Shopify
diff --git a/‎packages/cli/src/cli/services/store/auth/callback.test.ts‎
Lines changed: 189 additions & 0 deletions b/‎packages/cli/src/cli/services/store/auth/callback.test.ts‎
Lines changed: 189 additions & 0 deletions
diff --git a/‎packages/cli/src/cli/services/store/auth/callback.ts‎
Lines changed: 185 additions & 0 deletions b/‎packages/cli/src/cli/services/store/auth/callback.ts‎
Lines changed: 185 additions & 0 deletions
@@ -0,0 +1,189 @@
+import {createServer} from 'http'
+import {describe, expect, test} from 'vitest'
+import {waitForStoreAuthCode} from './callback.js'
+
+async function getAvailablePort(): Promise<number> {
+  return await new Promise<number>((resolve, reject) => {
+    const server = createServer()
+
+    server.on('error', reject)
+    server.listen(0, '127.0.0.1', () => {
+      const address = server.address()
+      if (!address || typeof address === 'string') {
+        reject(new Error('Expected an ephemeral port.'))
+        return
+      }
+
+      server.close((error) => {
+        if (error) {
+          reject(error)
+          return
+        }
+
+        resolve(address.port)
+      })
+    })
+  })
+}
+
+function callbackParams(options?: {
+  code?: string
+  shop?: string
+  state?: string
+  error?: string
+}): URLSearchParams {
+  const params = new URLSearchParams()
+  params.set('shop', options?.shop ?? 'shop.myshopify.com')
+  params.set('state', options?.state ?? 'state-123')
+
+  if (options?.code) params.set('code', options.code)
+  if (options?.error) params.set('error', options.error)
+  if (!options?.code && !options?.error) params.set('code', 'abc123')
+
+  return params
+}
+
+describe('store auth callback server', () => {
+  test('waitForStoreAuthCode resolves after a valid callback', async () => {
+    const port = await getAvailablePort()
+    const params = callbackParams()
+    const onListening = async () => {
+      const response = await globalThis.fetch(`http://127.0.0.1:${port}/auth/callback?${params.toString()}`)
+      expect(response.status).toBe(200)
+      await response.text()
+    }
+
+    await expect(
+      waitForStoreAuthCode({
+        store: 'shop.myshopify.com',
+        state: 'state-123',
+        port,
+        timeoutMs: 1000,
+        onListening,
+      }),
+    ).resolves.toBe('abc123')
+  })
+
+  test('waitForStoreAuthCode rejects when callback state does not match', async () => {
+    const port = await getAvailablePort()
+    const params = callbackParams({state: 'wrong-state'})
+
+    await expect(
+      waitForStoreAuthCode({
+        store: 'shop.myshopify.com',
+        state: 'state-123',
+        port,
+        timeoutMs: 1000,
+        onListening: async () => {
+          const response = await globalThis.fetch(`http://127.0.0.1:${port}/auth/callback?${params.toString()}`)
+          expect(response.status).toBe(400)
+          await response.text()
+        },
+      }),
+    ).rejects.toThrow('OAuth callback state does not match the original request.')
