Merge pull request #1414 from Shopify/remove-passing-public-storefront-token

lizkenyon · web-flow · commit 13012657580d · 2025-10-21T12:20:44.000-05:00
[Breaking] Remove deprecated storefront_access_token positional parameter
diff --git a/BREAKING_CHANGES_FOR_V15.md b/BREAKING_CHANGES_FOR_V15.md
@@ -1,5 +1,39 @@
 # Breaking change notice for version 15.0.0
 
+## Removal of positional `storefront_access_token` parameter from Storefront GraphQL Client
+
+The `ShopifyAPI::Clients::Graphql::Storefront` class no longer accepts the public Storefront access token as a positional parameter. You must now use the named parameters `private_token:` or `public_token:` instead.
+
+This parameter was deprecated in [PR #1302](https://github.com/Shopify/shopify-api-ruby/pull/1302) (v14.1.0).
+
+### Previous implementation (deprecated in v14.1.0)
+
+```ruby
+# Old way: passing token as positional parameter
+client = ShopifyAPI::Clients::Graphql::Storefront.new(shop_url, storefront_access_token)
+
+# With API version
+client = ShopifyAPI::Clients::Graphql::Storefront.new(shop_url, storefront_access_token, api_version: "2024-01")
+```
+
+### New implementation (required in v15.0.0)
+
+```ruby
+# Use private token (recommended)
+client = ShopifyAPI::Clients::Graphql::Storefront.new(shop_url, private_token: storefront_private_access_token)
+
+# Or use public token
+client = ShopifyAPI::Clients::Graphql::Storefront.new(shop_url, public_token: storefront_public_access_token)
+
+# With API version
+client = ShopifyAPI::Clients::Graphql::Storefront.new(
+  shop_url,
+  private_token: storefront_private_access_token,
+  api_version: "2024-01"
+)
+```
+
+For more information on private vs public Storefront access tokens, see [Shopify's authentication documentation](https://shopify.dev/docs/api/usage/authentication#getting-started-with-private-access).
 ## Removal of `LATEST_SUPPORTED_ADMIN_VERSION` and `RELEASE_CANDIDATE_ADMIN_VERSION` constants
 
 The `LATEST_SUPPORTED_ADMIN_VERSION` and `RELEASE_CANDIDATE_ADMIN_VERSION` constants have been removed to prevent semantic versioning (semver) breaking changes. Previously, these constants would automatically update every quarter when new API versions were released, causing unintended breaking changes for apps.
@@ -68,7 +102,8 @@ Make a module or class that includes or extends `ShopifyAPI::Webhooks::WebhookHa
 
 In v14, adding new fields to the callback would become a breaking change. To make this code more flexible, handlers will now receive an object that can be typed and extended.
 
-`data` will have the following keys
+`data` will have the following keys:
+
 - `topic`, `String` - The topic of the webhook
 - `shop`, `String` - The shop domain of the webhook
 - `body`, `T::Hash[String, T.untyped]`- The body of the webhook
diff --git a/lib/shopify_api/clients/graphql/storefront.rb b/lib/shopify_api/clients/graphql/storefront.rb
@@ -8,21 +8,15 @@ class Storefront < Client
         sig do
           params(
             shop: String,
-            storefront_access_token: T.nilable(String),
             private_token: T.nilable(String),
             public_token: T.nilable(String),
             api_version: T.nilable(String),
           ).void
         end
-        def initialize(shop, storefront_access_token = nil, private_token: nil, public_token: nil, api_version: nil)
-          unless storefront_access_token.nil?
-            warning = <<~WARNING
-              DEPRECATED: Use the named parameters for the Storefront token instead of passing
-              the public token as the second argument. Also, you may want to look into using
-              the Storefront private access token instead:
-              https://shopify.dev/docs/api/usage/authentication#getting-started-with-private-access
-            WARNING
-            ShopifyAPI::Logger.deprecated(warning, "15.0.0")
+        def initialize(shop, private_token: nil, public_token: nil, api_version: nil)
+          token = private_token || public_token
+          if token.nil?
+            raise ArgumentError, "Storefront client requires either private_token or public_token to be provided"
           end
 
           session = Auth::Session.new(
@@ -32,7 +26,7 @@ def initialize(shop, storefront_access_token = nil, private_token: nil, public_t
             is_online: false,
           )
           super(session: session, base_path: "/api", api_version: api_version)
-          @storefront_access_token = T.let(T.must(private_token || public_token || storefront_access_token), String)
+          @storefront_access_token = T.let(token, String)
           @storefront_auth_header = T.let(
             private_token.nil? ? "X-Shopify-Storefront-Access-Token" : "Shopify-Storefront-Private-Token",
             String,
diff --git a/test/clients/graphql/storefront_test.rb b/test/clients/graphql/storefront_test.rb
@@ -22,9 +22,13 @@ def setup
 
         def build_client
           if !defined?("@api_version")
-            ShopifyAPI::Clients::Graphql::Storefront.new(@shop, @storefront_access_token)
+            ShopifyAPI::Clients::Graphql::Storefront.new(@shop, public_token: @storefront_access_token)
           else
-            ShopifyAPI::Clients::Graphql::Storefront.new(@shop, @storefront_access_token, api_version: @api_version)
+            ShopifyAPI::Clients::Graphql::Storefront.new(
+              @shop,
+              public_token: @storefront_access_token,
+              api_version: @api_version,
+            )
           end
         end
 
@@ -81,7 +85,7 @@ def test_can_query_using_public_token
         end
 
         def test_error_raised_when_no_token_provided
-          assert_raises(TypeError) { ShopifyAPI::Clients::Graphql::Storefront.new(@shop) }
+          assert_raises(ArgumentError) { ShopifyAPI::Clients::Graphql::Storefront.new(@shop) }
         end
       end
     end
