Add CLI token support for app management and BP API

Co-authored-by: Ryan DJ Lee <[email protected]>
Co-authored-by: Zoey Lan <[email protected]>

Author: zzooeeyy

packages/app/src/cli/api/graphql/business-platform-destinations/generated/user-info.ts

@@ -5,7 +5,9 @@ import {TypedDocumentNode as DocumentNode} from '@graphql-typed-document-node/co
 
 export type UserInfoQueryVariables = Types.Exact<{[key: string]: never}>
 
-export type UserInfoQuery = {currentUserAccount?: {uuid: string; email: string} | null}
+export type UserInfoQuery = {
+  currentUserAccount?: {uuid: string; email: string; organizations: {nodes: {name: string}[]}} | null
+}
 
 export const UserInfo = {
   kind: 'Document',
@@ -25,6 +27,30 @@ export const UserInfo = {
               selections: [
                 {kind: 'Field', name: {kind: 'Name', value: 'uuid'}},
                 {kind: 'Field', name: {kind: 'Name', value: 'email'}},
+                {
+                  kind: 'Field',
+                  name: {kind: 'Name', value: 'organizations'},
+                  arguments: [
+                    {kind: 'Argument', name: {kind: 'Name', value: 'first'}, value: {kind: 'IntValue', value: '5'}},
+                  ],
+                  selectionSet: {
+                    kind: 'SelectionSet',
+                    selections: [
+                      {
+                        kind: 'Field',
+                        name: {kind: 'Name', value: 'nodes'},
+                        selectionSet: {
+                          kind: 'SelectionSet',
+                          selections: [
+                            {kind: 'Field', name: {kind: 'Name', value: 'name'}},
+                            {kind: 'Field', name: {kind: 'Name', value: '__typename'}},
+                          ],
+                        },
+                      },
+                      {kind: 'Field', name: {kind: 'Name', value: '__typename'}},
+                    ],
+                  },
+                },
                 {kind: 'Field', name: {kind: 'Name', value: '__typename'}},
               ],
             },

packages/app/src/cli/api/graphql/business-platform-destinations/queries/user-info.graphql

@@ -2,5 +2,10 @@ query UserInfo {
   currentUserAccount {
     uuid
     email
+    organizations(first: 2){
+      nodes {
+        name
+      }
+    }
   }
 }

packages/app/src/cli/utilities/developer-platform-client.ts

@@ -60,9 +60,7 @@ import {
   AppLogsSubscribeMutation,
   AppLogsSubscribeMutationVariables,
 } from '../api/graphql/app-management/generated/app-logs-subscribe.js'
-import {isAppManagementDisabled} from '@shopify/cli-kit/node/context/local'
 import {blockPartnersAccess} from '@shopify/cli-kit/node/environment'
-import {AbortError} from '@shopify/cli-kit/node/error'
 
 export enum ClientName {
   AppManagement = 'app-management',
@@ -88,12 +86,8 @@ export function allDeveloperPlatformClients(): DeveloperPlatformClient[] {
   if (!blockPartnersAccess()) {
     clients.push(new PartnersClient())
   }
-  if (!isAppManagementDisabled()) {
-    clients.push(new AppManagementClient())
-  }
-  if (clients.length === 0) {
-    throw new AbortError('Both Partners and App Management APIs are deactivated.')
-  }
+
+  clients.push(new AppManagementClient())
   return clients
 }
 
@@ -133,7 +127,6 @@ export function selectDeveloperPlatformClient({
   configuration,
   organization,
 }: SelectDeveloperPlatformClientOptions = {}): DeveloperPlatformClient {
-  if (isAppManagementDisabled()) return new PartnersClient()
   if (organization) return selectDeveloperPlatformClientByOrg(organization)
   return selectDeveloperPlatformClientByConfig(configuration)
 }

packages/app/src/cli/utilities/developer-platform-client/app-management-client.ts

