
SessionUtils.current_session_id is unable to verify session token signed with old API secret #978

Closed
tatsuya opened this issue Jun 24, 2022 · 0 comments · Fixed by #979
tatsuya commented Jun 24, 2022

Issue summary

Related issue: Shopify/shopify_app#1459

This gem provides the ShopifyAPI::Utils::SessionUtils.current_session_id function to verify the JWT session token and extract the shop domain inside its payload to build the session ID for currently logged-in shops/users. The problem is that this JWT verification uses only one API secret passed from ShopifyAPI::Context, and because of this limitation it is currently unable to verify a session token signed with the old API secret.

Adding the ability to verify session tokens using both the old and new API secrets is critical to rotating API secrets without downtime to address security risks. See also Shopify/shopify_app#1459.

Expected behavior

shopify_app provides the solution for rotating API secrets by taking both secret and old_secret. My suggestion here is the same: update ShopifyAPI::Context to take both api_secret_key and old_api_secret_key and verify the JWT using both keys when possible.

Actual behavior

Unable to verify the session token signed with the old API secret.

Steps to reproduce the problem

See Shopify/shopify_app#1459

Logs

N/A

Specifications

  • shopify_api version: v10+
  • Shopify API version used (example: 2020-07): Any
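The verification fallback the issue asks for, as an added example that is not the gem's code or the fix in #979: a token signed with the previous secret is accepted only when the current secret fails, a nil old secret (no rotation in progress) is skipped, and expiry is still enforced on whichever secret matched. To stay self-contained it hand-rolls HS256 with OpenSSL and JSON from the standard library instead of the `jwt` gem; the function names, the constructed secrets and payload, and the online/offline session-ID formats are assumptions for illustration.

```ruby
require "openssl"
require "json"

# Constructed sample values: neither secret is a real Shopify credential.
OLD_API_SECRET = "old-api-secret-constructed"
NEW_API_SECRET = "new-api-secret-constructed"
NOW = 1_656_028_800 # fixed "current time" (2022-06-24T00:00:00Z) so expiry checks are reproducible

# Base64url without padding, as JWS requires.
def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str + "=" * ((4 - str.length % 4) % 4)
  padded.tr("-_", "+/").unpack1("m0") # raises ArgumentError on malformed input
end

def hs256_sign(signing_input, secret)
  OpenSSL::HMAC.digest("SHA256", secret, signing_input)
end

# Constant-time comparison so a wrong signature does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mints a token the way Shopify's admin would, used here only to build sample input.
def encode_hs256(payload, secret)
  header = b64url_encode(JSON.generate({ "alg" => "HS256", "typ" => "JWT" }))
  body = b64url_encode(JSON.generate(payload))
  signing_input = "#{header}.#{body}"
  "#{signing_input}.#{b64url_encode(hs256_sign(signing_input, secret))}"
end

# Returns the payload if the signature verifies under ANY of `secrets` (current
# first, then old), and the token is within its validity window; otherwise nil.
# A nil entry (no rotation in progress) is ignored.
def decode_with_rotation(token, secrets, now: NOW)
  parts = token.split(".")
  return nil unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  return nil unless header.is_a?(Hash) && header["alg"] == "HS256" # only the algorithm we issue
  signing_input = "#{header_b64}.#{payload_b64}"
  presented = b64url_decode(sig_b64)
  accepted = secrets.compact.any? { |s| secure_equal?(hs256_sign(signing_input, s), presented) }
  return nil unless accepted
  payload = JSON.parse(b64url_decode(payload_b64))
  return nil unless payload.is_a?(Hash)
  return nil if payload["exp"].is_a?(Integer) && payload["exp"] <= now
  return nil if payload["nbf"].is_a?(Integer) && payload["nbf"] > now
  payload
rescue JSON::ParserError, ArgumentError
  nil
end

# Assumption: session IDs follow "offline_<shop>" / "<shop>_<user id>"; the shop
# domain comes from the token's `dest` claim, as the issue describes.
def session_id_from_token(token, secrets, online:, now: NOW)
  payload = decode_with_rotation(token, secrets, now: now)
  return nil if payload.nil?
  shop = payload["dest"].to_s.sub(%r{\Ahttps://}, "")
  return nil if shop.empty?
  online ? "#{shop}_#{payload['sub']}" : "offline_#{shop}"
end

# Constructed session-token payload in the shape Shopify issues (values are not real).
SAMPLE_PAYLOAD = {
  "iss" => "https://example.myshopify.com/admin",
  "dest" => "https://example.myshopify.com",
  "aud" => "constructed-api-key",
  "sub" => "42",
  "exp" => NOW + 60,
  "nbf" => NOW - 5,
  "iat" => NOW - 5,
  "jti" => "constructed-token-id",
  "sid" => "constructed-session-id",
}.freeze

# One token signed before the rotation (old secret) and one after (new secret).
def demo_tokens
  [encode_hs256(SAMPLE_PAYLOAD, OLD_API_SECRET), encode_hs256(SAMPLE_PAYLOAD, NEW_API_SECRET)]
end

if __FILE__ == $PROGRAM_NAME
  old_token, new_token = demo_tokens
  puts "old-secret token, current secret only: #{decode_with_rotation(old_token, [NEW_API_SECRET]).inspect}"
  puts "old-secret token, with fallback:       #{session_id_from_token(old_token, [NEW_API_SECRET, OLD_API_SECRET], online: true)}"
  puts "new-secret token, with fallback:       #{session_id_from_token(new_token, [NEW_API_SECRET, OLD_API_SECRET], online: false)}"
end
```

Ordering the list as `[current, old]` matters: a token signed with the new secret should never need the second HMAC, and once every token issued before the rotation has expired the old secret can be dropped by passing `[current, nil]` with no other change.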