Merge pull request #6148 from Shopify/migration-to-essentials-cookie

Handles migration of storefront_digest to essentials cookie

Author: tsov

.changeset/six-masks-jump.md

@@ -0,0 +1,5 @@
+---
+'@shopify/theme': minor
+---
+
+Uses \_shopify_essential cookie for storefront authentication

packages/theme/src/cli/utilities/theme-environment/dev-server-session.ts

@@ -94,7 +94,7 @@ export async function getStorefrontSessionCookiesWithVerification(
   storefrontPassword?: string,
 ): Promise<{[key: string]: string}> {
   try {
-    return await getStorefrontSessionCookies(storeUrl, themeId, storefrontPassword, {
+    return await getStorefrontSessionCookies(storeUrl, adminSession.storeFqdn, themeId, storefrontPassword, {
       'X-Shopify-Shop': adminSession.storeFqdn,
       'X-Shopify-Access-Token': adminSession.token,
       Authorization: `Bearer ${storefrontToken}`,

packages/theme/src/cli/utilities/theme-environment/storefront-session.test.ts

@@ -9,6 +9,7 @@ import {shopifyFetch} from '@shopify/cli-kit/node/http'
 import {AbortError} from '@shopify/cli-kit/node/error'
 import {passwordProtected} from '@shopify/cli-kit/node/themes/api'
 import {type AdminSession} from '@shopify/cli-kit/node/session'
+import {getThemeKitAccessDomain} from '@shopify/cli-kit/node/context/local'
 
 vi.mock('@shopify/cli-kit/node/http')
 vi.mock('@shopify/cli-kit/node/themes/api')
@@ -45,7 +46,11 @@ describe('Storefront API', () => {
       )
 
       // When
-      const cookies = await getStorefrontSessionCookies('https://example-store.myshopify.com', '123456')
+      const cookies = await getStorefrontSessionCookies(
+        'https://example-store.myshopify.com',
+        'example-store.myshopify.com',
+        '123456',
+      )
 
       // Then
       expect(cookies).toEqual({_shopify_essential: ':AABBCCDDEEFFGGHH==123:'})
@@ -62,13 +67,21 @@ describe('Storefront API', () => {
         )
         .mockResolvedValueOnce(
           response({
-            status: 200,
-            headers: {'set-cookie': 'storefront_digest=digest-value; path=/; HttpOnly'},
+            status: 302,
+            headers: {
+              'set-cookie': 'storefront_digest=digest-value; path=/; HttpOnly',
+              location: 'https://example-store.myshopify.com/',
+            },
           }),
         )
 
       // When
-      const cookies = await getStorefrontSessionCookies('https://example-store.myshopify.com', '123456', 'password')
+      const cookies = await getStorefrontSessionCookies(
+        'https://example-store.myshopify.com',
+        'example-store.myshopify.com',
+        '123456',
+        'password',
+      )
 
       // Then
       expect(cookies).toEqual({_shopify_essential: ':AABBCCDDEEFFGGHH==123:', storefront_digest: 'digest-value'})
@@ -135,7 +148,12 @@ describe('Storefront API', () => {
         )
 
       // When
-      const cookies = getStorefrontSessionCookies('https://example-store.myshopify.com', '123456', 'wrongpassword')
+      const cookies = getStorefrontSessionCookies(
+        'https://example-store.myshopify.com',
+        'example-store.myshopify.com',
+        '123456',
+        'wrongpassword',
+      )
 
       // Then
       await expect(cookies).rejects.toThrow(
@@ -171,12 +189,153 @@ describe('Storefront API', () => {
         )
 
       // When
-      const cookies = await getStorefrontSessionCookies('https://example-store.myshopify.com', '123456')
+      const cookies = await getStorefrontSessionCookies(
+        'https://example-store.myshopify.com',
+        'example-store.myshopify.com',
+        '123456',
+      )
 
