# Permission System 2.0
## Background
This PR migrates the extension permission system to [the new `PermissionController`](https://github.com/MetaMask/snaps-skunkworks/tree/main/packages/controllers/src/permissions).
The original permission system, based on [`rpc-cap`](https://github.com/MetaMask/rpc-cap), introduced [`ZCAP-LD`](https://w3c-ccg.github.io/zcap-ld/)-like permissions to our JSON-RPC stack.
We used it to [implement](https://github.com/MetaMask/metamask-extension/pull/7004) what we called "LoginPerSite" in [version 7.7.0](https://github.com/MetaMask/metamask-extension/releases/tag/v7.7.0) of the extension, which enabled the user to choose which accounts, if any, should be exposed to each dapp.
While that was a worthwhile feature in and of itself, we wanted a permission _system_ in order to enable everything we are going to with Snaps.
Unfortunately, the original permission system was difficult to use, and necessitated the creation of the original `PermissionsController` (note the "s"), which was more or less a wrapper for `rpc-cap`.
With this PR, we shake off the yoke of the original permission system, in favor of the modular, self-contained, ergonomic, and more mature permission system 2.0.
Note that [the `PermissionController` readme](https://github.com/MetaMask/snaps-skunkworks/tree/main/packages/controllers/src/permissions/README.md) explains how the new permission system works.
The `PermissionController` and `SubjectMetadataController` are currently shipped via `@metamask/snap-controllers`. This is a temporary state of affairs, and we'll move them to `@metamask/controllers` once they've landed in prod.
## Changes in Detail
First, the changes in this PR are not as big as they seem. Roughly half of the additions in this PR are fixtures in the test for the new migration (number 68), and a significant portion of the remaining ~2500 lines are due to find-and-replace changes in other test fixtures and UI files.
- The extension `PermissionsController` has been deleted, and completely replaced with the new `PermissionController` from [`@metamask/snap-controllers`](https://www.npmjs.com/package/@metamask/snap-controllers).
- The original `PermissionsController` "domain metadata" functionality is now managed by the new `SubjectMetadataController`, also from [`@metamask/snap-controllers`](https://www.npmjs.com/package/@metamask/snap-controllers).
- The permission activity and history log controller has been renamed `PermissionLogController` and has its own top-level state key, but is otherwise functionally equivalent to the existing implementation.
- Migration number 68 has been added to account for the new state changes.
- The tests in `app/scripts/controllers/permissions` have been migrated from `mocha` to `jest`.
Reviewers should focus their attention on the following files:
- `app/scripts/`
- `metamask-controller.js`
- This is where most of the integration work for the new `PermissionController` occurs.
Some functions that were internal to the original controller were moved here.
- `controllers/permissions/`
- `selectors.js`
- These selectors are for `ControllerMessenger` selector subscriptions. The actual subscriptions occur in `metamask-controller.js`. See the `ControllerMessenger` implementation for details.
- `specifications.js`
- The caveat and permission specifications are required by the new `PermissionController`, and are used to specify the `eth_accounts` permission and its JSON-RPC method implementation.
See the `PermissionController` readme for details.
- `migrations/068.js`
- The new state should be cross-referenced with the controllers that manage it.
The accompanying tests should also be thoroughly reviewed.
Some files may appear new but have just moved and/or been renamed:
- `app/scripts/lib/rpc-method-middleware/handlers/request-accounts.js`
- This was previously implemented in `controllers/permissions/permissionsMethodMiddleware.js`.
- `test/mocks/permissions.js`
- A truncated version of `test/mocks/permission-controller.js`.
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
* Fix#5039
* Converted function into async
* Added more explicit explanation of why the number of bits for EcSign
* eth_sign and eth_personalSign now report errors correctly back to the user
* Added leeway to unsigned message byte check
* Fix lint
* Use a Swaps v2 API to get a fiat onboarding URL
* Fix an issue with wrapping / unwrapping if an address contained uppercase chars
* Rename a constant
* Use a constant in a test
Adds a property, `hookNames`, to each RPC method handler export in `app/scripts/lib/rpc-method-middleware` and a function, `selectHooks`, to select from them.
`createMethodMiddleware` receives a giant `opts` object that includes a bunch of different methods from `MetaMaskController` and its subcontrollers. Each method implementation only requires a subset of these methods to do its work. Because they need some kind of name, we call these methods "hooks". With this change, whenever an RPC method is called, `selectHooks` will be called to ensure that each method only receives the hooks that it needs in order to do its job.
This implementation is based on [work in `snaps-skunkworks`](https://github.com/MetaMask/snaps-skunkworks/blob/a3e1248/packages/rpc-methods/src/utils.ts#L17-L34) that will be merged in the near future.
* Background clears confirmations on popup close
* [WIP] Remove clearing confirmations through UI
* Confirmations are now rejected instead of cleared
* Erased commented out code
* Fix linter errors
* Changes after code review
* Moved metrics events from onWindowUnload to background
* PR review fixes
* Added abillity to add reason to rejection of messages
* Fix prettier
* Added type metrics event to signature cancel
* Fix test
* The uncofirmed transactions are now cleared even if Metamask is locked
We're bumping from `^6` to `^8`. All imports are now named, and they have been updated. This is a breaking change, in that support for `eth_signTransaction` is added in `^8.0.0`. We do not support this method in our UI, so our middleware stack has been instrumented to reject.
In addition, there are some non-breaking behavioral changes in this version that reviewers should be aware of, see the [7.0.0 release](https://github.com/MetaMask/eth-json-rpc-middleware/releases).