+  })
+
+  test('waitForStoreAuthCode rejects when callback store does not match and suggests the returned permanent domain', async () => {
+    const port = await getAvailablePort()
+    const params = callbackParams({shop: 'other-shop.myshopify.com'})
+
+    await expect(
+      waitForStoreAuthCode({
+        store: 'shop.myshopify.com',
+        state: 'state-123',
+        port,
+        timeoutMs: 1000,
+        onListening: async () => {
+          const response = await globalThis.fetch(`http://127.0.0.1:${port}/auth/callback?${params.toString()}`)
+          expect(response.status).toBe(400)
+          await response.text()
+        },
+      }),
+    ).rejects.toMatchObject({
+      message: 'OAuth callback store does not match the requested store.',
+      tryMessage: 'Shopify returned other-shop.myshopify.com during authentication. Re-run using the permanent store domain:',
+      nextSteps: [[{command: 'shopify store auth --store other-shop.myshopify.com --scopes <comma-separated-scopes>'}]],
+    })
+  })
+
+  test('waitForStoreAuthCode rejects when Shopify returns an OAuth error', async () => {
+    const port = await getAvailablePort()
+    const params = callbackParams({error: 'access_denied'})
+
+    await expect(
+      waitForStoreAuthCode({
+        store: 'shop.myshopify.com',
+        state: 'state-123',
+        port,
+        timeoutMs: 1000,
+        onListening: async () => {
+          const response = await globalThis.fetch(`http://127.0.0.1:${port}/auth/callback?${params.toString()}`)
+          expect(response.status).toBe(400)
+          await response.text()
+        },
+      }),
+    ).rejects.toThrow('Shopify returned an OAuth error: access_denied')
+  })
+
+  test('waitForStoreAuthCode rejects when callback does not include an authorization code', async () => {
+    const port = await getAvailablePort()
+    const params = callbackParams()
+    params.delete('code')
+
+    await expect(
+      waitForStoreAuthCode({
+        store: 'shop.myshopify.com',
+        state: 'state-123',
+        port,
+        timeoutMs: 1000,
+        onListening: async () => {
+          const response = await globalThis.fetch(`http://127.0.0.1:${port}/auth/callback?${params.toString()}`)
+          expect(response.status).toBe(400)
+          await response.text()
+        },
+      }),
+    ).rejects.toThrow('OAuth callback did not include an authorization code.')
+  })
+
+  test('waitForStoreAuthCode rejects when the port is already in use', async () => {
+    const port = await getAvailablePort()
+    const server = createServer()
+    await new Promise<void>((resolve, reject) => {
+      server.on('error', reject)
+      server.listen(port, '127.0.0.1', () => resolve())
+    })
+
+    await expect(
+      waitForStoreAuthCode({
+        store: 'shop.myshopify.com',
+        state: 'state-123',
+        port,
+        timeoutMs: 1000,
+      }),
+    ).rejects.toThrow(`Port ${port} is already in use.`)
+
+    await new Promise<void>((resolve, reject) => {
+      server.close((error) => {
+        if (error) {
+          reject(error)
+          return
+        }
+
+        resolve()
+      })
+    })
+  })
+
+  test('waitForStoreAuthCode rejects on timeout', async () => {
+    const port = await getAvailablePort()
+
+    await expect(
+      waitForStoreAuthCode({
+        store: 'shop.myshopify.com',
+        state: 'state-123',
+        port,
+        timeoutMs: 25,
+      }),
+    ).rejects.toThrow('Timed out waiting for OAuth callback.')
+  })
+})
@@ -0,0 +1,185 @@
+import {normalizeStoreFqdn} from '@shopify/cli-kit/node/context/fqdn'
+import {AbortError} from '@shopify/cli-kit/node/error'
+import {outputContent, outputDebug, outputToken} from '@shopify/cli-kit/node/output'
+import {timingSafeEqual} from 'crypto'
+import {createServer} from 'http'
+import {STORE_AUTH_CALLBACK_PATH, maskToken} from './config.js'
+import {retryStoreAuthWithPermanentDomainError} from './recovery.js'
+
+export interface WaitForAuthCodeOptions {
+  store: string
+  state: string
+  port: number
+  timeoutMs?: number
+  onListening?: () => void | Promise<void>
+}
+
+function renderAuthCallbackPage(title: string, message: string): string {
+  const safeTitle = title
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+  const safeMessage = message
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+
+  return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>${safeTitle}</title>
+  </head>
+  <body style="margin:0;background:#f6f6f7;color:#202223;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;">
+    <main style="max-width:32rem;margin:12vh auto;padding:0 1rem;">
+      <section style="background:#fff;border:1px solid #e1e3e5;border-radius:12px;padding:1.5rem 1.25rem;box-shadow:0 1px 3px rgba(0,0,0,0.06);">
+        <h1 style="margin:0 0 0.75rem 0;font-size:1.375rem;line-height:1.2;">${safeTitle}</h1>
+        <p style="margin:0;font-size:1rem;line-height:1.5;">${safeMessage}</p>
+      </section>
+    </main>
+  </body>
+</html>`
+}
+
+export async function waitForStoreAuthCode({
+  store,
+  state,
+  port,
+  timeoutMs = 5 * 60 * 1000,
+  onListening,
+}: WaitForAuthCodeOptions): Promise<string> {
+  const normalizedStore = normalizeStoreFqdn(store)
+
+  return new Promise<string>((resolve, reject) => {
+    let settled = false
+    let isListening = false
+
+    const timeout = setTimeout(() => {
+      settleWithError(new AbortError('Timed out waiting for OAuth callback.'))