       // Then
       expect(cookies).toEqual({_shopify_essential: ':AABBCCDDEEFFGGHH==RETRYCOOKIE:'})
       expect(shopifyFetch).toHaveBeenCalledTimes(3)
     })
+
+    test('handles storefront_digest migration to _shopify_essential cookie', async () => {
+      const originalEssential = ':AABBCCDDEEFFGGHH==123:'
+      const authenticatedEssential = ':NEWESSENTIAL==456:'
+
+      vi.mocked(shopifyFetch)
+        .mockResolvedValueOnce(
+          response({
+            status: 200,
+            headers: {'set-cookie': `_shopify_essential=${originalEssential}; path=/; HttpOnly`},
+          }),
+        )
+        .mockResolvedValueOnce(
+          response({
+            status: 302,
+            headers: {
+              'set-cookie': `_shopify_essential=${authenticatedEssential}; path=/; HttpOnly`,
+              location: 'https://example-store.myshopify.com/',
+            },
+          }),
+        )
+
+      // When
+      const cookies = await getStorefrontSessionCookies(
+        'https://example-store.myshopify.com',
+        'example-store.myshopify.com',
+        '123456',
+        'password',
+      )
+
+      // Then
+      expect(cookies).toEqual({
+        _shopify_essential: authenticatedEssential,
+      })
+    })
+
+    test('handles theme kit access with _shopify_essential cookies', async () => {
+      const originalEssential = ':AABBCCDDEEFFGGHH==123:'
+      const authenticatedEssential = ':NEWESSENTIAL==456:'
+
+      vi.mocked(shopifyFetch)
+        .mockResolvedValueOnce(
+          response({
+            status: 200,
+            headers: {'set-cookie': `_shopify_essential=${originalEssential}; path=/; HttpOnly`},
+          }),
+        )
+        .mockResolvedValueOnce(
+          response({
+            status: 302,
+            headers: {
+              'set-cookie': `_shopify_essential=${authenticatedEssential}; path=/; HttpOnly`,
+              location: 'https://example-store.myshopify.com/',
+            },
+          }),
+        )
+
+      // When
+      const cookies = await getStorefrontSessionCookies(
+        `https://${getThemeKitAccessDomain()}`,
+        'example-store.myshopify.com',
+        '123456',
+        'password',
+      )
+
+      // Then
+      expect(cookies).toEqual({
+        _shopify_essential: authenticatedEssential,
+      })
+    })
+
+    test('handles case when storefront_digest is present (non-migrated case)', async () => {
+      // Given: storefront_digest is still being used
+      vi.mocked(shopifyFetch)
+        .mockResolvedValueOnce(
+          response({
+            status: 200,
+            headers: {'set-cookie': '_shopify_essential=:AABBCCDDEEFFGGHH==123:; path=/; HttpOnly'},
+          }),
+        )
+        .mockResolvedValueOnce(
+          response({
+            status: 302,
+            headers: {
+              'set-cookie': 'storefront_digest=digest-value; path=/; HttpOnly',
+              location: 'https://example-store.myshopify.com/',
+            },
+          }),
+        )
+
+      // When
+      const cookies = await getStorefrontSessionCookies(
+        'https://example-store.myshopify.com',
+        'example-store.myshopify.com',
+        '123456',
+        'password',
+      )
+
+      // Then
+      expect(cookies).toEqual({
+        _shopify_essential: ':AABBCCDDEEFFGGHH==123:',
+        storefront_digest: 'digest-value',
+      })
+    })
+
+    test('throws error when pasword page does not return a 302', async () => {
+      // Given: password redirects correctly but _shopify_essential doesn't change (shouldn't happen)
+      const sameEssential = ':AABBCCDDEEFFGGHH==123:'
+
+      vi.mocked(shopifyFetch)
+        .mockResolvedValueOnce(
+          response({
+            status: 200,
+            headers: {'set-cookie': `_shopify_essential=${sameEssential}; path=/; HttpOnly`},
+          }),
+        )
+        .mockResolvedValueOnce(
+          response({
+            status: 200,
+          }),
+        )
+
+      // When
+      const cookies = getStorefrontSessionCookies(
+        'https://example-store.myshopify.com',
+        'example-store.myshopify.com',
+        '123456',
+        'password',
+      )
+
+      // Then
+      await expect(cookies).rejects.toThrow(
+        new AbortError(
+          'Your development session could not be created because the store password is invalid. Please, retry with a different password.',
+        ),
+      )
+    })
   })
 
