Skip to content

Fix store auth scope parsing for space-separated input#7257

Closed
RyanDJLee wants to merge 1 commit into
mainfrom
ryandjlee/fix/store-auth-scope-delimiter-parsing
Closed

Fix store auth scope parsing for space-separated input#7257
RyanDJLee wants to merge 1 commit into
mainfrom
ryandjlee/fix/store-auth-scope-delimiter-parsing

Conversation

@RyanDJLee

Copy link
Copy Markdown
Contributor

Summary

Fixes shopify store auth failing with "Shopify granted fewer scopes than were requested" on Windows PowerShell despite a successful OAuth code exchange.

  • parseStoreAuthScopes split on commas only, but Windows PowerShell can transform comma-separated CLI args into space-separated strings before they reach Node.js
  • This caused "read_products read_inventory" to be treated as a single unrecognized scope
  • The server-side parser (Access::ScopeSet.parse_scopes) already handles both delimiters via /[ ,]/ — the CLI parser now matches that behavior

Root cause

When a partner runs:

shopify store auth --scopes read_products,read_inventory

PowerShell's argument handling can deliver "read_products read_inventory" (space, no comma) to process.argv. The CLI's parseStoreAuthScopes splits on , only, producing ["read_products read_inventory"] — one scope element. The server parses both formats correctly and returns scope: "read_products,read_inventory" (comma-separated). The CLI then fails validation because the single requested scope "read_products read_inventory" isn't in the granted set {"read_products", "read_inventory"}.

Confirmed via partner verbose logs showing the debug output with scopes read_products read_inventory (no comma in scopes.join(',') output, proving a single-element array) and analytics args "--scopes read_products read_inventory".

Slack thread: https://shopify.slack.com/archives/C07UJ7UNMTK/p1776085829940879

Changes

  • scopes.ts: .split(',').split(/[\s,]+/) to handle both comma and space delimiters
  • scopes.test.ts: 3 new tests covering space-separated input, mixed delimiters, and the end-to-end PowerShell scenario

Test plan

  • Existing 6 unit tests in scopes.test.ts pass (no regressions)
  • New test parseStoreAuthScopes splits space-separated scopes fails before fix, passes after
  • All 11 integration tests in index.test.ts pass
  • Manual: shopify store auth --scopes read_products,read_inventory on Windows PowerShell
  • Backport to stable/3.93 for partner unblock

🤖 Generated with Claude Code

parseStoreAuthScopes splits on commas only, but Windows PowerShell
can transform comma-separated CLI args into space-separated strings
before they reach Node.js. This causes the entire string
"read_products read_inventory" to be treated as one unrecognized
scope, triggering a false "fewer scopes than requested" error.

Split on /[\s,]+/ instead — matching Core's own ScopeSet.parse_scopes
which already handles both delimiters.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@RyanDJLee RyanDJLee requested a review from a team as a code owner April 13, 2026 14:10
Copilot AI review requested due to automatic review settings April 13, 2026 14:10
@RyanDJLee

Copy link
Copy Markdown
Contributor Author

Closing — rebasing on latest main and resubmitting via Graphite.

@RyanDJLee RyanDJLee closed this Apr 13, 2026
@RyanDJLee RyanDJLee deleted the ryandjlee/fix/store-auth-scope-delimiter-parsing branch April 13, 2026 14:11

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes shopify store auth scope parsing so PowerShell-transformed --scopes arguments (spaces instead of commas) are correctly interpreted, matching the server-side delimiter behavior and preventing false “granted fewer scopes” failures.

Changes:

  • Update parseStoreAuthScopes to split scopes on whitespace and/or commas.
  • Add unit tests for space-separated scopes and mixed delimiters.
  • Add a test intended to cover the PowerShell end-to-end scenario for requested vs. granted scope validation.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
packages/cli/src/cli/services/store/auth/scopes.ts Adjusts scope parsing to support whitespace-delimited lists (in addition to commas).
packages/cli/src/cli/services/store/auth/scopes.test.ts Adds test coverage for the new parsing behavior and the reported PowerShell scenario.
Comments suppressed due to low confidence (1)

packages/cli/src/cli/services/store/auth/scopes.ts:11

  • parseStoreAuthScopes now accepts both comma- and whitespace-delimited scope lists, but the AbortError help text in this function still says "Pass --scopes as a comma-separated list." Please update the guidance to reflect the supported formats (comma and/or whitespace), so the error message stays accurate for users on PowerShell and other shells.
    .split(/[\s,]+/)
    .map((scope) => scope.trim())
    .filter(Boolean)

  if (scopes.length === 0) {

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

access_token: 'token',
scope: 'read_products,read_inventory',
},
['read_products', 'read_inventory'],

Copilot AI Apr 13, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test description claims to cover the PowerShell space-separated input scenario, but the test passes an already-split requestedScopes array. To actually cover the reported bug (and match the PR description), build requestedScopes via parseStoreAuthScopes('read_products read_inventory') or rename the test to reflect what it currently asserts.

Suggested change
['read_products', 'read_inventory'],
parseStoreAuthScopes('read_products read_inventory'),

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants