@metamask-previews/profile-sync-controller 28.0.2-preview-60ee344a5 → 28.0.2-preview-684720652

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (22) hide show
  1. package/CHANGELOG.md +7 -3
  2. package/dist/controllers/authentication/AuthenticationController-method-action-types.cjs.map +1 -1
  3. package/dist/controllers/authentication/AuthenticationController-method-action-types.d.cts +10 -1
  4. package/dist/controllers/authentication/AuthenticationController-method-action-types.d.cts.map +1 -1
  5. package/dist/controllers/authentication/AuthenticationController-method-action-types.d.mts +10 -1
  6. package/dist/controllers/authentication/AuthenticationController-method-action-types.d.mts.map +1 -1
  7. package/dist/controllers/authentication/AuthenticationController-method-action-types.mjs.map +1 -1
  8. package/dist/controllers/authentication/AuthenticationController.cjs +75 -20
  9. package/dist/controllers/authentication/AuthenticationController.cjs.map +1 -1
  10. package/dist/controllers/authentication/AuthenticationController.d.cts +18 -0
  11. package/dist/controllers/authentication/AuthenticationController.d.cts.map +1 -1
  12. package/dist/controllers/authentication/AuthenticationController.d.mts +18 -0
  13. package/dist/controllers/authentication/AuthenticationController.d.mts.map +1 -1
  14. package/dist/controllers/authentication/AuthenticationController.mjs +75 -20
  15. package/dist/controllers/authentication/AuthenticationController.mjs.map +1 -1
  16. package/dist/controllers/authentication/index.cjs.map +1 -1
  17. package/dist/controllers/authentication/index.d.cts +1 -1
  18. package/dist/controllers/authentication/index.d.cts.map +1 -1
  19. package/dist/controllers/authentication/index.d.mts +1 -1
  20. package/dist/controllers/authentication/index.d.mts.map +1 -1
  21. package/dist/controllers/authentication/index.mjs.map +1 -1
  22. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -9,12 +9,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
9
9
 
10
10
  ### Added
11
11
 
12
- - Add SRP profile pairing support (Accounts ADR 0006) ([#8504](https://github.com/MetaMask/core/pull/8504))
13
- - `performSignIn` now automatically pairs all SRPs via `POST /profile/pair` when 2+ SRPs exist (idempotent)
12
+ - Add SRP profile pairing support (Accounts ADR 0006) ([#8504](https://github.com/MetaMask/core/pull/8504), [#8642](https://github.com/MetaMask/core/pull/8642))
13
+ - Pairing runs at the end of `performSignIn`; pair failures are swallowed and retried on the next gate fire.
14
+ - Add `needsProfilePairing?: boolean` to state (defaults `true`, cleared on successful pair, re-armed via `requestProfilePairing()`). Optional in the type to keep partial-state selectors assignable; treat `undefined` as `true`.
15
+ - Add `requestProfilePairing()` (and `AuthenticationController:requestProfilePairing` action) for clients to signal SRP-set changes so the next auto-sign-in cycle re-pairs.
16
+ - Upgrade path: existing signed-in users re-pair automatically on the first auto-sign-in cycle. Pre-pairing sessions miss `canonicalProfileId` and re-login on the next `getAccessToken`, so the pair call runs against fresh v2 JWTs — no client migration needed.
17
+ - JWT staleness note: a newly added SRP's JWT keeps `sub = alias_id` until that SRP's session is re-logged-in. User storage is unaffected (it keys on `x-profile-id`, not `sub`).
14
18
  - Add `canonicalProfileId` to `UserProfile` — the unified profile ID across paired SRPs
15
19
  - Add `ProfileAlias` type for transient alias data returned by the pairing API
16
20
  - Add `pairSrpProfiles` method to `SRPJwtBearerAuth` and `JwtBearerAuth`
17
- - Add `ProfileSignInEvent` (`AuthenticationController:profileSignIn`) emitted after successful pairing
21
+ - Add `ProfileSignInEvent` (`AuthenticationController:profileSignIn`) emitted after successful pairing when the canonical profile ID changes or new aliases are returned
18
22
  - Send `X-MetaMask-Profile-Pairing: enabled` header on all `/srp/login` requests
19
23
  - Resolve original per-SRP `profileId` from `profile_aliases` using `computeIdentifierId`
20
24
  - Propagate canonical profile ID to all `srpSessionData` entries after pairing
package/dist/controllers/authentication/AuthenticationController-method-action-types.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"AuthenticationController-method-action-types.cjs","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController-method-action-types.ts"],"names":[],"mappings":";AAAA;;;GAGG","sourcesContent":["/**\n * This file is auto generated.\n * Do not edit manually.\n */\n\nimport type { AuthenticationController } from './AuthenticationController';\n\nexport type AuthenticationControllerPerformSignInAction = {\n type: `AuthenticationController:performSignIn`;\n handler: AuthenticationController['performSignIn'];\n};\n\nexport type AuthenticationControllerPerformSignOutAction = {\n type: `AuthenticationController:performSignOut`;\n handler: AuthenticationController['performSignOut'];\n};\n\n/**\n * Returns a bearer token for the specified SRP, logging in if needed.\n *\n * When called without `entropySourceId`, returns the primary (first) SRP's\n * access token, which is effectively the canonical\n * profile's token that can be used by alias-aware consumers for cross-SRP\n * operations.\n *\n * @param entropySourceId - The entropy source ID. Omit for the primary SRP.\n * @returns The OIDC access token.\n */\nexport type AuthenticationControllerGetBearerTokenAction = {\n type: `AuthenticationController:getBearerToken`;\n handler: AuthenticationController['getBearerToken'];\n};\n\n/**\n * Returns the cached session profile, logging in if no session exists.\n *\n * The returned `canonicalProfileId` reflects the value from the most recent\n * login or pairing. In the rare event where a canonical changed because of\n * a pairing that happened on another device, the cached value may be stale\n * until the next login. For guaranteed freshness, call\n * `refreshCanonicalProfileId()` before reading `canonicalProfileId`.\n *\n * @param entropySourceId - The entropy source ID used to derive the key,\n * when multiple sources are available (Multi-SRP).\n * @returns profile for the session.\n */\nexport type AuthenticationControllerGetSessionProfileAction = {\n type: `AuthenticationController:getSessionProfile`;\n handler: AuthenticationController['getSessionProfile'];\n};\n\n/**\n * Forces a fresh retrieval of the canonical profile ID from the server\n * and propagates it to all cached SRP sessions.\n *\n * This method invalidates the primary SRP's cached session and forces a\n * re-login. Use it before operations that require a guaranteed-fresh\n * canonical (e.g. storage key derivation for Accounts ADR 0005). For\n * best-effort reads, use\n * `getSessionProfile().canonicalProfileId` instead.\n *\n * Only the primary SRP is re-logged-in regardless of how many SRPs exist —\n * the server returns the current canonical for the entire pairing group\n * from any single SRP login.\n *\n * @returns The refreshed canonical profile ID.\n */\nexport type AuthenticationControllerRefreshCanonicalProfileIdAction = {\n type: `AuthenticationController:refreshCanonicalProfileId`;\n handler: AuthenticationController['refreshCanonicalProfileId'];\n};\n\nexport type AuthenticationControllerGetUserProfileLineageAction = {\n type: `AuthenticationController:getUserProfileLineage`;\n handler: AuthenticationController['getUserProfileLineage'];\n};\n\nexport type AuthenticationControllerIsSignedInAction = {\n type: `AuthenticationController:isSignedIn`;\n handler: AuthenticationController['isSignedIn'];\n};\n\n/**\n * Union of all AuthenticationController action types.\n */\nexport type AuthenticationControllerMethodActions =\n | AuthenticationControllerPerformSignInAction\n | AuthenticationControllerPerformSignOutAction\n | AuthenticationControllerGetBearerTokenAction\n | AuthenticationControllerGetSessionProfileAction\n | AuthenticationControllerRefreshCanonicalProfileIdAction\n | AuthenticationControllerGetUserProfileLineageAction\n | AuthenticationControllerIsSignedInAction;\n"]}
1
+ {"version":3,"file":"AuthenticationController-method-action-types.cjs","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController-method-action-types.ts"],"names":[],"mappings":";AAAA;;;GAGG","sourcesContent":["/**\n * This file is auto generated.\n * Do not edit manually.\n */\n\nimport type { AuthenticationController } from './AuthenticationController';\n\nexport type AuthenticationControllerPerformSignInAction = {\n type: `AuthenticationController:performSignIn`;\n handler: AuthenticationController['performSignIn'];\n};\n\n/**\n * Marks profile pairing as needed. Clients call this when the SRP set\n * changes (e.g. a new keyring was added) so the next auto-sign-in cycle\n * re-runs `performSignIn` and re-pairs.\n */\nexport type AuthenticationControllerRequestProfilePairingAction = {\n type: `AuthenticationController:requestProfilePairing`;\n handler: AuthenticationController['requestProfilePairing'];\n};\n\nexport type AuthenticationControllerPerformSignOutAction = {\n type: `AuthenticationController:performSignOut`;\n handler: AuthenticationController['performSignOut'];\n};\n\n/**\n * Returns a bearer token for the specified SRP, logging in if needed.\n *\n * When called without `entropySourceId`, returns the primary (first) SRP's\n * access token, which is effectively the canonical\n * profile's token that can be used by alias-aware consumers for cross-SRP\n * operations.\n *\n * @param entropySourceId - The entropy source ID. Omit for the primary SRP.\n * @returns The OIDC access token.\n */\nexport type AuthenticationControllerGetBearerTokenAction = {\n type: `AuthenticationController:getBearerToken`;\n handler: AuthenticationController['getBearerToken'];\n};\n\n/**\n * Returns the cached session profile, logging in if no session exists.\n *\n * The returned `canonicalProfileId` reflects the value from the most recent\n * login or pairing. In the rare event where a canonical changed because of\n * a pairing that happened on another device, the cached value may be stale\n * until the next login. For guaranteed freshness, call\n * `refreshCanonicalProfileId()` before reading `canonicalProfileId`.\n *\n * @param entropySourceId - The entropy source ID used to derive the key,\n * when multiple sources are available (Multi-SRP).\n * @returns profile for the session.\n */\nexport type AuthenticationControllerGetSessionProfileAction = {\n type: `AuthenticationController:getSessionProfile`;\n handler: AuthenticationController['getSessionProfile'];\n};\n\n/**\n * Forces a fresh retrieval of the canonical profile ID from the server\n * and propagates it to all cached SRP sessions.\n *\n * This method invalidates the primary SRP's cached session and forces a\n * re-login. Use it before operations that require a guaranteed-fresh\n * canonical (e.g. storage key derivation for Accounts ADR 0005). For\n * best-effort reads, use\n * `getSessionProfile().canonicalProfileId` instead.\n *\n * Only the primary SRP is re-logged-in regardless of how many SRPs exist —\n * the server returns the current canonical for the entire pairing group\n * from any single SRP login.\n *\n * @returns The refreshed canonical profile ID.\n */\nexport type AuthenticationControllerRefreshCanonicalProfileIdAction = {\n type: `AuthenticationController:refreshCanonicalProfileId`;\n handler: AuthenticationController['refreshCanonicalProfileId'];\n};\n\nexport type AuthenticationControllerGetUserProfileLineageAction = {\n type: `AuthenticationController:getUserProfileLineage`;\n handler: AuthenticationController['getUserProfileLineage'];\n};\n\nexport type AuthenticationControllerIsSignedInAction = {\n type: `AuthenticationController:isSignedIn`;\n handler: AuthenticationController['isSignedIn'];\n};\n\n/**\n * Union of all AuthenticationController action types.\n */\nexport type AuthenticationControllerMethodActions =\n | AuthenticationControllerPerformSignInAction\n | AuthenticationControllerRequestProfilePairingAction\n | AuthenticationControllerPerformSignOutAction\n | AuthenticationControllerGetBearerTokenAction\n | AuthenticationControllerGetSessionProfileAction\n | AuthenticationControllerRefreshCanonicalProfileIdAction\n | AuthenticationControllerGetUserProfileLineageAction\n | AuthenticationControllerIsSignedInAction;\n"]}
package/dist/controllers/authentication/AuthenticationController-method-action-types.d.cts CHANGED
@@ -7,6 +7,15 @@ export type AuthenticationControllerPerformSignInAction = {
7
7
  type: `AuthenticationController:performSignIn`;
8
8
  handler: AuthenticationController['performSignIn'];
9
9
  };
10
+ /**
11
+ * Marks profile pairing as needed. Clients call this when the SRP set
12
+ * changes (e.g. a new keyring was added) so the next auto-sign-in cycle
13
+ * re-runs `performSignIn` and re-pairs.
14
+ */
15
+ export type AuthenticationControllerRequestProfilePairingAction = {
16
+ type: `AuthenticationController:requestProfilePairing`;
17
+ handler: AuthenticationController['requestProfilePairing'];
18
+ };
10
19
  export type AuthenticationControllerPerformSignOutAction = {
11
20
  type: `AuthenticationController:performSignOut`;
12
21
  handler: AuthenticationController['performSignOut'];
@@ -74,5 +83,5 @@ export type AuthenticationControllerIsSignedInAction = {
74
83
  /**
75
84
  * Union of all AuthenticationController action types.
76
85
  */
77
- export type AuthenticationControllerMethodActions = AuthenticationControllerPerformSignInAction | AuthenticationControllerPerformSignOutAction | AuthenticationControllerGetBearerTokenAction | AuthenticationControllerGetSessionProfileAction | AuthenticationControllerRefreshCanonicalProfileIdAction | AuthenticationControllerGetUserProfileLineageAction | AuthenticationControllerIsSignedInAction;
86
+ export type AuthenticationControllerMethodActions = AuthenticationControllerPerformSignInAction | AuthenticationControllerRequestProfilePairingAction | AuthenticationControllerPerformSignOutAction | AuthenticationControllerGetBearerTokenAction | AuthenticationControllerGetSessionProfileAction | AuthenticationControllerRefreshCanonicalProfileIdAction | AuthenticationControllerGetUserProfileLineageAction | AuthenticationControllerIsSignedInAction;
78
87
  //# sourceMappingURL=AuthenticationController-method-action-types.d.cts.map
package/dist/controllers/authentication/AuthenticationController-method-action-types.d.cts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"AuthenticationController-method-action-types.d.cts","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController-method-action-types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,wBAAwB,EAAE,uCAAmC;AAE3E,MAAM,MAAM,2CAA2C,GAAG;IACxD,IAAI,EAAE,wCAAwC,CAAC;IAC/C,OAAO,EAAE,wBAAwB,CAAC,eAAe,CAAC,CAAC;CACpD,CAAC;AAEF,MAAM,MAAM,4CAA4C,GAAG;IACzD,IAAI,EAAE,yCAAyC,CAAC;IAChD,OAAO,EAAE,wBAAwB,CAAC,gBAAgB,CAAC,CAAC;CACrD,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,MAAM,4CAA4C,GAAG;IACzD,IAAI,EAAE,yCAAyC,CAAC;IAChD,OAAO,EAAE,wBAAwB,CAAC,gBAAgB,CAAC,CAAC;CACrD,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,+CAA+C,GAAG;IAC5D,IAAI,EAAE,4CAA4C,CAAC;IACnD,OAAO,EAAE,wBAAwB,CAAC,mBAAmB,CAAC,CAAC;CACxD,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,uDAAuD,GAAG;IACpE,IAAI,EAAE,oDAAoD,CAAC;IAC3D,OAAO,EAAE,wBAAwB,CAAC,2BAA2B,CAAC,CAAC;CAChE,CAAC;AAEF,MAAM,MAAM,mDAAmD,GAAG;IAChE,IAAI,EAAE,gDAAgD,CAAC;IACvD,OAAO,EAAE,wBAAwB,CAAC,uBAAuB,CAAC,CAAC;CAC5D,CAAC;AAEF,MAAM,MAAM,wCAAwC,GAAG;IACrD,IAAI,EAAE,qCAAqC,CAAC;IAC5C,OAAO,EAAE,wBAAwB,CAAC,YAAY,CAAC,CAAC;CACjD,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,qCAAqC,GAC7C,2CAA2C,GAC3C,4CAA4C,GAC5C,4CAA4C,GAC5C,+CAA+C,GAC/C,uDAAuD,GACvD,mDAAmD,GACnD,wCAAwC,CAAC"}
1
+ {"version":3,"file":"AuthenticationController-method-action-types.d.cts","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController-method-action-types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,wBAAwB,EAAE,uCAAmC;AAE3E,MAAM,MAAM,2CAA2C,GAAG;IACxD,IAAI,EAAE,wCAAwC,CAAC;IAC/C,OAAO,EAAE,wBAAwB,CAAC,eAAe,CAAC,CAAC;CACpD,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,mDAAmD,GAAG;IAChE,IAAI,EAAE,gDAAgD,CAAC;IACvD,OAAO,EAAE,wBAAwB,CAAC,uBAAuB,CAAC,CAAC;CAC5D,CAAC;AAEF,MAAM,MAAM,4CAA4C,GAAG;IACzD,IAAI,EAAE,yCAAyC,CAAC;IAChD,OAAO,EAAE,wBAAwB,CAAC,gBAAgB,CAAC,CAAC;CACrD,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,MAAM,4CAA4C,GAAG;IACzD,IAAI,EAAE,yCAAyC,CAAC;IAChD,OAAO,EAAE,wBAAwB,CAAC,gBAAgB,CAAC,CAAC;CACrD,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,+CAA+C,GAAG;IAC5D,IAAI,EAAE,4CAA4C,CAAC;IACnD,OAAO,EAAE,wBAAwB,CAAC,mBAAmB,CAAC,CAAC;CACxD,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,uDAAuD,GAAG;IACpE,IAAI,EAAE,oDAAoD,CAAC;IAC3D,OAAO,EAAE,wBAAwB,CAAC,2BAA2B,CAAC,CAAC;CAChE,CAAC;AAEF,MAAM,MAAM,mDAAmD,GAAG;IAChE,IAAI,EAAE,gDAAgD,CAAC;IACvD,OAAO,EAAE,wBAAwB,CAAC,uBAAuB,CAAC,CAAC;CAC5D,CAAC;AAEF,MAAM,MAAM,wCAAwC,GAAG;IACrD,IAAI,EAAE,qCAAqC,CAAC;IAC5C,OAAO,EAAE,wBAAwB,CAAC,YAAY,CAAC,CAAC;CACjD,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,qCAAqC,GAC7C,2CAA2C,GAC3C,mDAAmD,GACnD,4CAA4C,GAC5C,4CAA4C,GAC5C,+CAA+C,GAC/C,uDAAuD,GACvD,mDAAmD,GACnD,wCAAwC,CAAC"}
package/dist/controllers/authentication/AuthenticationController-method-action-types.d.mts CHANGED
@@ -7,6 +7,15 @@ export type AuthenticationControllerPerformSignInAction = {
7
7
  type: `AuthenticationController:performSignIn`;
8
8
  handler: AuthenticationController['performSignIn'];
9
9
  };
10
+ /**
11
+ * Marks profile pairing as needed. Clients call this when the SRP set
12
+ * changes (e.g. a new keyring was added) so the next auto-sign-in cycle
13
+ * re-runs `performSignIn` and re-pairs.
14
+ */
15
+ export type AuthenticationControllerRequestProfilePairingAction = {
16
+ type: `AuthenticationController:requestProfilePairing`;
17
+ handler: AuthenticationController['requestProfilePairing'];
18
+ };
10
19
  export type AuthenticationControllerPerformSignOutAction = {
11
20
  type: `AuthenticationController:performSignOut`;
12
21
  handler: AuthenticationController['performSignOut'];
@@ -74,5 +83,5 @@ export type AuthenticationControllerIsSignedInAction = {
74
83
  /**
75
84
  * Union of all AuthenticationController action types.
