feat: add bearer token authorization to RampsService payments & quotes #8888

Merged: meltingice1337 merged 5 commits into main from feat/TRAM-3502-payments-quotes on Jun 3, 2026

Conversation

meltingice1337 (Contributor) commented May 22, 2026

Explanation

The ramps API is gating more endpoints behind bearer-token authentication. PR #8843 introduced the auth plumbing on RampsService (#getRequestHeaders, messenger delegation of AuthenticationController:getBearerToken, runtime dependency on @metamask/profile-sync-controller) and applied it to getBuyWidgetUrl. Two more endpoints — getPaymentMethods and getQuotes — now also require auth upstream, so without a bearer token these calls will start failing and break the Buy flow.

This PR extends the existing auth pattern to those two endpoints:

  • getPaymentMethods awaits #getRequestHeaders() once before dispatching the request through #policy.execute, and passes the resulting Authorization: Bearer <token> header to #fetch.
  • getQuotes does the same.
  • Token retrieval happens outside the retry/circuit-breaker loop (same shape as getBuyWidgetUrl), so a single bearer token is fetched per call and reused across retries. If getBearerToken rejects (wallet locked, signed out), no HTTP request is made.

No new dependencies, no messenger contract change — the AuthenticationController:getBearerToken action is already delegated by consumers as of #8843.

Test updates:

For each of getPaymentMethods and getQuotes, three new tests mirror the coverage added for getBuyWidgetUrl in #8843:

  • sends an Authorization header containing the bearer token — nock reqheaders enforces the header is present on the outgoing request.
  • requests a bearer token exactly once per call — verifies the token is fetched exactly once per call (i.e. outside the retry loop).
  • rejects without making an HTTP call when the bearer token cannot be retrieved — verifies the request short-circuits when AuthenticationController:getBearerToken rejects.

References

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've communicated my changes to consumers by updating changelogs for packages I've changed
  • I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

Note

Medium Risk
Touches core Buy-flow API calls and auth; failure modes change when the wallet is locked or unsigned-in, but the pattern is already established for getBuyWidgetUrl with no new consumer wiring.

Overview
RampsService.getPaymentMethods and getQuotes now require the same bearer-token auth as getBuyWidgetUrl: each call awaits #getRequestHeaders() (via AuthenticationController:getBearerToken) before #policy.execute, passes Authorization: Bearer … into #fetch, and does not hit the network if token retrieval fails (e.g. locked wallet).

No new messenger contracts or dependencies—consumers already need getBearerToken delegated from v14.0.0. Tests for both methods mirror the buy-widget coverage (header present, token fetched once per call, short-circuit on token failure). Changelog [Unreleased] entry documents the change.

Reviewed by Cursor Bugbot for commit 9a6c86b.

@meltingice1337 meltingice1337 requested a review from a team as a code owner May 22, 2026 08:05
@meltingice1337 meltingice1337 requested a review from a team as a code owner May 22, 2026 08:08
amitabh94 previously approved these changes Jun 2, 2026
meltingice1337 (Contributor, Author) commented:

@metamaskbot publish-preview

github-actions Bot commented Jun 3, 2026

Preview builds have been published. Learn how to use preview builds in other projects.

…ts-quotes

# Conflicts:
#	packages/ramps-controller/CHANGELOG.md
@meltingice1337 meltingice1337 added this pull request to the merge queue Jun 3, 2026
Merged via the queue into main with commit bd75956 Jun 3, 2026
370 checks passed
@meltingice1337 meltingice1337 deleted the feat/TRAM-3502-payments-quotes branch June 3, 2026 14:46
github-merge-queue Bot pushed a commit that referenced this pull request Jun 11, 2026
#9060)

## Explanation

`RampsService.getPaymentMethods` was recently changed (in #8888, still
unreleased) to send an `Authorization: Bearer <token>` header, sourcing
the token from `AuthenticationController:getBearerToken`. In practice,
the payment-methods call was changed to be made before the user signed into
MetaMask.

Requiring a bearer token there is problematic because
`AuthenticationController.getBearerToken` is not a passive read:

- If the wallet is **locked**, it throws (`getBearerToken - unable to
proceed, wallet is locked`).
- If the wallet is **unlocked but not signed in**, it falls through to
`getAccessToken`, which performs a full SRP **sign-in** (network
round-trip + SIWE/SRP signing) as a side effect.

So fetching a payment-methods catalog could either fail outright or
silently sign the user in — neither of which should happen just to
render a list of payment options.

This PR scopes bearer-token auth back to the endpoints that genuinely
need it. `getPaymentMethods` is now fetched as an unauthenticated
request (matching the existing pattern used by `getGeolocation`,
`getProviders`, etc.), while `getQuotes` and `getBuyWidgetUrl` keep
their `Authorization` headers since they create user-bound
orders/widgets.

Changes:

- **`RampsService.getPaymentMethods`** — removed the
`#getRequestHeaders()` call and now passes no headers to `fetch`. The
private `#getRequestHeaders` helper is unchanged and still used by
`getQuotes` and `getBuyWidgetUrl`.
- **Tests** — replaced the three payment-methods auth tests with
negative assertions (`does not request a bearer token`, `does not send
an Authorization header`) mirroring the existing `getGeolocation`
auth-scope tests. The "rejects when the bearer token cannot be
retrieved" test was removed as no longer applicable.
- **Changelog** — kept the original #8888 entry intact and added a
separate `Changed` entry documenting that `getPaymentMethods` no longer
sends an `Authorization` header.

