@metamask-previews/seedless-onboarding-controller 7.1.0-preview-2aeb1204 → 7.1.0-preview-40468f94

package/CHANGELOG.md

@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- **BREAKING** The `encryptor` constructor param requires `encryptWithKey` method. ([#7800](https://github.com/MetaMask/core/pull/7800))
+  - The method is to encrypt the vault with cached encryption key while the wallet is unlocked.
+- Added new public method, `getAccessToken`. ([#7800](https://github.com/MetaMask/core/pull/7800))
+  - Clients can use this method to get `accessToken` from the controller, instead of directly accessing from the state.
+  - This method also adds refresh token mechanism when `accessToken` is expired, hence preventing expired token usage in the clients.
+
 ### Changed
 
 - Update StateMetadata's `includeInStateLogs` property. ([#7750](https://github.com/MetaMask/core/pull/7750))
@@ -14,6 +22,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Bump `@metamask/keyring-controller` from `^25.0.0` to `^25.1.0` ([#7713](https://github.com/MetaMask/core/pull/7713))
 - Upgrade `@metamask/utils` from `^11.8.1` to `^11.9.0` ([#7511](https://github.com/MetaMask/core/pull/7511))
 
+### Fixed
+
+- Fixed new `accessToken` not being persisted in the vault after the token refresh. ([#7800](https://github.com/MetaMask/core/pull/7800))
+
 ## [7.1.0]
 
 ### Added

package/dist/SeedlessOnboardingController.cjs

@@ -10,11 +10,12 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
 };
-var _SeedlessOnboardingController_instances, _SeedlessOnboardingController_vaultEncryptor, _SeedlessOnboardingController_controllerOperationMutex, _SeedlessOnboardingController_vaultOperationMutex, _SeedlessOnboardingController_refreshJWTToken, _SeedlessOnboardingController_revokeRefreshToken, _SeedlessOnboardingController_renewRefreshToken, _SeedlessOnboardingController_passwordOutdatedCacheTTL, _SeedlessOnboardingController_isUnlocked, _SeedlessOnboardingController_cachedDecryptedVaultData, _SeedlessOnboardingController_submitGlobalPassword, _SeedlessOnboardingController_setUnlocked, _SeedlessOnboardingController_persistOprfKey, _SeedlessOnboardingController_persistAuthPubKey, _SeedlessOnboardingController_storeKeyringEncryptionKey, _SeedlessOnboardingController_loadKeyringEncryptionKey, _SeedlessOnboardingController_loadSeedlessEncryptionKey, _SeedlessOnboardingController_recoverAuthPubKey, _SeedlessOnboardingController_recoverEncKey, _SeedlessOnboardingController_fetchAllSecretDataFromMetadataStore, _SeedlessOnboardingController_changeEncryptionKey, _SeedlessOnboardingController_encryptAndStoreSecretData, _SeedlessOnboardingController_unlockVaultAndGetVaultData, _SeedlessOnboardingController_decryptAndParseVaultData, _SeedlessOnboardingController_withPersistedSecretMetadataBackupsState, _SeedlessOnboardingController_filterDupesAndUpdateSocialBackupsMetadata, _SeedlessOnboardingController_createNewVaultWithAuthData, _SeedlessOnboardingController_updateVault, _SeedlessOnboardingController_getAccessTokenAndRevokeToken, _SeedlessOnboardingController_withControllerLock, _SeedlessOnboardingController_withVaultLock, _SeedlessOnboardingController_parseVaultData, _SeedlessOnboardingController_assertIsUnlocked, _SeedlessOnboardingController_assertIsAuthenticatedUser, _SeedlessOnboardingController_assertPasswordInSync, _SeedlessOnboardingController_resetPasswordOutdatedCache, _SeedlessOnboardingController_addRefreshTokenToRevokeList, _SeedlessOnboardingController_isAuthTokenError, _SeedlessOnboardingController_isMaxKeyChainLengthError, _SeedlessOnboardingController_executeWithTokenRefresh;
