@metamask-previews/seedless-onboarding-controller 5.0.0-preview-fb233ab2 → 5.0.0-preview-dc6dbaa5

package/CHANGELOG.md

@@ -7,6 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Added new public method, `checkIsSeedlessOnboardingUserAuthenticated` to validate the controller authenticate tokens state. ([#6998](https://github.com/MetaMask/core/pull/6998))
+
+### Changed
+
+- **BREAKING** Update `refreshToken` and `revokeToken` params as required in `Authenticate` method. ([#6998](https://github.com/MetaMask/core/pull/6998))
+- Refactor `refreshAuthTokens` method, separately catch refreshJWTToken and authenticate errors. ([#6998](https://github.com/MetaMask/core/pull/6998))
+- Bump `@metamask/toprf-secure-backup` package to `0.9.0`. ([#6998](https://github.com/MetaMask/core/pull/6998))
+
+### Fixed
+
+- Fixed `Invalid Access Token` error during rehydration. ([#6998](https://github.com/MetaMask/core/pull/6998))
+
 ## [5.0.0]
 
 ### Changed

package/dist/SeedlessOnboardingController.cjs

@@ -10,7 +10,7 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
 };
-var _SeedlessOnboardingController_instances, _SeedlessOnboardingController_vaultEncryptor, _SeedlessOnboardingController_controllerOperationMutex, _SeedlessOnboardingController_vaultOperationMutex, _SeedlessOnboardingController_refreshJWTToken, _SeedlessOnboardingController_revokeRefreshToken, _SeedlessOnboardingController_renewRefreshToken, _SeedlessOnboardingController_passwordOutdatedCacheTTL, _SeedlessOnboardingController_isUnlocked, _SeedlessOnboardingController_cachedDecryptedVaultData, _SeedlessOnboardingController_submitGlobalPassword, _SeedlessOnboardingController_getAccessToken, _SeedlessOnboardingController_setUnlocked, _SeedlessOnboardingController_persistOprfKey, _SeedlessOnboardingController_persistAuthPubKey, _SeedlessOnboardingController_storeKeyringEncryptionKey, _SeedlessOnboardingController_loadKeyringEncryptionKey, _SeedlessOnboardingController_loadSeedlessEncryptionKey, _SeedlessOnboardingController_recoverAuthPubKey, _SeedlessOnboardingController_recoverEncKey, _SeedlessOnboardingController_fetchAllSecretDataFromMetadataStore, _SeedlessOnboardingController_changeEncryptionKey, _SeedlessOnboardingController_encryptAndStoreSecretData, _SeedlessOnboardingController_unlockVaultAndGetVaultData, _SeedlessOnboardingController_decryptAndParseVaultData, _SeedlessOnboardingController_withPersistedSecretMetadataBackupsState, _SeedlessOnboardingController_filterDupesAndUpdateSocialBackupsMetadata, _SeedlessOnboardingController_createNewVaultWithAuthData, _SeedlessOnboardingController_updateVault, _SeedlessOnboardingController_withControllerLock, _SeedlessOnboardingController_withVaultLock, _SeedlessOnboardingController_parseVaultData, _SeedlessOnboardingController_assertIsUnlocked, _SeedlessOnboardingController_assertIsAuthenticatedUser, _SeedlessOnboardingController_assertIsSRPBackedUpUser, _SeedlessOnboardingController_assertPasswordInSync, _SeedlessOnboardingController_resetPasswordOutdatedCache, _SeedlessOnboardingController_addRefreshTokenToRevokeList, _SeedlessOnboardingController_isTokenExpiredError, _SeedlessOnboardingController_isMaxKeyChainLengthError, _SeedlessOnboardingController_executeWithTokenRefresh;
+var _SeedlessOnboardingController_instances, _SeedlessOnboardingController_vaultEncryptor, _SeedlessOnboardingController_controllerOperationMutex, _SeedlessOnboardingController_vaultOperationMutex, _SeedlessOnboardingController_refreshJWTToken, _SeedlessOnboardingController_revokeRefreshToken, _SeedlessOnboardingController_renewRefreshToken, _SeedlessOnboardingController_passwordOutdatedCacheTTL, _SeedlessOnboardingController_isUnlocked, _SeedlessOnboardingController_cachedDecryptedVaultData, _SeedlessOnboardingController_submitGlobalPassword, _SeedlessOnboardingController_setUnlocked, _SeedlessOnboardingController_persistOprfKey, _SeedlessOnboardingController_persistAuthPubKey, _SeedlessOnboardingController_storeKeyringEncryptionKey, _SeedlessOnboardingController_loadKeyringEncryptionKey, _SeedlessOnboardingController_loadSeedlessEncryptionKey, _SeedlessOnboardingController_recoverAuthPubKey, _SeedlessOnboardingController_recoverEncKey, _SeedlessOnboardingController_fetchAllSecretDataFromMetadataStore, _SeedlessOnboardingController_changeEncryptionKey, _SeedlessOnboardingController_encryptAndStoreSecretData, _SeedlessOnboardingController_unlockVaultAndGetVaultData, _SeedlessOnboardingController_decryptAndParseVaultData, _SeedlessOnboardingController_withPersistedSecretMetadataBackupsState, _SeedlessOnboardingController_filterDupesAndUpdateSocialBackupsMetadata, _SeedlessOnboardingController_createNewVaultWithAuthData, _SeedlessOnboardingController_updateVault, _SeedlessOnboardingController_withControllerLock, _SeedlessOnboardingController_withVaultLock, _SeedlessOnboardingController_parseVaultData, _SeedlessOnboardingController_assertIsUnlocked, _SeedlessOnboardingController_assertIsAuthenticatedUser, _SeedlessOnboardingController_assertIsSRPBackedUpUser, _SeedlessOnboardingController_assertPasswordInSync, _SeedlessOnboardingController_resetPasswordOutdatedCache, _SeedlessOnboardingController_addRefreshTokenToRevokeList, _SeedlessOnboardingController_isAuthTokenError, _SeedlessOnboardingController_isMaxKeyChainLengthError, _SeedlessOnboardingController_executeWithTokenRefresh;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SeedlessOnboardingController = exports.getInitialSeedlessOnboardingControllerStateWithDefaults = void 0;
 const auth_network_utils_1 = require("@metamask/auth-network-utils");
@@ -297,14 +297,10 @@ class SeedlessOnboardingController extends base_controller_1.BaseController {
                     state.authConnection = authConnection;
                     state.socialLoginEmail = socialLoginEmail;
                     state.metadataAccessToken = metadataAccessToken;
+                    state.refreshToken = refreshToken;
+                    // Temporarily store revoke token & access token in state for later vault creation
+                    state.revokeToken = revokeToken;
                     state.accessToken = accessToken;
-                    if (refreshToken) {
-                        state.refreshToken = refreshToken;
-                    }
-                    if (revokeToken) {
-                        // Temporarily store revoke token in state for later vault creation
-                        state.revokeToken = revokeToken;
-                    }
                     // we will check if the controller state is properly set with the authenticated user info
                     // before setting the isSeedlessOnboardingUserAuthenticated to true
                     (0, assertions_1.assertIsSeedlessOnboardingUserAuthenticated)(state);
@@ -406,26 +402,26 @@ class SeedlessOnboardingController extends base_controller_1.BaseController {
      */
     async fetchAllSecretData(password) {
         return await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_withControllerLock).call(this, async () => {
-            // assert that the user is authenticated before fetching the secret data
-            __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_assertIsAuthenticatedUser).call(this, this.state);
-            let encKey;
-            let pwEncKey;
-            let authKeyPair;
-            if (password) {
-                const recoverEncKeyResult = await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_recoverEncKey).call(this, password);
-                encKey = recoverEncKeyResult.encKey;
-                pwEncKey = recoverEncKeyResult.pwEncKey;
-                authKeyPair = recoverEncKeyResult.authKeyPair;
-            }
-            else {
-                __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_assertIsUnlocked).call(this);
-                // verify the password and unlock the vault
-                const keysFromVault = await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_unlockVaultAndGetVaultData).call(this);
-                encKey = keysFromVault.toprfEncryptionKey;
-                pwEncKey = keysFromVault.toprfPwEncryptionKey;
-                authKeyPair = keysFromVault.toprfAuthKeyPair;
-            }
-            const performFetch = async () => {
+            return await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_executeWithTokenRefresh).call(this, async () => {
