@metamask-previews/profile-sync-controller 27.1.0-preview-ad4b7f24e → 27.1.0-preview-3b760ee09

package/CHANGELOG.md

@@ -20,10 +20,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+- **BREAKING:** Add client-side JWT `exp` claim validation to prevent stale cached tokens from being returned ([#8144](https://github.com/MetaMask/core/pull/8144))
+  - `validateLoginResponse` now decodes the JWT `exp` claim and rejects tokens that have actually expired, regardless of client-side TTL tracking (`obtainedAt`/`expiresIn`)
+  - Non-JWT access tokens are now rejected as invalid. In production this has no effect (access tokens are always JWTs from the OIDC server), but E2E test mocks that use raw identifier strings as access tokens must be updated. `getMockAuthAccessTokenResponse` now wraps identifiers in a JWT; consumers should use `getE2EIdentifierFromJwt` (newly exported) to extract the identifier from the bearer token in mock servers.
 - **BREAKING:** Standardize names of `AuthenticationController` and `UserStorageController` messenger action types ([#7976](https://github.com/MetaMask/core/pull/7976/))
   - All existing types for messenger actions have been renamed so they end in `Action` (e.g. `AuthenticationControllerPerformSignIn` -> `AuthenticationControllerPerformSignInAction`). You will need to update imports appropriately.
   - This change only affects the types. The action type strings themselves have not changed, so you do not need to update the list of actions you pass when initializing `AuthenticationController` and `UserStorageController` messengers.
 
+### Fixed
+
+- Fix `AuthenticationController` silently discarding tokens when `entropySourceId` is `undefined` ([#8144](https://github.com/MetaMask/core/pull/8144))
+  - `getBearerToken`, `getSessionProfile`, and `getUserProfileLineage` now resolve `undefined` `entropySourceId` to the primary SRP entropy source ID via the message-signing snap before delegating to the auth SDK
+  - This also eliminates a login deduplication race condition where `getBearerToken(undefined)` and `getBearerToken("primary-srp-id")` would trigger two independent OIDC logins for the same identity
+- Update `getUserProfileLineage` to accept an optional `entropySourceId` parameter ([#8144](https://github.com/MetaMask/core/pull/8144))
+
 ## [27.1.0]
 
 ### Changed

package/dist/controllers/authentication/AuthenticationController.cjs

@@ -10,7 +10,7 @@ var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
     return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
 };
-var _AuthenticationController_instances, _AuthenticationController_metametrics, _AuthenticationController_auth, _AuthenticationController_config, _AuthenticationController_isUnlocked, _AuthenticationController_keyringController, _AuthenticationController_getLoginResponseFromState, _AuthenticationController_setLoginResponseToState, _AuthenticationController_assertIsUnlocked, _AuthenticationController_snapGetPublicKey, _AuthenticationController_snapGetAllPublicKeys, _AuthenticationController__snapSignMessageCache, _AuthenticationController_snapSignMessage;
+var _AuthenticationController_instances, _AuthenticationController_metametrics, _AuthenticationController_auth, _AuthenticationController_config, _AuthenticationController_isUnlocked, _AuthenticationController_cachedPrimaryEntropySourceId, _AuthenticationController_keyringController, _AuthenticationController_getLoginResponseFromState, _AuthenticationController_setLoginResponseToState, _AuthenticationController_assertIsUnlocked, _AuthenticationController_getPrimaryEntropySourceId, _AuthenticationController_snapGetPublicKey, _AuthenticationController_snapGetAllPublicKeys, _AuthenticationController__snapSignMessageCache, _AuthenticationController_snapSignMessage;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AuthenticationController = exports.defaultState = void 0;
 const base_controller_1 = require("@metamask/base-controller");
@@ -79,6 +79,7 @@ class AuthenticationController extends base_controller_1.BaseController {
             env: sdk_1.Env.PRD,
         });
         _AuthenticationController_isUnlocked.set(this, false);
+        _AuthenticationController_cachedPrimaryEntropySourceId.set(this, void 0);
         _AuthenticationController_keyringController.set(this, {
             setupLockedStateSubscriptions: () => {
                 const { isUnlocked } = this.messenger.call('KeyringController:getState');
@@ -131,6 +132,7 @@ class AuthenticationController extends base_controller_1.BaseController {
         return accessTokens;
     }
     performSignOut() {
+        __classPrivateFieldSet(this, _AuthenticationController_cachedPrimaryEntropySourceId, undefined, "f");
         this.update((state) => {
             state.isSignedIn = false;
             state.srpSessionData = undefined;
@@ -144,7 +146,8 @@ class AuthenticationController extends base_controller_1.BaseController {
      */
     async getBearerToken(entropySourceId) {
         __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_assertIsUnlocked).call(this, 'getBearerToken');
-        return await __classPrivateFieldGet(this, _AuthenticationController_auth, "f").getAccessToken(entropySourceId);
+        const resolvedId = entropySourceId ?? (await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getPrimaryEntropySourceId).call(this));
+        return await __classPrivateFieldGet(this, _AuthenticationController_auth, "f").getAccessToken(resolvedId);
     }
     /**
      * Will return a session profile.
@@ -156,50 +159,59 @@ class AuthenticationController extends base_controller_1.BaseController {
      */
     async getSessionProfile(entropySourceId) {
         __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_assertIsUnlocked).call(this, 'getSessionProfile');
-        return await __classPrivateFieldGet(this, _AuthenticationController_auth, "f").getUserProfile(entropySourceId);
+        const resolvedId = entropySourceId ?? (await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getPrimaryEntropySourceId).call(this));
+        return await __classPrivateFieldGet(this, _AuthenticationController_auth, "f").getUserProfile(resolvedId);
     }
-    async getUserProfileLineage() {
+    async getUserProfileLineage(entropySourceId) {
         __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_assertIsUnlocked).call(this, 'getUserProfileLineage');
-        return await __classPrivateFieldGet(this, _AuthenticationController_auth, "f").getUserProfileLineage();
+        const resolvedId = entropySourceId ?? (await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getPrimaryEntropySourceId).call(this));
+        return await __classPrivateFieldGet(this, _AuthenticationController_auth, "f").getUserProfileLineage(resolvedId);
     }
     isSignedIn() {
         return this.state.isSignedIn;
     }
 }
 exports.AuthenticationController = AuthenticationController;
-_AuthenticationController_metametrics = new WeakMap(), _AuthenticationController_auth = new WeakMap(), _AuthenticationController_config = new WeakMap(), _AuthenticationController_isUnlocked = new WeakMap(), _AuthenticationController_keyringController = new WeakMap(), _AuthenticationController__snapSignMessageCache = new WeakMap(), _AuthenticationController_instances = new WeakSet(), _AuthenticationController_getLoginResponseFromState = async function _AuthenticationController_getLoginResponseFromState(entropySourceId) {
-    if (entropySourceId) {
-        if (!this.state.srpSessionData?.[entropySourceId]) {
-            return null;
-        }
-        return this.state.srpSessionData[entropySourceId];
-    }
-    const primarySrpLoginResponse = Object.values(this.state.srpSessionData || {})?.[0];
-    if (!primarySrpLoginResponse) {
+_AuthenticationController_metametrics = new WeakMap(), _AuthenticationController_auth = new WeakMap(), _AuthenticationController_config = new WeakMap(), _AuthenticationController_isUnlocked = new WeakMap(), _AuthenticationController_cachedPrimaryEntropySourceId = new WeakMap(), _AuthenticationController_keyringController = new WeakMap(), _AuthenticationController__snapSignMessageCache = new WeakMap(), _AuthenticationController_instances = new WeakSet(), _AuthenticationController_getLoginResponseFromState = async function _AuthenticationController_getLoginResponseFromState(entropySourceId) {
+    const resolvedId = entropySourceId ?? (await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getPrimaryEntropySourceId).call(this));
+    if (!this.state.srpSessionData?.[resolvedId]) {
         return null;
     }
-    return primarySrpLoginResponse;
+    return this.state.srpSessionData[resolvedId];
 }, _AuthenticationController_setLoginResponseToState = async function _AuthenticationController_setLoginResponseToState(loginResponse, entropySourceId) {
+    const resolvedId = entropySourceId ?? (await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getPrimaryEntropySourceId).call(this));
     const metaMetricsId = await __classPrivateFieldGet(this, _AuthenticationController_metametrics, "f").getMetaMetricsId();
     this.update((state) => {
-        if (entropySourceId) {
-            state.isSignedIn = true;
-            if (!state.srpSessionData) {
-                state.srpSessionData = {};
-            }
-            state.srpSessionData[entropySourceId] = {
-                ...loginResponse,
-                profile: {
-                    ...loginResponse.profile,
-                    metaMetricsId,
-                },
-            };
+        state.isSignedIn = true;
+        if (!state.srpSessionData) {
+            state.srpSessionData = {};
         }
+        state.srpSessionData[resolvedId] = {
+            ...loginResponse,
+            profile: {
+                ...loginResponse.profile,
+                metaMetricsId,
+            },
+        };
     });
 }, _AuthenticationController_assertIsUnlocked = function _AuthenticationController_assertIsUnlocked(methodName) {
     if (!__classPrivateFieldGet(this, _AuthenticationController_isUnlocked, "f")) {
         throw new Error(`${methodName} - unable to proceed, wallet is locked`);
     }
+}, _AuthenticationController_getPrimaryEntropySourceId = async function _AuthenticationController_getPrimaryEntropySourceId() {
+    if (__classPrivateFieldGet(this, _AuthenticationController_cachedPrimaryEntropySourceId, "f")) {
+        return __classPrivateFieldGet(this, _AuthenticationController_cachedPrimaryEntropySourceId, "f");
+    }
+    const allPublicKeys = await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_snapGetAllPublicKeys).call(this);
+    if (allPublicKeys.length === 0) {
+        throw new Error('#getPrimaryEntropySourceId - No entropy sources found from snap');
+    }
+    const primaryId = allPublicKeys[0][0];
+    if (!primaryId) {
+        throw new Error('#getPrimaryEntropySourceId - Primary entropy source ID is undefined');
+    }
+    __classPrivateFieldSet(this, _AuthenticationController_cachedPrimaryEntropySourceId, primaryId, "f");
+    return __classPrivateFieldGet(this, _AuthenticationController_cachedPrimaryEntropySourceId, "f");
 }, _AuthenticationController_snapGetPublicKey = 
 /**
  * Returns the auth snap public key.

