Adds Controller required for seed #14889

ieow · 2025-04-25T12:04:03Z

Description

Related issues

Fixes:

Manual testing steps

Go to this page...

Screenshots/Recordings

Before

After

Pre-merge author checklist

I’ve followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
I've completed the PR template to the best of my ability
I’ve included tests if applicable
I’ve documented my code using JSDoc format if applicable
I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

github-actions · 2025-04-25T12:04:16Z

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

ieow · 2025-04-28T08:07:28Z

I have read the CLA Document and I hereby sign the CLA

sethkfman · 2025-04-29T15:21:13Z

app/core/OAuthService/OAuthInterface.ts

@@ -0,0 +1,80 @@
+import { AuthSessionResult } from 'expo-auth-session';


@chaitanyapotti I would recommend that you add these directories to the .github/CODEOWNERS file.

Cal-L

Left some comments

Cal-L · 2025-04-30T18:58:09Z

app/core/Engine/controllers/seedless-onboarding-controller/index.ts

+} from '@metamask/seedless-onboarding-controller';
+import { Encryptor, LEGACY_DERIVATION_OPTIONS } from '../../../Encryptor';
+
+export const web3AuthNetwork = process.env.Web3AuthNetwork as Web3AuthNetwork;


Suggested change

export const web3AuthNetwork = process.env.Web3AuthNetwork as Web3AuthNetwork;

export const web3AuthNetwork = process.env.WEB3_AUTH_NETWORK as Web3AuthNetwork;

Also, should this be moved into a constants file or just use the env var inline

Cal-L · 2025-04-30T18:58:33Z

app/core/Engine/controllers/seedless-onboarding-controller/index.ts

+export const web3AuthNetwork = process.env.Web3AuthNetwork as Web3AuthNetwork;
+
+if (!web3AuthNetwork) {
+  throw new Error('Missing environment variables');


Suggested change

throw new Error('Missing environment variables');

throw new Error('Missing environment variable WEB3_AUTH_NETWORK');

Cal-L · 2025-04-30T19:01:17Z

app/core/Engine/controllers/seedless-onboarding-controller/index.ts

+}
+
+const encryptor = new Encryptor({
+  keyDerivationOptions: LEGACY_DERIVATION_OPTIONS,


I'm not familiar with the different types of derivation options but I know we're using it in many places. @ccharly Can you take a look at this if it's fine?

Cal-L · 2025-04-30T19:03:33Z

app/core/Engine/messengers/seedless-onboarding-controller-messenger/index.ts

+) {
+  return baseControllerMessenger.getRestricted({
+    name: 'SeedlessOnboardingController',
+    allowedEvents: [],


I don't have visibility to the seedless onboarding controller. Does the controller use actions or events of other controllers?

Cal-L · 2025-04-30T19:06:59Z

app/util/test/initial-background-state.json

@@ -485,5 +485,8 @@
        }
      ]
    }
+  },
+  "SeedlessOnboardingController": {


To be safe, let's also create a new migration to prepopulate the controller with this state

Cal-L · 2025-04-30T19:11:07Z

package.json

@@ -332,6 +340,7 @@
    "react-native-fs": "^2.20.0",
    "react-native-gesture-handler": "^1.10.3",
    "react-native-get-random-values": "^1.8.0",
+    "react-native-google-acm": "git+https://github.com/Web3Auth/react-native-google-acm.git#edf4e52397f766d56d1644d908246e358f3cf774",


Did we bypass the paid version by forking our own and adding our own implementation?

Cal-L · 2025-04-30T19:16:07Z

app/core/OAuthService/OAuthService.ts

+}
+
+export class OAuthService {
+  public localState: {


Extract types

Cal-L · 2025-04-30T19:49:09Z

app/core/OAuthService/OAuthService.ts

+    ReduxService.store.dispatch({
+      type: UserActionType.LOADING_SET,
+      payload: {
+        loadingMsg: 'Logging in...',


Probably not necessary to pass in payload since this is static. We can just set it in the reducer itself

Cal-L · 2025-04-30T19:50:00Z

app/core/OAuthService/OAuthService.ts

+    data: AuthResponse,
+    authConnection: AuthConnection,
+  ): Promise<{
+    type: 'success' | 'error';


Extract into enum

Cal-L · 2025-04-30T19:52:09Z

app/core/OAuthService/OAuthService.ts

+}
+
+if (!AuthServerUrl || !AuthConnectionId || !GroupedAuthConnectionId) {
+  throw new Error('Missing environment variables');