+                // assert that the user is authenticated before fetching the secret data
+                __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_assertIsAuthenticatedUser).call(this, this.state);
+                let encKey;
+                let pwEncKey;
+                let authKeyPair;
+                if (password) {
+                    const recoverEncKeyResult = await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_recoverEncKey).call(this, password);
+                    encKey = recoverEncKeyResult.encKey;
+                    pwEncKey = recoverEncKeyResult.pwEncKey;
+                    authKeyPair = recoverEncKeyResult.authKeyPair;
+                }
+                else {
+                    __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_assertIsUnlocked).call(this);
+                    // verify the password and unlock the vault
+                    const keysFromVault = await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_unlockVaultAndGetVaultData).call(this);
+                    encKey = keysFromVault.toprfEncryptionKey;
+                    pwEncKey = keysFromVault.toprfPwEncryptionKey;
+                    authKeyPair = keysFromVault.toprfAuthKeyPair;
+                }
                 const secrets = await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_fetchAllSecretDataFromMetadataStore).call(this, encKey, authKeyPair);
                 if (password) {
                     // if password is provided, we need to create a new vault with the auth data. (supposedly the user is trying to rehydrate the wallet)
@@ -437,8 +433,7 @@ class SeedlessOnboardingController extends base_controller_1.BaseController {
                     });
                 }
                 return secrets;
-            };
-            return await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_executeWithTokenRefresh).call(this, performFetch, 'fetchAllSecretData');
+            }, 'fetchAllSecretData');
         });
     }
     /**
@@ -634,7 +629,6 @@ class SeedlessOnboardingController extends base_controller_1.BaseController {
      */
     async checkIsPasswordOutdated(options) {
         const doCheckIsPasswordExpired = async () => {
-            __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_assertIsAuthenticatedUser).call(this, this.state);
             // cache result to reduce load on infra
             // Check cache first unless skipCache is true
             if (!options?.skipCache) {
@@ -647,6 +641,7 @@ class SeedlessOnboardingController extends base_controller_1.BaseController {
                     return passwordOutdatedCache.isExpiredPwd;
                 }
             }
+            (0, assertions_1.assertIsAuthUserInfoValid)(this.state);
             const { nodeAuthTokens, authConnectionId, groupedAuthConnectionId, userId, } = this.state;
             const currentDeviceAuthPubKey = __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_recoverAuthPubKey).call(this);
             let globalAuthPubKey = options?.globalAuthPubKey;
@@ -676,6 +671,25 @@ class SeedlessOnboardingController extends base_controller_1.BaseController {
             ? await doCheckIsPasswordExpired()
             : await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_withControllerLock).call(this, doCheckIsPasswordExpired), 'checkIsPasswordOutdated');
     }
+    /**
+     * Check if the user is authenticated with the seedless onboarding flow by checking the token values in the state.
+     *
+     * @returns True if the user is authenticated, false otherwise.
+     */
+    async checkIsSeedlessOnboardingUserAuthenticated() {
+        let isAuthenticated = false;
+        try {
+            (0, assertions_1.assertIsSeedlessOnboardingUserAuthenticated)(this.state);
+            isAuthenticated = true;
+        }
+        catch {
+            isAuthenticated = false;
+        }
+        this.update((state) => {
+            state.isSeedlessOnboardingUserAuthenticated = isAuthenticated;
+        });
+        return isAuthenticated;
+    }
     /**
      * Clears the current state of the SeedlessOnboardingController.