package/dist/controllers/authentication/AuthenticationController.cjs.map

@@ -1 +1 @@
-{"version":3,"file":"AuthenticationController.cjs","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,+DAA2D;AAe3D,iEAI8B;AAQ9B,6CAKmB;AAGnB,MAAM,cAAc,GAAG,0BAA0B,CAAC;AAOrC,QAAA,YAAY,GAAkC;IACzD,UAAU,EAAE,KAAK;CAClB,CAAC;AACF,MAAM,QAAQ,GAAiD;IAC7D,UAAU,EAAE;QACV,kBAAkB,EAAE,IAAI;QACxB,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,IAAI;QAC5B,QAAQ,EAAE,IAAI;KACf;IACD,cAAc,EAAE;QACd,sCAAsC;QACtC,kBAAkB,EAAE,CAAC,cAAc,EAAE,EAAE;YACrC,4FAA4F;YAC5F,2FAA2F;YAC3F,mEAAmE;YACnE,kEAAkE;YAClE,oDAAoD;YACpD,IAAI,cAAc,KAAK,IAAI,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;gBAC5D,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,MAAM,CAC1C,CAAC,uBAAuB,EAAE,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;gBACxC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,uBAAuB,EAAE,GACxD,KAAK,CAAC,KAAK,CAAC;gBACd,uBAAuB,CAAC,GAAG,CAAC,GAAG;oBAC7B,GAAG,KAAK;oBACR,KAAK,EAAE,uBAAuB;iBAC/B,CAAC;gBACF,OAAO,uBAAuB,CAAC;YACjC,CAAC,EACD,EAAE,CACH,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,KAAK;QAC7B,QAAQ,EAAE,IAAI;KACf;CACF,CAAC;AAMF,MAAM,yBAAyB,GAAG;IAChC,eAAe;IACf,gBAAgB;IAChB,gBAAgB;IAChB,mBAAmB;IACnB,uBAAuB;IACvB,YAAY;CACJ,CAAC;AA+BX;;;GAGG;AACH,MAAa,wBAAyB,SAAQ,gCAI7C;IA0BC,YAAY,EACV,SAAS,EACT,KAAK,EACL,MAAM,EACN,WAAW,GAUZ;QACC,KAAK,CAAC;YACJ,SAAS;YACT,QAAQ;YACR,IAAI,EAAE,cAAc;YACpB,KAAK,EAAE,EAAE,GAAG,oBAAY,EAAE,GAAG,KAAK,EAAE;SACrC,CAAC,CAAC;;QA7CI,wDAA8B;QAE9B,iDAAoB;QAEpB,2CAA4B;YACnC,GAAG,EAAE,SAAG,CAAC,GAAG;SACb,EAAC;QAEF,+CAAc,KAAK,EAAC;QAEX,sDAAqB;YAC5B,6BAA6B,EAAE,GAAG,EAAE;gBAClC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;gBACzE,uBAAA,IAAI,wCAAe,UAAU,MAAA,CAAC;gBAE9B,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,0BAA0B,EAAE,GAAG,EAAE;oBACxD,uBAAA,IAAI,wCAAe,IAAI,MAAA,CAAC;gBAC1B,CAAC,CAAC,CAAC;gBAEH,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,wBAAwB,EAAE,GAAG,EAAE;oBACtD,uBAAA,IAAI,wCAAe,KAAK,MAAA,CAAC;gBAC3B,CAAC,CAAC,CAAC;YACL,CAAC;SACF,EAAC;QA4MF,0DAA+D,EAAE,EAAC;QApLhE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,uBAAA,IAAI,oCAAW;YACb,GAAG,uBAAA,IAAI,wCAAQ;YACf,GAAG,MAAM;SACV,MAAA,CAAC;QAEF,uBAAA,IAAI,yCAAgB,WAAW,MAAA,CAAC;QAEhC,uBAAA,IAAI,kCAAS,IAAI,mBAAa,CAC5B;YACE,GAAG,EAAE,uBAAA,IAAI,wCAAQ,CAAC,GAAG;YACrB,QAAQ,EAAE,WAAW,CAAC,KAAK;YAC3B,IAAI,EAAE,cAAQ,CAAC,GAAG;SACnB,EACD;YACE,OAAO,EAAE;gBACP,gBAAgB,EAAE,uBAAA,IAAI,gGAA2B,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC5D,gBAAgB,EAAE,uBAAA,IAAI,8FAAyB,CAAC,IAAI,CAAC,IAAI,CAAC;aAC3D;YACD,OAAO,EAAE;gBACP,aAAa,EAAE,uBAAA,IAAI,uFAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAChD,WAAW,EAAE,uBAAA,IAAI,sFAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;aAC9C;YACD,WAAW,EAAE,uBAAA,IAAI,6CAAa;SAC/B,CACF,MAAA,CAAC;QAEF,uBAAA,IAAI,mDAAmB,CAAC,6BAA6B,EAAE,CAAC;QAExD,IAAI,CAAC,SAAS,CAAC,4BAA4B,CACzC,IAAI,EACJ,yBAAyB,CAC1B,CAAC;IACJ,CAAC;IAmDM,KAAK,CAAC,aAAa;QACxB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,eAAe,CAAC,CAAC;QAExC,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,CAAwB,CAAC;QACzD,MAAM,YAAY,GAAG,EAAE,CAAC;QAExB,mEAAmE;QACnE,oCAAoC;QACpC,KAAK,MAAM,CAAC,eAAe,CAAC,IAAI,aAAa,EAAE,CAAC;YAC9C,MAAM,WAAW,GAAG,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;YACrE,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACjC,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAEM,cAAc;QACnB,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC;YACzB,KAAK,CAAC,cAAc,GAAG,SAAS,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IAEI,KAAK,CAAC,cAAc,CAAC,eAAwB;QAClD,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,gBAAgB,CAAC,CAAC;QACzC,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;IAC1D,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,iBAAiB,CAC5B,eAAwB;QAExB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,mBAAmB,CAAC,CAAC;QAC5C,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;IAC1D,CAAC;IAEM,KAAK,CAAC,qBAAqB;QAChC,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,uBAAuB,CAAC,CAAC;QAChD,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,qBAAqB,EAAE,CAAC;IAClD,CAAC;IAEM,UAAU;QACf,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;IAC/B,CAAC;CAmEF;AAvQD,4DAuQC;wbA7KC,KAAK,8DACH,eAAwB;IAExB,IAAI,eAAe,EAAE,CAAC;QACpB,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,eAAe,CAAC,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,uBAAuB,GAAG,MAAM,CAAC,MAAM,CAC3C,IAAI,CAAC,KAAK,CAAC,cAAc,IAAI,EAAE,CAChC,EAAE,CAAC,CAAC,CAAC,CAAC;IAEP,IAAI,CAAC,uBAAuB,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC,sDAED,KAAK,4DACH,aAA4B,EAC5B,eAAwB;IAExB,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6CAAa,CAAC,gBAAgB,EAAE,CAAC;IACjE,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpB,IAAI,eAAe,EAAE,CAAC;YACpB,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC;YACxB,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;gBAC1B,KAAK,CAAC,cAAc,GAAG,EAAE,CAAC;YAC5B,CAAC;YACD,KAAK,CAAC,cAAc,CAAC,eAAe,CAAC,GAAG;gBACtC,GAAG,aAAa;gBAChB,OAAO,EAAE;oBACP,GAAG,aAAa,CAAC,OAAO;oBACxB,aAAa;iBACd;aACF,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,mGAEiB,UAAkB;IAClC,IAAI,CAAC,uBAAA,IAAI,4CAAY,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,GAAG,UAAU,wCAAwC,CAAC,CAAC;IACzE,CAAC;AACH,CAAC;AA6DD;;;;;;GAMG;AACH,KAAK,qDAAmB,eAAwB;IAC9C,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,mBAAmB,CAAC,CAAC;IAE5C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,IAAA,+CAA0B,EAAC,eAAe,CAAC,CAC5C,CAAW,CAAC;IAEb,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,KAAK;IACH,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,uBAAuB,CAAC,CAAC;IAEhD,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,IAAA,mDAA8B,GAAE,CACjC,CAAuB,CAAC;IAEzB,OAAO,MAAM,CAAC;AAChB,CAAC;AAID;;;;;;;GAOG;AACH,KAAK,oDACH,OAAe,EACf,eAAwB;IAExB,IAAA,qCAA+B,EAAC,OAAO,CAAC,CAAC;IAEzC,IAAI,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,OAAO,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IAED,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,kBAAkB,CAAC,CAAC;IAE3C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,IAAA,iDAA4B,EAAC,OAAO,EAAE,eAAe,CAAC,CACvD,CAAW,CAAC;IAEb,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC;IAE9C,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["import { BaseController } from '@metamask/base-controller';\nimport type {\n  ControllerGetStateAction,\n  ControllerStateChangeEvent,\n  StateMetadata,\n} from '@metamask/base-controller';\nimport type {\n  KeyringControllerGetStateAction,\n  KeyringControllerLockEvent,\n  KeyringControllerUnlockEvent,\n} from '@metamask/keyring-controller';\nimport type { Messenger } from '@metamask/messenger';\nimport type { HandleSnapRequest } from '@metamask/snaps-controllers';\nimport type { Json } from '@metamask/utils';\n\nimport {\n  createSnapPublicKeyRequest,\n  createSnapAllPublicKeysRequest,\n  createSnapSignMessageRequest,\n} from './auth-snap-requests';\nimport { AuthenticationControllerMethodActions } from './AuthenticationController-method-action-types';\nimport type {\n  LoginResponse,\n  SRPInterface,\n  UserProfile,\n  UserProfileLineage,\n} from '../../sdk';\nimport {\n  assertMessageStartsWithMetamask,\n  AuthType,\n  Env,\n  JwtBearerAuth,\n} from '../../sdk';\nimport type { MetaMetricsAuth } from '../../shared/types/services';\n\nconst controllerName = 'AuthenticationController';\n\n// State\nexport type AuthenticationControllerState = {\n  isSignedIn: boolean;\n  srpSessionData?: Record<string, LoginResponse>;\n};\nexport const defaultState: AuthenticationControllerState = {\n  isSignedIn: false,\n};\nconst metadata: StateMetadata<AuthenticationControllerState> = {\n  isSignedIn: {\n    includeInStateLogs: true,\n    persist: true,\n    includeInDebugSnapshot: true,\n    usedInUi: true,\n  },\n  srpSessionData: {\n    // Remove access token from state logs\n    includeInStateLogs: (srpSessionData) => {\n      // Unreachable branch, included just to fix a type error for the case where this property is\n      // unset. The type gets collapsed to include `| undefined` even though `undefined` is never\n      // set here, because we don't yet use `exactOptionalPropertyTypes`.\n      // TODO: Remove branch after enabling `exactOptionalPropertyTypes`\n      // ref: https://github.com/MetaMask/core/issues/6565\n      if (srpSessionData === null || srpSessionData === undefined) {\n        return null;\n      }\n      return Object.entries(srpSessionData).reduce<Record<string, Json>>(\n        (sanitizedSrpSessionData, [key, value]) => {\n          const { accessToken: _unused, ...tokenWithoutAccessToken } =\n            value.token;\n          sanitizedSrpSessionData[key] = {\n            ...value,\n            token: tokenWithoutAccessToken,\n          };\n          return sanitizedSrpSessionData;\n        },\n        {},\n      );\n    },\n    persist: true,\n    includeInDebugSnapshot: false,\n    usedInUi: true,\n  },\n};\n\ntype ControllerConfig = {\n  env: Env;\n};\n\nconst MESSENGER_EXPOSED_METHODS = [\n  'performSignIn',\n  'performSignOut',\n  'getBearerToken',\n  'getSessionProfile',\n  'getUserProfileLineage',\n  'isSignedIn',\n] as const;\n\nexport type Actions =\n  | AuthenticationControllerGetStateAction\n  | AuthenticationControllerMethodActions;\n\nexport type AuthenticationControllerGetStateAction = ControllerGetStateAction<\n  typeof controllerName,\n  AuthenticationControllerState\n>;\n\nexport type AuthenticationControllerStateChangeEvent =\n  ControllerStateChangeEvent<\n    typeof controllerName,\n    AuthenticationControllerState\n  >;\n\nexport type Events = AuthenticationControllerStateChangeEvent;\n\n// Allowed Actions\ntype AllowedActions = HandleSnapRequest | KeyringControllerGetStateAction;\n\ntype AllowedEvents = KeyringControllerLockEvent | KeyringControllerUnlockEvent;\n\n// Messenger\nexport type AuthenticationControllerMessenger = Messenger<\n  typeof controllerName,\n  Actions | AllowedActions,\n  Events | AllowedEvents\n>;\n\n/**\n * Controller that enables authentication for restricted endpoints.\n * Used for Backup & Sync, Notifications, and other services.\n */\nexport class AuthenticationController extends BaseController<\n  typeof controllerName,\n  AuthenticationControllerState,\n  AuthenticationControllerMessenger\n> {\n  readonly #metametrics: MetaMetricsAuth;\n\n  readonly #auth: SRPInterface;\n\n  readonly #config: ControllerConfig = {\n    env: Env.PRD,\n  };\n\n  #isUnlocked = false;\n\n  readonly #keyringController = {\n    setupLockedStateSubscriptions: () => {\n      const { isUnlocked } = this.messenger.call('KeyringController:getState');\n      this.#isUnlocked = isUnlocked;\n\n      this.messenger.subscribe('KeyringController:unlock', () => {\n        this.#isUnlocked = true;\n      });\n\n      this.messenger.subscribe('KeyringController:lock', () => {\n        this.#isUnlocked = false;\n      });\n    },\n  };\n\n  constructor({\n    messenger,\n    state,\n    config,\n    metametrics,\n  }: {\n    messenger: AuthenticationControllerMessenger;\n    state?: AuthenticationControllerState;\n    config?: Partial<ControllerConfig>;\n    /**\n     * Not using the Messaging System as we\n     * do not want to tie this strictly to extension\n     */\n    metametrics: MetaMetricsAuth;\n  }) {\n    super({\n      messenger,\n      metadata,\n      name: controllerName,\n      state: { ...defaultState, ...state },\n    });\n\n    if (!metametrics) {\n      throw new Error('`metametrics` field is required');\n    }\n\n    this.#config = {\n      ...this.#config,\n      ...config,\n    };\n\n    this.#metametrics = metametrics;\n\n    this.#auth = new JwtBearerAuth(\n      {\n        env: this.#config.env,\n        platform: metametrics.agent,\n        type: AuthType.SRP,\n      },\n      {\n        storage: {\n          getLoginResponse: this.#getLoginResponseFromState.bind(this),\n          setLoginResponse: this.#setLoginResponseToState.bind(this),\n        },\n        signing: {\n          getIdentifier: this.#snapGetPublicKey.bind(this),\n          signMessage: this.#snapSignMessage.bind(this),\n        },\n        metametrics: this.#metametrics,\n      },\n    );\n\n    this.#keyringController.setupLockedStateSubscriptions();\n\n    this.messenger.registerMethodActionHandlers(\n      this,\n      MESSENGER_EXPOSED_METHODS,\n    );\n  }\n\n  async #getLoginResponseFromState(\n    entropySourceId?: string,\n  ): Promise<LoginResponse | null> {\n    if (entropySourceId) {\n      if (!this.state.srpSessionData?.[entropySourceId]) {\n        return null;\n      }\n      return this.state.srpSessionData[entropySourceId];\n    }\n\n    const primarySrpLoginResponse = Object.values(\n      this.state.srpSessionData || {},\n    )?.[0];\n\n    if (!primarySrpLoginResponse) {\n      return null;\n    }\n\n    return primarySrpLoginResponse;\n  }\n\n  async #setLoginResponseToState(\n    loginResponse: LoginResponse,\n    entropySourceId?: string,\n  ) {\n    const metaMetricsId = await this.#metametrics.getMetaMetricsId();\n    this.update((state) => {\n      if (entropySourceId) {\n        state.isSignedIn = true;\n        if (!state.srpSessionData) {\n          state.srpSessionData = {};\n        }\n        state.srpSessionData[entropySourceId] = {\n          ...loginResponse,\n          profile: {\n            ...loginResponse.profile,\n            metaMetricsId,\n          },\n        };\n      }\n    });\n  }\n\n  #assertIsUnlocked(methodName: string): void {\n    if (!this.#isUnlocked) {\n      throw new Error(`${methodName} - unable to proceed, wallet is locked`);\n    }\n  }\n\n  public async performSignIn(): Promise<string[]> {\n    this.#assertIsUnlocked('performSignIn');\n\n    const allPublicKeys = await this.#snapGetAllPublicKeys();\n    const accessTokens = [];\n\n    // We iterate sequentially in order to be sure that the first entry\n    // is the primary SRP LoginResponse.\n    for (const [entropySourceId] of allPublicKeys) {\n      const accessToken = await this.#auth.getAccessToken(entropySourceId);\n      accessTokens.push(accessToken);\n    }\n\n    return accessTokens;\n  }\n\n  public performSignOut(): void {\n    this.update((state) => {\n      state.isSignedIn = false;\n      state.srpSessionData = undefined;\n    });\n  }\n\n  /**\n   * Will return a bearer token.\n   * Logs a user in if a user is not logged in.\n   *\n   * @returns profile for the session.\n   */\n\n  public async getBearerToken(entropySourceId?: string): Promise<string> {\n    this.#assertIsUnlocked('getBearerToken');\n    return await this.#auth.getAccessToken(entropySourceId);\n  }\n\n  /**\n   * Will return a session profile.\n   * Logs a user in if a user is not logged in.\n   *\n   * @param entropySourceId - The entropy source ID used to derive the key,\n   * when multiple sources are available (Multi-SRP).\n   * @returns profile for the session.\n   */\n  public async getSessionProfile(\n    entropySourceId?: string,\n  ): Promise<UserProfile> {\n    this.#assertIsUnlocked('getSessionProfile');\n    return await this.#auth.getUserProfile(entropySourceId);\n  }\n\n  public async getUserProfileLineage(): Promise<UserProfileLineage> {\n    this.#assertIsUnlocked('getUserProfileLineage');\n    return await this.#auth.getUserProfileLineage();\n  }\n\n  public isSignedIn(): boolean {\n    return this.state.isSignedIn;\n  }\n\n  /**\n   * Returns the auth snap public key.\n   *\n   * @param entropySourceId - The entropy source ID used to derive the key,\n   * when multiple sources are available (Multi-SRP).\n   * @returns The snap public key.\n   */\n  async #snapGetPublicKey(entropySourceId?: string): Promise<string> {\n    this.#assertIsUnlocked('#snapGetPublicKey');\n\n    const result = (await this.messenger.call(\n      'SnapController:handleRequest',\n      createSnapPublicKeyRequest(entropySourceId),\n    )) as string;\n\n    return result;\n  }\n\n  /**\n   * Returns a mapping of entropy source IDs to auth snap public keys.\n   *\n   * @returns A mapping of entropy source IDs to public keys.\n   */\n  async #snapGetAllPublicKeys(): Promise<[string, string][]> {\n    this.#assertIsUnlocked('#snapGetAllPublicKeys');\n\n    const result = (await this.messenger.call(\n      'SnapController:handleRequest',\n      createSnapAllPublicKeysRequest(),\n    )) as [string, string][];\n\n    return result;\n  }\n\n  #_snapSignMessageCache: Record<`metamask:${string}`, string> = {};\n\n  /**\n   * Signs a specific message using an underlying auth snap.\n   *\n   * @param message - A specific tagged message to sign.\n   * @param entropySourceId - The entropy source ID used to derive the key,\n   * when multiple sources are available (Multi-SRP).\n   * @returns A Signature created by the snap.\n   */\n  async #snapSignMessage(\n    message: string,\n    entropySourceId?: string,\n  ): Promise<string> {\n    assertMessageStartsWithMetamask(message);\n\n    if (this.#_snapSignMessageCache[message]) {\n      return this.#_snapSignMessageCache[message];\n    }\n\n    this.#assertIsUnlocked('#snapSignMessage');\n\n    const result = (await this.messenger.call(\n      'SnapController:handleRequest',\n      createSnapSignMessageRequest(message, entropySourceId),\n    )) as string;\n\n    this.#_snapSignMessageCache[message] = result;\n\n    return result;\n  }\n}\n"]}
+{"version":3,"file":"AuthenticationController.cjs","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,+DAA2D;AAe3D,iEAI8B;AAQ9B,6CAKmB;AAGnB,MAAM,cAAc,GAAG,0BAA0B,CAAC;AAOrC,QAAA,YAAY,GAAkC;IACzD,UAAU,EAAE,KAAK;CAClB,CAAC;AACF,MAAM,QAAQ,GAAiD;IAC7D,UAAU,EAAE;QACV,kBAAkB,EAAE,IAAI;QACxB,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,IAAI;QAC5B,QAAQ,EAAE,IAAI;KACf;IACD,cAAc,EAAE;QACd,sCAAsC;QACtC,kBAAkB,EAAE,CAAC,cAAc,EAAE,EAAE;YACrC,4FAA4F;YAC5F,2FAA2F;YAC3F,mEAAmE;YACnE,kEAAkE;YAClE,oDAAoD;YACpD,IAAI,cAAc,KAAK,IAAI,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;gBAC5D,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,MAAM,CAC1C,CAAC,uBAAuB,EAAE,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;gBACxC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,uBAAuB,EAAE,GACxD,KAAK,CAAC,KAAK,CAAC;gBACd,uBAAuB,CAAC,GAAG,CAAC,GAAG;oBAC7B,GAAG,KAAK;oBACR,KAAK,EAAE,uBAAuB;iBAC/B,CAAC;gBACF,OAAO,uBAAuB,CAAC;YACjC,CAAC,EACD,EAAE,CACH,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,KAAK;QAC7B,QAAQ,EAAE,IAAI;KACf;CACF,CAAC;AAMF,MAAM,yBAAyB,GAAG;IAChC,eAAe;IACf,gBAAgB;IAChB,gBAAgB;IAChB,mBAAmB;IACnB,uBAAuB;IACvB,YAAY;CACJ,CAAC;AA+BX;;;GAGG;AACH,MAAa,wBAAyB,SAAQ,gCAI7C;IA4BC,YAAY,EACV,SAAS,EACT,KAAK,EACL,MAAM,EACN,WAAW,GAUZ;QACC,KAAK,CAAC;YACJ,SAAS;YACT,QAAQ;YACR,IAAI,EAAE,cAAc;YACpB,KAAK,EAAE,EAAE,GAAG,oBAAY,EAAE,GAAG,KAAK,EAAE;SACrC,CAAC,CAAC;;QA/CI,wDAA8B;QAE9B,iDAAoB;QAEpB,2CAA4B;YACnC,GAAG,EAAE,SAAG,CAAC,GAAG;SACb,EAAC;QAEF,+CAAc,KAAK,EAAC;QAEpB,yEAAuC;QAE9B,sDAAqB;YAC5B,6BAA6B,EAAE,GAAG,EAAE;gBAClC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;gBACzE,uBAAA,IAAI,wCAAe,UAAU,MAAA,CAAC;gBAE9B,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,0BAA0B,EAAE,GAAG,EAAE;oBACxD,uBAAA,IAAI,wCAAe,IAAI,MAAA,CAAC;gBAC1B,CAAC,CAAC,CAAC;gBAEH,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,wBAAwB,EAAE,GAAG,EAAE;oBACtD,uBAAA,IAAI,wCAAe,KAAK,MAAA,CAAC;gBAC3B,CAAC,CAAC,CAAC;YACL,CAAC;SACF,EAAC;QAkOF,0DAA+D,EAAE,EAAC;QA1MhE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,uBAAA,IAAI,oCAAW;YACb,GAAG,uBAAA,IAAI,wCAAQ;YACf,GAAG,MAAM;SACV,MAAA,CAAC;QAEF,uBAAA,IAAI,yCAAgB,WAAW,MAAA,CAAC;QAEhC,uBAAA,IAAI,kCAAS,IAAI,mBAAa,CAC5B;YACE,GAAG,EAAE,uBAAA,IAAI,wCAAQ,CAAC,GAAG;YACrB,QAAQ,EAAE,WAAW,CAAC,KAAK;YAC3B,IAAI,EAAE,cAAQ,CAAC,GAAG;SACnB,EACD;YACE,OAAO,EAAE;gBACP,gBAAgB,EAAE,uBAAA,IAAI,gGAA2B,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC5D,gBAAgB,EAAE,uBAAA,IAAI,8FAAyB,CAAC,IAAI,CAAC,IAAI,CAAC;aAC3D;YACD,OAAO,EAAE;gBACP,aAAa,EAAE,uBAAA,IAAI,uFAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAChD,WAAW,EAAE,uBAAA,IAAI,sFAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;aAC9C;YACD,WAAW,EAAE,uBAAA,IAAI,6CAAa;SAC/B,CACF,MAAA,CAAC;QAEF,uBAAA,IAAI,mDAAmB,CAAC,6BAA6B,EAAE,CAAC;QAExD,IAAI,CAAC,SAAS,CAAC,4BAA4B,CACzC,IAAI,EACJ,yBAAyB,CAC1B,CAAC;IACJ,CAAC;IAgEM,KAAK,CAAC,aAAa;QACxB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,eAAe,CAAC,CAAC;QAExC,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,CAAwB,CAAC;QACzD,MAAM,YAAY,GAAG,EAAE,CAAC;QAExB,mEAAmE;QACnE,oCAAoC;QACpC,KAAK,MAAM,CAAC,eAAe,CAAC,IAAI,aAAa,EAAE,CAAC;YAC9C,MAAM,WAAW,GAAG,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;YACrE,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACjC,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAEM,cAAc;QACnB,uBAAA,IAAI,0DAAiC,SAAS,MAAA,CAAC;QAC/C,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC;YACzB,KAAK,CAAC,cAAc,GAAG,SAAS,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IAEI,KAAK,CAAC,cAAc,CAAC,eAAwB;QAClD,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,gBAAgB,CAAC,CAAC;QACzC,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,iBAAiB,CAC5B,eAAwB;QAExB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,mBAAmB,CAAC,CAAC;QAC5C,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC;IAEM,KAAK,CAAC,qBAAqB,CAChC,eAAwB;QAExB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,uBAAuB,CAAC,CAAC;QAChD,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAAC;IAC5D,CAAC;IAEM,UAAU;QACf,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;IAC/B,CAAC;CAmEF;AA/RD,4DA+RC;ggBAnMC,KAAK,8DACH,eAAwB;IAExB,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;IAC/D,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;AAC/C,CAAC,sDAED,KAAK,4DACH,aAA4B,EAC5B,eAAwB;IAExB,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;IAC/D,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6CAAa,CAAC,gBAAgB,EAAE,CAAC;IACjE,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpB,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC;QACxB,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;YAC1B,KAAK,CAAC,cAAc,GAAG,EAAE,CAAC;QAC5B,CAAC;QACD,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG;YACjC,GAAG,aAAa;YAChB,OAAO,EAAE;gBACP,GAAG,aAAa,CAAC,OAAO;gBACxB,aAAa;aACd;SACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,mGAEiB,UAAkB;IAClC,IAAI,CAAC,uBAAA,IAAI,4CAAY,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,GAAG,UAAU,wCAAwC,CAAC,CAAC;IACzE,CAAC;AACH,CAAC,wDAED,KAAK;IACH,IAAI,uBAAA,IAAI,8DAA8B,EAAE,CAAC;QACvC,OAAO,uBAAA,IAAI,8DAA8B,CAAC;IAC5C,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,CAAwB,CAAC;IAEzD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CACb,iEAAiE,CAClE,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACtC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,qEAAqE,CACtE,CAAC;IACJ,CAAC;IAED,uBAAA,IAAI,0DAAiC,SAAS,MAAA,CAAC;IAC/C,OAAO,uBAAA,IAAI,8DAA8B,CAAC;AAC5C,CAAC;AAsED;;;;;;GAMG;AACH,KAAK,qDAAmB,eAAwB;IAC9C,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,mBAAmB,CAAC,CAAC;IAE5C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,IAAA,+CAA0B,EAAC,eAAe,CAAC,CAC5C,CAAW,CAAC;IAEb,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,KAAK;IACH,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,uBAAuB,CAAC,CAAC;IAEhD,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,IAAA,mDAA8B,GAAE,CACjC,CAAuB,CAAC;IAEzB,OAAO,MAAM,CAAC;AAChB,CAAC;AAID;;;;;;;GAOG;AACH,KAAK,oDACH,OAAe,EACf,eAAwB;IAExB,IAAA,qCAA+B,EAAC,OAAO,CAAC,CAAC;IAEzC,IAAI,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,OAAO,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IAED,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,kBAAkB,CAAC,CAAC;IAE3C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,IAAA,iDAA4B,EAAC,OAAO,EAAE,eAAe,CAAC,CACvD,CAAW,CAAC;IAEb,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC;IAE9C,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["import { BaseController } from '@metamask/base-controller';\nimport type {\n  ControllerGetStateAction,\n  ControllerStateChangeEvent,\n  StateMetadata,\n} from '@metamask/base-controller';\nimport type {\n  KeyringControllerGetStateAction,\n  KeyringControllerLockEvent,\n  KeyringControllerUnlockEvent,\n} from '@metamask/keyring-controller';\nimport type { Messenger } from '@metamask/messenger';\nimport type { HandleSnapRequest } from '@metamask/snaps-controllers';\nimport type { Json } from '@metamask/utils';\n\nimport {\n  createSnapPublicKeyRequest,\n  createSnapAllPublicKeysRequest,\n  createSnapSignMessageRequest,\n} from './auth-snap-requests';\nimport { AuthenticationControllerMethodActions } from './AuthenticationController-method-action-types';\nimport type {\n  LoginResponse,\n  SRPInterface,\n  UserProfile,\n  UserProfileLineage,\n} from '../../sdk';\nimport {\n  assertMessageStartsWithMetamask,\n  AuthType,\n  Env,\n  JwtBearerAuth,\n} from '../../sdk';\nimport type { MetaMetricsAuth } from '../../shared/types/services';\n\nconst controllerName = 'AuthenticationController';\n\n// State\nexport type AuthenticationControllerState = {\n  isSignedIn: boolean;\n  srpSessionData?: Record<string, LoginResponse>;\n};\nexport const defaultState: AuthenticationControllerState = {\n  isSignedIn: false,\n};\nconst metadata: StateMetadata<AuthenticationControllerState> = {\n  isSignedIn: {\n    includeInStateLogs: true,\n    persist: true,\n    includeInDebugSnapshot: true,\n    usedInUi: true,\n  },\n  srpSessionData: {\n    // Remove access token from state logs\n    includeInStateLogs: (srpSessionData) => {\n      // Unreachable branch, included just to fix a type error for the case where this property is\n      // unset. The type gets collapsed to include `| undefined` even though `undefined` is never\n      // set here, because we don't yet use `exactOptionalPropertyTypes`.\n      // TODO: Remove branch after enabling `exactOptionalPropertyTypes`\n      // ref: https://github.com/MetaMask/core/issues/6565\n      if (srpSessionData === null || srpSessionData === undefined) {\n        return null;\n      }\n      return Object.entries(srpSessionData).reduce<Record<string, Json>>(\n        (sanitizedSrpSessionData, [key, value]) => {\n          const { accessToken: _unused, ...tokenWithoutAccessToken } =\n            value.token;\n          sanitizedSrpSessionData[key] = {\n            ...value,\n            token: tokenWithoutAccessToken,\n          };\n          return sanitizedSrpSessionData;\n        },\n        {},\n      );\n    },\n    persist: true,\n    includeInDebugSnapshot: false,\n    usedInUi: true,\n  },\n};\n\ntype ControllerConfig = {\n  env: Env;\n};\n\nconst MESSENGER_EXPOSED_METHODS = [\n  'performSignIn',\n  'performSignOut',\n  'getBearerToken',\n  'getSessionProfile',\n  'getUserProfileLineage',\n  'isSignedIn',\n] as const;\n\nexport type Actions =\n  | AuthenticationControllerGetStateAction\n  | AuthenticationControllerMethodActions;\n\nexport type AuthenticationControllerGetStateAction = ControllerGetStateAction<\n  typeof controllerName,\n  AuthenticationControllerState\n>;\n\nexport type AuthenticationControllerStateChangeEvent =\n  ControllerStateChangeEvent<\n    typeof controllerName,\n    AuthenticationControllerState\n  >;\n\nexport type Events = AuthenticationControllerStateChangeEvent;\n\n// Allowed Actions\ntype AllowedActions = HandleSnapRequest | KeyringControllerGetStateAction;\n\ntype AllowedEvents = KeyringControllerLockEvent | KeyringControllerUnlockEvent;\n\n// Messenger\nexport type AuthenticationControllerMessenger = Messenger<\n  typeof controllerName,\n  Actions | AllowedActions,\n  Events | AllowedEvents\n>;\n\n/**\n * Controller that enables authentication for restricted endpoints.\n * Used for Backup & Sync, Notifications, and other services.\n */\nexport class AuthenticationController extends BaseController<\n  typeof controllerName,\n  AuthenticationControllerState,\n  AuthenticationControllerMessenger\n> {\n  readonly #metametrics: MetaMetricsAuth;\n\n  readonly #auth: SRPInterface;\n\n  readonly #config: ControllerConfig = {\n    env: Env.PRD,\n  };\n\n  #isUnlocked = false;\n\n  #cachedPrimaryEntropySourceId?: string;\n\n  readonly #keyringController = {\n    setupLockedStateSubscriptions: () => {\n      const { isUnlocked } = this.messenger.call('KeyringController:getState');\n      this.#isUnlocked = isUnlocked;\n\n      this.messenger.subscribe('KeyringController:unlock', () => {\n        this.#isUnlocked = true;\n      });\n\n      this.messenger.subscribe('KeyringController:lock', () => {\n        this.#isUnlocked = false;\n      });\n    },\n  };\n\n  constructor({\n    messenger,\n    state,\n    config,\n    metametrics,\n  }: {\n    messenger: AuthenticationControllerMessenger;\n    state?: AuthenticationControllerState;\n    config?: Partial<ControllerConfig>;\n    /**\n     * Not using the Messaging System as we\n     * do not want to tie this strictly to extension\n     */\n    metametrics: MetaMetricsAuth;\n  }) {\n    super({\n      messenger,\n      metadata,\n      name: controllerName,\n      state: { ...defaultState, ...state },\n    });\n\n    if (!metametrics) {\n      throw new Error('`metametrics` field is required');\n    }\n\n    this.#config = {\n      ...this.#config,\n      ...config,\n    };\n\n    this.#metametrics = metametrics;\n\n    this.#auth = new JwtBearerAuth(\n      {\n        env: this.#config.env,\n        platform: metametrics.agent,\n        type: AuthType.SRP,\n      },\n      {\n        storage: {\n          getLoginResponse: this.#getLoginResponseFromState.bind(this),\n          setLoginResponse: this.#setLoginResponseToState.bind(this),\n        },\n        signing: {\n          getIdentifier: this.#snapGetPublicKey.bind(this),\n          signMessage: this.#snapSignMessage.bind(this),\n        },\n        metametrics: this.#metametrics,\n      },\n    );\n\n    this.#keyringController.setupLockedStateSubscriptions();\n\n    this.messenger.registerMethodActionHandlers(\n      this,\n      MESSENGER_EXPOSED_METHODS,\n    );\n  }\n\n  async #getLoginResponseFromState(\n    entropySourceId?: string,\n  ): Promise<LoginResponse | null> {\n    const resolvedId =\n      entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n    if (!this.state.srpSessionData?.[resolvedId]) {\n      return null;\n    }\n    return this.state.srpSessionData[resolvedId];\n  }\n\n  async #setLoginResponseToState(\n    loginResponse: LoginResponse,\n    entropySourceId?: string,\n  ) {\n    const resolvedId =\n      entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n    const metaMetricsId = await this.#metametrics.getMetaMetricsId();\n    this.update((state) => {\n      state.isSignedIn = true;\n      if (!state.srpSessionData) {\n        state.srpSessionData = {};\n      }\n      state.srpSessionData[resolvedId] = {\n        ...loginResponse,\n        profile: {\n          ...loginResponse.profile,\n          metaMetricsId,\n        },\n      };\n    });\n  }\n\n  #assertIsUnlocked(methodName: string): void {\n    if (!this.#isUnlocked) {\n      throw new Error(`${methodName} - unable to proceed, wallet is locked`);\n    }\n  }\n\n  async #getPrimaryEntropySourceId(): Promise<string> {\n    if (this.#cachedPrimaryEntropySourceId) {\n      return this.#cachedPrimaryEntropySourceId;\n    }\n    const allPublicKeys = await this.#snapGetAllPublicKeys();\n\n    if (allPublicKeys.length === 0) {\n      throw new Error(\n        '#getPrimaryEntropySourceId - No entropy sources found from snap',\n      );\n    }\n\n    const primaryId = allPublicKeys[0][0];\n    if (!primaryId) {\n      throw new Error(\n        '#getPrimaryEntropySourceId - Primary entropy source ID is undefined',\n      );\n    }\n\n    this.#cachedPrimaryEntropySourceId = primaryId;\n    return this.#cachedPrimaryEntropySourceId;\n  }\n\n  public async performSignIn(): Promise<string[]> {\n    this.#assertIsUnlocked('performSignIn');\n\n    const allPublicKeys = await this.#snapGetAllPublicKeys();\n    const accessTokens = [];\n\n    // We iterate sequentially in order to be sure that the first entry\n    // is the primary SRP LoginResponse.\n    for (const [entropySourceId] of allPublicKeys) {\n      const accessToken = await this.#auth.getAccessToken(entropySourceId);\n      accessTokens.push(accessToken);\n    }\n\n    return accessTokens;\n  }\n\n  public performSignOut(): void {\n    this.#cachedPrimaryEntropySourceId = undefined;\n    this.update((state) => {\n      state.isSignedIn = false;\n      state.srpSessionData = undefined;\n    });\n  }\n\n  /**\n   * Will return a bearer token.\n   * Logs a user in if a user is not logged in.\n   *\n   * @returns profile for the session.\n   */\n\n  public async getBearerToken(entropySourceId?: string): Promise<string> {\n    this.#assertIsUnlocked('getBearerToken');\n    const resolvedId =\n      entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n    return await this.#auth.getAccessToken(resolvedId);\n  }\n\n  /**\n   * Will return a session profile.\n   * Logs a user in if a user is not logged in.\n   *\n   * @param entropySourceId - The entropy source ID used to derive the key,\n   * when multiple sources are available (Multi-SRP).\n   * @returns profile for the session.\n   */\n  public async getSessionProfile(\n    entropySourceId?: string,\n  ): Promise<UserProfile> {\n    this.#assertIsUnlocked('getSessionProfile');\n    const resolvedId =\n      entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n    return await this.#auth.getUserProfile(resolvedId);\n  }\n\n  public async getUserProfileLineage(\n    entropySourceId?: string,\n  ): Promise<UserProfileLineage> {\n    this.#assertIsUnlocked('getUserProfileLineage');\n    const resolvedId =\n      entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n    return await this.#auth.getUserProfileLineage(resolvedId);\n  }\n\n  public isSignedIn(): boolean {\n    return this.state.isSignedIn;\n  }\n\n  /**\n   * Returns the auth snap public key.\n   *\n   * @param entropySourceId - The entropy source ID used to derive the key,\n   * when multiple sources are available (Multi-SRP).\n   * @returns The snap public key.\n   */\n  async #snapGetPublicKey(entropySourceId?: string): Promise<string> {\n    this.#assertIsUnlocked('#snapGetPublicKey');\n\n    const result = (await this.messenger.call(\n      'SnapController:handleRequest',\n      createSnapPublicKeyRequest(entropySourceId),\n    )) as string;\n\n    return result;\n  }\n\n  /**\n   * Returns a mapping of entropy source IDs to auth snap public keys.\n   *\n   * @returns A mapping of entropy source IDs to public keys.\n   */\n  async #snapGetAllPublicKeys(): Promise<[string, string][]> {\n    this.#assertIsUnlocked('#snapGetAllPublicKeys');\n\n    const result = (await this.messenger.call(\n      'SnapController:handleRequest',\n      createSnapAllPublicKeysRequest(),\n    )) as [string, string][];\n\n    return result;\n  }\n\n  #_snapSignMessageCache: Record<`metamask:${string}`, string> = {};\n\n  /**\n   * Signs a specific message using an underlying auth snap.\n   *\n   * @param message - A specific tagged message to sign.\n   * @param entropySourceId - The entropy source ID used to derive the key,\n   * when multiple sources are available (Multi-SRP).\n   * @returns A Signature created by the snap.\n   */\n  async #snapSignMessage(\n    message: string,\n    entropySourceId?: string,\n  ): Promise<string> {\n    assertMessageStartsWithMetamask(message);\n\n    if (this.#_snapSignMessageCache[message]) {\n      return this.#_snapSignMessageCache[message];\n    }\n\n    this.#assertIsUnlocked('#snapSignMessage');\n\n    const result = (await this.messenger.call(\n      'SnapController:handleRequest',\n      createSnapSignMessageRequest(message, entropySourceId),\n    )) as string;\n\n    this.#_snapSignMessageCache[message] = result;\n\n    return result;\n  }\n}\n"]}

