Clone the JWT session before overriding the expiration

Shopify · Jan 14, 2021 · 3032958 · 3032958
1 parent 10b2267
commit 3032958
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 7 deletions.
diff --git a/src/auth/oauth/oauth.ts b/src/auth/oauth/oauth.ts
@@ -143,14 +143,15 @@ const ShopifyOAuth = {
       oauthSessionExpiration = new Date();
     }
     else if (Context.IS_EMBEDDED_APP) {
-      oauthSessionExpiration = new Date(Date.now() + 30000);
-      currentSession.expires = oauthSessionExpiration;
-
-      // If this is an online session for an embedded app, prepare a JWT session to be used from here on out
+      // If this is an online session for an embedded app, prepare a JWT session to be used going forward
       const onlineInfo = currentSession.onlineAccesInfo as OnlineAccessInfo;
       const jwtSessionId = this.getJwtSessionId(currentSession.shop, '' + onlineInfo.associated_user.id);
       const jwtSession = Session.cloneSession(currentSession, jwtSessionId);
       await Context.storeSession(jwtSession);
+
+      // Make sure the current OAuth session expires along with the cookie
+      oauthSessionExpiration = new Date(Date.now() + 30000);
+      currentSession.expires = oauthSessionExpiration;
     }
 
     cookies.set(ShopifyOAuth.SESSION_COOKIE_NAME, currentSession.id, {

diff --git a/src/auth/oauth/test/oauth.test.ts b/src/auth/oauth/test/oauth.test.ts
@@ -259,7 +259,7 @@ describe('validateAuthCallback', () => {
     const successResponse = {
       access_token: 'some access token',
       scope: 'pet_kitties, walk_dogs',
-      expires_in: '525600',
+      expires_in: 525600,
       associated_user_scope: 'pet_kitties',
       associated_user: {
         id: '1',
@@ -299,15 +299,19 @@ describe('validateAuthCallback', () => {
       dest: `https://${shop}`,
       aud: Context.API_KEY,
       sub: '1',
-      exp: Date.now() / 1000 + 3600,
+      exp: new Date(Date.now() + successResponse.expires_in * 1000).getTime() / 1000,
       nbf: 1234,
       iat: 1234,
       jti: '4321',
       sid: 'abc123',
     };
 
     const jwtSessionId = `${shop}_${jwtPayload.sub}`;
-    await expect(Context.loadSession(jwtSessionId)).resolves.not.toBeUndefined();
+    const actualJwtSession = await Context.loadSession(jwtSessionId);
+    expect(actualJwtSession).not.toBeUndefined();
+
+    const actualJwtExpiration = actualJwtSession?.expires ? actualJwtSession.expires.getTime() / 1000 : 0;
+    expect(Math.abs(actualJwtExpiration - jwtPayload.exp)).toBeLessThan(1); // 1-second grace period
 
     // Simulate a subsequent JWT request to see if the session is loaded as the current one