Allow custom scopes during the auth process

CHANGELOG.md

@@ -4,6 +4,8 @@ Note: For changes to the API, see https://shopify.dev/changelog?filter=api
 
 ## Unreleased
 
+- [#1023](https://github.com/Shopify/shopify-api-ruby/pull/1023) Allow custom scopes during the OAuth process
+
 ## Version 12.1.0
 
 - [#1017](https://github.com/Shopify/shopify-api-ruby/pull/1017) Add support for `http` with localhost development without using a TLS tunnel

lib/shopify_api/auth/oauth.rb

@@ -16,9 +16,18 @@ class << self
             shop: String,
             redirect_path: String,
             is_online: T.nilable(T::Boolean),
+            scope_override: T.nilable(T.any(ShopifyAPI::Auth::AuthScopes, T::Array[String], String)),
           ).returns(T::Hash[Symbol, T.any(String, SessionCookie)])
         end
-        def begin_auth(shop:, redirect_path:, is_online: true)
+        def begin_auth(shop:, redirect_path:, is_online: true, scope_override: nil)
+          scope = if scope_override.nil?
+            ShopifyAPI::Context.scope
+          elsif scope_override.is_a?(ShopifyAPI::Auth::AuthScopes)
+            scope_override
+          else
+            ShopifyAPI::Auth::AuthScopes.new(scope_override)
+          end
+
           unless Context.setup?
             raise Errors::ContextNotSetupError, "ShopifyAPI::Context not setup, please call ShopifyAPI::Context.setup"
           end
@@ -30,7 +39,7 @@ def begin_auth(shop:, redirect_path:, is_online: true)
 
           query = {
             client_id: ShopifyAPI::Context.api_key,
-            scope: ShopifyAPI::Context.scope.to_s,
+            scope: scope.to_s,
             redirect_uri: "#{ShopifyAPI::Context.host}#{redirect_path}",
             state: state,
             "grant_options[]": is_online ? "per-user" : "",

test/auth/oauth_test.rb

@@ -85,6 +85,27 @@ def test_begin_auth_online
         verify_oauth_begin(auth_route: result[:auth_route], cookie: result[:cookie], is_online: true)
       end
 
+      def test_custom_scope_with_auth_scopes
+        result = ShopifyAPI::Auth::Oauth.begin_auth(shop: @shop, redirect_path: "/redirect",
+          scope_override: ShopifyAPI::Auth::AuthScopes.new("read_orders,write_products"))
+        verify_oauth_begin(auth_route: result[:auth_route], cookie: result[:cookie], is_online: true,
+          scope: "read_orders,write_products")
+      end
+
+      def test_custom_scope_with_array_of_strings
+        result = ShopifyAPI::Auth::Oauth.begin_auth(shop: @shop, redirect_path: "/redirect",
+          scope_override: ["read_orders", "write_products"])
+        verify_oauth_begin(auth_route: result[:auth_route], cookie: result[:cookie], is_online: true,
+          scope: "read_orders,write_products")
+      end
+
+      def test_custom_scope_with_a_comma_separated_string
+        result = ShopifyAPI::Auth::Oauth.begin_auth(shop: @shop, redirect_path: "/redirect",
+          scope_override: ["read_orders,write_products"])
+        verify_oauth_begin(auth_route: result[:auth_route], cookie: result[:cookie], is_online: true,
+          scope: "read_orders,write_products")
+      end
+
       def test_begin_auth_context_not_setup
         modify_context(api_key: "", api_secret_key: "", host_name: "")
 
@@ -280,10 +301,10 @@ def test_validate_auth_callback_save_session_fails
 
       private
 
-      def verify_oauth_begin(auth_route:, cookie:, is_online:)
+      def verify_oauth_begin(auth_route:, cookie:, is_online:, scope: ShopifyAPI::Context.scope)
         expected_query_params = {
           client_id: ShopifyAPI::Context.api_key,
-          scope: ShopifyAPI::Context.scope.to_s,
+          scope: scope.to_s,
           redirect_uri: "https://#{ShopifyAPI::Context.host_name}/redirect",
           "grant_options[]": is_online ? "per-user" : "",
         }