+var _SeedlessOnboardingController_instances, _SeedlessOnboardingController_vaultEncryptor, _SeedlessOnboardingController_controllerOperationMutex, _SeedlessOnboardingController_vaultOperationMutex, _SeedlessOnboardingController_refreshJWTToken, _SeedlessOnboardingController_revokeRefreshToken, _SeedlessOnboardingController_renewRefreshToken, _SeedlessOnboardingController_passwordOutdatedCacheTTL, _SeedlessOnboardingController_isUnlocked, _SeedlessOnboardingController_cachedDecryptedVaultData, _SeedlessOnboardingController_submitGlobalPassword, _SeedlessOnboardingController_setUnlocked, _SeedlessOnboardingController_persistOprfKey, _SeedlessOnboardingController_persistAuthPubKey, _SeedlessOnboardingController_storeKeyringEncryptionKey, _SeedlessOnboardingController_loadKeyringEncryptionKey, _SeedlessOnboardingController_loadSeedlessEncryptionKey, _SeedlessOnboardingController_recoverAuthPubKey, _SeedlessOnboardingController_recoverEncKey, _SeedlessOnboardingController_fetchAllSecretDataFromMetadataStore, _SeedlessOnboardingController_changeEncryptionKey, _SeedlessOnboardingController_encryptAndStoreSecretData, _SeedlessOnboardingController_unlockVaultAndGetVaultData, _SeedlessOnboardingController_decryptAndParseVaultData, _SeedlessOnboardingController_withPersistedSecretMetadataBackupsState, _SeedlessOnboardingController_filterDupesAndUpdateSocialBackupsMetadata, _SeedlessOnboardingController_createNewVaultWithAuthData, _SeedlessOnboardingController_updateVault, _SeedlessOnboardingController_getAccessTokenAndRevokeToken, _SeedlessOnboardingController_withControllerLock, _SeedlessOnboardingController_withVaultLock, _SeedlessOnboardingController_parseVaultData, _SeedlessOnboardingController_assertIsUnlocked, _SeedlessOnboardingController_assertIsAuthenticatedUser, _SeedlessOnboardingController_assertPasswordInSync, _SeedlessOnboardingController_resetPasswordOutdatedCache, _SeedlessOnboardingController_addRefreshTokenToRevokeList, _SeedlessOnboardingController_isAuthTokenError, _SeedlessOnboardingController_isMaxKeyChainLengthError, _SeedlessOnboardingController_executeWithTokenRefresh, _SeedlessOnboardingController_updateVaultAfterAuthTokenRefresh, _SeedlessOnboardingController_checkTokensExpired;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SeedlessOnboardingController = exports.getInitialSeedlessOnboardingControllerStateWithDefaults = void 0;
 const auth_network_utils_1 = require("@metamask/auth-network-utils");
 const base_controller_1 = require("@metamask/base-controller");
+const messenger_1 = require("@metamask/messenger");
 const toprf_secure_backup_1 = require("@metamask/toprf-secure-backup");
 const utils_1 = require("@metamask/utils");
 const aes_1 = require("@noble/ciphers/aes");
@@ -242,6 +243,7 @@ class SeedlessOnboardingController extends base_controller_1.BaseController {
         __classPrivateFieldSet(this, _SeedlessOnboardingController_refreshJWTToken, refreshJWTToken, "f");
         __classPrivateFieldSet(this, _SeedlessOnboardingController_revokeRefreshToken, revokeRefreshToken, "f");
         __classPrivateFieldSet(this, _SeedlessOnboardingController_renewRefreshToken, renewRefreshToken, "f");
+        this.messenger.registerActionHandler('SeedlessOnboardingController:getAccessToken', this.getAccessToken.bind(this));
     }
     async fetchMetadataAccessCreds() {
         const { metadataAccessToken } = this.state;
@@ -552,7 +554,7 @@ class SeedlessOnboardingController extends base_controller_1.BaseController {
     /**
      * Submit the password to the controller, verify the password validity and unlock the controller.