package/dist/controllers/authentication/AuthenticationController.d.cts

@@ -57,7 +57,7 @@ export declare class AuthenticationController extends BaseController<typeof cont
      * @returns profile for the session.
      */
     getSessionProfile(entropySourceId?: string): Promise<UserProfile>;
-    getUserProfileLineage(): Promise<UserProfileLineage>;
+    getUserProfileLineage(entropySourceId?: string): Promise<UserProfileLineage>;
     isSignedIn(): boolean;
 }
 export {};

package/dist/controllers/authentication/AuthenticationController.d.cts.map

@@ -1 +1 @@
-{"version":3,"file":"AuthenticationController.d.cts","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAC3D,OAAO,KAAK,EACV,wBAAwB,EACxB,0BAA0B,EAE3B,kCAAkC;AACnC,OAAO,KAAK,EACV,+BAA+B,EAC/B,0BAA0B,EAC1B,4BAA4B,EAC7B,qCAAqC;AACtC,OAAO,KAAK,EAAE,SAAS,EAAE,4BAA4B;AACrD,OAAO,KAAK,EAAE,iBAAiB,EAAE,oCAAoC;AAQrE,OAAO,EAAE,qCAAqC,EAAE,2DAAuD;AACvG,OAAO,KAAK,EACV,aAAa,EAEb,WAAW,EACX,kBAAkB,EACnB,4BAAkB;AACnB,OAAO,EAGL,GAAG,EAEJ,4BAAkB;AACnB,OAAO,KAAK,EAAE,eAAe,EAAE,wCAAoC;AAEnE,QAAA,MAAM,cAAc,6BAA6B,CAAC;AAGlD,MAAM,MAAM,6BAA6B,GAAG;IAC1C,UAAU,EAAE,OAAO,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;CAChD,CAAC;AACF,eAAO,MAAM,YAAY,EAAE,6BAE1B,CAAC;AAsCF,KAAK,gBAAgB,GAAG;IACtB,GAAG,EAAE,GAAG,CAAC;CACV,CAAC;AAWF,MAAM,MAAM,OAAO,GACf,sCAAsC,GACtC,qCAAqC,CAAC;AAE1C,MAAM,MAAM,sCAAsC,GAAG,wBAAwB,CAC3E,OAAO,cAAc,EACrB,6BAA6B,CAC9B,CAAC;AAEF,MAAM,MAAM,wCAAwC,GAClD,0BAA0B,CACxB,OAAO,cAAc,EACrB,6BAA6B,CAC9B,CAAC;AAEJ,MAAM,MAAM,MAAM,GAAG,wCAAwC,CAAC;AAG9D,KAAK,cAAc,GAAG,iBAAiB,GAAG,+BAA+B,CAAC;AAE1E,KAAK,aAAa,GAAG,0BAA0B,GAAG,4BAA4B,CAAC;AAG/E,MAAM,MAAM,iCAAiC,GAAG,SAAS,CACvD,OAAO,cAAc,EACrB,OAAO,GAAG,cAAc,EACxB,MAAM,GAAG,aAAa,CACvB,CAAC;AAEF;;;GAGG;AACH,qBAAa,wBAAyB,SAAQ,cAAc,CAC1D,OAAO,cAAc,EACrB,6BAA6B,EAC7B,iCAAiC,CAClC;;gBA0Ba,EACV,SAAS,EACT,KAAK,EACL,MAAM,EACN,WAAW,GACZ,EAAE;QACD,SAAS,EAAE,iCAAiC,CAAC;QAC7C,KAAK,CAAC,EAAE,6BAA6B,CAAC;QACtC,MAAM,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACnC;;;WAGG;QACH,WAAW,EAAE,eAAe,CAAC;KAC9B;IA+FY,aAAa,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAgBxC,cAAc,IAAI,IAAI;IAO7B;;;;;OAKG;IAEU,cAAc,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAKtE;;;;;;;OAOG;IACU,iBAAiB,CAC5B,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,WAAW,CAAC;IAKV,qBAAqB,IAAI,OAAO,CAAC,kBAAkB,CAAC;IAK1D,UAAU,IAAI,OAAO;CAqE7B"}
+{"version":3,"file":"AuthenticationController.d.cts","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAC3D,OAAO,KAAK,EACV,wBAAwB,EACxB,0BAA0B,EAE3B,kCAAkC;AACnC,OAAO,KAAK,EACV,+BAA+B,EAC/B,0BAA0B,EAC1B,4BAA4B,EAC7B,qCAAqC;AACtC,OAAO,KAAK,EAAE,SAAS,EAAE,4BAA4B;AACrD,OAAO,KAAK,EAAE,iBAAiB,EAAE,oCAAoC;AAQrE,OAAO,EAAE,qCAAqC,EAAE,2DAAuD;AACvG,OAAO,KAAK,EACV,aAAa,EAEb,WAAW,EACX,kBAAkB,EACnB,4BAAkB;AACnB,OAAO,EAGL,GAAG,EAEJ,4BAAkB;AACnB,OAAO,KAAK,EAAE,eAAe,EAAE,wCAAoC;AAEnE,QAAA,MAAM,cAAc,6BAA6B,CAAC;AAGlD,MAAM,MAAM,6BAA6B,GAAG;IAC1C,UAAU,EAAE,OAAO,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;CAChD,CAAC;AACF,eAAO,MAAM,YAAY,EAAE,6BAE1B,CAAC;AAsCF,KAAK,gBAAgB,GAAG;IACtB,GAAG,EAAE,GAAG,CAAC;CACV,CAAC;AAWF,MAAM,MAAM,OAAO,GACf,sCAAsC,GACtC,qCAAqC,CAAC;AAE1C,MAAM,MAAM,sCAAsC,GAAG,wBAAwB,CAC3E,OAAO,cAAc,EACrB,6BAA6B,CAC9B,CAAC;AAEF,MAAM,MAAM,wCAAwC,GAClD,0BAA0B,CACxB,OAAO,cAAc,EACrB,6BAA6B,CAC9B,CAAC;AAEJ,MAAM,MAAM,MAAM,GAAG,wCAAwC,CAAC;AAG9D,KAAK,cAAc,GAAG,iBAAiB,GAAG,+BAA+B,CAAC;AAE1E,KAAK,aAAa,GAAG,0BAA0B,GAAG,4BAA4B,CAAC;AAG/E,MAAM,MAAM,iCAAiC,GAAG,SAAS,CACvD,OAAO,cAAc,EACrB,OAAO,GAAG,cAAc,EACxB,MAAM,GAAG,aAAa,CACvB,CAAC;AAEF;;;GAGG;AACH,qBAAa,wBAAyB,SAAQ,cAAc,CAC1D,OAAO,cAAc,EACrB,6BAA6B,EAC7B,iCAAiC,CAClC;;gBA4Ba,EACV,SAAS,EACT,KAAK,EACL,MAAM,EACN,WAAW,GACZ,EAAE;QACD,SAAS,EAAE,iCAAiC,CAAC;QAC7C,KAAK,CAAC,EAAE,6BAA6B,CAAC;QACtC,MAAM,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACnC;;;WAGG;QACH,WAAW,EAAE,eAAe,CAAC;KAC9B;IA4GY,aAAa,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAgBxC,cAAc,IAAI,IAAI;IAQ7B;;;;;OAKG;IAEU,cAAc,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOtE;;;;;;;OAOG;IACU,iBAAiB,CAC5B,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,WAAW,CAAC;IAOV,qBAAqB,CAChC,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,kBAAkB,CAAC;IAOvB,UAAU,IAAI,OAAO;CAqE7B"}

package/dist/controllers/authentication/AuthenticationController.d.mts

@@ -57,7 +57,7 @@ export declare class AuthenticationController extends BaseController<typeof cont
      * @returns profile for the session.
      */
     getSessionProfile(entropySourceId?: string): Promise<UserProfile>;
-    getUserProfileLineage(): Promise<UserProfileLineage>;
+    getUserProfileLineage(entropySourceId?: string): Promise<UserProfileLineage>;
     isSignedIn(): boolean;
 }
 export {};

package/dist/controllers/authentication/AuthenticationController.d.mts.map

@@ -1 +1 @@
-{"version":3,"file":"AuthenticationController.d.mts","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAC3D,OAAO,KAAK,EACV,wBAAwB,EACxB,0BAA0B,EAE3B,kCAAkC;AACnC,OAAO,KAAK,EACV,+BAA+B,EAC/B,0BAA0B,EAC1B,4BAA4B,EAC7B,qCAAqC;AACtC,OAAO,KAAK,EAAE,SAAS,EAAE,4BAA4B;AACrD,OAAO,KAAK,EAAE,iBAAiB,EAAE,oCAAoC;AAQrE,OAAO,EAAE,qCAAqC,EAAE,2DAAuD;AACvG,OAAO,KAAK,EACV,aAAa,EAEb,WAAW,EACX,kBAAkB,EACnB,4BAAkB;AACnB,OAAO,EAGL,GAAG,EAEJ,4BAAkB;AACnB,OAAO,KAAK,EAAE,eAAe,EAAE,wCAAoC;AAEnE,QAAA,MAAM,cAAc,6BAA6B,CAAC;AAGlD,MAAM,MAAM,6BAA6B,GAAG;IAC1C,UAAU,EAAE,OAAO,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;CAChD,CAAC;AACF,eAAO,MAAM,YAAY,EAAE,6BAE1B,CAAC;AAsCF,KAAK,gBAAgB,GAAG;IACtB,GAAG,EAAE,GAAG,CAAC;CACV,CAAC;AAWF,MAAM,MAAM,OAAO,GACf,sCAAsC,GACtC,qCAAqC,CAAC;AAE1C,MAAM,MAAM,sCAAsC,GAAG,wBAAwB,CAC3E,OAAO,cAAc,EACrB,6BAA6B,CAC9B,CAAC;AAEF,MAAM,MAAM,wCAAwC,GAClD,0BAA0B,CACxB,OAAO,cAAc,EACrB,6BAA6B,CAC9B,CAAC;AAEJ,MAAM,MAAM,MAAM,GAAG,wCAAwC,CAAC;AAG9D,KAAK,cAAc,GAAG,iBAAiB,GAAG,+BAA+B,CAAC;AAE1E,KAAK,aAAa,GAAG,0BAA0B,GAAG,4BAA4B,CAAC;AAG/E,MAAM,MAAM,iCAAiC,GAAG,SAAS,CACvD,OAAO,cAAc,EACrB,OAAO,GAAG,cAAc,EACxB,MAAM,GAAG,aAAa,CACvB,CAAC;AAEF;;;GAGG;AACH,qBAAa,wBAAyB,SAAQ,cAAc,CAC1D,OAAO,cAAc,EACrB,6BAA6B,EAC7B,iCAAiC,CAClC;;gBA0Ba,EACV,SAAS,EACT,KAAK,EACL,MAAM,EACN,WAAW,GACZ,EAAE;QACD,SAAS,EAAE,iCAAiC,CAAC;QAC7C,KAAK,CAAC,EAAE,6BAA6B,CAAC;QACtC,MAAM,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACnC;;;WAGG;QACH,WAAW,EAAE,eAAe,CAAC;KAC9B;IA+FY,aAAa,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAgBxC,cAAc,IAAI,IAAI;IAO7B;;;;;OAKG;IAEU,cAAc,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAKtE;;;;;;;OAOG;IACU,iBAAiB,CAC5B,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,WAAW,CAAC;IAKV,qBAAqB,IAAI,OAAO,CAAC,kBAAkB,CAAC;IAK1D,UAAU,IAAI,OAAO;CAqE7B"}
+{"version":3,"file":"AuthenticationController.d.mts","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAC3D,OAAO,KAAK,EACV,wBAAwB,EACxB,0BAA0B,EAE3B,kCAAkC;AACnC,OAAO,KAAK,EACV,+BAA+B,EAC/B,0BAA0B,EAC1B,4BAA4B,EAC7B,qCAAqC;AACtC,OAAO,KAAK,EAAE,SAAS,EAAE,4BAA4B;AACrD,OAAO,KAAK,EAAE,iBAAiB,EAAE,oCAAoC;AAQrE,OAAO,EAAE,qCAAqC,EAAE,2DAAuD;AACvG,OAAO,KAAK,EACV,aAAa,EAEb,WAAW,EACX,kBAAkB,EACnB,4BAAkB;AACnB,OAAO,EAGL,GAAG,EAEJ,4BAAkB;AACnB,OAAO,KAAK,EAAE,eAAe,EAAE,wCAAoC;AAEnE,QAAA,MAAM,cAAc,6BAA6B,CAAC;AAGlD,MAAM,MAAM,6BAA6B,GAAG;IAC1C,UAAU,EAAE,OAAO,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;CAChD,CAAC;AACF,eAAO,MAAM,YAAY,EAAE,6BAE1B,CAAC;AAsCF,KAAK,gBAAgB,GAAG;IACtB,GAAG,EAAE,GAAG,CAAC;CACV,CAAC;AAWF,MAAM,MAAM,OAAO,GACf,sCAAsC,GACtC,qCAAqC,CAAC;AAE1C,MAAM,MAAM,sCAAsC,GAAG,wBAAwB,CAC3E,OAAO,cAAc,EACrB,6BAA6B,CAC9B,CAAC;AAEF,MAAM,MAAM,wCAAwC,GAClD,0BAA0B,CACxB,OAAO,cAAc,EACrB,6BAA6B,CAC9B,CAAC;AAEJ,MAAM,MAAM,MAAM,GAAG,wCAAwC,CAAC;AAG9D,KAAK,cAAc,GAAG,iBAAiB,GAAG,+BAA+B,CAAC;AAE1E,KAAK,aAAa,GAAG,0BAA0B,GAAG,4BAA4B,CAAC;AAG/E,MAAM,MAAM,iCAAiC,GAAG,SAAS,CACvD,OAAO,cAAc,EACrB,OAAO,GAAG,cAAc,EACxB,MAAM,GAAG,aAAa,CACvB,CAAC;AAEF;;;GAGG;AACH,qBAAa,wBAAyB,SAAQ,cAAc,CAC1D,OAAO,cAAc,EACrB,6BAA6B,EAC7B,iCAAiC,CAClC;;gBA4Ba,EACV,SAAS,EACT,KAAK,EACL,MAAM,EACN,WAAW,GACZ,EAAE;QACD,SAAS,EAAE,iCAAiC,CAAC;QAC7C,KAAK,CAAC,EAAE,6BAA6B,CAAC;QACtC,MAAM,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACnC;;;WAGG;QACH,WAAW,EAAE,eAAe,CAAC;KAC9B;IA4GY,aAAa,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAgBxC,cAAc,IAAI,IAAI;IAQ7B;;;;;OAKG;IAEU,cAAc,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOtE;;;;;;;OAOG;IACU,iBAAiB,CAC5B,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,WAAW,CAAC;IAOV,qBAAqB,CAChC,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,kBAAkB,CAAC;IAOvB,UAAU,IAAI,OAAO;CAqE7B"}

