feat(api-gen): support for client_credentials grant type auth#2262
Conversation
Pull request overview
This PR adds support for client_credentials grant type authentication for the Admin API, providing an alternative to the existing username/password authentication method. This enables authentication using Shopware integrations instead of user credentials.
Changes:
- Modified authentication logic to support both `password` and `client_credentials` grant types based on environment variables
- Updated environment variable validation to conditionally check for username/password OR client credentials
- Enhanced documentation to explain both authentication methods and their usage
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| packages/api-gen/src/apiClient.ts | Added conditional logic to create credentials object based on whether SHOPWARE_ADMIN_CLIENT_SECRET is set, supporting both password and client_credentials grant types |
| packages/api-gen/src/commands/loadSchema.ts | Modified environment variable validation to require either username/password OR client_secret for admin API authentication |
| packages/api-gen/README.md | Added documentation for the new client_credentials authentication option with configuration examples |
| .changeset/heavy-bushes-open.md | Added changeset describing the new feature |
| : ({ | ||
| grant_type: "password", | ||
| client_id: "administration", | ||
| scope: "write", |
The field name should be "scopes" (plural), not "scope" (singular). This is inconsistent with the password grant type credentials structure used in the api-client package tests and throughout the codebase. The tests in packages/api-client/src/adminApiClientCredentials.test.ts show that password credentials use "scopes" field (lines 99, 110, 141).
| scope: "write", | |
| scopes: "write", |
| "@shopware/api-gen": minor | ||
| --- | ||
|
|
||
| Added support for `client_credentials` grant type authentication when loading Admin API schema. Set `SHOPWARE_ADMIN_CLIENT_SECRET` and `SHOPWARE_ADMIN_CLIENT_ID`environment variables to use integration credentials instead of username/password. |
Missing space between "SHOPWARE_ADMIN_CLIENT_ID" and "environment". Should be "SHOPWARE_ADMIN_CLIENT_ID environment variables".
| Added support for `client_credentials` grant type authentication when loading Admin API schema. Set `SHOPWARE_ADMIN_CLIENT_SECRET` and `SHOPWARE_ADMIN_CLIENT_ID`environment variables to use integration credentials instead of username/password. | |
| Added support for `client_credentials` grant type authentication when loading Admin API schema. Set `SHOPWARE_ADMIN_CLIENT_SECRET` and `SHOPWARE_ADMIN_CLIENT_ID` environment variables to use integration credentials instead of username/password. |
| const hasClientCredentials = !!process.env.SHOPWARE_ADMIN_CLIENT_SECRET; | ||
| if (!hasClientCredentials) { |
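Review bot: when `hasClientCredentials` is true this hunk pushes nothing onto `requiredEnvVars`, so `SHOPWARE_ADMIN_CLIENT_ID` can be absent without the validation noticing, even though the changeset tells users to set `SHOPWARE_ADMIN_CLIENT_SECRET` and `SHOPWARE_ADMIN_CLIENT_ID` together. Suggest an explicit branch, e.g. `if (hasClientCredentials) { requiredEnvVars.push("SHOPWARE_ADMIN_CLIENT_ID"); } else { ... }`, so a missing integration id fails at validation time rather than at the token request.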
When using client_credentials grant type, SHOPWARE_ADMIN_CLIENT_SECRET should be a required environment variable. Currently, the code only checks for username/password when SHOPWARE_ADMIN_CLIENT_SECRET is not set, but it doesn't validate that SHOPWARE_ADMIN_CLIENT_SECRET is actually provided when the client_credentials flow is selected. This could lead to runtime errors when trying to authenticate. Consider adding SHOPWARE_ADMIN_CLIENT_SECRET to requiredEnvVars when hasClientCredentials is true.
| const hasClientCredentials = !!process.env.SHOPWARE_ADMIN_CLIENT_SECRET; | |
| if (!hasClientCredentials) { | |
| const hasClientCredentials = | |
| process.env.SHOPWARE_ADMIN_CLIENT_SECRET !== undefined; | |
| if (hasClientCredentials) { | |
| requiredEnvVars.push("SHOPWARE_ADMIN_CLIENT_SECRET"); | |
| } else { |
| grant_type: "client_credentials", | ||
| client_id: process.env.SHOPWARE_ADMIN_CLIENT_ID || "administration", | ||
| client_secret: process.env.SHOPWARE_ADMIN_CLIENT_SECRET, | ||
| } as const) |
The type casting for client_credentials uses "as const" while the password grant uses "as unknown as adminOperations[...]". This inconsistency suggests a potential type safety issue. The client_credentials object should also be cast to the proper type (adminOperations["token post /oauth/token"]["body"]) to ensure type safety and consistency with the password grant type casting approach.
| } as const) | |
| } as unknown as adminOperations["token post /oauth/token"]["body"]) |
| const credentials = process.env.SHOPWARE_ADMIN_CLIENT_SECRET | ||
| ? ({ | ||
| grant_type: "client_credentials", | ||
| client_id: process.env.SHOPWARE_ADMIN_CLIENT_ID || "administration", | ||
| client_secret: process.env.SHOPWARE_ADMIN_CLIENT_SECRET, | ||
| } as const) | ||
| : ({ | ||
| grant_type: "password", | ||
| client_id: "administration", | ||
| scope: "write", | ||
| username: process.env.SHOPWARE_ADMIN_USERNAME || "", | ||
| password: process.env.SHOPWARE_ADMIN_PASSWORD || "", | ||
| } as unknown as adminOperations["token post /oauth/token"]["body"]); |
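Review bot: `client_id: process.env.SHOPWARE_ADMIN_CLIENT_ID || "administration"` in the `client_credentials` branch silently substitutes the password grant's public client id when the integration id is not set, so a misconfigured environment turns into an opaque token failure instead of a clear error; drop the fallback and treat the variable as required alongside `SHOPWARE_ADMIN_CLIENT_SECRET`. In the same hunk the `password` branch falls back to `""` for username and password, which sends empty credentials to `/oauth/token`; since `loadSchema.ts` already validates these variables, a thrown error (or a type narrowing that relies on that validation) would be clearer than the empty-string default.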
The logic to determine which authentication method to use is based solely on whether SHOPWARE_ADMIN_CLIENT_SECRET is set. This could lead to unexpected behavior if a user has both password credentials (SHOPWARE_ADMIN_USERNAME, SHOPWARE_ADMIN_PASSWORD) and client credentials (SHOPWARE_ADMIN_CLIENT_SECRET) configured in their environment. Consider documenting this precedence clearly or adding a warning when both sets of credentials are present.
Description
Added support for `client_credentials` grant type authentication when loading Admin API schema.
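The following is an added example, not code from the `@shopware/api-gen` package or this PR, showing one way to write the credential selection the PR describes so that it addresses the review points above in one place: the `client_credentials` grant is chosen only when `SHOPWARE_ADMIN_CLIENT_SECRET` is set, the integration id is then required rather than defaulted to `administration`, the password grant uses the `scopes` key, a warning is raised when both credential sets are present, and secrets are masked before anything is logged. The environment variable names are taken from the PR; the precedence rule, the `resolveAdminCredentials` and `describeCredentials` names, and the sample environments are this example's own assumptions.

```typescript
// Added example (not the api-gen package's own code).
// Variable names follow the PR; precedence rules are an assumption.

type AdminCredentials =
  | { grant_type: "client_credentials"; client_id: string; client_secret: string }
  | {
      grant_type: "password";
      client_id: "administration";
      scopes: "write";
      username: string;
      password: string;
    };

type Env = Record<string, string | undefined>;

interface ResolvedCredentials {
  credentials: AdminCredentials;
  warnings: string[];
}

const PASSWORD_VARS = ["SHOPWARE_ADMIN_USERNAME", "SHOPWARE_ADMIN_PASSWORD"] as const;
const CLIENT_VARS = ["SHOPWARE_ADMIN_CLIENT_ID", "SHOPWARE_ADMIN_CLIENT_SECRET"] as const;

// Empty or whitespace-only values count as unset: an empty secret or
// password must never be sent to the token endpoint.
function missing(env: Env, names: readonly string[]): string[] {
  return names.filter((n) => !env[n] || env[n]!.trim() === "");
}

function resolveAdminCredentials(env: Env): ResolvedCredentials {
  const warnings: string[] = [];
  const secretSet = !!env.SHOPWARE_ADMIN_CLIENT_SECRET;
  const userSet = !!env.SHOPWARE_ADMIN_USERNAME || !!env.SHOPWARE_ADMIN_PASSWORD;

  if (secretSet) {
    // client_credentials grant: the integration's own client id is mandatory.
    // "administration" is the public client of the password grant and is
    // deliberately not used as a fallback here.
    const absent = missing(env, CLIENT_VARS);
    if (absent.length > 0) {
      throw new Error(`client_credentials grant selected but missing: ${absent.join(", ")}`);
    }
    if (userSet) {
      warnings.push(
        "Both integration and user credentials are set; using client_credentials " +
          "and ignoring SHOPWARE_ADMIN_USERNAME/SHOPWARE_ADMIN_PASSWORD.",
      );
    }
    return {
      credentials: {
        grant_type: "client_credentials",
        client_id: env.SHOPWARE_ADMIN_CLIENT_ID!,
        client_secret: env.SHOPWARE_ADMIN_CLIENT_SECRET!,
      },
      warnings,
    };
  }

  // password grant: fail early instead of sending "" as username/password.
  const absent = missing(env, PASSWORD_VARS);
  if (absent.length > 0) {
    throw new Error(
      `Set ${PASSWORD_VARS.join(" and ")}, or ${CLIENT_VARS.join(" and ")}; missing: ${absent.join(", ")}`,
    );
  }
  return {
    credentials: {
      grant_type: "password",
      client_id: "administration",
      scopes: "write",
      username: env.SHOPWARE_ADMIN_USERNAME!,
      password: env.SHOPWARE_ADMIN_PASSWORD!,
    },
    warnings,
  };
}

// Render the token request body with secrets masked, so which grant was
// chosen can be logged during debugging without leaking credentials.
function describeCredentials(creds: AdminCredentials): string {
  const masked: Record<string, string> = { ...creds };
  for (const key of ["client_secret", "password"]) {
    if (key in masked) masked[key] = "***";
  }
  return JSON.stringify(masked);
}

// Constructed sample environment for a stand-alone run (not real credentials).
const sample = resolveAdminCredentials({
  SHOPWARE_ADMIN_CLIENT_ID: "SWIAEXAMPLEID",
  SHOPWARE_ADMIN_CLIENT_SECRET: "example-secret",
});
console.log(describeCredentials(sample.credentials));
```

The resolver returns the body shape that would be posted to `/api/oauth/token`; wiring it to the actual request (and to `requiredEnvVars` in `loadSchema.ts`) is left to the caller, since that part of the package is not shown on this page.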