feat: add new method to ingest the OAuth token from social login

and try to use the token for automatic pairing after SRP login

Author: mirceanis

packages/profile-sync-controller/src/controllers/authentication/AuthenticationController.ts

@@ -13,8 +13,8 @@ import type {
 import type { HandleSnapRequest } from '@metamask/snaps-controllers';
 
 import {
-  createSnapPublicKeyRequest,
   createSnapAllPublicKeysRequest,
+  createSnapPublicKeyRequest,
   createSnapSignMessageRequest,
 } from './auth-snap-requests';
 import type { LoginResponse, SRPInterface, UserProfile } from '../../sdk';
@@ -32,6 +32,8 @@ const controllerName = 'AuthenticationController';
 export type AuthenticationControllerState = {
   isSignedIn: boolean;
   srpSessionData?: Record<string, LoginResponse>;
+  socialPairingToken?: string;
+  socialPairingDone?: boolean;
 };
 export const defaultState: AuthenticationControllerState = {
   isSignedIn: false,
@@ -45,6 +47,14 @@ const metadata: StateMetadata<AuthenticationControllerState> = {
     persist: true,
     anonymous: false,
   },
+  socialPairingToken: {
+    persist: true,
+    anonymous: true,
+  },
+  socialPairingDone: {
+    persist: true,
+    anonymous: true,
+  },
 };
 
 // Messenger Actions
@@ -60,6 +70,7 @@ type ActionsObj = CreateActionsObj<
   | 'getBearerToken'
   | 'getSessionProfile'
   | 'isSignedIn'
+  | 'ingestSocialLoginToken'
 >;
 export type Actions =
   | ActionsObj[keyof ActionsObj]
@@ -270,20 +281,27 @@ export default class AuthenticationController extends BaseController<
     const allPublicKeys = await this.#snapGetAllPublicKeys();
     const accessTokens = [];
 
-    // We iterate sequentially in order to be sure that the first entry
+    // We iterate sequentially to be sure that the first entry
     // is the primary SRP LoginResponse.
     for (const [entropySourceId] of allPublicKeys) {
       const accessToken = await this.#auth.getAccessToken(entropySourceId);
       accessTokens.push(accessToken);
     }
 
+    // don't await for the pairing to finish
+    this.#tryPairingWithSocialToken().catch((_) => {
+      // don't care
+    });
+
     return accessTokens;
   }
 
   public performSignOut(): void {
     this.update((state) => {
       state.isSignedIn = false;
       state.srpSessionData = undefined;
+      state.socialPairingToken = undefined;
+      state.socialPairingDone = false;
     });
   }
 
@@ -318,6 +336,47 @@ export default class AuthenticationController extends BaseController<
     return this.state.isSignedIn;
   }
 
+  /**
+   * Stores a social login JWT token in controller state temporarily
+   * until it can be used for pairing.
+   * This token will automatically be removed from state after
+   * successful pairing or during a sign-out request.
+   *
+   * @param token - The JWT token from seedless onboarding OAuth flow
+   */
+  public ingestSocialLoginToken(token: string) {
+    this.update((state) => {
+      state.socialPairingToken = token;
+      state.socialPairingDone = false;
+    });
+  }
+
+  async #tryPairingWithSocialToken(): Promise<void> {
+    console.log(`GIGEL: trying to pair with seedless token`);
+    const { socialPairingToken, socialPairingDone } = this.state;
+    if (socialPairingDone || !socialPairingToken) {
+      console.log(`GIGEL: pairing conditions not met`);
+      return;
+    }
+
+    try {
+      console.log(`GIGEL: pairing with seedless token ${socialPairingToken}`);
+      if (await this.#auth.pairSocialIdentifier(socialPairingToken)) {
+        console.log(`GIGEL: successfully paired with seedless onboarding token`);
+        this.update((state) => {
+          state.socialPairingDone = true;
+          state.socialPairingToken = undefined;
+        });
+      } else {
+        console.log(`GIGEL: pairing with seedless token failed`);
+        // ignore the error
+      }
+    } catch (error) {
+      console.error('GIGEL: Failed to pair identifiers:', error);
+      // ignore the error
+    }
+  }
+
   /**
    * Returns the auth snap public key.
    *

packages/profile-sync-controller/src/sdk/authentication-jwt-bearer/flow-srp.ts

@@ -1,17 +1,23 @@
 import type { Eip1193Provider } from 'ethers';
 
