prototype identity client segmentation

Author: alexanderMontague

packages/app/tsconfig.json

@@ -1,6 +1,6 @@
 {
   "extends": "../../configurations/tsconfig.json",
-  "include": ["./src/**/*.ts", "./src/**/*.js", "./src/**/*.tsx"],
+  "include": ["./src/**/*.ts", "./src/**/*.js", "./src/**/*.tsx", "../cli-kit/src/public/node/api/identity-client.ts"],
   "exclude": ["./dist", "./src/templates/**/*"],
   "compilerOptions": {
     "outDir": "dist",

packages/cli-kit/src/private/node/session.test.ts

@@ -18,7 +18,7 @@ import {store as storeSessions, fetch as fetchSessions, remove as secureRemove}
 import {ApplicationToken, IdentityToken, Sessions} from './session/schema.js'
 import {validateSession} from './session/validate.js'
 import {applicationId} from './session/identity.js'
-import {pollForDeviceAuthorization, requestDeviceAuthorization} from './session/device-authorization.js'
+import {pollForDeviceAuthorization} from './session/device-authorization.js'
 import {getCurrentSessionId} from './conf-store.js'
 import * as fqdnModule from '../../public/node/context/fqdn.js'
 import {themeToken} from '../../public/node/context/local.js'
@@ -27,6 +27,7 @@ import {businessPlatformRequest} from '../../public/node/api/business-platform.j
 import {getPartnersToken} from '../../public/node/environment.js'
 import {nonRandomUUID} from '../../public/node/crypto.js'
 import {terminalSupportsPrompting} from '../../public/node/system.js'
+import {ProdIC} from '../../public/node/api/identity-client.js'
 import {vi, describe, expect, test, beforeEach} from 'vitest'
 
 const futureDate = new Date(2022, 1, 1, 11)
@@ -119,6 +120,7 @@ vi.mock('../../public/node/environment.js')
 vi.mock('./session/device-authorization')
 vi.mock('./conf-store')
 vi.mock('../../public/node/system.js')
+vi.mock('../../public/node/api/identity-client.js')
 
 beforeEach(() => {
   vi.spyOn(fqdnModule, 'identityFqdn').mockResolvedValue(fqdn)
@@ -134,7 +136,7 @@ beforeEach(() => {
   setLastSeenUserIdAfterAuth(undefined as any)
   setLastSeenAuthMethod('none')
 
-  vi.mocked(requestDeviceAuthorization).mockResolvedValue({
+  vi.mocked(ProdIC.requestDeviceAuthorization).mockResolvedValue({
     deviceCode: 'device_code',
     userCode: 'user_code',
     verificationUri: 'verification_uri',

packages/cli-kit/src/private/node/session.ts

@@ -11,7 +11,6 @@ import {
 } from './session/exchange.js'
 import {IdentityToken, Session, Sessions} from './session/schema.js'
 import * as sessionStore from './session/store.js'
-import {pollForDeviceAuthorization, requestDeviceAuthorization} from './session/device-authorization.js'
 import {isThemeAccessSession} from './api/rest.js'
 import {getCurrentSessionId, setCurrentSessionId} from './conf-store.js'
 import {UserEmailQueryString, UserEmailQuery} from './api/graphql/business-platform-destinations/user-email.js'
@@ -25,6 +24,8 @@ import {nonRandomUUID} from '../../public/node/crypto.js'
 import {isEmpty} from '../../public/common/object.js'
 import {businessPlatformRequest} from '../../public/node/api/business-platform.js'
 
+import {getIdentityClient} from '../../public/node/api/identity-client.js'
+
 /**
  * Fetches the user's email from the Business Platform API
  * @param businessPlatformToken - The business platform token
@@ -308,11 +309,12 @@ async function executeCompleteFlow(applications: OAuthApplications): Promise<Ses
   } else {
     // Request a device code to authorize without a browser redirect.
     outputDebug(outputContent`Requesting device authorization code...`)
-    const deviceAuth = await requestDeviceAuthorization(scopes)
+    const client = getIdentityClient()
+    const deviceAuth = await client.requestDeviceAuthorization(scopes)
 