76
85
  */
77
- export type AuthenticationControllerMethodActions = AuthenticationControllerPerformSignInAction | AuthenticationControllerPerformSignOutAction | AuthenticationControllerGetBearerTokenAction | AuthenticationControllerGetSessionProfileAction | AuthenticationControllerRefreshCanonicalProfileIdAction | AuthenticationControllerGetUserProfileLineageAction | AuthenticationControllerIsSignedInAction;
86
+ export type AuthenticationControllerMethodActions = AuthenticationControllerPerformSignInAction | AuthenticationControllerRequestProfilePairingAction | AuthenticationControllerPerformSignOutAction | AuthenticationControllerGetBearerTokenAction | AuthenticationControllerGetSessionProfileAction | AuthenticationControllerRefreshCanonicalProfileIdAction | AuthenticationControllerGetUserProfileLineageAction | AuthenticationControllerIsSignedInAction;
78
87
  //# sourceMappingURL=AuthenticationController-method-action-types.d.mts.map
package/dist/controllers/authentication/AuthenticationController-method-action-types.d.mts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"AuthenticationController-method-action-types.d.mts","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController-method-action-types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,wBAAwB,EAAE,uCAAmC;AAE3E,MAAM,MAAM,2CAA2C,GAAG;IACxD,IAAI,EAAE,wCAAwC,CAAC;IAC/C,OAAO,EAAE,wBAAwB,CAAC,eAAe,CAAC,CAAC;CACpD,CAAC;AAEF,MAAM,MAAM,4CAA4C,GAAG;IACzD,IAAI,EAAE,yCAAyC,CAAC;IAChD,OAAO,EAAE,wBAAwB,CAAC,gBAAgB,CAAC,CAAC;CACrD,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,MAAM,4CAA4C,GAAG;IACzD,IAAI,EAAE,yCAAyC,CAAC;IAChD,OAAO,EAAE,wBAAwB,CAAC,gBAAgB,CAAC,CAAC;CACrD,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,+CAA+C,GAAG;IAC5D,IAAI,EAAE,4CAA4C,CAAC;IACnD,OAAO,EAAE,wBAAwB,CAAC,mBAAmB,CAAC,CAAC;CACxD,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,uDAAuD,GAAG;IACpE,IAAI,EAAE,oDAAoD,CAAC;IAC3D,OAAO,EAAE,wBAAwB,CAAC,2BAA2B,CAAC,CAAC;CAChE,CAAC;AAEF,MAAM,MAAM,mDAAmD,GAAG;IAChE,IAAI,EAAE,gDAAgD,CAAC;IACvD,OAAO,EAAE,wBAAwB,CAAC,uBAAuB,CAAC,CAAC;CAC5D,CAAC;AAEF,MAAM,MAAM,wCAAwC,GAAG;IACrD,IAAI,EAAE,qCAAqC,CAAC;IAC5C,OAAO,EAAE,wBAAwB,CAAC,YAAY,CAAC,CAAC;CACjD,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,qCAAqC,GAC7C,2CAA2C,GAC3C,4CAA4C,GAC5C,4CAA4C,GAC5C,+CAA+C,GAC/C,uDAAuD,GACvD,mDAAmD,GACnD,wCAAwC,CAAC"}
1
+ {"version":3,"file":"AuthenticationController-method-action-types.d.mts","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController-method-action-types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,wBAAwB,EAAE,uCAAmC;AAE3E,MAAM,MAAM,2CAA2C,GAAG;IACxD,IAAI,EAAE,wCAAwC,CAAC;IAC/C,OAAO,EAAE,wBAAwB,CAAC,eAAe,CAAC,CAAC;CACpD,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,mDAAmD,GAAG;IAChE,IAAI,EAAE,gDAAgD,CAAC;IACvD,OAAO,EAAE,wBAAwB,CAAC,uBAAuB,CAAC,CAAC;CAC5D,CAAC;AAEF,MAAM,MAAM,4CAA4C,GAAG;IACzD,IAAI,EAAE,yCAAyC,CAAC;IAChD,OAAO,EAAE,wBAAwB,CAAC,gBAAgB,CAAC,CAAC;CACrD,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,MAAM,4CAA4C,GAAG;IACzD,IAAI,EAAE,yCAAyC,CAAC;IAChD,OAAO,EAAE,wBAAwB,CAAC,gBAAgB,CAAC,CAAC;CACrD,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,+CAA+C,GAAG;IAC5D,IAAI,EAAE,4CAA4C,CAAC;IACnD,OAAO,EAAE,wBAAwB,CAAC,mBAAmB,CAAC,CAAC;CACxD,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,uDAAuD,GAAG;IACpE,IAAI,EAAE,oDAAoD,CAAC;IAC3D,OAAO,EAAE,wBAAwB,CAAC,2BAA2B,CAAC,CAAC;CAChE,CAAC;AAEF,MAAM,MAAM,mDAAmD,GAAG;IAChE,IAAI,EAAE,gDAAgD,CAAC;IACvD,OAAO,EAAE,wBAAwB,CAAC,uBAAuB,CAAC,CAAC;CAC5D,CAAC;AAEF,MAAM,MAAM,wCAAwC,GAAG;IACrD,IAAI,EAAE,qCAAqC,CAAC;IAC5C,OAAO,EAAE,wBAAwB,CAAC,YAAY,CAAC,CAAC;CACjD,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,qCAAqC,GAC7C,2CAA2C,GAC3C,mDAAmD,GACnD,4CAA4C,GAC5C,4CAA4C,GAC5C,+CAA+C,GAC/C,uDAAuD,GACvD,mDAAmD,GACnD,wCAAwC,CAAC"}
package/dist/controllers/authentication/AuthenticationController-method-action-types.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"AuthenticationController-method-action-types.mjs","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController-method-action-types.ts"],"names":[],"mappings":"AAAA;;;GAGG","sourcesContent":["/**\n * This file is auto generated.\n * Do not edit manually.\n */\n\nimport type { AuthenticationController } from './AuthenticationController';\n\nexport type AuthenticationControllerPerformSignInAction = {\n type: `AuthenticationController:performSignIn`;\n handler: AuthenticationController['performSignIn'];\n};\n\nexport type AuthenticationControllerPerformSignOutAction = {\n type: `AuthenticationController:performSignOut`;\n handler: AuthenticationController['performSignOut'];\n};\n\n/**\n * Returns a bearer token for the specified SRP, logging in if needed.\n *\n * When called without `entropySourceId`, returns the primary (first) SRP's\n * access token, which is effectively the canonical\n * profile's token that can be used by alias-aware consumers for cross-SRP\n * operations.\n *\n * @param entropySourceId - The entropy source ID. Omit for the primary SRP.\n * @returns The OIDC access token.\n */\nexport type AuthenticationControllerGetBearerTokenAction = {\n type: `AuthenticationController:getBearerToken`;\n handler: AuthenticationController['getBearerToken'];\n};\n\n/**\n * Returns the cached session profile, logging in if no session exists.\n *\n * The returned `canonicalProfileId` reflects the value from the most recent\n * login or pairing. In the rare event where a canonical changed because of\n * a pairing that happened on another device, the cached value may be stale\n * until the next login. For guaranteed freshness, call\n * `refreshCanonicalProfileId()` before reading `canonicalProfileId`.\n *\n * @param entropySourceId - The entropy source ID used to derive the key,\n * when multiple sources are available (Multi-SRP).\n * @returns profile for the session.\n */\nexport type AuthenticationControllerGetSessionProfileAction = {\n type: `AuthenticationController:getSessionProfile`;\n handler: AuthenticationController['getSessionProfile'];\n};\n\n/**\n * Forces a fresh retrieval of the canonical profile ID from the server\n * and propagates it to all cached SRP sessions.\n *\n * This method invalidates the primary SRP's cached session and forces a\n * re-login. Use it before operations that require a guaranteed-fresh\n * canonical (e.g. storage key derivation for Accounts ADR 0005). For\n * best-effort reads, use\n * `getSessionProfile().canonicalProfileId` instead.\n *\n * Only the primary SRP is re-logged-in regardless of how many SRPs exist —\n * the server returns the current canonical for the entire pairing group\n * from any single SRP login.\n *\n * @returns The refreshed canonical profile ID.\n */\nexport type AuthenticationControllerRefreshCanonicalProfileIdAction = {\n type: `AuthenticationController:refreshCanonicalProfileId`;\n handler: AuthenticationController['refreshCanonicalProfileId'];\n};\n\nexport type AuthenticationControllerGetUserProfileLineageAction = {\n type: `AuthenticationController:getUserProfileLineage`;\n handler: AuthenticationController['getUserProfileLineage'];\n};\n\nexport type AuthenticationControllerIsSignedInAction = {\n type: `AuthenticationController:isSignedIn`;\n handler: AuthenticationController['isSignedIn'];\n};\n\n/**\n * Union of all AuthenticationController action types.\n */\nexport type AuthenticationControllerMethodActions =\n | AuthenticationControllerPerformSignInAction\n | AuthenticationControllerPerformSignOutAction\n | AuthenticationControllerGetBearerTokenAction\n | AuthenticationControllerGetSessionProfileAction\n | AuthenticationControllerRefreshCanonicalProfileIdAction\n | AuthenticationControllerGetUserProfileLineageAction\n | AuthenticationControllerIsSignedInAction;\n"]}
1
+ {"version":3,"file":"AuthenticationController-method-action-types.mjs","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController-method-action-types.ts"],"names":[],"mappings":"AAAA;;;GAGG","sourcesContent":["/**\n * This file is auto generated.\n * Do not edit manually.\n */\n\nimport type { AuthenticationController } from './AuthenticationController';\n\nexport type AuthenticationControllerPerformSignInAction = {\n type: `AuthenticationController:performSignIn`;\n handler: AuthenticationController['performSignIn'];\n};\n\n/**\n * Marks profile pairing as needed. Clients call this when the SRP set\n * changes (e.g. a new keyring was added) so the next auto-sign-in cycle\n * re-runs `performSignIn` and re-pairs.\n */\nexport type AuthenticationControllerRequestProfilePairingAction = {\n type: `AuthenticationController:requestProfilePairing`;\n handler: AuthenticationController['requestProfilePairing'];\n};\n\nexport type AuthenticationControllerPerformSignOutAction = {\n type: `AuthenticationController:performSignOut`;\n handler: AuthenticationController['performSignOut'];\n};\n\n/**\n * Returns a bearer token for the specified SRP, logging in if needed.\n *\n * When called without `entropySourceId`, returns the primary (first) SRP's\n * access token, which is effectively the canonical\n * profile's token that can be used by alias-aware consumers for cross-SRP\n * operations.\n *\n * @param entropySourceId - The entropy source ID. Omit for the primary SRP.\n * @returns The OIDC access token.\n */\nexport type AuthenticationControllerGetBearerTokenAction = {\n type: `AuthenticationController:getBearerToken`;\n handler: AuthenticationController['getBearerToken'];\n};\n\n/**\n * Returns the cached session profile, logging in if no session exists.\n *\n * The returned `canonicalProfileId` reflects the value from the most recent\n * login or pairing. In the rare event where a canonical changed because of\n * a pairing that happened on another device, the cached value may be stale\n * until the next login. For guaranteed freshness, call\n * `refreshCanonicalProfileId()` before reading `canonicalProfileId`.\n *\n * @param entropySourceId - The entropy source ID used to derive the key,\n * when multiple sources are available (Multi-SRP).\n * @returns profile for the session.\n */\nexport type AuthenticationControllerGetSessionProfileAction = {\n type: `AuthenticationController:getSessionProfile`;\n handler: AuthenticationController['getSessionProfile'];\n};\n\n/**\n * Forces a fresh retrieval of the canonical profile ID from the server\n * and propagates it to all cached SRP sessions.\n *\n * This method invalidates the primary SRP's cached session and forces a\n * re-login. Use it before operations that require a guaranteed-fresh\n * canonical (e.g. storage key derivation for Accounts ADR 0005). For\n * best-effort reads, use\n * `getSessionProfile().canonicalProfileId` instead.\n *\n * Only the primary SRP is re-logged-in regardless of how many SRPs exist —\n * the server returns the current canonical for the entire pairing group\n * from any single SRP login.\n *\n * @returns The refreshed canonical profile ID.\n */\nexport type AuthenticationControllerRefreshCanonicalProfileIdAction = {\n type: `AuthenticationController:refreshCanonicalProfileId`;\n handler: AuthenticationController['refreshCanonicalProfileId'];\n};\n\nexport type AuthenticationControllerGetUserProfileLineageAction = {\n type: `AuthenticationController:getUserProfileLineage`;\n handler: AuthenticationController['getUserProfileLineage'];\n};\n\nexport type AuthenticationControllerIsSignedInAction = {\n type: `AuthenticationController:isSignedIn`;\n handler: AuthenticationController['isSignedIn'];\n};\n\n/**\n * Union of all AuthenticationController action types.\n */\nexport type AuthenticationControllerMethodActions =\n | AuthenticationControllerPerformSignInAction\n | AuthenticationControllerRequestProfilePairingAction\n | AuthenticationControllerPerformSignOutAction\n | AuthenticationControllerGetBearerTokenAction\n | AuthenticationControllerGetSessionProfileAction\n | AuthenticationControllerRefreshCanonicalProfileIdAction\n | AuthenticationControllerGetUserProfileLineageAction\n | AuthenticationControllerIsSignedInAction;\n"]}
package/dist/controllers/authentication/AuthenticationController.cjs CHANGED
@@ -10,7 +10,7 @@ var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (
10
10
  if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
11
11
  return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
12
12
  };
13
- var _AuthenticationController_instances, _AuthenticationController_metametrics, _AuthenticationController_auth, _AuthenticationController_config, _AuthenticationController_isUnlocked, _AuthenticationController_cachedPrimaryEntropySourceId, _AuthenticationController_keyringController, _AuthenticationController_getLoginResponseFromState, _AuthenticationController_setLoginResponseToState, _AuthenticationController_assertIsUnlocked, _AuthenticationController_getPrimaryEntropySourceId, _AuthenticationController_performPairing, _AuthenticationController_pairSrpProfiles, _AuthenticationController_propagateCanonical, _AuthenticationController_getCanonicalProfileId, _AuthenticationController_invalidateSrpSession, _AuthenticationController_snapGetPublicKey, _AuthenticationController_snapGetAllPublicKeys, _AuthenticationController__snapSignMessageCache, _AuthenticationController_snapSignMessage;
13
+ var _AuthenticationController_instances, _AuthenticationController_metametrics, _AuthenticationController_auth, _AuthenticationController_config, _AuthenticationController_isUnlocked, _AuthenticationController_cachedPrimaryEntropySourceId, _AuthenticationController_profilePairingRequestEpoch, _AuthenticationController_keyringController, _AuthenticationController_getLoginResponseFromState, _AuthenticationController_setLoginResponseToState, _AuthenticationController_assertIsUnlocked, _AuthenticationController_getPrimaryEntropySourceId, _AuthenticationController_tryClearNeedsProfilePairing, _AuthenticationController_doPair, _AuthenticationController_pairSrpProfiles, _AuthenticationController_propagateCanonical, _AuthenticationController_getCanonicalProfileId, _AuthenticationController_invalidateSrpSession, _AuthenticationController_snapGetPublicKey, _AuthenticationController_snapGetAllPublicKeys, _AuthenticationController__snapSignMessageCache, _AuthenticationController_snapSignMessage;
14
14
  Object.defineProperty(exports, "__esModule", { value: true });
15
15
  exports.AuthenticationController = exports.defaultState = void 0;
16
16
  const base_controller_1 = require("@metamask/base-controller");
@@ -19,6 +19,7 @@ const auth_snap_requests_1 = require("./auth-snap-requests.cjs");
19
19
  const controllerName = 'AuthenticationController';
20
20
  exports.defaultState = {
21
21
  isSignedIn: false,
22
+ needsProfilePairing: true,
22
23
  };
23
24
  const metadata = {
24
25
  isSignedIn: {
@@ -27,6 +28,12 @@ const metadata = {
27
28
  includeInDebugSnapshot: true,
28
29
  usedInUi: true,
29
30
  },
31
+ needsProfilePairing: {
32
+ includeInStateLogs: true,
33
+ persist: true,
34
+ includeInDebugSnapshot: true,
35
+ usedInUi: true,
36
+ },
30
37
  srpSessionData: {
31
38
  // Remove access token from state logs
32
39
  includeInStateLogs: (srpSessionData) => {
@@ -60,6 +67,7 @@ const MESSENGER_EXPOSED_METHODS = [
60
67
  'refreshCanonicalProfileId',
61
68
  'getUserProfileLineage',
62
69
  'isSignedIn',
70
+ 'requestProfilePairing',
63
71
  ];
64
72
  /**
65
73
  * Controller that enables authentication for restricted endpoints.
@@ -81,6 +89,10 @@ class AuthenticationController extends base_controller_1.BaseController {
81
89
  });
82
90
  _AuthenticationController_isUnlocked.set(this, false);
83
91
  _AuthenticationController_cachedPrimaryEntropySourceId.set(this, void 0);
92
+ // Bumped by `requestProfilePairing`. `performSignIn` snapshots this
93
+ // before its first await; if it changes mid-flight we must NOT clear
94
+ // `needsProfilePairing` (the rearm signal wins).
95
+ _AuthenticationController_profilePairingRequestEpoch.set(this, 0);
84
96
  _AuthenticationController_keyringController.set(this, {
85
97
  setupLockedStateSubscriptions: () => {
86
98
  const { isUnlocked } = this.messenger.call('KeyringController:getState');
@@ -122,6 +134,7 @@ class AuthenticationController extends base_controller_1.BaseController {
122
134
  }
123
135
  async performSignIn() {
124
136
  __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_assertIsUnlocked).call(this, 'performSignIn');
137
+ const epochAtStart = __classPrivateFieldGet(this, _AuthenticationController_profilePairingRequestEpoch, "f");
125
138
  const allPublicKeys = await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_snapGetAllPublicKeys).call(this);
126
139
  const accessTokens = [];
127
140
  // We iterate sequentially in order to be sure that the first entry
@@ -130,12 +143,34 @@ class AuthenticationController extends base_controller_1.BaseController {
130
143
  const accessToken = await __classPrivateFieldGet(this, _AuthenticationController_auth, "f").getAccessToken(entropySourceId);
131
144
  accessTokens.push(accessToken);
132
145
  }
133
- // Pair SRP profiles (idempotent no-op if already paired)
134
- if (accessTokens.length >= 2) {
135
- await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_performPairing).call(this, accessTokens);
146
+ if (allPublicKeys.length < 2) {
147
+ // Single-SRP wallet: nothing to pair.
148
+ __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_tryClearNeedsProfilePairing).call(this, epochAtStart);
149
+ }
150
+ else {
151
+ // Pair failures must not break sign-in; the gate stays `true` for retry.
152
+ try {
153
+ await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_doPair).call(this, accessTokens, epochAtStart);
154
+ }
155
+ catch {
156
+ // noop
157
+ }
136
158
  }
137
159
  return accessTokens;
138
160
  }
161
+ /**
162
+ * Marks profile pairing as needed. Clients call this when the SRP set
163
+ * changes (e.g. a new keyring was added) so the next auto-sign-in cycle
164
+ * re-runs `performSignIn` and re-pairs.
165
+ */
166
+ requestProfilePairing() {
167
+ __classPrivateFieldSet(this, _AuthenticationController_profilePairingRequestEpoch, __classPrivateFieldGet(this, _AuthenticationController_profilePairingRequestEpoch, "f") + 1, "f");
168
+ if (!this.state.needsProfilePairing) {
169
+ this.update((state) => {
170
+ state.needsProfilePairing = true;
171
+ });
172
+ }
173
+ }
139
174
  performSignOut() {
140
175
  __classPrivateFieldSet(this, _AuthenticationController_cachedPrimaryEntropySourceId, undefined, "f");
141
176
  this.update((state) => {
@@ -215,7 +250,7 @@ class AuthenticationController extends base_controller_1.BaseController {
215
250
  }
216
251
  }
217
252
  exports.AuthenticationController = AuthenticationController;
218
- _AuthenticationController_metametrics = new WeakMap(), _AuthenticationController_auth = new WeakMap(), _AuthenticationController_config = new WeakMap(), _AuthenticationController_isUnlocked = new WeakMap(), _AuthenticationController_cachedPrimaryEntropySourceId = new WeakMap(), _AuthenticationController_keyringController = new WeakMap(), _AuthenticationController__snapSignMessageCache = new WeakMap(), _AuthenticationController_instances = new WeakSet(), _AuthenticationController_getLoginResponseFromState = async function _AuthenticationController_getLoginResponseFromState(entropySourceId) {
253
+ _AuthenticationController_metametrics = new WeakMap(), _AuthenticationController_auth = new WeakMap(), _AuthenticationController_config = new WeakMap(), _AuthenticationController_isUnlocked = new WeakMap(), _AuthenticationController_cachedPrimaryEntropySourceId = new WeakMap(), _AuthenticationController_profilePairingRequestEpoch = new WeakMap(), _AuthenticationController_keyringController = new WeakMap(), _AuthenticationController__snapSignMessageCache = new WeakMap(), _AuthenticationController_instances = new WeakSet(), _AuthenticationController_getLoginResponseFromState = async function _AuthenticationController_getLoginResponseFromState(entropySourceId) {
219
254
  const resolvedId = entropySourceId ?? (await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getPrimaryEntropySourceId).call(this));
220
255
  if (!this.state.srpSessionData?.[resolvedId]) {
221
256
  return null;
@@ -255,23 +290,43 @@ _AuthenticationController_metametrics = new WeakMap(), _AuthenticationController
255
290
  }
256
291
  __classPrivateFieldSet(this, _AuthenticationController_cachedPrimaryEntropySourceId, primaryId, "f");
257
292
  return __classPrivateFieldGet(this, _AuthenticationController_cachedPrimaryEntropySourceId, "f");
258
- }, _AuthenticationController_performPairing = async function _AuthenticationController_performPairing(accessTokens) {
293
+ }, _AuthenticationController_tryClearNeedsProfilePairing = function _AuthenticationController_tryClearNeedsProfilePairing(epochAtStart) {
294
+ if (__classPrivateFieldGet(this, _AuthenticationController_profilePairingRequestEpoch, "f") !== epochAtStart) {
295
+ return;
296
+ }
297
+ if (this.state.needsProfilePairing) {
298
+ this.update((state) => {
299
+ state.needsProfilePairing = false;
300
+ });
301
+ }
302
+ }, _AuthenticationController_doPair =
303
+ /**
304
+ * Pairs all SRPs via `POST /profile/pair`, propagates the canonical
305
+ * profile ID, clears `needsProfilePairing`, and emits
306
+ * `AuthenticationController:profileSignIn` when the canonical changes or
307
+ * new aliases are returned. Throws on failure.
308
+ *
309
+ * @param accessTokens - Per-SRP access tokens, primary first.
310
+ * @param epochAtStart - Pairing-request epoch captured by the caller.
311
+ * Used to skip the gate clear if `requestProfilePairing` ran while the
312
+ * pair API call was in-flight.
313
+ */
314
+ async function _AuthenticationController_doPair(accessTokens, epochAtStart) {
259
315
  const previousCanonical = await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getCanonicalProfileId).call(this);
260
- try {
261
- const profileAliases = await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_pairSrpProfiles).call(this, accessTokens);
262
- const newCanonical = await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getCanonicalProfileId).call(this);
263
- const profileIdChanged = previousCanonical !== newCanonical;
264
- const shouldEmitProfileSignInEvent = profileIdChanged || profileAliases.length > 0;
265
- if (shouldEmitProfileSignInEvent && newCanonical) {
266
- this.messenger.publish('AuthenticationController:profileSignIn', {
267
- profileId: newCanonical,
268
- profileAliases,
269
- profileIdChanged,
270
- });
271
- }
316
+ const profileAliases = await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_pairSrpProfiles).call(this, accessTokens);
317
+ const newCanonical = await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getCanonicalProfileId).call(this);
318
+ if (!newCanonical) {
319
+ return;
272
320
  }
273
- catch {
274
- // Pairing failure is non-fatal — retry on next performSignIn
321
+ __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_tryClearNeedsProfilePairing).call(this, epochAtStart);
322
+ const profileIdChanged = previousCanonical !== newCanonical;
323
+ const shouldEmitProfileSignInEvent = profileIdChanged || profileAliases.length > 0;
324
+ if (shouldEmitProfileSignInEvent) {
325
+ this.messenger.publish('AuthenticationController:profileSignIn', {
326
+ profileId: newCanonical,
327
+ profileAliases,
328
+ profileIdChanged,
329
+ });
275
330
  }
276
331
  }, _AuthenticationController_pairSrpProfiles = async function _AuthenticationController_pairSrpProfiles(accessTokens) {
277
332
  if (accessTokens.length < 2) {