package/dist/controllers/authentication/AuthenticationController.mjs

@@ -9,7 +9,7 @@ var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
     return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
 };
-var _AuthenticationController_instances, _AuthenticationController_metametrics, _AuthenticationController_auth, _AuthenticationController_config, _AuthenticationController_isUnlocked, _AuthenticationController_keyringController, _AuthenticationController_getLoginResponseFromState, _AuthenticationController_setLoginResponseToState, _AuthenticationController_assertIsUnlocked, _AuthenticationController_snapGetPublicKey, _AuthenticationController_snapGetAllPublicKeys, _AuthenticationController__snapSignMessageCache, _AuthenticationController_snapSignMessage;
+var _AuthenticationController_instances, _AuthenticationController_metametrics, _AuthenticationController_auth, _AuthenticationController_config, _AuthenticationController_isUnlocked, _AuthenticationController_cachedPrimaryEntropySourceId, _AuthenticationController_keyringController, _AuthenticationController_getLoginResponseFromState, _AuthenticationController_setLoginResponseToState, _AuthenticationController_assertIsUnlocked, _AuthenticationController_getPrimaryEntropySourceId, _AuthenticationController_snapGetPublicKey, _AuthenticationController_snapGetAllPublicKeys, _AuthenticationController__snapSignMessageCache, _AuthenticationController_snapSignMessage;
 import { BaseController } from "@metamask/base-controller";
 import { createSnapPublicKeyRequest, createSnapAllPublicKeysRequest, createSnapSignMessageRequest } from "./auth-snap-requests.mjs";
 import { assertMessageStartsWithMetamask, AuthType, Env, JwtBearerAuth } from "../../sdk/index.mjs";
@@ -76,6 +76,7 @@ export class AuthenticationController extends BaseController {
             env: Env.PRD,
         });
         _AuthenticationController_isUnlocked.set(this, false);
+        _AuthenticationController_cachedPrimaryEntropySourceId.set(this, void 0);
         _AuthenticationController_keyringController.set(this, {
             setupLockedStateSubscriptions: () => {
                 const { isUnlocked } = this.messenger.call('KeyringController:getState');
@@ -128,6 +129,7 @@ export class AuthenticationController extends BaseController {
         return accessTokens;
     }
     performSignOut() {
+        __classPrivateFieldSet(this, _AuthenticationController_cachedPrimaryEntropySourceId, undefined, "f");
         this.update((state) => {
             state.isSignedIn = false;
             state.srpSessionData = undefined;
@@ -141,7 +143,8 @@ export class AuthenticationController extends BaseController {
      */
     async getBearerToken(entropySourceId) {
         __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_assertIsUnlocked).call(this, 'getBearerToken');
-        return await __classPrivateFieldGet(this, _AuthenticationController_auth, "f").getAccessToken(entropySourceId);
+        const resolvedId = entropySourceId ?? (await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getPrimaryEntropySourceId).call(this));
+        return await __classPrivateFieldGet(this, _AuthenticationController_auth, "f").getAccessToken(resolvedId);
     }
     /**
      * Will return a session profile.
@@ -153,49 +156,58 @@ export class AuthenticationController extends BaseController {
      */
     async getSessionProfile(entropySourceId) {
         __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_assertIsUnlocked).call(this, 'getSessionProfile');
-        return await __classPrivateFieldGet(this, _AuthenticationController_auth, "f").getUserProfile(entropySourceId);
+        const resolvedId = entropySourceId ?? (await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getPrimaryEntropySourceId).call(this));
+        return await __classPrivateFieldGet(this, _AuthenticationController_auth, "f").getUserProfile(resolvedId);
     }
-    async getUserProfileLineage() {
+    async getUserProfileLineage(entropySourceId) {
         __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_assertIsUnlocked).call(this, 'getUserProfileLineage');
-        return await __classPrivateFieldGet(this, _AuthenticationController_auth, "f").getUserProfileLineage();
+        const resolvedId = entropySourceId ?? (await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getPrimaryEntropySourceId).call(this));
+        return await __classPrivateFieldGet(this, _AuthenticationController_auth, "f").getUserProfileLineage(resolvedId);
     }
     isSignedIn() {
         return this.state.isSignedIn;
     }
 }
-_AuthenticationController_metametrics = new WeakMap(), _AuthenticationController_auth = new WeakMap(), _AuthenticationController_config = new WeakMap(), _AuthenticationController_isUnlocked = new WeakMap(), _AuthenticationController_keyringController = new WeakMap(), _AuthenticationController__snapSignMessageCache = new WeakMap(), _AuthenticationController_instances = new WeakSet(), _AuthenticationController_getLoginResponseFromState = async function _AuthenticationController_getLoginResponseFromState(entropySourceId) {
-    if (entropySourceId) {
-        if (!this.state.srpSessionData?.[entropySourceId]) {
-            return null;
-        }
-        return this.state.srpSessionData[entropySourceId];
-    }
-    const primarySrpLoginResponse = Object.values(this.state.srpSessionData || {})?.[0];
-    if (!primarySrpLoginResponse) {
+_AuthenticationController_metametrics = new WeakMap(), _AuthenticationController_auth = new WeakMap(), _AuthenticationController_config = new WeakMap(), _AuthenticationController_isUnlocked = new WeakMap(), _AuthenticationController_cachedPrimaryEntropySourceId = new WeakMap(), _AuthenticationController_keyringController = new WeakMap(), _AuthenticationController__snapSignMessageCache = new WeakMap(), _AuthenticationController_instances = new WeakSet(), _AuthenticationController_getLoginResponseFromState = async function _AuthenticationController_getLoginResponseFromState(entropySourceId) {
+    const resolvedId = entropySourceId ?? (await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getPrimaryEntropySourceId).call(this));
+    if (!this.state.srpSessionData?.[resolvedId]) {
         return null;
     }
-    return primarySrpLoginResponse;
+    return this.state.srpSessionData[resolvedId];
 }, _AuthenticationController_setLoginResponseToState = async function _AuthenticationController_setLoginResponseToState(loginResponse, entropySourceId) {
+    const resolvedId = entropySourceId ?? (await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getPrimaryEntropySourceId).call(this));
     const metaMetricsId = await __classPrivateFieldGet(this, _AuthenticationController_metametrics, "f").getMetaMetricsId();
     this.update((state) => {
-        if (entropySourceId) {
-            state.isSignedIn = true;
-            if (!state.srpSessionData) {
-                state.srpSessionData = {};
-            }
-            state.srpSessionData[entropySourceId] = {
-                ...loginResponse,
-                profile: {
-                    ...loginResponse.profile,
-                    metaMetricsId,
-                },
-            };
+        state.isSignedIn = true;
+        if (!state.srpSessionData) {
+            state.srpSessionData = {};
         }
+        state.srpSessionData[resolvedId] = {
+            ...loginResponse,
+            profile: {
+                ...loginResponse.profile,
+                metaMetricsId,
+            },
+        };
     });
 }, _AuthenticationController_assertIsUnlocked = function _AuthenticationController_assertIsUnlocked(methodName) {
     if (!__classPrivateFieldGet(this, _AuthenticationController_isUnlocked, "f")) {
         throw new Error(`${methodName} - unable to proceed, wallet is locked`);
     }
+}, _AuthenticationController_getPrimaryEntropySourceId = async function _AuthenticationController_getPrimaryEntropySourceId() {
+    if (__classPrivateFieldGet(this, _AuthenticationController_cachedPrimaryEntropySourceId, "f")) {
+        return __classPrivateFieldGet(this, _AuthenticationController_cachedPrimaryEntropySourceId, "f");
+    }
+    const allPublicKeys = await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_snapGetAllPublicKeys).call(this);
+    if (allPublicKeys.length === 0) {
+        throw new Error('#getPrimaryEntropySourceId - No entropy sources found from snap');
+    }
+    const primaryId = allPublicKeys[0][0];
+    if (!primaryId) {
+        throw new Error('#getPrimaryEntropySourceId - Primary entropy source ID is undefined');
+    }
+    __classPrivateFieldSet(this, _AuthenticationController_cachedPrimaryEntropySourceId, primaryId, "f");
+    return __classPrivateFieldGet(this, _AuthenticationController_cachedPrimaryEntropySourceId, "f");
 }, _AuthenticationController_snapGetPublicKey = 
 /**
  * Returns the auth snap public key.

