feat(authentication-controller): prevent login race conditions (MetaMask#6353)

## Explanation

This PR adds a deferred login mechanism to `SRPJwtBearerAuth` that
prevents race conditions when multiple concurrent authentication
attempts occur. The implementation uses Promise caching to ensure only
one login operation executes at a time, with subsequent concurrent calls
sharing the same Promise result.

Changes:

- Extract login logic into dedicated `#performLogin` method
- Add `#deferredLogin` method with Promise map caching for race
condition prevention

## References

Related to: https://consensyssoftware.atlassian.net/browse/MUL-641

## Checklist

- [x] I've updated the test suite for new or updated code as appropriate
- [x] I've updated documentation (JSDoc, Markdown, etc.) for new or
updated code as appropriate
- [x] I've communicated my changes to consumers by [updating changelogs
for packages I've
changed](https://github.com/MetaMask/core/tree/main/docs/contributing.md#updating-changelogs),
highlighting breaking changes as necessary
- [ ] I've prepared draft pull requests for clients and consumer
packages to resolve any breaking changes

Author: mathieuartu

packages/profile-sync-controller/CHANGELOG.md

@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Implement deferred login pattern in `SRPJwtBearerAuth` to prevent race conditions during concurrent authentication attempts ([#6353](https://github.com/MetaMask/core/pull/6353))
+  - Add `#deferredLogin` method that ensures only one login operation executes at a time using Promise map caching
+
 ## [24.0.0]
 
 ### Added

packages/profile-sync-controller/src/sdk/authentication-jwt-bearer/flow-srp.ts

@@ -68,6 +68,9 @@ export class SRPJwtBearerAuth implements IBaseAuth {
 
   readonly #metametrics?: MetaMetricsAuth;
 
+  // Map to store ongoing login promises by entropySourceId
+  readonly #ongoingLogins = new Map<string, Promise<LoginResponse>>();
+
   #customProvider?: Eip1193Provider;
 
   constructor(
@@ -169,6 +172,11 @@ export class SRPJwtBearerAuth implements IBaseAuth {
   }
 
   async #login(entropySourceId?: string): Promise<LoginResponse> {
+    // Use a deferred login to avoid race conditions
+    return await this.#deferredLogin(entropySourceId);
+  }
+
+  async #performLogin(entropySourceId?: string): Promise<LoginResponse> {
     // Nonce
     const publicKey = await this.getIdentifier(entropySourceId);
     const nonceRes = await getNonce(publicKey, this.#config.env);
@@ -206,6 +214,32 @@ export class SRPJwtBearerAuth implements IBaseAuth {
     return result;
   }
 
+  async #deferredLogin(entropySourceId?: string): Promise<LoginResponse> {
+    // Use a key that accounts for undefined entropySourceId
+    const loginKey = entropySourceId ?? '__default__';
+
+    // Check if there's already an ongoing login for this entropySourceId
+    const existingLogin = this.#ongoingLogins.get(loginKey);
+    if (existingLogin) {
+      return existingLogin;
+    }
+
+    // Create a new login promise
+    const loginPromise = this.#performLogin(entropySourceId);
+
+    // Store the promise in the map
+    this.#ongoingLogins.set(loginKey, loginPromise);
+
+    try {
+      // Wait for the login to complete
+      const result = await loginPromise;
+      return result;
+    } finally {
+      // Always clean up the ongoing login promise when done
+      this.#ongoingLogins.delete(loginKey);
+    }
+  }
+
   #createSrpLoginRawMessage(
     nonce: string,
     publicKey: string,

packages/profile-sync-controller/src/sdk/authentication.test.ts

@@ -4,6 +4,7 @@ import { arrangeAuthAPIs } from './__fixtures__/auth';
 import type { MockVariable } from './__fixtures__/test-utils';
 import { arrangeAuth, arrangeMockProvider } from './__fixtures__/test-utils';
 import { JwtBearerAuth } from './authentication';
+import * as AuthServices from './authentication-jwt-bearer/services';
 import type { LoginResponse, Pair } from './authentication-jwt-bearer/types';
 import {
   NonceRetrievalError,
@@ -196,6 +197,63 @@ describe('Authentication - SRP Flow - getAccessToken(), getUserProfile() & getUs
     expect(mockUserProfileLineageUrl.isDone()).toBe(true);
   });
 
+  it('prevents race conditions with concurrent login attempts', async () => {
+    const { auth, mockGetLoginResponse } = arrangeAuth('SRP', MOCK_SRP);
+
+    // Mock expired token that will force re-authentication on the 4th call
+    const expiredToken = createMockStoredProfile();
+    expiredToken.token.expiresIn = 1; // 1 second expiration
+    expiredToken.token.obtainedAt = Date.now() - 2000; // 2 seconds ago (expired)
+
+    // First call returns null (no cached session), subsequent calls return expired token
+    mockGetLoginResponse
+      .mockResolvedValueOnce(null)
+      .mockResolvedValue(expiredToken);
+
+    arrangeAuthAPIs();
+
+    // Spy on the service methods to count how many times they're called
+    const getNonceSpy = jest.spyOn(AuthServices, 'getNonce');
+    const authenticateSpy = jest.spyOn(AuthServices, 'authenticate');
+    const authorizeOIDCSpy = jest.spyOn(AuthServices, 'authorizeOIDC');
+
+    // Make three concurrent login attempts
+    const loginPromise1 = auth.getAccessToken();
+    const loginPromise2 = auth.getAccessToken();
+    const loginPromise3 = auth.getAccessToken();
+
+    // Wait for all promises to resolve
+    const [token1, token2, token3] = await Promise.all([
+      loginPromise1,
+      loginPromise2,
+      loginPromise3,
+    ]);
+
+    // All should return the same token
+    expect(token1).toBe(MOCK_ACCESS_JWT);
+    expect(token2).toBe(MOCK_ACCESS_JWT);
+    expect(token3).toBe(MOCK_ACCESS_JWT);
+
+    // Verify that each service was called exactly once despite three concurrent requests
+    expect(getNonceSpy).toHaveBeenCalledTimes(1);
+    expect(authenticateSpy).toHaveBeenCalledTimes(1);
+    expect(authorizeOIDCSpy).toHaveBeenCalledTimes(1);
+
+    // After the concurrent promises resolve, make another call with expired token
+    // This should trigger a second login because the cached token is expired
+    const token4 = await auth.getAccessToken();
+    expect(token4).toBe(MOCK_ACCESS_JWT);
+
+    // Service methods should now have been called twice (initial login + expired token refresh)
+    expect(getNonceSpy).toHaveBeenCalledTimes(2);
+    expect(authenticateSpy).toHaveBeenCalledTimes(2);
+    expect(authorizeOIDCSpy).toHaveBeenCalledTimes(2);
+
+    getNonceSpy.mockRestore();
+    authenticateSpy.mockRestore();
+    authorizeOIDCSpy.mockRestore();
+  });
+
   it('the SRP signIn failed: nonce error', async () => {
     const { auth } = arrangeAuth('SRP', MOCK_SRP);