package.",
+  "version": "3.0.0",
+  "description": "A better, simplified version of the now deprecated @Shopify/koa-shopify-auth middleware library. It removes the use of cookies for sessions (which greatly smooths the auth process), replaces a deprecated API call, and supports v2 of the official @shopify/shopify-api package.",
   "author": "TheSecurityDev",
   "license": "MIT",
   "repository": {
@@ -29,10 +29,10 @@
     "prepublish": "npm run build"
   },
   "dependencies": {
-    "lru-cache": "^9.1.2"
+    "lru-cache": "^10.2.0"
   },
   "peerDependencies": {
-    "@shopify/shopify-api": "^5.0.1"
+    "@shopify/shopify-api": "^5.3.0"
   },
   "devDependencies": {
     "@types/koa": "^2.14.0",

src/create-shopify-auth.ts

@@ -42,7 +42,7 @@ export default function createShopifyAuth(options: OAuthBeginConfig) {
       (path === oAuthStartPath && shouldPerformTopLevelOAuth(ctx))
     ) {
       // Auth started
-      if (!validateShop(shop)) {
+      if (!Shopify.Utils.sanitizeShop(shop)) {
         // Invalid shop
         ctx.response.status = 400;
         ctx.response.body = shop ? "Invalid shop parameter" : "Missing shop parameter";
@@ -74,9 +74,7 @@ export default function createShopifyAuth(options: OAuthBeginConfig) {
           query as unknown as AuthQuery
         );
         ctx.state.shopify = session;
-        if (config.afterAuth) {
-          await config.afterAuth(ctx);
-        }
+        await config.afterAuth?.(ctx);
       } catch (err) {
         const message = (err as Error).message;
         switch (true) {
@@ -87,8 +85,6 @@ export default function createShopifyAuth(options: OAuthBeginConfig) {
             // This is likely because the OAuth session cookie expired before the merchant approved the request
             ctx.redirect(`${oAuthStartPath}?${querystring}`);
             break;
-          case err instanceof Shopify.Errors.InvalidJwtError:
-            ctx.throw(401, message);
           default:
             ctx.throw(500, message);
         }
@@ -99,8 +95,3 @@ export default function createShopifyAuth(options: OAuthBeginConfig) {
     await next();
   };
 }
-
-export function validateShop(shop: string): boolean {
-  const shopUrlRegex = /^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.(com|io)[/]*$/;
-  return shopUrlRegex.test(shop);
-}

src/index.ts

@@ -1,4 +1,6 @@
-import createShopifyAuth, { validateShop } from "./create-shopify-auth";
-import verifyRequest from "./verify-request";
+import createShopifyAuth from "./create-shopify-auth";
+import verifyRequest, { AuthFailureHeader } from "./verify-request";
 
-export { createShopifyAuth, validateShop, verifyRequest };
+export { createShopifyAuth, verifyRequest, AuthFailureHeader };
+export { createSession } from "./session";
+export { exchangeSessionTokenForAccessTokenSession } from "./token-exchange";

src/session.ts

@@ -0,0 +1,28 @@
+import Shopify, { OnlineAccessResponse } from "@shopify/shopify-api";
+
+/* Creates a new session from the response from the access token request. */
+export function createSession(responseBody: OnlineAccessResponse, shop: string, state = "") {
+  const { access_token, scope, ...rest } = responseBody;
+  const isOnline = !!rest.associated_user; // If there's an associated user, then it's an online access token
+
+  // Get the session ID
+  const sessionId = Shopify.Context.IS_EMBEDDED_APP
+    ? isOnline
+      ? Shopify.Auth.getJwtSessionId(shop, `${rest.associated_user.id}`)
+      : Shopify.Auth.getOfflineSessionId(shop)
+    : `${shop}_${Date.now()}`;
+
+  // Initialize the session object
+  const session = new Shopify.Session.Session(sessionId, shop, state, isOnline);
+  session.accessToken = access_token;
+  session.scope = scope;
+
+  if (isOnline) {
+    // Add the online access info
+    const sessionExpiration = new Date(Date.now() + responseBody.expires_in * 1000);
+    session.expires = sessionExpiration;
+    session.onlineAccessInfo = rest;
+  }
+
+  return session;
+}

