Make sub and sid jwt claims optional

BaggioGiacomo · BaggioGiacomo · commit 4bc85389ad5c · 2025-03-31T15:48:13.000+02:00
The generated session token on the checkout ui extensions doesn't contain:
- The `sid` claim
- The `sub` claim if the customer is not logged in

Making them mandatory causes an `Expected type String, got type NilClass` error
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@ Note: For changes to the API, see https://shopify.dev/changelog?filter=api
 ## Unreleased
 
 - [#1362](https://github.com/Shopify/shopify-api-ruby/pull/1362) Add support for client credentials grant
+- [#1369](https://github.com/Shopify/shopify-api-ruby/pull/1369) Make `sub` and `sid` jwt claims optional (Checkout ui extension support)
 
 ## 14.8.0
 
diff --git a/lib/shopify_api/auth/jwt_payload.rb b/lib/shopify_api/auth/jwt_payload.rb
@@ -30,12 +30,12 @@ def initialize(token)
         @iss = T.let(payload_hash["iss"], String)
         @dest = T.let(payload_hash["dest"], String)
         @aud = T.let(payload_hash["aud"], String)
-        @sub = T.let(payload_hash["sub"], String)
+        @sub = T.let(payload_hash["sub"], T.nilable(String))
         @exp = T.let(payload_hash["exp"], Integer)
         @nbf = T.let(payload_hash["nbf"], Integer)
         @iat = T.let(payload_hash["iat"], Integer)
         @jti = T.let(payload_hash["jti"], String)
-        @sid = T.let(payload_hash["sid"], String)
+        @sid = T.let(payload_hash["sid"], T.nilable(String))
 
         raise ShopifyAPI::Errors::InvalidJwtTokenError,
           "Session token had invalid API key" unless @aud == Context.api_key
@@ -47,19 +47,11 @@ def shop
       end
       alias_method :shopify_domain, :shop
 
-      sig { returns(Integer) }
+      sig { returns(T.nilable(Integer)) }
       def shopify_user_id
-        @sub.to_i
-      end
+        return unless @sub
 
-      # TODO: Remove before releasing v11
-      sig { params(shop: String).returns(T::Boolean) }
-      def validate_shop(shop)
-        Context.logger.warn(
-          "Deprecation notice: ShopifyAPI::Auth::JwtPayload.validate_shop no longer checks the given shop and always " \
-            "returns true. It will be removed in v11.",
-        )
-        true
+        @sub.tr("^0-9", "").to_i
       end
 
       alias_method :eql?, :==
diff --git a/test/auth/jwt_payload_test.rb b/test/auth/jwt_payload_test.rb
@@ -139,6 +139,55 @@ def test_decode_jwt_payload_succeeds_with_not_before_in_the_future_within_10s_le
           sid: decoded.sid,
         })
       end
+
+      def test_decode_jwt_payload_coming_from_checkout_ui_extension
+        payload = @jwt_payload.dup
+        payload[:sid] = nil
+        jwt_token = JWT.encode(payload, ShopifyAPI::Context.api_secret_key, "HS256")
+        decoded = ShopifyAPI::Auth::JwtPayload.new(jwt_token)
+        assert_equal(payload,
+          {
+            iss: decoded.iss,
+            dest: decoded.dest,
+            aud: decoded.aud,
+            sub: decoded.sub,
+            exp: decoded.exp,
+            nbf: decoded.nbf,
+            iat: decoded.iat,
+            jti: decoded.jti,
+            sid: decoded.sid,
+          })
+
+        assert_equal(decoded.expire_at, @jwt_payload[:exp])
+        assert_equal("test-shop.myshopify.io", decoded.shopify_domain)
+        assert_equal("test-shop.myshopify.io", decoded.shop)
+        assert_equal(1, decoded.shopify_user_id)
+      end
+
+      def test_decode_jwt_payload_coming_from_checkout_ui_extension_without_user_logged_in
+        payload = @jwt_payload.dup
+        payload[:sid] = nil
+        payload[:sub] = nil
+        jwt_token = JWT.encode(payload, ShopifyAPI::Context.api_secret_key, "HS256")
+        decoded = ShopifyAPI::Auth::JwtPayload.new(jwt_token)
+        assert_equal(payload,
+          {
+            iss: decoded.iss,
+            dest: decoded.dest,
+            aud: decoded.aud,
+            sub: decoded.sub,
+            exp: decoded.exp,
+            nbf: decoded.nbf,
+            iat: decoded.iat,
+            jti: decoded.jti,
+            sid: decoded.sid,
+          })
+
+        assert_equal(decoded.expire_at, @jwt_payload[:exp])
+        assert_equal("test-shop.myshopify.io", decoded.shopify_domain)
+        assert_equal("test-shop.myshopify.io", decoded.shop)
+        assert_nil(decoded.shopify_user_id)
+      end
     end
   end
 end