package/dist/controllers/authentication/AuthenticationController.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"AuthenticationController.cjs","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,+DAA2D;AAsB3D,6CAKmB;AAEnB,iEAI8B;AAG9B,MAAM,cAAc,GAAG,0BAA0B,CAAC;AAOrC,QAAA,YAAY,GAAkC;IACzD,UAAU,EAAE,KAAK;CAClB,CAAC;AACF,MAAM,QAAQ,GAAiD;IAC7D,UAAU,EAAE;QACV,kBAAkB,EAAE,IAAI;QACxB,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,IAAI;QAC5B,QAAQ,EAAE,IAAI;KACf;IACD,cAAc,EAAE;QACd,sCAAsC;QACtC,kBAAkB,EAAE,CAAC,cAAc,EAAE,EAAE;YACrC,4FAA4F;YAC5F,2FAA2F;YAC3F,mEAAmE;YACnE,kEAAkE;YAClE,oDAAoD;YACpD,IAAI,cAAc,KAAK,IAAI,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;gBAC5D,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,MAAM,CAC1C,CAAC,uBAAuB,EAAE,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;gBACxC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,uBAAuB,EAAE,GACxD,KAAK,CAAC,KAAK,CAAC;gBACd,uBAAuB,CAAC,GAAG,CAAC,GAAG;oBAC7B,GAAG,KAAK;oBACR,KAAK,EAAE,uBAAuB;iBAC/B,CAAC;gBACF,OAAO,uBAAuB,CAAC;YACjC,CAAC,EACD,EAAE,CACH,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,KAAK;QAC7B,QAAQ,EAAE,IAAI;KACf;CACF,CAAC;AAMF,MAAM,yBAAyB,GAAG;IAChC,eAAe;IACf,gBAAgB;IAChB,gBAAgB;IAChB,mBAAmB;IACnB,2BAA2B;IAC3B,uBAAuB;IACvB,YAAY;CACJ,CAAC;AA8CX;;;GAGG;AACH,MAAa,wBAAyB,SAAQ,gCAI7C;IA4BC,YAAY,EACV,SAAS,EACT,KAAK,EACL,MAAM,EACN,WAAW,GAUZ;QACC,KAAK,CAAC;YACJ,SAAS;YACT,QAAQ;YACR,IAAI,EAAE,cAAc;YACpB,KAAK,EAAE,EAAE,GAAG,oBAAY,EAAE,GAAG,KAAK,EAAE;SACrC,CAAC,CAAC;;QA/CI,wDAA8B;QAE9B,iDAAoB;QAEpB,2CAA4B;YACnC,GAAG,EAAE,SAAG,CAAC,GAAG;SACb,EAAC;QAEF,+CAAc,KAAK,EAAC;QAEpB,yEAAuC;QAE9B,sDAAqB;YAC5B,6BAA6B,EAAE,GAAG,EAAE;gBAClC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;gBACzE,uBAAA,IAAI,wCAAe,UAAU,MAAA,CAAC;gBAE9B,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,0BAA0B,EAAE,GAAG,EAAE;oBACxD,uBAAA,IAAI,wCAAe,IAAI,MAAA,CAAC;gBAC1B,CAAC,CAAC,CAAC;gBAEH,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,wBAAwB,EAAE,GAAG,EAAE;oBACtD,uBAAA,IAAI,wCAAe,KAAK,MAAA,CAAC;gBAC3B,CAAC,CAAC,CAAC;YACL,CAAC;SACF,EAAC;QAkWF,0DAA+D,EAAE,EAAC;QA1UhE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,uBAAA,IAAI,oCAAW;YACb,GAAG,uBAAA,IAAI,wCAAQ;YACf,GAAG,MAAM;SACV,MAAA,CAAC;QAEF,uBAAA,IAAI,yCAAgB,WAAW,MAAA,CAAC;QAEhC,uBAAA,IAAI,kCAAS,IAAI,mBAAa,CAC5B;YACE,GAAG,EAAE,uBAAA,IAAI,wCAAQ,CAAC,GAAG;YACrB,QAAQ,EAAE,WAAW,CAAC,KAAK;YAC3B,IAAI,EAAE,cAAQ,CAAC,GAAG;SACnB,EACD;YACE,OAAO,EAAE;gBACP,gBAAgB,EAAE,uBAAA,IAAI,gGAA2B,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC5D,gBAAgB,EAAE,uBAAA,IAAI,8FAAyB,CAAC,IAAI,CAAC,IAAI,CAAC;aAC3D;YACD,OAAO,EAAE;gBACP,aAAa,EAAE,uBAAA,IAAI,uFAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAChD,WAAW,EAAE,uBAAA,IAAI,sFAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;aAC9C;YACD,WAAW,EAAE,uBAAA,IAAI,6CAAa;SAC/B,CACF,MAAA,CAAC;QAEF,uBAAA,IAAI,mDAAmB,CAAC,6BAA6B,EAAE,CAAC;QAExD,IAAI,CAAC,SAAS,CAAC,4BAA4B,CACzC,IAAI,EACJ,yBAAyB,CAC1B,CAAC;IACJ,CAAC;IAgEM,KAAK,CAAC,aAAa;QACxB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,eAAe,CAAC,CAAC;QAExC,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,CAAwB,CAAC;QACzD,MAAM,YAAY,GAAa,EAAE,CAAC;QAElC,mEAAmE;QACnE,oCAAoC;QACpC,KAAK,MAAM,CAAC,eAAe,CAAC,IAAI,aAAa,EAAE,CAAC;YAC9C,MAAM,WAAW,GAAG,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;YACrE,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACjC,CAAC;QAED,2DAA2D;QAC3D,IAAI,YAAY,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YAC7B,MAAM,uBAAA,IAAI,qFAAgB,MAApB,IAAI,EAAiB,YAAY,CAAC,CAAC;QAC3C,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAsEM,cAAc;QACnB,uBAAA,IAAI,0DAAiC,SAAS,MAAA,CAAC;QAC/C,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC;YACzB,KAAK,CAAC,cAAc,GAAG,SAAS,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;;OAUG;IACI,KAAK,CAAC,cAAc,CAAC,eAAwB;QAClD,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,gBAAgB,CAAC,CAAC;QACzC,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC;IAED;;;;;;;;;;;;OAYG;IACI,KAAK,CAAC,iBAAiB,CAC5B,eAAwB;QAExB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,mBAAmB,CAAC,CAAC;QAC5C,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACI,KAAK,CAAC,yBAAyB;QACpC,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,2BAA2B,CAAC,CAAC;QAEpD,MAAM,sBAAsB,GAAG,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC;QACvE,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,EAAuB,sBAAsB,CAAC,CAAC;QACnD,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,sBAAsB,CAAC,CAAC;QAExD,MAAM,SAAS,GAAG,MAAM,uBAAA,IAAI,4FAAuB,MAA3B,IAAI,CAAyB,CAAC;QACtD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,oEAAoE,CACrE,CAAC;QACJ,CAAC;QAED,uBAAA,IAAI,yFAAoB,MAAxB,IAAI,EAAqB,SAAS,CAAC,CAAC;QACpC,OAAO,SAAS,CAAC;IACnB,CAAC;IAcM,KAAK,CAAC,qBAAqB,CAChC,eAAwB;QAExB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,uBAAuB,CAAC,CAAC;QAChD,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAAC;IAC5D,CAAC;IAEM,UAAU;QACf,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;IAC/B,CAAC;CAmEF;AA/ZD,4DA+ZC;ggBAnUC,KAAK,8DACH,eAAwB;IAExB,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;IAC/D,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;AAC/C,CAAC,sDAED,KAAK,4DACH,aAA4B,EAC5B,eAAwB;IAExB,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;IAC/D,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6CAAa,CAAC,gBAAgB,EAAE,CAAC;IACjE,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpB,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC;QACxB,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;YAC1B,KAAK,CAAC,cAAc,GAAG,EAAE,CAAC;QAC5B,CAAC;QACD,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG;YACjC,GAAG,aAAa;YAChB,OAAO,EAAE;gBACP,GAAG,aAAa,CAAC,OAAO;gBACxB,aAAa;aACd;SACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,mGAEiB,UAAkB;IAClC,IAAI,CAAC,uBAAA,IAAI,4CAAY,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,GAAG,UAAU,wCAAwC,CAAC,CAAC;IACzE,CAAC;AACH,CAAC,wDAED,KAAK;IACH,IAAI,uBAAA,IAAI,8DAA8B,EAAE,CAAC;QACvC,OAAO,uBAAA,IAAI,8DAA8B,CAAC;IAC5C,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,CAAwB,CAAC;IAEzD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CACb,iEAAiE,CAClE,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACtC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,qEAAqE,CACtE,CAAC;IACJ,CAAC;IAED,uBAAA,IAAI,0DAAiC,SAAS,MAAA,CAAC;IAC/C,OAAO,uBAAA,IAAI,8DAA8B,CAAC;AAC5C,CAAC,6CAuBD,KAAK,mDAAiB,YAAsB;IAC1C,MAAM,iBAAiB,GAAG,MAAM,uBAAA,IAAI,4FAAuB,MAA3B,IAAI,CAAyB,CAAC;IAE9D,IAAI,CAAC;QACH,MAAM,cAAc,GAAG,MAAM,uBAAA,IAAI,sFAAiB,MAArB,IAAI,EAAkB,YAAY,CAAC,CAAC;QAEjE,MAAM,YAAY,GAAG,MAAM,uBAAA,IAAI,4FAAuB,MAA3B,IAAI,CAAyB,CAAC;QACzD,MAAM,gBAAgB,GAAG,iBAAiB,KAAK,YAAY,CAAC;QAC5D,MAAM,4BAA4B,GAChC,gBAAgB,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC;QAEhD,IAAI,4BAA4B,IAAI,YAAY,EAAE,CAAC;YACjD,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,wCAAwC,EAAE;gBAC/D,SAAS,EAAE,YAAY;gBACvB,cAAc;gBACd,gBAAgB;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,6DAA6D;IAC/D,CAAC;AACH,CAAC,8CAED,KAAK,oDAAkB,YAAsB;IAC3C,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,kBAAkB,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,+BAA+B;IAC3E,MAAM,EACJ,cAAc,EACd,OAAO,EAAE,EAAE,kBAAkB,EAAE,GAChC,GAAG,MAAM,uBAAA,IAAI,sCAAM,CAAC,eAAe,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;IACvE,uBAAA,IAAI,yFAAoB,MAAxB,IAAI,EAAqB,kBAAkB,CAAC,CAAC;IAC7C,OAAO,cAAc,CAAC;AACxB,CAAC,uGAEmB,kBAA0B;IAC5C,MAAM,EAAE,cAAc,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;IACtC,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO;IACT,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,IAAI,EAAE,CAAC,EAAE,CAAC;YAC9D,IAAI,KAAK,EAAE,OAAO,EAAE,CAAC;gBACnB,KAAK,CAAC,OAAO,CAAC,kBAAkB,GAAG,kBAAkB,CAAC;YACxD,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACH,KAAK;IACH,MAAM,sBAAsB,GAAG,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC;IACvE,OAAO,CACL,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,sBAAsB,CAAC,EAAE,OAAO;QAC1D,EAAE,kBAAkB,IAAI,IAAI,CAC/B,CAAC;AACJ,CAAC,2GAoFqB,eAAuB;IAC3C,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpB,MAAM,KAAK,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC,eAAe,CAAC,CAAC;QACtD,IAAI,KAAK,EAAE,OAAO,EAAE,CAAC;YACnB,iEAAiE;YACjE,2EAA2E;YAC3E,wEAAwE;YACxE,KAAK,CAAC,OAAO,CAAC,kBAAkB,GAAG,EAAE,CAAC;QACxC,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAeD;;;;;;GAMG;AACH,KAAK,qDAAmB,eAAwB;IAC9C,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,mBAAmB,CAAC,CAAC;IAE5C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,IAAA,+CAA0B,EAAC,eAAe,CAAC,CAC5C,CAAW,CAAC;IAEb,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,KAAK;IACH,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,uBAAuB,CAAC,CAAC;IAEhD,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,IAAA,mDAA8B,GAAE,CACjC,CAAuB,CAAC;IAEzB,OAAO,MAAM,CAAC;AAChB,CAAC;AAID;;;;;;;GAOG;AACH,KAAK,oDACH,OAAe,EACf,eAAwB;IAExB,IAAA,qCAA+B,EAAC,OAAO,CAAC,CAAC;IAEzC,IAAI,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,OAAO,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IAED,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,kBAAkB,CAAC,CAAC;IAE3C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,IAAA,iDAA4B,EAAC,OAAO,EAAE,eAAe,CAAC,CACvD,CAAW,CAAC;IAEb,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC;IAE9C,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["import { BaseController } from '@metamask/base-controller';\nimport type {\n ControllerGetStateAction,\n ControllerStateChangeEvent,\n StateMetadata,\n} from '@metamask/base-controller';\nimport type {\n KeyringControllerGetStateAction,\n KeyringControllerLockEvent,\n KeyringControllerUnlockEvent,\n} from '@metamask/keyring-controller';\nimport type { Messenger } from '@metamask/messenger';\nimport type { SnapControllerHandleRequestAction } from '@metamask/snaps-controllers';\nimport type { Json } from '@metamask/utils';\n\nimport type {\n LoginResponse,\n ProfileAlias,\n SRPInterface,\n UserProfile,\n UserProfileLineage,\n} from '../../sdk';\nimport {\n assertMessageStartsWithMetamask,\n AuthType,\n Env,\n JwtBearerAuth,\n} from '../../sdk';\nimport type { MetaMetricsAuth } from '../../shared/types/services';\nimport {\n createSnapPublicKeyRequest,\n createSnapAllPublicKeysRequest,\n createSnapSignMessageRequest,\n} from './auth-snap-requests';\nimport { AuthenticationControllerMethodActions } from './AuthenticationController-method-action-types';\n\nconst controllerName = 'AuthenticationController';\n\n// State\nexport type AuthenticationControllerState = {\n isSignedIn: boolean;\n srpSessionData?: Record<string, LoginResponse>;\n};\nexport const defaultState: AuthenticationControllerState = {\n isSignedIn: false,\n};\nconst metadata: StateMetadata<AuthenticationControllerState> = {\n isSignedIn: {\n includeInStateLogs: true,\n persist: true,\n includeInDebugSnapshot: true,\n usedInUi: true,\n },\n srpSessionData: {\n // Remove access token from state logs\n includeInStateLogs: (srpSessionData) => {\n // Unreachable branch, included just to fix a type error for the case where this property is\n // unset. The type gets collapsed to include `| undefined` even though `undefined` is never\n // set here, because we don't yet use `exactOptionalPropertyTypes`.\n // TODO: Remove branch after enabling `exactOptionalPropertyTypes`\n // ref: https://github.com/MetaMask/core/issues/6565\n if (srpSessionData === null || srpSessionData === undefined) {\n return null;\n }\n return Object.entries(srpSessionData).reduce<Record<string, Json>>(\n (sanitizedSrpSessionData, [key, value]) => {\n const { accessToken: _unused, ...tokenWithoutAccessToken } =\n value.token;\n sanitizedSrpSessionData[key] = {\n ...value,\n token: tokenWithoutAccessToken,\n };\n return sanitizedSrpSessionData;\n },\n {},\n );\n },\n persist: true,\n includeInDebugSnapshot: false,\n usedInUi: true,\n },\n};\n\ntype ControllerConfig = {\n env: Env;\n};\n\nconst MESSENGER_EXPOSED_METHODS = [\n 'performSignIn',\n 'performSignOut',\n 'getBearerToken',\n 'getSessionProfile',\n 'refreshCanonicalProfileId',\n 'getUserProfileLineage',\n 'isSignedIn',\n] as const;\n\nexport type Actions =\n | AuthenticationControllerGetStateAction\n | AuthenticationControllerMethodActions;\n\nexport type AuthenticationControllerGetStateAction = ControllerGetStateAction<\n typeof controllerName,\n AuthenticationControllerState\n>;\n\nexport type AuthenticationControllerStateChangeEvent =\n ControllerStateChangeEvent<\n typeof controllerName,\n AuthenticationControllerState\n >;\n\nexport type ProfileSignInInfo = {\n profileId: string;\n profileAliases: ProfileAlias[];\n profileIdChanged: boolean;\n};\n\nexport type AuthenticationControllerProfileSignInEvent = {\n type: `${typeof controllerName}:profileSignIn`;\n payload: [ProfileSignInInfo];\n};\n\nexport type Events =\n | AuthenticationControllerStateChangeEvent\n | AuthenticationControllerProfileSignInEvent;\n\n// Allowed Actions\ntype AllowedActions =\n | KeyringControllerGetStateAction\n | SnapControllerHandleRequestAction;\n\ntype AllowedEvents = KeyringControllerLockEvent | KeyringControllerUnlockEvent;\n\n// Messenger\nexport type AuthenticationControllerMessenger = Messenger<\n typeof controllerName,\n Actions | AllowedActions,\n Events | AllowedEvents\n>;\n\n/**\n * Controller that enables authentication for restricted endpoints.\n * Used for Backup & Sync, Notifications, and other services.\n */\nexport class AuthenticationController extends BaseController<\n typeof controllerName,\n AuthenticationControllerState,\n AuthenticationControllerMessenger\n> {\n readonly #metametrics: MetaMetricsAuth;\n\n readonly #auth: SRPInterface;\n\n readonly #config: ControllerConfig = {\n env: Env.PRD,\n };\n\n #isUnlocked = false;\n\n #cachedPrimaryEntropySourceId?: string;\n\n readonly #keyringController = {\n setupLockedStateSubscriptions: () => {\n const { isUnlocked } = this.messenger.call('KeyringController:getState');\n this.#isUnlocked = isUnlocked;\n\n this.messenger.subscribe('KeyringController:unlock', () => {\n this.#isUnlocked = true;\n });\n\n this.messenger.subscribe('KeyringController:lock', () => {\n this.#isUnlocked = false;\n });\n },\n };\n\n constructor({\n messenger,\n state,\n config,\n metametrics,\n }: {\n messenger: AuthenticationControllerMessenger;\n state?: AuthenticationControllerState;\n config?: Partial<ControllerConfig>;\n /**\n * Not using the Messaging System as we\n * do not want to tie this strictly to extension\n */\n metametrics: MetaMetricsAuth;\n }) {\n super({\n messenger,\n metadata,\n name: controllerName,\n state: { ...defaultState, ...state },\n });\n\n if (!metametrics) {\n throw new Error('`metametrics` field is required');\n }\n\n this.#config = {\n ...this.#config,\n ...config,\n };\n\n this.#metametrics = metametrics;\n\n this.#auth = new JwtBearerAuth(\n {\n env: this.#config.env,\n platform: metametrics.agent,\n type: AuthType.SRP,\n },\n {\n storage: {\n getLoginResponse: this.#getLoginResponseFromState.bind(this),\n setLoginResponse: this.#setLoginResponseToState.bind(this),\n },\n signing: {\n getIdentifier: this.#snapGetPublicKey.bind(this),\n signMessage: this.#snapSignMessage.bind(this),\n },\n metametrics: this.#metametrics,\n },\n );\n\n this.#keyringController.setupLockedStateSubscriptions();\n\n this.messenger.registerMethodActionHandlers(\n this,\n MESSENGER_EXPOSED_METHODS,\n );\n }\n\n async #getLoginResponseFromState(\n entropySourceId?: string,\n ): Promise<LoginResponse | null> {\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n if (!this.state.srpSessionData?.[resolvedId]) {\n return null;\n }\n return this.state.srpSessionData[resolvedId];\n }\n\n async #setLoginResponseToState(\n loginResponse: LoginResponse,\n entropySourceId?: string,\n ) {\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n const metaMetricsId = await this.#metametrics.getMetaMetricsId();\n this.update((state) => {\n state.isSignedIn = true;\n if (!state.srpSessionData) {\n state.srpSessionData = {};\n }\n state.srpSessionData[resolvedId] = {\n ...loginResponse,\n profile: {\n ...loginResponse.profile,\n metaMetricsId,\n },\n };\n });\n }\n\n #assertIsUnlocked(methodName: string): void {\n if (!this.#isUnlocked) {\n throw new Error(`${methodName} - unable to proceed, wallet is locked`);\n }\n }\n\n async #getPrimaryEntropySourceId(): Promise<string> {\n if (this.#cachedPrimaryEntropySourceId) {\n return this.#cachedPrimaryEntropySourceId;\n }\n const allPublicKeys = await this.#snapGetAllPublicKeys();\n\n if (allPublicKeys.length === 0) {\n throw new Error(\n '#getPrimaryEntropySourceId - No entropy sources found from snap',\n );\n }\n\n const primaryId = allPublicKeys[0][0];\n if (!primaryId) {\n throw new Error(\n '#getPrimaryEntropySourceId - Primary entropy source ID is undefined',\n );\n }\n\n this.#cachedPrimaryEntropySourceId = primaryId;\n return this.#cachedPrimaryEntropySourceId;\n }\n\n public async performSignIn(): Promise<string[]> {\n this.#assertIsUnlocked('performSignIn');\n\n const allPublicKeys = await this.#snapGetAllPublicKeys();\n const accessTokens: string[] = [];\n\n // We iterate sequentially in order to be sure that the first entry\n // is the primary SRP LoginResponse.\n for (const [entropySourceId] of allPublicKeys) {\n const accessToken = await this.#auth.getAccessToken(entropySourceId);\n accessTokens.push(accessToken);\n }\n\n // Pair SRP profiles (idempotent — no-op if already paired)\n if (accessTokens.length >= 2) {\n await this.#performPairing(accessTokens);\n }\n\n return accessTokens;\n }\n\n async #performPairing(accessTokens: string[]): Promise<void> {\n const previousCanonical = await this.#getCanonicalProfileId();\n\n try {\n const profileAliases = await this.#pairSrpProfiles(accessTokens);\n\n const newCanonical = await this.#getCanonicalProfileId();\n const profileIdChanged = previousCanonical !== newCanonical;\n const shouldEmitProfileSignInEvent =\n profileIdChanged || profileAliases.length > 0;\n\n if (shouldEmitProfileSignInEvent && newCanonical) {\n this.messenger.publish('AuthenticationController:profileSignIn', {\n profileId: newCanonical,\n profileAliases,\n profileIdChanged,\n });\n }\n } catch {\n // Pairing failure is non-fatal — retry on next performSignIn\n }\n }\n\n async #pairSrpProfiles(accessTokens: string[]): Promise<ProfileAlias[]> {\n if (accessTokens.length < 2) {\n return [];\n }\n const primaryAccessToken = accessTokens[0]; // Associated with primary SRP.\n const {\n profileAliases,\n profile: { canonicalProfileId },\n } = await this.#auth.pairSrpProfiles(accessTokens, primaryAccessToken);\n this.#propagateCanonical(canonicalProfileId);\n return profileAliases;\n }\n\n #propagateCanonical(canonicalProfileId: string): void {\n const { srpSessionData } = this.state;\n if (!srpSessionData) {\n return;\n }\n\n this.update((state) => {\n for (const entry of Object.values(state.srpSessionData ?? {})) {\n if (entry?.profile) {\n entry.profile.canonicalProfileId = canonicalProfileId;\n }\n }\n });\n }\n\n /**\n * Returns the canonical profile id from the primary SRP's cached session.\n * Returns `null` when no session exists yet for the primary SRP.\n *\n * Always reads from the primary SRP because the canonical is shared across\n * all paired SRPs after `#propagateCanonical`.\n *\n * @returns The canonical profile id, or `null` if unavailable.\n */\n async #getCanonicalProfileId(): Promise<string | null> {\n const primaryEntropySourceId = await this.#getPrimaryEntropySourceId();\n return (\n this.state.srpSessionData?.[primaryEntropySourceId]?.profile\n ?.canonicalProfileId ?? null\n );\n }\n\n public performSignOut(): void {\n this.#cachedPrimaryEntropySourceId = undefined;\n this.update((state) => {\n state.isSignedIn = false;\n state.srpSessionData = undefined;\n });\n }\n\n /**\n * Returns a bearer token for the specified SRP, logging in if needed.\n *\n * When called without `entropySourceId`, returns the primary (first) SRP's\n * access token, which is effectively the canonical\n * profile's token that can be used by alias-aware consumers for cross-SRP\n * operations.\n *\n * @param entropySourceId - The entropy source ID. Omit for the primary SRP.\n * @returns The OIDC access token.\n */\n public async getBearerToken(entropySourceId?: string): Promise<string> {\n this.#assertIsUnlocked('getBearerToken');\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n return await this.#auth.getAccessToken(resolvedId);\n }\n\n /**\n * Returns the cached session profile, logging in if no session exists.\n *\n * The returned `canonicalProfileId` reflects the value from the most recent\n * login or pairing. In the rare event where a canonical changed because of\n * a pairing that happened on another device, the cached value may be stale\n * until the next login. For guaranteed freshness, call\n * `refreshCanonicalProfileId()` before reading `canonicalProfileId`.\n *\n * @param entropySourceId - The entropy source ID used to derive the key,\n * when multiple sources are available (Multi-SRP).\n * @returns profile for the session.\n */\n public async getSessionProfile(\n entropySourceId?: string,\n ): Promise<UserProfile> {\n this.#assertIsUnlocked('getSessionProfile');\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n return await this.#auth.getUserProfile(resolvedId);\n }\n\n /**\n * Forces a fresh retrieval of the canonical profile ID from the server\n * and propagates it to all cached SRP sessions.\n *\n * This method invalidates the primary SRP's cached session and forces a\n * re-login. Use it before operations that require a guaranteed-fresh\n * canonical (e.g. storage key derivation for Accounts ADR 0005). For\n * best-effort reads, use\n * `getSessionProfile().canonicalProfileId` instead.\n *\n * Only the primary SRP is re-logged-in regardless of how many SRPs exist —\n * the server returns the current canonical for the entire pairing group\n * from any single SRP login.\n *\n * @returns The refreshed canonical profile ID.\n */\n public async refreshCanonicalProfileId(): Promise<string> {\n this.#assertIsUnlocked('refreshCanonicalProfileId');\n\n const primaryEntropySourceId = await this.#getPrimaryEntropySourceId();\n this.#invalidateSrpSession(primaryEntropySourceId);\n await this.#auth.getAccessToken(primaryEntropySourceId);\n\n const canonical = await this.#getCanonicalProfileId();\n if (!canonical) {\n throw new Error(\n 'refreshCanonicalProfileId - Unable to resolve canonical profile ID',\n );\n }\n\n this.#propagateCanonical(canonical);\n return canonical;\n }\n\n #invalidateSrpSession(entropySourceId: string): void {\n this.update((state) => {\n const entry = state.srpSessionData?.[entropySourceId];\n if (entry?.profile) {\n // Setting canonicalProfileId to '' forces a re-fetch on the next\n // #getAuthSession call. The falsy check (!auth.profile.canonicalProfileId)\n // treats '' the same as undefined/null — all signal an invalid session.\n entry.profile.canonicalProfileId = '';\n }\n });\n }\n\n public async getUserProfileLineage(\n entropySourceId?: string,\n ): Promise<UserProfileLineage> {\n this.#assertIsUnlocked('getUserProfileLineage');\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n return await this.#auth.getUserProfileLineage(resolvedId);\n }\n\n public isSignedIn(): boolean {\n return this.state.isSignedIn;\n }\n\n /**\n * Returns the auth snap public key.\n *\n * @param entropySourceId - The entropy source ID used to derive the key,\n * when multiple sources are available (Multi-SRP).\n * @returns The snap public key.\n */\n async #snapGetPublicKey(entropySourceId?: string): Promise<string> {\n this.#assertIsUnlocked('#snapGetPublicKey');\n\n const result = (await this.messenger.call(\n 'SnapController:handleRequest',\n createSnapPublicKeyRequest(entropySourceId),\n )) as string;\n\n return result;\n }\n\n /**\n * Returns a mapping of entropy source IDs to auth snap public keys.\n *\n * @returns A mapping of entropy source IDs to public keys.\n */\n async #snapGetAllPublicKeys(): Promise<[string, string][]> {\n this.#assertIsUnlocked('#snapGetAllPublicKeys');\n\n const result = (await this.messenger.call(\n 'SnapController:handleRequest',\n createSnapAllPublicKeysRequest(),\n )) as [string, string][];\n\n return result;\n }\n\n #_snapSignMessageCache: Record<`metamask:${string}`, string> = {};\n\n /**\n * Signs a specific message using an underlying auth snap.\n *\n * @param message - A specific tagged message to sign.\n * @param entropySourceId - The entropy source ID used to derive the key,\n * when multiple sources are available (Multi-SRP).\n * @returns A Signature created by the snap.\n */\n async #snapSignMessage(\n message: string,\n entropySourceId?: string,\n ): Promise<string> {\n assertMessageStartsWithMetamask(message);\n\n if (this.#_snapSignMessageCache[message]) {\n return this.#_snapSignMessageCache[message];\n }\n\n this.#assertIsUnlocked('#snapSignMessage');\n\n const result = (await this.messenger.call(\n 'SnapController:handleRequest',\n createSnapSignMessageRequest(message, entropySourceId),\n )) as string;\n\n this.#_snapSignMessageCache[message] = result;\n\n return result;\n }\n}\n"]}
1
