implement-ensureAuthenticatedAdminAsApp-for-BulkOps-CLI

ericlee878 · ericlee878 · commit 0e7b7652e762 · 2025-11-20T10:00:10.000-08:00
diff --git a/packages/app/src/cli/commands/app/execute.ts b/packages/app/src/cli/commands/app/execute.ts
@@ -36,6 +36,7 @@ export default class Execute extends AppLinkedCommand {
 
     await executeBulkOperation({
       app: appContextResult.app,
+      remoteApp: appContextResult.remoteApp,
       storeFqdn: store.shopDomain,
       query: flags.query,
       variables: flags.variables,
diff --git a/packages/app/src/cli/services/bulk-operations/execute-bulk-operation.test.ts b/packages/app/src/cli/services/bulk-operations/execute-bulk-operation.test.ts
@@ -2,22 +2,38 @@ import {executeBulkOperation} from './execute-bulk-operation.js'
 import {runBulkOperationQuery} from './run-query.js'
 import {runBulkOperationMutation} from './run-mutation.js'
 import {AppLinkedInterface} from '../../models/app/app.js'
+import {OrganizationApp} from '../../models/organization.js'
 import {renderSuccess, renderWarning} from '@shopify/cli-kit/node/ui'
-import {ensureAuthenticatedAdmin} from '@shopify/cli-kit/node/session'
+import {ensureAuthenticatedAdminAsApp} from '@shopify/cli-kit/node/session'
 import {inTemporaryDirectory, writeFile} from '@shopify/cli-kit/node/fs'
 import {joinPath} from '@shopify/cli-kit/node/path'
 import {describe, test, expect, vi, beforeEach} from 'vitest'
 
 vi.mock('./run-query.js')
 vi.mock('./run-mutation.js')
 vi.mock('@shopify/cli-kit/node/ui')
-vi.mock('@shopify/cli-kit/node/session')
+vi.mock('@shopify/cli-kit/node/session', async () => {
+  const actual = await vi.importActual('@shopify/cli-kit/node/session')
+  return {
+    ...actual,
+    ensureAuthenticatedAdminAsApp: vi.fn(),
+  }
+})
 
 describe('executeBulkOperation', () => {
   const mockApp = {
     name: 'Test App',
+    configuration: {
+      client_id: 'test-app-client-id',
+    },
   } as AppLinkedInterface
 
+  const mockRemoteApp = {
+    apiKey: 'test-app-client-id',
+    apiSecretKeys: [{secret: 'test-api-secret'}],
+    title: 'Test App',
+  } as OrganizationApp
+
   const storeFqdn = 'test-store.myshopify.com'
   const mockAdminSession = {token: 'test-token', storeFqdn}
 
@@ -32,7 +48,7 @@ describe('executeBulkOperation', () => {
   }
 
   beforeEach(() => {
-    vi.mocked(ensureAuthenticatedAdmin).mockResolvedValue(mockAdminSession)
+    vi.mocked(ensureAuthenticatedAdminAsApp).mockResolvedValue(mockAdminSession)
   })
 
   test('runs query operation when GraphQL document starts with query', async () => {
@@ -45,6 +61,7 @@ describe('executeBulkOperation', () => {
 
     await executeBulkOperation({
       app: mockApp,
+      remoteApp: mockRemoteApp,
       storeFqdn,
       query,
     })
@@ -66,6 +83,7 @@ describe('executeBulkOperation', () => {
 
     await executeBulkOperation({
       app: mockApp,
+      remoteApp: mockRemoteApp,
       storeFqdn,
       query,
     })
@@ -87,6 +105,7 @@ describe('executeBulkOperation', () => {
 
     await executeBulkOperation({
       app: mockApp,
+      remoteApp: mockRemoteApp,
       storeFqdn,
       query: mutation,
     })
@@ -110,6 +129,7 @@ describe('executeBulkOperation', () => {
 
     await executeBulkOperation({
       app: mockApp,
+      remoteApp: mockRemoteApp,
       storeFqdn,
       query: mutation,
       variables,
@@ -131,6 +151,7 @@ describe('executeBulkOperation', () => {
     vi.mocked(runBulkOperationQuery).mockResolvedValue(mockResponse as any)
     await executeBulkOperation({
       app: mockApp,
+      remoteApp: mockRemoteApp,
       storeFqdn,
       query,
     })
@@ -154,6 +175,7 @@ describe('executeBulkOperation', () => {
 
