npm - @metamask-previews/seedless-onboarding-controller - Versions diffs - 7.1.0-preview-69f51f81 → 7.1.0-preview-40468f94 - Mend

@metamask-previews/seedless-onboarding-controller 7.1.0-preview-69f51f81 → 7.1.0-preview-40468f94

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +6 -0
package/dist/SeedlessOnboardingController.cjs +62 -47
package/dist/SeedlessOnboardingController.cjs.map +1 -1
package/dist/SeedlessOnboardingController.d.cts.map +1 -1
package/dist/SeedlessOnboardingController.d.mts.map +1 -1
package/dist/SeedlessOnboardingController.mjs +62 -47
package/dist/SeedlessOnboardingController.mjs.map +1 -1
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -9,6 +9,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
+- **BREAKING** The `encryptor` constructor param requires `encryptWithKey` method. ([#7800](https://github.com/MetaMask/core/pull/7800))
+  - The method is to encrypt the vault with cached encryption key while the wallet is unlocked.
 - Added new public method, `getAccessToken`. ([#7800](https://github.com/MetaMask/core/pull/7800))
   - Clients can use this method to get `accessToken` from the controller, instead of directly accessing from the state.
   - This method also adds refresh token mechanism when `accessToken` is expired, hence preventing expired token usage in the clients.
@@ -20,6 +22,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Bump `@metamask/keyring-controller` from `^25.0.0` to `^25.1.0` ([#7713](https://github.com/MetaMask/core/pull/7713))
 - Upgrade `@metamask/utils` from `^11.8.1` to `^11.9.0` ([#7511](https://github.com/MetaMask/core/pull/7511))
+### Fixed
+- Fixed new `accessToken` not being persisted in the vault after the token refresh. ([#7800](https://github.com/MetaMask/core/pull/7800))
 ## [7.1.0]
 ### Added

