feat: add Universal dev mode feature flag #30055
| // TODO: Verify the dev-api Sentinel hostname follows the standard | ||
| // `*.api.cx.metamask.io` -> `*.dev-api.cx.metamask.io` rewrite. If Sentinel | ||
| // uses a different dev hostname, switch off `devApiEnv()` directly instead. | ||
| const BASE_URL = apiUrl('https://tx-sentinel-{0}.api.cx.metamask.io/'); |
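Review bot: the TODO above the `BASE_URL` line leaves the dev Sentinel hostname unverified, so this line ships a guess about where Sentinel requests go in a dev build. Resolve it before merge: either confirm that the `*.dev-api.cx.metamask.io` host exists for every value substituted into `{0}`, or replace the `apiUrl(...)` rewrite with an explicit per-environment map, and add a test that asserts the resolved hostname for both environments.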
Sentinel URL template rewritten at module load time
Low Severity
BASE_URL and OrdersEndpoint evaluate apiUrl() at module scope, freezing the result at import time. The devApiEnv() function was explicitly designed to be "read at call time (not module load) so tests can set/unset process.env.MM_DEV_API_ENV without juggling the module cache." Calling it via apiUrl() at module scope defeats this design: any test that sets the env var after module load will silently operate against the wrong URL. These constants could be converted to getter functions or computed lazily to match the intent documented in devApiEnv.ts.
Reviewed by Cursor Bugbot for commit 1978b9c.
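The import-time freeze described in the comment above, reproduced as an added example (not code from this PR). `devApiEnv()` and `apiUrl()` here are hypothetical stand-ins written from the behaviour the thread describes; `getBaseUrl()` and `compareAfterEnvChange()` are names introduced for the illustration.

```javascript
// Hypothetical stand-ins for the PR's helpers; the real devApiEnv.ts is not shown on this page.
function devApiEnv() {
  // Per the review thread: only 'dev' is recognized, everything else (including 'uat') is prod.
  return process.env.MM_DEV_API_ENV === 'dev' ? 'dev' : 'prod';
}

function apiUrl(url) {
  // Assumed rewrite: *.api.cx.metamask.io -> *.dev-api.cx.metamask.io when the env is dev.
  return devApiEnv() === 'dev'
    ? url.replace('.api.cx.metamask.io', '.dev-api.cx.metamask.io')
    : url;
}

const TEMPLATE = 'https://tx-sentinel-{0}.api.cx.metamask.io/';

// Simulate a module that is loaded before any test sets the variable.
delete process.env.MM_DEV_API_ENV;

// Pattern flagged in the review: evaluated once, at module load.
const BASE_URL = apiUrl(TEMPLATE);

// Lazy alternative: the env is read again on every call.
function getBaseUrl() {
  return apiUrl(TEMPLATE);
}

// Set the variable after load, compare both forms, then restore the environment.
function compareAfterEnvChange(value) {
  const previous = process.env.MM_DEV_API_ENV;
  process.env.MM_DEV_API_ENV = value;
  try {
    return { frozen: BASE_URL, lazy: getBaseUrl() };
  } finally {
    if (previous === undefined) delete process.env.MM_DEV_API_ENV;
    else process.env.MM_DEV_API_ENV = previous;
  }
}
```

With the variable set to `dev` after load, `frozen` still points at the prod host while `lazy` follows the switch; with `uat`, both stay on prod.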
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #30055 +/- ##
==========================================
+ Coverage 81.54% 81.57% +0.03%
==========================================
Files 5343 5359 +16
Lines 142128 142546 +418
Branches 32411 32530 +119
==========================================
+ Hits 115899 116289 +390
+ Misses 18299 18295 -4
- Partials 7930 7962 +32
One problem is that when you switch this "ON" the JWT being returned is still PROD since it's in a persistent storage until it gets invalidated. I think we will also need to update AuthenticationController so that it clears storage if MM_DEV_API_ENV is on or something like this. Or like a button to clear persistent storage.
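One way to detect the stale-session case raised in the comment above, as an added example (not code from this PR): compare the `iss` claim of the persisted JWT with the issuer expected for the current `MM_DEV_API_ENV`. The dev issuer is the one named in the PR's testing steps; the prod issuer is an assumption derived from the `*.api.cx.metamask.io` convention, and all function names are hypothetical.

```javascript
// Expected issuer per environment. 'dev' comes from the PR's testing steps;
// 'prod' is an assumption based on the *.api / *.dev-api hostname convention.
const EXPECTED_ISSUER = {
  dev: 'https://oidc.dev-api.cx.metamask.io',
  prod: 'https://oidc.api.cx.metamask.io',
};

// Decode the payload segment of a JWT WITHOUT verifying the signature.
// Enough to spot a stale local session; never an authentication check.
function readUnverifiedClaims(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return claims && typeof claims === 'object' ? claims : null;
  } catch {
    return null;
  }
}

// Hypothetical helper: true when the persisted token should be discarded
// because it was minted for a different backend than the build targets.
function shouldClearPersistedSession(token, env) {
  const expected = EXPECTED_ISSUER[env === 'dev' ? 'dev' : 'prod'];
  const claims = readUnverifiedClaims(token);
  // Missing or unreadable token: fail closed and force a fresh sign-in.
  if (!claims || typeof claims.iss !== 'string') return true;
  // Exact match after dropping one trailing slash. A substring test would
  // also accept an issuer like https://oidc.dev-api.cx.metamask.io.example.
  return claims.iss.replace(/\/$/, '') !== expected;
}

// Constructed sample tokens: fake header and signature, not real credentials.
function makeSampleToken(iss) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'ES256', typ: 'JWT' })}.${enc({ iss, sub: 'constructed' })}.sig`;
}
```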
bdbc8f2 to e715e9b
65b4c99 to 19643ab
| - Auth: outbound requests target `oidc.dev-api.cx.metamask.io`. | ||
| - Chomp: `[ChompApiServiceInit] MM_DEV_API_ENV=dev; using env URL`. | ||
| - Bridge / WebSocket / Sentinel / Perps / Social / UserStorage / | ||
| Notifications: outbound URLs include `dev-api` subdomains. |
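Review bot: the last bullet only checks that outbound URLs "include `dev-api` subdomains", which still passes when some requests from the same services reach a prod host. Add a negative check to the list (no request to `*.api.cx.metamask.io` while the flag is set) and compare full hostnames, as the Auth bullet does with `oidc.dev-api.cx.metamask.io`, instead of looking for a substring.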
Development tracking file accidentally committed to repo
Medium Severity
A personal development tracking file todo.md was committed to the repository root. It contains TODO checklists, verification steps, and outstanding-work notes that duplicate the PR description. It also incorrectly states uat is a supported value for MM_DEV_API_ENV (line 4: "Set MM_DEV_API_ENV=dev (or uat)"), but devApiEnv() only recognizes 'dev' and treats everything else — including 'uat' — as 'prod'. This file doesn't belong in the codebase and its inaccurate documentation could mislead future developers.
Reviewed by Cursor Bugbot for commit 19643ab.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 3 total unresolved issues (including 2 from previous reviews).
Reviewed by Cursor Bugbot for commit 06b0172.
| @@ -0,0 +1,3 @@ | |||
| [tools] | |||
| yarn = "latest" | |||
| ruby = "3.2.9" | |||
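Review bot: `yarn = "latest"` in this new file is unpinned while `ruby` on the next line is pinned to `3.2.9`, so each install can resolve to a different yarn release on developer machines. Pin an exact yarn version here, or drop the file from the commit if it is a personal tool configuration.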
Tooling config file committed to repository root
Low Severity
mise.toml is a personal tool-version manager configuration file. The project's .gitignore already excludes the equivalent .tool-versions with the comment "don't save asdf tools-version config as nvm is prioritized." This file serves the same purpose and pins yarn = "latest", which is non-deterministic and could cause inconsistent tooling across developers and CI.
Reviewed by Cursor Bugbot for commit 06b0172.
Description
It's currently very awkward to point the mobile app at non-prod backends.
AuthenticationController is pinned to Env.PRD, so to test against dev you have to hand-edit its init, plus every downstream service's URL. Any that you don't update will throw errors for all upstream requests.
This PR adds a build time switch — MM_DEV_API_ENV=dev | prod in .js.env that the auth controller reads at init time.
I've attempted to wire up all the consumers of the auth controller with this flag when it is easy to do so - but there are a few which have proven difficult to wire up. They are the following:
- TokenBalancesController — accounts-API URL sealed in @metamask/assets-controllers.
- AssetsController via createApiPlatformClient — API_URLS sealed in @metamask/core-backend.
- NotificationServicesPushController — its config.env is Firebase env, not backend env.
TODO
- the *.api.cx.metamask.io ↔ *.dev-api.cx.metamask.io convention; if either deviates, swap apiUrl() for an explicit map (TODO comments mark the call sites).
- BRIDGE_USE_DEV_APIS. It's redundant with MM_DEV_API_ENV=dev but is referenced by scripts/verify-build-config.js, scripts/apply-build-config.js, scripts/build-announce/env-validation-section.ts, builds.yml, bitrise.yml, the E2E GitHub workflows, and .js.env.example.
Changelog
CHANGELOG entry: Add dev API testing feature flag
Related issues
Fixes:
Manual testing steps
echo 'export MM_DEV_API_ENV="dev"' >> .js.env
yarn watch:clean && yarn start:ios
Sign in, then confirm that outbound requests target *.dev-api.cx.metamask.io - and that the JWT issuer claim (iss) should be https://oidc.dev-api.cx.metamask.io.
Screenshots/Recordings
Note
Medium Risk
Broadly changes how multiple backend clients choose their base URLs and authentication env, including identity/JWT minting and websocket endpoints. Default remains prod, but misconfiguration or incomplete coverage could cause 401/403s or unexpected traffic routing in non-prod builds.
Overview
Introduces a build-time MM_DEV_API_ENV switch (default prod) via new app/core/devApiEnv.ts to keep AuthenticationController JWT minting and downstream JWT-consuming services targeting the same backend environment.
Updates multiple services/controllers (e.g., identity auth + user storage, authenticated user storage, profile metrics, chomp, bridge, social, perps data lake, sentinel, notifications, backend websocket) to derive their env/base URLs from this shared switch (often by rewriting *.api.cx.metamask.io → *.dev-api.cx.metamask.io), and adds an Identity section in Developer Options to display the current env and clear the persisted auth session.
Adds patch-package patches for dependencies that don’t expose env/base-url configuration (@metamask/core-backend API host constants and @metamask/assets-controllers accounts domain) and updates tests/config to validate the new env-driven behavior.
Reviewed by Cursor Bugbot for commit 06b0172. Bugbot is set up for automated code reviews on this repo.