Skip to content

Escape store auth session keys#7864

Open
alfonso-noriega wants to merge 1 commit into
donald/store-list-local-fallbackfrom
donald/store-auth-escaped-session-keys
Open

Escape store auth session keys#7864
alfonso-noriega wants to merge 1 commit into
donald/store-list-local-fallbackfrom
donald/store-auth-escaped-session-keys

Conversation

@alfonso-noriega

@alfonso-noriega alfonso-noriega commented Jun 19, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

WHY are these changes introduced?

Follow-up to discussion on #7709 about avoiding recursive crawling of conf storage for store-auth sessions.

WHAT is this pull request doing?

Escapes dots in store-auth session keys before passing them to conf, so a store domain is persisted as one top-level key instead of a nested dotted path. The listing code now scans only top-level store-auth buckets and ignores legacy nested entries.

This intentionally means stores authenticated with the old nested key format may need to be re-authenticated.

How to test your changes?

pnpm --filter @shopify/store vitest src/cli/services/store/auth/session-store.test.ts src/cli/services/store/auth/stored-auth.test.ts
pnpm --filter @shopify/store lint
pnpm --filter @shopify/store type-check

Post-release steps

None.

Checklist

  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've considered possible documentation changes
  • I've considered analytics changes to measure impact
  • The change is user-facing — I've identified the correct bump type (patch for bug fixes · minor for new features · major for breaking changes) and added a changeset with pnpm changeset add

This was referenced Jun 19, 2026
Open
Open
@alfonso-noriega alfonso-noriega mentioned this pull request Jun 19, 2026
Merged
@alfonso-noriega Graphite App

alfonso-noriega commented Jun 19, 2026

Copy link
Copy Markdown
Contributor Author

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

@github-actions github-actions Bot added the no-changelog This PR doesn't include a changeset entry. Is an internal only change not relevant to end users. label Jun 19, 2026
@alfonso-noriega alfonso-noriega marked this pull request as ready for review June 19, 2026 11:13
@alfonso-noriega alfonso-noriega requested a review from a team as a code owner June 19, 2026 11:13
isaacroldan
isaacroldan reviewed Jun 19, 2026
View reviewed changes
Comment thread packages/store/src/cli/services/store/auth/config.ts
}

function escapeStoreAuthSessionKeySegment(value: string): string {
return value.replace(/\./g, '\\.')

@isaacroldan isaacroldan Jun 19, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it better to escape or to replace them? maybe is safer to use -?

@alfonso-noriega alfonso-noriega Jun 19, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think escaping is safer here than replacing with -: - is valid in store domains, so replacement can create collisions between distinct domains. dot-prop explicitly supports escaped dots for this exact case, and the persisted JSON key remains the original domain string rather than an encoded/replaced value. If we want to avoid relying on dot-prop escaping semantics entirely, I think encodeURIComponent(store) would be the safer alternative over - replacement.

@alfonso-noriega alfonso-noriega force-pushed the donald/store-auth-escaped-session-keys branch from a571bc3 to 9e2c4f3 Compare June 19, 2026 11:18
@alfonso-noriega alfonso-noriega force-pushed the donald/store-list-local-fallback branch 2 times, most recently from 067f712 to 57d47f2 Compare June 19, 2026 11:55
@alfonso-noriega alfonso-noriega force-pushed the donald/store-auth-escaped-session-keys branch 2 times, most recently from 4513bd6 to a868c3a Compare June 19, 2026 12:28
@alfonso-noriega
Escape store auth session keys
c324278 
Assisted-By: devx/a802aefd-9486-4d1e-bf5d-9541c093b99d
@alfonso-noriega alfonso-noriega force-pushed the donald/store-auth-escaped-session-keys branch from a868c3a to c324278 Compare June 19, 2026 12:29
@alfonso-noriega alfonso-noriega force-pushed the donald/store-list-local-fallback branch from 57d47f2 to 3f7e81a Compare June 19, 2026 12:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@isaacroldan isaacroldan isaacroldan approved these changes

Assignees

No one assigned

Labels

no-changelog This PR doesn't include a changeset entry. Is an internal only change not relevant to end users.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alfonso-noriega @isaacroldan