Handle invalid access tokens in token exchange

[zzooeeyy]

• closes https://github.com/Shopify/develop-app-access/issues/146

📹 Demo video

What this PR does

• Handles 401 error in around_action in token exchange concern activate_shopfiy_session.
• It'll retry once by performing token exchange to retrieve new access token.
• Subsequent errors will be thrown.
• Introduces ShopifyApp::Auth::TokenExchange.perform(session_token)
• Introduces ShopifyApp::AdminAPI::WithTokenRefetch module with a method to allow easy token refetch/retry on Unauthorized errors

  with_token_refetch(@session, @shopify_id_token) do
  # Admin API call here
  end

So developers handling their own errors can still have their access tokens refetched:

# my_controller.rb

def count_and_rescue
  with_token_refetch(current_shopify_session, shopify_id_token) do
    ShopifyAPI::Product.count
  end
rescue =>
  # performing error handling
end

Checklist

Before submitting the PR, please consider if any of the following are needed:

• [ will update when token exchange feature is complete ] Update CHANGELOG.md if the changes would impact users
• [ will update when token exchange feature is complete ] Update README.md, if appropriate.
• [ will update when token exchange feature is complete ] Update any relevant pages in /docs, if necessary
• [ will update when token exchange feature is complete ] For security fixes, the Disclosure Policy must be followed.

[rachel-carvalho]

We'll create an API wrapper and handle errors differently, so I'm moving this back to draft.

[rachel-carvalho]

We decided to keep retrying in the around_action, but will also introduce a module ShopifyApp::AdminAPI::WithTokenRefetch that offers a method that will automatically re-fetch an access token on Unauthorized errors and retry the block.

with_token_refetch(@session, @session_token) do
  # Admin API call here
end

[rachel-carvalho]

The tests that execute the new Session#copy_attributes_from method are now failing until we update the shopify_api version to include it.