Disable app management when using a Partners CLI token

Otherwise we hit permissions issues.

Author: amcaplan

packages/app/src/cli/utilities/developer-platform-client.ts

@@ -55,6 +55,7 @@ import {
 import {DevSessionCreateMutation} from '../api/graphql/app-dev/generated/dev-session-create.js'
 import {DevSessionUpdateMutation} from '../api/graphql/app-dev/generated/dev-session-update.js'
 import {DevSessionDeleteMutation} from '../api/graphql/app-dev/generated/dev-session-delete.js'
+import {isAppManagementDisabled} from '@shopify/cli-kit/node/context/local'
 
 export enum ClientName {
   AppManagement = 'app-management',
@@ -76,8 +77,7 @@ export interface AppVersionIdentifiers {
 }
 
 export function allDeveloperPlatformClients(): DeveloperPlatformClient[] {
-  const clients: DeveloperPlatformClient[] = [new PartnersClient(), new AppManagementClient()]
-  return clients
+  return isAppManagementDisabled() ? [new PartnersClient()] : [new PartnersClient(), new AppManagementClient()]
 }
 
 /**
@@ -116,6 +116,7 @@ export function selectDeveloperPlatformClient({
   configuration,
   organization,
 }: SelectDeveloperPlatformClientOptions = {}): DeveloperPlatformClient {
+  if (isAppManagementDisabled()) return new PartnersClient()
   if (organization) return selectDeveloperPlatformClientByOrg(organization)
   return selectDeveloperPlatformClientByConfig(configuration)
 }

packages/cli-kit/src/private/node/session/exchange.test.ts

@@ -63,12 +63,9 @@ describe('exchange identity token for application tokens', () => {
     // Then
     const expected = {
       'app-management': {
-        accessToken: "access_token",
+        accessToken: 'access_token',
         expiresAt: expiredDate,
-        scopes: [
-          "scope",
-          "scope2",
-        ],
+        scopes: ['scope', 'scope2'],
       },
       partners: {
         accessToken: 'access_token',
@@ -111,12 +108,9 @@ describe('exchange identity token for application tokens', () => {
     // Then
     const expected = {
       'app-management': {
-        accessToken: "access_token",
+        accessToken: 'access_token',
         expiresAt: expiredDate,
-        scopes: [
-          "scope",
-          "scope2",
-        ],
+        scopes: ['scope', 'scope2'],
       },
       partners: {
         accessToken: 'access_token',

packages/cli-kit/src/private/node/session/exchange.ts

@@ -5,6 +5,7 @@ import {identityFqdn} from '../../../public/node/context/fqdn.js'
 import {shopifyFetch} from '../../../public/node/http.js'
 import {err, ok, Result} from '../../../public/node/result.js'
 import {AbortError, BugError, ExtendableError} from '../../../public/node/error.js'
+import {isAppManagementDisabled} from '../../../public/node/context/local.js'
 import {setLastSeenAuthMethod, setLastSeenUserIdAfterAuth} from '../session.js'
 import * as jose from 'jose'
 import {nonRandomUUID} from '@shopify/cli-kit/node/crypto'
@@ -39,7 +40,7 @@ export async function exchangeAccessForApplicationTokens(
     requestAppToken('storefront-renderer', token, scopes.storefront),
     requestAppToken('business-platform', token, scopes.businessPlatform),
     store ? requestAppToken('admin', token, scopes.admin, store) : {},
-    requestAppToken('app-management', token, scopes.appManagement),
+    isAppManagementDisabled() ? {} : requestAppToken('app-management', token, scopes.appManagement),
   ])
 
   return {

packages/cli-kit/src/public/node/context/local.test.ts

@@ -7,13 +7,16 @@ import {
   analyticsDisabled,
   cloudEnvironment,
   macAddress,
+  isAppManagementDisabled,
 } from './local.js'
+import {getPartnersToken} from '../environment.js'
 import {fileExists} from '../fs.js'
 import {exec} from '../system.js'
 import {expect, describe, vi, test} from 'vitest'
 
 vi.mock('../fs.js')
 vi.mock('../system.js')
+vi.mock('../environment.js')
 
 describe('isUnitTest', () => {
   test('returns true when SHOPIFY_UNIT_TEST is truthy', () => {
@@ -99,6 +102,30 @@ describe('hasGit', () => {
   })
 })
 
+describe('isAppManagementDisabled', () => {
+  test('returns true when a Partners token is present', () => {
+    // Given
+    vi.mocked(getPartnersToken).mockReturnValue('token')
+
+    // When
+    const got = isAppManagementDisabled()
+
+    // Then
+    expect(got).toBe(true)
+  })
+
+  test('returns false when a Partners token is not present', () => {
+    // Given
+    vi.mocked(getPartnersToken).mockReturnValue(undefined)
+
+    // When
+    const got = isAppManagementDisabled()
+
+    // Then
+    expect(got).toBe(false)
+  })
+})
+
 describe('analitycsDisabled', () => {
   test('returns true when SHOPIFY_CLI_NO_ANALYTICS is truthy', () => {
     // Given

packages/cli-kit/src/public/node/context/local.ts

@@ -4,6 +4,7 @@ import {getCIMetadata, isSet, Metadata} from '../../../private/node/context/util
 import {environmentVariables, pathConstants} from '../../../private/node/constants.js'
 import {fileExists} from '../fs.js'
 import {exec} from '../system.js'
+import {getPartnersToken} from '../environment.js'
 import isInteractive from 'is-interactive'
 import macaddress from 'macaddress'
 import {homedir} from 'os'
@@ -46,6 +47,16 @@ export function isVerbose(env = process.env): boolean {
   return isTruthy(env[environmentVariables.verbose]) || process.argv.includes('--verbose')
 }
 
+/**
+ * It returns true if the App Management API is disabled.
+ * This should only be relevant when using a Partners token.
+ *
+ * @returns True if the App Management API is disabled.
+ */
+export function isAppManagementDisabled(): boolean {
+  return Boolean(getPartnersToken())
+}
+
 /**
  * Returns true if the environment in which the CLI is running is either
  * a local environment (where dev is present) or a cloud environment (spin).