Remove token exchange step from authentication flow

Made-with: Cursor

Author: gonzaloriestra

packages/cli-kit/src/private/node/session.test.ts

@@ -50,35 +50,13 @@ const validIdentityToken: IdentityToken = {
 }
 
 const validTokens: OAuthSession = {
-  admin: {token: 'admin_token', storeFqdn: 'mystore.myshopify.com'},
-  storefront: 'storefront_token',
-  partners: 'partners_token',
+  admin: {token: 'access_token', storeFqdn: 'mystore.myshopify.com'},
+  storefront: 'access_token',
+  partners: 'access_token',
   userId,
 }
 
-const appTokens: Record<string, ApplicationToken> = {
-  // Admin APIs includes domain in the key
-  'mystore.myshopify.com-admin': {
-    accessToken: 'admin_token',
-    expiresAt: futureDate,
-    scopes: ['scope', 'scope2'],
-  },
-  'storefront-renderer': {
-    accessToken: 'storefront_token',
-    expiresAt: futureDate,
-    scopes: ['scope1'],
-  },
-  partners: {
-    accessToken: 'partners_token',
-    expiresAt: futureDate,
-    scopes: ['scope2'],
-  },
-  'business-platform': {
-    accessToken: 'business_platform_token',
-    expiresAt: futureDate,
-    scopes: ['scope3'],
-  },
-}
+const appTokens: Record<string, ApplicationToken> = {}
 
 const partnersToken: ApplicationToken = {
   accessToken: 'custom_partners_token',
@@ -162,7 +140,7 @@ describe('ensureAuthenticated when previous session is invalid', () => {
     const got = await ensureAuthenticated(defaultApplications)
 
     // Then
-    expect(exchangeAccessForApplicationTokens).toBeCalled()
+    expect(exchangeAccessForApplicationTokens).not.toBeCalled()
     expect(refreshAccessToken).not.toBeCalled()
     expect(businessPlatformRequest).toHaveBeenCalled()
     expect(storeSessions).toHaveBeenCalledOnce()
@@ -211,7 +189,7 @@ The CLI is currently unable to prompt for reauthentication.`,
             ...validIdentityToken,
             alias: 'user@example.com',
           },
-          applications: appTokens,
+          applications: {},
         },
       },
     }
@@ -220,7 +198,7 @@ The CLI is currently unable to prompt for reauthentication.`,
     const got = await ensureAuthenticated(defaultApplications)
 
     // Then
-    expect(exchangeAccessForApplicationTokens).toBeCalled()
+    expect(exchangeAccessForApplicationTokens).not.toBeCalled()
     expect(refreshAccessToken).not.toBeCalled()
     expect(storeSessions).toBeCalledWith(expectedSessions)
     expect(got).toEqual(validTokens)
@@ -239,7 +217,7 @@ The CLI is currently unable to prompt for reauthentication.`,
     const got = await ensureAuthenticated(defaultApplications)
 
     // Then
-    expect(exchangeAccessForApplicationTokens).toBeCalled()
+    expect(exchangeAccessForApplicationTokens).not.toBeCalled()
     expect(businessPlatformRequest).toHaveBeenCalled()
     expect(storeSessions).toHaveBeenCalledOnce()
 
@@ -250,26 +228,20 @@ The CLI is currently unable to prompt for reauthentication.`,
     expect(got).toEqual(validTokens)
   })
 
-  test('falls back to userId when no business platform token available', async () => {
+  test('uses identity token to fetch email during full auth flow', async () => {
     // Given
     vi.mocked(validateSession).mockResolvedValueOnce('needs_full_auth')
     vi.mocked(fetchSessions).mockResolvedValue(undefined)
-    const appTokensWithoutBusinessPlatform = {
-      'mystore.myshopify.com-admin': appTokens['mystore.myshopify.com-admin']!,
-      'storefront-renderer': appTokens['storefront-renderer']!,
-      partners: appTokens.partners!,
-    }
-    vi.mocked(exchangeAccessForApplicationTokens).mockResolvedValueOnce(appTokensWithoutBusinessPlatform)
 