@@ -125,6 +125,7 @@ import {
   AppLogsSubscribeMutation,
   AppLogsSubscribeMutationVariables,
 } from '../../api/graphql/app-management/generated/app-logs-subscribe.js'
+import {getPartnersToken} from '@shopify/cli-kit/node/environment'
 import {ensureAuthenticatedAppManagementAndBusinessPlatform} from '@shopify/cli-kit/node/session'
 import {isUnitTest} from '@shopify/cli-kit/node/context/local'
 import {AbortError, BugError} from '@shopify/cli-kit/node/error'
@@ -251,7 +252,25 @@ export class AppManagementClient implements DeveloperPlatformClient {
         cacheExtraKey: userId,
       })
 
-      if (userInfoResult.currentUserAccount) {
+      if (getPartnersToken() && userInfoResult.currentUserAccount) {
+        const organizations = userInfoResult.currentUserAccount.organizations.nodes.map((org) => ({
+          name: org.name,
+        }))
+
+        if (organizations.length > 1) {
+          throw new Error('Multiple organizations found for the CLI token')
+        }
+
+        this._session = {
+          token: appManagementToken,
+          businessPlatformToken,
+          accountInfo: {
+            type: 'ServiceAccount',
+            orgName: organizations[0]?.name || '',
+          },
+          userId,
+        }
+      } else if (userInfoResult.currentUserAccount) {
         this._session = {
           token: appManagementToken,
           businessPlatformToken,

packages/cli-kit/src/private/node/session/exchange.ts

@@ -5,7 +5,6 @@ import {identityFqdn} from '../../../public/node/context/fqdn.js'
 import {shopifyFetch} from '../../../public/node/http.js'
 import {err, ok, Result} from '../../../public/node/result.js'
 import {AbortError, BugError, ExtendableError} from '../../../public/node/error.js'
-import {isAppManagementDisabled} from '../../../public/node/context/local.js'
 import {setLastSeenAuthMethod, setLastSeenUserIdAfterAuth} from '../session.js'
 import * as jose from 'jose'
 import {nonRandomUUID} from '@shopify/cli-kit/node/crypto'
@@ -40,7 +39,7 @@ export async function exchangeAccessForApplicationTokens(
     requestAppToken('storefront-renderer', token, scopes.storefront),
     requestAppToken('business-platform', token, scopes.businessPlatform),
     store ? requestAppToken('admin', token, scopes.admin, store) : {},
-    isAppManagementDisabled() ? {} : requestAppToken('app-management', token, scopes.appManagement),
+    requestAppToken('app-management', token, scopes.appManagement),
   ])
 
   return {
@@ -69,26 +68,55 @@ export async function refreshAccessToken(currentToken: IdentityToken): Promise<I
 }
 
 /**
- * Given a custom CLI token passed as ENV variable, request a valid partners API token
- * This token does not accept extra scopes, just the cli one.
+ * Given a custom CLI token passed as ENV variable (`SHOPIFY_CLI_PARTNERS_TOKEN`), request a valid API access token
  * @param token - The CLI token passed as ENV variable
  * @returns An instance with the application access tokens.
  */
-export async function exchangeCustomPartnerToken(token: string): Promise<{accessToken: string; userId: string}> {
-  const appId = applicationId('partners')
+export async function exchangeCliTokenForAccessToken(
+  apiName: API,
+  token: string,
+  scopes: string[],
+): Promise<{accessToken: string; userId: string}> {
+  const appId = applicationId(apiName)
   try {
-    const newToken = await requestAppToken('partners', token, ['https://api.shopify.com/auth/partners.app.cli.access'])
+    const newToken = await requestAppToken(apiName, token, scopes)
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
     const accessToken = newToken[appId]!.accessToken
     const userId = nonRandomUUID(token)
     setLastSeenUserIdAfterAuth(userId)
     setLastSeenAuthMethod('partners_token')
     return {accessToken, userId}
   } catch (error) {
-    throw new AbortError('The custom token provided is invalid.', 'Ensure the token is correct and not expired.')
+    const prettyName = apiName.replace(/-/g, ' ').replace(/\b\w/g, (char) => char.toUpperCase())
+
+    throw new AbortError(
+      `The custom token provided can't be used for the ${prettyName} API.`,
+      'Ensure the token is correct and not expired.',
+    )
   }
 }
 