+ {"version":3,"file":"AuthenticationController.cjs","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,+DAA2D;AAsB3D,6CAKmB;AAEnB,iEAI8B;AAG9B,MAAM,cAAc,GAAG,0BAA0B,CAAC;AAmBrC,QAAA,YAAY,GAAkC;IACzD,UAAU,EAAE,KAAK;IACjB,mBAAmB,EAAE,IAAI;CAC1B,CAAC;AACF,MAAM,QAAQ,GAAiD;IAC7D,UAAU,EAAE;QACV,kBAAkB,EAAE,IAAI;QACxB,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,IAAI;QAC5B,QAAQ,EAAE,IAAI;KACf;IACD,mBAAmB,EAAE;QACnB,kBAAkB,EAAE,IAAI;QACxB,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,IAAI;QAC5B,QAAQ,EAAE,IAAI;KACf;IACD,cAAc,EAAE;QACd,sCAAsC;QACtC,kBAAkB,EAAE,CAAC,cAAc,EAAE,EAAE;YACrC,4FAA4F;YAC5F,2FAA2F;YAC3F,mEAAmE;YACnE,kEAAkE;YAClE,oDAAoD;YACpD,IAAI,cAAc,KAAK,IAAI,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;gBAC5D,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,MAAM,CAC1C,CAAC,uBAAuB,EAAE,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;gBACxC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,uBAAuB,EAAE,GACxD,KAAK,CAAC,KAAK,CAAC;gBACd,uBAAuB,CAAC,GAAG,CAAC,GAAG;oBAC7B,GAAG,KAAK;oBACR,KAAK,EAAE,uBAAuB;iBAC/B,CAAC;gBACF,OAAO,uBAAuB,CAAC;YACjC,CAAC,EACD,EAAE,CACH,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,KAAK;QAC7B,QAAQ,EAAE,IAAI;KACf;CACF,CAAC;AAMF,MAAM,yBAAyB,GAAG;IAChC,eAAe;IACf,gBAAgB;IAChB,gBAAgB;IAChB,mBAAmB;IACnB,2BAA2B;IAC3B,uBAAuB;IACvB,YAAY;IACZ,uBAAuB;CACf,CAAC;AA8CX;;;GAGG;AACH,MAAa,wBAAyB,SAAQ,gCAI7C;IAiCC,YAAY,EACV,SAAS,EACT,KAAK,EACL,MAAM,EACN,WAAW,GAUZ;QACC,KAAK,CAAC;YACJ,SAAS;YACT,QAAQ;YACR,IAAI,EAAE,cAAc;YACpB,KAAK,EAAE,EAAE,GAAG,oBAAY,EAAE,GAAG,KAAK,EAAE;SACrC,CAAC,CAAC;;QApDI,wDAA8B;QAE9B,iDAAoB;QAEpB,2CAA4B;YACnC,GAAG,EAAE,SAAG,CAAC,GAAG;SACb,EAAC;QAEF,+CAAc,KAAK,EAAC;QAEpB,yEAAuC;QAEvC,oEAAoE;QACpE,qEAAqE;QACrE,iDAAiD;QACjD,+DAA8B,CAAC,EAAC;QAEvB,sDAAqB;YAC5B,6BAA6B,EAAE,GAAG,EAAE;gBAClC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;gBACzE,uBAAA,IAAI,wCAAe,UAAU,MAAA,CAAC;gBAE9B,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,0BAA0B,EAAE,GAAG,EAAE;oBACxD,uBAAA,IAAI,wCAAe,IAAI,MAAA,CAAC;gBAC1B,CAAC,CAAC,CAAC;gBAEH,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,wBAAwB,EAAE,GAAG,EAAE;oBACtD,uBAAA,IAAI,wCAAe,KAAK,MAAA,CAAC;gBAC3B,CAAC,CAAC,CAAC;YACL,CAAC;SACF,EAAC;QAuZF,0DAA+D,EAAE,EAAC;QA/XhE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,uBAAA,IAAI,oCAAW;YACb,GAAG,uBAAA,IAAI,wCAAQ;YACf,GAAG,MAAM;SACV,MAAA,CAAC;QAEF,uBAAA,IAAI,yCAAgB,WAAW,MAAA,CAAC;QAEhC,uBAAA,IAAI,kCAAS,IAAI,mBAAa,CAC5B;YACE,GAAG,EAAE,uBAAA,IAAI,wCAAQ,CAAC,GAAG;YACrB,QAAQ,EAAE,WAAW,CAAC,KAAK;YAC3B,IAAI,EAAE,cAAQ,CAAC,GAAG;SACnB,EACD;YACE,OAAO,EAAE;gBACP,gBAAgB,EAAE,uBAAA,IAAI,gGAA2B,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC5D,gBAAgB,EAAE,uBAAA,IAAI,8FAAyB,CAAC,IAAI,CAAC,IAAI,CAAC;aAC3D;YACD,OAAO,EAAE;gBACP,aAAa,EAAE,uBAAA,IAAI,uFAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAChD,WAAW,EAAE,uBAAA,IAAI,sFAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;aAC9C;YACD,WAAW,EAAE,uBAAA,IAAI,6CAAa;SAC/B,CACF,MAAA,CAAC;QAEF,uBAAA,IAAI,mDAAmB,CAAC,6BAA6B,EAAE,CAAC;QAExD,IAAI,CAAC,SAAS,CAAC,4BAA4B,CACzC,IAAI,EACJ,yBAAyB,CAC1B,CAAC;IACJ,CAAC;IAgEM,KAAK,CAAC,aAAa;QACxB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,eAAe,CAAC,CAAC;QAExC,MAAM,YAAY,GAAG,uBAAA,IAAI,4DAA4B,CAAC;QACtD,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,CAAwB,CAAC;QACzD,MAAM,YAAY,GAAa,EAAE,CAAC;QAElC,mEAAmE;QACnE,oCAAoC;QACpC,KAAK,MAAM,CAAC,eAAe,CAAC,IAAI,aAAa,EAAE,CAAC;YAC9C,MAAM,WAAW,GAAG,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;YACrE,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACjC,CAAC;QAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,sCAAsC;YACtC,uBAAA,IAAI,kGAA6B,MAAjC,IAAI,EAA8B,YAAY,CAAC,CAAC;QAClD,CAAC;aAAM,CAAC;YACN,yEAAyE;YACzE,IAAI,CAAC;gBACH,MAAM,uBAAA,IAAI,6EAAQ,MAAZ,IAAI,EAAS,YAAY,EAAE,YAAY,CAAC,CAAC;YACjD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;YACT,CAAC;QACH,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAED;;;;OAIG;IACI,qBAAqB;QAC1B,6KAAoC,CAAC,MAAA,CAAC;QACtC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,mBAAmB,EAAE,CAAC;YACpC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;gBACpB,KAAK,CAAC,mBAAmB,GAAG,IAAI,CAAC;YACnC,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAqGM,cAAc;QACnB,uBAAA,IAAI,0DAAiC,SAAS,MAAA,CAAC;QAC/C,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC;YACzB,KAAK,CAAC,cAAc,GAAG,SAAS,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;;OAUG;IACI,KAAK,CAAC,cAAc,CAAC,eAAwB;QAClD,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,gBAAgB,CAAC,CAAC;QACzC,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC;IAED;;;;;;;;;;;;OAYG;IACI,KAAK,CAAC,iBAAiB,CAC5B,eAAwB;QAExB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,mBAAmB,CAAC,CAAC;QAC5C,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACI,KAAK,CAAC,yBAAyB;QACpC,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,2BAA2B,CAAC,CAAC;QAEpD,MAAM,sBAAsB,GAAG,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC;QACvE,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,EAAuB,sBAAsB,CAAC,CAAC;QACnD,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,sBAAsB,CAAC,CAAC;QAExD,MAAM,SAAS,GAAG,MAAM,uBAAA,IAAI,4FAAuB,MAA3B,IAAI,CAAyB,CAAC;QACtD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,oEAAoE,CACrE,CAAC;QACJ,CAAC;QAED,uBAAA,IAAI,yFAAoB,MAAxB,IAAI,EAAqB,SAAS,CAAC,CAAC;QACpC,OAAO,SAAS,CAAC;IACnB,CAAC;IAcM,KAAK,CAAC,qBAAqB,CAChC,eAAwB;QAExB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,uBAAuB,CAAC,CAAC;QAChD,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAAC;IAC5D,CAAC;IAEM,UAAU;QACf,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;IAC/B,CAAC;CAmEF;AAzdD,4DAydC;skBAxXC,KAAK,8DACH,eAAwB;IAExB,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;IAC/D,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;AAC/C,CAAC,sDAED,KAAK,4DACH,aAA4B,EAC5B,eAAwB;IAExB,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;IAC/D,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6CAAa,CAAC,gBAAgB,EAAE,CAAC;IACjE,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpB,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC;QACxB,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;YAC1B,KAAK,CAAC,cAAc,GAAG,EAAE,CAAC;QAC5B,CAAC;QACD,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG;YACjC,GAAG,aAAa;YAChB,OAAO,EAAE;gBACP,GAAG,aAAa,CAAC,OAAO;gBACxB,aAAa;aACd;SACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,mGAEiB,UAAkB;IAClC,IAAI,CAAC,uBAAA,IAAI,4CAAY,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,GAAG,UAAU,wCAAwC,CAAC,CAAC;IACzE,CAAC;AACH,CAAC,wDAED,KAAK;IACH,IAAI,uBAAA,IAAI,8DAA8B,EAAE,CAAC;QACvC,OAAO,uBAAA,IAAI,8DAA8B,CAAC;IAC5C,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,CAAwB,CAAC;IAEzD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CACb,iEAAiE,CAClE,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACtC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,qEAAqE,CACtE,CAAC;IACJ,CAAC;IAED,uBAAA,IAAI,0DAAiC,SAAS,MAAA,CAAC;IAC/C,OAAO,uBAAA,IAAI,8DAA8B,CAAC;AAC5C,CAAC,yHAoD4B,YAAoB;IAC/C,IAAI,uBAAA,IAAI,4DAA4B,KAAK,YAAY,EAAE,CAAC;QACtD,OAAO;IACT,CAAC;IACD,IAAI,IAAI,CAAC,KAAK,CAAC,mBAAmB,EAAE,CAAC;QACnC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,KAAK,CAAC,mBAAmB,GAAG,KAAK,CAAC;QACpC,CAAC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,KAAK,2CAAS,YAAsB,EAAE,YAAoB;IACxD,MAAM,iBAAiB,GAAG,MAAM,uBAAA,IAAI,4FAAuB,MAA3B,IAAI,CAAyB,CAAC;IAE9D,MAAM,cAAc,GAAG,MAAM,uBAAA,IAAI,sFAAiB,MAArB,IAAI,EAAkB,YAAY,CAAC,CAAC;IACjE,MAAM,YAAY,GAAG,MAAM,uBAAA,IAAI,4FAAuB,MAA3B,IAAI,CAAyB,CAAC;IAEzD,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO;IACT,CAAC;IAED,uBAAA,IAAI,kGAA6B,MAAjC,IAAI,EAA8B,YAAY,CAAC,CAAC;IAEhD,MAAM,gBAAgB,GAAG,iBAAiB,KAAK,YAAY,CAAC;IAC5D,MAAM,4BAA4B,GAChC,gBAAgB,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC;IAEhD,IAAI,4BAA4B,EAAE,CAAC;QACjC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,wCAAwC,EAAE;YAC/D,SAAS,EAAE,YAAY;YACvB,cAAc;YACd,gBAAgB;SACjB,CAAC,CAAC;IACL,CAAC;AACH,CAAC,8CAED,KAAK,oDAAkB,YAAsB;IAC3C,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,kBAAkB,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,+BAA+B;IAC3E,MAAM,EACJ,cAAc,EACd,OAAO,EAAE,EAAE,kBAAkB,EAAE,GAChC,GAAG,MAAM,uBAAA,IAAI,sCAAM,CAAC,eAAe,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;IACvE,uBAAA,IAAI,yFAAoB,MAAxB,IAAI,EAAqB,kBAAkB,CAAC,CAAC;IAC7C,OAAO,cAAc,CAAC;AACxB,CAAC,uGAEmB,kBAA0B;IAC5C,MAAM,EAAE,cAAc,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;IACtC,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO;IACT,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,IAAI,EAAE,CAAC,EAAE,CAAC;YAC9D,IAAI,KAAK,EAAE,OAAO,EAAE,CAAC;gBACnB,KAAK,CAAC,OAAO,CAAC,kBAAkB,GAAG,kBAAkB,CAAC;YACxD,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACH,KAAK;IACH,MAAM,sBAAsB,GAAG,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC;IACvE,OAAO,CACL,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,sBAAsB,CAAC,EAAE,OAAO;QAC1D,EAAE,kBAAkB,IAAI,IAAI,CAC/B,CAAC;AACJ,CAAC,2GAoFqB,eAAuB;IAC3C,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpB,MAAM,KAAK,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC,eAAe,CAAC,CAAC;QACtD,IAAI,KAAK,EAAE,OAAO,EAAE,CAAC;YACnB,iEAAiE;YACjE,2EAA2E;YAC3E,wEAAwE;YACxE,KAAK,CAAC,OAAO,CAAC,kBAAkB,GAAG,EAAE,CAAC;QACxC,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAeD;;;;;;GAMG;AACH,KAAK,qDAAmB,eAAwB;IAC9C,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,mBAAmB,CAAC,CAAC;IAE5C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,IAAA,+CAA0B,EAAC,eAAe,CAAC,CAC5C,CAAW,CAAC;IAEb,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,KAAK;IACH,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,uBAAuB,CAAC,CAAC;IAEhD,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,IAAA,mDAA8B,GAAE,CACjC,CAAuB,CAAC;IAEzB,OAAO,MAAM,CAAC;AAChB,CAAC;AAID;;;;;;;GAOG;AACH,KAAK,oDACH,OAAe,EACf,eAAwB;IAExB,IAAA,qCAA+B,EAAC,OAAO,CAAC,CAAC;IAEzC,IAAI,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,OAAO,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IAED,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,kBAAkB,CAAC,CAAC;IAE3C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,IAAA,iDAA4B,EAAC,OAAO,EAAE,eAAe,CAAC,CACvD,CAAW,CAAC;IAEb,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC;IAE9C,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["import { BaseController } from '@metamask/base-controller';\nimport type {\n ControllerGetStateAction,\n ControllerStateChangeEvent,\n StateMetadata,\n} from '@metamask/base-controller';\nimport type {\n KeyringControllerGetStateAction,\n KeyringControllerLockEvent,\n KeyringControllerUnlockEvent,\n} from '@metamask/keyring-controller';\nimport type { Messenger } from '@metamask/messenger';\nimport type { SnapControllerHandleRequestAction } from '@metamask/snaps-controllers';\nimport type { Json } from '@metamask/utils';\n\nimport type {\n LoginResponse,\n ProfileAlias,\n SRPInterface,\n UserProfile,\n UserProfileLineage,\n} from '../../sdk';\nimport {\n assertMessageStartsWithMetamask,\n AuthType,\n Env,\n JwtBearerAuth,\n} from '../../sdk';\nimport type { MetaMetricsAuth } from '../../shared/types/services';\nimport {\n createSnapPublicKeyRequest,\n createSnapAllPublicKeysRequest,\n createSnapSignMessageRequest,\n} from './auth-snap-requests';\nimport { AuthenticationControllerMethodActions } from './AuthenticationController-method-action-types';\n\nconst controllerName = 'AuthenticationController';\n\n// State\nexport type AuthenticationControllerState = {\n isSignedIn: boolean;\n srpSessionData?: Record<string, LoginResponse>;\n /**\n * Client gate for profile pairing. Defaults to `true` (fresh install /\n * upgrade), set to `false` after a successful `performSignIn` pair, set\n * back to `true` via `requestProfilePairing()` when the SRP set changes,\n * and left `true` on pair failure so the next state shift retries.\n *\n * Optional in the type so partial-state selectors stay assignable to\n * `AuthenticationControllerState`. The controller seeds it via\n * `defaultState` at construction; consumers should read `undefined` as\n * `true` to mirror that runtime default.\n */\n needsProfilePairing?: boolean;\n};\nexport const defaultState: AuthenticationControllerState = {\n isSignedIn: false,\n needsProfilePairing: true,\n};\nconst metadata: StateMetadata<AuthenticationControllerState> = {\n isSignedIn: {\n includeInStateLogs: true,\n persist: true,\n includeInDebugSnapshot: true,\n usedInUi: true,\n },\n needsProfilePairing: {\n includeInStateLogs: true,\n persist: true,\n includeInDebugSnapshot: true,\n usedInUi: true,\n },\n srpSessionData: {\n // Remove access token from state logs\n includeInStateLogs: (srpSessionData) => {\n // Unreachable branch, included just to fix a type error for the case where this property is\n // unset. The type gets collapsed to include `| undefined` even though `undefined` is never\n // set here, because we don't yet use `exactOptionalPropertyTypes`.\n // TODO: Remove branch after enabling `exactOptionalPropertyTypes`\n // ref: https://github.com/MetaMask/core/issues/6565\n if (srpSessionData === null || srpSessionData === undefined) {\n return null;\n }\n return Object.entries(srpSessionData).reduce<Record<string, Json>>(\n (sanitizedSrpSessionData, [key, value]) => {\n const { accessToken: _unused, ...tokenWithoutAccessToken } =\n value.token;\n sanitizedSrpSessionData[key] = {\n ...value,\n token: tokenWithoutAccessToken,\n };\n return sanitizedSrpSessionData;\n },\n {},\n );\n },\n persist: true,\n includeInDebugSnapshot: false,\n usedInUi: true,\n },\n};\n\ntype ControllerConfig = {\n env: Env;\n};\n\nconst MESSENGER_EXPOSED_METHODS = [\n 'performSignIn',\n 'performSignOut',\n 'getBearerToken',\n 'getSessionProfile',\n 'refreshCanonicalProfileId',\n 'getUserProfileLineage',\n 'isSignedIn',\n 'requestProfilePairing',\n] as const;\n\nexport type Actions =\n | AuthenticationControllerGetStateAction\n | AuthenticationControllerMethodActions;\n\nexport type AuthenticationControllerGetStateAction = ControllerGetStateAction<\n typeof controllerName,\n AuthenticationControllerState\n>;\n\nexport type AuthenticationControllerStateChangeEvent =\n ControllerStateChangeEvent<\n typeof controllerName,\n AuthenticationControllerState\n >;\n\nexport type ProfileSignInInfo = {\n profileId: string;\n profileAliases: ProfileAlias[];\n profileIdChanged: boolean;\n};\n\nexport type AuthenticationControllerProfileSignInEvent = {\n type: `${typeof controllerName}:profileSignIn`;\n payload: [ProfileSignInInfo];\n};\n\nexport type Events =\n | AuthenticationControllerStateChangeEvent\n | AuthenticationControllerProfileSignInEvent;\n\n// Allowed Actions\ntype AllowedActions =\n | KeyringControllerGetStateAction\n | SnapControllerHandleRequestAction;\n\ntype AllowedEvents = KeyringControllerLockEvent | KeyringControllerUnlockEvent;\n\n// Messenger\nexport type AuthenticationControllerMessenger = Messenger<\n typeof controllerName,\n Actions | AllowedActions,\n Events | AllowedEvents\n>;\n\n/**\n * Controller that enables authentication for restricted endpoints.\n * Used for Backup & Sync, Notifications, and other services.\n */\nexport class AuthenticationController extends BaseController<\n typeof controllerName,\n AuthenticationControllerState,\n AuthenticationControllerMessenger\n> {\n readonly #metametrics: MetaMetricsAuth;\n\n readonly #auth: SRPInterface;\n\n readonly #config: ControllerConfig = {\n env: Env.PRD,\n };\n\n #isUnlocked = false;\n\n #cachedPrimaryEntropySourceId?: string;\n\n // Bumped by `requestProfilePairing`. `performSignIn` snapshots this\n // before its first await; if it changes mid-flight we must NOT clear\n // `needsProfilePairing` (the rearm signal wins).\n #profilePairingRequestEpoch = 0;\n\n readonly #keyringController = {\n setupLockedStateSubscriptions: () => {\n const { isUnlocked } = this.messenger.call('KeyringController:getState');\n this.#isUnlocked = isUnlocked;\n\n this.messenger.subscribe('KeyringController:unlock', () => {\n this.#isUnlocked = true;\n });\n\n this.messenger.subscribe('KeyringController:lock', () => {\n this.#isUnlocked = false;\n });\n },\n };\n\n constructor({\n messenger,\n state,\n config,\n metametrics,\n }: {\n messenger: AuthenticationControllerMessenger;\n state?: AuthenticationControllerState;\n config?: Partial<ControllerConfig>;\n /**\n * Not using the Messaging System as we\n * do not want to tie this strictly to extension\n */\n metametrics: MetaMetricsAuth;\n }) {\n super({\n messenger,\n metadata,\n name: controllerName,\n state: { ...defaultState, ...state },\n });\n\n if (!metametrics) {\n throw new Error('`metametrics` field is required');\n }\n\n this.#config = {\n ...this.#config,\n ...config,\n };\n\n this.#metametrics = metametrics;\n\n this.#auth = new JwtBearerAuth(\n {\n env: this.#config.env,\n platform: metametrics.agent,\n type: AuthType.SRP,\n },\n {\n storage: {\n getLoginResponse: this.#getLoginResponseFromState.bind(this),\n setLoginResponse: this.#setLoginResponseToState.bind(this),\n },\n signing: {\n getIdentifier: this.#snapGetPublicKey.bind(this),\n signMessage: this.#snapSignMessage.bind(this),\n },\n metametrics: this.#metametrics,\n },\n );\n\n this.#keyringController.setupLockedStateSubscriptions();\n\n this.messenger.registerMethodActionHandlers(\n this,\n MESSENGER_EXPOSED_METHODS,\n );\n }\n\n async #getLoginResponseFromState(\n entropySourceId?: string,\n ): Promise<LoginResponse | null> {\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n if (!this.state.srpSessionData?.[resolvedId]) {\n return null;\n }\n return this.state.srpSessionData[resolvedId];\n }\n\n async #setLoginResponseToState(\n loginResponse: LoginResponse,\n entropySourceId?: string,\n ) {\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n const metaMetricsId = await this.#metametrics.getMetaMetricsId();\n this.update((state) => {\n state.isSignedIn = true;\n if (!state.srpSessionData) {\n state.srpSessionData = {};\n }\n state.srpSessionData[resolvedId] = {\n ...loginResponse,\n profile: {\n ...loginResponse.profile,\n metaMetricsId,\n },\n };\n });\n }\n\n #assertIsUnlocked(methodName: string): void {\n if (!this.#isUnlocked) {\n throw new Error(`${methodName} - unable to proceed, wallet is locked`);\n }\n }\n\n async #getPrimaryEntropySourceId(): Promise<string> {\n if (this.#cachedPrimaryEntropySourceId) {\n return this.#cachedPrimaryEntropySourceId;\n }\n const allPublicKeys = await this.#snapGetAllPublicKeys();\n\n if (allPublicKeys.length === 0) {\n throw new Error(\n '#getPrimaryEntropySourceId - No entropy sources found from snap',\n );\n }\n\n const primaryId = allPublicKeys[0][0];\n if (!primaryId) {\n throw new Error(\n '#getPrimaryEntropySourceId - Primary entropy source ID is undefined',\n );\n }\n\n this.#cachedPrimaryEntropySourceId = primaryId;\n return this.#cachedPrimaryEntropySourceId;\n }\n\n public async performSignIn(): Promise<string[]> {\n this.#assertIsUnlocked('performSignIn');\n\n const epochAtStart = this.#profilePairingRequestEpoch;\n const allPublicKeys = await this.#snapGetAllPublicKeys();\n const accessTokens: string[] = [];\n\n // We iterate sequentially in order to be sure that the first entry\n // is the primary SRP LoginResponse.\n for (const [entropySourceId] of allPublicKeys) {\n const accessToken = await this.#auth.getAccessToken(entropySourceId);\n accessTokens.push(accessToken);\n }\n\n if (allPublicKeys.length < 2) {\n // Single-SRP wallet: nothing to pair.\n this.#tryClearNeedsProfilePairing(epochAtStart);\n } else {\n // Pair failures must not break sign-in; the gate stays `true` for retry.\n try {\n await this.#doPair(accessTokens, epochAtStart);\n } catch {\n // noop\n }\n }\n\n return accessTokens;\n }\n\n /**\n * Marks profile pairing as needed. Clients call this when the SRP set\n * changes (e.g. a new keyring was added) so the next auto-sign-in cycle\n * re-runs `performSignIn` and re-pairs.\n */\n public requestProfilePairing(): void {\n this.#profilePairingRequestEpoch += 1;\n if (!this.state.needsProfilePairing) {\n this.update((state) => {\n state.needsProfilePairing = true;\n });\n }\n }\n\n /**\n * Clears `needsProfilePairing` only if no `requestProfilePairing` call\n * landed since `epochAtStart` was captured. Prevents `performSignIn`\n * from silently overwriting a concurrent rearm.\n *\n * @param epochAtStart - Epoch value captured at the start of `performSignIn`.\n */\n #tryClearNeedsProfilePairing(epochAtStart: number): void {\n if (this.#profilePairingRequestEpoch !== epochAtStart) {\n return;\n }\n if (this.state.needsProfilePairing) {\n this.update((state) => {\n state.needsProfilePairing = false;\n });\n }\n }\n\n /**\n * Pairs all SRPs via `POST /profile/pair`, propagates the canonical\n * profile ID, clears `needsProfilePairing`, and emits\n * `AuthenticationController:profileSignIn` when the canonical changes or\n * new aliases are returned. Throws on failure.\n *\n * @param accessTokens - Per-SRP access tokens, primary first.\n * @param epochAtStart - Pairing-request epoch captured by the caller.\n * Used to skip the gate clear if `requestProfilePairing` ran while the\n * pair API call was in-flight.\n */\n async #doPair(accessTokens: string[], epochAtStart: number): Promise<void> {\n const previousCanonical = await this.#getCanonicalProfileId();\n\n const profileAliases = await this.#pairSrpProfiles(accessTokens);\n const newCanonical = await this.#getCanonicalProfileId();\n\n if (!newCanonical) {\n return;\n }\n\n this.#tryClearNeedsProfilePairing(epochAtStart);\n\n const profileIdChanged = previousCanonical !== newCanonical;\n const shouldEmitProfileSignInEvent =\n profileIdChanged || profileAliases.length > 0;\n\n if (shouldEmitProfileSignInEvent) {\n this.messenger.publish('AuthenticationController:profileSignIn', {\n profileId: newCanonical,\n profileAliases,\n profileIdChanged,\n });\n }\n }\n\n async #pairSrpProfiles(accessTokens: string[]): Promise<ProfileAlias[]> {\n if (accessTokens.length < 2) {\n return [];\n }\n const primaryAccessToken = accessTokens[0]; // Associated with primary SRP.\n const {\n profileAliases,\n profile: { canonicalProfileId },\n } = await this.#auth.pairSrpProfiles(accessTokens, primaryAccessToken);\n this.#propagateCanonical(canonicalProfileId);\n return profileAliases;\n }\n\n #propagateCanonical(canonicalProfileId: string): void {\n const { srpSessionData } = this.state;\n if (!srpSessionData) {\n return;\n }\n\n this.update((state) => {\n for (const entry of Object.values(state.srpSessionData ?? {})) {\n if (entry?.profile) {\n entry.profile.canonicalProfileId = canonicalProfileId;\n }\n }\n });\n }\n\n /**\n * Returns the canonical profile id from the primary SRP's cached session.\n * Returns `null` when no session exists yet for the primary SRP.\n *\n * Always reads from the primary SRP because the canonical is shared across\n * all paired SRPs after `#propagateCanonical`.\n *\n * @returns The canonical profile id, or `null` if unavailable.\n */\n async #getCanonicalProfileId(): Promise<string | null> {\n const primaryEntropySourceId = await this.#getPrimaryEntropySourceId();\n return (\n this.state.srpSessionData?.[primaryEntropySourceId]?.profile\n ?.canonicalProfileId ?? null\n );\n }\n\n public performSignOut(): void {\n this.#cachedPrimaryEntropySourceId = undefined;\n this.update((state) => {\n state.isSignedIn = false;\n state.srpSessionData = undefined;\n });\n }\n\n /**\n * Returns a bearer token for the specified SRP, logging in if needed.\n *\n * When called without `entropySourceId`, returns the primary (first) SRP's\n * access token, which is effectively the canonical\n * profile's token that can be used by alias-aware consumers for cross-SRP\n * operations.\n *\n * @param entropySourceId - The entropy source ID. Omit for the primary SRP.\n * @returns The OIDC access token.\n */\n public async getBearerToken(entropySourceId?: string): Promise<string> {\n this.#assertIsUnlocked('getBearerToken');\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n return await this.#auth.getAccessToken(resolvedId);\n }\n\n /**\n * Returns the cached session profile, logging in if no session exists.\n *\n * The returned `canonicalProfileId` reflects the value from the most recent\n * login or pairing. In the rare event where a canonical changed because of\n * a pairing that happened on another device, the cached value may be stale\n * until the next login. For guaranteed freshness, call\n * `refreshCanonicalProfileId()` before reading `canonicalProfileId`.\n *\n * @param entropySourceId - The entropy source ID used to derive the key,\n * when multiple sources are available (Multi-SRP).\n * @returns profile for the session.\n */\n public async getSessionProfile(\n entropySourceId?: string,\n ): Promise<UserProfile> {\n this.#assertIsUnlocked('getSessionProfile');\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n return await this.#auth.getUserProfile(resolvedId);\n }\n\n /**\n * Forces a fresh retrieval of the canonical profile ID from the server\n * and propagates it to all cached SRP sessions.\n *\n * This method invalidates the primary SRP's cached session and forces a\n * re-login. Use it before operations that require a guaranteed-fresh\n * canonical (e.g. storage key derivation for Accounts ADR 0005). For\n * best-effort reads, use\n * `getSessionProfile().canonicalProfileId` instead.\n *\n * Only the primary SRP is re-logged-in regardless of how many SRPs exist —\n * the server returns the current canonical for the entire pairing group\n * from any single SRP login.\n *\n * @returns The refreshed canonical profile ID.\n */\n public async refreshCanonicalProfileId(): Promise<string> {\n this.#assertIsUnlocked('refreshCanonicalProfileId');\n\n const primaryEntropySourceId = await this.#getPrimaryEntropySourceId();\n this.#invalidateSrpSession(primaryEntropySourceId);\n await this.#auth.getAccessToken(primaryEntropySourceId);\n\n const canonical = await this.#getCanonicalProfileId();\n if (!canonical) {\n throw new Error(\n 'refreshCanonicalProfileId - Unable to resolve canonical profile ID',\n );\n }\n\n this.#propagateCanonical(canonical);\n return canonical;\n }\n\n #invalidateSrpSession(entropySourceId: string): void {\n this.update((state) => {\n const entry = state.srpSessionData?.[entropySourceId];\n if (entry?.profile) {\n // Setting canonicalProfileId to '' forces a re-fetch on the next\n // #getAuthSession call. The falsy check (!auth.profile.canonicalProfileId)\n // treats '' the same as undefined/null — all signal an invalid session.\n entry.profile.canonicalProfileId = '';\n }\n });\n }\n\n public async getUserProfileLineage(\n entropySourceId?: string,\n ): Promise<UserProfileLineage> {\n this.#assertIsUnlocked('getUserProfileLineage');\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n return await this.#auth.getUserProfileLineage(resolvedId);\n }\n\n public isSignedIn(): boolean {\n return this.state.isSignedIn;\n }\n\n /**\n * Returns the auth snap public key.\n *\n * @param entropySourceId - The entropy source ID used to derive the key,\n * when multiple sources are available (Multi-SRP).\n * @returns The snap public key.\n */\n async #snapGetPublicKey(entropySourceId?: string): Promise<string> {\n this.#assertIsUnlocked('#snapGetPublicKey');\n\n const result = (await this.messenger.call(\n 'SnapController:handleRequest',\n createSnapPublicKeyRequest(entropySourceId),\n )) as string;\n\n return result;\n }\n\n /**\n * Returns a mapping of entropy source IDs to auth snap public keys.\n *\n * @returns A mapping of entropy source IDs to public keys.\n */\n async #snapGetAllPublicKeys(): Promise<[string, string][]> {\n this.#assertIsUnlocked('#snapGetAllPublicKeys');\n\n const result = (await this.messenger.call(\n 'SnapController:handleRequest',\n createSnapAllPublicKeysRequest(),\n )) as [string, string][];\n\n return result;\n }\n\n #_snapSignMessageCache: Record<`metamask:${string}`, string> = {};\n\n /**\n * Signs a specific message using an underlying auth snap.\n *\n * @param message - A specific tagged message to sign.\n * @param entropySourceId - The entropy source ID used to derive the key,\n * when multiple sources are available (Multi-SRP).\n * @returns A Signature created by the snap.\n */\n async #snapSignMessage(\n message: string,\n entropySourceId?: string,\n ): Promise<string> {\n assertMessageStartsWithMetamask(message);\n\n if (this.#_snapSignMessageCache[message]) {\n return this.#_snapSignMessageCache[message];\n }\n\n this.#assertIsUnlocked('#snapSignMessage');\n\n const result = (await this.messenger.call(\n 'SnapController:handleRequest',\n createSnapSignMessageRequest(message, entropySourceId),\n )) as string;\n\n this.#_snapSignMessageCache[message] = result;\n\n return result;\n }\n}\n"]}
package/dist/controllers/authentication/AuthenticationController.d.cts CHANGED
@@ -11,6 +11,18 @@ declare const controllerName = "AuthenticationController";
11
11
  export type AuthenticationControllerState = {
12
12
  isSignedIn: boolean;
13
13
  srpSessionData?: Record<string, LoginResponse>;
14
+ /**
15
+ * Client gate for profile pairing. Defaults to `true` (fresh install /
16
+ * upgrade), set to `false` after a successful `performSignIn` pair, set
17
+ * back to `true` via `requestProfilePairing()` when the SRP set changes,
18
+ * and left `true` on pair failure so the next state shift retries.
