feat: add gator permissions controller #6033
Conversation
...es/gator-permissions-controller/src/GatorPermissionsController/GatorPermissionsController.ts
Outdated
Show resolved
Hide resolved
V00D00-child
changed the title
V00D00-child
force-pushed
the
feat/add-gator-permissions-controller
branch
from
cbf1238 to
22ab42d
Compare
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
…schema enforcement has been deprecated
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
…t directly to gator-snap
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
| const defaultGatorPermissionsList: GatorPermissionsList = { | ||
| 'native-token-stream': {}, | ||
| 'native-token-periodic': {}, | ||
| 'erc20-token-stream': {}, |
There was a problem hiding this comment.
Yeah, need to add that type. Started building this controller before type was supported in gator-snap.
| Erc20TokenStreamPermission | ||
| >, | ||
| ); | ||
| break; |
There was a problem hiding this comment.
erc20-token-periodic missing here as well and at other instances where needed
| break; | ||
| default: | ||
| throw new Error( | ||
| `Unsupported permission type: ${permissionType as string}`, |
There was a problem hiding this comment.
Will we always have to update the controller for a new permission type? I believe the plan is also to support developer creating custom permissions which will have type 'custom' and will then need to provide a name. I think it still makes sense to save those permissions and display to the user."
Tagging @jeffsmale90 who should have more info on this.
There was a problem hiding this comment.
Permission types defined by a third party would likely not be shown here.
It does feel like a reasonably large amount of overhead for surfacing permission types here for revocation.
A couple thoughts:
- can we generalise this logic so that we're not having to duplicate it for every type?
- do we want to have a case for permission types that don't fall into any of the "known" categories? It feels like there's a possibility that a user could grant a permission that the extension doesn't know how to format - we probably don't want to fail, or hide that permission. Maybe group them into "Other" permission types?
There was a problem hiding this comment.
We will likely need to update this controller for any new permission type that we support in gator-snap to keep this controller in sync.
can we generalise this logic so that we're not having to duplicate it for every type?
Yeah, I can take a look at that.
do we want to have a case for permission types that don't fall into any of the "known" categories? It feels like there's a possibility that a user could grant a permission that the extension doesn't know how to format - we probably don't want to fail, or hide that permission. Maybe group them into "Other" permission types?
I intentionally left that out, but I can update the default statement to serve as a catch-all for all custom types. The key in GatorPermissionsList for the see custom permissions type can be "other" or "custom and will have a known type.
There was a problem hiding this comment.
Nice - yeah, I think framing these as "Legitimate permissions where we don't have details of the type" makes sense, so "other' works. I imagine we should be able to type the value as the base permission type at least.
For these permissions, we should figure out how to present enough information to the user that they can at least recognise the permission, and revoke it if they wish to.
| /** | ||
| * Boolean value that allows DApp to define whether the permission can be attenuated–adjusted to meet the user’s terms. | ||
| */ | ||
| isAdjustmentAllowed: boolean; |
There was a problem hiding this comment.
possibly a parameter we don't need to save
There was a problem hiding this comment.
We stored the entire permission response, so if we want to remove this data, we will need to make the change on gator-snap first before making that change in this controller.
There was a problem hiding this comment.
Not strictly true, we can remove it here, and it won't matter that it's included on any data.
These types only need to be sufficiently expressive to capture any data that we show to the user, or otherwise use in the controller.
If we don't show any of the permission specific typed data, we could tighten these up to be a single type shared across all permissions. (I suspect we will need to show permission specific data, such as for how much the allowance is).
github-project-automation
bot
moved this from Needs dev review
to Needs more work from the author
in PR review queue
There was a problem hiding this comment.
Bug: ERC20 Token Missing Periodic Permission Type
The Erc20TokenPeriodicPermission type definition is missing and not included in the PermissionTypes union. Consequently, the GatorPermissionsList type also lacks the 'erc20-token-periodic' key. This creates an inconsistency where native tokens support both stream and periodic permissions, but ERC20 tokens only support stream.
packages/gator-permissions-controller/src/types.ts#L56-L61
core/packages/gator-permissions-controller/src/types.ts
Lines 56 to 61 in 746a079
packages/gator-permissions-controller/src/types.ts#L178-L198
core/packages/gator-permissions-controller/src/types.ts
Lines 178 to 198 in 746a079
Bug: Missing Permission Type Handling
The #categorizePermissionsDataByTypeAndChainId method in GatorPermissionsController.ts is missing a case for the 'erc20-token-periodic' permission type in its switch statement. This causes permissions of this type to fall into the default case, resulting in an "Unsupported permission type" error.