+export async function exchangeCustomPartnerToken(token: string): Promise<{accessToken: string; userId: string}> {
+  return exchangeCliTokenForAccessToken('partners', token, ['https://api.shopify.com/auth/partners.app.cli.access'])
+}
+
+export async function exchangeCliTokenForAppManagementAccessToken(
+  token: string,
+): Promise<{accessToken: string; userId: string}> {
+  return exchangeCliTokenForAccessToken('app-management', token, [
+    'https://api.shopify.com/auth/organization.apps.manage',
+  ])
+}
+
+export async function exchangeCliTokenForBusinessPlatformAccessToken(
+  token: string,
+): Promise<{accessToken: string; userId: string}> {
+  return exchangeCliTokenForAccessToken('business-platform', token, [
+    'https://api.shopify.com/auth/destinations.readonly',
+    'https://api.shopify.com/auth/organization.store-management',
+  ])
+}
+
 type IdentityDeviceError = 'authorization_pending' | 'access_denied' | 'expired_token' | 'slow_down' | 'unknown_failure'
 
 /**

packages/cli-kit/src/public/node/context/local.test.ts

@@ -7,11 +7,9 @@ import {
   analyticsDisabled,
   cloudEnvironment,
   macAddress,
-  isAppManagementDisabled,
   getThemeKitAccessDomain,
   opentelemetryDomain,
 } from './local.js'
-import {getPartnersToken} from '../environment.js'
 import {fileExists} from '../fs.js'
 import {exec} from '../system.js'
 import {expect, describe, vi, test} from 'vitest'
@@ -104,30 +102,6 @@ describe('hasGit', () => {
   })
 })
 
-describe('isAppManagementDisabled', () => {
-  test('returns true when a Partners token is present', () => {
-    // Given
-    vi.mocked(getPartnersToken).mockReturnValue('token')
-
-    // When
-    const got = isAppManagementDisabled()
-
-    // Then
-    expect(got).toBe(true)
-  })
-
-  test('returns false when a Partners token is not present', () => {
-    // Given
-    vi.mocked(getPartnersToken).mockReturnValue(undefined)
-
-    // When
-    const got = isAppManagementDisabled()
-
-    // Then
-    expect(got).toBe(false)
-  })
-})
-
 describe('analitycsDisabled', () => {
   test('returns true when SHOPIFY_CLI_NO_ANALYTICS is truthy', () => {
     // Given

packages/cli-kit/src/public/node/context/local.ts

@@ -4,7 +4,6 @@ import {getCIMetadata, isSet, Metadata} from '../../../private/node/context/util
 import {defaultThemeKitAccessDomain, environmentVariables, pathConstants} from '../../../private/node/constants.js'
 import {fileExists} from '../fs.js'
 import {exec} from '../system.js'
-import {getPartnersToken} from '../environment.js'
 import isInteractive from 'is-interactive'
 import macaddress from 'macaddress'
 import {homedir} from 'os'
@@ -47,16 +46,6 @@ export function isVerbose(env = process.env): boolean {
   return isTruthy(env[environmentVariables.verbose]) || process.argv.includes('--verbose')
 }
 
-/**
- * It returns true if the App Management API is disabled.
- * This should only be relevant when using a Partners token.
- *
- * @returns True if the App Management API is disabled.
- */
-export function isAppManagementDisabled(): boolean {
-  return Boolean(getPartnersToken())
-}
-
 /**
  * Returns true if the environment in which the CLI is running is either
  * a local environment (where dev is present) or a cloud environment (spin).