19
+ *
20
+ * Optional in the type so partial-state selectors stay assignable to
21
+ * `AuthenticationControllerState`. The controller seeds it via
22
+ * `defaultState` at construction; consumers should read `undefined` as
23
+ * `true` to mirror that runtime default.
24
+ */
25
+ needsProfilePairing?: boolean;
14
26
  };
15
27
  export declare const defaultState: AuthenticationControllerState;
16
28
  type ControllerConfig = {
@@ -49,6 +61,12 @@ export declare class AuthenticationController extends BaseController<typeof cont
49
61
  metametrics: MetaMetricsAuth;
50
62
  });
51
63
  performSignIn(): Promise<string[]>;
64
+ /**
65
+ * Marks profile pairing as needed. Clients call this when the SRP set
66
+ * changes (e.g. a new keyring was added) so the next auto-sign-in cycle
67
+ * re-runs `performSignIn` and re-pairs.
68
+ */
69
+ requestProfilePairing(): void;
52
70
  performSignOut(): void;
53
71
  /**
54
72
  * Returns a bearer token for the specified SRP, logging in if needed.
package/dist/controllers/authentication/AuthenticationController.d.cts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"AuthenticationController.d.cts","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAC3D,OAAO,KAAK,EACV,wBAAwB,EACxB,0BAA0B,EAE3B,kCAAkC;AACnC,OAAO,KAAK,EACV,+BAA+B,EAC/B,0BAA0B,EAC1B,4BAA4B,EAC7B,qCAAqC;AACtC,OAAO,KAAK,EAAE,SAAS,EAAE,4BAA4B;AACrD,OAAO,KAAK,EAAE,iCAAiC,EAAE,oCAAoC;AAGrF,OAAO,KAAK,EACV,aAAa,EACb,YAAY,EAEZ,WAAW,EACX,kBAAkB,EACnB,4BAAkB;AACnB,OAAO,EAGL,GAAG,EAEJ,4BAAkB;AACnB,OAAO,KAAK,EAAE,eAAe,EAAE,wCAAoC;AAMnE,OAAO,EAAE,qCAAqC,EAAE,2DAAuD;AAEvG,QAAA,MAAM,cAAc,6BAA6B,CAAC;AAGlD,MAAM,MAAM,6BAA6B,GAAG;IAC1C,UAAU,EAAE,OAAO,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;CAChD,CAAC;AACF,eAAO,MAAM,YAAY,EAAE,6BAE1B,CAAC;AAsCF,KAAK,gBAAgB,GAAG;IACtB,GAAG,EAAE,GAAG,CAAC;CACV,CAAC;AAYF,MAAM,MAAM,OAAO,GACf,sCAAsC,GACtC,qCAAqC,CAAC;AAE1C,MAAM,MAAM,sCAAsC,GAAG,wBAAwB,CAC3E,OAAO,cAAc,EACrB,6BAA6B,CAC9B,CAAC;AAEF,MAAM,MAAM,wCAAwC,GAClD,0BAA0B,CACxB,OAAO,cAAc,EACrB,6BAA6B,CAC9B,CAAC;AAEJ,MAAM,MAAM,iBAAiB,GAAG;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,YAAY,EAAE,CAAC;IAC/B,gBAAgB,EAAE,OAAO,CAAC;CAC3B,CAAC;AAEF,MAAM,MAAM,0CAA0C,GAAG;IACvD,IAAI,EAAE,GAAG,OAAO,cAAc,gBAAgB,CAAC;IAC/C,OAAO,EAAE,CAAC,iBAAiB,CAAC,CAAC;CAC9B,CAAC;AAEF,MAAM,MAAM,MAAM,GACd,wCAAwC,GACxC,0CAA0C,CAAC;AAG/C,KAAK,cAAc,GACf,+BAA+B,GAC/B,iCAAiC,CAAC;AAEtC,KAAK,aAAa,GAAG,0BAA0B,GAAG,4BAA4B,CAAC;AAG/E,MAAM,MAAM,iCAAiC,GAAG,SAAS,CACvD,OAAO,cAAc,EACrB,OAAO,GAAG,cAAc,EACxB,MAAM,GAAG,aAAa,CACvB,CAAC;AAEF;;;GAGG;AACH,qBAAa,wBAAyB,SAAQ,cAAc,CAC1D,OAAO,cAAc,EACrB,6BAA6B,EAC7B,iCAAiC,CAClC;;gBA4Ba,EACV,SAAS,EACT,KAAK,EACL,MAAM,EACN,WAAW,GACZ,EAAE;QACD,SAAS,EAAE,iCAAiC,CAAC;QAC7C,KAAK,CAAC,EAAE,6BAA6B,CAAC;QACtC,MAAM,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACnC;;;WAGG;QACH,WAAW,EAAE,eAAe,CAAC;KAC9B;IA4GY,aAAa,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAyFxC,cAAc,IAAI,IAAI;IAQ7B;;;;;;;;;;OAUG;IACU,cAAc,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOtE;;;;;;;;;;;;OAYG;IACU,iBAAiB,CAC5B,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,WAAW,CAAC;IAOvB;;;;;;;;;;;;;;;OAeG;IACU,yBAAyB,IAAI,OAAO,CAAC,MAAM,CAAC;IA8B5C,qBAAqB,CAChC,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,kBAAkB,CAAC;IAOvB,UAAU,IAAI,OAAO;CAqE7B"}
1
+ {"version":3,"file":"AuthenticationController.d.cts","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAC3D,OAAO,KAAK,EACV,wBAAwB,EACxB,0BAA0B,EAE3B,kCAAkC;AACnC,OAAO,KAAK,EACV,+BAA+B,EAC/B,0BAA0B,EAC1B,4BAA4B,EAC7B,qCAAqC;AACtC,OAAO,KAAK,EAAE,SAAS,EAAE,4BAA4B;AACrD,OAAO,KAAK,EAAE,iCAAiC,EAAE,oCAAoC;AAGrF,OAAO,KAAK,EACV,aAAa,EACb,YAAY,EAEZ,WAAW,EACX,kBAAkB,EACnB,4BAAkB;AACnB,OAAO,EAGL,GAAG,EAEJ,4BAAkB;AACnB,OAAO,KAAK,EAAE,eAAe,EAAE,wCAAoC;AAMnE,OAAO,EAAE,qCAAqC,EAAE,2DAAuD;AAEvG,QAAA,MAAM,cAAc,6BAA6B,CAAC;AAGlD,MAAM,MAAM,6BAA6B,GAAG;IAC1C,UAAU,EAAE,OAAO,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IAC/C;;;;;;;;;;OAUG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC;CAC/B,CAAC;AACF,eAAO,MAAM,YAAY,EAAE,6BAG1B,CAAC;AA4CF,KAAK,gBAAgB,GAAG;IACtB,GAAG,EAAE,GAAG,CAAC;CACV,CAAC;AAaF,MAAM,MAAM,OAAO,GACf,sCAAsC,GACtC,qCAAqC,CAAC;AAE1C,MAAM,MAAM,sCAAsC,GAAG,wBAAwB,CAC3E,OAAO,cAAc,EACrB,6BAA6B,CAC9B,CAAC;AAEF,MAAM,MAAM,wCAAwC,GAClD,0BAA0B,CACxB,OAAO,cAAc,EACrB,6BAA6B,CAC9B,CAAC;AAEJ,MAAM,MAAM,iBAAiB,GAAG;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,YAAY,EAAE,CAAC;IAC/B,gBAAgB,EAAE,OAAO,CAAC;CAC3B,CAAC;AAEF,MAAM,MAAM,0CAA0C,GAAG;IACvD,IAAI,EAAE,GAAG,OAAO,cAAc,gBAAgB,CAAC;IAC/C,OAAO,EAAE,CAAC,iBAAiB,CAAC,CAAC;CAC9B,CAAC;AAEF,MAAM,MAAM,MAAM,GACd,wCAAwC,GACxC,0CAA0C,CAAC;AAG/C,KAAK,cAAc,GACf,+BAA+B,GAC/B,iCAAiC,CAAC;AAEtC,KAAK,aAAa,GAAG,0BAA0B,GAAG,4BAA4B,CAAC;AAG/E,MAAM,MAAM,iCAAiC,GAAG,SAAS,CACvD,OAAO,cAAc,EACrB,OAAO,GAAG,cAAc,EACxB,MAAM,GAAG,aAAa,CACvB,CAAC;AAEF;;;GAGG;AACH,qBAAa,wBAAyB,SAAQ,cAAc,CAC1D,OAAO,cAAc,EACrB,6BAA6B,EAC7B,iCAAiC,CAClC;;gBAiCa,EACV,SAAS,EACT,KAAK,EACL,MAAM,EACN,WAAW,GACZ,EAAE;QACD,SAAS,EAAE,iCAAiC,CAAC;QAC7C,KAAK,CAAC,EAAE,6BAA6B,CAAC;QACtC,MAAM,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACnC;;;WAGG;QACH,WAAW,EAAE,eAAe,CAAC;KAC9B;IA4GY,aAAa,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IA6B/C;;;;OAIG;IACI,qBAAqB,IAAI,IAAI;IA4G7B,cAAc,IAAI,IAAI;IAQ7B;;;;;;;;;;OAUG;IACU,cAAc,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOtE;;;;;;;;;;;;OAYG;IACU,iBAAiB,CAC5B,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,WAAW,CAAC;IAOvB;;;;;;;;;;;;;;;OAeG;IACU,yBAAyB,IAAI,OAAO,CAAC,MAAM,CAAC;IA8B5C,qBAAqB,CAChC,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,kBAAkB,CAAC;IAOvB,UAAU,IAAI,OAAO;CAqE7B"}
package/dist/controllers/authentication/AuthenticationController.d.mts CHANGED
@@ -11,6 +11,18 @@ declare const controllerName = "AuthenticationController";
11
11
  export type AuthenticationControllerState = {
12
12
  isSignedIn: boolean;
13
13
  srpSessionData?: Record<string, LoginResponse>;
14
+ /**
15
+ * Client gate for profile pairing. Defaults to `true` (fresh install /
16
+ * upgrade), set to `false` after a successful `performSignIn` pair, set
17
+ * back to `true` via `requestProfilePairing()` when the SRP set changes,
18
+ * and left `true` on pair failure so the next state shift retries.
19
+ *
20
+ * Optional in the type so partial-state selectors stay assignable to
21
+ * `AuthenticationControllerState`. The controller seeds it via
22
+ * `defaultState` at construction; consumers should read `undefined` as
23
+ * `true` to mirror that runtime default.
24
+ */
25
+ needsProfilePairing?: boolean;
14
26
  };
15
27
  export declare const defaultState: AuthenticationControllerState;
16
28
  type ControllerConfig = {
@@ -49,6 +61,12 @@ export declare class AuthenticationController extends BaseController<typeof cont
49
61
  metametrics: MetaMetricsAuth;
50
62
  });
51
63
  performSignIn(): Promise<string[]>;
64
+ /**
65
+ * Marks profile pairing as needed. Clients call this when the SRP set
66
+ * changes (e.g. a new keyring was added) so the next auto-sign-in cycle
67
+ * re-runs `performSignIn` and re-pairs.
68
+ */
69
+ requestProfilePairing(): void;
52
70
  performSignOut(): void;
53
71
  /**
54
72
  * Returns a bearer token for the specified SRP, logging in if needed.
package/dist/controllers/authentication/AuthenticationController.d.mts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"AuthenticationController.d.mts","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAC3D,OAAO,KAAK,EACV,wBAAwB,EACxB,0BAA0B,EAE3B,kCAAkC;AACnC,OAAO,KAAK,EACV,+BAA+B,EAC/B,0BAA0B,EAC1B,4BAA4B,EAC7B,qCAAqC;AACtC,OAAO,KAAK,EAAE,SAAS,EAAE,4BAA4B;AACrD,OAAO,KAAK,EAAE,iCAAiC,EAAE,oCAAoC;AAGrF,OAAO,KAAK,EACV,aAAa,EACb,YAAY,EAEZ,WAAW,EACX,kBAAkB,EACnB,4BAAkB;AACnB,OAAO,EAGL,GAAG,EAEJ,4BAAkB;AACnB,OAAO,KAAK,EAAE,eAAe,EAAE,wCAAoC;AAMnE,OAAO,EAAE,qCAAqC,EAAE,2DAAuD;AAEvG,QAAA,MAAM,cAAc,6BAA6B,CAAC;AAGlD,MAAM,MAAM,6BAA6B,GAAG;IAC1C,UAAU,EAAE,OAAO,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;CAChD,CAAC;AACF,eAAO,MAAM,YAAY,EAAE,6BAE1B,CAAC;AAsCF,KAAK,gBAAgB,GAAG;IACtB,GAAG,EAAE,GAAG,CAAC;CACV,CAAC;AAYF,MAAM,MAAM,OAAO,GACf,sCAAsC,GACtC,qCAAqC,CAAC;AAE1C,MAAM,MAAM,sCAAsC,GAAG,wBAAwB,CAC3E,OAAO,cAAc,EACrB,6BAA6B,CAC9B,CAAC;AAEF,MAAM,MAAM,wCAAwC,GAClD,0BAA0B,CACxB,OAAO,cAAc,EACrB,6BAA6B,CAC9B,CAAC;AAEJ,MAAM,MAAM,iBAAiB,GAAG;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,YAAY,EAAE,CAAC;IAC/B,gBAAgB,EAAE,OAAO,CAAC;CAC3B,CAAC;AAEF,MAAM,MAAM,0CAA0C,GAAG;IACvD,IAAI,EAAE,GAAG,OAAO,cAAc,gBAAgB,CAAC;IAC/C,OAAO,EAAE,CAAC,iBAAiB,CAAC,CAAC;CAC9B,CAAC;AAEF,MAAM,MAAM,MAAM,GACd,wCAAwC,GACxC,0CAA0C,CAAC;AAG/C,KAAK,cAAc,GACf,+BAA+B,GAC/B,iCAAiC,CAAC;AAEtC,KAAK,aAAa,GAAG,0BAA0B,GAAG,4BAA4B,CAAC;AAG/E,MAAM,MAAM,iCAAiC,GAAG,SAAS,CACvD,OAAO,cAAc,EACrB,OAAO,GAAG,cAAc,EACxB,MAAM,GAAG,aAAa,CACvB,CAAC;AAEF;;;GAGG;AACH,qBAAa,wBAAyB,SAAQ,cAAc,CAC1D,OAAO,cAAc,EACrB,6BAA6B,EAC7B,iCAAiC,CAClC;;gBA4Ba,EACV,SAAS,EACT,KAAK,EACL,MAAM,EACN,WAAW,GACZ,EAAE;QACD,SAAS,EAAE,iCAAiC,CAAC;QAC7C,KAAK,CAAC,EAAE,6BAA6B,CAAC;QACtC,MAAM,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACnC;;;WAGG;QACH,WAAW,EAAE,eAAe,CAAC;KAC9B;IA4GY,aAAa,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAyFxC,cAAc,IAAI,IAAI;IAQ7B;;;;;;;;;;OAUG;IACU,cAAc,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOtE;;;;;;;;;;;;OAYG;IACU,iBAAiB,CAC5B,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,WAAW,CAAC;IAOvB;;;;;;;;;;;;;;;OAeG;IACU,yBAAyB,IAAI,OAAO,CAAC,MAAM,CAAC;IA8B5C,qBAAqB,CAChC,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,kBAAkB,CAAC;IAOvB,UAAU,IAAI,OAAO;CAqE7B"}
1
+ {"version":3,"file":"AuthenticationController.d.mts","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAC3D,OAAO,KAAK,EACV,wBAAwB,EACxB,0BAA0B,EAE3B,kCAAkC;AACnC,OAAO,KAAK,EACV,+BAA+B,EAC/B,0BAA0B,EAC1B,4BAA4B,EAC7B,qCAAqC;AACtC,OAAO,KAAK,EAAE,SAAS,EAAE,4BAA4B;AACrD,OAAO,KAAK,EAAE,iCAAiC,EAAE,oCAAoC;AAGrF,OAAO,KAAK,EACV,aAAa,EACb,YAAY,EAEZ,WAAW,EACX,kBAAkB,EACnB,4BAAkB;AACnB,OAAO,EAGL,GAAG,EAEJ,4BAAkB;AACnB,OAAO,KAAK,EAAE,eAAe,EAAE,wCAAoC;AAMnE,OAAO,EAAE,qCAAqC,EAAE,2DAAuD;AAEvG,QAAA,MAAM,cAAc,6BAA6B,CAAC;AAGlD,MAAM,MAAM,6BAA6B,GAAG;IAC1C,UAAU,EAAE,OAAO,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IAC/C;;;;;;;;;;OAUG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAC;CAC/B,CAAC;AACF,eAAO,MAAM,YAAY,EAAE,6BAG1B,CAAC;AA4CF,KAAK,gBAAgB,GAAG;IACtB,GAAG,EAAE,GAAG,CAAC;CACV,CAAC;AAaF,MAAM,MAAM,OAAO,GACf,sCAAsC,GACtC,qCAAqC,CAAC;AAE1C,MAAM,MAAM,sCAAsC,GAAG,wBAAwB,CAC3E,OAAO,cAAc,EACrB,6BAA6B,CAC9B,CAAC;AAEF,MAAM,MAAM,wCAAwC,GAClD,0BAA0B,CACxB,OAAO,cAAc,EACrB,6BAA6B,CAC9B,CAAC;AAEJ,MAAM,MAAM,iBAAiB,GAAG;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,YAAY,EAAE,CAAC;IAC/B,gBAAgB,EAAE,OAAO,CAAC;CAC3B,CAAC;AAEF,MAAM,MAAM,0CAA0C,GAAG;IACvD,IAAI,EAAE,GAAG,OAAO,cAAc,gBAAgB,CAAC;IAC/C,OAAO,EAAE,CAAC,iBAAiB,CAAC,CAAC;CAC9B,CAAC;AAEF,MAAM,MAAM,MAAM,GACd,wCAAwC,GACxC,0CAA0C,CAAC;AAG/C,KAAK,cAAc,GACf,+BAA+B,GAC/B,iCAAiC,CAAC;AAEtC,KAAK,aAAa,GAAG,0BAA0B,GAAG,4BAA4B,CAAC;AAG/E,MAAM,MAAM,iCAAiC,GAAG,SAAS,CACvD,OAAO,cAAc,EACrB,OAAO,GAAG,cAAc,EACxB,MAAM,GAAG,aAAa,CACvB,CAAC;AAEF;;;GAGG;AACH,qBAAa,wBAAyB,SAAQ,cAAc,CAC1D,OAAO,cAAc,EACrB,6BAA6B,EAC7B,iCAAiC,CAClC;;gBAiCa,EACV,SAAS,EACT,KAAK,EACL,MAAM,EACN,WAAW,GACZ,EAAE;QACD,SAAS,EAAE,iCAAiC,CAAC;QAC7C,KAAK,CAAC,EAAE,6BAA6B,CAAC;QACtC,MAAM,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAAC;QACnC;;;WAGG;QACH,WAAW,EAAE,eAAe,CAAC;KAC9B;IA4GY,aAAa,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IA6B/C;;;;OAIG;IACI,qBAAqB,IAAI,IAAI;IA4G7B,cAAc,IAAI,IAAI;IAQ7B;;;;;;;;;;OAUG;IACU,cAAc,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAOtE;;;;;;;;;;;;OAYG;IACU,iBAAiB,CAC5B,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,WAAW,CAAC;IAOvB;;;;;;;;;;;;;;;OAeG;IACU,yBAAyB,IAAI,OAAO,CAAC,MAAM,CAAC;IA8B5C,qBAAqB,CAChC,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,kBAAkB,CAAC;IAOvB,UAAU,IAAI,OAAO;CAqE7B"}
package/dist/controllers/authentication/AuthenticationController.mjs CHANGED
@@ -9,13 +9,14 @@ var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (
9
9
  if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
10
10
  return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
11
11
  };
12
- var _AuthenticationController_instances, _AuthenticationController_metametrics, _AuthenticationController_auth, _AuthenticationController_config, _AuthenticationController_isUnlocked, _AuthenticationController_cachedPrimaryEntropySourceId, _AuthenticationController_keyringController, _AuthenticationController_getLoginResponseFromState, _AuthenticationController_setLoginResponseToState, _AuthenticationController_assertIsUnlocked, _AuthenticationController_getPrimaryEntropySourceId, _AuthenticationController_performPairing, _AuthenticationController_pairSrpProfiles, _AuthenticationController_propagateCanonical, _AuthenticationController_getCanonicalProfileId, _AuthenticationController_invalidateSrpSession, _AuthenticationController_snapGetPublicKey, _AuthenticationController_snapGetAllPublicKeys, _AuthenticationController__snapSignMessageCache, _AuthenticationController_snapSignMessage;
12
+ var _AuthenticationController_instances, _AuthenticationController_metametrics, _AuthenticationController_auth, _AuthenticationController_config, _AuthenticationController_isUnlocked, _AuthenticationController_cachedPrimaryEntropySourceId, _AuthenticationController_profilePairingRequestEpoch, _AuthenticationController_keyringController, _AuthenticationController_getLoginResponseFromState, _AuthenticationController_setLoginResponseToState, _AuthenticationController_assertIsUnlocked, _AuthenticationController_getPrimaryEntropySourceId, _AuthenticationController_tryClearNeedsProfilePairing, _AuthenticationController_doPair, _AuthenticationController_pairSrpProfiles, _AuthenticationController_propagateCanonical, _AuthenticationController_getCanonicalProfileId, _AuthenticationController_invalidateSrpSession, _AuthenticationController_snapGetPublicKey, _AuthenticationController_snapGetAllPublicKeys, _AuthenticationController__snapSignMessageCache, _AuthenticationController_snapSignMessage;
13
13
  import { BaseController } from "@metamask/base-controller";
14
14
  import { assertMessageStartsWithMetamask, AuthType, Env, JwtBearerAuth } from "../../sdk/index.mjs";
15
15
  import { createSnapPublicKeyRequest, createSnapAllPublicKeysRequest, createSnapSignMessageRequest } from "./auth-snap-requests.mjs";
16
16
  const controllerName = 'AuthenticationController';
17
17
  export const defaultState = {
18
18
  isSignedIn: false,
19
+ needsProfilePairing: true,
19
20
  };
20
21
  const metadata = {
21
22
  isSignedIn: {
@@ -24,6 +25,12 @@ const metadata = {
24
25
  includeInDebugSnapshot: true,
25
26
  usedInUi: true,
26
27
  },
28
+ needsProfilePairing: {
29
+ includeInStateLogs: true,
30
+ persist: true,
31
+ includeInDebugSnapshot: true,
32
+ usedInUi: true,
33
+ },
27
34
  srpSessionData: {
28
35
  // Remove access token from state logs
29
36
  includeInStateLogs: (srpSessionData) => {
@@ -57,6 +64,7 @@ const MESSENGER_EXPOSED_METHODS = [
57
64
  'refreshCanonicalProfileId',
58
65
  'getUserProfileLineage',
59
66
  'isSignedIn',
67
+ 'requestProfilePairing',
60
68
  ];
61
69
  /**
62
70
  * Controller that enables authentication for restricted endpoints.
@@ -78,6 +86,10 @@ export class AuthenticationController extends BaseController {
78
86
  });
79
87
  _AuthenticationController_isUnlocked.set(this, false);
80
88
  _AuthenticationController_cachedPrimaryEntropySourceId.set(this, void 0);
89
+ // Bumped by `requestProfilePairing`. `performSignIn` snapshots this
90
+ // before its first await; if it changes mid-flight we must NOT clear
91
+ // `needsProfilePairing` (the rearm signal wins).
92
+ _AuthenticationController_profilePairingRequestEpoch.set(this, 0);
81
93
  _AuthenticationController_keyringController.set(this, {
82
94
  setupLockedStateSubscriptions: () => {
83
95
  const { isUnlocked } = this.messenger.call('KeyringController:getState');
@@ -119,6 +131,7 @@ export class AuthenticationController extends BaseController {
119
131
  }
120
132
  async performSignIn() {
121
133
  __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_assertIsUnlocked).call(this, 'performSignIn');
134
+ const epochAtStart = __classPrivateFieldGet(this, _AuthenticationController_profilePairingRequestEpoch, "f");
122
135
  const allPublicKeys = await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_snapGetAllPublicKeys).call(this);
123
136
  const accessTokens = [];
124
137
  // We iterate sequentially in order to be sure that the first entry
@@ -127,12 +140,34 @@ export class AuthenticationController extends BaseController {
127
140
  const accessToken = await __classPrivateFieldGet(this, _AuthenticationController_auth, "f").getAccessToken(entropySourceId);
128
141
  accessTokens.push(accessToken);
129
142
  }
130
- // Pair SRP profiles (idempotent no-op if already paired)
131
- if (accessTokens.length >= 2) {
132
- await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_performPairing).call(this, accessTokens);
143
+ if (allPublicKeys.length < 2) {
144
+ // Single-SRP wallet: nothing to pair.
145
+ __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_tryClearNeedsProfilePairing).call(this, epochAtStart);
146
+ }
147
+ else {
148
+ // Pair failures must not break sign-in; the gate stays `true` for retry.
149
+ try {
150
+ await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_doPair).call(this, accessTokens, epochAtStart);
151
+ }
152
+ catch {
153
+ // noop
154
+ }
133
155
  }
134
156
  return accessTokens;
135
157
  }
158
+ /**
159
+ * Marks profile pairing as needed. Clients call this when the SRP set
160
+ * changes (e.g. a new keyring was added) so the next auto-sign-in cycle
161
+ * re-runs `performSignIn` and re-pairs.
