feat: integrate AuthenticationController for bearer token handling in…#8843
Merged
Conversation
fb101e4 to
47ab3ba
Compare
47ab3ba to
30578d8
Compare
Contributor
Author
|
@metamaskbot publish-previews |
Contributor
|
Preview builds have been published. Learn how to use preview builds in other projects. Expand for full list of packages and versions. |
amitabh94
approved these changes
May 19, 2026
pull Bot
pushed a commit
to Reality2byte/core
that referenced
this pull request
May 20, 2026
## Explanation Release 993.0.0 — two packages: - **`@metamask/ramps-controller`** `13.3.1` → **`14.0.0`** (major) - **`@metamask/transaction-pay-controller`** `22.6.1` → **`22.6.2`** (patch) `ramps-controller@14.0.0` ships MetaMask#8843, which authenticates `getBuyWidgetUrl` by requiring `AuthenticationController:getBearerToken` on its messenger. That's a breaking messenger-contract change, so major. `transaction-pay-controller@22.6.2` is a no-code-change patch that bumps its dep range on `ramps-controller` from `^13.3.1` to `^14.0.0`. Included to keep the dependency graph current and avoid duplicate `ramps-controller` copies in consumer node_modules. Its code doesn't touch any of the breaking surface. ## References - Feature PR: MetaMask#8843 - Mobile adoption (draft): MetaMask/metamask-mobile#30319 ## Checklist - [x] I've updated the test suite for new or updated code as appropriate - [x] I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate - [x] I've communicated my changes to consumers by [updating changelogs for packages I've changed](https://github.com/MetaMask/core/tree/main/docs/processes/updating-changelogs.md) - [x] I've introduced [breaking changes](https://github.com/MetaMask/core/tree/main/docs/processes/breaking-changes.md) in this PR and have prepared draft pull requests for clients and consumer packages to resolve them <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Moderate risk because this release includes a **breaking** `@metamask/ramps-controller` messenger-contract change requiring consumers to delegate `AuthenticationController:getBearerToken` before calling `getBuyWidgetUrl`. The rest is version/changelog/dependency range updates with minimal runtime impact. > > **Overview** > Bumps the monorepo release version to `993.0.0` and publishes `@metamask/ramps-controller` `14.0.0` (major) and `@metamask/transaction-pay-controller` `22.6.2` (patch). > > `ramps-controller@14.0.0` documents a **breaking** change requiring `RampsServiceMessenger` consumers to delegate `AuthenticationController:getBearerToken`, and adds bearer-token authentication for `getBuyWidgetUrl` plus a new runtime dependency on `@metamask/profile-sync-controller`. > > `transaction-pay-controller@22.6.2` is a dependency-only update to consume `@metamask/ramps-controller@^14.0.0`, with corresponding `yarn.lock` updates. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit b8f2fe6. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: Darius Costolas <10818970+meltingice1337@users.noreply.github.com>
4 tasks
pull Bot
pushed a commit
to dmrazzy/core
that referenced
this pull request
Jun 3, 2026
MetaMask#8888) ## Explanation The ramps API is gating more endpoints behind bearer-token authentication. PR MetaMask#8843 introduced the auth plumbing on `RampsService` (`#getRequestHeaders`, messenger delegation of `AuthenticationController:getBearerToken`, runtime dependency on `@metamask/profile-sync-controller`) and applied it to `getBuyWidgetUrl`. Two more endpoints — `getPaymentMethods` and `getQuotes` — now also require auth upstream, so without a bearer token these calls will start failing and break the Buy flow. This PR extends the existing auth pattern to those two endpoints: - `getPaymentMethods` awaits `#getRequestHeaders()` once before dispatching the request through `#policy.execute`, and passes the resulting `Authorization: Bearer <token>` header to `#fetch`. - `getQuotes` does the same. - Token retrieval happens outside the retry/circuit-breaker loop (same shape as `getBuyWidgetUrl`), so a single bearer token is fetched per call and reused across retries. If `getBearerToken` rejects (wallet locked, signed out), no HTTP request is made. No new dependencies, no messenger contract change — the `AuthenticationController:getBearerToken` action is already delegated by consumers as of MetaMask#8843. **Test updates:** For each of `getPaymentMethods` and `getQuotes`, three new tests mirror the coverage added for `getBuyWidgetUrl` in MetaMask#8843: - `sends an Authorization header containing the bearer token` — nock `reqheaders` enforces the header is present on the outgoing request. - `requests a bearer token exactly once per call` — verifies the token is fetched exactly once per call (i.e. outside the retry loop). - `rejects without making an HTTP call when the bearer token cannot be retrieved` — verifies the request short-circuits when `AuthenticationController:getBearerToken` rejects. ## References - Builds on MetaMask#8843 (which introduced bearer-token auth for `getBuyWidgetUrl` and the supporting `#getRequestHeaders` / messenger delegation). ## Checklist - [x] I've updated the test suite for new or updated code as appropriate - [ ] I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate - [ ] I've communicated my changes to consumers by [updating changelogs for packages I've changed](https://github.com/MetaMask/core/tree/main/docs/processes/updating-changelogs.md) - [ ] I've introduced [breaking changes](https://github.com/MetaMask/core/tree/main/docs/processes/breaking-changes.md) in this PR and have prepared draft pull requests for clients and consumer packages to resolve them <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Touches core Buy-flow API calls and auth; failure modes change when the wallet is locked or unsigned-in, but the pattern is already established for `getBuyWidgetUrl` with no new consumer wiring. > > **Overview** > **`RampsService.getPaymentMethods`** and **`getQuotes`** now require the same bearer-token auth as **`getBuyWidgetUrl`**: each call awaits **`#getRequestHeaders()`** (via **`AuthenticationController:getBearerToken`**) *before* **`#policy.execute`**, passes **`Authorization: Bearer …`** into **`#fetch`**, and **does not hit the network** if token retrieval fails (e.g. locked wallet). > > No new messenger contracts or dependencies—consumers already need **`getBearerToken`** delegated from v14.0.0. Tests for both methods mirror the buy-widget coverage (header present, token fetched once per call, short-circuit on token failure). Changelog **[Unreleased]** entry documents the change. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 9a6c86b. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: Darius Costolas <10818970+meltingice1337@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Explanation
RampsService.getBuyWidgetUrlpreviously issued unauthenticated requests to the ramps API (/providers/<provider>/buy-widget). The upstream API is being gated behind authentication, so without a bearer token the call will start to fail and break the Buy flow for every consumer (mobile, extension).This PR makes
getBuyWidgetUrlauthenticated by sourcing a bearer token fromAuthenticationControllervia the messenger and attaching it as anAuthorization: Bearer <token>header on the outgoing request.How it works:
RampsService.#getRequestHeaderscalls the messenger actionAuthenticationController:getBearerTokenand returns theAuthorizationheader. It is awaited once pergetBuyWidgetUrlinvocation (verified by a new test) before the request is dispatched through the existing#policy.executewrapper, so token retrieval happens outside the retry/circuit-breaker loop. If the token call rejects (e.g. wallet is locked, user signed out), the rejection propagates and no HTTP call is made — also covered by a new test.RampsServiceMessenger'sAllowedActionsis widened fromnevertoAuthenticationController.AuthenticationControllerGetBearerTokenAction. This is a breaking change to the messenger contract: consumers must delegate theAuthenticationController:getBearerTokenaction into the ramps messenger before callinggetBuyWidgetUrl.getBuyWidgetUrlis authenticated in this PR. Other endpoints (e.g.getGeolocation) remain unauthenticated and explicitly do not request a bearer token; this is locked in by tests that assertgetBearerTokenis not called and that noAuthorizationheader is sent for those endpoints.Dependency added:
@metamask/profile-sync-controller@^28.1.0is added as a runtime dependency solely for itsAuthenticationControllertype export (theAuthenticationControllerGetBearerTokenActionaction type). It is not instantiated byramps-controller; the implementing controller lives in the consuming app and is wired up via the messenger.Demo:
auth_demo.mp4
Test updates:
getBuyWidgetUrlnow assert theAuthorization: Bearer mock-bearer-tokenheader is present on the nock interceptor.getBearerTokenshort-circuits before any HTTP request; and the scope assertion thatgetGeolocationremains unauthenticated.getRootMessenger/getServicetest helpers now delegate theAuthenticationController:getBearerTokenaction and expose amockGetBearerTokenjest mock so individual tests can override the resolution behavior.References
Checklist
Note
Medium Risk
Medium risk due to a breaking messenger contract change requiring consumers to delegate
AuthenticationController:getBearerToken, and because it changes howgetBuyWidgetUrlperforms network requests by adding auth headers and failing early when tokens are unavailable.Overview
RampsService.getBuyWidgetUrlnow authenticates buy-widget requests by retrieving a bearer token via the messenger actionAuthenticationController:getBearerTokenand sendingAuthorization: Bearer <token>on the HTTP call.This widens
RampsServiceMessengerallowed actions (a breaking change for consumers that must delegate/register the new action), adds@metamask/profile-sync-controlleras a runtime dependency for the action type, updates TS project references, and extends tests to assert auth header behavior, token fetch call counts, and that unrelated endpoints (e.g.getGeolocation) remain unauthenticated.Reviewed by Cursor Bugbot for commit bdad742. Bugbot is set up for automated code reviews on this repo. Configure here.