      */
@@ -715,12 +729,15 @@ class SeedlessOnboardingController extends base_controller_1.BaseController {
      */
     async refreshAuthTokens() {
         __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_assertIsAuthenticatedUser).call(this, this.state);
-        const { refreshToken } = this.state;
+        const { refreshToken, revokeToken } = this.state;
+        const res = await __classPrivateFieldGet(this, _SeedlessOnboardingController_refreshJWTToken, "f").call(this, {
+            connection: this.state.authConnection,
+            refreshToken,
+        }).catch((error) => {
+            log('Error refreshing JWT tokens', error);
+            throw new Error(constants_1.SeedlessOnboardingControllerErrorMessage.FailedToRefreshJWTTokens);
+        });
         try {
-            const res = await __classPrivateFieldGet(this, _SeedlessOnboardingController_refreshJWTToken, "f").call(this, {
-                connection: this.state.authConnection,
-                refreshToken,
-            });
             const { idTokens, accessToken, metadataAccessToken } = res;
             // re-authenticate with the new id tokens to set new node auth tokens
             await this.authenticate({
@@ -731,6 +748,8 @@ class SeedlessOnboardingController extends base_controller_1.BaseController {
                 authConnectionId: this.state.authConnectionId,
                 groupedAuthConnectionId: this.state.groupedAuthConnectionId,
                 userId: this.state.userId,
+                refreshToken,
+                revokeToken,
                 skipLock: true,
             });
         }
@@ -868,9 +887,6 @@ class SeedlessOnboardingController extends base_controller_1.BaseController {
         try {
             __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_assertIsAuthenticatedUser).call(this, this.state);
             const { accessToken } = this.state;
-            if (!accessToken) {
-                return true; // Consider missing token as expired
-            }
             const decodedToken = (0, utils_3.decodeJWTToken)(accessToken);
             return decodedToken.exp < Math.floor(Date.now() / 1000);
         }
@@ -912,7 +928,7 @@ async function _SeedlessOnboardingController_submitGlobalPassword({ targetAuthPu
         __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_setUnlocked).call(this);
     }
     catch (error) {
-        if (__classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_isTokenExpiredError).call(this, error)) {
+        if (__classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_isAuthTokenError).call(this, error)) {
             throw error;
         }
         if (__classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_isMaxKeyChainLengthError).call(this, error)) {
@@ -920,30 +936,6 @@ async function _SeedlessOnboardingController_submitGlobalPassword({ targetAuthPu
         }
         throw errors_1.PasswordSyncError.getInstance(error);
     }
-}, _SeedlessOnboardingController_getAccessToken = 
-/**
- * Get the access token from the state or the vault.
- * If the access token is not in the state, it will be retrieved from the vault by decrypting it with the password.
- *
- * If both the access token and the vault are not available, an error will be thrown.
- *
- * @param password - The optional password to unlock the vault. If not provided, the access token will be retrieved from the vault.
- * @returns The access token.
- */
-async function _SeedlessOnboardingController_getAccessToken(password) {
-    const { accessToken, vault } = this.state;
-    if (accessToken) {
-        // if the access token is in the state, return it
-        return accessToken;
-    }
-    // otherwise, check the vault availability and decrypt the access token from the vault
-    if (!vault) {
-        throw new Error(constants_1.SeedlessOnboardingControllerErrorMessage.InvalidAccessToken);
-    }
-    const { vaultData } = await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_decryptAndParseVaultData).call(this, {
-        password,
-    });
-    return vaultData.accessToken;
 }, _SeedlessOnboardingController_setUnlocked = function _SeedlessOnboardingController_setUnlocked() {
     __classPrivateFieldSet(this, _SeedlessOnboardingController_isUnlocked, true, "f");
 }, _SeedlessOnboardingController_persistOprfKey = 
@@ -968,7 +960,7 @@ async function _SeedlessOnboardingController_persistOprfKey(oprfKey, authPubKey)
         });
     }
     catch (error) {
-        if (__classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_isTokenExpiredError).call(this, error)) {
+        if (__classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_isAuthTokenError).call(this, error)) {
             throw error;
         }
         log('Error persisting local encryption key', error);
@@ -1032,11 +1024,11 @@ async function _SeedlessOnboardingController_loadSeedlessEncryptionKey(encKey) {
  * @throws RecoveryError - If failed to recover the encryption key.