## References

- Related to #8888 (added the bearer-token auth being scoped down here)

## Checklist

- [x] I've updated the test suite for new or updated code as appropriate
- [x] I've updated documentation (JSDoc, Markdown, etc.) for new or
updated code as appropriate
- [x] I've communicated my changes to consumers by [updating changelogs
for packages I've
changed](https://github.com/MetaMask/core/tree/main/docs/processes/updating-changelogs.md)
- [ ] I've introduced [breaking
changes](https://github.com/MetaMask/core/tree/main/docs/processes/breaking-changes.md)
in this PR and have prepared draft pull requests for clients and
consumer packages to resolve them


<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Changes when ramps auth runs and could fail if the API still required
a token for payment methods; intended to stop locked-wallet failures and
accidental sign-in from catalog loads.
> 
> **Overview**
> Reverts bearer-token auth on **`RampsService.getPaymentMethods`** so
the regions/payments catalog can load **before** sign-in. The method no
longer calls `#getRequestHeaders()` or sends an `Authorization` header
on `fetch`, aligning it with other public catalog calls (e.g.
geolocation/providers). **`getQuotes`** and **`getBuyWidgetUrl`** still
use authenticated headers.
> 
> Tests now assert payment-methods requests **do not** call
`getBearerToken` and **do not** send `Authorization`, and drop the case
where a missing token blocked the HTTP call. The ramps-controller
changelog records this under **Changed**.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
082a6c3. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Darius Costolas <10818970+meltingice1337@users.noreply.github.com>
@meltingice1337 meltingice1337 mentioned this pull request Jun 12, 2026
pull Bot pushed a commit to dmrazzy/core that referenced this pull request Jun 12, 2026
## Explanation

This is the release PR for `1038.0.0`, generated by
`create-release-branch`. It bumps the monorepo version from `1037.0.0`
to `1038.0.0` and releases a single package:
`@metamask/ramps-controller` `14.1.1` → `14.2.0`. The release moves the
entries that had accumulated under `[Unreleased]` into a new `[14.2.0]`
section in the package's changelog.

`@metamask/ramps-controller@14.2.0` includes the following:

- **Changed** — `RampsService.getQuotes` now sends an `Authorization:
Bearer <token>` header, sourcing the token from
`AuthenticationController:getBearerToken` (already a required messenger
action since `14.0.0`); the call throws if no token is available (e.g.
the wallet is locked or the user is signed out)
([MetaMask#8888](MetaMask#8888)). This is the
notable change driving the version bump: `getQuotes` previously made an
unauthenticated request and now requires a bearer token, so consumers
should review their sign-in state before upgrading.
- **Changed** — Bump `@metamask/controller-utils` from `^12.1.0` to
`^12.2.0` ([MetaMask#9058](MetaMask#9058),
[MetaMask#9083](MetaMask#9083)).

Note on `getPaymentMethods`: within this unreleased window, auth was
added to `getPaymentMethods` (MetaMask#8888) and then removed again (MetaMask#9060) so
that payment methods can be fetched before sign-in. Because that change
was reverted before shipping, it nets to no consumer-facing change and
is intentionally omitted from the changelog per the project's "omit
reverted changes" guideline.

This is a minor release (`14.2.0`). It contains no breaking changes; the
version is bumped to minor — rather than patch — to surface the
`getQuotes` authentication behavior change, which alters how an existing
method makes its request even though the public interface is unchanged.
As part of cutting the release, the in-monorepo consumer
`@metamask/transaction-pay-controller` has its dependency on
`@metamask/ramps-controller` bumped to `^14.2.0`; this is a mechanical
version bump required by the release tooling and does not change
`transaction-pay-controller`'s behavior.

## References

<!--
Are there any issues that this pull request is tied to?
Are there other links that reviewers should consult to understand these
changes better?
Are there client or consumer pull requests to adopt any breaking
changes?

For example:

* Fixes #12345
* Related to #67890
-->

Release PR generated by `create-release-branch`; see
`docs/processes/releasing.md`. `@metamask/ramps-controller` was bumped
to a minor (`14.2.0`) rather than a patch in response to review feedback
that the `getQuotes` authentication change is a notable behavior change
to an existing method.

## Checklist

- [ ] I've updated the test suite for new or updated code as appropriate
- [ ] I've updated documentation (JSDoc, Markdown, etc.) for new or
updated code as appropriate
- [x] I've communicated my changes to consumers by [updating changelogs
for packages I've
changed](https://github.com/MetaMask/core/tree/main/docs/processes/updating-changelogs.md)
- [ ] I've introduced [breaking
changes](https://github.com/MetaMask/core/tree/main/docs/processes/breaking-changes.md)
in this PR and have prepared draft pull requests for clients and
consumer packages to resolve them

---------

Co-authored-by: Darius Costolas <10818970+meltingice1337@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>