src/token-exchange.ts

@@ -0,0 +1,110 @@
+import Shopify, { DataType, OnlineAccessResponse } from "@shopify/shopify-api";
+import { HttpResponseError } from "@shopify/shopify-api/dist/error";
+import { Session } from "@shopify/shopify-api/dist/auth/session";
+
+import { createSession } from "./session";
+
+// Cache object with current requests so we can avoid making the same request multiple times.
+// The key is in the format `{shop}:{tokenType}:{encodedSessionToken}:{saveSession}` and the value is the promise of the request.
+const currentTokenExchangeRequests = new Map<string, Promise<Session>>();
+
+/** Given the shop, encoded JWT session token, and token type, return a session object with an access token.
+    https://shopify.dev/docs/apps/auth/get-access-tokens/token-exchange
+
+    The request will be de-duplicated, so if multiple requests are made at once with the same shop, token and token type, only one request will be made.
+
+    @param shop The shop's myshopify domain
+    @param encodedSessionToken The encoded JWT session token
+    @param tokenType The type of access token to exchange for ('online' or 'offline')
+    @param saveSession If true, the new session will be saved to storage (default)
+
+    @returns The new session object
+    */
+export async function exchangeSessionTokenForAccessTokenSession(
+  shop: string,
+  encodedSessionToken: string,
+  tokenType: "online" | "offline",
+  saveSession = true // If true, the new session will be saved to storage
+) {
+  // Check if we already have a request in progress
+  const key = `${shop}:${tokenType}:${encodedSessionToken}:${saveSession}`;
+  const existingRequest = currentTokenExchangeRequests.get(key);
+  if (existingRequest) return existingRequest; // If we already have a request in progress, use it
+
+  // Otherwise make the request with a timeout
+  const requestOrTimeout = Promise.race([
+    makeTokenExchangeRequest({ shop, encodedSessionToken, tokenType, saveSession }),
+    new Promise<Session>((resolve, reject) =>
+      setTimeout(() => reject(new Error("Request timed out")), 10000)
+    ),
+  ]);
+
+  // Save the request to the cache
+  currentTokenExchangeRequests.set(key, requestOrTimeout);
+
+  // When the request is done, remove it from the cache
+  requestOrTimeout.finally(() => {
+    currentTokenExchangeRequests.delete(key);
+  });
+
+  return requestOrTimeout;
+}
+
+// Internal function that makes the request to Shopify to exchange the session token for an access token. The main function is a wrapper around this one that implements de-duplicating the requests.
+async function makeTokenExchangeRequest(params: {
+  shop: string;
+  encodedSessionToken: string;
+  tokenType: "online" | "offline";
+  saveSession: boolean;
+}) {
+  const { shop, encodedSessionToken, tokenType, saveSession } = params;
+
+  const sanitizedShop = Shopify.Utils.sanitizeShop(shop, true);
+
+  // Construct the request body
+  const body = {
+    client_id: Shopify.Context.API_KEY,
+    client_secret: Shopify.Context.API_SECRET_KEY,
+    grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
+    subject_token: encodedSessionToken,
+    subject_token_type: "urn:ietf:params:oauth:token-type:id_token",
+    requested_token_type: `urn:shopify:params:oauth:token-type:${tokenType}-access-token`,
+  };
+
+  // Make the request
+  const response = await fetch(`https://${sanitizedShop}/admin/oauth/access_token`, {
+    method: "POST",
+    headers: { "Content-Type": DataType.JSON, Accept: DataType.JSON },
+    body: JSON.stringify(body),
+  });
+
+  // Check the response for errors
+  if (!response.ok) {
+    const { status, statusText, headers } = response;
+    throw new HttpResponseError({
+      message: `Failed to exchange session token for access token: ${status} ${statusText}`,
+      code: status,
+      statusText,
+      body,
+      headers: headers as any,
+    });
+  }
+
+  // Parse the response
+  const sessionResponse: OnlineAccessResponse = await response.json();
+
+  // Create the session
+  const session = createSession(sessionResponse, shop);
+
+  // Make sure the session is active
+  if (!session.isActive()) {
+    throw new Error(
+      `The session '${session?.id}' we just got from Shopify is not active for shop '${shop}'`
+    );
+  }
+
+  // Save the session to storage if requested
+  if (saveSession) await Shopify.Utils.storeSession(session);
+
+  return session;
+}