  */
 async function _SeedlessOnboardingController_recoverEncKey(password) {
-    __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_assertIsAuthenticatedUser).call(this, this.state);
-    const { authConnectionId, groupedAuthConnectionId, userId } = this.state;
+    (0, assertions_1.assertIsAuthUserInfoValid)(this.state);
+    const { nodeAuthTokens, authConnectionId, groupedAuthConnectionId, userId, } = this.state;
     try {
         const recoverEncKeyResult = await this.toprfClient.recoverEncKey({
-            nodeAuthTokens: this.state.nodeAuthTokens,
+            nodeAuthTokens,
             password,
             authConnectionId,
             groupedAuthConnectionId,
@@ -1046,7 +1038,7 @@ async function _SeedlessOnboardingController_recoverEncKey(password) {
     }
     catch (error) {
         // throw token expired error for token refresh handler
-        if (__classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_isTokenExpiredError).call(this, error)) {
+        if (__classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_isAuthTokenError).call(this, error)) {
             throw error;
         }
         throw errors_1.RecoveryError.getInstance(error);
@@ -1062,7 +1054,7 @@ async function _SeedlessOnboardingController_recoverEncKey(password) {
     }
     catch (error) {
         log('Error fetching secret data', error);
-        if (__classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_isTokenExpiredError).call(this, error)) {
+        if (__classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_isAuthTokenError).call(this, error)) {
             throw error;
         }
         throw new Error(constants_1.SeedlessOnboardingControllerErrorMessage.FailedToFetchSecretMetadata);
@@ -1166,7 +1158,7 @@ async function _SeedlessOnboardingController_encryptAndStoreSecretData(params) {
         });
     }
     catch (error) {
-        if (__classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_isTokenExpiredError).call(this, error)) {
+        if (__classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_isAuthTokenError).call(this, error)) {
             throw error;
         }
         log('Error encrypting and storing secret data backup', error);
@@ -1323,8 +1315,7 @@ async function _SeedlessOnboardingController_withPersistedSecretMetadataBackupsS
  */
 async function _SeedlessOnboardingController_createNewVaultWithAuthData({ password, rawToprfEncryptionKey, rawToprfPwEncryptionKey, rawToprfAuthKeyPair, }) {
     __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_assertIsAuthenticatedUser).call(this, this.state);
-    const { revokeToken } = this.state;
-    const accessToken = await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_getAccessToken).call(this, password);
+    const { revokeToken, accessToken } = this.state;
     const vaultData = {
         toprfAuthKeyPair: rawToprfAuthKeyPair,
         toprfEncryptionKey: rawToprfEncryptionKey,
@@ -1475,10 +1466,13 @@ async function _SeedlessOnboardingController_assertPasswordInSync(options) {
             { refreshToken, revokeToken },
         ];
     });
-}, _SeedlessOnboardingController_isTokenExpiredError = function _SeedlessOnboardingController_isTokenExpiredError(error) {
+}, _SeedlessOnboardingController_isAuthTokenError = function _SeedlessOnboardingController_isAuthTokenError(error) {
     if (error instanceof toprf_secure_backup_1.TOPRFError) {
+        return (
         // eslint-disable-next-line @typescript-eslint/no-unsafe-enum-comparison
-        return error.code === toprf_secure_backup_1.TOPRFErrorCode.AuthTokenExpired;
+        error.code === toprf_secure_backup_1.TOPRFErrorCode.AuthTokenExpired ||
+            // eslint-disable-next-line @typescript-eslint/no-unsafe-enum-comparison
+            error.code === toprf_secure_backup_1.TOPRFErrorCode.InvalidAuthToken);
     }
     return false;
 }, _SeedlessOnboardingController_isMaxKeyChainLengthError = function _SeedlessOnboardingController_isMaxKeyChainLengthError(error) {
@@ -1521,7 +1515,7 @@ async function _SeedlessOnboardingController_executeWithTokenRefresh(operation,
     }
     catch (error) {
         // Check if this is a token expiration error
-        if (__classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_isTokenExpiredError).call(this, error)) {
+        if (__classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_isAuthTokenError).call(this, error)) {
             log(`Token expired during ${operationName}, attempting to refresh tokens`, error);
             try {
                 // Refresh the tokens