package/dist/controllers/authentication/AuthenticationController.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"AuthenticationController.mjs","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAe3D,OAAO,EACL,0BAA0B,EAC1B,8BAA8B,EAC9B,4BAA4B,EAC7B,iCAA6B;AAQ9B,OAAO,EACL,+BAA+B,EAC/B,QAAQ,EACR,GAAG,EACH,aAAa,EACd,4BAAkB;AAGnB,MAAM,cAAc,GAAG,0BAA0B,CAAC;AAOlD,MAAM,CAAC,MAAM,YAAY,GAAkC;IACzD,UAAU,EAAE,KAAK;CAClB,CAAC;AACF,MAAM,QAAQ,GAAiD;IAC7D,UAAU,EAAE;QACV,kBAAkB,EAAE,IAAI;QACxB,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,IAAI;QAC5B,QAAQ,EAAE,IAAI;KACf;IACD,cAAc,EAAE;QACd,sCAAsC;QACtC,kBAAkB,EAAE,CAAC,cAAc,EAAE,EAAE;YACrC,4FAA4F;YAC5F,2FAA2F;YAC3F,mEAAmE;YACnE,kEAAkE;YAClE,oDAAoD;YACpD,IAAI,cAAc,KAAK,IAAI,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;gBAC5D,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,MAAM,CAC1C,CAAC,uBAAuB,EAAE,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;gBACxC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,uBAAuB,EAAE,GACxD,KAAK,CAAC,KAAK,CAAC;gBACd,uBAAuB,CAAC,GAAG,CAAC,GAAG;oBAC7B,GAAG,KAAK;oBACR,KAAK,EAAE,uBAAuB;iBAC/B,CAAC;gBACF,OAAO,uBAAuB,CAAC;YACjC,CAAC,EACD,EAAE,CACH,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,KAAK;QAC7B,QAAQ,EAAE,IAAI;KACf;CACF,CAAC;AAMF,MAAM,yBAAyB,GAAG;IAChC,eAAe;IACf,gBAAgB;IAChB,gBAAgB;IAChB,mBAAmB;IACnB,uBAAuB;IACvB,YAAY;CACJ,CAAC;AA+BX;;;GAGG;AACH,MAAM,OAAO,wBAAyB,SAAQ,cAI7C;IA0BC,YAAY,EACV,SAAS,EACT,KAAK,EACL,MAAM,EACN,WAAW,GAUZ;QACC,KAAK,CAAC;YACJ,SAAS;YACT,QAAQ;YACR,IAAI,EAAE,cAAc;YACpB,KAAK,EAAE,EAAE,GAAG,YAAY,EAAE,GAAG,KAAK,EAAE;SACrC,CAAC,CAAC;;QA7CI,wDAA8B;QAE9B,iDAAoB;QAEpB,2CAA4B;YACnC,GAAG,EAAE,GAAG,CAAC,GAAG;SACb,EAAC;QAEF,+CAAc,KAAK,EAAC;QAEX,sDAAqB;YAC5B,6BAA6B,EAAE,GAAG,EAAE;gBAClC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;gBACzE,uBAAA,IAAI,wCAAe,UAAU,MAAA,CAAC;gBAE9B,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,0BAA0B,EAAE,GAAG,EAAE;oBACxD,uBAAA,IAAI,wCAAe,IAAI,MAAA,CAAC;gBAC1B,CAAC,CAAC,CAAC;gBAEH,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,wBAAwB,EAAE,GAAG,EAAE;oBACtD,uBAAA,IAAI,wCAAe,KAAK,MAAA,CAAC;gBAC3B,CAAC,CAAC,CAAC;YACL,CAAC;SACF,EAAC;QA4MF,0DAA+D,EAAE,EAAC;QApLhE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,uBAAA,IAAI,oCAAW;YACb,GAAG,uBAAA,IAAI,wCAAQ;YACf,GAAG,MAAM;SACV,MAAA,CAAC;QAEF,uBAAA,IAAI,yCAAgB,WAAW,MAAA,CAAC;QAEhC,uBAAA,IAAI,kCAAS,IAAI,aAAa,CAC5B;YACE,GAAG,EAAE,uBAAA,IAAI,wCAAQ,CAAC,GAAG;YACrB,QAAQ,EAAE,WAAW,CAAC,KAAK;YAC3B,IAAI,EAAE,QAAQ,CAAC,GAAG;SACnB,EACD;YACE,OAAO,EAAE;gBACP,gBAAgB,EAAE,uBAAA,IAAI,gGAA2B,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC5D,gBAAgB,EAAE,uBAAA,IAAI,8FAAyB,CAAC,IAAI,CAAC,IAAI,CAAC;aAC3D;YACD,OAAO,EAAE;gBACP,aAAa,EAAE,uBAAA,IAAI,uFAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAChD,WAAW,EAAE,uBAAA,IAAI,sFAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;aAC9C;YACD,WAAW,EAAE,uBAAA,IAAI,6CAAa;SAC/B,CACF,MAAA,CAAC;QAEF,uBAAA,IAAI,mDAAmB,CAAC,6BAA6B,EAAE,CAAC;QAExD,IAAI,CAAC,SAAS,CAAC,4BAA4B,CACzC,IAAI,EACJ,yBAAyB,CAC1B,CAAC;IACJ,CAAC;IAmDM,KAAK,CAAC,aAAa;QACxB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,eAAe,CAAC,CAAC;QAExC,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,CAAwB,CAAC;QACzD,MAAM,YAAY,GAAG,EAAE,CAAC;QAExB,mEAAmE;QACnE,oCAAoC;QACpC,KAAK,MAAM,CAAC,eAAe,CAAC,IAAI,aAAa,EAAE,CAAC;YAC9C,MAAM,WAAW,GAAG,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;YACrE,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACjC,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAEM,cAAc;QACnB,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC;YACzB,KAAK,CAAC,cAAc,GAAG,SAAS,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IAEI,KAAK,CAAC,cAAc,CAAC,eAAwB;QAClD,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,gBAAgB,CAAC,CAAC;QACzC,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;IAC1D,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,iBAAiB,CAC5B,eAAwB;QAExB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,mBAAmB,CAAC,CAAC;QAC5C,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;IAC1D,CAAC;IAEM,KAAK,CAAC,qBAAqB;QAChC,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,uBAAuB,CAAC,CAAC;QAChD,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,qBAAqB,EAAE,CAAC;IAClD,CAAC;IAEM,UAAU;QACf,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;IAC/B,CAAC;CAmEF;wbA7KC,KAAK,8DACH,eAAwB;IAExB,IAAI,eAAe,EAAE,CAAC;QACpB,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,eAAe,CAAC,EAAE,CAAC;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,uBAAuB,GAAG,MAAM,CAAC,MAAM,CAC3C,IAAI,CAAC,KAAK,CAAC,cAAc,IAAI,EAAE,CAChC,EAAE,CAAC,CAAC,CAAC,CAAC;IAEP,IAAI,CAAC,uBAAuB,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC,sDAED,KAAK,4DACH,aAA4B,EAC5B,eAAwB;IAExB,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6CAAa,CAAC,gBAAgB,EAAE,CAAC;IACjE,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpB,IAAI,eAAe,EAAE,CAAC;YACpB,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC;YACxB,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;gBAC1B,KAAK,CAAC,cAAc,GAAG,EAAE,CAAC;YAC5B,CAAC;YACD,KAAK,CAAC,cAAc,CAAC,eAAe,CAAC,GAAG;gBACtC,GAAG,aAAa;gBAChB,OAAO,EAAE;oBACP,GAAG,aAAa,CAAC,OAAO;oBACxB,aAAa;iBACd;aACF,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,mGAEiB,UAAkB;IAClC,IAAI,CAAC,uBAAA,IAAI,4CAAY,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,GAAG,UAAU,wCAAwC,CAAC,CAAC;IACzE,CAAC;AACH,CAAC;AA6DD;;;;;;GAMG;AACH,KAAK,qDAAmB,eAAwB;IAC9C,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,mBAAmB,CAAC,CAAC;IAE5C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,0BAA0B,CAAC,eAAe,CAAC,CAC5C,CAAW,CAAC;IAEb,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,KAAK;IACH,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,uBAAuB,CAAC,CAAC;IAEhD,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,8BAA8B,EAAE,CACjC,CAAuB,CAAC;IAEzB,OAAO,MAAM,CAAC;AAChB,CAAC;AAID;;;;;;;GAOG;AACH,KAAK,oDACH,OAAe,EACf,eAAwB;IAExB,+BAA+B,CAAC,OAAO,CAAC,CAAC;IAEzC,IAAI,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,OAAO,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IAED,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,kBAAkB,CAAC,CAAC;IAE3C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,4BAA4B,CAAC,OAAO,EAAE,eAAe,CAAC,CACvD,CAAW,CAAC;IAEb,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC;IAE9C,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["import { BaseController } from '@metamask/base-controller';\nimport type {\n  ControllerGetStateAction,\n  ControllerStateChangeEvent,\n  StateMetadata,\n} from '@metamask/base-controller';\nimport type {\n  KeyringControllerGetStateAction,\n  KeyringControllerLockEvent,\n  KeyringControllerUnlockEvent,\n} from '@metamask/keyring-controller';\nimport type { Messenger } from '@metamask/messenger';\nimport type { HandleSnapRequest } from '@metamask/snaps-controllers';\nimport type { Json } from '@metamask/utils';\n\nimport {\n  createSnapPublicKeyRequest,\n  createSnapAllPublicKeysRequest,\n  createSnapSignMessageRequest,\n} from './auth-snap-requests';\nimport { AuthenticationControllerMethodActions } from './AuthenticationController-method-action-types';\nimport type {\n  LoginResponse,\n  SRPInterface,\n  UserProfile,\n  UserProfileLineage,\n} from '../../sdk';\nimport {\n  assertMessageStartsWithMetamask,\n  AuthType,\n  Env,\n  JwtBearerAuth,\n} from '../../sdk';\nimport type { MetaMetricsAuth } from '../../shared/types/services';\n\nconst controllerName = 'AuthenticationController';\n\n// State\nexport type AuthenticationControllerState = {\n  isSignedIn: boolean;\n  srpSessionData?: Record<string, LoginResponse>;\n};\nexport const defaultState: AuthenticationControllerState = {\n  isSignedIn: false,\n};\nconst metadata: StateMetadata<AuthenticationControllerState> = {\n  isSignedIn: {\n    includeInStateLogs: true,\n    persist: true,\n    includeInDebugSnapshot: true,\n    usedInUi: true,\n  },\n  srpSessionData: {\n    // Remove access token from state logs\n    includeInStateLogs: (srpSessionData) => {\n      // Unreachable branch, included just to fix a type error for the case where this property is\n      // unset. The type gets collapsed to include `| undefined` even though `undefined` is never\n      // set here, because we don't yet use `exactOptionalPropertyTypes`.\n      // TODO: Remove branch after enabling `exactOptionalPropertyTypes`\n      // ref: https://github.com/MetaMask/core/issues/6565\n      if (srpSessionData === null || srpSessionData === undefined) {\n        return null;\n      }\n      return Object.entries(srpSessionData).reduce<Record<string, Json>>(\n        (sanitizedSrpSessionData, [key, value]) => {\n          const { accessToken: _unused, ...tokenWithoutAccessToken } =\n            value.token;\n          sanitizedSrpSessionData[key] = {\n            ...value,\n            token: tokenWithoutAccessToken,\n          };\n          return sanitizedSrpSessionData;\n        },\n        {},\n      );\n    },\n    persist: true,\n    includeInDebugSnapshot: false,\n    usedInUi: true,\n  },\n};\n\ntype ControllerConfig = {\n  env: Env;\n};\n\nconst MESSENGER_EXPOSED_METHODS = [\n  'performSignIn',\n  'performSignOut',\n  'getBearerToken',\n  'getSessionProfile',\n  'getUserProfileLineage',\n  'isSignedIn',\n] as const;\n\nexport type Actions =\n  | AuthenticationControllerGetStateAction\n  | AuthenticationControllerMethodActions;\n\nexport type AuthenticationControllerGetStateAction = ControllerGetStateAction<\n  typeof controllerName,\n  AuthenticationControllerState\n>;\n\nexport type AuthenticationControllerStateChangeEvent =\n  ControllerStateChangeEvent<\n    typeof controllerName,\n    AuthenticationControllerState\n  >;\n\nexport type Events = AuthenticationControllerStateChangeEvent;\n\n// Allowed Actions\ntype AllowedActions = HandleSnapRequest | KeyringControllerGetStateAction;\n\ntype AllowedEvents = KeyringControllerLockEvent | KeyringControllerUnlockEvent;\n\n// Messenger\nexport type AuthenticationControllerMessenger = Messenger<\n  typeof controllerName,\n  Actions | AllowedActions,\n  Events | AllowedEvents\n>;\n\n/**\n * Controller that enables authentication for restricted endpoints.\n * Used for Backup & Sync, Notifications, and other services.\n */\nexport class AuthenticationController extends BaseController<\n  typeof controllerName,\n  AuthenticationControllerState,\n  AuthenticationControllerMessenger\n> {\n  readonly #metametrics: MetaMetricsAuth;\n\n  readonly #auth: SRPInterface;\n\n  readonly #config: ControllerConfig = {\n    env: Env.PRD,\n  };\n\n  #isUnlocked = false;\n\n  readonly #keyringController = {\n    setupLockedStateSubscriptions: () => {\n      const { isUnlocked } = this.messenger.call('KeyringController:getState');\n      this.#isUnlocked = isUnlocked;\n\n      this.messenger.subscribe('KeyringController:unlock', () => {\n        this.#isUnlocked = true;\n      });\n\n      this.messenger.subscribe('KeyringController:lock', () => {\n        this.#isUnlocked = false;\n      });\n    },\n  };\n\n  constructor({\n    messenger,\n    state,\n    config,\n    metametrics,\n  }: {\n    messenger: AuthenticationControllerMessenger;\n    state?: AuthenticationControllerState;\n    config?: Partial<ControllerConfig>;\n    /**\n     * Not using the Messaging System as we\n     * do not want to tie this strictly to extension\n     */\n    metametrics: MetaMetricsAuth;\n  }) {\n    super({\n      messenger,\n      metadata,\n      name: controllerName,\n      state: { ...defaultState, ...state },\n    });\n\n    if (!metametrics) {\n      throw new Error('`metametrics` field is required');\n    }\n\n    this.#config = {\n      ...this.#config,\n      ...config,\n    };\n\n    this.#metametrics = metametrics;\n\n    this.#auth = new JwtBearerAuth(\n      {\n        env: this.#config.env,\n        platform: metametrics.agent,\n        type: AuthType.SRP,\n      },\n      {\n        storage: {\n          getLoginResponse: this.#getLoginResponseFromState.bind(this),\n          setLoginResponse: this.#setLoginResponseToState.bind(this),\n        },\n        signing: {\n          getIdentifier: this.#snapGetPublicKey.bind(this),\n          signMessage: this.#snapSignMessage.bind(this),\n        },\n        metametrics: this.#metametrics,\n      },\n    );\n\n    this.#keyringController.setupLockedStateSubscriptions();\n\n    this.messenger.registerMethodActionHandlers(\n      this,\n      MESSENGER_EXPOSED_METHODS,\n    );\n  }\n\n  async #getLoginResponseFromState(\n    entropySourceId?: string,\n  ): Promise<LoginResponse | null> {\n    if (entropySourceId) {\n      if (!this.state.srpSessionData?.[entropySourceId]) {\n        return null;\n      }\n      return this.state.srpSessionData[entropySourceId];\n    }\n\n    const primarySrpLoginResponse = Object.values(\n      this.state.srpSessionData || {},\n    )?.[0];\n\n    if (!primarySrpLoginResponse) {\n      return null;\n    }\n\n    return primarySrpLoginResponse;\n  }\n\n  async #setLoginResponseToState(\n    loginResponse: LoginResponse,\n    entropySourceId?: string,\n  ) {\n    const metaMetricsId = await this.#metametrics.getMetaMetricsId();\n    this.update((state) => {\n      if (entropySourceId) {\n        state.isSignedIn = true;\n        if (!state.srpSessionData) {\n          state.srpSessionData = {};\n        }\n        state.srpSessionData[entropySourceId] = {\n          ...loginResponse,\n          profile: {\n            ...loginResponse.profile,\n            metaMetricsId,\n          },\n        };\n      }\n    });\n  }\n\n  #assertIsUnlocked(methodName: string): void {\n    if (!this.#isUnlocked) {\n      throw new Error(`${methodName} - unable to proceed, wallet is locked`);\n    }\n  }\n\n  public async performSignIn(): Promise<string[]> {\n    this.#assertIsUnlocked('performSignIn');\n\n    const allPublicKeys = await this.#snapGetAllPublicKeys();\n    const accessTokens = [];\n\n    // We iterate sequentially in order to be sure that the first entry\n    // is the primary SRP LoginResponse.\n    for (const [entropySourceId] of allPublicKeys) {\n      const accessToken = await this.#auth.getAccessToken(entropySourceId);\n      accessTokens.push(accessToken);\n    }\n\n    return accessTokens;\n  }\n\n  public performSignOut(): void {\n    this.update((state) => {\n      state.isSignedIn = false;\n      state.srpSessionData = undefined;\n    });\n  }\n\n  /**\n   * Will return a bearer token.\n   * Logs a user in if a user is not logged in.\n   *\n   * @returns profile for the session.\n   */\n\n  public async getBearerToken(entropySourceId?: string): Promise<string> {\n    this.#assertIsUnlocked('getBearerToken');\n    return await this.#auth.getAccessToken(entropySourceId);\n  }\n\n  /**\n   * Will return a session profile.\n   * Logs a user in if a user is not logged in.\n   *\n   * @param entropySourceId - The entropy source ID used to derive the key,\n   * when multiple sources are available (Multi-SRP).\n   * @returns profile for the session.\n   */\n  public async getSessionProfile(\n    entropySourceId?: string,\n  ): Promise<UserProfile> {\n    this.#assertIsUnlocked('getSessionProfile');\n    return await this.#auth.getUserProfile(entropySourceId);\n  }\n\n  public async getUserProfileLineage(): Promise<UserProfileLineage> {\n    this.#assertIsUnlocked('getUserProfileLineage');\n    return await this.#auth.getUserProfileLineage();\n  }\n\n  public isSignedIn(): boolean {\n    return this.state.isSignedIn;\n  }\n\n  /**\n   * Returns the auth snap public key.\n   *\n   * @param entropySourceId - The entropy source ID used to derive the key,\n   * when multiple sources are available (Multi-SRP).\n   * @returns The snap public key.\n   */\n  async #snapGetPublicKey(entropySourceId?: string): Promise<string> {\n    this.#assertIsUnlocked('#snapGetPublicKey');\n\n    const result = (await this.messenger.call(\n      'SnapController:handleRequest',\n      createSnapPublicKeyRequest(entropySourceId),\n    )) as string;\n\n    return result;\n  }\n\n  /**\n   * Returns a mapping of entropy source IDs to auth snap public keys.\n   *\n   * @returns A mapping of entropy source IDs to public keys.\n   */\n  async #snapGetAllPublicKeys(): Promise<[string, string][]> {\n    this.#assertIsUnlocked('#snapGetAllPublicKeys');\n\n    const result = (await this.messenger.call(\n      'SnapController:handleRequest',\n      createSnapAllPublicKeysRequest(),\n    )) as [string, string][];\n\n    return result;\n  }\n\n  #_snapSignMessageCache: Record<`metamask:${string}`, string> = {};\n\n  /**\n   * Signs a specific message using an underlying auth snap.\n   *\n   * @param message - A specific tagged message to sign.\n   * @param entropySourceId - The entropy source ID used to derive the key,\n   * when multiple sources are available (Multi-SRP).\n   * @returns A Signature created by the snap.\n   */\n  async #snapSignMessage(\n    message: string,\n    entropySourceId?: string,\n  ): Promise<string> {\n    assertMessageStartsWithMetamask(message);\n\n    if (this.#_snapSignMessageCache[message]) {\n      return this.#_snapSignMessageCache[message];\n    }\n\n    this.#assertIsUnlocked('#snapSignMessage');\n\n    const result = (await this.messenger.call(\n      'SnapController:handleRequest',\n      createSnapSignMessageRequest(message, entropySourceId),\n    )) as string;\n\n    this.#_snapSignMessageCache[message] = result;\n\n    return result;\n  }\n}\n"]}
