fix: Strip accessToken from AuthenticationController state logs

The metadata property was recently added to the
`AuthenticationController` in #6470, but we forgot to strip out the
`accessToken`. This is currently being stripped from state logs in both
clients.

The metadata was updated to strip out this token. Additionally, some
improvements were added to the metadata snapshot tests to ensure that
all properties are represented in the fixture state.

The `@metamask/utils` package was added as a dependency because the
new metadata state deriver uses `Json` in its signature, so that type
is now used in the exported types for this package.

Author: Gudahtt

packages/base-controller/src/BaseController.ts

@@ -394,6 +394,7 @@ export function deriveStateFromMetadata<
   metadata: StateMetadata<ControllerState>,
   metadataProperty: keyof StatePropertyMetadata<Json>,
 ): Record<keyof ControllerState, Json> {
+  // Cast to keyof ControllerState because `Object.keys` erases index type, returning string
   return (Object.keys(state) as (keyof ControllerState)[]).reduce<
     Record<keyof ControllerState, Json>
   >((derivedState, key) => {

packages/profile-sync-controller/package.json

@@ -103,6 +103,7 @@
     "@metamask/base-controller": "^8.3.0",
     "@metamask/snaps-sdk": "^9.0.0",
     "@metamask/snaps-utils": "^11.0.0",
+    "@metamask/utils": "^11.4.2",
     "@noble/ciphers": "^1.3.0",
     "@noble/hashes": "^1.8.0",
     "immer": "^9.0.6",

packages/profile-sync-controller/src/controllers/authentication/AuthenticationController.test.ts

@@ -14,6 +14,7 @@ import type { LoginResponse } from '../../sdk';
 import { Platform } from '../../sdk';
 import { arrangeAuthAPIs } from '../../sdk/__fixtures__/auth';
 import { MOCK_USER_PROFILE_LINEAGE_RESPONSE } from '../../sdk/mocks/auth';
+import { hasProperty } from '@metamask/utils';
 
 const MOCK_ENTROPY_SOURCE_IDS = [
   'MOCK_ENTROPY_SOURCE_ID',
@@ -543,6 +544,7 @@ describe('metadata', () => {
     const controller = new AuthenticationController({
       messenger: createMockAuthenticationMessenger().messenger,
       metametrics: createMockAuthMetaMetrics(),
+      state: mockSignedInState(),
     });
 
     expect(
@@ -553,41 +555,114 @@ describe('metadata', () => {
       ),
     ).toMatchInlineSnapshot(`
       Object {
-        "isSignedIn": false,
+        "isSignedIn": true,
       }
     `);
   });
 
-  it('includes expected state in state logs', () => {
-    const controller = new AuthenticationController({
-      messenger: createMockAuthenticationMessenger().messenger,
-      metametrics: createMockAuthMetaMetrics(),
-    });
+  describe('includeInStateLogs', () => {
+    it('includes expected state in state logs, with access token stripped out', () => {
+      const controller = new AuthenticationController({
+        messenger: createMockAuthenticationMessenger().messenger,
+        metametrics: createMockAuthMetaMetrics(),
+        state: mockSignedInState(),
+      });
 
-    expect(
-      deriveStateFromMetadata(
+      const derivedState = deriveStateFromMetadata(
         controller.state,
         controller.metadata,
         'includeInStateLogs',
-      ),
-    ).toMatchInlineSnapshot(`
-      Object {
-        "isSignedIn": false,
-      }
-    `);
+      );
+
+      expect(derivedState).toMatchInlineSnapshot(`
+        Object {
+          "isSignedIn": true,
+          "srpSessionData": Object {
+            "MOCK_ENTROPY_SOURCE_ID": Object {
+              "profile": Object {
+                "identifierId": "da9a9fc7b09edde9cc23cec9b7e11a71fb0ab4d2ddd8af8af905306f3e1456fb",
+                "metaMetricsId": "561ec651-a844-4b36-a451-04d6eac35740",
+                "profileId": "f88227bd-b615-41a3-b0be-467dd781a4ad",
+              },
+              "token": Object {
+                "expiresIn": 1757528159922,
+                "obtainedAt": 0,
+              },
+            },
+            "MOCK_ENTROPY_SOURCE_ID2": Object {
+              "profile": Object {
+                "identifierId": "da9a9fc7b09edde9cc23cec9b7e11a71fb0ab4d2ddd8af8af905306f3e1456fb",
+                "metaMetricsId": "561ec651-a844-4b36-a451-04d6eac35740",
+                "profileId": "f88227bd-b615-41a3-b0be-467dd781a4ad",
+              },
+              "token": Object {
+                "expiresIn": 1757528159922,
+                "obtainedAt": 0,
+              },
+            },
+          },
+        }
+      `);
+    });
+
+    it('returns expected state in state logs when srpSessionData is unset', () => {
+      const controller = new AuthenticationController({
+        messenger: createMockAuthenticationMessenger().messenger,
+        metametrics: createMockAuthMetaMetrics(),
+      });
+
+      expect(
+        deriveStateFromMetadata(
+          controller.state,
+          controller.metadata,
+          'includeInStateLogs',
+        ),
+      ).toMatchInlineSnapshot(`
+        Object {
+          "isSignedIn": false,
+        }
+      `);
+    });
   });
 
