Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ShopifyAPI::Context.old_api_secret_key to support API key rotation #979

Merged
merged 2 commits into from
Jun 24, 2022
Merged

Add ShopifyAPI::Context.old_api_secret_key to support API key rotation #979

merged 2 commits into from
Jun 24, 2022

Conversation

tatsuya
Copy link
Contributor

@tatsuya tatsuya commented Jun 24, 2022
edited
Loading

Description

Fixes #978

Add old_api_secret_key to ShopifyAPI::Context in addition to the existing api_secret_key so that ShopifyAPI::Utils::SessionUtils.current_session_id can verify JWT signed either old or new API secrets, making it possible to rotate API secrets without causing downtime. Details are in #978 and Shopify/shopify_app#1459.

How has this been tested?

Added test cases to make sure that JWTs signed both old and new API secrets are verified correctly.

Checklist:

  • My commit message follow the pattern described in here
  • I have performed a self-review of my own code.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have updated the project documentation.
  • I have added a changelog line.

@tatsuya tatsuya force-pushed the add-old-api-secret-key-to-context branch from 6b29be3 to 16e5ece Compare June 24, 2022 05:22
@tatsuya tatsuya mentioned this pull request Jun 24, 2022
Closed
@tatsuya tatsuya force-pushed the add-old-api-secret-key-to-context branch from 16e5ece to 73a2f8a Compare June 24, 2022 07:16
tatsuya
tatsuya commented Jun 24, 2022
View reviewed changes
Gemfile.lock Outdated Show resolved Hide resolved
tatsuya
tatsuya commented Jun 24, 2022
View reviewed changes
sorbet/rbi/todo.rbi Outdated Show resolved Hide resolved
@tatsuya tatsuya marked this pull request as ready for review June 24, 2022 07:26
@tatsuya tatsuya requested a review from a team as a code owner June 24, 2022 07:26
@tatsuya tatsuya force-pushed the add-old-api-secret-key-to-context branch from 73a2f8a to 8801759 Compare June 24, 2022 07:32
@tatsuya tatsuya changed the title Add Context.old_api_secret_key to support API key rotation Add ShopifyAPI::Context.old_api_secret_key to support API key rotation Jun 24, 2022
mkevinosullivan
mkevinosullivan approved these changes Jun 24, 2022
View reviewed changes
Copy link
Contributor

@mkevinosullivan mkevinosullivan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

andyw8
andyw8 reviewed Jun 24, 2022
View reviewed changes
README.md Outdated Show resolved Hide resolved
@tatsuya tatsuya force-pushed the add-old-api-secret-key-to-context branch from 8801759 to 72c65af Compare June 24, 2022 20:36
@tatsuya tatsuya merged commit eccef0c into main Jun 24, 2022
@tatsuya tatsuya deleted the add-old-api-secret-key-to-context branch June 24, 2022 20:42
@shopify-shipit shopify-shipit bot temporarily deployed to rubygems July 4, 2022 16:27 Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andyw8 andyw8 andyw8 left review comments

@mkevinosullivan mkevinosullivan mkevinosullivan approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

SessionUtils.current_session_id is unable to verify session token signed with old API secret
3 participants
@tatsuya @andyw8 @mkevinosullivan