+{"version":3,"file":"AuthenticationController.mjs","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAe3D,OAAO,EACL,0BAA0B,EAC1B,8BAA8B,EAC9B,4BAA4B,EAC7B,iCAA6B;AAQ9B,OAAO,EACL,+BAA+B,EAC/B,QAAQ,EACR,GAAG,EACH,aAAa,EACd,4BAAkB;AAGnB,MAAM,cAAc,GAAG,0BAA0B,CAAC;AAOlD,MAAM,CAAC,MAAM,YAAY,GAAkC;IACzD,UAAU,EAAE,KAAK;CAClB,CAAC;AACF,MAAM,QAAQ,GAAiD;IAC7D,UAAU,EAAE;QACV,kBAAkB,EAAE,IAAI;QACxB,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,IAAI;QAC5B,QAAQ,EAAE,IAAI;KACf;IACD,cAAc,EAAE;QACd,sCAAsC;QACtC,kBAAkB,EAAE,CAAC,cAAc,EAAE,EAAE;YACrC,4FAA4F;YAC5F,2FAA2F;YAC3F,mEAAmE;YACnE,kEAAkE;YAClE,oDAAoD;YACpD,IAAI,cAAc,KAAK,IAAI,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;gBAC5D,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,MAAM,CAC1C,CAAC,uBAAuB,EAAE,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;gBACxC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,uBAAuB,EAAE,GACxD,KAAK,CAAC,KAAK,CAAC;gBACd,uBAAuB,CAAC,GAAG,CAAC,GAAG;oBAC7B,GAAG,KAAK;oBACR,KAAK,EAAE,uBAAuB;iBAC/B,CAAC;gBACF,OAAO,uBAAuB,CAAC;YACjC,CAAC,EACD,EAAE,CACH,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,KAAK;QAC7B,QAAQ,EAAE,IAAI;KACf;CACF,CAAC;AAMF,MAAM,yBAAyB,GAAG;IAChC,eAAe;IACf,gBAAgB;IAChB,gBAAgB;IAChB,mBAAmB;IACnB,uBAAuB;IACvB,YAAY;CACJ,CAAC;AA+BX;;;GAGG;AACH,MAAM,OAAO,wBAAyB,SAAQ,cAI7C;IA4BC,YAAY,EACV,SAAS,EACT,KAAK,EACL,MAAM,EACN,WAAW,GAUZ;QACC,KAAK,CAAC;YACJ,SAAS;YACT,QAAQ;YACR,IAAI,EAAE,cAAc;YACpB,KAAK,EAAE,EAAE,GAAG,YAAY,EAAE,GAAG,KAAK,EAAE;SACrC,CAAC,CAAC;;QA/CI,wDAA8B;QAE9B,iDAAoB;QAEpB,2CAA4B;YACnC,GAAG,EAAE,GAAG,CAAC,GAAG;SACb,EAAC;QAEF,+CAAc,KAAK,EAAC;QAEpB,yEAAuC;QAE9B,sDAAqB;YAC5B,6BAA6B,EAAE,GAAG,EAAE;gBAClC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;gBACzE,uBAAA,IAAI,wCAAe,UAAU,MAAA,CAAC;gBAE9B,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,0BAA0B,EAAE,GAAG,EAAE;oBACxD,uBAAA,IAAI,wCAAe,IAAI,MAAA,CAAC;gBAC1B,CAAC,CAAC,CAAC;gBAEH,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,wBAAwB,EAAE,GAAG,EAAE;oBACtD,uBAAA,IAAI,wCAAe,KAAK,MAAA,CAAC;gBAC3B,CAAC,CAAC,CAAC;YACL,CAAC;SACF,EAAC;QAkOF,0DAA+D,EAAE,EAAC;QA1MhE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,uBAAA,IAAI,oCAAW;YACb,GAAG,uBAAA,IAAI,wCAAQ;YACf,GAAG,MAAM;SACV,MAAA,CAAC;QAEF,uBAAA,IAAI,yCAAgB,WAAW,MAAA,CAAC;QAEhC,uBAAA,IAAI,kCAAS,IAAI,aAAa,CAC5B;YACE,GAAG,EAAE,uBAAA,IAAI,wCAAQ,CAAC,GAAG;YACrB,QAAQ,EAAE,WAAW,CAAC,KAAK;YAC3B,IAAI,EAAE,QAAQ,CAAC,GAAG;SACnB,EACD;YACE,OAAO,EAAE;gBACP,gBAAgB,EAAE,uBAAA,IAAI,gGAA2B,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC5D,gBAAgB,EAAE,uBAAA,IAAI,8FAAyB,CAAC,IAAI,CAAC,IAAI,CAAC;aAC3D;YACD,OAAO,EAAE;gBACP,aAAa,EAAE,uBAAA,IAAI,uFAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAChD,WAAW,EAAE,uBAAA,IAAI,sFAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;aAC9C;YACD,WAAW,EAAE,uBAAA,IAAI,6CAAa;SAC/B,CACF,MAAA,CAAC;QAEF,uBAAA,IAAI,mDAAmB,CAAC,6BAA6B,EAAE,CAAC;QAExD,IAAI,CAAC,SAAS,CAAC,4BAA4B,CACzC,IAAI,EACJ,yBAAyB,CAC1B,CAAC;IACJ,CAAC;IAgEM,KAAK,CAAC,aAAa;QACxB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,eAAe,CAAC,CAAC;QAExC,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,CAAwB,CAAC;QACzD,MAAM,YAAY,GAAG,EAAE,CAAC;QAExB,mEAAmE;QACnE,oCAAoC;QACpC,KAAK,MAAM,CAAC,eAAe,CAAC,IAAI,aAAa,EAAE,CAAC;YAC9C,MAAM,WAAW,GAAG,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;YACrE,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACjC,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAEM,cAAc;QACnB,uBAAA,IAAI,0DAAiC,SAAS,MAAA,CAAC;QAC/C,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC;YACzB,KAAK,CAAC,cAAc,GAAG,SAAS,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IAEI,KAAK,CAAC,cAAc,CAAC,eAAwB;QAClD,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,gBAAgB,CAAC,CAAC;QACzC,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,iBAAiB,CAC5B,eAAwB;QAExB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,mBAAmB,CAAC,CAAC;QAC5C,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC;IAEM,KAAK,CAAC,qBAAqB,CAChC,eAAwB;QAExB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,uBAAuB,CAAC,CAAC;QAChD,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAAC;IAC5D,CAAC;IAEM,UAAU;QACf,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;IAC/B,CAAC;CAmEF;ggBAnMC,KAAK,8DACH,eAAwB;IAExB,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;IAC/D,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;AAC/C,CAAC,sDAED,KAAK,4DACH,aAA4B,EAC5B,eAAwB;IAExB,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;IAC/D,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6CAAa,CAAC,gBAAgB,EAAE,CAAC;IACjE,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpB,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC;QACxB,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;YAC1B,KAAK,CAAC,cAAc,GAAG,EAAE,CAAC;QAC5B,CAAC;QACD,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG;YACjC,GAAG,aAAa;YAChB,OAAO,EAAE;gBACP,GAAG,aAAa,CAAC,OAAO;gBACxB,aAAa;aACd;SACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,mGAEiB,UAAkB;IAClC,IAAI,CAAC,uBAAA,IAAI,4CAAY,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,GAAG,UAAU,wCAAwC,CAAC,CAAC;IACzE,CAAC;AACH,CAAC,wDAED,KAAK;IACH,IAAI,uBAAA,IAAI,8DAA8B,EAAE,CAAC;QACvC,OAAO,uBAAA,IAAI,8DAA8B,CAAC;IAC5C,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,CAAwB,CAAC;IAEzD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CACb,iEAAiE,CAClE,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACtC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,qEAAqE,CACtE,CAAC;IACJ,CAAC;IAED,uBAAA,IAAI,0DAAiC,SAAS,MAAA,CAAC;IAC/C,OAAO,uBAAA,IAAI,8DAA8B,CAAC;AAC5C,CAAC;AAsED;;;;;;GAMG;AACH,KAAK,qDAAmB,eAAwB;IAC9C,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,mBAAmB,CAAC,CAAC;IAE5C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,0BAA0B,CAAC,eAAe,CAAC,CAC5C,CAAW,CAAC;IAEb,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,KAAK;IACH,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,uBAAuB,CAAC,CAAC;IAEhD,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,8BAA8B,EAAE,CACjC,CAAuB,CAAC;IAEzB,OAAO,MAAM,CAAC;AAChB,CAAC;AAID;;;;;;;GAOG;AACH,KAAK,oDACH,OAAe,EACf,eAAwB;IAExB,+BAA+B,CAAC,OAAO,CAAC,CAAC;IAEzC,IAAI,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,OAAO,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IAED,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,kBAAkB,CAAC,CAAC;IAE3C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,4BAA4B,CAAC,OAAO,EAAE,eAAe,CAAC,CACvD,CAAW,CAAC;IAEb,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC;IAE9C,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["import { BaseController } from '@metamask/base-controller';\nimport type {\n  ControllerGetStateAction,\n  ControllerStateChangeEvent,\n  StateMetadata,\n} from '@metamask/base-controller';\nimport type {\n  KeyringControllerGetStateAction,\n  KeyringControllerLockEvent,\n  KeyringControllerUnlockEvent,\n} from '@metamask/keyring-controller';\nimport type { Messenger } from '@metamask/messenger';\nimport type { HandleSnapRequest } from '@metamask/snaps-controllers';\nimport type { Json } from '@metamask/utils';\n\nimport {\n  createSnapPublicKeyRequest,\n  createSnapAllPublicKeysRequest,\n  createSnapSignMessageRequest,\n} from './auth-snap-requests';\nimport { AuthenticationControllerMethodActions } from './AuthenticationController-method-action-types';\nimport type {\n  LoginResponse,\n  SRPInterface,\n  UserProfile,\n  UserProfileLineage,\n} from '../../sdk';\nimport {\n  assertMessageStartsWithMetamask,\n  AuthType,\n  Env,\n  JwtBearerAuth,\n} from '../../sdk';\nimport type { MetaMetricsAuth } from '../../shared/types/services';\n\nconst controllerName = 'AuthenticationController';\n\n// State\nexport type AuthenticationControllerState = {\n  isSignedIn: boolean;\n  srpSessionData?: Record<string, LoginResponse>;\n};\nexport const defaultState: AuthenticationControllerState = {\n  isSignedIn: false,\n};\nconst metadata: StateMetadata<AuthenticationControllerState> = {\n  isSignedIn: {\n    includeInStateLogs: true,\n    persist: true,\n    includeInDebugSnapshot: true,\n    usedInUi: true,\n  },\n  srpSessionData: {\n    // Remove access token from state logs\n    includeInStateLogs: (srpSessionData) => {\n      // Unreachable branch, included just to fix a type error for the case where this property is\n      // unset. The type gets collapsed to include `| undefined` even though `undefined` is never\n      // set here, because we don't yet use `exactOptionalPropertyTypes`.\n      // TODO: Remove branch after enabling `exactOptionalPropertyTypes`\n      // ref: https://github.com/MetaMask/core/issues/6565\n      if (srpSessionData === null || srpSessionData === undefined) {\n        return null;\n      }\n      return Object.entries(srpSessionData).reduce<Record<string, Json>>(\n        (sanitizedSrpSessionData, [key, value]) => {\n          const { accessToken: _unused, ...tokenWithoutAccessToken } =\n            value.token;\n          sanitizedSrpSessionData[key] = {\n            ...value,\n            token: tokenWithoutAccessToken,\n          };\n          return sanitizedSrpSessionData;\n        },\n        {},\n      );\n    },\n    persist: true,\n    includeInDebugSnapshot: false,\n    usedInUi: true,\n  },\n};\n\ntype ControllerConfig = {\n  env: Env;\n};\n\nconst MESSENGER_EXPOSED_METHODS = [\n  'performSignIn',\n  'performSignOut',\n  'getBearerToken',\n  'getSessionProfile',\n  'getUserProfileLineage',\n  'isSignedIn',\n] as const;\n\nexport type Actions =\n  | AuthenticationControllerGetStateAction\n  | AuthenticationControllerMethodActions;\n\nexport type AuthenticationControllerGetStateAction = ControllerGetStateAction<\n  typeof controllerName,\n  AuthenticationControllerState\n>;\n\nexport type AuthenticationControllerStateChangeEvent =\n  ControllerStateChangeEvent<\n    typeof controllerName,\n    AuthenticationControllerState\n  >;\n\nexport type Events = AuthenticationControllerStateChangeEvent;\n\n// Allowed Actions\ntype AllowedActions = HandleSnapRequest | KeyringControllerGetStateAction;\n\ntype AllowedEvents = KeyringControllerLockEvent | KeyringControllerUnlockEvent;\n\n// Messenger\nexport type AuthenticationControllerMessenger = Messenger<\n  typeof controllerName,\n  Actions | AllowedActions,\n  Events | AllowedEvents\n>;\n\n/**\n * Controller that enables authentication for restricted endpoints.\n * Used for Backup & Sync, Notifications, and other services.\n */\nexport class AuthenticationController extends BaseController<\n  typeof controllerName,\n  AuthenticationControllerState,\n  AuthenticationControllerMessenger\n> {\n  readonly #metametrics: MetaMetricsAuth;\n\n  readonly #auth: SRPInterface;\n\n  readonly #config: ControllerConfig = {\n    env: Env.PRD,\n  };\n\n  #isUnlocked = false;\n\n  #cachedPrimaryEntropySourceId?: string;\n\n  readonly #keyringController = {\n    setupLockedStateSubscriptions: () => {\n      const { isUnlocked } = this.messenger.call('KeyringController:getState');\n      this.#isUnlocked = isUnlocked;\n\n      this.messenger.subscribe('KeyringController:unlock', () => {\n        this.#isUnlocked = true;\n      });\n\n      this.messenger.subscribe('KeyringController:lock', () => {\n        this.#isUnlocked = false;\n      });\n    },\n  };\n\n  constructor({\n    messenger,\n    state,\n    config,\n    metametrics,\n  }: {\n    messenger: AuthenticationControllerMessenger;\n    state?: AuthenticationControllerState;\n    config?: Partial<ControllerConfig>;\n    /**\n     * Not using the Messaging System as we\n     * do not want to tie this strictly to extension\n     */\n    metametrics: MetaMetricsAuth;\n  }) {\n    super({\n      messenger,\n      metadata,\n      name: controllerName,\n      state: { ...defaultState, ...state },\n    });\n\n    if (!metametrics) {\n      throw new Error('`metametrics` field is required');\n    }\n\n    this.#config = {\n      ...this.#config,\n      ...config,\n    };\n\n    this.#metametrics = metametrics;\n\n    this.#auth = new JwtBearerAuth(\n      {\n        env: this.#config.env,\n        platform: metametrics.agent,\n        type: AuthType.SRP,\n      },\n      {\n        storage: {\n          getLoginResponse: this.#getLoginResponseFromState.bind(this),\n          setLoginResponse: this.#setLoginResponseToState.bind(this),\n        },\n        signing: {\n          getIdentifier: this.#snapGetPublicKey.bind(this),\n          signMessage: this.#snapSignMessage.bind(this),\n        },\n        metametrics: this.#metametrics,\n      },\n    );\n\n    this.#keyringController.setupLockedStateSubscriptions();\n\n    this.messenger.registerMethodActionHandlers(\n      this,\n      MESSENGER_EXPOSED_METHODS,\n    );\n  }\n\n  async #getLoginResponseFromState(\n    entropySourceId?: string,\n  ): Promise<LoginResponse | null> {\n    const resolvedId =\n      entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n    if (!this.state.srpSessionData?.[resolvedId]) {\n      return null;\n    }\n    return this.state.srpSessionData[resolvedId];\n  }\n\n  async #setLoginResponseToState(\n    loginResponse: LoginResponse,\n    entropySourceId?: string,\n  ) {\n    const resolvedId =\n      entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n    const metaMetricsId = await this.#metametrics.getMetaMetricsId();\n    this.update((state) => {\n      state.isSignedIn = true;\n      if (!state.srpSessionData) {\n        state.srpSessionData = {};\n      }\n      state.srpSessionData[resolvedId] = {\n        ...loginResponse,\n        profile: {\n          ...loginResponse.profile,\n          metaMetricsId,\n        },\n      };\n    });\n  }\n\n  #assertIsUnlocked(methodName: string): void {\n    if (!this.#isUnlocked) {\n      throw new Error(`${methodName} - unable to proceed, wallet is locked`);\n    }\n  }\n\n  async #getPrimaryEntropySourceId(): Promise<string> {\n    if (this.#cachedPrimaryEntropySourceId) {\n      return this.#cachedPrimaryEntropySourceId;\n    }\n    const allPublicKeys = await this.#snapGetAllPublicKeys();\n\n    if (allPublicKeys.length === 0) {\n      throw new Error(\n        '#getPrimaryEntropySourceId - No entropy sources found from snap',\n      );\n    }\n\n    const primaryId = allPublicKeys[0][0];\n    if (!primaryId) {\n      throw new Error(\n        '#getPrimaryEntropySourceId - Primary entropy source ID is undefined',\n      );\n    }\n\n    this.#cachedPrimaryEntropySourceId = primaryId;\n    return this.#cachedPrimaryEntropySourceId;\n  }\n\n  public async performSignIn(): Promise<string[]> {\n    this.#assertIsUnlocked('performSignIn');\n\n    const allPublicKeys = await this.#snapGetAllPublicKeys();\n    const accessTokens = [];\n\n    // We iterate sequentially in order to be sure that the first entry\n    // is the primary SRP LoginResponse.\n    for (const [entropySourceId] of allPublicKeys) {\n      const accessToken = await this.#auth.getAccessToken(entropySourceId);\n      accessTokens.push(accessToken);\n    }\n\n    return accessTokens;\n  }\n\n  public performSignOut(): void {\n    this.#cachedPrimaryEntropySourceId = undefined;\n    this.update((state) => {\n      state.isSignedIn = false;\n      state.srpSessionData = undefined;\n    });\n  }\n\n  /**\n   * Will return a bearer token.\n   * Logs a user in if a user is not logged in.\n   *\n   * @returns profile for the session.\n   */\n\n  public async getBearerToken(entropySourceId?: string): Promise<string> {\n    this.#assertIsUnlocked('getBearerToken');\n    const resolvedId =\n      entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n    return await this.#auth.getAccessToken(resolvedId);\n  }\n\n  /**\n   * Will return a session profile.\n   * Logs a user in if a user is not logged in.\n   *\n   * @param entropySourceId - The entropy source ID used to derive the key,\n   * when multiple sources are available (Multi-SRP).\n   * @returns profile for the session.\n   */\n  public async getSessionProfile(\n    entropySourceId?: string,\n  ): Promise<UserProfile> {\n    this.#assertIsUnlocked('getSessionProfile');\n    const resolvedId =\n      entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n    return await this.#auth.getUserProfile(resolvedId);\n  }\n\n  public async getUserProfileLineage(\n    entropySourceId?: string,\n  ): Promise<UserProfileLineage> {\n    this.#assertIsUnlocked('getUserProfileLineage');\n    const resolvedId =\n      entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n    return await this.#auth.getUserProfileLineage(resolvedId);\n  }\n\n  public isSignedIn(): boolean {\n    return this.state.isSignedIn;\n  }\n\n  /**\n   * Returns the auth snap public key.\n   *\n   * @param entropySourceId - The entropy source ID used to derive the key,\n   * when multiple sources are available (Multi-SRP).\n   * @returns The snap public key.\n   */\n  async #snapGetPublicKey(entropySourceId?: string): Promise<string> {\n    this.#assertIsUnlocked('#snapGetPublicKey');\n\n    const result = (await this.messenger.call(\n      'SnapController:handleRequest',\n      createSnapPublicKeyRequest(entropySourceId),\n    )) as string;\n\n    return result;\n  }\n\n  /**\n   * Returns a mapping of entropy source IDs to auth snap public keys.\n   *\n   * @returns A mapping of entropy source IDs to public keys.\n   */\n  async #snapGetAllPublicKeys(): Promise<[string, string][]> {\n    this.#assertIsUnlocked('#snapGetAllPublicKeys');\n\n    const result = (await this.messenger.call(\n      'SnapController:handleRequest',\n      createSnapAllPublicKeysRequest(),\n    )) as [string, string][];\n\n    return result;\n  }\n\n  #_snapSignMessageCache: Record<`metamask:${string}`, string> = {};\n\n  /**\n   * Signs a specific message using an underlying auth snap.\n   *\n   * @param message - A specific tagged message to sign.\n   * @param entropySourceId - The entropy source ID used to derive the key,\n   * when multiple sources are available (Multi-SRP).\n   * @returns A Signature created by the snap.\n   */\n  async #snapSignMessage(\n    message: string,\n    entropySourceId?: string,\n  ): Promise<string> {\n    assertMessageStartsWithMetamask(message);\n\n    if (this.#_snapSignMessageCache[message]) {\n      return this.#_snapSignMessageCache[message];\n    }\n\n    this.#assertIsUnlocked('#snapSignMessage');\n\n    const result = (await this.messenger.call(\n      'SnapController:handleRequest',\n      createSnapSignMessageRequest(message, entropySourceId),\n    )) as string;\n\n    this.#_snapSignMessageCache[message] = result;\n\n    return result;\n  }\n}\n"]}