   it('persists expected state', () => {
     const controller = new AuthenticationController({
       messenger: createMockAuthenticationMessenger().messenger,
       metametrics: createMockAuthMetaMetrics(),
+      state: mockSignedInState(),
     });
 
     expect(
       deriveStateFromMetadata(controller.state, controller.metadata, 'persist'),
     ).toMatchInlineSnapshot(`
       Object {
-        "isSignedIn": false,
+        "isSignedIn": true,
+        "srpSessionData": Object {
+          "MOCK_ENTROPY_SOURCE_ID": Object {
+            "profile": Object {
+              "identifierId": "da9a9fc7b09edde9cc23cec9b7e11a71fb0ab4d2ddd8af8af905306f3e1456fb",
+              "metaMetricsId": "561ec651-a844-4b36-a451-04d6eac35740",
+              "profileId": "f88227bd-b615-41a3-b0be-467dd781a4ad",
+            },
+            "token": Object {
+              "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
+              "expiresIn": 1757528159923,
+              "obtainedAt": 0,
+            },
+          },
+          "MOCK_ENTROPY_SOURCE_ID2": Object {
+            "profile": Object {
+              "identifierId": "da9a9fc7b09edde9cc23cec9b7e11a71fb0ab4d2ddd8af8af905306f3e1456fb",
+              "metaMetricsId": "561ec651-a844-4b36-a451-04d6eac35740",
+              "profileId": "f88227bd-b615-41a3-b0be-467dd781a4ad",
+            },
+            "token": Object {
+              "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
+              "expiresIn": 1757528159923,
+              "obtainedAt": 0,
+            },
+          },
+        },
       }
     `);
   });
@@ -596,6 +671,7 @@ describe('metadata', () => {
     const controller = new AuthenticationController({
       messenger: createMockAuthenticationMessenger().messenger,
       metametrics: createMockAuthMetaMetrics(),
+      state: mockSignedInState(),
     });
 
     expect(
@@ -606,7 +682,33 @@ describe('metadata', () => {
       ),
     ).toMatchInlineSnapshot(`
       Object {
-        "isSignedIn": false,
+        "isSignedIn": true,
+        "srpSessionData": Object {
+          "MOCK_ENTROPY_SOURCE_ID": Object {
+            "profile": Object {
+              "identifierId": "da9a9fc7b09edde9cc23cec9b7e11a71fb0ab4d2ddd8af8af905306f3e1456fb",
+              "metaMetricsId": "561ec651-a844-4b36-a451-04d6eac35740",
+              "profileId": "f88227bd-b615-41a3-b0be-467dd781a4ad",
+            },
+            "token": Object {
+              "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
+              "expiresIn": 1757528159924,
+              "obtainedAt": 0,
+            },
+          },
+          "MOCK_ENTROPY_SOURCE_ID2": Object {
+            "profile": Object {
+              "identifierId": "da9a9fc7b09edde9cc23cec9b7e11a71fb0ab4d2ddd8af8af905306f3e1456fb",
+              "metaMetricsId": "561ec651-a844-4b36-a451-04d6eac35740",
+              "profileId": "f88227bd-b615-41a3-b0be-467dd781a4ad",
+            },
+            "token": Object {
+              "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
+              "expiresIn": 1757528159924,
+              "obtainedAt": 0,
+            },
+          },
+        },
       }
     `);
   });

packages/profile-sync-controller/src/controllers/authentication/AuthenticationController.ts

@@ -11,6 +11,7 @@ import type {
   KeyringControllerUnlockEvent,
 } from '@metamask/keyring-controller';
 import type { HandleSnapRequest } from '@metamask/snaps-controllers';
+import type { Json } from '@metamask/utils';
 
 import {
   createSnapPublicKeyRequest,
@@ -49,7 +50,27 @@ const metadata: StateMetadata<AuthenticationControllerState> = {
     usedInUi: true,
   },
   srpSessionData: {
-    includeInStateLogs: true,
+    // Remove access token from state logs
+    includeInStateLogs: (srpSessionData) => {
+      // Using non-null assertion here to assert that it's not undefined, because if it was, this
+      // wouldn't get called.
+      // The type includes `| undefined` only because we don't yet use `strictOptionalTypes`
+      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+      return Object.entries(srpSessionData!).reduce<Record<string, Json>>(
+        (sanitizedSrpSessionData, [key, value]) => {
+          const token: Partial<(typeof value)['token']> = {
+            ...value.token,
+          };
+          delete token.accessToken;
+          sanitizedSrpSessionData[key] = {
+            ...value,
+            token,
+          };
+          return sanitizedSrpSessionData;
+        },
+        {},
+      );
+    },
     persist: true,
     anonymous: false,
     usedInUi: true,

yarn.lock

@@ -4263,6 +4263,7 @@ __metadata:
     "@metamask/snaps-controllers": "npm:^14.0.1"
     "@metamask/snaps-sdk": "npm:^9.0.0"
     "@metamask/snaps-utils": "npm:^11.0.0"
+    "@metamask/utils": "npm:^11.4.2"
     "@noble/ciphers": "npm:^1.3.0"
     "@noble/hashes": "npm:^1.8.0"
     "@types/jest": "npm:^27.4.1"