package/dist/SeedlessOnboardingController.cjs CHANGED Viewed

@@ -975,22 +975,39 @@ _SeedlessOnboardingController_vaultEncryptor = new WeakMap(), _SeedlessOnboardin
  * corresponding to the current authPubKey in state.
  */
 async function _SeedlessOnboardingController_submitGlobalPassword({ targetAuthPubKey, globalPassword, maxKeyChainLength, }) {
-    const { pwEncKey: curPwEncKey, authKeyPair: curAuthKeyPair } = await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_recoverEncKey).call(this, globalPassword);
+    const { pwEncKey: globalPwEncKey, authKeyPair: globalAuthKeyPair } = await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_recoverEncKey).call(this, globalPassword);
     try {
         // Recover vault encryption key.
         const res = await this.toprfClient.recoverPwEncKey({
             targetAuthPubKey,
-            curPwEncKey,
-            curAuthKeyPair,
+            curPwEncKey: globalPwEncKey,
+            curAuthKeyPair: globalAuthKeyPair,
             maxPwChainLength: maxKeyChainLength,
         });
         const { pwEncKey } = res;
         const vaultKey = await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_loadSeedlessEncryptionKey).call(this, pwEncKey);
+        // accessToken before unlocking vault and flooding the state with values from the decrypted vault
+        // it might be the new token set from the `refreshAuthTokens` method.
+        const { accessToken: accessTokenBeforeUnlock } = this.state;
         // Unlock the controller
-        await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_unlockVaultAndGetVaultData).call(this, {
+        const decryptedVaultData = await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_unlockVaultAndGetVaultData).call(this, {
             encryptionKey: vaultKey,
         });
         __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_setUnlocked).call(this);
+        // accessToken from decrypted vault
+        const accessTokenFromDecryptedVault = decryptedVaultData.accessToken;
+        // compare the two access tokens, take the latest access token if it's different.
+        if (accessTokenBeforeUnlock &&
+            accessTokenFromDecryptedVault &&
+            accessTokenBeforeUnlock !== accessTokenFromDecryptedVault) {
+            const latestAccessToken = (0, utils_3.compareAndGetLatestToken)(accessTokenBeforeUnlock, accessTokenFromDecryptedVault);
+            // update the access token in the state with the latest access token if it's different from the decrypted access token after unlocking
+            // later when we call `syncLatestGlobalPassword`, the encrypted vault will be updated with the latest access token.
+            this.update((state) => {
+                state.accessToken = latestAccessToken;
+            });
+        }
+        __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_resetPasswordOutdatedCache).call(this);
     }
     catch (error) {
         if (__classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_isAuthTokenError).call(this, error)) {
@@ -1420,24 +1437,14 @@ async function _SeedlessOnboardingController_updateVault({ password, vaultData,
         // from the password using an intentionally slow key derivation function.
         // We should make sure that we only call it very intentionally.
         const { vault, exportedKeyString } = await __classPrivateFieldGet(this, _SeedlessOnboardingController_vaultEncryptor, "f").encryptWithDetail(password, serializedVaultData);
-        const updatedState = {
-            vault,
-            vaultEncryptionKey: exportedKeyString,
-            vaultEncryptionSalt: JSON.parse(vault).salt,
-        };
-        // Encrypt vault key.
-        if (pwEncKey) {
-            const aes = (0, webcrypto_1.managedNonce)(aes_1.gcm)(pwEncKey);
-            const encryptedKey = aes.encrypt((0, utils_2.utf8ToBytes)(exportedKeyString));
-            updatedState.encryptedSeedlessEncryptionKey =
-                (0, utils_1.bytesToBase64)(encryptedKey);
-        }
+        const aes = (0, webcrypto_1.managedNonce)(aes_1.gcm)(pwEncKey);
+        const encryptedKey = aes.encrypt((0, utils_2.utf8ToBytes)(exportedKeyString));
+        const encryptedSeedlessEncryptionKey = (0, utils_1.bytesToBase64)(encryptedKey);
         this.update((state) => {
-            state.vault = updatedState.vault;
-            state.vaultEncryptionKey = updatedState.vaultEncryptionKey;
-            state.vaultEncryptionSalt = updatedState.vaultEncryptionSalt;
-            state.encryptedSeedlessEncryptionKey =
-                updatedState.encryptedSeedlessEncryptionKey;
+            state.vault = vault;
+            state.vaultEncryptionKey = exportedKeyString;
+            state.vaultEncryptionSalt = JSON.parse(vault).salt;
+            state.encryptedSeedlessEncryptionKey = encryptedSeedlessEncryptionKey;
         });
     });
 }, _SeedlessOnboardingController_getAccessTokenAndRevokeToken =
@@ -1623,35 +1630,43 @@ async function _SeedlessOnboardingController_executeWithTokenRefresh(operation,
         }
     }
 }, _SeedlessOnboardingController_updateVaultAfterAuthTokenRefresh = async function _SeedlessOnboardingController_updateVaultAfterAuthTokenRefresh(accessToken) {
-    if (!__classPrivateFieldGet(this, _SeedlessOnboardingController_isUnlocked, "f")) {
-        // we just temporarily store the access token in the state
-        // when user attempts to unlock the vault, we will use this access token to update the vault
+    await __classPrivateFieldGet(this, _SeedlessOnboardingController_instances, "m", _SeedlessOnboardingController_withVaultLock).call(this, async () => {
+        if (!__classPrivateFieldGet(this, _SeedlessOnboardingController_isUnlocked, "f")) {
+            // we just temporarily store the access token in the state
+            // when user attempts to unlock the vault, we will use this access token to update the vault
+            this.update((state) => {
+                state.accessToken = accessToken;
+            });
+            return;
+        }
+        const { vaultEncryptionKey, vaultEncryptionSalt } = this.state;
+        if (!vaultEncryptionKey ||
+            !vaultEncryptionSalt ||
+            !__classPrivateFieldGet(this, _SeedlessOnboardingController_cachedDecryptedVaultData, "f")) {
+            throw new Error(constants_1.SeedlessOnboardingControllerErrorMessage.MissingCredentials);
+        }
+        const serializedVaultData = (0, utils_3.serializeVaultData)({
+            ...__classPrivateFieldGet(this, _SeedlessOnboardingController_cachedDecryptedVaultData, "f"),
+            accessToken,
+        });
+        const encryptionKey = await __classPrivateFieldGet(this, _SeedlessOnboardingController_vaultEncryptor, "f").importKey(vaultEncryptionKey);
+        const updatedEncVault = await __classPrivateFieldGet(this, _SeedlessOnboardingController_vaultEncryptor, "f").encryptWithKey(encryptionKey, serializedVaultData);
+        // NOTE: Referenced from keyring-controller!
+        // We need to include the salt used to derive
+        // the encryption key, to be able to derive it
+        // from password again.
+        updatedEncVault.salt = vaultEncryptionSalt;
         this.update((state) => {
+            state.vault = JSON.stringify(updatedEncVault);
+            state.vaultEncryptionSalt = vaultEncryptionSalt;
             state.accessToken = accessToken;
+            state.vaultEncryptionKey = vaultEncryptionKey;
         });
-        return;
-    }
-    const { vaultEncryptionKey, vaultEncryptionSalt } = this.state;
-    if (!vaultEncryptionKey ||
-        !vaultEncryptionSalt ||
-        !__classPrivateFieldGet(this, _SeedlessOnboardingController_cachedDecryptedVaultData, "f")) {
-        throw new Error(constants_1.SeedlessOnboardingControllerErrorMessage.MissingCredentials);
-    }
-    // update the cached decrypted vault data with the new access token
-    __classPrivateFieldGet(this, _SeedlessOnboardingController_cachedDecryptedVaultData, "f").accessToken = accessToken;
-    const serializedVaultData = (0, utils_3.serializeVaultData)(__classPrivateFieldGet(this, _SeedlessOnboardingController_cachedDecryptedVaultData, "f"));
-    const encryptionKey = await __classPrivateFieldGet(this, _SeedlessOnboardingController_vaultEncryptor, "f").importKey(vaultEncryptionKey);
-    const updatedEncVault = await __classPrivateFieldGet(this, _SeedlessOnboardingController_vaultEncryptor, "f").encryptWithKey(encryptionKey, serializedVaultData);
-    // NOTE: Referenced from keyring-controller!
-    // We need to include the salt used to derive
-    // the encryption key, to be able to derive it
-    // from password again.
-    updatedEncVault.salt = vaultEncryptionSalt;
-    this.update((state) => {
-        state.vault = JSON.stringify(updatedEncVault);
-        state.vaultEncryptionSalt = vaultEncryptionSalt;
-        state.accessToken = accessToken;
-        state.vaultEncryptionKey = vaultEncryptionKey;
+        // update the cached decrypted vault data with the new access token
+        __classPrivateFieldSet(this, _SeedlessOnboardingController_cachedDecryptedVaultData, {
+            ...__classPrivateFieldGet(this, _SeedlessOnboardingController_cachedDecryptedVaultData, "f"),
+            accessToken,
+        }, "f");
     });
 }, _SeedlessOnboardingController_checkTokensExpired = function _SeedlessOnboardingController_checkTokensExpired() {
     // proactively check for expired tokens and refresh them if needed