package/dist/controllers/authentication/mocks/mockResponses.cjs

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getMockAuthAccessTokenResponse = exports.MOCK_OATH_TOKEN_RESPONSE = exports.getMockAuthLoginResponse = exports.MOCK_LOGIN_RESPONSE = exports.getMockAuthNonceResponse = exports.MOCK_JWT = exports.MOCK_NONCE = exports.MOCK_NONCE_RESPONSE = void 0;
+exports.getMockAuthAccessTokenResponse = exports.getE2EIdentifierFromJwt = exports.MOCK_OATH_TOKEN_RESPONSE = exports.getMockAuthLoginResponse = exports.MOCK_LOGIN_RESPONSE = exports.getMockAuthNonceResponse = exports.MOCK_JWT = exports.MOCK_NONCE = exports.MOCK_NONCE_RESPONSE = void 0;
 const auth_1 = require("../../../sdk/mocks/auth.cjs");
 exports.MOCK_NONCE_RESPONSE = auth_1.MOCK_NONCE_RESPONSE;
 exports.MOCK_NONCE = exports.MOCK_NONCE_RESPONSE.nonce;
@@ -47,18 +47,57 @@ const getMockAuthLoginResponse = () => {
 };
 exports.getMockAuthLoginResponse = getMockAuthLoginResponse;
 exports.MOCK_OATH_TOKEN_RESPONSE = auth_1.MOCK_OIDC_TOKEN_RESPONSE;
+const MOCK_JWT_FAR_FUTURE_EXP = 4102444800; // 2100-01-01
+/**
+ * Wraps a plain-text identifier in a minimal JWT so that client-side
+ * JWT validation (exp check) passes in E2E tests. The identifier is
+ * stored in the `sub` claim and can be extracted via {@link getE2EIdentifierFromJwt}.
+ *
+ * @param identifier - The plain-text E2E identifier to wrap.
+ * @returns A JWT-shaped string containing the identifier.
+ */
+const wrapInMockJwt = (identifier) => {
+    const header = btoa(JSON.stringify({ alg: 'none', typ: 'JWT' }));
+    const payload = btoa(JSON.stringify({ sub: identifier, exp: MOCK_JWT_FAR_FUTURE_EXP }));
+    return `${header}.${payload}.mock`;
+};
+/**
+ * Extracts the E2E identifier (`sub` claim) from a mock JWT created
+ * by {@link wrapInMockJwt}. Falls back to returning the raw token if
+ * decoding fails (backward compatibility with raw-identifier headers).
+ *
+ * @param token - A bearer token string (JWT or raw identifier).
+ * @returns The decoded identifier, or the original token as-is.
+ */
+const getE2EIdentifierFromJwt = (token) => {
+    try {
+        const parts = token.split('.');
+        if (parts.length === 3) {
+            const { sub } = JSON.parse(atob(parts[1]));
+            if (typeof sub === 'string' && sub.length > 0) {
+                return sub;
+            }
+        }
+    }
+    catch {
+        // not a JWT — fall through
+    }
+    return token;
+};
+exports.getE2EIdentifierFromJwt = getE2EIdentifierFromJwt;
 const getMockAuthAccessTokenResponse = () => {
     return {
         url: auth_1.MOCK_OIDC_TOKEN_URL,
         requestMethod: 'POST',
         response: (requestJsonBody) => {
-            // We end up setting the access token to the e2eIdentifier in the test environment
-            // This is then attached to every request's Authorization header
-            // and used to segregate data in the test environment
+            // We wrap the e2eIdentifier in a JWT so client-side JWT validation passes.
+            // The mock server extracts the identifier back via getE2EIdentifierFromJwt.
             const e2eIdentifier = new URLSearchParams(requestJsonBody).get('assertion');
             return {
                 ...exports.MOCK_OATH_TOKEN_RESPONSE,
-                access_token: e2eIdentifier ?? exports.MOCK_OATH_TOKEN_RESPONSE.access_token,
+                access_token: e2eIdentifier
+                    ? wrapInMockJwt(e2eIdentifier)
+                    : exports.MOCK_OATH_TOKEN_RESPONSE.access_token,
             };
         },
     };

