Skip to content

Canonicalize scopes for store auth#7149

Merged
isaacroldan merged 1 commit intomainfrom
dlm-store-execute-scope-canon
Apr 2, 2026
Merged

Canonicalize scopes for store auth#7149
isaacroldan merged 1 commit intomainfrom
dlm-store-execute-scope-canon

Conversation

@dmerand
Copy link
Copy Markdown
Contributor

@dmerand dmerand commented Apr 1, 2026
edited
Loading

What

Canonicalize the scopes returned by shopify store auth before comparing them to the requested scopes.

This treats compressed returned scopes like write_products as satisfying read_products,write_products, while still failing auth when unrelated requested scopes are actually missing.

Why

In the PKCE flow, Shopify can return the highest-privilege scope instead of echoing every requested scope. That makes store auth reject valid responses when the request includes both read and write access for the same resource.

This PR aligns scope validation with that behavior so store auth only fails when a real requested scope is missing.

How

  • expand implied write_* -> read_* scopes when validating the token response
  • use the same scope-compression approach as the existing AuthScopes implementation in shopify-api-js
  • keep storing the raw scopes returned by Shopify
  • document that stored session scopes are raw, not an expanded effective set
  • add focused coverage for:
    • compressed write scopes satisfying requested read+write scopes
    • unrelated missing scopes still failing auth

Testing

To test manually:

  1. Run shopify store auth --store <store> --scopes read_products,write_products
  2. Complete the PKCE flow
  3. Confirm auth succeeds when Shopify returns write_products

Measuring impact

How do we know this change was effective? Please choose one:

  • n/a - this doesn't need measurement, e.g. a linting rule or a bug-fix
  • Existing analytics will cater for this addition
  • PR includes analytics changes to measure impact

Checklist

  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've considered possible documentation changes

@dmerand Graphite App
Copy link
Copy Markdown
Contributor Author

dmerand commented Apr 1, 2026
edited
Loading

This stack of pull requests is managed by Graphite. Learn more about stacking.

@dmerand dmerand mentioned this pull request Apr 1, 2026
Merged
5 tasks
@dmerand dmerand marked this pull request as ready for review April 1, 2026 21:19
@dmerand dmerand requested a review from a team as a code owner April 1, 2026 21:19
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 1, 2026

We detected some changes at packages/*/src and there are no updates in the .changeset.
If the changes are user-facing, run pnpm changeset add to track your changes and include them in the next release CHANGELOG.

Caution

DO NOT create changesets for features which you do not wish to be included in the public changelog of the next CLI release.

@dmerand dmerand changed the base branch from dlm-store-execute-client-id to graphite-base/7149 April 1, 2026 21:35
@dmerand dmerand force-pushed the graphite-base/7149 branch from f4f6a4c to ffdf400 Compare April 1, 2026 21:37
@dmerand dmerand force-pushed the dlm-store-execute-scope-canon branch from cb6e240 to 00cbcd2 Compare April 1, 2026 21:37
@dmerand dmerand changed the base branch from graphite-base/7149 to dlm-store-execute-client-id April 1, 2026 21:37
@dmerand dmerand mentioned this pull request Apr 1, 2026
Merged
5 tasks
@dmerand dmerand force-pushed the dlm-store-execute-scope-canon branch from 00cbcd2 to 0d60e8d Compare April 1, 2026 23:01
@dmerand dmerand force-pushed the dlm-store-execute-client-id branch from ffdf400 to 20d4186 Compare April 1, 2026 23:01
@dmerand dmerand mentioned this pull request Apr 1, 2026
Merged
ryancbahan
ryancbahan reviewed Apr 2, 2026
View reviewed changes
packages/cli/src/cli/services/store/auth.ts
return [...new Set(scopes)]
}

function expandImpliedStoreScopes(scopes: string[]): Set<string> {
Copy link
Copy Markdown
Contributor

@ryancbahan ryancbahan Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe worth adding a code comment for context on why we need this

Base automatically changed from dlm-store-execute-client-id to main April 2, 2026 08:11
@isaacroldan isaacroldan added this pull request to the merge queue Apr 2, 2026
Merged via the queue into main with commit 2488015 Apr 2, 2026
26 of 47 checks passed
@isaacroldan isaacroldan deleted the dlm-store-execute-scope-canon branch April 2, 2026 08:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@isaacroldan isaacroldan isaacroldan approved these changes

@ryancbahan ryancbahan ryancbahan approved these changes

@nickwesselman nickwesselman Awaiting requested review from nickwesselman

@RyanDJLee RyanDJLee Awaiting requested review from RyanDJLee

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dmerand @isaacroldan @ryancbahan