     // Poll for the identity token
     outputDebug(outputContent`Starting polling for the identity token...`)
-    identityToken = await pollForDeviceAuthorization(deviceAuth.deviceCode, deviceAuth.interval)
+    identityToken = await client.pollForDeviceAuthorization(deviceAuth)
   }
 
   // Exchange identity token for application tokens

packages/cli-kit/src/private/node/session/device-authorization.test.ts

@@ -1,9 +1,8 @@
 import {
   DeviceAuthorizationResponse,
   pollForDeviceAuthorization,
-  requestDeviceAuthorization,
 } from './device-authorization.js'
-import {clientId} from './identity.js'
+import {clientId, ProdIC} from '../../../public/node/api/identity-client.js'
 import {IdentityToken} from './schema.js'
 import {exchangeDeviceCodeForAccessToken} from './exchange.js'
 import {identityFqdn} from '../../../public/node/context/fqdn.js'
@@ -20,6 +19,7 @@ vi.mock('../../../public/node/http.js')
 vi.mock('../../../public/node/ui.js')
 vi.mock('./exchange.js')
 vi.mock('../../../public/node/system.js')
+vi.mock('../../../public/node/api/identity-client.js')
 
 beforeEach(() => {
   vi.mocked(isTTY).mockReturnValue(true)
@@ -53,7 +53,7 @@ describe('requestDeviceAuthorization', () => {
     vi.mocked(clientId).mockReturnValue('clientId')
 
     // When
-    const got = await requestDeviceAuthorization(['scope1', 'scope2'])
+    const got = await ProdIC.requestDeviceAuthorization(['scope1', 'scope2'])
 
     // Then
     expect(shopifyFetch).toBeCalledWith('https://fqdn.com/oauth/device_authorization', {
@@ -74,7 +74,7 @@ describe('requestDeviceAuthorization', () => {
     vi.mocked(clientId).mockReturnValue('clientId')
 
     // When/Then
-    await expect(requestDeviceAuthorization(['scope1', 'scope2'])).rejects.toThrowError(
+    await expect(ProdIC.requestDeviceAuthorization(['scope1', 'scope2'])).rejects.toThrowError(
       'Received invalid response from authorization service (HTTP 200). Response could not be parsed as valid JSON. If this issue persists, please contact support at https://help.shopify.com',
     )
   })
@@ -89,7 +89,7 @@ describe('requestDeviceAuthorization', () => {
     vi.mocked(clientId).mockReturnValue('clientId')
 
     // When/Then
-    await expect(requestDeviceAuthorization(['scope1', 'scope2'])).rejects.toThrowError(
+    await expect(ProdIC.requestDeviceAuthorization(['scope1', 'scope2'])).rejects.toThrowError(
       'Received invalid response from authorization service (HTTP 200). Received empty response body. If this issue persists, please contact support at https://help.shopify.com',
     )
   })
@@ -105,7 +105,7 @@ describe('requestDeviceAuthorization', () => {
     vi.mocked(clientId).mockReturnValue('clientId')
 
     // When/Then
-    await expect(requestDeviceAuthorization(['scope1', 'scope2'])).rejects.toThrowError(
+    await expect(ProdIC.requestDeviceAuthorization(['scope1', 'scope2'])).rejects.toThrowError(
       'Received invalid response from authorization service (HTTP 404). The request may be malformed or unauthorized. Received HTML instead of JSON - the service endpoint may have changed. If this issue persists, please contact support at https://help.shopify.com',
     )
   })
@@ -120,7 +120,7 @@ describe('requestDeviceAuthorization', () => {
     vi.mocked(clientId).mockReturnValue('clientId')
 
     // When/Then
-    await expect(requestDeviceAuthorization(['scope1', 'scope2'])).rejects.toThrowError(
+    await expect(ProdIC.requestDeviceAuthorization(['scope1', 'scope2'])).rejects.toThrowError(
       'Received invalid response from authorization service (HTTP 500). The service may be experiencing issues. Response could not be parsed as valid JSON. If this issue persists, please contact support at https://help.shopify.com',
     )
   })
@@ -137,7 +137,7 @@ describe('requestDeviceAuthorization', () => {
     vi.mocked(clientId).mockReturnValue('clientId')
 