     await executeBulkOperation({
       app: mockApp,
+      remoteApp: mockRemoteApp,
       storeFqdn,
       query,
     })
@@ -172,6 +194,7 @@ describe('executeBulkOperation', () => {
     await expect(
       executeBulkOperation({
         app: mockApp,
+        remoteApp: mockRemoteApp,
         storeFqdn,
         query: malformedQuery,
       }),
@@ -188,6 +211,7 @@ describe('executeBulkOperation', () => {
     await expect(
       executeBulkOperation({
         app: mockApp,
+        remoteApp: mockRemoteApp,
         storeFqdn,
         query: multipleOperations,
       }),
@@ -208,6 +232,7 @@ describe('executeBulkOperation', () => {
     await expect(
       executeBulkOperation({
         app: mockApp,
+        remoteApp: mockRemoteApp,
         storeFqdn,
         query: noOperations,
       }),
@@ -236,6 +261,7 @@ describe('executeBulkOperation', () => {
 
       await executeBulkOperation({
         app: mockApp,
+        remoteApp: mockRemoteApp,
         storeFqdn,
         query: mutation,
         variableFile: variableFilePath,
@@ -261,6 +287,7 @@ describe('executeBulkOperation', () => {
       await expect(
         executeBulkOperation({
           app: mockApp,
+          remoteApp: mockRemoteApp,
           storeFqdn,
           query: mutation,
           variables,
@@ -282,6 +309,7 @@ describe('executeBulkOperation', () => {
       await expect(
         executeBulkOperation({
           app: mockApp,
+          remoteApp: mockRemoteApp,
           storeFqdn,
           query: mutation,
           variableFile: nonExistentPath,
@@ -300,6 +328,7 @@ describe('executeBulkOperation', () => {
     await expect(
       executeBulkOperation({
         app: mockApp,
+        remoteApp: mockRemoteApp,
         storeFqdn,
         query,
         variables,
@@ -320,6 +349,7 @@ describe('executeBulkOperation', () => {
       await expect(
         executeBulkOperation({
           app: mockApp,
+          remoteApp: mockRemoteApp,
           storeFqdn,
           query,
           variableFile: variableFilePath,
diff --git a/packages/app/src/cli/services/bulk-operations/execute-bulk-operation.ts b/packages/app/src/cli/services/bulk-operations/execute-bulk-operation.ts
@@ -1,15 +1,17 @@
 import {runBulkOperationQuery} from './run-query.js'
 import {runBulkOperationMutation} from './run-mutation.js'
 import {AppLinkedInterface} from '../../models/app/app.js'
+import {OrganizationApp} from '../../models/organization.js'
 import {renderSuccess, renderInfo, renderWarning} from '@shopify/cli-kit/node/ui'
 import {outputContent, outputToken} from '@shopify/cli-kit/node/output'
-import {ensureAuthenticatedAdmin} from '@shopify/cli-kit/node/session'
+import {ensureAuthenticatedAdminAsApp} from '@shopify/cli-kit/node/session'
 import {AbortError} from '@shopify/cli-kit/node/error'
 import {parse} from 'graphql'
 import {readFile, fileExists} from '@shopify/cli-kit/node/fs'
 
 interface ExecuteBulkOperationInput {
   app: AppLinkedInterface
+  remoteApp: OrganizationApp
   storeFqdn: string
   query: string
   variables?: string[]
@@ -42,13 +44,16 @@ async function parseVariablesToJsonl(variables?: string[], variableFile?: string
 }
 
 export async function executeBulkOperation(input: ExecuteBulkOperationInput): Promise<void> {
-  const {app, storeFqdn, query, variables, variableFile} = input
+  const {app, remoteApp, storeFqdn, query, variables, variableFile} = input
 
   renderInfo({
     headline: 'Starting bulk operation.',
     body: `App: ${app.name}\nStore: ${storeFqdn}`,
   })
-  const adminSession = await ensureAuthenticatedAdmin(storeFqdn)
+
+  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+  const apiSecret = remoteApp.apiSecretKeys.find((elm) => elm.secret)!.secret
+  const adminSession = await ensureAuthenticatedAdminAsApp(storeFqdn, app.configuration.client_id, apiSecret)
 
   validateGraphQLDocument(query, variables)
 
diff --git a/packages/cli-kit/src/public/node/session.test.ts b/packages/cli-kit/src/public/node/session.test.ts
@@ -1,5 +1,6 @@
 import {
   ensureAuthenticatedAdmin,
+  ensureAuthenticatedAdminAsApp,
   ensureAuthenticatedAppManagementAndBusinessPlatform,
   ensureAuthenticatedBusinessPlatform,
   ensureAuthenticatedPartners,
@@ -8,6 +9,7 @@ import {
 } from './session.js'
 
