Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle error cases for embedded apps using token exchange strategy #532

Merged
merged 6 commits into from
Dec 13, 2023
Merged

Handle error cases for embedded apps using token exchange strategy #532

merged 6 commits into from
Dec 13, 2023

Conversation

rezaansyed
Copy link
Contributor

@rezaansyed rezaansyed commented Dec 11, 2023
edited
Loading

WHY are these changes introduced?

Fixes https://github.com/Shopify/develop-app-access/issues/135 & https://github.com/Shopify/develop-app-access/issues/136

WHAT is this pull request doing?

  • Handles invalid session token errors on request
    • Document request: redirect to bounce page
    • XHR: 401 with App Bridge retry request header
  • Handles invalid subject token error on token exchange
    • Document request: redirect to bounce page
    • XHR: 401 with App Bridge retry request header
  • Handles invalid access token on API request
    • Document request: Delete the access token and redirect to bounce page (which eventually triggers token exchange)
    • XHR: Delete access token and return 401 without App Bridge retry header (since part of the request may already have been processed).

Type of change

  • Patch: Bug (non-breaking change which fixes an issue)
  • Minor: New feature (non-breaking change which adds functionality)
  • Major: Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • I have used yarn changeset to create a draft changelog entry (do NOT update the CHANGELOG.md files manually)
  • I have added/updated tests for this change
  • I have documented new APIs/updated the documentation for modified APIs (for public APIs)

@rezaansyed rezaansyed force-pushed the add-handle-client-error-token-exchange branch 2 times, most recently from e471df0 to 9a1ecf8 Compare December 11, 2023 21:05
@rezaansyed rezaansyed force-pushed the add-handle-client-error-token-exchange branch from 9a1ecf8 to 34e1752 Compare December 11, 2023 21:06
@rezaansyed rezaansyed marked this pull request as ready for review December 11, 2023 21:52
@rezaansyed rezaansyed requested a review from a team as a code owner December 11, 2023 21:52
@rezaansyed rezaansyed changed the title Add handle client error token exchange Handle error cases for embedded apps using token exchange strategy Dec 11, 2023
paulomarg
paulomarg reviewed Dec 12, 2023
View reviewed changes
packages/shopify-app-remix/src/server/authenticate/admin/strategies/token-exchange.ts Outdated

config.sessionStorage.deleteSession(session.id);

respondToInvalidSessionToken({
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be throwing?

packages/shopify-app-remix/src/server/authenticate/admin/authenticate.ts Outdated
request,
session,
params,
authStrategy,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the solution of having the strategy determine how we handle errors, but I'm a little on the fence about passing in the entire auth strategy as a parameter for creating the context, it feels like we're mixing concerns a little bit.

What if, instead of passing the strategy in to handleClientErrorFactory, we have the strategy export its own flavour of handleClientErrorFactory, something like

  public async handleClientError({
    request,
    session,
  }: StrategyHandleClientErrorOptions): Promise<HandleAdminClientError> {
    const {config, api, logger} = this;
    return handleClientErrorFactory({
      onError: // Do token exchange things
    });
  }

That way, each strategy can determine how it handles the errors and they all subscribe to a common interface without the strategy having to be shared around.

IIRC handleClientErrorFactory is pretty much tied to the strategy already anyway, so it shouldn't really affect anything else. Perhaps it makes more sense for the strategy to just export a callback for its own error handling.

Does that sound sensible?

@rezaansyed rezaansyed force-pushed the feature/token-exchange branch from 8e7c99c to cd99a7a Compare December 12, 2023 16:01
@rezaansyed rezaansyed force-pushed the add-handle-client-error-token-exchange branch from 1d91f9e to 3fc0466 Compare December 13, 2023 01:09
@rezaansyed rezaansyed merged commit d2a7613 into feature/token-exchange Dec 13, 2023
10 checks passed
@rezaansyed rezaansyed deleted the add-handle-client-error-token-exchange branch December 13, 2023 15:57
@rezaansyed rezaansyed mentioned this pull request Jan 17, 2024
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paulomarg paulomarg paulomarg approved these changes

Assignees

@rachel-carvalho rachel-carvalho

@rezaansyed rezaansyed

Labels
#gsd:35360
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rezaansyed @paulomarg @rachel-carvalho