     // When
     const got = await ensureAuthenticated(defaultApplications)
 
     // Then
-    expect(businessPlatformRequest).not.toHaveBeenCalled()
+    expect(businessPlatformRequest).toHaveBeenCalledWith(expect.any(String), 'access_token')
 
-    // Verify the session was stored with userId as alias (fallback)
+    // Verify the session was stored with email as alias
     const storedSession = vi.mocked(storeSessions).mock.calls[0]![0]
-    expect(storedSession[fqdn]![userId]!.identity.alias).toBe(userId)
+    expect(storedSession[fqdn]![userId]!.identity.alias).toBe('user@example.com')
   })
 
   test('executes complete auth flow if requesting additional scopes', async () => {
@@ -281,7 +253,7 @@ The CLI is currently unable to prompt for reauthentication.`,
     const got = await ensureAuthenticated(defaultApplications)
 
     // Then
-    expect(exchangeAccessForApplicationTokens).toBeCalled()
+    expect(exchangeAccessForApplicationTokens).not.toBeCalled()
     expect(refreshAccessToken).not.toBeCalled()
     expect(businessPlatformRequest).toHaveBeenCalled()
     expect(storeSessions).toHaveBeenCalledOnce()
@@ -320,7 +292,12 @@ describe('when existing session is valid', () => {
     vi.mocked(validateSession).mockResolvedValueOnce('ok')
     vi.mocked(fetchSessions).mockResolvedValue(validSessions)
     vi.mocked(getPartnersToken).mockReturnValue('custom_cli_token')
-    const expected = {...validTokens, partners: 'custom_partners_token'}
+    const expected = {
+      admin: {token: 'access_token', storeFqdn: 'mystore.myshopify.com'},
+      storefront: 'access_token',
+      partners: 'custom_partners_token',
+      userId,
+    }
 
     // When
     const got = await ensureAuthenticated(defaultApplications)
@@ -344,8 +321,16 @@ describe('when existing session is valid', () => {
 
     // Then
     expect(refreshAccessToken).toBeCalled()
-    expect(exchangeAccessForApplicationTokens).toBeCalled()
-    expect(storeSessions).toBeCalledWith(validSessions)
+    expect(exchangeAccessForApplicationTokens).not.toBeCalled()
+    const expectedSessions = {
+      [fqdn]: {
+        [userId]: {
+          identity: validIdentityToken,
+          applications: {},
+        },
+      },
+    }
+    expect(storeSessions).toBeCalledWith(expectedSessions)
     expect(got).toEqual(validTokens)
     await expect(getLastSeenUserIdAfterAuth()).resolves.toBe('1234-5678')
     await expect(getLastSeenAuthMethod()).resolves.toEqual('device_auth')
@@ -364,8 +349,16 @@ describe('when existing session is expired', () => {
 
     // Then
     expect(refreshAccessToken).toBeCalled()
-    expect(exchangeAccessForApplicationTokens).toBeCalled()
-    expect(storeSessions).toBeCalledWith(validSessions)
+    expect(exchangeAccessForApplicationTokens).not.toBeCalled()
+    const expectedSessions = {
+      [fqdn]: {
+        [userId]: {
+          identity: validIdentityToken,
+          applications: {},
+        },
+      },
+    }
+    expect(storeSessions).toBeCalledWith(expectedSessions)
     expect(got).toEqual(validTokens)
     await expect(getLastSeenUserIdAfterAuth()).resolves.toBe('1234-5678')
     await expect(getLastSeenAuthMethod()).resolves.toEqual('device_auth')
@@ -385,7 +378,7 @@ describe('when existing session is expired', () => {
 
     // Then
     expect(refreshAccessToken).toBeCalled()
-    expect(exchangeAccessForApplicationTokens).toBeCalled()
+    expect(exchangeAccessForApplicationTokens).not.toBeCalled()
     expect(businessPlatformRequest).toHaveBeenCalled()
     expect(storeSessions).toHaveBeenCalledOnce()
 