 import {getPartnersToken} from './environment.js'
+import {shopifyFetch} from './http.js'
 import {ApplicationToken} from '../../private/node/session/schema.js'
 import {ensureAuthenticated, setLastSeenAuthMethod, setLastSeenUserIdAfterAuth} from '../../private/node/session.js'
 import {
@@ -29,6 +31,7 @@ vi.mock('../../private/node/session.js')
 vi.mock('../../private/node/session/exchange.js')
 vi.mock('../../private/node/session/store.js')
 vi.mock('./environment.js')
+vi.mock('./http.js')
 
 describe('ensureAuthenticatedStorefront', () => {
   test('returns only storefront token if success', async () => {
@@ -216,6 +219,39 @@ describe('ensureAuthenticatedBusinessPlatform', () => {
   })
 })
 
+describe('ensureAuthenticatedAdminAsApp', () => {
+  test('returns admin token authenticated as app using client credentials', async () => {
+    // Given
+    const apiKey = 'test-api-key'
+    const apiSecret = 'test-api-secret'
+    const store = 'mystore.myshopify.com'
+    const mockToken = 'shpat_admin-as-app-token'
+
+    vi.mocked(shopifyFetch).mockResolvedValueOnce({
+      json: async () => ({access_token: mockToken}),
+    } as any)
+
+    // When
+    const got = await ensureAuthenticatedAdminAsApp(store, apiKey, apiSecret)
+
+    // Then
+    expect(got).toEqual({token: mockToken, storeFqdn: store})
+    expect(shopifyFetch).toHaveBeenCalledWith(
+      expect.stringContaining(`https://${store}/admin/oauth/access_token`),
+      expect.objectContaining({
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+      }),
+    )
+    const call = vi.mocked(shopifyFetch).mock.calls[0]![0]
+    expect(call).toContain('client_id=test-api-key')
+    expect(call).toContain('client_secret=test-api-secret')
+    expect(call).toContain('grant_type=client_credentials')
+  })
+})
+
 describe('ensureAuthenticatedAppManagementAndBusinessPlatform', () => {
   test('returns app management and business platform tokens if success', async () => {
     // Given
diff --git a/packages/cli-kit/src/public/node/session.ts b/packages/cli-kit/src/public/node/session.ts
@@ -1,6 +1,8 @@
 import {BugError} from './error.js'
 import {getPartnersToken} from './environment.js'
 import {nonRandomUUID} from './crypto.js'
+import {normalizeStoreFqdn} from './context/fqdn.js'
+import {shopifyFetch} from './http.js'
 import * as sessionStore from '../../private/node/session/store.js'
 import {
   exchangeCustomPartnerToken,
@@ -20,6 +22,7 @@ import {
   setLastSeenUserIdAfterAuth,
 } from '../../private/node/session.js'
 import {isThemeAccessSession} from '../../private/node/api/rest.js'
+import {encode as queryStringEncode} from 'node:querystring'
 
 /**
  * Session Object to access the Admin API, includes the token and the store FQDN.
@@ -226,6 +229,39 @@ ${outputToken.json(scopes)}
   return tokens.admin
 }
 
+/**
+ * Ensure that we have a valid Admin session for the given store, acting on behalf of the app.
+ *
+ * This will fail if the app has not already been installed.
+ *
+ * @param storeFqdn - Store fqdn to request auth for.
+ * @param apiKey - API key for the app.
+ * @param apiSecret - API secret for the app.
+ * @returns The access token for the Admin API.
+ */
+export async function ensureAuthenticatedAdminAsApp(
+  storeFqdn: string,
+  apiKey: string,
+  apiSecret: string,
+): Promise<AdminSession> {
+  const queryString = queryStringEncode({
+    client_id: apiKey,
+    client_secret: apiSecret,
+    grant_type: 'client_credentials',
+  })
+  const normalised = await normalizeStoreFqdn(storeFqdn)
+  const tokenResponse = await shopifyFetch(`https://${normalised}/admin/oauth/access_token?${queryString}`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+    },
+  })
+  const tokenJson = (await tokenResponse.json()) as {access_token: string}
+  outputDebug(outputContent`Token: ${outputToken.raw(tokenJson.access_token)}`)
+  const token = tokenJson.access_token
+  return {token, storeFqdn: normalised}
+}
+
 /**
  * Ensure that we have a valid session to access the Theme API.
  * If a password is provided, that token will be used against Theme Access API.
