All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and adheres to Semantic Versioning.
- [Minor] Validate HMAC timestamp during OAuth #671
- [Patch] Improve logger call on different API versions #664
- [Patch] Prevent leakage of session object with REST resources #690
- [Patch] Improve typing of
PREV_PAGE_INFOandNEXT_PAGE_INFOfor REST resources #701 - [Minor] Change
isPrivateAppconfiguration item toisCustomStoreApp, keepisPrivateAppbut with a deprecation notice, addshopify.session.customAppSessionmethod to create a session suitable for use with clients, REST resources in a store-specific custom app #710
- [Minor] Allow api version overrides #660
- [Minor] Add support for 2023-01 API version #659
- [Patch] Force
/path on session cookie #658 - [Patch] Don't ignore previous headers when beginning OAuth #652
- [Patch] Export missing client types from package #648
- [Patch] Add an info-level log of API library version and runtime environment string during initialization, to aid in troubleshooting 650
- [Patch] Add new tracking SDK headers to Storefront API client #649
- [Patch] Raise an
InvalidSessionifSession.fromPropertyArrayreceive an object that is not an array - [Patch] Validate content of host parameter using sanitizeShop regex #634
- [Patch] Use the GraphQL format of webhook topics in the error message #626
- [Patch] Export deprecation notices for v5 main interface #639
- [Patch] Fixed an issue when parsing the response body in the AssignedFulfillmentOrder REST resource #644
- [Patch] Auto-detect session type in auth callback, deprecate
isOnlineargument #628 - [Patch] Removed callback URL path check from webhook processing #629
- [Patch] Pass api version to webhook handlers #630
⚠️ [Breaking] Major overhaul ofShopify/shopify-api-node, which is a complete breaking change across all surfaces of the library. See the migration guide for instructions on how to update your app.
- [Minor] Pass webhook id to handlers #606
- Added support for the
2022-10API version #535
- Increased tolerance for expired JWT session tokens from 5s to 10s #462
- Add support for billing to the library #449
- Allow dynamically typing the body of REST and GraphQL request responses, so callers don't need to cast it #447
- Rather than create a temporary session in order to store a session id in a cookie for the OAuth transaction, we can store the
statein the cookie instead, that can then be compared against thestateprovided by Shopify in the callback. #438
- Make
sanitizeHostvalidation more flexible #446
⚠️ [Breaking] If a response from a GraphQL query contains anerrorsattribute,GraphqlClientwill now throw aGraphqlQueryError. The caller can check theerror.responseattribute to see what was returned from the GraphQL API. #431⚠️ [Breaking] Add utils functions to sanitize shops and hosts, and remove thevalidateShoputils function #434- Allow passing in options for the Redis client used by the session storage strategy #430
- Fix User-Agent header sent in PUT / POST requests #435
- Return a 401 instead of 403 when webhooks fail validation #425
- Add optional new methods
deleteSessionandfindSessionsByShoptoSessionStorage, with the corresponding implementations for the various session storage adapters #418 - Include subset of query body in API deprecation logs #426
- Add new method to construct the host app URL #419
⚠️ [Breaking] Add REST resources for July 2022 API version, addLATEST_API_VERSIONconstant, remove support and REST resources for July 2021 (2021-07) API version #415- Add support for July 2022 API version #409
- Fix a bug where the PostgreSQL session storage always attempted to create the sessions table #413
- Return instances of
Sessionfrom session storages, not POJOs.
- Store user id and expiration date of online tokens
- Properly parse a non-json HTTP response #257
- Don’t create a SQLite DB file if the SQLite storage is not used.
- Support for specifying the URI scheme of the host #385
- Add optional
savingparameter toserializeofBaseclass - default isfalseand will include read-only attributes in returned object;trueused forsavewhen committing via API to Shopify.
- Fixes #363
- Webhooks
registernow checks for any attempt to register a GDPR topic (not done via API but by Partner Dashboard), provides an error message in response - For topics that don't exist,
registerchecks the response from the initial API call for anerrorsfield and returns accordingly
- Webhooks
- Allow REST resources to configure a deny list of attributes to be excluded when saving #355
⚠️ [Breaking] Removing API version2021-04#343⚠️ [Breaking] TheHttpResponseErrorerror and its flavours (all returned from HTTP requests) have been slightly altered:- They now take in a hash of values, and will always include the response code, body (as a string if the response is not JSON), and headers
- All response fields are now contained within a
responseobject, to make it easier to access them
⚠️ [Breaking] Update supported Admin API versions #310- Allow full paths in REST requests #301
-
⚠️ [Breaking] Stop responding to the request in the GraphQL Proxy function, returning Shopify's response instead #312The examples below are in express; you will now need to handle the response yourself.
Before:
app.post('/graphql', async (req, res) => { await Shopify.Utils.graphqlProxy(req, res); });
After:
app.post('/graphql', async (req, res) => { const response = await Shopify.Utils.graphqlProxy(req, res); res.status(200).send(response.body); });
- Add support for January 2022 API version #285
- Add a 5 second
clockToleranceto fixjwt not activeerror #227 ⚠️ [Breaking] Change default for OAuth.beginAuth to online sessions #203- see oauth.md for updated docs
⚠️ [Breaking] Return and delete session invalidateAuthCallback#217- see oauth.md for updated usage
⚠️ [Breaking] ExtractaddHandlerandgetHandlermethods for webhooks out ofregister#205⚠️ [Breaking] Sessions no longer default tofalseforisOnline#169- Required
Sessionarguments must be passed to the constructor #169 - Allow
undefinedinAuthScopes#169
- Fixed the HTTP client error messages to expand objects #252
- Added
October21toApiVersion#247
- Don't include extra params when calculating local hmac #196
- Added Storefront API client under
Shopify.Clients.Storefront - Add
isActive()method toSessionclass to check if session is active, replaceSessionwithSessionInterfacewhen used as a type #153
- Added
April21toApiVersion#149
- Allow plain objects to be returned from the
loadCallbackonCustomSessionStorage#126 - Documentation and example code for
CustomSessionStorage#129
- Throw a different error for a missing cookie upon OAuth return #131
- Improved documentation for GraphQL and Rest Clients. #123
- Made Docs directory more browseable in GitHub. #136
- Make sure
CustomSessionStorageconverts theexpiresfield from a string toDate. #132 - Made
limitoptional for get-requests with query #135
- Minor text/doc changes
- Added
2021-01API version to enum. #117 - Allow retrieving offline sessions using
loadCurrentSession. #119
- Initial public release
- Added
AuthScopesvalue object to allow apps to easily check whether scopes have been updated. #110
- GraphQL Proxy attempts to parse the request body as JSON before passing it to the client. #106
- Webhooks types are now exported outside the library #91
- Added support for private apps #99
USER_AGENT_PREFIXadded to Context, to add agent to all requests #101- Add link to tutorial on how to rotate credentials if neccesary #107
- Export
withSessionutility method #96 - GraphQL Client appropriately handles queries with variables #97
- Use cryptographically random bytes to generate nonce #98
- Stop using
SameSite=nonecookies for OAuth, usinglaxinstead #100
- Fixed an issue when deleting the current session for embedded apps #88
- Add
withSessionutility method #83
- Preserve the OAuth cookie session for a few seconds so SPA can perform their initial load using it #70
- Session fetches now return
undefinedwhen a session is not available #64 - Add
deleteCurrentSessionutils method #60
- Beta release
- Test releasing scripts
- Start of Changelog