     // When/Then
-    await expect(requestDeviceAuthorization(['scope1', 'scope2'])).rejects.toThrowError(
+    await expect(ProdIC.requestDeviceAuthorization(['scope1', 'scope2'])).rejects.toThrowError(
       'Failed to read response from authorization service (HTTP 200). Network or streaming error occurred.',
     )
   })

packages/cli-kit/src/private/node/session/device-authorization.ts

@@ -1,15 +1,3 @@
-import {clientId} from './identity.js'
-import {exchangeDeviceCodeForAccessToken} from './exchange.js'
-import {IdentityToken} from './schema.js'
-import {identityFqdn} from '../../../public/node/context/fqdn.js'
-import {shopifyFetch} from '../../../public/node/http.js'
-import {outputContent, outputDebug, outputInfo, outputToken} from '../../../public/node/output.js'
-import {AbortError, BugError} from '../../../public/node/error.js'
-import {isCloudEnvironment} from '../../../public/node/context/local.js'
-import {isCI, openURL} from '../../../public/node/system.js'
-import {isTTY, keypress} from '../../../public/node/ui.js'
-import {Response} from 'node-fetch'
-
 export interface DeviceAuthorizationResponse {
   deviceCode: string
   userCode: string
@@ -19,179 +7,4 @@ export interface DeviceAuthorizationResponse {
   interval?: number
 }
 