Let's move this condition to the top of the file below imports and specify explicitly, which env vars are missing

socket-security · 2025-05-05T10:35:03Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Quality
npm/jsonify@0.0.1
npm/json-stable-stringify@1.3.0
npm/@toruslabs/bs58@1.0.0
npm/@toruslabs/fnd-base@15.0.0
npm/@toruslabs/constants@15.0.0
npm/expo-application@6.0.2
npm/dunder-proto@1.0.1
npm/math-intrinsics@1.1.0
npm/get-proto@1.0.1
npm/loglevel@1.9.1 ⏵ 1.9.2
npm/expo-linking@7.0.5
npm/call-bind-apply-helpers@1.0.2
npm/es-object-atoms@1.0.0 ⏵ 1.1.1	⁺¹	⁺⁴
npm/call-bound@1.0.4
npm/@sentry/core@9.15.0
npm/expo-crypto@14.0.2
npm/expo-apple-authentication@7.1.3
npm/expo-web-browser@14.0.2
npm/@toruslabs/fetch-node-details@15.0.0
npm/@toruslabs/http-helpers@8.1.1
npm/@toruslabs/eccrypto@6.0.2
npm/expo-auth-session@6.0.3
npm/@metamask/auth-network-utils@0.0.0
npm/@metamask/seedless-onboarding-controller@0.0.0
npm/@metamask/toprf-secure-backup@0.0.0

View full report

socket-security · 2025-05-05T10:35:05Z

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert (click for details)
Block		`npm/@toruslabs/[email protected]` has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → `npm/@toruslabs/[email protected]` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@toruslabs/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`npm/@toruslabs/[email protected]` has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → `npm/@toruslabs/[email protected]` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@toruslabs/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`npm/[email protected]` has Network access. Module: globalThis["fetch"] Location: Package overview From: package.json → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`npm/[email protected]` has a New author. New Author: ljharb Previous Author: From: yarn.lock → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

chaitanyapotti added this to PR review queue Apr 28, 2025

github-project-automation bot moved this to Needs dev review in PR review queue Apr 28, 2025

chaitanyapotti added team-web3auth Web3Auth team area-onboarding labels Apr 28, 2025

chaitanyapotti assigned ieow Apr 28, 2025

chaitanyapotti added the No QA Needed Apply this label when your PR does not need any QA effort. label Apr 28, 2025

chaitanyapotti marked this pull request as ready for review April 29, 2025 09:17

chaitanyapotti requested review from a team as code owners April 29, 2025 09:17

chaitanyapotti changed the title ~~Feat/main seedless onboarding controller integration~~ Adds OAuth Controller required for seedless onboarding Apr 29, 2025

sethkfman reviewed Apr 29, 2025

View reviewed changes

ieow mentioned this pull request Apr 30, 2025

Feat/main UI update #14999

Closed

7 tasks

Cal-L reviewed Apr 30, 2025

View reviewed changes

ieow closed this May 13, 2025

ieow force-pushed the feat/main-seedless-onboarding branch from d61cbbb to 6895dbe Compare May 13, 2025 12:58

github-project-automation bot moved this from Needs dev review to Merged, Closed or Archived in PR review queue May 13, 2025

github-actions bot locked and limited conversation to collaborators May 13, 2025

ieow removed the team-web3auth Web3Auth team label May 13, 2025

ieow changed the title ~~Adds OAuth Controller required for seedless onboarding~~ Adds Controller required for seed May 13, 2025

		@@ -0,0 +1,80 @@
		import { AuthSessionResult } from 'expo-auth-session';

	export const web3AuthNetwork = process.env.Web3AuthNetwork as Web3AuthNetwork;
	export const web3AuthNetwork = process.env.WEB3_AUTH_NETWORK as Web3AuthNetwork;

	throw new Error('Missing environment variables');
	throw new Error('Missing environment variable WEB3_AUTH_NETWORK');

Uh oh!

Adds Controller required for seed #14889

Adds Controller required for seed #14889

Uh oh!

Conversation

ieow commented Apr 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Related issues

Manual testing steps

Screenshots/Recordings

Before

After

Pre-merge author checklist

Pre-merge reviewer checklist

Uh oh!

github-actions bot commented Apr 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ieow commented Apr 28, 2025

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Cal-L left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

socket-security bot commented May 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security bot commented May 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

ieow commented Apr 25, 2025 •

edited

Loading

github-actions bot commented Apr 25, 2025 •

edited

Loading

socket-security bot commented May 5, 2025 •

edited

Loading

socket-security bot commented May 5, 2025 •

edited

Loading