Use session token dest claim for shop in token exchange

The exchange_token method now derives the shop from the session token's
dest claim (via JwtPayload) rather than using the raw shop parameter.
This ensures consistency between the validated token and the shop used
for the OAuth request.

The shop parameter is still accepted for backward compatibility but
the dest claim takes precedence.

Author: River

lib/shopify_api/auth/token_exchange.rb

@@ -36,10 +36,11 @@ def exchange_token(shop:, session_token:, requested_token_type:)
           raise ShopifyAPI::Errors::UnsupportedOauthError,
             "Cannot perform OAuth Token Exchange for non embedded apps." unless ShopifyAPI::Context.embedded?
 
-          # Validate the session token content
-          ShopifyAPI::Auth::JwtPayload.new(session_token)
+          # Validate the session token and use the shop from the token's `dest` claim
+          jwt_payload = ShopifyAPI::Auth::JwtPayload.new(session_token)
+          dest_shop = jwt_payload.shop
 
-          shop_session = ShopifyAPI::Auth::Session.new(shop: shop)
+          shop_session = ShopifyAPI::Auth::Session.new(shop: dest_shop)
           body = {
             client_id: ShopifyAPI::Context.api_key,
             client_secret: ShopifyAPI::Context.api_secret_key,
@@ -74,7 +75,7 @@ def exchange_token(shop:, session_token:, requested_token_type:)
           session_params = T.cast(response.body, T::Hash[String, T.untyped]).to_h
 
           Session.from(
-            shop: shop,
+            shop: dest_shop,
             access_token_response: Oauth::AccessTokenResponse.from_hash(session_params),
           )
         end

test/auth/token_exchange_test.rb

@@ -174,6 +174,39 @@ def test_exchange_token_offline_token
         assert_equal(expected_session, session)
       end
 
+      def test_exchange_token_uses_shop_from_session_token_dest_claim
+        modify_context(is_embedded: true, expiring_offline_access_tokens: false)
+
+        # Pass a different shop than what's in the JWT dest claim
+        different_shop = "other-shop.myshopify.com"
+
+        # The request should go to the shop from the JWT dest claim, not the passed shop
+        stub_request(:post, "https://#{@shop}/admin/oauth/access_token")
+          .with(body: @non_expiring_offline_token_exchange_request)
+          .to_return(body: @offline_token_response.to_json, headers: { content_type: "application/json" })
+
+        expected_session = ShopifyAPI::Auth::Session.new(
+          id: "offline_#{@shop}",
+          shop: @shop,
+          access_token: @offline_token_response[:access_token],
+          scope: @offline_token_response[:scope],
+          is_online: false,
+          expires: nil,
+          shopify_session_id: @offline_token_response[:session],
+          refresh_token: nil,
+          refresh_token_expires: nil,
+        )
+
+        session = ShopifyAPI::Auth::TokenExchange.exchange_token(
+          shop: different_shop,
+          session_token: @session_token,
+          requested_token_type: ShopifyAPI::Auth::TokenExchange::RequestedTokenType::OFFLINE_ACCESS_TOKEN,
+        )
+
+        assert_equal(expected_session, session)
+        assert_equal(@shop, session.shop)
+      end
+
       def test_exchange_token_expiring_offline_token
         modify_context(is_embedded: true, expiring_offline_access_tokens: true)
         stub_request(:post, "https://#{@shop}/admin/oauth/access_token")