-/**
- * Initiate a device authorization flow.
- * This will return a DeviceAuthorizationResponse containing the URL where user
- * should go to authorize the device without the need of a callback to the CLI.
- *
- * Also returns a `deviceCode` used for polling the token endpoint in the next step.
- *
- * @param scopes - The scopes to request
- * @returns An object with the device authorization response.
- */
-export async function requestDeviceAuthorization(scopes: string[]): Promise<DeviceAuthorizationResponse> {
-  const fqdn = await identityFqdn()
-  const identityClientId = clientId()
-  const queryParams = {client_id: identityClientId, scope: scopes.join(' ')}
-  const url = `https://${fqdn}/oauth/device_authorization`
-
-  const response = await shopifyFetch(url, {
-    method: 'POST',
-    headers: {'Content-type': 'application/x-www-form-urlencoded'},
-    body: convertRequestToParams(queryParams),
-  })
-
-  // First read the response body as text so we have it for debugging
-  let responseText: string
-  try {
-    responseText = await response.text()
-  } catch (error) {
-    throw new BugError(
-      `Failed to read response from authorization service (HTTP ${response.status}). Network or streaming error occurred.`,
-      'Check your network connection and try again.',
-    )
-  }
-
-  // Now try to parse the text as JSON
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  let jsonResult: any
-  try {
-    jsonResult = JSON.parse(responseText)
-  } catch {
-    // JSON.parse failed, handle the parsing error
-    const errorMessage = buildAuthorizationParseErrorMessage(response, responseText)
-    throw new BugError(errorMessage)
-  }
-
-  outputDebug(outputContent`Received device authorization code: ${outputToken.json(jsonResult)}`)
-  if (!jsonResult.device_code || !jsonResult.verification_uri_complete) {
-    throw new BugError('Failed to start authorization process')
-  }
-
-  outputInfo('\nTo run this command, log in to Shopify.')
-
-  if (isCI()) {
-    throw new AbortError(
-      'Authorization is required to continue, but the current environment does not support interactive prompts.',
-      'To resolve this, specify credentials in your environment, or run the command in an interactive environment such as your local terminal.',
-    )
-  }
-
-  outputInfo(outputContent`User verification code: ${jsonResult.user_code}`)
-  const linkToken = outputToken.link(jsonResult.verification_uri_complete)
-
-  const cloudMessage = () => {
-    outputInfo(outputContent`👉 Open this link to start the auth process: ${linkToken}`)
-  }
-
-  if (isCloudEnvironment() || !isTTY()) {
-    cloudMessage()
-  } else {
-    outputInfo('👉 Press any key to open the login page on your browser')
-    await keypress()
-    const opened = await openURL(jsonResult.verification_uri_complete)
-    if (opened) {
-      outputInfo(outputContent`Opened link to start the auth process: ${linkToken}`)
-    } else {
-      cloudMessage()
-    }
-  }
-
-  return {
-    deviceCode: jsonResult.device_code,
-    userCode: jsonResult.user_code,
-    verificationUri: jsonResult.verification_uri,
-    expiresIn: jsonResult.expires_in,
-    verificationUriComplete: jsonResult.verification_uri_complete,
-    interval: jsonResult.interval,
-  }
-}
-
-/**
- * Poll the Oauth token endpoint with the device code obtained from a DeviceAuthorizationResponse.
- * The endpoint will return `authorization_pending` until the user completes the auth flow in the browser.
- * Once the user completes the auth flow, the endpoint will return the identity token.
- *
- * Timeout for the polling is defined by the server and is around 600 seconds.
- *
- * @param code - The device code obtained after starting a device identity flow
- * @param interval - The interval to poll the token endpoint
- * @returns The identity token
- */
-export async function pollForDeviceAuthorization(code: string, interval = 5): Promise<IdentityToken> {
-  let currentIntervalInSeconds = interval
-
-  return new Promise<IdentityToken>((resolve, reject) => {
-    const onPoll = async () => {
-      const result = await exchangeDeviceCodeForAccessToken(code)
-      if (!result.isErr()) {
-        resolve(result.value)
-        return
-      }
-
-      const error = result.error ?? 'unknown_failure'
-
-      outputDebug(outputContent`Polling for device authorization... status: ${error}`)
-      switch (error) {
-        case 'authorization_pending': {
-          startPolling()
-          return
-        }
-        case 'slow_down':
-          currentIntervalInSeconds += 5
-          startPolling()
-          return
-        case 'access_denied':
-        case 'expired_token':
-        case 'unknown_failure': {
-          reject(new Error(`Device authorization failed: ${error}`))
-        }
-      }
-    }
-
-    const startPolling = () => {
-      // eslint-disable-next-line @typescript-eslint/no-misused-promises
-      setTimeout(onPoll, currentIntervalInSeconds * 1000)
-    }
-
-    startPolling()
-  })
-}
-
-function convertRequestToParams(queryParams: {client_id: string; scope: string}): string {
-  return Object.entries(queryParams)
-    .map(([key, value]) => value && `${key}=${value}`)
-    .filter((hasValue) => Boolean(hasValue))
-    .join('&')
-}
-
-/**
- * Build a detailed error message for JSON parsing failures from the authorization service.
- * Provides context-specific error messages based on response status and content.
- *
- * @param response - The HTTP response object
- * @param responseText - The raw response body text
- * @returns Detailed error message about the failure
- */
-function buildAuthorizationParseErrorMessage(response: Response, responseText: string): string {
-  // Build helpful error message based on response status and content
-  let errorMessage = `Received invalid response from authorization service (HTTP ${response.status}).`
-
-  // Add status-based context
-  if (response.status >= 500) {
-    errorMessage += ' The service may be experiencing issues.'
-  } else if (response.status >= 400) {
-    errorMessage += ' The request may be malformed or unauthorized.'
-  }
-
-  // Add content-based context (check these regardless of status)
-  if (responseText.trim().startsWith('<!DOCTYPE') || responseText.trim().startsWith('<html')) {
-    errorMessage += ' Received HTML instead of JSON - the service endpoint may have changed.'
-  } else if (responseText.trim() === '') {
-    errorMessage += ' Received empty response body.'
-  } else {
-    errorMessage += ' Response could not be parsed as valid JSON.'
-  }
-
-  return `${errorMessage} If this issue persists, please contact support at https://help.shopify.com`
-}
+// export async function pollForDeviceAuthorization(code: string, interval = 5): Promise<IdentityToken> {}

packages/cli-kit/src/private/node/session/exchange.test.ts

@@ -8,7 +8,8 @@ import {
   refreshAccessToken,
   requestAppToken,
 } from './exchange.js'
-import {applicationId, clientId} from './identity.js'
+import {applicationId} from './identity.js'
+import {clientId} from '../../../public/node/api/identity-client.js'
 import {IdentityToken} from './schema.js'
 import {shopifyFetch} from '../../../public/node/http.js'
 import {identityFqdn} from '../../../public/node/context/fqdn.js'