+    }, timeoutMs)
+
+    const server = createServer((req, res) => {
+      const requestUrl = new URL(req.url ?? '/', `http://127.0.0.1:${port}`)
+
+      if (requestUrl.pathname !== STORE_AUTH_CALLBACK_PATH) {
+        res.statusCode = 404
+        res.end('Not found')
+        return
+      }
+
+      const {searchParams} = requestUrl
+
+      const fail = (error: AbortError | string, tryMessage?: string) => {
+        const abortError = typeof error === 'string' ? new AbortError(error, tryMessage) : error
+
+        res.statusCode = 400
+        res.setHeader('Content-Type', 'text/html')
+        res.setHeader('Connection', 'close')
+        res.once('finish', () => settleWithError(abortError))
+        res.end(renderAuthCallbackPage('Authentication failed', abortError.message))
+      }
+
+      const returnedStore = searchParams.get('shop')
+      outputDebug(outputContent`Received OAuth callback for shop ${outputToken.raw(returnedStore ?? 'unknown')}`)
+
+      if (!returnedStore) {
+        fail('OAuth callback store does not match the requested store.')
+        return
+      }
+
+      const normalizedReturnedStore = normalizeStoreFqdn(returnedStore)
+      if (normalizedReturnedStore !== normalizedStore) {
+        fail(retryStoreAuthWithPermanentDomainError(normalizedReturnedStore))
+        return
+      }
+
+      const returnedState = searchParams.get('state')
+      if (!returnedState || !constantTimeEqual(returnedState, state)) {
+        fail('OAuth callback state does not match the original request.')
+        return
+      }
+
+      const error = searchParams.get('error')
+      if (error) {
+        fail(`Shopify returned an OAuth error: ${error}`)
+        return
+      }
+
+      const code = searchParams.get('code')
+      if (!code) {
+        fail('OAuth callback did not include an authorization code.')
+        return
+      }
+
+      outputDebug(outputContent`Received authorization code ${outputToken.raw(maskToken(code))}`)
+
+      res.statusCode = 200
+      res.setHeader('Content-Type', 'text/html')
+      res.setHeader('Connection', 'close')
+      res.once('finish', () => settle(() => resolve(code)))
+      res.end(renderAuthCallbackPage('Authentication succeeded', 'You can close this window and return to the terminal.'))
+    })
+
+    const settle = (callback: () => void) => {
+      if (settled) return
+      settled = true
+      clearTimeout(timeout)
+
+      const finalize = () => {
+        callback()
+      }
+
+      if (!isListening) {
+        finalize()
+        return
+      }
+
+      server.close(() => {
+        isListening = false
+        finalize()
+      })
+      server.closeIdleConnections?.()
+    }
+
+    const settleWithError = (error: Error) => {
+      settle(() => reject(error))
+    }
+
+    server.on('error', (error: NodeJS.ErrnoException) => {
+      if (error.code === 'EADDRINUSE') {
+        settleWithError(
+          new AbortError(
+            `Port ${port} is already in use.`,
+            `Free port ${port} and re-run ${outputToken.genericShellCommand(`shopify store auth --store ${store} --scopes <comma-separated-scopes>`).value}. Ensure that redirect URI is allowed in the app configuration.`,
+          ),
+        )
+        return
+      }
+
+      settleWithError(error)
+    })
+
+    server.listen(port, '127.0.0.1', async () => {
+      isListening = true
+      outputDebug(
+        outputContent`PKCE callback server listening on http://127.0.0.1:${outputToken.raw(String(port))}${outputToken.raw(STORE_AUTH_CALLBACK_PATH)}`,
+      )
+
+      if (!onListening) return
+
+      try {
+        await onListening()
+      } catch (error) {
+        settleWithError(error instanceof Error ? error : new Error(String(error)))
+      }
+    })
+  })
+}
+
+function constantTimeEqual(a: string, b: string): boolean {
+  if (a.length !== b.length) return false
+  return timingSafeEqual(Buffer.from(a, 'utf8'), Buffer.from(b, 'utf8'))
+}