-import { authenticate, authorizeOIDC, getNonce } from './services';
+import {
+  authenticate,
+  authorizeOIDC,
+  getNonce,
+  PAIR_SOCIAL_IDENTIFIER,
+} from './services';
 import type {
   AuthConfig,
   AuthSigningOptions,
   AuthStorageOptions,
-  AuthType,
+  ErrorMessage,
   IBaseAuth,
   LoginResponse,
   UserProfile,
 } from './types';
+import { AuthType } from './types';
 import type { MetaMetricsAuth } from '../../shared/types/services';
-import { ValidationError } from '../errors';
+import { PairError, ValidationError } from '../errors';
 import { getMetaMaskProviderEIP6963 } from '../utils/eip-6963-metamask-provider';
 import {
   MESSAGE_SIGNING_SNAP,
@@ -201,4 +207,63 @@ export class SRPJwtBearerAuth implements IBaseAuth {
   ): `metamask:${string}:${string}` {
     return `metamask:${nonce}:${publicKey}` as const;
   }
+
+  async pairSocialIdentifier(jwt: string): Promise<boolean> {
+    console.log(
+      `GIGEL: pairing primary SRP with social token ${jwt}`,
+    );
+
+    const { env, platform } = this.#config;
+
+    // Exchange the social token with an access token
+    console.log(`GIGEL: exchanging social token for access token`);
+    const tokenResponse = await authorizeOIDC(jwt, env, platform);
+    console.log(`GIGEL: obtained access token ${tokenResponse.accessToken}`);
+
+    // Prepare the SRP signature
+    const identifier = await this.getIdentifier();
+    const profile = await this.getUserProfile();
+    const n = await getNonce(profile.profileId, env);
+    console.log(
+      `GIGEL: pairing social token with profile ${profile.profileId} with nonce ${n.nonce}`,
+    );
+    const raw = `metamask:${n.nonce}:${identifier}`;
+    const sig = await this.signMessage(raw);
+    const primaryIdentifierSignature = {
+      signature: sig,
+      raw_message: raw,
+      identifier_type: AuthType.SRP,
+      encrypted_storage_key: '', // Not yet part of this flow, so we leave it empty
+    };
+
+    const pairUrl = new URL(PAIR_SOCIAL_IDENTIFIER(env));
+
+    try {
+      const response = await fetch(pairUrl, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          Authorization: `Bearer ${tokenResponse.accessToken}`,
+        },
+        body: JSON.stringify({
+          nonce: n.nonce,
+          login: primaryIdentifierSignature,
+        }),
+      });
+
+      if (!response.ok) {
+        const responseBody = (await response.json()) as ErrorMessage;
+        throw new Error(
+          `HTTP error message: ${responseBody.message}, error: ${responseBody.error}`,
+        );
+      }
+    } catch (e) {
+      /* istanbul ignore next */
+      const errorMessage =
+        e instanceof Error ? e.message : JSON.stringify(e ?? '');
+      throw new PairError(`unable to pair identifiers: ${errorMessage}`);
+    }
+
+    return false;
+  }
 }

packages/profile-sync-controller/src/sdk/authentication-jwt-bearer/services.ts

@@ -16,6 +16,9 @@ export const NONCE_URL = (env: Env) =>
 export const PAIR_IDENTIFIERS = (env: Env) =>
   `${getEnvUrls(env).authApiUrl}/api/v2/identifiers/pair`;
 
+export const PAIR_SOCIAL_IDENTIFIER = (env: Env) =>
+  `${getEnvUrls(env).authApiUrl}/api/v2/identifiers/pair/social`;
+
 export const OIDC_TOKEN_URL = (env: Env) =>
   `${getEnvUrls(env).oidcApiUrl}/oauth2/token`;
 

packages/profile-sync-controller/src/sdk/authentication.ts

@@ -109,6 +109,11 @@ export class JwtBearerAuth implements SIWEInterface, SRPInterface {
     await pairIdentifiers(n.nonce, logins, accessToken, this.#env);
   }
 
+  async pairSocialIdentifier(jwt: string): Promise<boolean> {
+    this.#assertSRP(this.#type, this.#sdk);
+    return await this.#sdk.pairSocialIdentifier(jwt);
+  }
+
   prepare(signer: {
     address: string;
     chainId: number;