Skip to content

Comments

bugfix: Upgrade to Saleor App SDK v1.3.0 and improve APL configuration#28

Open
sultan18kh wants to merge 3 commits intosaleor:mainfrom
sultan18kh:main
Open

bugfix: Upgrade to Saleor App SDK v1.3.0 and improve APL configuration#28
sultan18kh wants to merge 3 commits intosaleor:mainfrom
sultan18kh:main

Conversation

@sultan18kh
Copy link

@sultan18kh sultan18kh commented Aug 29, 2025

Upgrade to Saleor App SDK v1.3.0 and improve APL configuration

  • Upgrade @saleor/app-sdk from 0.50.1 to 1.3.0 with breaking changes
  • Update APL imports to use individual modules (file, saleor-cloud, upstash)
  • Add proper environment variable validation for Upstash APL configuration
  • Add metadata deletion functionality to metadata manager
  • Update tRPC and webhook implementations for SDK compatibility
  • Update dependencies: next, graphql, zod, tsx, vite, vitest
  • Add comprehensive environment configuration documentation (env.example)
  • Update pnpm lockfile

sultan18kh and others added 3 commits August 28, 2025 13:29
@sultan18kh
feat: upgrade to Saleor App SDK v1.3.0 and improve APL configuration
1e87aeb 
- Upgrade @saleor/app-sdk from 0.50.1 to 1.3.0 with breaking changes
- Update APL imports to use individual modules (file, saleor-cloud, upstash)
- Add proper environment variable validation for Upstash APL configuration
- Add metadata deletion functionality to metadata manager
- Update tRPC and webhook implementations for SDK compatibility
- Update dependencies: next, graphql, zod, tsx, vite, vitest
- Add comprehensive environment configuration documentation (env.example)
@sultan18kh
Update pnpm lockfile
5ea3fe8
@sultan18kh
Merge pull request #1 from sultan18kh/staging
d866ed0 
feat: upgrade to Saleor App SDK v1.3.0 and improve APL configuration
@sultan18kh sultan18kh requested a review from a team as a code owner August 29, 2025 12:19
@CLAassistant
Copy link

CLAassistant commented Aug 29, 2025
edited
Loading

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ sultan18kh
❌ Sultan Mustafa Khan

Sultan Mustafa Khan seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@CLAassistant
Copy link

CLAassistant commented Aug 29, 2025

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
0 out of 2 committers have signed the CLA.

❌ Sultan Mustafa Khan
❌ sultan18kh

Sultan Mustafa Khan seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@sultan18kh
Copy link
Author

sultan18kh commented Aug 29, 2025
edited
Loading

@witoszekdev, @lkostrowski, secondary email has been added, but still the CLA status hasn't been updated. Kindly verify. Thanks!

witoszekdev
witoszekdev requested changes Sep 3, 2025
View reviewed changes
Copy link
Member

@witoszekdev witoszekdev left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for contribution! Unfortunately we cannot merge this because it removes JWT validation for tRPC router, which would allow anyone to make requests to protected route 🙈

Please see my first comment :)

example-app-invoices/src/modules/trpc/protected-client-procedure.ts
Comment on lines +78 to +98
// TODO: JWT verification is temporarily disabled due to missing verifyJWT function
// try {
// logger.debug("trying to verify JWT token from frontend");
// logger.debug({ token: ctx.token ? `${ctx.token[0]}...` : undefined });

// await verifyJWT({
// appId: ctx.appId,
// token: ctx.token,
// saleorApiUrl: ctx.saleorApiUrl,
// requiredPermissions: [
// ...REQUIRED_SALEOR_PERMISSIONS,
// ...(meta?.requiredClientPermissions || []),
// ],
// });
// } catch (e) {
// logger.debug("JWT verification failed, throwing");
// throw new TRPCError({
// code: "UNAUTHORIZED",
// message: "JWT verification failed",
// });
// }
Copy link
Member

@witoszekdev witoszekdev Sep 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue: we cannot merge this with missing JWT validation. It looks like there shouldn't be any issue here, since we also use this method in other Saleor apps. Example avatax app: https://github.com/saleor/apps/blob/3935a8bec907e05e94287bf330a4bd3b4fbe7849/apps/avatax/src/modules/trpc/protected-client-procedure.ts?plain=1#L1 (it uses app sdk v1.3.0)

Could you please add this back?

example-app-invoices/env.example
Comment on lines +25 to +39
# App URLs and Base Configuration
# ===============================

# Base URL for your app (used for manifest and webhooks)
# In development, this is typically http://localhost:3000
# In production, this should be your deployed app URL
APP_BASE_URL=http://localhost:3000

# Optional: Override iframe base URL (for embedded app interface)
# If not set, uses APP_BASE_URL
APP_IFRAME_BASE_URL=http://localhost:3000

# Optional: Override API base URL (for webhooks and API endpoints)
# If not set, uses APP_BASE_URL
APP_API_BASE_URL=http://localhost:3000
Copy link
Member

@witoszekdev witoszekdev Sep 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: These are actually not required to run the app. It's used when you need to have app work with Saleor running in a Docker container for example

It's described here in our docs: https://docs.saleor.io/developer/extending/apps/local-app-development#apps-url-overriding

I'm worried this description suggests you must provide this, which would be incorrect: it's used only for development, if you would use these env variables on production app it wouldn't have any multitenancy, since it would always try to connect to the same Saleor instance.

example-app-invoices/env.example
Comment on lines +96 to +99
# 1. For local development, you only need:
# - SECRET_KEY (required)
# - APP_BASE_URL (optional, defaults to http://localhost:3000)
# - APL=file (default)
Copy link
Member

@witoszekdev witoszekdev Sep 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: I think if we only need these 3 we should probably have only these variables commented out, rest should be commented to avoid accidentaly using them

example-app-invoices/env.example
Comment on lines +107 to +110
# 3. For Saleor Cloud deployment:
# - Set APL=rest
# - Configure REST_APL_ENDPOINT and REST_APL_TOKEN
# - Set SALEOR_CLOUD_TOKEN and SALEOR_CLOUD_RESOURCE_URL for migrations
Copy link
Member

@witoszekdev witoszekdev Sep 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion: could you please remove this part? 🙏🏻 we don't need instructions for Saleor Cloud deployment in example 😉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@witoszekdev witoszekdev witoszekdev requested changes

@lkostrowski lkostrowski Awaiting requested review from lkostrowski lkostrowski was automatically assigned from saleor/js

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sultan18kh @CLAassistant @witoszekdev