Allow not checking session token aud field

Shopify · Aug 3, 2023 · 6148967 · 6148967
1 parent 52976cf
commit 6148967
Show file tree

Hide file tree

Showing 5 changed files with 61 additions and 3 deletions.
diff --git a/.changeset/brown-hounds-suffer.md b/.changeset/brown-hounds-suffer.md
@@ -0,0 +1,5 @@
+---
+'@shopify/shopify-api': patch
+---
+
+Allow not checking a session token payload's `aud` field to support tokens generated outside of the Shopify Admin.
diff --git a/.github/workflows/markdown_link_checker_config.json b/.github/workflows/markdown_link_checker_config.json
@@ -1,4 +1,12 @@
 {
   "retryOn429": true,
-  "fallbackRetryDelay": "1s"
+  "fallbackRetryDelay": "1s",
+  "httpHeaders": [
+    {
+      "urls": ["https://help.shopify.com"],
+      "headers": {
+        "Cookie": "new_help=1"
+      }
+    }
+  ]
 }
diff --git a/docs/reference/session/decodeSessionToken.md b/docs/reference/session/decodeSessionToken.md
@@ -22,6 +22,19 @@ app.get('/fetch-some-data', async (req, res) => {
 
 The token to parse.
 
+### options
+
+`Object`
+
+An object that allows the following fields:
+
+#### checkAudience
+
+`boolean` | Defaults to `true`
+
+Whether the method should check the `aud` field in the decoded payload.
+This should always be set to `true` if the token is coming from the Shopify Admin.
+
 ## Return
 
 `Promise<JwtPayload>`

diff --git a/lib/session/__tests__/decode-session-token.test.ts b/lib/session/__tests__/decode-session-token.test.ts
@@ -65,4 +65,29 @@ describe('JWT session token', () => {
       ShopifyErrors.InvalidJwtError,
     );
   });
+
+  test("doesn't fail on a mismatching API key when not checking the token's audience", async () => {
+    shopify.config.apiKey = 'something_else';
+
+    // The token is signed with a key that is not the current value
+    const token = await signJWT(shopify.config.apiSecretKey, payload);
+
+    const actualPayload = await shopify.session.decodeSessionToken(token, {
+      checkAudience: false,
+    });
+    expect(actualPayload).toStrictEqual(payload);
+  });
+
+  test("doesn't fail on a missing aud field when not checking the token's audience", async () => {
+    const payloadWithoutAud = {...payload};
+    delete (payloadWithoutAud as any).aud;
+
+    // The token is signed with a key that is not the current value
+    const token = await signJWT(shopify.config.apiSecretKey, payload);
+
+    const actualPayload = await shopify.session.decodeSessionToken(token, {
+      checkAudience: false,
+    });
+    expect(actualPayload).toStrictEqual(payload);
+  });
 });
diff --git a/lib/session/decode-session-token.ts b/lib/session/decode-session-token.ts
@@ -8,8 +8,15 @@ import {JwtPayload} from './types';
 
 const JWT_PERMITTED_CLOCK_TOLERANCE = 10;
 
+export interface DecodeSessionTokenOptions {
+  checkAudience?: boolean;
+}
+
 export function decodeSessionToken(config: ConfigInterface) {
-  return async (token: string): Promise<JwtPayload> => {
+  return async (
+    token: string,
+    {checkAudience = true}: DecodeSessionTokenOptions = {},
+  ): Promise<JwtPayload> => {
     let payload: JwtPayload;
     try {
       payload = (
@@ -26,7 +33,7 @@ export function decodeSessionToken(config: ConfigInterface) {
 
     // The exp and nbf fields are validated by the JWT library
 
-    if (payload.aud !== config.apiKey) {
+    if (checkAudience && payload.aud !== config.apiKey) {
       throw new ShopifyErrors.InvalidJwtError(
         'Session token had invalid API key',
       );