Merge pull request #6490 from Shopify/fix-token-refresh-on-bp

gonzaloriestra · web-flow · commit abed43c645d4 · 2025-10-08T08:59:05.000Z
Fix token refresh for Business Platform API
diff --git a/.changeset/tall-olives-tie.md b/.changeset/tall-olives-tie.md
@@ -0,0 +1,5 @@
+---
+'@shopify/app': patch
+---
+
+Fix automatic token refresh in some situations to avoid 401 errors
diff --git a/packages/app/src/cli/utilities/developer-platform-client.test.ts b/packages/app/src/cli/utilities/developer-platform-client.test.ts
@@ -2,7 +2,8 @@ import {createUnauthorizedHandler, DeveloperPlatformClient} from './developer-pl
 import {describe, expect, test, vi} from 'vitest'
 
 describe('createUnauthorizedHandler', () => {
-  const mockToken = 'mock-refreshed-token'
+  const mockAppManagementToken = 'mock-app-management-token'
+  const mockBusinessPlatformToken = 'mock-business-platform-token'
   const createMockClient = () => {
     let tokenRefreshPromise: Promise<string> | undefined
     return {
@@ -13,17 +14,21 @@ describe('createUnauthorizedHandler', () => {
       clearCurrentlyRefreshingToken: () => {
         tokenRefreshPromise = undefined
       },
-      unsafeRefreshToken: vi.fn().mockResolvedValue(mockToken),
+      unsafeRefreshToken: vi.fn().mockResolvedValue(mockAppManagementToken),
+      session: vi.fn().mockResolvedValue({
+        token: mockAppManagementToken,
+        businessPlatformToken: mockBusinessPlatformToken,
+      }),
     } as unknown as DeveloperPlatformClient
   }
 
-  test('refreshes token on first attempt', async () => {
+  test('refreshes token on first attempt and returns appManagement token by default', async () => {
     const mockClient = createMockClient()
     const handler = createUnauthorizedHandler(mockClient)
 
     const result = await handler.handler()
 
-    expect(result).toEqual({token: mockToken})
+    expect(result).toEqual({token: mockAppManagementToken})
     expect(mockClient.unsafeRefreshToken).toHaveBeenCalledTimes(1)
   })
 
@@ -35,7 +40,7 @@ describe('createUnauthorizedHandler', () => {
     handler.handler()
     const result = await handler.handler()
 
-    expect(result).toEqual({token: mockToken})
+    expect(result).toEqual({token: mockAppManagementToken})
     expect(mockClient.unsafeRefreshToken).toHaveBeenCalledTimes(1)
   })
 
@@ -51,4 +56,24 @@ describe('createUnauthorizedHandler', () => {
     // The following is evidence that the finally block is called correctly
     expect(mockClient.unsafeRefreshToken).toHaveBeenCalledTimes(2)
   })
+
+  test('returns businessPlatform token when tokenType is businessPlatform', async () => {
+    const mockClient = createMockClient()
+    const handler = createUnauthorizedHandler(mockClient, 'businessPlatform')
+
+    const result = await handler.handler()
+
+    expect(result).toEqual({token: mockBusinessPlatformToken})
+    expect(mockClient.unsafeRefreshToken).toHaveBeenCalledTimes(1)
+  })
+
+  test('returns default token when tokenType is default', async () => {
+    const mockClient = createMockClient()
+    const handler = createUnauthorizedHandler(mockClient, 'default')
+
+    const result = await handler.handler()
+
+    expect(result).toEqual({token: mockAppManagementToken})
+    expect(mockClient.unsafeRefreshToken).toHaveBeenCalledTimes(1)
+  })
 })
diff --git a/packages/app/src/cli/utilities/developer-platform-client.ts b/packages/app/src/cli/utilities/developer-platform-client.ts
@@ -296,24 +296,39 @@ export interface DeveloperPlatformClient {
 
 const inProgressRefreshes = new WeakMap<DeveloperPlatformClient, Promise<string>>()
 
-export function createUnauthorizedHandler(client: DeveloperPlatformClient): UnauthorizedHandler {
+/**
+ * Creates an unauthorized handler for a developer platform client that will refresh the token
+ * and return the appropriate token based on the token type.
+ * If the tokenType is 'businessPlatform', the handler will return the business platform token.
+ * Otherwise, it will return the default token (App Management API or Partners API).
+ * @param client - The developer platform client.
+ * @param tokenType - The type of token to return ('default' or 'businessPlatform')
+ * @returns The unauthorized handler.
+ */
+export function createUnauthorizedHandler(
+  client: DeveloperPlatformClient,
+  tokenType: 'default' | 'businessPlatform' = 'default',
+): UnauthorizedHandler {
   return {
     type: 'token_refresh',
     handler: async () => {
       let tokenRefresher = inProgressRefreshes.get(client)
       if (tokenRefresher) {
-        const token = await tokenRefresher
-        return {token}
+        await tokenRefresher
       } else {
         try {
           tokenRefresher = client.unsafeRefreshToken()
           inProgressRefreshes.set(client, tokenRefresher)
-          const token = await tokenRefresher
-          return {token}
+          await tokenRefresher
         } finally {
           inProgressRefreshes.delete(client)
         }
       }
+
+      // After refresh, get the appropriate token based on the request type
+      const session = await client.session()
+      const token = tokenType === 'businessPlatform' ? session.businessPlatformToken : session.token
+      return {token}
     },
   }
 }
diff --git a/packages/app/src/cli/utilities/developer-platform-client/app-management-client.ts b/packages/app/src/cli/utilities/developer-platform-client/app-management-client.ts
@@ -285,7 +285,7 @@ export class AppManagementClient implements DeveloperPlatformClient {
           cacheExtraKey: userId,
         },
         token: businessPlatformToken,
-        unauthorizedHandler: this.createUnauthorizedHandler(),
+        unauthorizedHandler: this.createUnauthorizedHandler('businessPlatform'),
       })
 
       if (getPartnersToken() && userInfoResult.currentUserAccount) {
@@ -1104,7 +1104,7 @@ export class AppManagementClient implements DeveloperPlatformClient {
     return businessPlatformRequestDoc({
       ...options,
       token: await this.businessPlatformToken(),
-      unauthorizedHandler: this.createUnauthorizedHandler(),
+      unauthorizedHandler: this.createUnauthorizedHandler('businessPlatform'),
     })
   }
 
@@ -1114,7 +1114,7 @@ export class AppManagementClient implements DeveloperPlatformClient {
     return businessPlatformOrganizationsRequestDoc({
       ...options,
       token: await this.businessPlatformToken(),
-      unauthorizedHandler: this.createUnauthorizedHandler(),
+      unauthorizedHandler: this.createUnauthorizedHandler('businessPlatform'),
     })
   }
 
@@ -1138,8 +1138,8 @@ export class AppManagementClient implements DeveloperPlatformClient {
     })
   }
 
-  private createUnauthorizedHandler(): UnauthorizedHandler {
-    return createUnauthorizedHandler(this)
+  private createUnauthorizedHandler(tokenType: 'default' | 'businessPlatform' = 'default'): UnauthorizedHandler {
+    return createUnauthorizedHandler(this, tokenType)
   }
 }
 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@shopify/app': patch
 +---
++
 +Fix automatic token refresh in some situations to avoid 401 errors