Update package.json dependencies and add refresh token fields to Session model (#151)

### WHY are these changes introduced?

Adds support for refresh tokens in the Prisma session storage schema.

### WHAT is this pull request doing?

- Updates the Prisma schema to include `refreshToken` and `refreshTokenExpires` fields in the Session model
- Modifies the migration SQL to include these new fields
- Points package dependencies to local development versions for testing

### Test this PR

```bash
shopify app init --template=https://github.com/Shopify/shopify-app-template-react-router#<your-branch-name>
```

### Checklist

- [x] I have made changes to the `README.md` file and other related documentation, if applicable
- [x] I have added an entry to `CHANGELOG.md`
- [x] I'm aware I need to create a new release when this PR is merged

Author: fwaadahmad1

CHANGELOG.md

@@ -1,5 +1,9 @@
 # @shopify/shopify-app-template-react-router
 
+## 2025.12.11
+
+- [#151](https://github.com/Shopify/shopify-app-template-react-router/pull/151) Update `@shopify/shopify-app-react-router` to v1.1.0 and `@shopify/shopify-app-session-storage-prisma` to v8.0.0, add refresh token fields (`refreshToken` and `refreshTokenExpires`) to Session model in Prisma schema, and adopt the `expiringOfflineAccessTokens` flag for enhanced security through token rotation. See [expiring vs non-expiring offline tokens](https://shopify.dev/docs/apps/build/authentication-authorization/access-tokens/offline-access-tokens#expiring-vs-non-expiring-offline-tokens) for more information.
+
 ## 2025.10.10
 
 - [#95](https://github.com/Shopify/shopify-app-template-react-router/pull/95) Swap the product link for [admin intents](https://shopify.dev/docs/apps/build/admin/admin-intents).

app/shopify.server.ts

@@ -16,6 +16,9 @@ const shopify = shopifyApp({
   authPathPrefix: "/auth",
   sessionStorage: new PrismaSessionStorage(prisma),
   distribution: AppDistribution.AppStore,
+  future: {
+    expiringOfflineAccessTokens: true,
+  },
   ...(process.env.SHOP_CUSTOM_DOMAIN
     ? { customShopDomains: [process.env.SHOP_CUSTOM_DOMAIN] }
     : {}),

package.json

@@ -30,8 +30,8 @@
     "@react-router/node": "^7.9.3",
     "@react-router/serve": "^7.9.3",
     "@shopify/app-bridge-react": "^4.2.4",
-    "@shopify/shopify-app-react-router": "^1.0.0",
-    "@shopify/shopify-app-session-storage-prisma": "^7.0.0",
+    "@shopify/shopify-app-react-router": "^1.1.0",
+    "@shopify/shopify-app-session-storage-prisma": "^8.0.0",
     "isbot": "^5.1.31",
     "prisma": "^6.16.3",
     "react": "^18.3.1",

prisma/migrations/20240530213853_create_session_table/migration.sql

@@ -14,5 +14,7 @@ CREATE TABLE "Session" (
     "accountOwner" BOOLEAN NOT NULL DEFAULT false,
     "locale" TEXT,
     "collaborator" BOOLEAN DEFAULT false,
-    "emailVerified" BOOLEAN DEFAULT false
+    "emailVerified" BOOLEAN DEFAULT false,
+    "refreshToken" TEXT,
+    "refreshTokenExpires" DATETIME
 );

prisma/schema.prisma

@@ -29,4 +29,6 @@ model Session {
   locale        String?
   collaborator  Boolean?  @default(false)
   emailVerified Boolean?  @default(false)
+  refreshToken        String?
+  refreshTokenExpires DateTime?
 }