      *
-     * This method will be used especially when user rehydrate/unlock the wallet.
+     * This method will be used especially when user unlock the wallet.
      * The provided password will be verified against the encrypted vault, encryption key will be derived and saved in the controller state.
      *
      * This operation is useful when user performs some actions that requires the user password/encryption key. e.g. add new srp backup
@@ -562,7 +564,37 @@ class SeedlessOnboardingController extends base_controller_1.BaseController {
      */
     async submitPassword(password) {
         return await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_withControllerLock).call(this, async () => {
-            await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_unlockVaultAndGetVaultData).call(this, { password });
+            // get the access token from the state before unlocking, it might be the new token set from the `refreshAuthTokens` method.
+            const { accessToken: accessTokenBeforeUnlock } = this.state;
+            const deserializedVaultData = await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_unlockVaultAndGetVaultData).call(this, {
+                password,
+            });
+            const { accessToken: accessTokenAfterUnlock } = this.state;
+            let latestAccessToken = accessTokenAfterUnlock;
+            // compare the access token from state before unlocking and after unlocking, take the latest access token if it's different.
+            if (accessTokenBeforeUnlock &&
+                accessTokenAfterUnlock &&
+                accessTokenBeforeUnlock !== accessTokenAfterUnlock) {
+                // If there was an access token in the state before unlocking, it might be the token set from the `refreshAuthTokens` method.
+                // Compare it with the access token value from decrypted vault after unlocking and take the latest access token.
+                latestAccessToken = (0, utils_3.compareAndGetLatestToken)(accessTokenBeforeUnlock, accessTokenAfterUnlock);
+            }
+            // update the state and vault with the latest access token if it's different from the current access token in the state.
+            if (latestAccessToken && latestAccessToken !== accessTokenAfterUnlock) {
+                // update the access token in the state with the latest access token if it's different from the decrypted access token after unlocking
+                this.update((state) => {
+                    state.accessToken = latestAccessToken;
+                });
+                const updatedVaultData = {
+                    ...deserializedVaultData,
+                    accessToken: latestAccessToken,
+                };
+                await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_updateVault).call(this, {
+                    password,
+                    vaultData: updatedVaultData,
+                    pwEncKey: deserializedVaultData.toprfPwEncryptionKey,
+                });
+            }
             __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_setUnlocked).call(this);
         });
     }
@@ -768,6 +800,8 @@ class SeedlessOnboardingController extends base_controller_1.BaseController {
                 refreshToken,
                 skipLock: true,
             });
+            // update the vault with new access token
+            await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_updateVaultAfterAuthTokenRefresh).call(this, accessToken);
         }
         catch (error) {
             log('Error refreshing node auth tokens', error);
@@ -858,6 +892,21 @@ class SeedlessOnboardingController extends base_controller_1.BaseController {
             }
         });
     }
+    /**
+     * Get the access token from the state.
+     *
+     * If the tokens are expired, the method will refresh them and return the new access token.
+     *
+     * @returns The access token.
+     */
+    async getAccessToken() {
+        return __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_withControllerLock).call(this, async () => {
+            __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_assertIsAuthenticatedUser).call(this, this.state);
+            return __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_executeWithTokenRefresh).call(this, async () => {
+                return this.state.accessToken;
+            }, 'getAccessToken');
+        });
+    }
     /**
      * Check if the current node auth token is expired.
      *
@@ -926,22 +975,39 @@ _SeedlessOnboardingController_vaultEncryptor = new WeakMap(), _SeedlessOnboardin
  * corresponding to the current authPubKey in state.
