Patch JwtPayload in order to correctly parse Checkout UI extensions session tokens

[linucs]

Checkout UI session tokens are actually missing "iss" and "sid" keys (see: https://shopify.dev/docs/api/checkout-ui-extensions/2024-10/apis/session-token). The current implementation makes them mandatory, generating exceptions while verifying JWT tokens (see the new ShopifyApp::WithShopifyIdToken concern, and the legacy ShopifyApp::JWTMiddleware middleware).

Description

The PR is for:

• Solving exceptions raised in the ShopifyAPI::Auth::JwtPayload constructor (line 30) when the JWT Token is missing the "iss" and "sid" keys (both optional in Checkout UI session tokens)
• Any Checkout UI extension making authenticated API calls to an endpoint developed using the ShopifyApp engine fails, raising an obscure exception
• PR impact: make "iss" and "sid" keys optional, and extract the correct shopify_user_id from the "sid" key, even when it's formatted as gid://shopify/Customer/<customerId>

How has this been tested?

Develop a basic frontend Checkout UI extension and make cors authenticated calls to a Rails backend developed using shopify_app gem (v22.4). Any request fails without reaching the corresponding controller, since an exception is raised in the ShopifyApp::JWTMiddleware middleware injected by the ShopifyApp engine (see engine.rb, row 20).
After applying the patch, requests are nomally executed without raising any exception.

Checklist:

• My commit message follow the pattern described in here
• I have performed a self-review of my own code.
• I have added tests that prove my fix is effective or that my feature works.
• I have updated the project documentation.
• I have added a changelog line.

[linucs]

I have signed the CLA!

[lizkenyon]

Thank you for your contribution good find that these tokens are inconsistent.

Could you add a test case to jwt_payload_test.rb to prevent regressions.

Could you also add to the CHANGELOG.md

[lizkenyon]

In my testing I found that the sub claim could also be nil, if the customer is not logged in.

[lizkenyon]

Is there a reason why you are extracting the ID?

[BaggioGiacomo]

Any news here?
sessionToken is needed when calling the app proxy from the checkout ui extension to know the logged in customer id

Should I open another PR so we fix this as soon as possible?

[lizkenyon]

@BaggioGiacomo
Could you confirm you are still receiving the same error? I believe we should now be adding the ISS claim to the session tokens?

[BaggioGiacomo]

Hi @lizkenyon!

The iss is correctly set as https://<shopify_domain>/checkouts
The missing property is the sid.

Here's an example of a generated await sessionToken.get():

When adding this token to the fetch call, I get this error on the console:

GET
/app_proxy/forms/checkoutshop=iop-lab-jack.myshopify.com&logged_in_customer_id=&path_prefix=%2Fapps%2Famplius&timestamp=1743172558&signature=c6c06aeaa4b16a9cf7025c8fe0fe243edba91e9279f219b030b9041241661071" -
(79.54.125.75,2a06:98c0:3600::103)): #<TypeError:"T.let: Expected type String, got type NilClass\nCaller: /Users/jack/.rbenv/versions/3.3.4/lib/ruby/gems/3.3.0/gems/shopify_api-14.7.0/lib/shopify_api/auth/jwt_payload.rb:38">

This row is the one that throw the exception

[lizkenyon]

@BaggioGiacomo Thank you!

Yes! If you make a PR setting the sid claim as optional, I will review it ASAP.

[BaggioGiacomo]

@lizkenyon We can close this since we've merged #1369