@@ -644,7 +637,15 @@ describe('ensureAuthenticated email fetch functionality', () => {
     const got = await ensureAuthenticated(defaultApplications)
 
     // Then
-    expect(storeSessions).toBeCalledWith(validSessions)
+    const expectedSessions = {
+      [fqdn]: {
+        [userId]: {
+          identity: validIdentityToken,
+          applications: {},
+        },
+      },
+    }
+    expect(storeSessions).toBeCalledWith(expectedSessions)
     expect(got).toEqual(validTokens)
   })
 
@@ -659,7 +660,15 @@ describe('ensureAuthenticated email fetch functionality', () => {
     // Then
     // The email fetch is not called during refresh - the session keeps its existing alias
     expect(businessPlatformRequest).not.toHaveBeenCalled()
-    expect(storeSessions).toBeCalledWith(validSessions)
+    const expectedSessions = {
+      [fqdn]: {
+        [userId]: {
+          identity: validIdentityToken,
+          applications: {},
+        },
+      },
+    }
+    expect(storeSessions).toBeCalledWith(expectedSessions)
     expect(got).toEqual(validTokens)
   })
 

packages/cli-kit/src/private/node/session.ts

@@ -1,10 +1,7 @@
-import {applicationId} from './session/identity.js'
 import {validateSession} from './session/validate.js'
-import {allDefaultScopes, apiScopes} from './session/scopes.js'
+import {allDefaultScopes} from './session/scopes.js'
 import {
-  exchangeAccessForApplicationTokens,
   exchangeCustomPartnerToken,
-  ExchangeScopes,
   refreshAccessToken,
   InvalidGrantError,
   InvalidRequestError,
@@ -293,8 +290,6 @@ The CLI is currently unable to prompt for reauthentication.`,
  */
 async function executeCompleteFlow(applications: OAuthApplications): Promise<Session> {
   const scopes = getFlattenScopes(applications)
-  const exchangeScopes = getExchangeScopes(applications)
-  const store = applications.adminApi?.storeFqdn
   if (firstPartyDev()) {
     outputDebug(outputContent`Authenticating as Shopify Employee...`)
     scopes.push('employee')
@@ -314,20 +309,18 @@ async function executeCompleteFlow(applications: OAuthApplications): Promise<Ses
     identityToken = await pollForDeviceAuthorization(deviceAuth.deviceCode, deviceAuth.interval)
   }
 
-  // Exchange identity token for application tokens
-  outputDebug(outputContent`CLI token received. Exchanging it for application tokens...`)
-  const result = await exchangeAccessForApplicationTokens(identityToken, exchangeScopes, store)
+  outputDebug(outputContent`CLI token received (PCAT). Using it directly for API access...`)
 
   // Get the alias for the session (email or userId)
-  const businessPlatformToken = result[applicationId('business-platform')]?.accessToken
-  const alias = (await fetchEmail(businessPlatformToken)) ?? identityToken.userId
+  // Use the PCAT identity token directly to fetch the email
+  const alias = (await fetchEmail(identityToken.accessToken)) ?? identityToken.userId
 
   const session: Session = {
     identity: {
       ...identityToken,
       alias,
     },
-    applications: result,
+    applications: {},
   }
 
   outputCompleted(`Logged in.`)
@@ -340,25 +333,19 @@ async function executeCompleteFlow(applications: OAuthApplications): Promise<Ses
  *
  * @param session - The session to refresh.
  */
-async function refreshTokens(session: Session, applications: OAuthApplications): Promise<Session> {
-  // Refresh Identity Token
+async function refreshTokens(session: Session, _applications: OAuthApplications): Promise<Session> {
+  // Refresh Identity Token (PCAT) - no exchange needed
   const identityToken = await refreshAccessToken(session.identity)
-  // Exchange new identity token for application tokens
-  const exchangeScopes = getExchangeScopes(applications)
-  const applicationTokens = await exchangeAccessForApplicationTokens(
-    identityToken,
-    exchangeScopes,
-    applications.adminApi?.storeFqdn,
-  )
 
   return {
     identity: identityToken,
-    applications: applicationTokens,
+    applications: {},
   }
 }
 