packages/gator-permissions-controller/src/GatorPermissionsController.ts#L334-L373
core/packages/gator-permissions-controller/src/GatorPermissionsController.ts
Lines 334 to 373 in 746a079
Was this report helpful? Give feedback by reacting with 👍 or 👎
| }; | ||
|
|
||
| /** | ||
| * Represents a list of gator permissions filtered by permission type. |
There was a problem hiding this comment.
| * Represents a list of gator permissions filtered by permission type. | |
| * Represents a list of gator permissions grouped by permission type. |
| break; | ||
| default: | ||
| throw new Error( | ||
| `Unsupported permission type: ${permissionType as string}`, |
There was a problem hiding this comment.
Permission types defined by a third party would likely not be shown here.
It does feel like a reasonably large amount of overhead for surfacing permission types here for revocation.
A couple thoughts:
- can we generalise this logic so that we're not having to duplicate it for every type?
- do we want to have a case for permission types that don't fall into any of the "known" categories? It feels like there's a possibility that a user could grant a permission that the extension doesn't know how to format - we probably don't want to fail, or hide that permission. Maybe group them into "Other" permission types?
| /** | ||
| * Represents a list of gator permissions filtered by permission type and chainId. | ||
| */ | ||
| export type GatorPermissionsList = { |
There was a problem hiding this comment.
Point 2 is a bit of a nit, but I think point 1 is more important. GatorPermissionsList isn't really a list.
- It's actually a much more complex object - map of permission type, to map of chainId to permissions
- The leaf on the data type isn't really a list, it's an array
There was a problem hiding this comment.
Also inverting the relationship between GatorPermissionsList and SupportedGatorPermissionsType will make this much more concise; you can define a map from SupportedGatorPermissionType to chainId-> permission once (maybe with a generic).
| anonymous: false, | ||
| }, | ||
| gatorPermissionsListStringify: { | ||
| persist: true, |
There was a problem hiding this comment.
I assume that persist: true means this data is stored locally (in some sort of extension storage?), and fetched from the profile sync as needed - given that, loading the "All Permissions" page is incredibly slow, whether navigating to the page for the first time, or navigating back from the specific permission.
Is my assumption correct? Given the above experience, is this working as expected?
| break; | ||
| default: | ||
| throw new Error( | ||
| `Unsupported permission type: ${permissionType as string}`, |
There was a problem hiding this comment.
Nice - yeah, I think framing these as "Legitimate permissions where we don't have details of the type" makes sense, so "other' works. I imagine we should be able to type the value as the base permission type at least.
For these permissions, we should figure out how to present enough information to the user that they can at least recognise the permission, and revoke it if they wish to.
| return JSON.stringify(gatorPermissionsList); | ||
| } catch (error) { | ||
| log('Failed to serialize gator permissions list', error); | ||
| throw error; |
There was a problem hiding this comment.
Can we throw a new Error with more details?
throw new Error("Failed to serialize gator permissions", { cause: error });
This will make it easier to track down the actual meaning of the error, without having to dig into the stack trace.
| return JSON.parse(gatorPermissionsList); | ||
| } catch (error) { | ||
| log('Failed to deserialize gator permissions list', error); | ||
| throw error; |
There was a problem hiding this comment.
Can we throw a new Error with more details?
throw new Error("Failed to deserialize gator permissions", { cause: error });
This will make it easier to track down the actual meaning of the error, without having to dig into the stack trace.
There was a problem hiding this comment.
We should come up with a minimization and mitigation strategy for corrupted permission data.
I believe we're storing the permissions separately in profile sync, which is a good start! Can we store them separately in the gator-permissions-controller state too, so that a single corrupted permission doesn't result in corrupting the entire dataset?
How do we recover from this error? Can we refetch from profile sync?
| /** | ||
| * Represents a list of gator permissions filtered by permission type and chainId. | ||
| */ | ||
| export type GatorPermissionsList = { |
There was a problem hiding this comment.
Also inverting the relationship between GatorPermissionsList and SupportedGatorPermissionsType will make this much more concise; you can define a map from SupportedGatorPermissionType to chainId-> permission once (maybe with a generic).
| /** | ||
| * JSON serialized object containing gator permissions fetched from profile sync indexed by permission type | ||
| */ | ||
| gatorPermissionsListStringify: string; |
There was a problem hiding this comment.
nit: I'm not a huge fan of Stringify as a suffix to denote Serialized. It's a verb, and just generally a big funny.
