Use ensureAuthenticatedAdminAsApp in shopify app execute

[ericlee878]

Resolves: https://github.com/orgs/shop/projects/208/views/34?pane=issue&itemId=140363951&issue=shop%7Cissues-api-foundations%7C1128
Inspired by: #6596 (comment)

Background

The bulk operations execute command currently authenticates using the CLI user's credentials, which has two critical limitations:

1. No access to $app metafields - Cannot query or mutate app-specific metafields
2. Ignores app scopes - Does not respect the app's configured access scopes.

This prevents bulk operations from working properly with app-owned data.

Solution

Implemented ensureAuthenticatedAdminAsApp() that authenticates as the app using OAuth 2.0 client credentials grant. This provides:

• Full access to $app metafields
• Respects the app's configured scopes
• Proper app-context authentication

This idea originally came from a hack days.

EDIT: Actually #6649 beat us to it! This PR now just adjusts app execute to use this feature, and doesn't have to implement it itself.

Implementation Notes

• The API secret extraction pattern follows the existing approach in webhook/trigger-options.ts.
• Currently both app and remoteApp are passed to executeBulkOperation. The app parameter is only used for:
  • Display name (app.name)
  • Client ID (app.configuration.client_id)

Both values are also available on remoteApp as title and apiKey. Could be simplified in the future to only use remoteApp for consistency.

Testing

To test with this new authentification, you must install the app on the store. You can do this by:

cd <PATH_TO_TEST_APP>
pnpm shopify app dev

Then, we can use the existing command works unchanged:

For queries:

pnpm shopify:run app execute \
  --path <PATH_TO_TEST_APPP> \
  -q '{ products(first: 10) { edges { node { id title } } } }'

For mutations:

pnpm shopify:run app execute \
  --path <PATH_TO_TEST_APPP> \
  -q 'mutation productUpdate($input: ProductInput!) { productUpdate(input: $input) { product { id tags } userErrors { field message } } }' \
  -v '[{"input": {"id": "gid://shopify/Product/9721830834416", "tags": ["bulk-test"]}}]'

Now authenticates as the app instead of the CLI user, enabling access to app-scoped resources.

[ericlee878]

• Use ensureAuthenticatedAdminAsApp in shopify app execute #6643 : 2 dependent PRs (#6663 , #6667 ) 👈 (View in Graphite)
• Add --variable-file flag for bulk operation mutations #6636
• Add GraphQL Operation Validation for Bulk Operations CLI #6632
• Add erroring for when variables are given for a BulkOps query #6622
• Implement mutation support for BulkOps CLI command #6596
• Initial Setup: Bulk Operations Infrastructure for Shopify CLI  #6588 : 1 other dependent PR (#6595 )
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

Coverage report

St.❔	Category	Percentage	Covered / Total
🟡	Statements	79.27% (+0.04% 🔼)	13725/17314
🟡	Branches	73.17% (+0.06% 🔼)	6699/9155
🟡	Functions	79.42% (+0.04% 🔼)	3530/4445
🟡	Lines	79.64% (+0.06% 🔼)	12970/16286

Show new covered files 🐣

St.❔	File	Statements	Branches	Functions	Lines
🟢	... / admin-as-app.ts	100%	100%	100%	100%
🟢	... / bulk-operation-run-mutation.ts	100%	100%	100%	100%
🟢	... / bulk-operation-run-query.ts	100%	100%	100%	100%
🟢	... / get-bulk-operation-by-id.ts	100%	100%	100%	100%
🟢	... / staged-uploads-create.ts	100%	100%	100%	100%
🟢	... / download-bulk-operation-results.ts	100%	100%	100%	100%
🟢	... / execute-bulk-operation.ts	90.91%	80.56%	100%	92.31%
🟢	... / format-bulk-operation-status.ts	100%	100%	100%	100%
🟢	... / run-mutation.ts	100%	100%	100%	100%
🟢	... / run-query.ts	100%	100%	100%	100%
🟡	... / stage-file.ts	72.73%	62.5%	83.33%	71.88%
🟢	... / watch-bulk-operation.ts	100%	100%	100%	100%

