Shopify: GraphQL AdminGenerateSessionPayload is leaked to staff with no permission

@hiffley reported the ability to generate app tokens via the adminGenerateSession mutation in Shopify Admin, as a staff member with no permissions. This allowed for accessing a small subset of installed apps that are using this new flow including Shopify Email. Access was limited to the current...