  */
 async function _SeedlessOnboardingController_submitGlobalPassword({ targetAuthPubKey, globalPassword, maxKeyChainLength, }) {
-    const { pwEncKey: curPwEncKey, authKeyPair: curAuthKeyPair } = await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_recoverEncKey).call(this, globalPassword);
+    const { pwEncKey: globalPwEncKey, authKeyPair: globalAuthKeyPair } = await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_recoverEncKey).call(this, globalPassword);
     try {
         // Recover vault encryption key.
         const res = await this.toprfClient.recoverPwEncKey({
             targetAuthPubKey,
-            curPwEncKey,
-            curAuthKeyPair,
+            curPwEncKey: globalPwEncKey,
+            curAuthKeyPair: globalAuthKeyPair,
             maxPwChainLength: maxKeyChainLength,
         });
         const { pwEncKey } = res;
         const vaultKey = await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_loadSeedlessEncryptionKey).call(this, pwEncKey);
+        // accessToken before unlocking vault and flooding the state with values from the decrypted vault
+        // it might be the new token set from the `refreshAuthTokens` method.
+        const { accessToken: accessTokenBeforeUnlock } = this.state;
         // Unlock the controller
-        await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_unlockVaultAndGetVaultData).call(this, {
+        const decryptedVaultData = await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_unlockVaultAndGetVaultData).call(this, {
             encryptionKey: vaultKey,
         });
         __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_setUnlocked).call(this);
+        // accessToken from decrypted vault
+        const accessTokenFromDecryptedVault = decryptedVaultData.accessToken;
+        // compare the two access tokens, take the latest access token if it's different.
+        if (accessTokenBeforeUnlock &&
+            accessTokenFromDecryptedVault &&
+            accessTokenBeforeUnlock !== accessTokenFromDecryptedVault) {
+            const latestAccessToken = (0, utils_3.compareAndGetLatestToken)(accessTokenBeforeUnlock, accessTokenFromDecryptedVault);
+            // update the access token in the state with the latest access token if it's different from the decrypted access token after unlocking
+            // later when we call `syncLatestGlobalPassword`, the encrypted vault will be updated with the latest access token.
+            this.update((state) => {
+                state.accessToken = latestAccessToken;
+            });
+        }
+        __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_resetPasswordOutdatedCache).call(this);
     }
     catch (error) {
         if (__classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_isAuthTokenError).call(this, error)) {
@@ -1371,14 +1437,14 @@ async function _SeedlessOnboardingController_updateVault({ password, vaultData,
         // from the password using an intentionally slow key derivation function.
         // We should make sure that we only call it very intentionally.
         const { vault, exportedKeyString } = await __classPrivateFieldGet(this, _SeedlessOnboardingController_vaultEncryptor, "f").encryptWithDetail(password, serializedVaultData);
-        // Encrypt vault key.
         const aes = (0, webcrypto_1.managedNonce)(aes_1.gcm)(pwEncKey);
         const encryptedKey = aes.encrypt((0, utils_2.utf8ToBytes)(exportedKeyString));
+        const encryptedSeedlessEncryptionKey = (0, utils_1.bytesToBase64)(encryptedKey);
         this.update((state) => {
             state.vault = vault;
             state.vaultEncryptionKey = exportedKeyString;
             state.vaultEncryptionSalt = JSON.parse(vault).salt;
-            state.encryptedSeedlessEncryptionKey = (0, utils_1.bytesToBase64)(encryptedKey);
+            state.encryptedSeedlessEncryptionKey = encryptedSeedlessEncryptionKey;
         });
     });
 }, _SeedlessOnboardingController_getAccessTokenAndRevokeToken = 
@@ -1537,18 +1603,7 @@ async function _SeedlessOnboardingController_assertPasswordInSync(options) {
  */
 async function _SeedlessOnboardingController_executeWithTokenRefresh(operation, operationName) {
     try {
-        // proactively check for expired tokens and refresh them if needed
