Replace isStorefrontPasswordProtected with API call

We were previously determining whether or not a storefront was password
protected by making a HTTP request to the storefront and checking the
response status. This worked for us in the past but is a known fragile
piece.

We've now shipped the ability to query whether the storefront is
password protected directly in the Admin API so we no longer need to
guess. This replaces all instances of `isStorefrontPasswordProtected`
with the updated API call.

Author: graygilmore

.changeset/young-windows-deliver.md

@@ -0,0 +1,7 @@
+---
+'@shopify/cli-kit': patch
+'@shopify/theme': patch
+'@shopify/app': patch
+---
+
+Utilize Admin API to determine if a storefront is password protected

packages/app/src/cli/services/dev/processes/theme-app-extension.ts

@@ -52,7 +52,7 @@ export async function setupPreviewThemeAppExtensionsProcess(
   ])
 
   const storeFqdn = adminSession.storeFqdn
-  const storefrontPassword = (await isStorefrontPasswordProtected(storeFqdn))
+  const storefrontPassword = (await isStorefrontPasswordProtected(adminSession))
     ? await ensureValidPassword('', storeFqdn)
     : undefined
 

packages/cli-kit/src/cli/api/graphql/admin/generated/online_store_password_protection.ts

@@ -0,0 +1,45 @@
+/* eslint-disable @typescript-eslint/consistent-type-definitions */
+import * as Types from './types.js'
+
+import {TypedDocumentNode as DocumentNode} from '@graphql-typed-document-node/core'
+
+export type OnlineStorePasswordProtectionQueryVariables = Types.Exact<{[key: string]: never}>
+
+export type OnlineStorePasswordProtectionQuery = {onlineStore: {passwordProtection: {enabled: boolean}}}
+
+export const OnlineStorePasswordProtection = {
+  kind: 'Document',
+  definitions: [
+    {
+      kind: 'OperationDefinition',
+      operation: 'query',
+      name: {kind: 'Name', value: 'OnlineStorePasswordProtection'},
+      selectionSet: {
+        kind: 'SelectionSet',
+        selections: [
+          {
+            kind: 'Field',
+            name: {kind: 'Name', value: 'onlineStore'},
+            selectionSet: {
+              kind: 'SelectionSet',
+              selections: [
+                {
+                  kind: 'Field',
+                  name: {kind: 'Name', value: 'passwordProtection'},
+                  selectionSet: {
+                    kind: 'SelectionSet',
+                    selections: [
+                      {kind: 'Field', name: {kind: 'Name', value: 'enabled'}},
+                      {kind: 'Field', name: {kind: 'Name', value: '__typename'}},
+                    ],
+                  },
+                },
+                {kind: 'Field', name: {kind: 'Name', value: '__typename'}},
+              ],
+            },
+          },
+        ],
+      },
+    },
+  ],
+} as unknown as DocumentNode<OnlineStorePasswordProtectionQuery, OnlineStorePasswordProtectionQueryVariables>

packages/cli-kit/src/cli/api/graphql/admin/queries/online_store_password_protection.graphql

@@ -0,0 +1,7 @@
+query OnlineStorePasswordProtection {
+  onlineStore {
+    passwordProtection {
+      enabled
+    }
+  }
+}

packages/cli-kit/src/public/node/themes/api.ts

@@ -18,6 +18,7 @@ import {
 import {MetafieldDefinitionsByOwnerType} from '../../../cli/api/graphql/admin/generated/metafield_definitions_by_owner_type.js'
 import {GetThemes} from '../../../cli/api/graphql/admin/generated/get_themes.js'
 import {GetTheme} from '../../../cli/api/graphql/admin/generated/get_theme.js'
+import {OnlineStorePasswordProtection} from '../../../cli/api/graphql/admin/generated/online_store_password_protection.js'
 import {restRequest, RestResponse, adminRequestDoc} from '@shopify/cli-kit/node/api/admin'
 import {AdminSession} from '@shopify/cli-kit/node/session'
 import {AbortError} from '@shopify/cli-kit/node/error'
@@ -356,6 +357,17 @@ export async function metafieldDefinitionsByOwnerType(type: MetafieldOwnerType,
   }))
 }
 
+export async function passwordProtected(session: AdminSession): Promise<boolean> {
+  const {onlineStore} = await adminRequestDoc(OnlineStorePasswordProtection, session)
+  if (!onlineStore) {
+    unexpectedGraphQLError("Unable to get details about the storefront's password protection")
+  }
+
+  const {passwordProtection} = onlineStore
+
+  return passwordProtection.enabled
+}
+
 async function request<T>(
   method: string,
   path: string,

packages/theme/src/cli/services/console.ts

@@ -9,7 +9,7 @@ import {consoleLog} from '@shopify/cli-kit/node/output'
 export async function ensureReplEnv(adminSession: AdminSession, storePasswordFlag?: string) {
   const themeId = await findOrCreateReplTheme(adminSession)
 
-  const storePassword = (await isStorefrontPasswordProtected(adminSession.storeFqdn))
+  const storePassword = (await isStorefrontPasswordProtected(adminSession))
     ? await ensureValidPassword(storePasswordFlag, adminSession.storeFqdn)
     : undefined
 

packages/theme/src/cli/services/dev.ts

@@ -42,9 +42,8 @@ export async function dev(options: DevOptions) {
     return
   }
 