162
+ */
163
+ requestProfilePairing() {
164
+ __classPrivateFieldSet(this, _AuthenticationController_profilePairingRequestEpoch, __classPrivateFieldGet(this, _AuthenticationController_profilePairingRequestEpoch, "f") + 1, "f");
165
+ if (!this.state.needsProfilePairing) {
166
+ this.update((state) => {
167
+ state.needsProfilePairing = true;
168
+ });
169
+ }
170
+ }
136
171
  performSignOut() {
137
172
  __classPrivateFieldSet(this, _AuthenticationController_cachedPrimaryEntropySourceId, undefined, "f");
138
173
  this.update((state) => {
@@ -211,7 +246,7 @@ export class AuthenticationController extends BaseController {
211
246
  return this.state.isSignedIn;
212
247
  }
213
248
  }
214
- _AuthenticationController_metametrics = new WeakMap(), _AuthenticationController_auth = new WeakMap(), _AuthenticationController_config = new WeakMap(), _AuthenticationController_isUnlocked = new WeakMap(), _AuthenticationController_cachedPrimaryEntropySourceId = new WeakMap(), _AuthenticationController_keyringController = new WeakMap(), _AuthenticationController__snapSignMessageCache = new WeakMap(), _AuthenticationController_instances = new WeakSet(), _AuthenticationController_getLoginResponseFromState = async function _AuthenticationController_getLoginResponseFromState(entropySourceId) {
249
+ _AuthenticationController_metametrics = new WeakMap(), _AuthenticationController_auth = new WeakMap(), _AuthenticationController_config = new WeakMap(), _AuthenticationController_isUnlocked = new WeakMap(), _AuthenticationController_cachedPrimaryEntropySourceId = new WeakMap(), _AuthenticationController_profilePairingRequestEpoch = new WeakMap(), _AuthenticationController_keyringController = new WeakMap(), _AuthenticationController__snapSignMessageCache = new WeakMap(), _AuthenticationController_instances = new WeakSet(), _AuthenticationController_getLoginResponseFromState = async function _AuthenticationController_getLoginResponseFromState(entropySourceId) {
215
250
  const resolvedId = entropySourceId ?? (await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getPrimaryEntropySourceId).call(this));
216
251
  if (!this.state.srpSessionData?.[resolvedId]) {
217
252
  return null;
@@ -251,23 +286,43 @@ _AuthenticationController_metametrics = new WeakMap(), _AuthenticationController
251
286
  }
252
287
  __classPrivateFieldSet(this, _AuthenticationController_cachedPrimaryEntropySourceId, primaryId, "f");
253
288
  return __classPrivateFieldGet(this, _AuthenticationController_cachedPrimaryEntropySourceId, "f");
254
- }, _AuthenticationController_performPairing = async function _AuthenticationController_performPairing(accessTokens) {
289
+ }, _AuthenticationController_tryClearNeedsProfilePairing = function _AuthenticationController_tryClearNeedsProfilePairing(epochAtStart) {
290
+ if (__classPrivateFieldGet(this, _AuthenticationController_profilePairingRequestEpoch, "f") !== epochAtStart) {
291
+ return;
292
+ }
293
+ if (this.state.needsProfilePairing) {
294
+ this.update((state) => {
295
+ state.needsProfilePairing = false;
296
+ });
297
+ }
298
+ }, _AuthenticationController_doPair =
299
+ /**
300
+ * Pairs all SRPs via `POST /profile/pair`, propagates the canonical
301
+ * profile ID, clears `needsProfilePairing`, and emits
302
+ * `AuthenticationController:profileSignIn` when the canonical changes or
303
+ * new aliases are returned. Throws on failure.
304
+ *
305
+ * @param accessTokens - Per-SRP access tokens, primary first.
306
+ * @param epochAtStart - Pairing-request epoch captured by the caller.
307
+ * Used to skip the gate clear if `requestProfilePairing` ran while the
308
+ * pair API call was in-flight.
309
+ */
310
+ async function _AuthenticationController_doPair(accessTokens, epochAtStart) {
255
311
  const previousCanonical = await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getCanonicalProfileId).call(this);
256
- try {
257
- const profileAliases = await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_pairSrpProfiles).call(this, accessTokens);
258
- const newCanonical = await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getCanonicalProfileId).call(this);
259
- const profileIdChanged = previousCanonical !== newCanonical;
260
- const shouldEmitProfileSignInEvent = profileIdChanged || profileAliases.length > 0;
261
- if (shouldEmitProfileSignInEvent && newCanonical) {
262
- this.messenger.publish('AuthenticationController:profileSignIn', {
263
- profileId: newCanonical,
264
- profileAliases,
265
- profileIdChanged,
266
- });
267
- }
312
+ const profileAliases = await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_pairSrpProfiles).call(this, accessTokens);
313
+ const newCanonical = await __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_getCanonicalProfileId).call(this);
314
+ if (!newCanonical) {
315
+ return;
268
316
  }
269
- catch {
270
- // Pairing failure is non-fatal — retry on next performSignIn
317
+ __classPrivateFieldGet(this, _AuthenticationController_instances, "m", _AuthenticationController_tryClearNeedsProfilePairing).call(this, epochAtStart);
318
+ const profileIdChanged = previousCanonical !== newCanonical;
319
+ const shouldEmitProfileSignInEvent = profileIdChanged || profileAliases.length > 0;
320
+ if (shouldEmitProfileSignInEvent) {
321
+ this.messenger.publish('AuthenticationController:profileSignIn', {
322
+ profileId: newCanonical,
323
+ profileAliases,
324
+ profileIdChanged,
325
+ });
271
326
  }
272
327
  }, _AuthenticationController_pairSrpProfiles = async function _AuthenticationController_pairSrpProfiles(accessTokens) {
273
328
  if (accessTokens.length < 2) {
package/dist/controllers/authentication/AuthenticationController.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"AuthenticationController.mjs","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAsB3D,OAAO,EACL,+BAA+B,EAC/B,QAAQ,EACR,GAAG,EACH,aAAa,EACd,4BAAkB;AAEnB,OAAO,EACL,0BAA0B,EAC1B,8BAA8B,EAC9B,4BAA4B,EAC7B,iCAA6B;AAG9B,MAAM,cAAc,GAAG,0BAA0B,CAAC;AAOlD,MAAM,CAAC,MAAM,YAAY,GAAkC;IACzD,UAAU,EAAE,KAAK;CAClB,CAAC;AACF,MAAM,QAAQ,GAAiD;IAC7D,UAAU,EAAE;QACV,kBAAkB,EAAE,IAAI;QACxB,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,IAAI;QAC5B,QAAQ,EAAE,IAAI;KACf;IACD,cAAc,EAAE;QACd,sCAAsC;QACtC,kBAAkB,EAAE,CAAC,cAAc,EAAE,EAAE;YACrC,4FAA4F;YAC5F,2FAA2F;YAC3F,mEAAmE;YACnE,kEAAkE;YAClE,oDAAoD;YACpD,IAAI,cAAc,KAAK,IAAI,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;gBAC5D,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,MAAM,CAC1C,CAAC,uBAAuB,EAAE,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;gBACxC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,uBAAuB,EAAE,GACxD,KAAK,CAAC,KAAK,CAAC;gBACd,uBAAuB,CAAC,GAAG,CAAC,GAAG;oBAC7B,GAAG,KAAK;oBACR,KAAK,EAAE,uBAAuB;iBAC/B,CAAC;gBACF,OAAO,uBAAuB,CAAC;YACjC,CAAC,EACD,EAAE,CACH,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,KAAK;QAC7B,QAAQ,EAAE,IAAI;KACf;CACF,CAAC;AAMF,MAAM,yBAAyB,GAAG;IAChC,eAAe;IACf,gBAAgB;IAChB,gBAAgB;IAChB,mBAAmB;IACnB,2BAA2B;IAC3B,uBAAuB;IACvB,YAAY;CACJ,CAAC;AA8CX;;;GAGG;AACH,MAAM,OAAO,wBAAyB,SAAQ,cAI7C;IA4BC,YAAY,EACV,SAAS,EACT,KAAK,EACL,MAAM,EACN,WAAW,GAUZ;QACC,KAAK,CAAC;YACJ,SAAS;YACT,QAAQ;YACR,IAAI,EAAE,cAAc;YACpB,KAAK,EAAE,EAAE,GAAG,YAAY,EAAE,GAAG,KAAK,EAAE;SACrC,CAAC,CAAC;;QA/CI,wDAA8B;QAE9B,iDAAoB;QAEpB,2CAA4B;YACnC,GAAG,EAAE,GAAG,CAAC,GAAG;SACb,EAAC;QAEF,+CAAc,KAAK,EAAC;QAEpB,yEAAuC;QAE9B,sDAAqB;YAC5B,6BAA6B,EAAE,GAAG,EAAE;gBAClC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;gBACzE,uBAAA,IAAI,wCAAe,UAAU,MAAA,CAAC;gBAE9B,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,0BAA0B,EAAE,GAAG,EAAE;oBACxD,uBAAA,IAAI,wCAAe,IAAI,MAAA,CAAC;gBAC1B,CAAC,CAAC,CAAC;gBAEH,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,wBAAwB,EAAE,GAAG,EAAE;oBACtD,uBAAA,IAAI,wCAAe,KAAK,MAAA,CAAC;gBAC3B,CAAC,CAAC,CAAC;YACL,CAAC;SACF,EAAC;QAkWF,0DAA+D,EAAE,EAAC;QA1UhE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,uBAAA,IAAI,oCAAW;YACb,GAAG,uBAAA,IAAI,wCAAQ;YACf,GAAG,MAAM;SACV,MAAA,CAAC;QAEF,uBAAA,IAAI,yCAAgB,WAAW,MAAA,CAAC;QAEhC,uBAAA,IAAI,kCAAS,IAAI,aAAa,CAC5B;YACE,GAAG,EAAE,uBAAA,IAAI,wCAAQ,CAAC,GAAG;YACrB,QAAQ,EAAE,WAAW,CAAC,KAAK;YAC3B,IAAI,EAAE,QAAQ,CAAC,GAAG;SACnB,EACD;YACE,OAAO,EAAE;gBACP,gBAAgB,EAAE,uBAAA,IAAI,gGAA2B,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC5D,gBAAgB,EAAE,uBAAA,IAAI,8FAAyB,CAAC,IAAI,CAAC,IAAI,CAAC;aAC3D;YACD,OAAO,EAAE;gBACP,aAAa,EAAE,uBAAA,IAAI,uFAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAChD,WAAW,EAAE,uBAAA,IAAI,sFAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;aAC9C;YACD,WAAW,EAAE,uBAAA,IAAI,6CAAa;SAC/B,CACF,MAAA,CAAC;QAEF,uBAAA,IAAI,mDAAmB,CAAC,6BAA6B,EAAE,CAAC;QAExD,IAAI,CAAC,SAAS,CAAC,4BAA4B,CACzC,IAAI,EACJ,yBAAyB,CAC1B,CAAC;IACJ,CAAC;IAgEM,KAAK,CAAC,aAAa;QACxB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,eAAe,CAAC,CAAC;QAExC,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,CAAwB,CAAC;QACzD,MAAM,YAAY,GAAa,EAAE,CAAC;QAElC,mEAAmE;QACnE,oCAAoC;QACpC,KAAK,MAAM,CAAC,eAAe,CAAC,IAAI,aAAa,EAAE,CAAC;YAC9C,MAAM,WAAW,GAAG,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;YACrE,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACjC,CAAC;QAED,2DAA2D;QAC3D,IAAI,YAAY,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YAC7B,MAAM,uBAAA,IAAI,qFAAgB,MAApB,IAAI,EAAiB,YAAY,CAAC,CAAC;QAC3C,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAsEM,cAAc;QACnB,uBAAA,IAAI,0DAAiC,SAAS,MAAA,CAAC;QAC/C,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC;YACzB,KAAK,CAAC,cAAc,GAAG,SAAS,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;;OAUG;IACI,KAAK,CAAC,cAAc,CAAC,eAAwB;QAClD,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,gBAAgB,CAAC,CAAC;QACzC,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC;IAED;;;;;;;;;;;;OAYG;IACI,KAAK,CAAC,iBAAiB,CAC5B,eAAwB;QAExB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,mBAAmB,CAAC,CAAC;QAC5C,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACI,KAAK,CAAC,yBAAyB;QACpC,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,2BAA2B,CAAC,CAAC;QAEpD,MAAM,sBAAsB,GAAG,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC;QACvE,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,EAAuB,sBAAsB,CAAC,CAAC;QACnD,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,sBAAsB,CAAC,CAAC;QAExD,MAAM,SAAS,GAAG,MAAM,uBAAA,IAAI,4FAAuB,MAA3B,IAAI,CAAyB,CAAC;QACtD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,oEAAoE,CACrE,CAAC;QACJ,CAAC;QAED,uBAAA,IAAI,yFAAoB,MAAxB,IAAI,EAAqB,SAAS,CAAC,CAAC;QACpC,OAAO,SAAS,CAAC;IACnB,CAAC;IAcM,KAAK,CAAC,qBAAqB,CAChC,eAAwB;QAExB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,uBAAuB,CAAC,CAAC;QAChD,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAAC;IAC5D,CAAC;IAEM,UAAU;QACf,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;IAC/B,CAAC;CAmEF;ggBAnUC,KAAK,8DACH,eAAwB;IAExB,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;IAC/D,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;AAC/C,CAAC,sDAED,KAAK,4DACH,aAA4B,EAC5B,eAAwB;IAExB,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;IAC/D,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6CAAa,CAAC,gBAAgB,EAAE,CAAC;IACjE,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpB,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC;QACxB,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;YAC1B,KAAK,CAAC,cAAc,GAAG,EAAE,CAAC;QAC5B,CAAC;QACD,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG;YACjC,GAAG,aAAa;YAChB,OAAO,EAAE;gBACP,GAAG,aAAa,CAAC,OAAO;gBACxB,aAAa;aACd;SACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,mGAEiB,UAAkB;IAClC,IAAI,CAAC,uBAAA,IAAI,4CAAY,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,GAAG,UAAU,wCAAwC,CAAC,CAAC;IACzE,CAAC;AACH,CAAC,wDAED,KAAK;IACH,IAAI,uBAAA,IAAI,8DAA8B,EAAE,CAAC;QACvC,OAAO,uBAAA,IAAI,8DAA8B,CAAC;IAC5C,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,CAAwB,CAAC;IAEzD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CACb,iEAAiE,CAClE,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACtC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,qEAAqE,CACtE,CAAC;IACJ,CAAC;IAED,uBAAA,IAAI,0DAAiC,SAAS,MAAA,CAAC;IAC/C,OAAO,uBAAA,IAAI,8DAA8B,CAAC;AAC5C,CAAC,6CAuBD,KAAK,mDAAiB,YAAsB;IAC1C,MAAM,iBAAiB,GAAG,MAAM,uBAAA,IAAI,4FAAuB,MAA3B,IAAI,CAAyB,CAAC;IAE9D,IAAI,CAAC;QACH,MAAM,cAAc,GAAG,MAAM,uBAAA,IAAI,sFAAiB,MAArB,IAAI,EAAkB,YAAY,CAAC,CAAC;QAEjE,MAAM,YAAY,GAAG,MAAM,uBAAA,IAAI,4FAAuB,MAA3B,IAAI,CAAyB,CAAC;QACzD,MAAM,gBAAgB,GAAG,iBAAiB,KAAK,YAAY,CAAC;QAC5D,MAAM,4BAA4B,GAChC,gBAAgB,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC;QAEhD,IAAI,4BAA4B,IAAI,YAAY,EAAE,CAAC;YACjD,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,wCAAwC,EAAE;gBAC/D,SAAS,EAAE,YAAY;gBACvB,cAAc;gBACd,gBAAgB;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,6DAA6D;IAC/D,CAAC;AACH,CAAC,8CAED,KAAK,oDAAkB,YAAsB;IAC3C,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,kBAAkB,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,+BAA+B;IAC3E,MAAM,EACJ,cAAc,EACd,OAAO,EAAE,EAAE,kBAAkB,EAAE,GAChC,GAAG,MAAM,uBAAA,IAAI,sCAAM,CAAC,eAAe,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;IACvE,uBAAA,IAAI,yFAAoB,MAAxB,IAAI,EAAqB,kBAAkB,CAAC,CAAC;IAC7C,OAAO,cAAc,CAAC;AACxB,CAAC,uGAEmB,kBAA0B;IAC5C,MAAM,EAAE,cAAc,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;IACtC,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO;IACT,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,IAAI,EAAE,CAAC,EAAE,CAAC;YAC9D,IAAI,KAAK,EAAE,OAAO,EAAE,CAAC;gBACnB,KAAK,CAAC,OAAO,CAAC,kBAAkB,GAAG,kBAAkB,CAAC;YACxD,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACH,KAAK;IACH,MAAM,sBAAsB,GAAG,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC;IACvE,OAAO,CACL,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,sBAAsB,CAAC,EAAE,OAAO;QAC1D,EAAE,kBAAkB,IAAI,IAAI,CAC/B,CAAC;AACJ,CAAC,2GAoFqB,eAAuB;IAC3C,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpB,MAAM,KAAK,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC,eAAe,CAAC,CAAC;QACtD,IAAI,KAAK,EAAE,OAAO,EAAE,CAAC;YACnB,iEAAiE;YACjE,2EAA2E;YAC3E,wEAAwE;YACxE,KAAK,CAAC,OAAO,CAAC,kBAAkB,GAAG,EAAE,CAAC;QACxC,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAeD;;;;;;GAMG;AACH,KAAK,qDAAmB,eAAwB;IAC9C,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,mBAAmB,CAAC,CAAC;IAE5C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,0BAA0B,CAAC,eAAe,CAAC,CAC5C,CAAW,CAAC;IAEb,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,KAAK;IACH,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,uBAAuB,CAAC,CAAC;IAEhD,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,8BAA8B,EAAE,CACjC,CAAuB,CAAC;IAEzB,OAAO,MAAM,CAAC;AAChB,CAAC;AAID;;;;;;;GAOG;AACH,KAAK,oDACH,OAAe,EACf,eAAwB;IAExB,+BAA+B,CAAC,OAAO,CAAC,CAAC;IAEzC,IAAI,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,OAAO,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IAED,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,kBAAkB,CAAC,CAAC;IAE3C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,4BAA4B,CAAC,OAAO,EAAE,eAAe,CAAC,CACvD,CAAW,CAAC;IAEb,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC;IAE9C,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["import { BaseController } from '@metamask/base-controller';\nimport type {\n ControllerGetStateAction,\n ControllerStateChangeEvent,\n StateMetadata,\n} from '@metamask/base-controller';\nimport type {\n KeyringControllerGetStateAction,\n KeyringControllerLockEvent,\n KeyringControllerUnlockEvent,\n} from '@metamask/keyring-controller';\nimport type { Messenger } from '@metamask/messenger';\nimport type { SnapControllerHandleRequestAction } from '@metamask/snaps-controllers';\nimport type { Json } from '@metamask/utils';\n\nimport type {\n LoginResponse,\n ProfileAlias,\n SRPInterface,\n UserProfile,\n UserProfileLineage,\n} from '../../sdk';\nimport {\n assertMessageStartsWithMetamask,\n AuthType,\n Env,\n JwtBearerAuth,\n} from '../../sdk';\nimport type { MetaMetricsAuth } from '../../shared/types/services';\nimport {\n createSnapPublicKeyRequest,\n createSnapAllPublicKeysRequest,\n createSnapSignMessageRequest,\n} from './auth-snap-requests';\nimport { AuthenticationControllerMethodActions } from './AuthenticationController-method-action-types';\n\nconst controllerName = 'AuthenticationController';\n\n// State\nexport type AuthenticationControllerState = {\n isSignedIn: boolean;\n srpSessionData?: Record<string, LoginResponse>;\n};\nexport const defaultState: AuthenticationControllerState = {\n isSignedIn: false,\n};\nconst metadata: StateMetadata<AuthenticationControllerState> = {\n isSignedIn: {\n includeInStateLogs: true,\n persist: true,\n includeInDebugSnapshot: true,\n usedInUi: true,\n },\n srpSessionData: {\n // Remove access token from state logs\n includeInStateLogs: (srpSessionData) => {\n // Unreachable branch, included just to fix a type error for the case where this property is\n // unset. The type gets collapsed to include `| undefined` even though `undefined` is never\n // set here, because we don't yet use `exactOptionalPropertyTypes`.\n // TODO: Remove branch after enabling `exactOptionalPropertyTypes`\n // ref: https://github.com/MetaMask/core/issues/6565\n if (srpSessionData === null || srpSessionData === undefined) {\n return null;\n }\n return Object.entries(srpSessionData).reduce<Record<string, Json>>(\n (sanitizedSrpSessionData, [key, value]) => {\n const { accessToken: _unused, ...tokenWithoutAccessToken } =\n value.token;\n sanitizedSrpSessionData[key] = {\n ...value,\n token: tokenWithoutAccessToken,\n };\n return sanitizedSrpSessionData;\n },\n {},\n );\n },\n persist: true,\n includeInDebugSnapshot: false,\n usedInUi: true,\n },\n};\n\ntype ControllerConfig = {\n env: Env;\n};\n\nconst MESSENGER_EXPOSED_METHODS = [\n 'performSignIn',\n 'performSignOut',\n 'getBearerToken',\n 'getSessionProfile',\n 'refreshCanonicalProfileId',\n 'getUserProfileLineage',\n 'isSignedIn',\n] as const;\n\nexport type Actions =\n | AuthenticationControllerGetStateAction\n | AuthenticationControllerMethodActions;\n\nexport type AuthenticationControllerGetStateAction = ControllerGetStateAction<\n typeof controllerName,\n AuthenticationControllerState\n>;\n\nexport type AuthenticationControllerStateChangeEvent =\n ControllerStateChangeEvent<\n typeof controllerName,\n AuthenticationControllerState\n >;\n\nexport type ProfileSignInInfo = {\n profileId: string;\n profileAliases: ProfileAlias[];\n profileIdChanged: boolean;\n};\n\nexport type AuthenticationControllerProfileSignInEvent = {\n type: `${typeof controllerName}:profileSignIn`;\n payload: [ProfileSignInInfo];\n};\n\nexport type Events =\n | AuthenticationControllerStateChangeEvent\n | AuthenticationControllerProfileSignInEvent;\n\n// Allowed Actions\ntype AllowedActions =\n | KeyringControllerGetStateAction\n | SnapControllerHandleRequestAction;\n\ntype AllowedEvents = KeyringControllerLockEvent | KeyringControllerUnlockEvent;\n\n// Messenger\nexport type AuthenticationControllerMessenger = Messenger<\n typeof controllerName,\n Actions | AllowedActions,\n Events | AllowedEvents\n>;\n\n/**\n * Controller that enables authentication for restricted endpoints.\n * Used for Backup & Sync, Notifications, and other services.\n */\nexport class AuthenticationController extends BaseController<\n typeof controllerName,\n AuthenticationControllerState,\n AuthenticationControllerMessenger\n> {\n readonly #metametrics: MetaMetricsAuth;\n\n readonly #auth: SRPInterface;\n\n readonly #config: ControllerConfig = {\n env: Env.PRD,\n };\n\n #isUnlocked = false;\n\n #cachedPrimaryEntropySourceId?: string;\n\n readonly #keyringController = {\n setupLockedStateSubscriptions: () => {\n const { isUnlocked } = this.messenger.call('KeyringController:getState');\n this.#isUnlocked = isUnlocked;\n\n this.messenger.subscribe('KeyringController:unlock', () => {\n this.#isUnlocked = true;\n });\n\n this.messenger.subscribe('KeyringController:lock', () => {\n this.#isUnlocked = false;\n });\n },\n };\n\n constructor({\n messenger,\n state,\n config,\n metametrics,\n }: {\n messenger: AuthenticationControllerMessenger;\n state?: AuthenticationControllerState;\n config?: Partial<ControllerConfig>;\n /**\n * Not using the Messaging System as we\n * do not want to tie this strictly to extension\n */\n metametrics: MetaMetricsAuth;\n }) {\n super({\n messenger,\n metadata,\n name: controllerName,\n state: { ...defaultState, ...state },\n });\n\n if (!metametrics) {\n throw new Error('`metametrics` field is required');\n }\n\n this.#config = {\n ...this.#config,\n ...config,\n };\n\n this.#metametrics = metametrics;\n\n this.#auth = new JwtBearerAuth(\n {\n env: this.#config.env,\n platform: metametrics.agent,\n type: AuthType.SRP,\n },\n {\n storage: {\n getLoginResponse: this.#getLoginResponseFromState.bind(this),\n setLoginResponse: this.#setLoginResponseToState.bind(this),\n },\n signing: {\n getIdentifier: this.#snapGetPublicKey.bind(this),\n signMessage: this.#snapSignMessage.bind(this),\n },\n metametrics: this.#metametrics,\n },\n );\n\n this.#keyringController.setupLockedStateSubscriptions();\n\n this.messenger.registerMethodActionHandlers(\n this,\n MESSENGER_EXPOSED_METHODS,\n );\n }\n\n async #getLoginResponseFromState(\n entropySourceId?: string,\n ): Promise<LoginResponse | null> {\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n if (!this.state.srpSessionData?.[resolvedId]) {\n return null;\n }\n return this.state.srpSessionData[resolvedId];\n }\n\n async #setLoginResponseToState(\n loginResponse: LoginResponse,\n entropySourceId?: string,\n ) {\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n const metaMetricsId = await this.#metametrics.getMetaMetricsId();\n this.update((state) => {\n state.isSignedIn = true;\n if (!state.srpSessionData) {\n state.srpSessionData = {};\n }\n state.srpSessionData[resolvedId] = {\n ...loginResponse,\n profile: {\n ...loginResponse.profile,\n metaMetricsId,\n },\n };\n });\n }\n\n #assertIsUnlocked(methodName: string): void {\n if (!this.#isUnlocked) {\n throw new Error(`${methodName} - unable to proceed, wallet is locked`);\n }\n }\n\n async #getPrimaryEntropySourceId(): Promise<string> {\n if (this.#cachedPrimaryEntropySourceId) {\n return this.#cachedPrimaryEntropySourceId;\n }\n const allPublicKeys = await this.#snapGetAllPublicKeys();\n\n if (allPublicKeys.length === 0) {\n throw new Error(\n '#getPrimaryEntropySourceId - No entropy sources found from snap',\n );\n }\n\n const primaryId = allPublicKeys[0][0];\n if (!primaryId) {\n throw new Error(\n '#getPrimaryEntropySourceId - Primary entropy source ID is undefined',\n );\n }\n\n this.#cachedPrimaryEntropySourceId = primaryId;\n return this.#cachedPrimaryEntropySourceId;\n }\n\n public async performSignIn(): Promise<string[]> {\n this.#assertIsUnlocked('performSignIn');\n\n const allPublicKeys = await this.#snapGetAllPublicKeys();\n const accessTokens: string[] = [];\n\n // We iterate sequentially in order to be sure that the first entry\n // is the primary SRP LoginResponse.\n for (const [entropySourceId] of allPublicKeys) {\n const accessToken = await this.