package/dist/controllers/authentication/mocks/mockResponses.cjs.map

@@ -1 +1 @@
-{"version":3,"file":"mockResponses.cjs","sourceRoot":"","sources":["../../../../src/controllers/authentication/mocks/mockResponses.ts"],"names":[],"mappings":";;;AAAA,sDAQiC;AAQpB,QAAA,mBAAmB,GAAG,0BAAuB,CAAC;AAC9C,QAAA,UAAU,GAAG,2BAAmB,CAAC,KAAK,CAAC;AACvC,QAAA,QAAQ,GAAG,eAAY,CAAC;AAE9B,MAAM,wBAAwB,GAAG,GAAG,EAAE;IAC3C,OAAO;QACL,GAAG,EAAE,qBAAc;QACnB,aAAa,EAAE,KAAK;QACpB,QAAQ,EAAE,CACR,CAAW,EACX,IAAa,EACb,+BAA+D,EAC/D,EAAE;YACF,2FAA2F;YAC3F,oEAAoE;YACpE,MAAM,UAAU,GAAG,IAAI,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;YAClD,MAAM,aAAa,GAAG,+BAA+B,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC;YAE1E,OAAO;gBACL,GAAG,2BAAmB;gBACtB,KAAK,EAAE,aAAa,IAAI,2BAAmB,CAAC,KAAK;gBACjD,UAAU,EAAE,2BAAmB,CAAC,UAAU;aAC3C,CAAC;QACJ,CAAC;KACqB,CAAC;AAC3B,CAAC,CAAC;AArBW,QAAA,wBAAwB,4BAqBnC;AAEW,QAAA,mBAAmB,GAAG,8BAA2B,CAAC;AAExD,MAAM,wBAAwB,GAAG,GAAG,EAAE;IAC3C,OAAO;QACL,GAAG,EAAE,yBAAkB;QACvB,aAAa,EAAE,MAAM;QACrB,mHAAmH;QACnH,+DAA+D;QAC/D,QAAQ,EAAE,CAAC,eAAyC,EAAE,EAAE;YACtD,MAAM,kBAAkB,GAAG,eAAe,EAAE,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACnE,MAAM,aAAa,GAAG,kBAAkB,EAAE,CAAC,kBAAkB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAE1E,OAAO;gBACL,GAAG,2BAAmB;gBACtB,KAAK,EAAE,aAAa,IAAI,2BAAmB,CAAC,KAAK;gBACjD,OAAO,EAAE;oBACP,GAAG,2BAAmB,CAAC,OAAO;oBAC9B,UAAU,EAAE,aAAa,IAAI,2BAAmB,CAAC,OAAO,CAAC,UAAU;oBACnE,aAAa,EACX,aAAa,IAAI,2BAAmB,CAAC,OAAO,CAAC,aAAa;iBAC7D;aACF,CAAC;QACJ,CAAC;KACqB,CAAC;AAC3B,CAAC,CAAC;AAtBW,QAAA,wBAAwB,4BAsBnC;AAEW,QAAA,wBAAwB,GAAG,+BAA4B,CAAC;AAE9D,MAAM,8BAA8B,GAAG,GAAG,EAAE;IACjD,OAAO;QACL,GAAG,EAAE,0BAAmB;QACxB,aAAa,EAAE,MAAM;QACrB,QAAQ,EAAE,CAAC,eAAwB,EAAE,EAAE;YACrC,kFAAkF;YAClF,gEAAgE;YAChE,qDAAqD;YACrD,MAAM,aAAa,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,CAAC,GAAG,CAC5D,WAAW,CACZ,CAAC;YAEF,OAAO;gBACL,GAAG,gCAAwB;gBAC3B,YAAY,EAAE,aAAa,IAAI,gCAAwB,CAAC,YAAY;aACrE,CAAC;QACJ,CAAC;KACqB,CAAC;AAC3B,CAAC,CAAC;AAlBW,QAAA,8BAA8B,kCAkBzC","sourcesContent":["import {\n  MOCK_NONCE_RESPONSE as SDK_MOCK_NONCE_RESPONSE,\n  MOCK_JWT as SDK_MOCK_JWT,\n  MOCK_SRP_LOGIN_RESPONSE as SDK_MOCK_SRP_LOGIN_RESPONSE,\n  MOCK_OIDC_TOKEN_RESPONSE as SDK_MOCK_OIDC_TOKEN_RESPONSE,\n  MOCK_NONCE_URL,\n  MOCK_SRP_LOGIN_URL,\n  MOCK_OIDC_TOKEN_URL,\n} from '../../../sdk/mocks/auth';\n\ntype MockResponse = {\n  url: string;\n  requestMethod: 'GET' | 'POST' | 'PUT';\n  response: unknown;\n};\n\nexport const MOCK_NONCE_RESPONSE = SDK_MOCK_NONCE_RESPONSE;\nexport const MOCK_NONCE = MOCK_NONCE_RESPONSE.nonce;\nexport const MOCK_JWT = SDK_MOCK_JWT;\n\nexport const getMockAuthNonceResponse = () => {\n  return {\n    url: MOCK_NONCE_URL,\n    requestMethod: 'GET',\n    response: (\n      _?: unknown,\n      path?: string,\n      getE2ESrpIdentifierForPublicKey?: (publicKey: string) => string,\n    ) => {\n      // The goal here is to have this identifier bubble all the way up to being the access token\n      // That way, we can use it to segregate data in the test environment\n      const identifier = path?.split('?identifier=')[1];\n      const e2eIdentifier = getE2ESrpIdentifierForPublicKey?.(identifier ?? '');\n\n      return {\n        ...MOCK_NONCE_RESPONSE,\n        nonce: e2eIdentifier ?? MOCK_NONCE_RESPONSE.nonce,\n        identifier: MOCK_NONCE_RESPONSE.identifier,\n      };\n    },\n  } satisfies MockResponse;\n};\n\nexport const MOCK_LOGIN_RESPONSE = SDK_MOCK_SRP_LOGIN_RESPONSE;\n\nexport const getMockAuthLoginResponse = () => {\n  return {\n    url: MOCK_SRP_LOGIN_URL,\n    requestMethod: 'POST',\n    // In case this mock is used in an E2E test, we populate token, profile_id and identifier_id with the e2eIdentifier\n    // to make it easier to segregate data in the test environment.\n    response: (requestJsonBody?: { raw_message: string }) => {\n      const splittedRawMessage = requestJsonBody?.raw_message.split(':');\n      const e2eIdentifier = splittedRawMessage?.[splittedRawMessage.length - 2];\n\n      return {\n        ...MOCK_LOGIN_RESPONSE,\n        token: e2eIdentifier ?? MOCK_LOGIN_RESPONSE.token,\n        profile: {\n          ...MOCK_LOGIN_RESPONSE.profile,\n          profile_id: e2eIdentifier ?? MOCK_LOGIN_RESPONSE.profile.profile_id,\n          identifier_id:\n            e2eIdentifier ?? MOCK_LOGIN_RESPONSE.profile.identifier_id,\n        },\n      };\n    },\n  } satisfies MockResponse;\n};\n\nexport const MOCK_OATH_TOKEN_RESPONSE = SDK_MOCK_OIDC_TOKEN_RESPONSE;\n\nexport const getMockAuthAccessTokenResponse = () => {\n  return {\n    url: MOCK_OIDC_TOKEN_URL,\n    requestMethod: 'POST',\n    response: (requestJsonBody?: string) => {\n      // We end up setting the access token to the e2eIdentifier in the test environment\n      // This is then attached to every request's Authorization header\n      // and used to segregate data in the test environment\n      const e2eIdentifier = new URLSearchParams(requestJsonBody).get(\n        'assertion',\n      );\n\n      return {\n        ...MOCK_OATH_TOKEN_RESPONSE,\n        access_token: e2eIdentifier ?? MOCK_OATH_TOKEN_RESPONSE.access_token,\n      };\n    },\n  } satisfies MockResponse;\n};\n"]}
+{"version":3,"file":"mockResponses.cjs","sourceRoot":"","sources":["../../../../src/controllers/authentication/mocks/mockResponses.ts"],"names":[],"mappings":";;;AAAA,sDAQiC;AAQpB,QAAA,mBAAmB,GAAG,0BAAuB,CAAC;AAC9C,QAAA,UAAU,GAAG,2BAAmB,CAAC,KAAK,CAAC;AACvC,QAAA,QAAQ,GAAG,eAAY,CAAC;AAE9B,MAAM,wBAAwB,GAAG,GAAG,EAAE;IAC3C,OAAO;QACL,GAAG,EAAE,qBAAc;QACnB,aAAa,EAAE,KAAK;QACpB,QAAQ,EAAE,CACR,CAAW,EACX,IAAa,EACb,+BAA+D,EAC/D,EAAE;YACF,2FAA2F;YAC3F,oEAAoE;YACpE,MAAM,UAAU,GAAG,IAAI,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;YAClD,MAAM,aAAa,GAAG,+BAA+B,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC;YAE1E,OAAO;gBACL,GAAG,2BAAmB;gBACtB,KAAK,EAAE,aAAa,IAAI,2BAAmB,CAAC,KAAK;gBACjD,UAAU,EAAE,2BAAmB,CAAC,UAAU;aAC3C,CAAC;QACJ,CAAC;KACqB,CAAC;AAC3B,CAAC,CAAC;AArBW,QAAA,wBAAwB,4BAqBnC;AAEW,QAAA,mBAAmB,GAAG,8BAA2B,CAAC;AAExD,MAAM,wBAAwB,GAAG,GAAG,EAAE;IAC3C,OAAO;QACL,GAAG,EAAE,yBAAkB;QACvB,aAAa,EAAE,MAAM;QACrB,mHAAmH;QACnH,+DAA+D;QAC/D,QAAQ,EAAE,CAAC,eAAyC,EAAE,EAAE;YACtD,MAAM,kBAAkB,GAAG,eAAe,EAAE,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACnE,MAAM,aAAa,GAAG,kBAAkB,EAAE,CAAC,kBAAkB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAE1E,OAAO;gBACL,GAAG,2BAAmB;gBACtB,KAAK,EAAE,aAAa,IAAI,2BAAmB,CAAC,KAAK;gBACjD,OAAO,EAAE;oBACP,GAAG,2BAAmB,CAAC,OAAO;oBAC9B,UAAU,EAAE,aAAa,IAAI,2BAAmB,CAAC,OAAO,CAAC,UAAU;oBACnE,aAAa,EACX,aAAa,IAAI,2BAAmB,CAAC,OAAO,CAAC,aAAa;iBAC7D;aACF,CAAC;QACJ,CAAC;KACqB,CAAC;AAC3B,CAAC,CAAC;AAtBW,QAAA,wBAAwB,4BAsBnC;AAEW,QAAA,wBAAwB,GAAG,+BAA4B,CAAC;AAErE,MAAM,uBAAuB,GAAG,UAAU,CAAC,CAAC,aAAa;AAEzD;;;;;;;GAOG;AACH,MAAM,aAAa,GAAG,CAAC,UAAkB,EAAU,EAAE;IACnD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IACjE,MAAM,OAAO,GAAG,IAAI,CAClB,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,UAAU,EAAE,GAAG,EAAE,uBAAuB,EAAE,CAAC,CAClE,CAAC;IACF,OAAO,GAAG,MAAM,IAAI,OAAO,OAAO,CAAC;AACrC,CAAC,CAAC;AAEF;;;;;;;GAOG;AACI,MAAM,uBAAuB,GAAG,CAAC,KAAa,EAAU,EAAE;IAC/D,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC3C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9C,OAAO,GAAG,CAAC;YACb,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,2BAA2B;IAC7B,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AAbW,QAAA,uBAAuB,2BAalC;AAEK,MAAM,8BAA8B,GAAG,GAAG,EAAE;IACjD,OAAO;QACL,GAAG,EAAE,0BAAmB;QACxB,aAAa,EAAE,MAAM;QACrB,QAAQ,EAAE,CAAC,eAAwB,EAAE,EAAE;YACrC,2EAA2E;YAC3E,4EAA4E;YAC5E,MAAM,aAAa,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,CAAC,GAAG,CAC5D,WAAW,CACZ,CAAC;YAEF,OAAO;gBACL,GAAG,gCAAwB;gBAC3B,YAAY,EAAE,aAAa;oBACzB,CAAC,CAAC,aAAa,CAAC,aAAa,CAAC;oBAC9B,CAAC,CAAC,gCAAwB,CAAC,YAAY;aAC1C,CAAC;QACJ,CAAC;KACqB,CAAC;AAC3B,CAAC,CAAC;AAnBW,QAAA,8BAA8B,kCAmBzC","sourcesContent":["import {\n  MOCK_NONCE_RESPONSE as SDK_MOCK_NONCE_RESPONSE,\n  MOCK_JWT as SDK_MOCK_JWT,\n  MOCK_SRP_LOGIN_RESPONSE as SDK_MOCK_SRP_LOGIN_RESPONSE,\n  MOCK_OIDC_TOKEN_RESPONSE as SDK_MOCK_OIDC_TOKEN_RESPONSE,\n  MOCK_NONCE_URL,\n  MOCK_SRP_LOGIN_URL,\n  MOCK_OIDC_TOKEN_URL,\n} from '../../../sdk/mocks/auth';\n\ntype MockResponse = {\n  url: string;\n  requestMethod: 'GET' | 'POST' | 'PUT';\n  response: unknown;\n};\n\nexport const MOCK_NONCE_RESPONSE = SDK_MOCK_NONCE_RESPONSE;\nexport const MOCK_NONCE = MOCK_NONCE_RESPONSE.nonce;\nexport const MOCK_JWT = SDK_MOCK_JWT;\n\nexport const getMockAuthNonceResponse = () => {\n  return {\n    url: MOCK_NONCE_URL,\n    requestMethod: 'GET',\n    response: (\n      _?: unknown,\n      path?: string,\n      getE2ESrpIdentifierForPublicKey?: (publicKey: string) => string,\n    ) => {\n      // The goal here is to have this identifier bubble all the way up to being the access token\n      // That way, we can use it to segregate data in the test environment\n      const identifier = path?.split('?identifier=')[1];\n      const e2eIdentifier = getE2ESrpIdentifierForPublicKey?.(identifier ?? '');\n\n      return {\n        ...MOCK_NONCE_RESPONSE,\n        nonce: e2eIdentifier ?? MOCK_NONCE_RESPONSE.nonce,\n        identifier: MOCK_NONCE_RESPONSE.identifier,\n      };\n    },\n  } satisfies MockResponse;\n};\n\nexport const MOCK_LOGIN_RESPONSE = SDK_MOCK_SRP_LOGIN_RESPONSE;\n\nexport const getMockAuthLoginResponse = () => {\n  return {\n    url: MOCK_SRP_LOGIN_URL,\n    requestMethod: 'POST',\n    // In case this mock is used in an E2E test, we populate token, profile_id and identifier_id with the e2eIdentifier\n    // to make it easier to segregate data in the test environment.\n    response: (requestJsonBody?: { raw_message: string }) => {\n      const splittedRawMessage = requestJsonBody?.raw_message.split(':');\n      const e2eIdentifier = splittedRawMessage?.[splittedRawMessage.length - 2];\n\n      return {\n        ...MOCK_LOGIN_RESPONSE,\n        token: e2eIdentifier ?? MOCK_LOGIN_RESPONSE.token,\n        profile: {\n          ...MOCK_LOGIN_RESPONSE.profile,\n          profile_id: e2eIdentifier ?? MOCK_LOGIN_RESPONSE.profile.profile_id,\n          identifier_id:\n            e2eIdentifier ?? MOCK_LOGIN_RESPONSE.profile.identifier_id,\n        },\n      };\n    },\n  } satisfies MockResponse;\n};\n\nexport const MOCK_OATH_TOKEN_RESPONSE = SDK_MOCK_OIDC_TOKEN_RESPONSE;\n\nconst MOCK_JWT_FAR_FUTURE_EXP = 4102444800; // 2100-01-01\n\n/**\n * Wraps a plain-text identifier in a minimal JWT so that client-side\n * JWT validation (exp check) passes in E2E tests. The identifier is\n * stored in the `sub` claim and can be extracted via {@link getE2EIdentifierFromJwt}.\n *\n * @param identifier - The plain-text E2E identifier to wrap.\n * @returns A JWT-shaped string containing the identifier.\n */\nconst wrapInMockJwt = (identifier: string): string => {\n  const header = btoa(JSON.stringify({ alg: 'none', typ: 'JWT' }));\n  const payload = btoa(\n    JSON.stringify({ sub: identifier, exp: MOCK_JWT_FAR_FUTURE_EXP }),\n  );\n  return `${header}.${payload}.mock`;\n};\n\n/**\n * Extracts the E2E identifier (`sub` claim) from a mock JWT created\n * by {@link wrapInMockJwt}. Falls back to returning the raw token if\n * decoding fails (backward compatibility with raw-identifier headers).\n *\n * @param token - A bearer token string (JWT or raw identifier).\n * @returns The decoded identifier, or the original token as-is.\n */\nexport const getE2EIdentifierFromJwt = (token: string): string => {\n  try {\n    const parts = token.split('.');\n    if (parts.length === 3) {\n      const { sub } = JSON.parse(atob(parts[1]));\n      if (typeof sub === 'string' && sub.length > 0) {\n        return sub;\n      }\n    }\n  } catch {\n    // not a JWT — fall through\n  }\n  return token;\n};\n\nexport const getMockAuthAccessTokenResponse = () => {\n  return {\n    url: MOCK_OIDC_TOKEN_URL,\n    requestMethod: 'POST',\n    response: (requestJsonBody?: string) => {\n      // We wrap the e2eIdentifier in a JWT so client-side JWT validation passes.\n      // The mock server extracts the identifier back via getE2EIdentifierFromJwt.\n      const e2eIdentifier = new URLSearchParams(requestJsonBody).get(\n        'assertion',\n      );\n\n      return {\n        ...MOCK_OATH_TOKEN_RESPONSE,\n        access_token: e2eIdentifier\n          ? wrapInMockJwt(e2eIdentifier)\n          : MOCK_OATH_TOKEN_RESPONSE.access_token,\n      };\n    },\n  } satisfies MockResponse;\n};\n"]}

package/dist/controllers/authentication/mocks/mockResponses.d.cts

@@ -46,6 +46,15 @@ export declare const MOCK_OATH_TOKEN_RESPONSE: {
     access_token: string;
     expires_in: number;
 };
+/**
+ * Extracts the E2E identifier (`sub` claim) from a mock JWT created
+ * by {@link wrapInMockJwt}. Falls back to returning the raw token if
+ * decoding fails (backward compatibility with raw-identifier headers).
+ *
+ * @param token - A bearer token string (JWT or raw identifier).
+ * @returns The decoded identifier, or the original token as-is.
+ */
+export declare const getE2EIdentifierFromJwt: (token: string) => string;
 export declare const getMockAuthAccessTokenResponse: () => {
     url: string;
     requestMethod: "POST";