Merge pull request #5340 from Shopify/02-03-dont_introspect_token_if_already_expired

isaacroldan · web-flow · commit 336fcb8b7c67 · 2025-02-04T09:34:51.000Z
Dont introspect token if already expired
diff --git a/packages/cli-kit/src/private/node/session/validate.test.ts b/packages/cli-kit/src/private/node/session/validate.test.ts
@@ -167,6 +167,7 @@ describe('validateSession', () => {
 
     // Then
     expect(got).toBe('needs_refresh')
+    expect(validateIdentityToken).not.toHaveBeenCalled()
   })
 
   test('returns needs_refresh if requesting partners and is expired', async () => {
@@ -184,6 +185,7 @@ describe('validateSession', () => {
 
     // Then
     expect(got).toBe('needs_refresh')
+    expect(validateIdentityToken).not.toHaveBeenCalled()
   })
 
   test('returns needs_refresh if requesting storefront and is expired', async () => {
@@ -201,6 +203,7 @@ describe('validateSession', () => {
 
     // Then
     expect(got).toBe('needs_refresh')
+    expect(validateIdentityToken).not.toHaveBeenCalled()
   })
 
   test('returns needs_refresh if requesting admin and is expired', async () => {
@@ -218,6 +221,7 @@ describe('validateSession', () => {
 
     // Then
     expect(got).toBe('needs_refresh')
+    expect(validateIdentityToken).not.toHaveBeenCalled()
   })
 
   test('returns needs_refresh if session does not include requested store', async () => {
@@ -235,5 +239,6 @@ describe('validateSession', () => {
 
     // Then
     expect(got).toBe('needs_refresh')
+    expect(validateIdentityToken).not.toHaveBeenCalled()
   })
 })
diff --git a/packages/cli-kit/src/private/node/session/validate.ts b/packages/cli-kit/src/private/node/session/validate.ts
@@ -3,9 +3,9 @@ import {applicationId} from './identity.js'
 import {ApplicationToken, IdentityToken, validateCachedIdentityTokenStructure} from './schema.js'
 import {validateIdentityToken} from './identity-token-validation.js'
 import {sessionConstants} from '../constants.js'
-import {outputDebug} from '../../../public/node/output.js'
 import {firstPartyDev} from '../../../public/node/context/local.js'
 import {OAuthApplications} from '../session.js'
+import {outputDebug} from '@shopify/cli-kit/node/output'
 
 type ValidationResult = 'needs_refresh' | 'needs_full_auth' | 'ok'
 
@@ -35,7 +35,6 @@ export async function validateSession(
 ): Promise<ValidationResult> {
   if (!session) return 'needs_full_auth'
   const scopesAreValid = validateScopes(scopes, session.identity)
-  const identityIsValid = await validateIdentityToken(session.identity.accessToken)
   if (!scopesAreValid) return 'needs_full_auth'
   let tokensAreExpired = isTokenExpired(session.identity)
 
@@ -64,18 +63,18 @@ export async function validateSession(
     tokensAreExpired = tokensAreExpired || isTokenExpired(token)
   }
 
-  outputDebug(`
-The validation of the token for application/identity completed with the following results:
-- It's expired: ${tokensAreExpired}
-- It's invalid in identity: ${!identityIsValid}
-  `)
+  outputDebug(`- Token validation -> It's expired: ${tokensAreExpired}`)
 
   if (!validateCachedIdentityTokenStructure(session.identity)) {
     return 'needs_full_auth'
   }
 
   if (tokensAreExpired) return 'needs_refresh'
+
+  const identityIsValid = await validateIdentityToken(session.identity.accessToken)
+  outputDebug(`- Token validation -> It's invalid in identity: ${!identityIsValid}`)
   if (!identityIsValid) return 'needs_full_auth'
+
   return 'ok'
 }
 