#auth.getAccessToken(entropySourceId);\n accessTokens.push(accessToken);\n }\n\n // Pair SRP profiles (idempotent — no-op if already paired)\n if (accessTokens.length >= 2) {\n await this.#performPairing(accessTokens);\n }\n\n return accessTokens;\n }\n\n async #performPairing(accessTokens: string[]): Promise<void> {\n const previousCanonical = await this.#getCanonicalProfileId();\n\n try {\n const profileAliases = await this.#pairSrpProfiles(accessTokens);\n\n const newCanonical = await this.#getCanonicalProfileId();\n const profileIdChanged = previousCanonical !== newCanonical;\n const shouldEmitProfileSignInEvent =\n profileIdChanged || profileAliases.length > 0;\n\n if (shouldEmitProfileSignInEvent && newCanonical) {\n this.messenger.publish('AuthenticationController:profileSignIn', {\n profileId: newCanonical,\n profileAliases,\n profileIdChanged,\n });\n }\n } catch {\n // Pairing failure is non-fatal — retry on next performSignIn\n }\n }\n\n async #pairSrpProfiles(accessTokens: string[]): Promise<ProfileAlias[]> {\n if (accessTokens.length < 2) {\n return [];\n }\n const primaryAccessToken = accessTokens[0]; // Associated with primary SRP.\n const {\n profileAliases,\n profile: { canonicalProfileId },\n } = await this.#auth.pairSrpProfiles(accessTokens, primaryAccessToken);\n this.#propagateCanonical(canonicalProfileId);\n return profileAliases;\n }\n\n #propagateCanonical(canonicalProfileId: string): void {\n const { srpSessionData } = this.state;\n if (!srpSessionData) {\n return;\n }\n\n this.update((state) => {\n for (const entry of Object.values(state.srpSessionData ?? {})) {\n if (entry?.profile) {\n entry.profile.canonicalProfileId = canonicalProfileId;\n }\n }\n });\n }\n\n /**\n * Returns the canonical profile id from the primary SRP's cached session.\n * Returns `null` when no session exists yet for the primary SRP.\n *\n * Always reads from the primary SRP because the canonical is shared across\n * all paired SRPs after `#propagateCanonical`.\n *\n * @returns The canonical profile id, or `null` if unavailable.\n */\n async #getCanonicalProfileId(): Promise<string | null> {\n const primaryEntropySourceId = await this.#getPrimaryEntropySourceId();\n return (\n this.state.srpSessionData?.[primaryEntropySourceId]?.profile\n ?.canonicalProfileId ?? null\n );\n }\n\n public performSignOut(): void {\n this.#cachedPrimaryEntropySourceId = undefined;\n this.update((state) => {\n state.isSignedIn = false;\n state.srpSessionData = undefined;\n });\n }\n\n /**\n * Returns a bearer token for the specified SRP, logging in if needed.\n *\n * When called without `entropySourceId`, returns the primary (first) SRP's\n * access token, which is effectively the canonical\n * profile's token that can be used by alias-aware consumers for cross-SRP\n * operations.\n *\n * @param entropySourceId - The entropy source ID. Omit for the primary SRP.\n * @returns The OIDC access token.\n */\n public async getBearerToken(entropySourceId?: string): Promise<string> {\n this.#assertIsUnlocked('getBearerToken');\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n return await this.#auth.getAccessToken(resolvedId);\n }\n\n /**\n * Returns the cached session profile, logging in if no session exists.\n *\n * The returned `canonicalProfileId` reflects the value from the most recent\n * login or pairing. In the rare event where a canonical changed because of\n * a pairing that happened on another device, the cached value may be stale\n * until the next login. For guaranteed freshness, call\n * `refreshCanonicalProfileId()` before reading `canonicalProfileId`.\n *\n * @param entropySourceId - The entropy source ID used to derive the key,\n * when multiple sources are available (Multi-SRP).\n * @returns profile for the session.\n */\n public async getSessionProfile(\n entropySourceId?: string,\n ): Promise<UserProfile> {\n this.#assertIsUnlocked('getSessionProfile');\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n return await this.#auth.getUserProfile(resolvedId);\n }\n\n /**\n * Forces a fresh retrieval of the canonical profile ID from the server\n * and propagates it to all cached SRP sessions.\n *\n * This method invalidates the primary SRP's cached session and forces a\n * re-login. Use it before operations that require a guaranteed-fresh\n * canonical (e.g. storage key derivation for Accounts ADR 0005). For\n * best-effort reads, use\n * `getSessionProfile().canonicalProfileId` instead.\n *\n * Only the primary SRP is re-logged-in regardless of how many SRPs exist —\n * the server returns the current canonical for the entire pairing group\n * from any single SRP login.\n *\n * @returns The refreshed canonical profile ID.\n */\n public async refreshCanonicalProfileId(): Promise<string> {\n this.#assertIsUnlocked('refreshCanonicalProfileId');\n\n const primaryEntropySourceId = await this.#getPrimaryEntropySourceId();\n this.#invalidateSrpSession(primaryEntropySourceId);\n await this.#auth.getAccessToken(primaryEntropySourceId);\n\n const canonical = await this.#getCanonicalProfileId();\n if (!canonical) {\n throw new Error(\n 'refreshCanonicalProfileId - Unable to resolve canonical profile ID',\n );\n }\n\n this.#propagateCanonical(canonical);\n return canonical;\n }\n\n #invalidateSrpSession(entropySourceId: string): void {\n this.update((state) => {\n const entry = state.srpSessionData?.[entropySourceId];\n if (entry?.profile) {\n // Setting canonicalProfileId to '' forces a re-fetch on the next\n // #getAuthSession call. The falsy check (!auth.profile.canonicalProfileId)\n // treats '' the same as undefined/null — all signal an invalid session.\n entry.profile.canonicalProfileId = '';\n }\n });\n }\n\n public async getUserProfileLineage(\n entropySourceId?: string,\n ): Promise<UserProfileLineage> {\n this.#assertIsUnlocked('getUserProfileLineage');\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n return await this.#auth.getUserProfileLineage(resolvedId);\n }\n\n public isSignedIn(): boolean {\n return this.state.isSignedIn;\n }\n\n /**\n * Returns the auth snap public key.\n *\n * @param entropySourceId - The entropy source ID used to derive the key,\n * when multiple sources are available (Multi-SRP).\n * @returns The snap public key.\n */\n async #snapGetPublicKey(entropySourceId?: string): Promise<string> {\n this.#assertIsUnlocked('#snapGetPublicKey');\n\n const result = (await this.messenger.call(\n 'SnapController:handleRequest',\n createSnapPublicKeyRequest(entropySourceId),\n )) as string;\n\n return result;\n }\n\n /**\n * Returns a mapping of entropy source IDs to auth snap public keys.\n *\n * @returns A mapping of entropy source IDs to public keys.\n */\n async #snapGetAllPublicKeys(): Promise<[string, string][]> {\n this.#assertIsUnlocked('#snapGetAllPublicKeys');\n\n const result = (await this.messenger.call(\n 'SnapController:handleRequest',\n createSnapAllPublicKeysRequest(),\n )) as [string, string][];\n\n return result;\n }\n\n #_snapSignMessageCache: Record<`metamask:${string}`, string> = {};\n\n /**\n * Signs a specific message using an underlying auth snap.\n *\n * @param message - A specific tagged message to sign.\n * @param entropySourceId - The entropy source ID used to derive the key,\n * when multiple sources are available (Multi-SRP).\n * @returns A Signature created by the snap.\n */\n async #snapSignMessage(\n message: string,\n entropySourceId?: string,\n ): Promise<string> {\n assertMessageStartsWithMetamask(message);\n\n if (this.#_snapSignMessageCache[message]) {\n return this.#_snapSignMessageCache[message];\n }\n\n this.#assertIsUnlocked('#snapSignMessage');\n\n const result = (await this.messenger.call(\n 'SnapController:handleRequest',\n createSnapSignMessageRequest(message, entropySourceId),\n )) as string;\n\n this.#_snapSignMessageCache[message] = result;\n\n return result;\n }\n}\n"]}
1
+ {"version":3,"file":"AuthenticationController.mjs","sourceRoot":"","sources":["../../../src/controllers/authentication/AuthenticationController.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,cAAc,EAAE,kCAAkC;AAsB3D,OAAO,EACL,+BAA+B,EAC/B,QAAQ,EACR,GAAG,EACH,aAAa,EACd,4BAAkB;AAEnB,OAAO,EACL,0BAA0B,EAC1B,8BAA8B,EAC9B,4BAA4B,EAC7B,iCAA6B;AAG9B,MAAM,cAAc,GAAG,0BAA0B,CAAC;AAmBlD,MAAM,CAAC,MAAM,YAAY,GAAkC;IACzD,UAAU,EAAE,KAAK;IACjB,mBAAmB,EAAE,IAAI;CAC1B,CAAC;AACF,MAAM,QAAQ,GAAiD;IAC7D,UAAU,EAAE;QACV,kBAAkB,EAAE,IAAI;QACxB,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,IAAI;QAC5B,QAAQ,EAAE,IAAI;KACf;IACD,mBAAmB,EAAE;QACnB,kBAAkB,EAAE,IAAI;QACxB,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,IAAI;QAC5B,QAAQ,EAAE,IAAI;KACf;IACD,cAAc,EAAE;QACd,sCAAsC;QACtC,kBAAkB,EAAE,CAAC,cAAc,EAAE,EAAE;YACrC,4FAA4F;YAC5F,2FAA2F;YAC3F,mEAAmE;YACnE,kEAAkE;YAClE,oDAAoD;YACpD,IAAI,cAAc,KAAK,IAAI,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;gBAC5D,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,MAAM,CAC1C,CAAC,uBAAuB,EAAE,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;gBACxC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,GAAG,uBAAuB,EAAE,GACxD,KAAK,CAAC,KAAK,CAAC;gBACd,uBAAuB,CAAC,GAAG,CAAC,GAAG;oBAC7B,GAAG,KAAK;oBACR,KAAK,EAAE,uBAAuB;iBAC/B,CAAC;gBACF,OAAO,uBAAuB,CAAC;YACjC,CAAC,EACD,EAAE,CACH,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,IAAI;QACb,sBAAsB,EAAE,KAAK;QAC7B,QAAQ,EAAE,IAAI;KACf;CACF,CAAC;AAMF,MAAM,yBAAyB,GAAG;IAChC,eAAe;IACf,gBAAgB;IAChB,gBAAgB;IAChB,mBAAmB;IACnB,2BAA2B;IAC3B,uBAAuB;IACvB,YAAY;IACZ,uBAAuB;CACf,CAAC;AA8CX;;;GAGG;AACH,MAAM,OAAO,wBAAyB,SAAQ,cAI7C;IAiCC,YAAY,EACV,SAAS,EACT,KAAK,EACL,MAAM,EACN,WAAW,GAUZ;QACC,KAAK,CAAC;YACJ,SAAS;YACT,QAAQ;YACR,IAAI,EAAE,cAAc;YACpB,KAAK,EAAE,EAAE,GAAG,YAAY,EAAE,GAAG,KAAK,EAAE;SACrC,CAAC,CAAC;;QApDI,wDAA8B;QAE9B,iDAAoB;QAEpB,2CAA4B;YACnC,GAAG,EAAE,GAAG,CAAC,GAAG;SACb,EAAC;QAEF,+CAAc,KAAK,EAAC;QAEpB,yEAAuC;QAEvC,oEAAoE;QACpE,qEAAqE;QACrE,iDAAiD;QACjD,+DAA8B,CAAC,EAAC;QAEvB,sDAAqB;YAC5B,6BAA6B,EAAE,GAAG,EAAE;gBAClC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;gBACzE,uBAAA,IAAI,wCAAe,UAAU,MAAA,CAAC;gBAE9B,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,0BAA0B,EAAE,GAAG,EAAE;oBACxD,uBAAA,IAAI,wCAAe,IAAI,MAAA,CAAC;gBAC1B,CAAC,CAAC,CAAC;gBAEH,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,wBAAwB,EAAE,GAAG,EAAE;oBACtD,uBAAA,IAAI,wCAAe,KAAK,MAAA,CAAC;gBAC3B,CAAC,CAAC,CAAC;YACL,CAAC;SACF,EAAC;QAuZF,0DAA+D,EAAE,EAAC;QA/XhE,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,uBAAA,IAAI,oCAAW;YACb,GAAG,uBAAA,IAAI,wCAAQ;YACf,GAAG,MAAM;SACV,MAAA,CAAC;QAEF,uBAAA,IAAI,yCAAgB,WAAW,MAAA,CAAC;QAEhC,uBAAA,IAAI,kCAAS,IAAI,aAAa,CAC5B;YACE,GAAG,EAAE,uBAAA,IAAI,wCAAQ,CAAC,GAAG;YACrB,QAAQ,EAAE,WAAW,CAAC,KAAK;YAC3B,IAAI,EAAE,QAAQ,CAAC,GAAG;SACnB,EACD;YACE,OAAO,EAAE;gBACP,gBAAgB,EAAE,uBAAA,IAAI,gGAA2B,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC5D,gBAAgB,EAAE,uBAAA,IAAI,8FAAyB,CAAC,IAAI,CAAC,IAAI,CAAC;aAC3D;YACD,OAAO,EAAE;gBACP,aAAa,EAAE,uBAAA,IAAI,uFAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAChD,WAAW,EAAE,uBAAA,IAAI,sFAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;aAC9C;YACD,WAAW,EAAE,uBAAA,IAAI,6CAAa;SAC/B,CACF,MAAA,CAAC;QAEF,uBAAA,IAAI,mDAAmB,CAAC,6BAA6B,EAAE,CAAC;QAExD,IAAI,CAAC,SAAS,CAAC,4BAA4B,CACzC,IAAI,EACJ,yBAAyB,CAC1B,CAAC;IACJ,CAAC;IAgEM,KAAK,CAAC,aAAa;QACxB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,eAAe,CAAC,CAAC;QAExC,MAAM,YAAY,GAAG,uBAAA,IAAI,4DAA4B,CAAC;QACtD,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,CAAwB,CAAC;QACzD,MAAM,YAAY,GAAa,EAAE,CAAC;QAElC,mEAAmE;QACnE,oCAAoC;QACpC,KAAK,MAAM,CAAC,eAAe,CAAC,IAAI,aAAa,EAAE,CAAC;YAC9C,MAAM,WAAW,GAAG,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,eAAe,CAAC,CAAC;YACrE,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACjC,CAAC;QAED,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,sCAAsC;YACtC,uBAAA,IAAI,kGAA6B,MAAjC,IAAI,EAA8B,YAAY,CAAC,CAAC;QAClD,CAAC;aAAM,CAAC;YACN,yEAAyE;YACzE,IAAI,CAAC;gBACH,MAAM,uBAAA,IAAI,6EAAQ,MAAZ,IAAI,EAAS,YAAY,EAAE,YAAY,CAAC,CAAC;YACjD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;YACT,CAAC;QACH,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAED;;;;OAIG;IACI,qBAAqB;QAC1B,6KAAoC,CAAC,MAAA,CAAC;QACtC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,mBAAmB,EAAE,CAAC;YACpC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;gBACpB,KAAK,CAAC,mBAAmB,GAAG,IAAI,CAAC;YACnC,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAqGM,cAAc;QACnB,uBAAA,IAAI,0DAAiC,SAAS,MAAA,CAAC;QAC/C,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC;YACzB,KAAK,CAAC,cAAc,GAAG,SAAS,CAAC;QACnC,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;;OAUG;IACI,KAAK,CAAC,cAAc,CAAC,eAAwB;QAClD,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,gBAAgB,CAAC,CAAC;QACzC,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC;IAED;;;;;;;;;;;;OAYG;IACI,KAAK,CAAC,iBAAiB,CAC5B,eAAwB;QAExB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,mBAAmB,CAAC,CAAC;QAC5C,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACI,KAAK,CAAC,yBAAyB;QACpC,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,2BAA2B,CAAC,CAAC;QAEpD,MAAM,sBAAsB,GAAG,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC;QACvE,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,EAAuB,sBAAsB,CAAC,CAAC;QACnD,MAAM,uBAAA,IAAI,sCAAM,CAAC,cAAc,CAAC,sBAAsB,CAAC,CAAC;QAExD,MAAM,SAAS,GAAG,MAAM,uBAAA,IAAI,4FAAuB,MAA3B,IAAI,CAAyB,CAAC;QACtD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,oEAAoE,CACrE,CAAC;QACJ,CAAC;QAED,uBAAA,IAAI,yFAAoB,MAAxB,IAAI,EAAqB,SAAS,CAAC,CAAC;QACpC,OAAO,SAAS,CAAC;IACnB,CAAC;IAcM,KAAK,CAAC,qBAAqB,CAChC,eAAwB;QAExB,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,uBAAuB,CAAC,CAAC;QAChD,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;QAC/D,OAAO,MAAM,uBAAA,IAAI,sCAAM,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAAC;IAC5D,CAAC;IAEM,UAAU;QACf,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC;IAC/B,CAAC;CAmEF;skBAxXC,KAAK,8DACH,eAAwB;IAExB,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;IAC/D,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;AAC/C,CAAC,sDAED,KAAK,4DACH,aAA4B,EAC5B,eAAwB;IAExB,MAAM,UAAU,GACd,eAAe,IAAI,CAAC,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC,CAAC;IAC/D,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6CAAa,CAAC,gBAAgB,EAAE,CAAC;IACjE,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpB,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC;QACxB,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;YAC1B,KAAK,CAAC,cAAc,GAAG,EAAE,CAAC;QAC5B,CAAC;QACD,KAAK,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG;YACjC,GAAG,aAAa;YAChB,OAAO,EAAE;gBACP,GAAG,aAAa,CAAC,OAAO;gBACxB,aAAa;aACd;SACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,mGAEiB,UAAkB;IAClC,IAAI,CAAC,uBAAA,IAAI,4CAAY,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,GAAG,UAAU,wCAAwC,CAAC,CAAC;IACzE,CAAC;AACH,CAAC,wDAED,KAAK;IACH,IAAI,uBAAA,IAAI,8DAA8B,EAAE,CAAC;QACvC,OAAO,uBAAA,IAAI,8DAA8B,CAAC;IAC5C,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,2FAAsB,MAA1B,IAAI,CAAwB,CAAC;IAEzD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CACb,iEAAiE,CAClE,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACtC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,qEAAqE,CACtE,CAAC;IACJ,CAAC;IAED,uBAAA,IAAI,0DAAiC,SAAS,MAAA,CAAC;IAC/C,OAAO,uBAAA,IAAI,8DAA8B,CAAC;AAC5C,CAAC,yHAoD4B,YAAoB;IAC/C,IAAI,uBAAA,IAAI,4DAA4B,KAAK,YAAY,EAAE,CAAC;QACtD,OAAO;IACT,CAAC;IACD,IAAI,IAAI,CAAC,KAAK,CAAC,mBAAmB,EAAE,CAAC;QACnC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;YACpB,KAAK,CAAC,mBAAmB,GAAG,KAAK,CAAC;QACpC,CAAC,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,KAAK,2CAAS,YAAsB,EAAE,YAAoB;IACxD,MAAM,iBAAiB,GAAG,MAAM,uBAAA,IAAI,4FAAuB,MAA3B,IAAI,CAAyB,CAAC;IAE9D,MAAM,cAAc,GAAG,MAAM,uBAAA,IAAI,sFAAiB,MAArB,IAAI,EAAkB,YAAY,CAAC,CAAC;IACjE,MAAM,YAAY,GAAG,MAAM,uBAAA,IAAI,4FAAuB,MAA3B,IAAI,CAAyB,CAAC;IAEzD,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO;IACT,CAAC;IAED,uBAAA,IAAI,kGAA6B,MAAjC,IAAI,EAA8B,YAAY,CAAC,CAAC;IAEhD,MAAM,gBAAgB,GAAG,iBAAiB,KAAK,YAAY,CAAC;IAC5D,MAAM,4BAA4B,GAChC,gBAAgB,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC;IAEhD,IAAI,4BAA4B,EAAE,CAAC;QACjC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,wCAAwC,EAAE;YAC/D,SAAS,EAAE,YAAY;YACvB,cAAc;YACd,gBAAgB;SACjB,CAAC,CAAC;IACL,CAAC;AACH,CAAC,8CAED,KAAK,oDAAkB,YAAsB;IAC3C,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,kBAAkB,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,+BAA+B;IAC3E,MAAM,EACJ,cAAc,EACd,OAAO,EAAE,EAAE,kBAAkB,EAAE,GAChC,GAAG,MAAM,uBAAA,IAAI,sCAAM,CAAC,eAAe,CAAC,YAAY,EAAE,kBAAkB,CAAC,CAAC;IACvE,uBAAA,IAAI,yFAAoB,MAAxB,IAAI,EAAqB,kBAAkB,CAAC,CAAC;IAC7C,OAAO,cAAc,CAAC;AACxB,CAAC,uGAEmB,kBAA0B;IAC5C,MAAM,EAAE,cAAc,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;IACtC,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO;IACT,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,IAAI,EAAE,CAAC,EAAE,CAAC;YAC9D,IAAI,KAAK,EAAE,OAAO,EAAE,CAAC;gBACnB,KAAK,CAAC,OAAO,CAAC,kBAAkB,GAAG,kBAAkB,CAAC;YACxD,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACH,KAAK;IACH,MAAM,sBAAsB,GAAG,MAAM,uBAAA,IAAI,gGAA2B,MAA/B,IAAI,CAA6B,CAAC;IACvE,OAAO,CACL,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,sBAAsB,CAAC,EAAE,OAAO;QAC1D,EAAE,kBAAkB,IAAI,IAAI,CAC/B,CAAC;AACJ,CAAC,2GAoFqB,eAAuB;IAC3C,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE;QACpB,MAAM,KAAK,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC,eAAe,CAAC,CAAC;QACtD,IAAI,KAAK,EAAE,OAAO,EAAE,CAAC;YACnB,iEAAiE;YACjE,2EAA2E;YAC3E,wEAAwE;YACxE,KAAK,CAAC,OAAO,CAAC,kBAAkB,GAAG,EAAE,CAAC;QACxC,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAeD;;;;;;GAMG;AACH,KAAK,qDAAmB,eAAwB;IAC9C,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,mBAAmB,CAAC,CAAC;IAE5C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,0BAA0B,CAAC,eAAe,CAAC,CAC5C,CAAW,CAAC;IAEb,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,KAAK;IACH,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,uBAAuB,CAAC,CAAC;IAEhD,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,8BAA8B,EAAE,CACjC,CAAuB,CAAC;IAEzB,OAAO,MAAM,CAAC;AAChB,CAAC;AAID;;;;;;;GAOG;AACH,KAAK,oDACH,OAAe,EACf,eAAwB;IAExB,+BAA+B,CAAC,OAAO,CAAC,CAAC;IAEzC,IAAI,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,OAAO,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IAED,uBAAA,IAAI,uFAAkB,MAAtB,IAAI,EAAmB,kBAAkB,CAAC,CAAC;IAE3C,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CACvC,8BAA8B,EAC9B,4BAA4B,CAAC,OAAO,EAAE,eAAe,CAAC,CACvD,CAAW,CAAC;IAEb,uBAAA,IAAI,uDAAuB,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC;IAE9C,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["import { BaseController } from '@metamask/base-controller';\nimport type {\n ControllerGetStateAction,\n ControllerStateChangeEvent,\n StateMetadata,\n} from '@metamask/base-controller';\nimport type {\n KeyringControllerGetStateAction,\n KeyringControllerLockEvent,\n KeyringControllerUnlockEvent,\n} from '@metamask/keyring-controller';\nimport type { Messenger } from '@metamask/messenger';\nimport type { SnapControllerHandleRequestAction } from '@metamask/snaps-controllers';\nimport type { Json } from '@metamask/utils';\n\nimport type {\n LoginResponse,\n ProfileAlias,\n SRPInterface,\n UserProfile,\n UserProfileLineage,\n} from '../../sdk';\nimport {\n assertMessageStartsWithMetamask,\n AuthType,\n Env,\n JwtBearerAuth,\n} from '../../sdk';\nimport type { MetaMetricsAuth } from '../../shared/types/services';\nimport {\n createSnapPublicKeyRequest,\n createSnapAllPublicKeysRequest,\n createSnapSignMessageRequest,\n} from './auth-snap-requests';\nimport { AuthenticationControllerMethodActions } from './AuthenticationController-method-action-types';\n\nconst controllerName = 'AuthenticationController';\n\n// State\nexport type AuthenticationControllerState = {\n isSignedIn: boolean;\n srpSessionData?: Record<string, LoginResponse>;\n /**\n * Client gate for profile pairing. Defaults to `true` (fresh install /\n * upgrade), set to `false` after a successful `performSignIn` pair, set\n * back to `true` via `requestProfilePairing()` when the SRP set changes,\n * and left `true` on pair failure so the next state shift retries.\n *\n * Optional in the type so partial-state selectors stay assignable to\n * `AuthenticationControllerState`. The controller seeds it via\n * `defaultState` at construction; consumers should read `undefined` as\n * `true` to mirror that runtime default.\n */\n needsProfilePairing?: boolean;\n};\nexport const defaultState: AuthenticationControllerState = {\n isSignedIn: false,\n needsProfilePairing: true,\n};\nconst metadata: StateMetadata<AuthenticationControllerState> = {\n isSignedIn: {\n includeInStateLogs: true,\n persist: true,\n includeInDebugSnapshot: true,\n usedInUi: true,\n },\n needsProfilePairing: {\n includeInStateLogs: true,\n persist: true,\n includeInDebugSnapshot: true,\n usedInUi: true,\n },\n srpSessionData: {\n // Remove access token from state logs\n includeInStateLogs: (srpSessionData) => {\n // Unreachable branch, included just to fix a type error for the case where this property is\n // unset. The type gets collapsed to include `| undefined` even though `undefined` is never\n // set here, because we don't yet use `exactOptionalPropertyTypes`.\n // TODO: Remove branch after enabling `exactOptionalPropertyTypes`\n // ref: https://github.com/MetaMask/core/issues/6565\n if (srpSessionData === null || srpSessionData === undefined) {\n return null;\n }\n return Object.entries(srpSessionData).reduce<Record<string, Json>>(\n (sanitizedSrpSessionData, [key, value]) => {\n const { accessToken: _unused, ...tokenWithoutAccessToken } =\n value.token;\n sanitizedSrpSessionData[key] = {\n ...value,\n token: tokenWithoutAccessToken,\n };\n return sanitizedSrpSessionData;\n },\n {},\n );\n },\n persist: true,\n includeInDebugSnapshot: false,\n usedInUi: true,\n },\n};\n\ntype ControllerConfig = {\n env: Env;\n};\n\nconst MESSENGER_EXPOSED_METHODS = [\n 'performSignIn',\n 'performSignOut',\n 'getBearerToken',\n 'getSessionProfile',\n 'refreshCanonicalProfileId',\n 'getUserProfileLineage',\n 'isSignedIn',\n 'requestProfilePairing',\n] as const;\n\nexport type Actions =\n | AuthenticationControllerGetStateAction\n | AuthenticationControllerMethodActions;\n\nexport type AuthenticationControllerGetStateAction = ControllerGetStateAction<\n typeof controllerName,\n AuthenticationControllerState\n>;\n\nexport type AuthenticationControllerStateChangeEvent =\n ControllerStateChangeEvent<\n typeof controllerName,\n AuthenticationControllerState\n >;\n\nexport type ProfileSignInInfo = {\n profileId: string;\n profileAliases: ProfileAlias[];\n profileIdChanged: boolean;\n};\n\nexport type AuthenticationControllerProfileSignInEvent = {\n type: `${typeof controllerName}:profileSignIn`;\n payload: [ProfileSignInInfo];\n};\n\nexport type Events =\n | AuthenticationControllerStateChangeEvent\n | AuthenticationControllerProfileSignInEvent;\n\n// Allowed Actions\ntype AllowedActions =\n | KeyringControllerGetStateAction\n | SnapControllerHandleRequestAction;\n\ntype AllowedEvents = KeyringControllerLockEvent | KeyringControllerUnlockEvent;\n\n// Messenger\nexport type AuthenticationControllerMessenger = Messenger<\n typeof controllerName,\n Actions | AllowedActions,\n Events | AllowedEvents\n>;\n\n/**\n * Controller that enables authentication for restricted endpoints.