I think gatorPermissionsListSerialized would be more meaningful.
There was a problem hiding this comment.
Additionally, must this be a string? Can we not store a complex object in the controller state?
| /** | ||
| * Boolean value that allows DApp to define whether the permission can be attenuated–adjusted to meet the user’s terms. | ||
| */ | ||
| isAdjustmentAllowed: boolean; |
There was a problem hiding this comment.
Not strictly true, we can remove it here, and it won't matter that it's included on any data.
These types only need to be sufficiently expressive to capture any data that we show to the user, or otherwise use in the controller.
If we don't show any of the permission specific typed data, we could tighten these up to be a single type shared across all permissions. (I suspect we will need to show permission specific data, such as for how much the allowance is).
| }; | ||
|
|
||
| const mockNativeTokenPeriodicStorageEntry: StoredGatorPermission< | ||
| AccountSigner, |
There was a problem hiding this comment.
nit: I enjoy generic parameters named with a T prefix denoting that they are a generic Type.
It can become harder to grok, especially when it's amongst concrete types.
I'll comment just here, but there's a couple of generic parameters to which this applies.
Explanation
@metamask/gator-permissions-controller
Current State and Why Change is Needed
MetaMask clients currently lack a dedicated system for managing gator permissions that are stored to profile sync via the
@metamask/gator-permissions-snap.Solution and How It Works
This change introduces a new
@metamask/gator-permissions-controllerpackage that provides a comprehensive solution for managing gator permissions in MetaMask clients with gator-snap integration.Changes That Might Not Be Obvious
stateuses JSON serialization for storing permission data fetched from@metamask/gator-permissions-snap, which allows for efficient storage and retrieval while maintaining data integrity. The deserialize permission data is represented as a list of gator permissions filtered by permission type and chainId.Package Dependencies and Integration
The new package depends on
@metamask/snaps-controllersas a peer dependency, ensuring it can leverage sending RPC requests to an installed Metamask Snap. This integration allows theGatorPermissionsControllerto forward requests to@metamask/gator-permissions-snapto fetch users' Gator permissions that have been stored in the MetaMask Profile Sync service.The
@metamask/gator-permissions-snapwill take on the responsibility of authenticating with MetaMask Profile Sync service using anSRPidentifier via integration with@metamask/message-signing-snap.No Dependency Upgrades Required
This is a new package that introduces new functionality without requiring changes to existing dependencies. The package uses the current stable versions of
@metamask/base-controller,@metamask/utils,@metamask/snaps-sdk, and@metamask/snaps-utilsfollowing the established patterns in the MetaMask codebase.References
Related to(MM snap-7715-permissions): Persisting Granted Permissions with MM Profile Sync
Requires(MM snap-7715-permissions):Add new permissionsProvider_getGrantedPermissions RPC
Required by(MM Extension): MetaMask/metamask-extension#33996
Gator Permissions Data Flow
graph TD %% dApp flow for storing permissions A[dApp<br/>client side RPC] -->|RPC| GPS[gator-permissions-snap] C -->|WRITE| D[(permissions stored<br/>across all sites)] %% User flow for reading permissions E[user<br/>permissions page] -->|UI| F[MM client] F -->|submitRequestToBackground| G[GatorPermissionsController] G --> MSYS[messagingSystem] MSYS -->|handleRequest| SC[SnapController] SC -->|RPC| GPS C -->|READ| D %% SRP Auth GPS -->|OAuth 2.0 Auth| MS[message-signing-snap] MS -->|SRP identifier & signature| C[profile sync service] %% Styling classDef dappStyle fill:#e1f5fe,stroke:#01579b,stroke-width:2px classDef userStyle fill:#f3e5f5,stroke:#4a148c,stroke-width:2px classDef serviceStyle fill:#e8f5e8,stroke:#1b5e20,stroke-width:2px classDef dataStyle fill:#fff3e0,stroke:#e65100,stroke-width:2px classDef authStyle fill:#ffebee,stroke:#c62828,stroke-width:2px classDef systemStyle fill:#fce4ec,stroke:#ad1457,stroke-width:2px class A dappStyle class E,F userStyle class GPS,C serviceStyle class D dataStyle class MS authStyle class G,MSYS,SC systemStyleChecklist