Shopify / koa-shopify-auth

DEPRECATED Middleware to authenticate a Koa application with Shopify
MIT License

Auth callback should throw 403 if CookieNotFound occurred to handle OAuth retries #110

Closed kazukinagata closed 1 year ago

kazukinagata commented 3 years ago

Overview/summary

When validateAuthCallback is called, shopify-api will throw a CookieNotFound error if the sessionCookie has expired. In that scenario, koa should throw 403 instead of 500 so that the OAuth process can be retried.

catch (e) {
  switch (true) {
    case (e instanceof Shopify.Errors.InvalidOAuthError):
      ctx.throw(400, e.message);
      break;
    case (e instanceof Shopify.Errors.SessionNotFound):
    case (e instanceof Shopify.Errors.CookieNotFound): // Add here
      ctx.throw(403, e.message);
      break;
    default:
      ctx.throw(500, e.message);
      break;
  }
}

https://github.com/Shopify/koa-shopify-auth/blob/ba16b8344ce2fa4c24b0855246838d6d02af9ce7/src/auth/index.ts#L110

Motivation

As you know, the OAuth process must be completed within 60s, and the sessionCookie expires after that point. Shopify testers sometimes wait 60s before continuing the OAuth process, which then causes an Internal Server Error. In order to pass the test, we need to handle OAuth retries, but with a 500 error, error handling is difficult.

Related issue: https://github.com/Shopify/shopify-node-api/issues/130#issuecomment-826465888


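An added example, not code from koa-shopify-auth or Shopify, that walks through the status mapping this PR proposes and the retry it makes possible: a callback that maps CookieNotFound to 403, and a client-side policy that restarts OAuth on 403 but gives up after a bounded number of attempts. The Shopify.Errors classes, the Koa ctx and validateAuthCallback are stand-ins constructed here so the file runs offline (the real ones are async and come from @shopify/shopify-api); MAX_OAUTH_RETRIES and the helper names are my own assumptions.

```javascript
// Stand-ins for the error classes exported by @shopify/shopify-api (constructed here).
class ShopifyError extends Error {}
class InvalidOAuthError extends ShopifyError {}
class SessionNotFound extends ShopifyError {}
class CookieNotFound extends ShopifyError {}
const Shopify = { Errors: { InvalidOAuthError, SessionNotFound, CookieNotFound } };

// Map an error thrown while validating the auth callback to an HTTP status.
// 400: the callback itself is bad (tampered/invalid hmac, state, etc.) -> do not retry.
// 403: the server-side session or the OAuth cookie is gone -> the client may restart OAuth.
// 500: anything else -> a real bug, surface it.
function statusForAuthError(e) {
  if (e instanceof Shopify.Errors.InvalidOAuthError) return 400;
  if (e instanceof Shopify.Errors.SessionNotFound) return 403;
  if (e instanceof Shopify.Errors.CookieNotFound) return 403; // the change proposed in this PR
  return 500;
}

// Minimal stand-in for the parts of a Koa ctx the handler touches. Like Koa's ctx.throw,
// a 4xx marks the error as exposable, so e.message reaches the client; a 5xx does not.
function makeCtx() {
  return {
    status: 404,
    body: undefined,
    throw(status, message) {
      const err = new Error(message);
      err.status = status;
      err.expose = status < 500;
      throw err;
    },
  };
}

// Simulated auth callback; `validate` plays the role of Shopify.Auth.validateAuthCallback
// (kept synchronous here so the example runs without an event loop).
function authCallback(ctx, validate) {
  try {
    validate();
    ctx.status = 200;
    ctx.body = 'ok';
  } catch (e) {
    ctx.throw(statusForAuthError(e), e.message);
  }
}

// Run the callback the way Koa would and report the resulting status.
function runCallback(validate) {
  const ctx = makeCtx();
  try {
    authCallback(ctx, validate);
    return { status: ctx.status, error: null };
  } catch (err) {
    return { status: err.status ?? 500, error: err.message };
  }
}

// Client-side policy (assumption): 403 means "cookie/session gone, restart OAuth",
// but only a bounded number of times so a persistent failure cannot loop forever.
const MAX_OAUTH_RETRIES = 2;
function nextAction(status, attempt) {
  if (status === 403 && attempt < MAX_OAUTH_RETRIES) return 'restart-oauth';
  if (status === 403) return 'give-up';
  if (status === 400) return 'reject';
  return 'error';
}

// Walk one scenario: the first `failures` callbacks hit CookieNotFound (cookie expired
// after the 60s window), the client restarts OAuth each time, then the callback succeeds.
// Returns the trail of "<status>:<action>" steps.
function simulateExpiredCookie(failures = 1) {
  let calls = 0;
  const validate = () => {
    if (calls++ < failures) throw new CookieNotFound('OAuth cookie not found'); // constructed message
  };
  const trail = [];
  for (let attempt = 0; attempt <= MAX_OAUTH_RETRIES; attempt++) {
    const res = runCallback(validate);
    const action = res.status === 200 ? 'done' : nextAction(res.status, attempt);
    trail.push(`${res.status}:${action}`);
    if (action !== 'restart-oauth') break;
  }
  return trail;
}

module.exports = { statusForAuthError, runCallback, nextAction, simulateExpiredCookie, Shopify };
```

The bound on retries is the part the PR text leaves implicit: once the callback returns 403, a client that unconditionally restarts OAuth will loop forever if the cookie is never going to be set (for example when the browser blocks it inside the embedded iframe), so the retry counter belongs on the client or in the begin-auth route.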

github-actions[bot] commented 1 year ago

Note that this repo is no longer maintained and this issue will not be reviewed. Prefer the official JavaScript API library. If you still want to use Koa, see simple-koa-shopify-auth for a potential community solution.