 /**
  * Get the application tokens for a given session.
+ * With PCAT, the identity token can be used directly for all APIs.
  *
  * @param applications - An object containing the applications we need the tokens for.
  * @param session - The current session.
@@ -369,33 +356,26 @@ async function tokensFor(applications: OAuthApplications, session: Session): Pro
     userId: session.identity.userId,
   }
 
+  const pcatToken = session.identity.accessToken
+
   if (applications.adminApi) {
-    const appId = applicationId('admin')
-    const realAppId = `${applications.adminApi.storeFqdn}-${appId}`
-    const token = session.applications[realAppId]?.accessToken
-    if (token) {
-      tokens.admin = {token, storeFqdn: applications.adminApi.storeFqdn}
-    }
+    tokens.admin = {token: pcatToken, storeFqdn: applications.adminApi.storeFqdn}
   }
 
   if (applications.partnersApi) {
-    const appId = applicationId('partners')
-    tokens.partners = session.applications[appId]?.accessToken
+    tokens.partners = pcatToken
   }
 
   if (applications.storefrontRendererApi) {
-    const appId = applicationId('storefront-renderer')
-    tokens.storefront = session.applications[appId]?.accessToken
+    tokens.storefront = pcatToken
   }
 
   if (applications.businessPlatformApi) {
-    const appId = applicationId('business-platform')
-    tokens.businessPlatform = session.applications[appId]?.accessToken
+    tokens.businessPlatform = pcatToken
   }
 
   if (applications.appManagementApi) {
-    const appId = applicationId('app-management')
-    tokens.appManagement = session.applications[appId]?.accessToken
+    tokens.appManagement = pcatToken
   }
 
   return tokens
@@ -418,27 +398,6 @@ function getFlattenScopes(apps: OAuthApplications): string[] {
   return allDefaultScopes(requestedScopes)
 }
 
-/**
- * Get the scopes for the given applications.
- *
- * @param apps - An object containing the applications we need the scopes for.
- * @returns An object containing the scopes for each application.
- */
-function getExchangeScopes(apps: OAuthApplications): ExchangeScopes {
-  const adminScope = apps.adminApi?.scopes ?? []
-  const partnerScope = apps.partnersApi?.scopes ?? []
-  const storefrontScopes = apps.storefrontRendererApi?.scopes ?? []
-  const businessPlatformScopes = apps.businessPlatformApi?.scopes ?? []
-  const appManagementScopes = apps.appManagementApi?.scopes ?? []
-  return {
-    admin: apiScopes('admin', adminScope),
-    partners: apiScopes('partners', partnerScope),
-    storefront: apiScopes('storefront-renderer', storefrontScopes),
-    businessPlatform: apiScopes('business-platform', businessPlatformScopes),
-    appManagement: apiScopes('app-management', appManagementScopes),
-  }
-}
-
 function buildIdentityTokenFromEnv(
   scopes: string[],
   identityTokenInformation: {accessToken: string; refreshToken: string; userId: string},

packages/cli-kit/src/private/node/session/exchange.ts

@@ -15,7 +15,7 @@ export class InvalidGrantError extends ExtendableError {}
 export class InvalidRequestError extends ExtendableError {}
 class InvalidTargetError extends AbortError {}
 
-export interface ExchangeScopes {
+interface ExchangeScopes {
   admin: string[]
   partners: string[]
   storefront: string[]

packages/ui-extensions-dev-console/package.json

@@ -26,7 +26,6 @@
   "devDependencies": {
     "@shopify/react-testing": "^3.0.0",
     "@shopify/ui-extensions-test-utils": "3.26.0",
-    "@types/qrcode.react": "^1.0.2",
     "@types/react": "16.14.0",
     "@types/react-dom": "^16.9.11",
     "@vitejs/plugin-react-refresh": "^1.3.6",