- a60c214: Fix type error in graphql error handler
- 513f9e6: Fixed an issue with the `RecurringApplicationCharge` REST resource currency type
- 3415a8c: Added support for the 2024-04 API version.
- c9dff9f: Add `Shop.current()` method to the REST resources
- b60c6c9: Fixes a bug that returned the `onlineAccessInfo` field on the session when the session is offline
- 96a0aab: Fix bug that was causing duplicate keys in Session when using FromPropertyArray with returnUserData = true
- b912ecd: Updates the Session class to handle the associated user information on the session object.

  Updates the Session `fromPropertyArray` to handle all user info fields. New optional argument `returnUserData` (defaulted to `false`) will return the user data if it is a part of the property array. This will be defaulted to `true` in an upcoming version.

  ```ts
  const sessionProperties = session.toPropertyArray(true);
  /*
    if sessionProperties has the following data...
    [
      ['id', 'online_session_id'],
      ['shop', 'online-session-shop'],
      ['state', 'online-session-state'],
      ['isOnline', true],
      ['scope', 'online-session-scope'],
      ['accessToken', 'online-session-token'],
      ['expires', 1641013200000], // example = January 1, 2022, as number of milliseconds since Jan 1, 1970
      ['userId', 1],
      ['first_name', 'online-session-first-name'],
      ['last_name', 'online-session-last-name'],
      ['email', 'online-session-email'],
      ['locale', 'online-session-locale'],
      ['email_verified', false],
      ['account_owner', true],
      ['collaborator', false],
    ]
  */

  // Renamed from `session` so the snippet does not redeclare the variable used above
  const restoredSession = Session.fromPropertyArray(sessionProperties, true);
  /*
    ... then restoredSession will have the following data...
    {
      id: 'online_session_id',
      shop: 'online-session-shop',
      state: 'online-session-state',
      isOnline: true,
      scope: 'online-session-scope',
      accessToken: 'online-session-token',
      expires: 2022-01-01T05:00:00.000Z, // Date object
      onlineAccessInfo: {
        associated_user: {
          id: 1,
          first_name: 'online-session-first-name',
          last_name: 'online-session-last-name',
          email: 'online-session-email',
          locale: 'online-session-locale',
          email_verified: false,
          account_owner: true,
          collaborator: false,
        },
      }
    }
  */
  ```

  Updates the Session `toPropertyArray` to handle all user info fields. New optional argument `returnUserData` (defaulted to `false`) will return the user data as part of the property array object. This will be defaulted to `true` in an upcoming version.

  ```ts
  const { session, headers } = await shopify.auth.callback({
    rawRequest: req,
    rawResponse: res,
  });
  /*
    If session has the following data content...
    {
      id: 'online_session_id',
      shop: 'online-session-shop',
      state: 'online-session-state',
      isOnline: true,
      scope: 'online-session-scope',
      accessToken: 'online-session-token',
      expires: 2022-01-01T05:00:00.000Z, // Date object
      onlineAccessInfo: {
        expires_in: 1,
        associated_user_scope: 'online-session-user-scope',
        associated_user: {
          id: 1,
          first_name: 'online-session-first-name',
          last_name: 'online-session-last-name',
          email: 'online-session-email',
          locale: 'online-session-locale',
          email_verified: true,
          account_owner: true,
          collaborator: false,
        },
      }
    }
  */

  // returnUserData = true is needed to get the user fields shown below
  const sessionProperties = session.toPropertyArray(true);
  /*
    ... then sessionProperties will have the following data...
    [
      ['id', 'online_session_id'],
      ['shop', 'online-session-shop'],
      ['state', 'online-session-state'],
      ['isOnline', true],
      ['scope', 'online-session-scope'],
      ['accessToken', 'online-session-token'],
      ['expires', 1641013200000], // example = January 1, 2022, as number of milliseconds since Jan 1, 1970
      ['userId', 1], // New: returns the user id under the userId key instead of onlineAccessInfo
      ['first_name', 'online-session-first-name'],
      ['last_name', 'online-session-last-name'],
      ['email', 'online-session-email'],
      ['locale', 'online-session-locale'],
      ['email_verified', true],
      ['account_owner', true],
      ['collaborator', false],
    ]
  */
  ```
- 87208ea: Add a context argument to webhooks process function to make it easier for Cloudflare apps (and others that might use a context object) to pass information to the handler.
- 1344258: Bumps jose from 5.2.2 to 5.2.3.
- 01371f7: Add function to authenticate fulfillment service requests
- 4e7c479: Show an INFO log for disabled future flags to encourage apps to migrate ahead of time, making major version bumps simpler.
- 13a230d: Enabled returning the full response object in `Customer.search()` and `GiftCard.search()`, so that apps can paginate through the results.
- f57712c: Refactor HMAC validation to use a common function.
- 01a803d: Reintroduced logging of HTTP requests for OAuth processes, which was incorrectly removed when the new clients were introduced.
- @shopify/[email protected]
- @shopify/[email protected]
- @shopify/[email protected]
- @shopify/[email protected]
- d6657e8: Return additional app subscription plan information, including the line item IDs
- 6eb8091: Updated dependency on `jose`
- @shopify/[email protected]
- @shopify/[email protected]
- Updated dependencies [9df4bacf]
- @shopify/[email protected]
- @shopify/[email protected]
- 661d52dd: Fix bug with creation of webhooks with subtopics
- 35e06823: Add webhook subtopic as an additional option field when creating webhook subscriptions
- fbae4bcc: Bumps compare-versions from 5.0.3 to 6.1.0.
- cc52aaca: Fix linked reference for session in token exchange docs
- @shopify/[email protected]
- @shopify/[email protected]
- e2d4fee2: Update lineItemBilling future flag to v10. Current users of `unstable_lineItemBilling` will need to update to `v10_lineItemBilling` to continue using this feature.

  ```ts
  const shopify = shopifyApi({
    // ...
    future: {
      v10_lineItemBilling: true,
    },
  });
  ```
- db7d9cff: Remove gating of the token exchange API behind the `unstable_tokenExchange` flag.
- 9c41d910: Added support for validating Flow extension requests, using `shopify.authenticate.flow`.

  Please see the `flow` object documentation for more information.

- 348b138a: Export GraphqlClient class from types
- 224fbf57: Fixed the types of the `balance` and `currency` fields in the `GiftCard` object.
- 0f0ffb8a: Updated global fetch types to more closely match reality
- Updated dependencies [0f0ffb8a]
- @shopify/[email protected]
- @shopify/[email protected]
- 4d7f9a01: Update documentation with required shopifyApi params
- 1b4caf91: Return "body" field from GraphqlQueryError type
- Updated dependencies [b2414c2f]
- @shopify/[email protected]
- @shopify/[email protected]
- fdd25e13: Fixed an issue in the `RestClient` class' `request` method, which was incorrectly made `private` instead of `protected`.
- @shopify/[email protected]
- @shopify/[email protected]
- 64f61414:

  > [!NOTE]
  > This change only affects apps that are using custom runtime adapters. If you're using a default adapter from this package, you don't need to make this change.

  Changed `setAbstractFetchFunc` to accept a `fetch` API instead of one based on `NormalizedRequest` and `NormalizedResponse`.

  With this change, we can return a `Response` object for requests with the upcoming clients, which can help make the interface for requests more familiar to users.

  For more information and examples, see the migration guide to v9.
- 7bd4be08: Rephrased `gdprTopics` to `privacyTopics` to account for other privacy regulations with data subject requests.

  This changes the name of the exported object. You can fix this by changing your `import` statements:

  Before:

  ```ts
  import { gdprTopics } from "@shopify/shopify-api";
  ```

  After:

  ```ts
  import { privacyTopics } from "@shopify/shopify-api";
  ```
- 83b15905: Allow access tokens to be marked as expired before actual expiry.

- 218f4521: Use the new GraphQL API clients in shopify-api to use all of the latest features, including automatic types for query / mutation return object and variables.

  For more information and examples, see the migration guide to v9.

- 18781092: Updated shopify-api GraphQL clients' APIs to be closer to the underlying clients

- 4dd7612d: Underpinned the new REST client from `admin-api-client` into `shopify-api`, so apps can access it as a standalone client as well.

- 5e85e15b: Added support for the 2024-01 API version.

- 64cda80a: Add helpers to convert between shop admin URLs and legacy URLs. `sanitizeShop` utility method can now support shop admin URLs.
- Updated dependencies [88858305]
- Updated dependencies [218f4521]
- Updated dependencies [0286e7fe]
- Updated dependencies [18781092]
- Updated dependencies [2b9e06f6]
- Updated dependencies [194ddcf2]
- Updated dependencies [c9622cd7]
- @shopify/[email protected]
- @shopify/[email protected]
- 880c9ddf: Add isExpired() and isScopeChanged() functions to Session class
- bf0664bb: Line Item Billing

  Now with the future flag `unstable_lineItemBilling` you can specify multiple line items in a single billing request. This will allow you to create a single billing request for a subscription with both recurring and usage based app billing.

  You will define the new billingConfig as follows.

  ```ts
  const shopify = shopifyApp({
    billing: {
      MultipleLineItems: {
        replacementBehavior: BillingReplacementBehavior.ApplyImmediately,
        trialDays: 7,
        lineItems: [
          {
            interval: BillingInterval.Usage,
            amount: 30,
            currencyCode: "USD",
            terms: "per 1000 emails",
          },
          {
            interval: BillingInterval.Every30Days,
            amount: 30,
            currencyCode: "USD",
            discount: {
              durationLimitInIntervals: 3,
              value: {
                amount: 10,
              },
            },
          },
        ],
      },
    },
    futures: {
      unstable_lineItemBilling: true,
    },
  });
  ```
- eae5a4a8: Introduce token exchange API for fetching access tokens. This feature is currently unstable and is hidden behind the `unstable_tokenExchange` future flag.

  ❗ To learn more about Token Exchange, see Performing OAuth
- 58a20daf: Changed LATEST_API_VERSION export to point to October23. Thanks @SeanMythen!
- c8eebf30: Fixing publishing process to prevent empty packages
- 737838dd: Removed support for Node 14, and removed existing code deprecations.

  For details on what's changed in this version, please see the V8 migration guide.

- df5fb586: Added support for the `future` configuration option. This will allow apps to opt in to upcoming features without needing to install RC packages.
- cf60b3d1: Added support for the 2023-10 API version.
- 5da6add9 / 3382a958: Allow overriding billing configurations when requesting payment, so that apps can use different values for different requests.
- be262ba1: Allow using Session objects to create Storefront API clients that make requests using private access tokens.
- 8187031f: Fix CustomerAddress.all not returning anything
- d2df0b1b: validateHmac now accepts an optional second param. Use this to support HMAC validation for app proxy requests
- c2962537: Fix storefront client incorrectly setting private token as access token
- 6f075397: Allow not checking a session token payload's `aud` field to support tokens generated outside of the Shopify Admin.
- ce638203: Fixing host validation to work with unified admin shops
- 7a953a92: Adding support for 2023-07 API version
- 9735d0c3: Stop sending the privateMetafieldNamespaces field in webhook queries to avoid the API duplication warning, and added a new shopify.utils.versionPriorTo method to help with cases like this one where apps will need to stop doing something that was deprecated.
- 1d84c135: Add Web API runtime adapter
- a9ef2e20: Fix crypto module set up for node, so it doesn't break webpack apps
- 85e7478f: [Internal] Improved tracking of webhook registration GraphQL calls
- 52047d68: Add optional parameter to `billing.check` and `billing.request` to modify return value to be a more detailed object.

- 9b8ef033: Added Subscription cancel capabilities for App Billing. Fixes #771

  Usage:

  ```ts
  const canceledSubscription = await shopify.billing.cancel({
    session,
    subscriptionId,
  });
  ```

  See Billing Guide for more details.
- c700888a: Deprecated privateMetafieldNamespaces field in HTTP webhook configurations
- b6e9f83c: Add shop search param to default billing return URL for non-embedded apps
- 18671105: Return the performed operation for each handler when registering webhooks
- 57f31117: Add webhooks.validate method to support webhooks without callbacks
- 65eb416f: Export BillingCheckParams, BillingRequestParams and session.getJwtSessionId
- 1a64d96c: Added `returnUrl` as optional parameter to billing `request` function, improved `returnUrl` logic. See documentation of `returnUrl` parameter for more details.
- 89cca000: Discount functionality for App Billing. Fixes #731
- 8de3c783: Removed `setCrypto` function to simplify runtimes

- 2628a7fc: Add scopes validation for AuthScopes object and convert it to array. Fixes #1208, 1221

- d028ec0f: Replace `semver` with `compare-versions` lib to reduce dependency on nodejs builtin-libs

- 7dcecb65: [Custom store apps only] Add new `adminApiAccessToken` parameter to `config` for when `isCustomStoreApp` is `true`. If set, it will be used for API access. `apiSecretKey` should now be set to the custom store app's API secret key, which is used to validate the HMAC of webhook events received from Shopify for a custom store app. Fixes #772, #800

  For apps that don't receive HTTP webhook events from Shopify, no change is required yet - `apiSecretKey` will be used for client authentication as the fallback option.

  Starting with the next major release

  - `adminApiAccessToken` will be mandatory for custom store apps and must be set to the Admin API access token
  - `apiSecretKey` will not be used for client authentication but must be set for HMAC validation of HTTP webhook events

  See setting up a custom store app for more details.
- 450c9e7f: Add deprecation notice for removal of Node 14 support from next major release

- 9c095d12: Bumps jose from 4.13.1 to 4.14.1. See jose's changelog for more details.

- f04f0f64: `apiKey` configuration parameter is no longer mandatory when `isCustomStoreApp` is `true`. Fixes #782

- 464fd4f2: Extend support for Event topic names

- e8966d50: Restoring REST resources for 2022-04, updates to certain resources for other API versions

- 8de6024f: [Fix] Forward original graphql error message to client

- f09417c4: Adds check for Google's Crawler in the authorization functions to prevent `CookieNotFound` error loops. Fixes #686

- cbffa2f6: Add trial days and replacement behavior to usage billing mutation. Fixes #770
- 5a68e4a5: ⚠️ [Breaking] Return pagination info as part of .all() requests in REST resources, and remove the `[PREV|NEXT]_PAGE_INFO` static, thread unsafe attributes. Instead of returning a plain array of objects, it will now return an object containing that array, as well as the response headers and pagination info.

  This enables apps to use locally-scoped pagination info, which makes it possible to use pagination in a thread-safe way.

  You'll need to make 2 changes to use this version:

  - Where you accessed resources from the response, you'll now access the `data` property.
  - Where you accessed pagination data from the static variables, you'll now retrieve it from the response.

  ```ts
  const response = await shopify.rest.Product.all({
    /* ... */
  });

  // BEFORE
  const products: Product[] = response;
  const nextPageInfo = shopify.rest.Product.NEXT_PAGE_INFO;

  // AFTER
  const products: Product[] = response.data;
  const nextPageInfo = response.pageInfo?.nextPage;
  const responseHeaders = response.headers;
  ```
- fc2692f0: ⚠️ [Breaking] Removing deprecated code:

  - The `isPrivateApp` param from `shopifyApi()` was removed in favour of `isCustomStoreApp`.
  - The `isOnline` param from `shopify.auth.callback()` was removed, because it's now handled automatically.
- 8acc71da: Adding support for 2023-04 API version.

  ⚠️ [Breaking] Removing support for 2022-04 and 2022-07 API versions.

- 2096f9e4: The logger is now synchronous. This removes unnecessary `await`s from functions that use the logger but functionally don't need to `await` anything else. `webhooks.addHandlers` is the main impacted public method (it was `async` only because of the logging mechanism).

  Apps that use the default logging methods (which send to `console`) will not be impacted by this change. Apps that implement their own loggers may be impacted; async logging functions can still be used but they need to be handled as promises.

  ```ts
  // BEFORE
  const myLogFunction = async (severity, message) => {
    try {
      await MyService.log(severity, message);
      // After external call
    } catch {
      // Handle error
    }
  };

  // AFTER
  const myLogFunction = (severity, message) => {
    MyService.log(severity, message)
      .then(() => {
        // After external call
      })
      .catch(() => {
        // Handle error
      });
  };
  ```
- f06912d3: Bump jose from 4.11.2 to 4.13.1. See jose changelog for details.
- 89847cac: Bump @shopify/network from 1.5.1 to 3.2.1. See network changelog for details.
- 896ef0d8: Add response headers to `GraphqlQueryError`. Fixes #553
- 97449f9e: validateHmac will now check for a `hmac` or a `signature` query argument. Fixes #776
- [Minor] Validate HMAC timestamp during OAuth #671
- [Patch] Improve logger call on different API versions #664
- [Patch] Prevent leakage of session object with REST resources #690
- [Patch] Improve typing of `PREV_PAGE_INFO` and `NEXT_PAGE_INFO` for REST resources #701
- [Minor] Change `isPrivateApp` configuration item to `isCustomStoreApp`, keep `isPrivateApp` but with a deprecation notice, add `shopify.session.customAppSession` method to create a session suitable for use with clients, REST resources in a store-specific custom app #710
- [Minor] Allow api version overrides #660
- [Minor] Add support for 2023-01 API version #659
- [Patch] Force `/` path on session cookie #658
- [Patch] Don't ignore previous headers when beginning OAuth #652
- [Patch] Export missing client types from package #648
- [Patch] Add an info-level log of API library version and runtime environment string during initialization, to aid in troubleshooting 650
- [Patch] Add new tracking SDK headers to Storefront API client #649
- [Patch] Raise an `InvalidSession` if `Session.fromPropertyArray` receives an object that is not an array
- [Patch] Validate content of host parameter using sanitizeShop regex #634
- [Patch] Use the GraphQL format of webhook topics in the error message #626
- [Patch] Export deprecation notices for v5 main interface #639
- [Patch] Fixed an issue when parsing the response body in the AssignedFulfillmentOrder REST resource #644
- [Patch] Auto-detect session type in auth callback, deprecate `isOnline` argument #628
- [Patch] Removed callback URL path check from webhook processing #629
- [Patch] Pass api version to webhook handlers #630
- ⚠️ [Breaking] Major overhaul of `Shopify/shopify-api-node`, which is a complete breaking change across all surfaces of the library. See the migration guide for instructions on how to update your app.
- [Minor] Pass webhook id to handlers #606
- Added support for the `2022-10` API version #535
- Increased tolerance for expired JWT session tokens from 5s to 10s #462
- Add support for billing to the library #449
- Allow dynamically typing the body of REST and GraphQL request responses, so callers don't need to cast it #447
- Rather than create a temporary session in order to store a session id in a cookie for the OAuth transaction, we can store the `state` in the cookie instead, that can then be compared against the `state` provided by Shopify in the callback. #438
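
The state-in-cookie check described in the entry above, as an added example that is not the library's own code. The cookie name, lifetime, cookie signing and the `beginAuth` / `validateCallback` helper names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Hypothetical cookie name and lifetime, chosen for this example.
const COOKIE = 'oauth_state';
const MAX_AGE_SECONDS = 60;

// HMAC over the cookie value so a client-side edit of the cookie is detectable.
function sign(value, secret) {
  return crypto.createHmac('sha256', secret).update(value).digest('base64url');
}

// Constant-time string comparison; lengths are compared first because
// timingSafeEqual throws on buffers of different length.
function safeEqual(a, b) {
  const ab = Buffer.from(a);
  const bb = Buffer.from(b);
  return ab.length === bb.length && crypto.timingSafeEqual(ab, bb);
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Step 1, before redirecting to the authorization URL: create a random
// state, send it in the redirect, and keep a signed copy in a cookie.
function beginAuth(secret) {
  const state = crypto.randomBytes(16).toString('hex'); // CSPRNG nonce
  const setCookie =
    `${COOKIE}=${state}.${sign(state, secret)}; Path=/; HttpOnly; Secure; ` +
    `SameSite=Lax; Max-Age=${MAX_AGE_SECONDS}`;
  return { state, setCookie };
}

// Step 2, in the callback handler: the state query parameter must match
// the cookie, and the cookie must carry a valid signature.
function validateCallback(cookieHeader, query, secret) {
  const raw = parseCookies(cookieHeader)[COOKIE];
  if (!raw) return { ok: false, reason: 'cookie_not_found' };
  const dot = raw.lastIndexOf('.');
  const state = raw.slice(0, dot);
  const sig = raw.slice(dot + 1);
  if (dot < 0 || !/^[0-9a-f]{32}$/.test(state) || !safeEqual(sign(state, secret), sig)) {
    return { ok: false, reason: 'cookie_tampered' };
  }
  // Repeated query parameters can arrive as arrays; accept a single string only.
  if (typeof query.state !== 'string' || !safeEqual(state, query.state)) {
    return { ok: false, reason: 'state_mismatch' };
  }
  return { ok: true, reason: null };
}
```
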
- Make `sanitizeHost` validation more flexible #446
- ⚠️ [Breaking] If a response from a GraphQL query contains an `errors` attribute, `GraphqlClient` will now throw a `GraphqlQueryError`. The caller can check the `error.response` attribute to see what was returned from the GraphQL API. #431
- ⚠️ [Breaking] Add utils functions to sanitize shops and hosts, and remove the `validateShop` utils function #434
- Allow passing in options for the Redis client used by the session storage strategy #430
- Fix User-Agent header sent in PUT / POST requests #435
- Return a 401 instead of 403 when webhooks fail validation #425
- Add optional new methods `deleteSession` and `findSessionsByShop` to `SessionStorage`, with the corresponding implementations for the various session storage adapters #418
- Include subset of query body in API deprecation logs #426
- Add new method to construct the host app URL #419
- ⚠️ [Breaking] Add REST resources for July 2022 API version, add `LATEST_API_VERSION` constant, remove support and REST resources for July 2021 (`2021-07`) API version #415
- Add support for July 2022 API version #409
- Fix a bug where the PostgreSQL session storage always attempted to create the sessions table #413
- Return instances of `Session` from session storages, not POJOs.
- Store user id and expiration date of online tokens
- Properly parse a non-json HTTP response #257
- Don’t create a SQLite DB file if the SQLite storage is not used.
- Support for specifying the URI scheme of the host #385
- Add optional `saving` parameter to `serialize` of `Base` class - default is `false` and will include read-only attributes in returned object; `true` used for `save` when committing via API to Shopify.
- Fixes #363
  - Webhooks `register` now checks for any attempt to register a GDPR topic (not done via API but by Partner Dashboard), provides an error message in response
  - For topics that don't exist, `register` checks the response from the initial API call for an `errors` field and returns accordingly
- Allow REST resources to configure a deny list of attributes to be excluded when saving #355
- ⚠️ [Breaking] Removing API version `2021-04` #343
- ⚠️ [Breaking] The `HttpResponseError` error and its flavours (all returned from HTTP requests) have been slightly altered:
  - They now take in a hash of values, and will always include the response code, body (as a string if the response is not JSON), and headers
  - All response fields are now contained within a `response` object, to make it easier to access them
- ⚠️ [Breaking] Update supported Admin API versions #310
- Allow full paths in REST requests #301
- ⚠️ [Breaking] Stop responding to the request in the GraphQL Proxy function, returning Shopify's response instead #312

  The examples below are in express; you will now need to handle the response yourself.

  Before:

  ```ts
  app.post("/graphql", async (req, res) => {
    await Shopify.Utils.graphqlProxy(req, res);
  });
  ```

  After:

  ```ts
  app.post("/graphql", async (req, res) => {
    const response = await Shopify.Utils.graphqlProxy(req, res);
    res.status(200).send(response.body);
  });
  ```
- Add support for January 2022 API version #285
- Add a 5 second `clockTolerance` to fix `jwt not active` error #227
- ⚠️ [Breaking] Change default for OAuth.beginAuth to online sessions #203
  - see oauth.md for updated docs
- ⚠️ [Breaking] Return and delete session in `validateAuthCallback` #217
  - see oauth.md for updated usage
- ⚠️ [Breaking] Extract `addHandler` and `getHandler` methods for webhooks out of `register` #205
- ⚠️ [Breaking] Sessions no longer default to `false` for `isOnline` #169
- Required `Session` arguments must be passed to the constructor #169
- Allow `undefined` in `AuthScopes` #169
- Fixed the HTTP client error messages to expand objects #252
- Added `October21` to `ApiVersion` #247
- Don't include extra params when calculating local hmac #196
- Added Storefront API client under `Shopify.Clients.Storefront`
- Add `isActive()` method to `Session` class to check if session is active, replace `Session` with `SessionInterface` when used as a type #153
- Added `April21` to `ApiVersion` #149
- Allow plain objects to be returned from the `loadCallback` on `CustomSessionStorage` #126
- Documentation and example code for `CustomSessionStorage` #129
- Throw a different error for a missing cookie upon OAuth return #131
- Improved documentation for GraphQL and Rest Clients. #123
- Made Docs directory more browseable in GitHub. #136
- Make sure `CustomSessionStorage` converts the `expires` field from a string to `Date`. #132
- Made `limit` optional for get-requests with query #135
- Minor text/doc changes
- Added `2021-01` API version to enum. #117
- Allow retrieving offline sessions using `loadCurrentSession`. #119
- Initial public release
- Added `AuthScopes` value object to allow apps to easily check whether scopes have been updated. #110
- GraphQL Proxy attempts to parse the request body as JSON before passing it to the client. #106
- Webhooks types are now exported outside the library #91
- Added support for private apps #99
- `USER_AGENT_PREFIX` added to Context, to add agent to all requests #101
- Add link to tutorial on how to rotate credentials if necessary #107
- Export `withSession` utility method #96
- GraphQL Client appropriately handles queries with variables #97
- Use cryptographically random bytes to generate nonce #98
- Stop using `SameSite=none` cookies for OAuth, using `lax` instead #100
- Fixed an issue when deleting the current session for embedded apps #88
- Add `withSession` utility method #83
- Preserve the OAuth cookie session for a few seconds so SPA can perform their initial load using it #70
- Session fetches now return `undefined` when a session is not available #64
- Add `deleteCurrentSession` utils method #60
- Beta release
- Test releasing scripts
- Start of Changelog