packages/cli-kit/src/public/node/session.test.ts

@@ -10,7 +10,11 @@ import {
 import {getPartnersToken} from './environment.js'
 import {ApplicationToken} from '../../private/node/session/schema.js'
 import {ensureAuthenticated, setLastSeenAuthMethod, setLastSeenUserIdAfterAuth} from '../../private/node/session.js'
-import {exchangeCustomPartnerToken} from '../../private/node/session/exchange.js'
+import {
+  exchangeCustomPartnerToken,
+  exchangeCliTokenForAppManagementAccessToken,
+  exchangeCliTokenForBusinessPlatformAccessToken,
+} from '../../private/node/session/exchange.js'
 import {vi, describe, expect, test} from 'vitest'
 
 const futureDate = new Date(2022, 1, 1, 11)
@@ -242,4 +246,28 @@ describe('ensureAuthenticatedAppManagementAndBusinessPlatform', () => {
     // Then
     await expect(got).rejects.toThrow('No App Management or Business Platform token found after ensuring authenticated')
   })
+
+  test('returns app managment and business platform tokens if CLI token envvar is defined', async () => {
+    // Given
+    vi.mocked(getPartnersToken).mockReturnValue('custom_cli_token')
+    vi.mocked(exchangeCliTokenForAppManagementAccessToken).mockResolvedValueOnce({
+      accessToken: 'app-management-token',
+      userId: '575e2102-cb13-7bea-4631-ce3469eac491cdcba07d',
+    })
+    vi.mocked(exchangeCliTokenForBusinessPlatformAccessToken).mockResolvedValueOnce({
+      accessToken: 'business-platform-token',
+      userId: '575e2102-cb13-7bea-4631-ce3469eac491cdcba07d',
+    })
+
+    // When
+    const got = await ensureAuthenticatedAppManagementAndBusinessPlatform()
+
+    // Then
+    expect(got).toEqual({
+      appManagementToken: 'app-management-token',
+      userId: '575e2102-cb13-7bea-4631-ce3469eac491cdcba07d',
+      businessPlatformToken: 'business-platform-token',
+    })
+    expect(ensureAuthenticated).not.toHaveBeenCalled()
+  })
 })

packages/cli-kit/src/public/node/session.ts

@@ -3,7 +3,11 @@ import {BugError} from './error.js'
 import {getPartnersToken} from './environment.js'
 import {nonRandomUUID} from './crypto.js'
 import * as secureStore from '../../private/node/session/store.js'
-import {exchangeCustomPartnerToken} from '../../private/node/session/exchange.js'
+import {
+  exchangeCustomPartnerToken,
+  exchangeCliTokenForAppManagementAccessToken,
+  exchangeCliTokenForBusinessPlatformAccessToken,
+} from '../../private/node/session/exchange.js'
 import {outputContent, outputToken, outputDebug} from '../../public/node/output.js'
 import {
   AdminAPIScope,
@@ -77,6 +81,19 @@ export async function ensureAuthenticatedAppManagementAndBusinessPlatform(
   outputDebug(outputContent`Ensuring that the user is authenticated with the App Management API with the following scopes:
 ${outputToken.json(appManagementScopes)}
 `)
+
+  const envToken = getPartnersToken()
+  if (envToken) {
+    const appManagmentToken = await exchangeCliTokenForAppManagementAccessToken(envToken)
+    const businessPlatformToken = await exchangeCliTokenForBusinessPlatformAccessToken(envToken)
+
+    return {
+      appManagementToken: appManagmentToken.accessToken,
+      userId: appManagmentToken.userId,
+      businessPlatformToken: businessPlatformToken.accessToken,
+    }
+  }
+
   const tokens = await ensureAuthenticated(
     {appManagementApi: {scopes: appManagementScopes}, businessPlatformApi: {scopes: businessPlatformScopes}},
     env,