Merge pull request #2123 from Shopify/liz/dont-retry-invalid-session-…

…extensions [Patch] Don't set retry headers on extension requests
Shopify · Feb 20, 2025 · c762ca0 · c762ca0
2 parents b65baa5 + 355c4a3
commit c762ca0
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/.changeset/brown-singers-collect.md b/.changeset/brown-singers-collect.md
@@ -0,0 +1,8 @@
+---
+'@shopify/shopify-app-remix': patch
+---
+# Don't retry extension requests with invalid session tokens
+
+Requests from the embedded app admin UI are not retried when the session token is invalid. This is done with the special app bridge header `x-shopify-session-token-retry-request`.
+
+Requests from extensions cannot be retried, so we are no longer adding this header to the response.
diff --git a/packages/apps/shopify-app-remix/src/server/authenticate/helpers/validate-session-token.ts b/packages/apps/shopify-app-remix/src/server/authenticate/helpers/validate-session-token.ts
@@ -7,13 +7,14 @@ import {getShopFromRequest} from './get-shop-from-request';
 
 interface ValidateSessionTokenOptions {
   checkAudience?: boolean;
+  retryRequest?: boolean;
 }
 
 export async function validateSessionToken(
   params: BasicParams,
   request: Request,
   token: string,
-  {checkAudience = true}: ValidateSessionTokenOptions = {},
+  {checkAudience = true, retryRequest = true}: ValidateSessionTokenOptions = {},
 ): Promise<JwtPayload> {
   const {api, logger} = params;
   const shop = getShopFromRequest(request);
@@ -34,6 +35,6 @@ export async function validateSessionToken(
       shop,
     });
 
-    throw respondToInvalidSessionToken({params, request, retryRequest: true});
+    throw respondToInvalidSessionToken({params, request, retryRequest});
   }
 }
diff --git a/packages/apps/shopify-app-remix/src/server/authenticate/public/extension/authenticate.ts b/packages/apps/shopify-app-remix/src/server/authenticate/public/extension/authenticate.ts
@@ -46,7 +46,7 @@ export function authenticateExtensionFactory(
         params,
         request,
         sessionTokenHeader,
-        {checkAudience: false},
+        {checkAudience: false, retryRequest: false},
       ),
       cors: ensureCORSHeadersFactory(params, request, corsHeaders),
     };