Show files with reduced coverage 🔻

St.❔	File	Statements	Branches	Functions	Lines
🟡	... / specification.ts	68.52% (-0.57% 🔻)	75.61% (+2.44% 🔼)	76.47% (-1.31% 🔻)	68.09% (-0.66% 🔻)
🟢	... / developer-platform-client.ts	84.62% (-1.5% 🔻)	73.68% (+3.1% 🔼)	81.82% (+1.82% 🔼)	90.63% (-2.71% 🔻)
🟢	... / api.ts	87.07% (-0.43% 🔻)	76.71% (-0.1% 🔻)	100%	86.49% (-0.43% 🔻)
🟢	... / ConcurrentOutput.tsx	98.36% (-1.64% 🔻)	92% (-4% 🔻)	100%	98.33% (-1.67% 🔻)
🔴	... / ui.tsx	50.82% (-0.79% 🔻)	42.86% (-5.53% 🔻)	54.55% (+1.42% 🔼)	50% (-0.82% 🔻)
🟢	... / console.ts	81.82% (+15.15% 🔼)	75% (-25% 🔻)	100% (+33.33% 🔼)	81.82% (+15.15% 🔼)
🔴	... / dev.ts	12.77% (-0.57% 🔻)	2.78% (-0.16% 🔻)	57.14%	12.77% (-0.57% 🔻)
🟡	... / theme-environment.ts	69.57% (-1.86% 🔻)	50%	55.56% (-3.27% 🔻)	69.57% (-1.86% 🔻)

Test suite run success

3406 tests passing in 1386 suites.

Report generated by 🧪jest coverage report action from 02b54ed

[github-actions]

We detected some changes at packages/*/src and there are no updates in the .changeset.
If the changes are user-facing, run pnpm changeset add to track your changes and include them in the next release CHANGELOG.

Caution

DO NOT create changesets for features which you do not wish to be included in the public changelog of the next CLI release.

[nickwesselman]

Would like both CLI and someone w/ knowledge of app access to confirm this approach but this meets the Product requirements 👍🏻

[github-actions]

Differences in type declarations

We detected differences in the type declarations generated by Typescript for this branch compared to the baseline ('main' branch). Please, review them to ensure they are backward-compatible. Here are some important things to keep in mind:

• Some seemingly private modules might be re-exported through public modules.
• If the branch is behind main you might see odd diffs, rebase main into this branch.

New type declarations

We found no new type declarations in this PR

Existing type declarations

packages/cli-kit/dist/public/node/session.d.ts

@@ -97,6 +97,17 @@ export declare function ensureAuthenticatedStorefront(scopes?: StorefrontRendere
  * @returns The access token for the Admin API.
  */
 export declare function ensureAuthenticatedAdmin(store: string, scopes?: AdminAPIScope[], options?: EnsureAuthenticatedAdditionalOptions): Promise<AdminSession>;
+/**
+ * Ensure that we have a valid Admin session for the given store, acting on behalf of the app.
+ *
+ * This will fail if the app has not already been installed.
+ *
+ * @param storeFqdn - Store fqdn to request auth for.
+ * @param apiKey - API key for the app.
+ * @param apiSecret - API secret for the app.
+ * @returns The access token for the Admin API.
+ */
+export declare function ensureAuthenticatedAdminAsApp(storeFqdn: string, apiKey: string, apiSecret: string): Promise<AdminSession>;
 /**
  * Ensure that we have a valid session to access the Theme API.
  * If a password is provided, that token will be used against Theme Access API.

[RyanDJLee]

Changes make sense to me, but let's make sure we do not expose the access token before we ship.

[jordanverasamy]

What actually is a remote app? It seems odd to me to set up a session using the client ID from app but the API secret from remoteApp... but I'm guessing this is correct for some complicated reason. Can you explain?

[jordanverasamy]

Ah, I see this from the PR desc:

Both values are also available on remoteApp as title and apiKey. Could be simplified in the future to only use remoteApp for consistency.

Maybe we should adjust it to use remoteApp all the way through for consistency and to minimize confusion, if possible? How big of a lift is that you think?

[ericlee878]

I kept it for consistency. All other CLI's used app. Didn't seem like it would hurt to keep it in there?

[isaacroldan]

remoteApp is the remote representation of the App obtained via the API. The secret can only be obtained from the remoteApp, is not available in the "local" app

[isaacroldan]

you can use remoteApp​ to access the client_id value too yes.

[ericlee878]

Removed app and using remoteApp for everything.

[jordanverasamy]

Assuming that this is all following the directions from app access, this PR seems reasonable to me, but I don't currently understand deeply enough to have a meaningful ✅ .

[graphite-app]

Merge activity

• Nov 26, 7:37 PM UTC: This pull request can not be added to the Graphite merge queue. Please try rebasing and resubmitting to merge when ready.
• Nov 26, 7:37 PM UTC: Graphite disabled "merge when ready" on this PR due to: a merge conflict with the target branch; resolve the conflict and try again..

[gonzaloriestra]

I was going to say that ensureAuthenticatedAdminAsApp was already added by #6649, but I guess you already realized, no?

The description is outdated, but the changes make sense.

[jordanverasamy]

Yeah, sorry for the outdated description -- I'll update at least the title so it'll be clearer to future readers what this PR is actually doing.

Thanks for the quick review!