\n * Used for Backup & Sync, Notifications, and other services.\n */\nexport class AuthenticationController extends BaseController<\n typeof controllerName,\n AuthenticationControllerState,\n AuthenticationControllerMessenger\n> {\n readonly #metametrics: MetaMetricsAuth;\n\n readonly #auth: SRPInterface;\n\n readonly #config: ControllerConfig = {\n env: Env.PRD,\n };\n\n #isUnlocked = false;\n\n #cachedPrimaryEntropySourceId?: string;\n\n // Bumped by `requestProfilePairing`. `performSignIn` snapshots this\n // before its first await; if it changes mid-flight we must NOT clear\n // `needsProfilePairing` (the rearm signal wins).\n #profilePairingRequestEpoch = 0;\n\n readonly #keyringController = {\n setupLockedStateSubscriptions: () => {\n const { isUnlocked } = this.messenger.call('KeyringController:getState');\n this.#isUnlocked = isUnlocked;\n\n this.messenger.subscribe('KeyringController:unlock', () => {\n this.#isUnlocked = true;\n });\n\n this.messenger.subscribe('KeyringController:lock', () => {\n this.#isUnlocked = false;\n });\n },\n };\n\n constructor({\n messenger,\n state,\n config,\n metametrics,\n }: {\n messenger: AuthenticationControllerMessenger;\n state?: AuthenticationControllerState;\n config?: Partial<ControllerConfig>;\n /**\n * Not using the Messaging System as we\n * do not want to tie this strictly to extension\n */\n metametrics: MetaMetricsAuth;\n }) {\n super({\n messenger,\n metadata,\n name: controllerName,\n state: { ...defaultState, ...state },\n });\n\n if (!metametrics) {\n throw new Error('`metametrics` field is required');\n }\n\n this.#config = {\n ...this.#config,\n ...config,\n };\n\n this.#metametrics = metametrics;\n\n this.#auth = new JwtBearerAuth(\n {\n env: this.#config.env,\n platform: metametrics.agent,\n type: AuthType.SRP,\n },\n {\n storage: {\n getLoginResponse: this.#getLoginResponseFromState.bind(this),\n setLoginResponse: this.#setLoginResponseToState.bind(this),\n },\n signing: {\n getIdentifier: this.#snapGetPublicKey.bind(this),\n signMessage: this.#snapSignMessage.bind(this),\n },\n metametrics: this.#metametrics,\n },\n );\n\n this.#keyringController.setupLockedStateSubscriptions();\n\n this.messenger.registerMethodActionHandlers(\n this,\n MESSENGER_EXPOSED_METHODS,\n );\n }\n\n async #getLoginResponseFromState(\n entropySourceId?: string,\n ): Promise<LoginResponse | null> {\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n if (!this.state.srpSessionData?.[resolvedId]) {\n return null;\n }\n return this.state.srpSessionData[resolvedId];\n }\n\n async #setLoginResponseToState(\n loginResponse: LoginResponse,\n entropySourceId?: string,\n ) {\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n const metaMetricsId = await this.#metametrics.getMetaMetricsId();\n this.update((state) => {\n state.isSignedIn = true;\n if (!state.srpSessionData) {\n state.srpSessionData = {};\n }\n state.srpSessionData[resolvedId] = {\n ...loginResponse,\n profile: {\n ...loginResponse.profile,\n metaMetricsId,\n },\n };\n });\n }\n\n #assertIsUnlocked(methodName: string): void {\n if (!this.#isUnlocked) {\n throw new Error(`${methodName} - unable to proceed, wallet is locked`);\n }\n }\n\n async #getPrimaryEntropySourceId(): Promise<string> {\n if (this.#cachedPrimaryEntropySourceId) {\n return this.#cachedPrimaryEntropySourceId;\n }\n const allPublicKeys = await this.#snapGetAllPublicKeys();\n\n if (allPublicKeys.length === 0) {\n throw new Error(\n '#getPrimaryEntropySourceId - No entropy sources found from snap',\n );\n }\n\n const primaryId = allPublicKeys[0][0];\n if (!primaryId) {\n throw new Error(\n '#getPrimaryEntropySourceId - Primary entropy source ID is undefined',\n );\n }\n\n this.#cachedPrimaryEntropySourceId = primaryId;\n return this.#cachedPrimaryEntropySourceId;\n }\n\n public async performSignIn(): Promise<string[]> {\n this.#assertIsUnlocked('performSignIn');\n\n const epochAtStart = this.#profilePairingRequestEpoch;\n const allPublicKeys = await this.#snapGetAllPublicKeys();\n const accessTokens: string[] = [];\n\n // We iterate sequentially in order to be sure that the first entry\n // is the primary SRP LoginResponse.\n for (const [entropySourceId] of allPublicKeys) {\n const accessToken = await this.#auth.getAccessToken(entropySourceId);\n accessTokens.push(accessToken);\n }\n\n if (allPublicKeys.length < 2) {\n // Single-SRP wallet: nothing to pair.\n this.#tryClearNeedsProfilePairing(epochAtStart);\n } else {\n // Pair failures must not break sign-in; the gate stays `true` for retry.\n try {\n await this.#doPair(accessTokens, epochAtStart);\n } catch {\n // noop\n }\n }\n\n return accessTokens;\n }\n\n /**\n * Marks profile pairing as needed. Clients call this when the SRP set\n * changes (e.g. a new keyring was added) so the next auto-sign-in cycle\n * re-runs `performSignIn` and re-pairs.\n */\n public requestProfilePairing(): void {\n this.#profilePairingRequestEpoch += 1;\n if (!this.state.needsProfilePairing) {\n this.update((state) => {\n state.needsProfilePairing = true;\n });\n }\n }\n\n /**\n * Clears `needsProfilePairing` only if no `requestProfilePairing` call\n * landed since `epochAtStart` was captured. Prevents `performSignIn`\n * from silently overwriting a concurrent rearm.\n *\n * @param epochAtStart - Epoch value captured at the start of `performSignIn`.\n */\n #tryClearNeedsProfilePairing(epochAtStart: number): void {\n if (this.#profilePairingRequestEpoch !== epochAtStart) {\n return;\n }\n if (this.state.needsProfilePairing) {\n this.update((state) => {\n state.needsProfilePairing = false;\n });\n }\n }\n\n /**\n * Pairs all SRPs via `POST /profile/pair`, propagates the canonical\n * profile ID, clears `needsProfilePairing`, and emits\n * `AuthenticationController:profileSignIn` when the canonical changes or\n * new aliases are returned. Throws on failure.\n *\n * @param accessTokens - Per-SRP access tokens, primary first.\n * @param epochAtStart - Pairing-request epoch captured by the caller.\n * Used to skip the gate clear if `requestProfilePairing` ran while the\n * pair API call was in-flight.\n */\n async #doPair(accessTokens: string[], epochAtStart: number): Promise<void> {\n const previousCanonical = await this.#getCanonicalProfileId();\n\n const profileAliases = await this.#pairSrpProfiles(accessTokens);\n const newCanonical = await this.#getCanonicalProfileId();\n\n if (!newCanonical) {\n return;\n }\n\n this.#tryClearNeedsProfilePairing(epochAtStart);\n\n const profileIdChanged = previousCanonical !== newCanonical;\n const shouldEmitProfileSignInEvent =\n profileIdChanged || profileAliases.length > 0;\n\n if (shouldEmitProfileSignInEvent) {\n this.messenger.publish('AuthenticationController:profileSignIn', {\n profileId: newCanonical,\n profileAliases,\n profileIdChanged,\n });\n }\n }\n\n async #pairSrpProfiles(accessTokens: string[]): Promise<ProfileAlias[]> {\n if (accessTokens.length < 2) {\n return [];\n }\n const primaryAccessToken = accessTokens[0]; // Associated with primary SRP.\n const {\n profileAliases,\n profile: { canonicalProfileId },\n } = await this.#auth.pairSrpProfiles(accessTokens, primaryAccessToken);\n this.#propagateCanonical(canonicalProfileId);\n return profileAliases;\n }\n\n #propagateCanonical(canonicalProfileId: string): void {\n const { srpSessionData } = this.state;\n if (!srpSessionData) {\n return;\n }\n\n this.update((state) => {\n for (const entry of Object.values(state.srpSessionData ?? {})) {\n if (entry?.profile) {\n entry.profile.canonicalProfileId = canonicalProfileId;\n }\n }\n });\n }\n\n /**\n * Returns the canonical profile id from the primary SRP's cached session.\n * Returns `null` when no session exists yet for the primary SRP.\n *\n * Always reads from the primary SRP because the canonical is shared across\n * all paired SRPs after `#propagateCanonical`.\n *\n * @returns The canonical profile id, or `null` if unavailable.\n */\n async #getCanonicalProfileId(): Promise<string | null> {\n const primaryEntropySourceId = await this.#getPrimaryEntropySourceId();\n return (\n this.state.srpSessionData?.[primaryEntropySourceId]?.profile\n ?.canonicalProfileId ?? null\n );\n }\n\n public performSignOut(): void {\n this.#cachedPrimaryEntropySourceId = undefined;\n this.update((state) => {\n state.isSignedIn = false;\n state.srpSessionData = undefined;\n });\n }\n\n /**\n * Returns a bearer token for the specified SRP, logging in if needed.\n *\n * When called without `entropySourceId`, returns the primary (first) SRP's\n * access token, which is effectively the canonical\n * profile's token that can be used by alias-aware consumers for cross-SRP\n * operations.\n *\n * @param entropySourceId - The entropy source ID. Omit for the primary SRP.\n * @returns The OIDC access token.\n */\n public async getBearerToken(entropySourceId?: string): Promise<string> {\n this.#assertIsUnlocked('getBearerToken');\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n return await this.#auth.getAccessToken(resolvedId);\n }\n\n /**\n * Returns the cached session profile, logging in if no session exists.\n *\n * The returned `canonicalProfileId` reflects the value from the most recent\n * login or pairing. In the rare event where a canonical changed because of\n * a pairing that happened on another device, the cached value may be stale\n * until the next login. For guaranteed freshness, call\n * `refreshCanonicalProfileId()` before reading `canonicalProfileId`.\n *\n * @param entropySourceId - The entropy source ID used to derive the key,\n * when multiple sources are available (Multi-SRP).\n * @returns profile for the session.\n */\n public async getSessionProfile(\n entropySourceId?: string,\n ): Promise<UserProfile> {\n this.#assertIsUnlocked('getSessionProfile');\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n return await this.#auth.getUserProfile(resolvedId);\n }\n\n /**\n * Forces a fresh retrieval of the canonical profile ID from the server\n * and propagates it to all cached SRP sessions.\n *\n * This method invalidates the primary SRP's cached session and forces a\n * re-login. Use it before operations that require a guaranteed-fresh\n * canonical (e.g. storage key derivation for Accounts ADR 0005). For\n * best-effort reads, use\n * `getSessionProfile().canonicalProfileId` instead.\n *\n * Only the primary SRP is re-logged-in regardless of how many SRPs exist —\n * the server returns the current canonical for the entire pairing group\n * from any single SRP login.\n *\n * @returns The refreshed canonical profile ID.\n */\n public async refreshCanonicalProfileId(): Promise<string> {\n this.#assertIsUnlocked('refreshCanonicalProfileId');\n\n const primaryEntropySourceId = await this.#getPrimaryEntropySourceId();\n this.#invalidateSrpSession(primaryEntropySourceId);\n await this.#auth.getAccessToken(primaryEntropySourceId);\n\n const canonical = await this.#getCanonicalProfileId();\n if (!canonical) {\n throw new Error(\n 'refreshCanonicalProfileId - Unable to resolve canonical profile ID',\n );\n }\n\n this.#propagateCanonical(canonical);\n return canonical;\n }\n\n #invalidateSrpSession(entropySourceId: string): void {\n this.update((state) => {\n const entry = state.srpSessionData?.[entropySourceId];\n if (entry?.profile) {\n // Setting canonicalProfileId to '' forces a re-fetch on the next\n // #getAuthSession call. The falsy check (!auth.profile.canonicalProfileId)\n // treats '' the same as undefined/null — all signal an invalid session.\n entry.profile.canonicalProfileId = '';\n }\n });\n }\n\n public async getUserProfileLineage(\n entropySourceId?: string,\n ): Promise<UserProfileLineage> {\n this.#assertIsUnlocked('getUserProfileLineage');\n const resolvedId =\n entropySourceId ?? (await this.#getPrimaryEntropySourceId());\n return await this.#auth.getUserProfileLineage(resolvedId);\n }\n\n public isSignedIn(): boolean {\n return this.state.isSignedIn;\n }\n\n /**\n * Returns the auth snap public key.\n *\n * @param entropySourceId - The entropy source ID used to derive the key,\n * when multiple sources are available (Multi-SRP).\n * @returns The snap public key.\n */\n async #snapGetPublicKey(entropySourceId?: string): Promise<string> {\n this.#assertIsUnlocked('#snapGetPublicKey');\n\n const result = (await this.messenger.call(\n 'SnapController:handleRequest',\n createSnapPublicKeyRequest(entropySourceId),\n )) as string;\n\n return result;\n }\n\n /**\n * Returns a mapping of entropy source IDs to auth snap public keys.\n *\n * @returns A mapping of entropy source IDs to public keys.\n */\n async #snapGetAllPublicKeys(): Promise<[string, string][]> {\n this.#assertIsUnlocked('#snapGetAllPublicKeys');\n\n const result = (await this.messenger.call(\n 'SnapController:handleRequest',\n createSnapAllPublicKeysRequest(),\n )) as [string, string][];\n\n return result;\n }\n\n #_snapSignMessageCache: Record<`metamask:${string}`, string> = {};\n\n /**\n * Signs a specific message using an underlying auth snap.\n *\n * @param message - A specific tagged message to sign.\n * @param entropySourceId - The entropy source ID used to derive the key,\n * when multiple sources are available (Multi-SRP).\n * @returns A Signature created by the snap.\n */\n async #snapSignMessage(\n message: string,\n entropySourceId?: string,\n ): Promise<string> {\n assertMessageStartsWithMetamask(message);\n\n if (this.#_snapSignMessageCache[message]) {\n return this.#_snapSignMessageCache[message];\n }\n\n this.#assertIsUnlocked('#snapSignMessage');\n\n const result = (await this.messenger.call(\n 'SnapController:handleRequest',\n createSnapSignMessageRequest(message, entropySourceId),\n )) as string;\n\n this.#_snapSignMessageCache[message] = result;\n\n return result;\n }\n}\n"]}
package/dist/controllers/authentication/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.cjs","sourceRoot":"","sources":["../../../src/controllers/authentication/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,6EAAsE;AAEjC,2FAF5B,mDAAwB,OAEc;AAC/C,kBAAe,mDAAwB,CAAC;AACxC,iEAA2C;AAC3C,2DAAiC","sourcesContent":["import { AuthenticationController } from './AuthenticationController';\n\nexport { AuthenticationController as Controller };\nexport default AuthenticationController;\nexport * from './AuthenticationController';\nexport * as Mocks from './mocks';\n\nexport type {\n AuthenticationControllerPerformSignInAction,\n AuthenticationControllerPerformSignOutAction,\n AuthenticationControllerGetBearerTokenAction,\n AuthenticationControllerGetSessionProfileAction,\n AuthenticationControllerRefreshCanonicalProfileIdAction,\n AuthenticationControllerGetUserProfileLineageAction,\n AuthenticationControllerIsSignedInAction,\n} from './AuthenticationController-method-action-types';\n"]}
1
+ {"version":3,"file":"index.cjs","sourceRoot":"","sources":["../../../src/controllers/authentication/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,6EAAsE;AAEjC,2FAF5B,mDAAwB,OAEc;AAC/C,kBAAe,mDAAwB,CAAC;AACxC,iEAA2C;AAC3C,2DAAiC","sourcesContent":["import { AuthenticationController } from './AuthenticationController';\n\nexport { AuthenticationController as Controller };\nexport default AuthenticationController;\nexport * from './AuthenticationController';\nexport * as Mocks from './mocks';\n\nexport type {\n AuthenticationControllerPerformSignInAction,\n AuthenticationControllerPerformSignOutAction,\n AuthenticationControllerGetBearerTokenAction,\n AuthenticationControllerGetSessionProfileAction,\n AuthenticationControllerRefreshCanonicalProfileIdAction,\n AuthenticationControllerGetUserProfileLineageAction,\n AuthenticationControllerIsSignedInAction,\n AuthenticationControllerRequestProfilePairingAction,\n} from './AuthenticationController-method-action-types';\n"]}
package/dist/controllers/authentication/index.d.cts CHANGED
@@ -3,5 +3,5 @@ export { AuthenticationController as Controller };
3
3
  export default AuthenticationController;
4
4
  export * from "./AuthenticationController.cjs";
5
5
  export * as Mocks from "./mocks/index.cjs";
6
- export type { AuthenticationControllerPerformSignInAction, AuthenticationControllerPerformSignOutAction, AuthenticationControllerGetBearerTokenAction, AuthenticationControllerGetSessionProfileAction, AuthenticationControllerRefreshCanonicalProfileIdAction, AuthenticationControllerGetUserProfileLineageAction, AuthenticationControllerIsSignedInAction, } from "./AuthenticationController-method-action-types.cjs";
6
+ export type { AuthenticationControllerPerformSignInAction, AuthenticationControllerPerformSignOutAction, AuthenticationControllerGetBearerTokenAction, AuthenticationControllerGetSessionProfileAction, AuthenticationControllerRefreshCanonicalProfileIdAction, AuthenticationControllerGetUserProfileLineageAction, AuthenticationControllerIsSignedInAction, AuthenticationControllerRequestProfilePairingAction, } from "./AuthenticationController-method-action-types.cjs";
7
7
  //# sourceMappingURL=index.d.cts.map
package/dist/controllers/authentication/index.d.cts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.cts","sourceRoot":"","sources":["../../../src/controllers/authentication/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAE,uCAAmC;AAEtE,OAAO,EAAE,wBAAwB,IAAI,UAAU,EAAE,CAAC;AAClD,eAAe,wBAAwB,CAAC;AACxC,+CAA2C;AAC3C,OAAO,KAAK,KAAK,0BAAgB;AAEjC,YAAY,EACV,2CAA2C,EAC3C,4CAA4C,EAC5C,4CAA4C,EAC5C,+CAA+C,EAC/C,uDAAuD,EACvD,mDAAmD,EACnD,wCAAwC,GACzC,2DAAuD"}
1
+ {"version":3,"file":"index.d.cts","sourceRoot":"","sources":["../../../src/controllers/authentication/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAE,uCAAmC;AAEtE,OAAO,EAAE,wBAAwB,IAAI,UAAU,EAAE,CAAC;AAClD,eAAe,wBAAwB,CAAC;AACxC,+CAA2C;AAC3C,OAAO,KAAK,KAAK,0BAAgB;AAEjC,YAAY,EACV,2CAA2C,EAC3C,4CAA4C,EAC5C,4CAA4C,EAC5C,+CAA+C,EAC/C,uDAAuD,EACvD,mDAAmD,EACnD,wCAAwC,EACxC,mDAAmD,GACpD,2DAAuD"}
package/dist/controllers/authentication/index.d.mts CHANGED
@@ -3,5 +3,5 @@ export { AuthenticationController as Controller };
3
3
  export default AuthenticationController;
4
4
  export * from "./AuthenticationController.mjs";
5
5
  export * as Mocks from "./mocks/index.mjs";
6
- export type { AuthenticationControllerPerformSignInAction, AuthenticationControllerPerformSignOutAction, AuthenticationControllerGetBearerTokenAction, AuthenticationControllerGetSessionProfileAction, AuthenticationControllerRefreshCanonicalProfileIdAction, AuthenticationControllerGetUserProfileLineageAction, AuthenticationControllerIsSignedInAction, } from "./AuthenticationController-method-action-types.mjs";
6
+ export type { AuthenticationControllerPerformSignInAction, AuthenticationControllerPerformSignOutAction, AuthenticationControllerGetBearerTokenAction, AuthenticationControllerGetSessionProfileAction, AuthenticationControllerRefreshCanonicalProfileIdAction, AuthenticationControllerGetUserProfileLineageAction, AuthenticationControllerIsSignedInAction, AuthenticationControllerRequestProfilePairingAction, } from "./AuthenticationController-method-action-types.mjs";
7
7
  //# sourceMappingURL=index.d.mts.map
package/dist/controllers/authentication/index.d.mts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.mts","sourceRoot":"","sources":["../../../src/controllers/authentication/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAE,uCAAmC;AAEtE,OAAO,EAAE,wBAAwB,IAAI,UAAU,EAAE,CAAC;AAClD,eAAe,wBAAwB,CAAC;AACxC,+CAA2C;AAC3C,OAAO,KAAK,KAAK,0BAAgB;AAEjC,YAAY,EACV,2CAA2C,EAC3C,4CAA4C,EAC5C,4CAA4C,EAC5C,+CAA+C,EAC/C,uDAAuD,EACvD,mDAAmD,EACnD,wCAAwC,GACzC,2DAAuD"}
1
+ {"version":3,"file":"index.d.mts","sourceRoot":"","sources":["../../../src/controllers/authentication/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAE,uCAAmC;AAEtE,OAAO,EAAE,wBAAwB,IAAI,UAAU,EAAE,CAAC;AAClD,eAAe,wBAAwB,CAAC;AACxC,+CAA2C;AAC3C,OAAO,KAAK,KAAK,0BAAgB;AAEjC,YAAY,EACV,2CAA2C,EAC3C,4CAA4C,EAC5C,4CAA4C,EAC5C,+CAA+C,EAC/C,uDAAuD,EACvD,mDAAmD,EACnD,wCAAwC,EACxC,mDAAmD,GACpD,2DAAuD"}
package/dist/controllers/authentication/index.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.mjs","sourceRoot":"","sources":["../../../src/controllers/authentication/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAE,uCAAmC;AAEtE,OAAO,EAAE,wBAAwB,IAAI,UAAU,EAAE,CAAC;AAClD,eAAe,wBAAwB,CAAC;AACxC,+CAA2C;AAC3C,OAAO,KAAK,KAAK,0BAAgB","sourcesContent":["import { AuthenticationController } from './AuthenticationController';\n\nexport { AuthenticationController as Controller };\nexport default AuthenticationController;\nexport * from './AuthenticationController';\nexport * as Mocks from './mocks';\n\nexport type {\n AuthenticationControllerPerformSignInAction,\n AuthenticationControllerPerformSignOutAction,\n AuthenticationControllerGetBearerTokenAction,\n AuthenticationControllerGetSessionProfileAction,\n AuthenticationControllerRefreshCanonicalProfileIdAction,\n AuthenticationControllerGetUserProfileLineageAction,\n AuthenticationControllerIsSignedInAction,\n} from './AuthenticationController-method-action-types';\n"]}
1
+ {"version":3,"file":"index.mjs","sourceRoot":"","sources":["../../../src/controllers/authentication/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAE,uCAAmC;AAEtE,OAAO,EAAE,wBAAwB,IAAI,UAAU,EAAE,CAAC;AAClD,eAAe,wBAAwB,CAAC;AACxC,+CAA2C;AAC3C,OAAO,KAAK,KAAK,0BAAgB","sourcesContent":["import { AuthenticationController } from './AuthenticationController';\n\nexport { AuthenticationController as Controller };\nexport default AuthenticationController;\nexport * from './AuthenticationController';\nexport * as Mocks from './mocks';\n\nexport type {\n AuthenticationControllerPerformSignInAction,\n AuthenticationControllerPerformSignOutAction,\n AuthenticationControllerGetBearerTokenAction,\n AuthenticationControllerGetSessionProfileAction,\n AuthenticationControllerRefreshCanonicalProfileIdAction,\n AuthenticationControllerGetUserProfileLineageAction,\n AuthenticationControllerIsSignedInAction,\n AuthenticationControllerRequestProfilePairingAction,\n} from './AuthenticationController-method-action-types';\n"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@metamask-previews/profile-sync-controller",
3
- "version": "28.0.2-preview-60ee344a5",
3
+ "version": "28.0.2-preview-684720652",
4
4
  "description": "The profile sync helps developers synchronize data across multiple clients and devices in a privacy-preserving way. All data saved in the user storage database is encrypted client-side to preserve privacy. The user storage provides a modular design, giving developers the flexibility to construct and manage their storage spaces in a way that best suits their needs",
5
5
  "keywords": [
6
6
  "Ethereum",