The build type (i.e. the distribution) is now included in the Sentry
environment during setup, for all builds except the "main" build. This
will allow us to track Flask and beta errors separately from other
errors.
A constant was created for the build types. The equivalent constant in
our build scripts was updated to match it more closely, for
consistency. We can't use the same constant in both places because our
shared constants are in modules that use ES6 exports, and our build
script does not yet support ES6 exports.
The singular `BuildType` was used rather than `BuildTypes` to match our
naming conventions elsewhere for enums. We name them like classes or
types, rather than like a collection.
Relates to #11896
* Fixes#12145
When transactions fail, preserve error message when presented with an error object. Fallback to stringified error for other cases.
* Perserve error stack when err.stack is present, else set stack to message.
* Use optional chaining
* Call Wyre’s API via our backend to generate Wyre’s Checkout URL
* Add back paymentMethod=debit-card, use a fallback URL if no url is returned from BE
* Fix a lint issue
* Refactor how to return Wyre’s Checkout URL
* Add 2 constants into a test file, refactoring
* Moving RPC Urls to network constants
* Including RPC url in switchEthereumChain requestData
* Setting project id to var
* Fix built-in networks switch-ethereum-chain
`switch-ethereum-chain` did not work correctly with built-in networks.
It was treating them as custom networks, rather than as built-in
networks. This affected how they were displayed in the network
dropdown, and resulted in slight differences to the network stack used
as well.
The problem was that `updateRpcTarget` was used, which was meant for
custom networks only. Now that `setProviderType` is used in the case of
a built-in network, the behaviour should match the network switcher
exactly.
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
* Moving RPC Urls to network constants
* Including RPC url in switchEthereumChain requestData
* Setting project id to var
* Fix built-in networks switch-ethereum-chain
`switch-ethereum-chain` did not work correctly with built-in networks.
It was treating them as custom networks, rather than as built-in
networks. This affected how they were displayed in the network
dropdown, and resulted in slight differences to the network stack used
as well.
The problem was that `updateRpcTarget` was used, which was meant for
custom networks only. Now that `setProviderType` is used in the case of
a built-in network, the behaviour should match the network switcher
exactly.
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
Sentry is now configured with environment variables, rather than with
hard-coded values. This makes it easier to test Sentry functionality
using a different Sentry account, as we did recently during QA of
v9.5.1.
The only change for the normal build process is the introduction of the
`SENTRY_DSN_DEV` variable, which can be set via `.metamaskrc` or via an
environment variable. This determines where error reports are sent. It
still defaults to our team Sentry account's `metamask-testing` project.
The `sentry:publish` script now requires SENTRY_ORG and SENTRY_PROJECT
to be set in order to publish release artifacts. The CircleCI
configuration has been updated with these values, so it should act the
same as it did before. Previously we had used a CLI flag to specify the
organization and project, but Sentry already natively supports these
environment variables [1].
[1]: https://docs.sentry.io/product/cli/configuration/#configuration-values
Three uses of `hasOwnProperty.call` have been replaced with simpler
alternatives. I did this because I found this convention confusing.
The `ComposableObservableStore` changes required adding a check for
whether the `config` is defined, because the old syntax would allow
iterating over `undefined` as if it was an empty object. Functionally
it should be identical. A new test was added to highlight this
functionality.
The `assert` module has two modes: "Legacy" and "strict". When using
strict mode, the "strict" version of each assertion method is implied.
Whereas in legacy mode, by default it will use the deprecated, "loose"
version of each assertion.
We now use strict mode everywhere. A few tests required updates where
they were asserting the wrong thing, and it was passing beforehand due
to the loose matching.
The CurrencyRateController has been migrated to the BaseControllerV2
API, which includes various API changes. These changes include:
* The constructor now expects to be passed a
`RestrictedControllerMessenger`.
* State changes are subscribed to via the `ControllerMessenger` now,
rather than via a `subscribe` function.
* The state and configration are passed in as one "options" object,
rather than as two separate parameters
* The polling needs to be started explicitly by calling `start`. It
can be stopped and started on-demand now as well.
* Changing the current currency or native currency will now throw an
error if we fail to update the conversion rate.
The `ComposableObservableStore` has been updated to accomodate these
new types of controllers. The constructor has been updated to use an
options bag pattern as well, to make the addition of the new required
`controllerMessenger` parameter a bit less unweildly.
Sentry is now configured with environment variables, rather than with
hard-coded values. This makes it easier to test Sentry functionality
using a different Sentry account, as we did recently during QA of
v9.5.1.
The only change for the normal build process is the introduction of the
`SENTRY_DSN_DEV` variable, which can be set via `.metamaskrc` or via an
environment variable. This determines where error reports are sent. It
still defaults to our team Sentry account's `metamask-testing` project.
The `sentry:publish` script now requires SENTRY_ORG and SENTRY_PROJECT
to be set in order to publish release artifacts. The CircleCI
configuration has been updated with these values, so it should act the
same as it did before. Previously we had used a CLI flag to specify the
organization and project, but Sentry already natively supports these
environment variables [1].
[1]: https://docs.sentry.io/product/cli/configuration/#configuration-values
Three uses of `hasOwnProperty.call` have been replaced with simpler
alternatives. I did this because I found this convention confusing.
The `ComposableObservableStore` changes required adding a check for
whether the `config` is defined, because the old syntax would allow
iterating over `undefined` as if it was an empty object. Functionally
it should be identical. A new test was added to highlight this
functionality.
Erik Marks
Thomas Huang
Alex Donesky
Olaf Tomalka
Daniel
David Walsh
Mark Stacey
Shane
Peter-Jan Brone
Dan J Miller
ryanml
Brad Decker