src/top-level-oauth-redirect.ts

@@ -37,8 +37,8 @@ export async function startTopLevelOauthRedirect(ctx: Context, apiKey: string, p
   setTopLevelOAuthCookieValue(ctx, "1");
   let { query } = ctx;
   const hostName = Shopify.Context.HOST_NAME; // Use this instead of ctx.host to prevent issues when behind a proxy
-  const shop = query.shop ? query.shop.toString() : "";
-  const host = query.host ? query.host.toString() : "";
+  const shop = Shopify.Utils.sanitizeShop(query.shop?.toString() ?? "") ?? "";
+  const host = Shopify.Utils.sanitizeHost(query.host?.toString() ?? "") ?? "";
   const params = { shop, host };
   const queryString = new URLSearchParams(params).toString(); // Use this instead of ctx.querystring, because it sanitizes the query parameters we are using
   ctx.body = await getTopLevelRedirectScript(

src/utils.ts

@@ -0,0 +1,47 @@
+import Shopify from "@shopify/shopify-api";
+import { MissingJwtTokenError, HttpResponseError } from "@shopify/shopify-api/dist/error";
+import { JwtPayload } from "@shopify/shopify-api/dist/utils/decode-session-token";
+import { Context } from "koa";
+
+/** Throw the error, unless it's an `HttpResponseError` with status `401`. */
+export function throwUnlessAuthError(err: HttpResponseError | Error | unknown) {
+  if (err instanceof HttpResponseError) {
+    // NOTE: Shopify API v3+ uses 'response.code' instead of 'code'
+    const code = (err as any)?.code ?? err.response?.code;
+    if (code === 401) return; // Catch the 401 error so we can re-authorize
+  }
+  throw err; // Throw any other errors
+}
+
+////////////////////////////
+// Session token utils
+////////////////////////////
+
+/** Find and return the base64 encoded JWT session token from the request authorization header in the given context. Throws an error if it wasn't found. */
+export function getEncodedSessionToken(ctx: Context) {
+  if (Shopify.Context.IS_EMBEDDED_APP) {
+    const authHeader = ctx.req.headers.authorization ?? "";
+    const matches = authHeader?.match(/Bearer (.*)/);
+    if (!matches) throw new MissingJwtTokenError("Missing Bearer token in authorization header");
+    return matches[1];
+  } else {
+    throw new Error("Session tokens are only available in embedded apps");
+  }
+}
+
+/** Get the shop from the JWT session token. */
+export function getShopFromSessionToken(sessionToken: JwtPayload) {
+  return sessionToken.dest.replace("https://", "");
+}
+
+/** Get the base64 encoded host from the JWT session token. */
+function getHostFromSessionToken(sessionToken: JwtPayload) {
+  return Buffer.from(sessionToken.iss.replace("https://", "")).toString("base64");
+}
+
+/** Parse given decoded session token and return the shop and host query string params. */
+export function getShopAndHostQueryStringFromSessionToken(sessionToken: JwtPayload) {
+  const shop = getShopFromSessionToken(sessionToken);
+  const host = getHostFromSessionToken(sessionToken);
+  return new URLSearchParams({ shop, host }).toString();
+}