-        const isNodeAuthTokenExpired = this.checkNodeAuthTokenExpired();
-        const isMetadataAccessTokenExpired = this.checkMetadataAccessTokenExpired();
-        // access token is only accessible when the vault is unlocked
-        // so skip the check if the vault is locked
-        let isAccessTokenExpired = false;
-        if (__classPrivateFieldGet(this, _SeedlessOnboardingController_isUnlocked, "f")) {
-            isAccessTokenExpired = this.checkAccessTokenExpired();
-        }
-        if (isNodeAuthTokenExpired ||
-            isMetadataAccessTokenExpired ||
-            isAccessTokenExpired) {
+        if (__classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_checkTokensExpired).call(this)) {
             log(`JWT token expired during ${operationName}, attempting to refresh tokens`, 'node auth token exp check');
             await this.refreshAuthTokens();
         }
@@ -1574,6 +1629,58 @@ async function _SeedlessOnboardingController_executeWithTokenRefresh(operation,
             throw error;
         }
     }
+}, _SeedlessOnboardingController_updateVaultAfterAuthTokenRefresh = async function _SeedlessOnboardingController_updateVaultAfterAuthTokenRefresh(accessToken) {
+    await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_withVaultLock).call(this, async () => {
+        if (!__classPrivateFieldGet(this, _SeedlessOnboardingController_isUnlocked, "f")) {
+            // we just temporarily store the access token in the state
+            // when user attempts to unlock the vault, we will use this access token to update the vault
+            this.update((state) => {
+                state.accessToken = accessToken;
+            });
+            return;
+        }
+        const { vaultEncryptionKey, vaultEncryptionSalt } = this.state;
+        if (!vaultEncryptionKey ||
+            !vaultEncryptionSalt ||
+            !__classPrivateFieldGet(this, _SeedlessOnboardingController_cachedDecryptedVaultData, "f")) {
+            throw new Error(constants_1.SeedlessOnboardingControllerErrorMessage.MissingCredentials);
+        }
+        const serializedVaultData = (0, utils_3.serializeVaultData)({
+            ...__classPrivateFieldGet(this, _SeedlessOnboardingController_cachedDecryptedVaultData, "f"),
+            accessToken,
+        });
+        const encryptionKey = await __classPrivateFieldGet(this, _SeedlessOnboardingController_vaultEncryptor, "f").importKey(vaultEncryptionKey);
+        const updatedEncVault = await __classPrivateFieldGet(this, _SeedlessOnboardingController_vaultEncryptor, "f").encryptWithKey(encryptionKey, serializedVaultData);
+        // NOTE: Referenced from keyring-controller!
+        // We need to include the salt used to derive
+        // the encryption key, to be able to derive it
+        // from password again.
+        updatedEncVault.salt = vaultEncryptionSalt;
+        this.update((state) => {
+            state.vault = JSON.stringify(updatedEncVault);
+            state.vaultEncryptionSalt = vaultEncryptionSalt;
+            state.accessToken = accessToken;
+            state.vaultEncryptionKey = vaultEncryptionKey;
+        });
+        // update the cached decrypted vault data with the new access token
+        __classPrivateFieldSet(this, _SeedlessOnboardingController_cachedDecryptedVaultData, {
+            ...__classPrivateFieldGet(this, _SeedlessOnboardingController_cachedDecryptedVaultData, "f"),
+            accessToken,
+        }, "f");
+    });
+}, _SeedlessOnboardingController_checkTokensExpired = function _SeedlessOnboardingController_checkTokensExpired() {
+    // proactively check for expired tokens and refresh them if needed
+    const isNodeAuthTokenExpired = this.checkNodeAuthTokenExpired();
+    const isMetadataAccessTokenExpired = this.checkMetadataAccessTokenExpired();
+    // access token is only accessible when the vault is unlocked
+    // so skip the check if the vault is locked
+    let isAccessTokenExpired = false;
+    if (__classPrivateFieldGet(this, _SeedlessOnboardingController_isUnlocked, "f")) {
+        isAccessTokenExpired = this.checkAccessTokenExpired();
+    }
+    return (isNodeAuthTokenExpired ||
+        isMetadataAccessTokenExpired ||
+        isAccessTokenExpired);
 };
 /**
  * Assert that the provided password is a valid non-empty string.