-  const storefrontPasswordPromise = isStorefrontPasswordProtected(options.adminSession.storeFqdn).then(
-    (needsPassword) =>
-      needsPassword ? ensureValidPassword(options.storePassword, options.adminSession.storeFqdn) : undefined,
+  const storefrontPasswordPromise = await isStorefrontPasswordProtected(options.adminSession).then((needsPassword) =>
+    needsPassword ? ensureValidPassword(options.storePassword, options.adminSession.storeFqdn) : undefined,
   )
 
   const localThemeExtensionFileSystem = emptyThemeExtFileSystem()

packages/theme/src/cli/utilities/theme-environment/storefront-session.test.ts

@@ -7,96 +7,29 @@ import {
 import {describe, expect, test, vi} from 'vitest'
 import {fetch} from '@shopify/cli-kit/node/http'
 import {AbortError} from '@shopify/cli-kit/node/error'
+import {passwordProtected} from '@shopify/cli-kit/node/themes/api'
+import {type AdminSession} from '@shopify/cli-kit/node/session'
 
 vi.mock('@shopify/cli-kit/node/http')
+vi.mock('@shopify/cli-kit/node/themes/api')
 
 describe('Storefront API', () => {
   describe('isStorefrontPasswordProtected', () => {
-    test('returns true when the request is redirected to the password page', async () => {
-      // Given
-      vi.mocked(fetch).mockResolvedValue(response({status: 200, url: 'https://store.myshopify.com/password'}))
-
-      // When
-      const isProtected = await isStorefrontPasswordProtected('store.myshopify.com')
-
-      // Then
-      expect(isProtected).toBe(true)
-      expect(fetch).toBeCalledWith('https://store.myshopify.com', {
-        method: 'GET',
-      })
-    })
-
-    test('returns false when request is not redirected', async () => {
-      // Given
-      vi.mocked(fetch).mockResolvedValue(response({status: 200, url: 'https://store.myshopify.com'}))
-
-      // When
-      const isProtected = await isStorefrontPasswordProtected('store.myshopify.com')
-
-      // Then
-      expect(isProtected).toBe(false)
-      expect(fetch).toBeCalledWith('https://store.myshopify.com', {
-        method: 'GET',
-      })
-    })
-
-    test('returns false when store redirects to a different domain', async () => {
-      // Given
-      vi.mocked(fetch).mockResolvedValue(response({status: 200, url: 'https://store.myshopify.se'}))
-
-      // When
-      const isProtected = await isStorefrontPasswordProtected('store.myshopify.com')
-
-      // Then
-      expect(isProtected).toBe(false)
-    })
+    const adminSession: AdminSession = {
+      storeFqdn: 'example-store.myshopify.com',
+      token: '123456',
+    }
 
-    test('returns false when store redirects to a different URI', async () => {
+    test('makes an API call to check if the storefront is password protected', async () => {
       // Given
-      vi.mocked(fetch).mockResolvedValue(response({status: 200, url: 'https://store.myshopify.com/random'}))
+      vi.mocked(passwordProtected).mockResolvedValueOnce(true)
 
       // When
-      const isProtected = await isStorefrontPasswordProtected('store.myshopify.com')
-
-      // Then
-      expect(isProtected).toBe(false)
-    })
-
-    test('return true when store redirects to /<locale>/password', async () => {
-      // Given
-      vi.mocked(fetch).mockResolvedValue(response({status: 200, url: 'https://store.myshopify.com/fr-CA/password'}))
-
-      // When
-      const isProtected = await isStorefrontPasswordProtected('store.myshopify.com')
+      const isProtected = await isStorefrontPasswordProtected(adminSession)
 
       // Then
       expect(isProtected).toBe(true)
-    })
-
-    test('returns false if response is not a 302', async () => {
-      // Given
-      vi.mocked(fetch).mockResolvedValue(response({status: 200, url: 'https://store.myshopify.com/random'}))
-
-      // When
-      const isProtected = await isStorefrontPasswordProtected('store.myshopify.com')
-
-      // Then
-      expect(isProtected).toBe(false)
-    })
-
-    test('ignores query params', async () => {
-      // Given
-      vi.mocked(fetch)
-        .mockResolvedValueOnce(response({status: 200, url: 'https://store.myshopify.com/random?a=b'}))
-        .mockResolvedValueOnce(response({status: 200, url: 'https://store.myshopify.com/password?a=b'}))
-
-      // When
-      const redirectToRandomPath = await isStorefrontPasswordProtected('store.myshopify.com')
-      const redirectToPasswordPath = await isStorefrontPasswordProtected('store.myshopify.com')
-
-      // Then
-      expect(redirectToRandomPath).toBe(false)
-      expect(redirectToPasswordPath).toBe(true)
+      expect(passwordProtected).toHaveBeenCalledWith(adminSession)
     })
   })
 

packages/theme/src/cli/utilities/theme-environment/storefront-session.ts

@@ -3,16 +3,13 @@ import {defaultHeaders} from './storefront-utils.js'
 import {fetch} from '@shopify/cli-kit/node/http'
 import {AbortError} from '@shopify/cli-kit/node/error'
 import {outputDebug} from '@shopify/cli-kit/node/output'
+import {type AdminSession} from '@shopify/cli-kit/node/session'
+import {passwordProtected} from '@shopify/cli-kit/node/themes/api'
 
 export class ShopifyEssentialError extends Error {}
 
-export async function isStorefrontPasswordProtected(storeURL: string): Promise<boolean> {
-  const response = await fetch(prependHttps(storeURL), {
-    method: 'GET',
-  })
-
-  const redirectLocation = new URL(response.url)
-  return redirectLocation.pathname.endsWith('/password')
+export async function isStorefrontPasswordProtected(session: AdminSession): Promise<boolean> {
+  return passwordProtected(session)
 }
 
 /**