   // Tests rely on this function because the 'packages/theme' package cannot

packages/theme/src/cli/utilities/theme-environment/storefront-session.ts

@@ -1,6 +1,6 @@
 import {parseCookies, serializeCookies} from './cookies.js'
 import {defaultHeaders} from './storefront-utils.js'
-import {shopifyFetch} from '@shopify/cli-kit/node/http'
+import {shopifyFetch, Response} from '@shopify/cli-kit/node/http'
 import {AbortError} from '@shopify/cli-kit/node/error'
 import {outputDebug} from '@shopify/cli-kit/node/output'
 import {type AdminSession} from '@shopify/cli-kit/node/session'
@@ -41,31 +41,19 @@ export async function isStorefrontPasswordCorrect(password: string | undefined,
     )
   }
 
-  const locationHeader = response.headers.get('location') ?? ''
-  let redirectUrl: URL
-
-  try {
-    redirectUrl = new URL(locationHeader, storeUrl)
-  } catch (error) {
-    if (error instanceof TypeError) {
-      return false
-    }
-    throw error
-  }
-
-  const storeOrigin = new URL(storeUrl).origin
-
-  return response.status === 302 && redirectUrl.origin === storeOrigin
+  return redirectsToStorefront(response, storeUrl)
 }
 
 export async function getStorefrontSessionCookies(
   storeUrl: string,
+  storeFqdn: string,
   themeId: string,
   password?: string,
   headers: {[key: string]: string} = {},
 ): Promise<{[key: string]: string}> {
   const cookieRecord: {[key: string]: string} = {}
   const shopifyEssential = await sessionEssentialCookie(storeUrl, themeId, headers)
+  const storeOrigin = prependHttps(storeFqdn)
 
   cookieRecord._shopify_essential = shopifyEssential
 
@@ -77,11 +65,15 @@ export async function getStorefrontSessionCookies(
     return cookieRecord
   }
 
-  const storefrontDigest = await enrichSessionWithStorefrontPassword(shopifyEssential, storeUrl, password, headers)
-
-  cookieRecord.storefront_digest = storefrontDigest
+  const additionalCookies = await enrichSessionWithStorefrontPassword(
+    shopifyEssential,
+    storeUrl,
+    storeOrigin,
+    password,
+    headers,
+  )
 
-  return cookieRecord
+  return {...cookieRecord, ...additionalCookies}
 }
 
 async function sessionEssentialCookie(
@@ -140,9 +132,10 @@ async function sessionEssentialCookie(
 async function enrichSessionWithStorefrontPassword(
   shopifyEssential: string,
   storeUrl: string,
+  storeOrigin: string,
   password: string,
   headers: {[key: string]: string},
-) {
+): Promise<{[key: string]: string}> {
   const params = new URLSearchParams({password})
 
   const response = await shopifyFetch(`${storeUrl}/password`, {
@@ -156,21 +149,45 @@ async function enrichSessionWithStorefrontPassword(
     },
   })
 
-  const setCookies = response.headers.raw()['set-cookie'] ?? []
-  const storefrontDigest = getCookie(setCookies, 'storefront_digest')
-
-  if (!storefrontDigest) {
-    outputDebug(
-      `Failed to obtain storefront_digest cookie.\n
-       -Request ID: ${response.headers.get('x-request-id') ?? 'unknown'}\n
-       -Body: ${await response.text()}`,
-    )
+  if (!redirectsToStorefront(response, storeOrigin)) {
     throw new AbortError(
       'Your development session could not be created because the store password is invalid. Please, retry with a different password.',
     )
   }
 
-  return storefrontDigest
+  const setCookies = response.headers.raw()['set-cookie'] ?? []
+  const storefrontDigest = getCookie(setCookies, 'storefront_digest')
+  const newShopifyEssential = getCookie(setCookies, '_shopify_essential')
+
+  const result: {[key: string]: string} = {}
+
+  if (storefrontDigest) {
+    result.storefront_digest = storefrontDigest
+  }
+
+  if (newShopifyEssential) {
+    result._shopify_essential = newShopifyEssential
+  }
+
+  return result
+}
+
+function redirectsToStorefront(response: Response, storeUrl: string) {
+  const locationHeader = response.headers.get('location') ?? ''
+  let redirectUrl: URL
+
+  try {
+    redirectUrl = new URL(locationHeader, storeUrl)
+  } catch (error) {
+    if (error instanceof TypeError) {
+      return false
+    }
+    throw error
+  }
+
+  const storeOrigin = new URL(storeUrl).origin
+
+  return response.status === 302 && redirectUrl.origin === storeOrigin
 }
 
 function getCookie(setCookieArray: string[], cookieName: string) {