feat: Migrate eth_accounts and permittedChains to CAIP-25 endowment

[jiexi]

Description

This PR replaces the replaces the internal eth_accounts and endowment:permittedChains permission structure with a CAIP-25 endowment. It adds adapter logic to translate to and from the new internal CAIP-25 permissions. This change should be transparent to wallet users and to dapps except for one two cases, see below. This change is required in order to support CAIP-25 and CAIP-27 requests in a follow-up PR that enables the Multichain API.

Related issues

Related: MetaMask/core#4784

Manual testing steps

There should be no user or dapp facing difference in behavior except:

• When calling wallet_revokePermissions and specifying either eth_accounts or endowment:permitted-chains, the entire CAIP-25 permission will be revoked. It will appear to the dapp as if both eth_accounts and endowment:permitted-chains were revoked.
• When calling wallet_getPermissions for a permitted dapp when the wallet is locked, eth_accounts should be returned in addition to endowment:permitted-chains. Currently there is a regression on main where only endowment:permitted-chains gets returned when the wallet is locked.

await window.ethereum.request({
 "method": "wallet_revokePermissions",
 "params": [
  {
    eth_accounts: {}
  }
],
});

await window.ethereum.request({
 "method": "wallet_revokePermissions",
 "params": [
  {
    'endowment:permitted-chains': {}
  }
],
});

await window.ethereum.request({
 "method": "wallet_getPermissions",
 "params": [],
});

Locked Wallet Behavior with dapp connected

Other than the two noted items below, this behavior matches that in main

• eth_accounts returns []
• wallet_getPermissions returns permissions incl eth_accounts
• wallet_revokePermissions works as usual and revokes eth_accounts and revoke permitted-chains together
• • Note this fixes a regression in main where eth_accounts and permitted-chains aren't revoked as a pair if either is revoked
• eth_requestAccounts prompts for unlock, after unlock returns accounts if any are permitted, otherwise shows connection prompt
• wallet_requestPermissions prompts for unlock
• signature methods fails with method or accounts not authorized
• non-signature methods work as usual
• accountsChanged empty array on lock. no event after revokePermissions which makes sense since the dapp was told empty array on lock and now it's actually empty array so no changes have occurred as far as the dapp should be concerned.
• CHANGED: for dapps that were granted chain permissions via the wallet_addEthereum or wallet_switchEthereumChain flows without account permissions, these permissions will be removed with this migration. We think this ok because:
  • This is a very uncommon scenario for dapps to request chain switches without account permissions.
  • These permissions can be regained very trivially with subsequent chain switch requests.

Testing the migration

• Create a dev build from main
• Install the dev build from the dist/chrome directory and proceed through onboarding
• Run this command in the background console:

  chrome.storage.local.get(
    null,
    (state) => {
      state.data.PermissionController = {}; // Replace this line based on instructions below
      chrome.storage.local.set(state, () => chrome.runtime.reload());
    }
  );
  

• Disable the extension
• Switch to main and create a dev build
• Enable and reload the extension
  • You should see in the console that migration 139 has failed

Repeat the above steps but with the line above replaced with the following for example:

• state.data.NetworkController = {};
• state.data.NetworkController = 'foobar';
• state.data.NetworkController.selectedNetworkClientId = null;
• state.data.NetworkController.networkConfigurationsByChainId = 'foobar';

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Extension Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@metamask/api-specs@0.10.12 🔁 npm/@metamask/api-specs@0.9.3	None	0	270 kB	metamaskbot
npm/@metamask/multichain@2.0.0	None	0	318 kB	metamaskbot
npm/@open-rpc/meta-schema@1.14.9 🔁 npm/@open-rpc/meta-schema@1.14.6	None	0	38.4 kB	belfordz

🚮 Removed packages: npm/@json-schema-spec/json-pointer@0.1.2, npm/@json-schema-tools/reference-resolver@1.2.4

View full report↗︎

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report↗︎

[jiexi]

@metamask-bot update-policies

[jiexi]

@metamaskbot update-policies

[metamaskbot]

Policies updated.
👀 Please review the diff for suspicious new powers.

🧠 Learn how: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff

[jiexi]

@metamaskbot update-policies

[metamaskbot]

Policies updated.
👀 Please review the diff for suspicious new powers.

🧠 Learn how: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff

[jiexi]

@SocketSecurity ignore npm/@metamask/eth-json-rpc-infura@9.1.0

i know that mcmire guy

[jiexi]

@SocketSecurity ignore npm/@metamask/eth-block-tracker@10.1.0

i still know that mcmire fellow

[jiexi]

@SocketSecurity ignore npm/@metamask/eth-json-rpc-middleware@13.0.0

the fetch isn't new, but even then it's fine because it fetches caller supplied url

[jiexi]

@metamaskbot update-policies

[metamaskbot]

Policies updated.
👀 Please review the diff for suspicious new powers.

🧠 Learn how: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff

[jiexi]

@metamaskbot update-policies

[metamaskbot]

Policies updated.
👀 Please review the diff for suspicious new powers.

🧠 Learn how: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff

[sonarqubecloud]

Quality Gate passed

Issues
15 New issues
0 Accepted issues

Measures
0 Security Hotspots
83.8% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[jiexi]

@metamaskbot update-policies

[metamaskbot]

Policies updated.
👀 Please review the diff for suspicious new powers.

🧠 Learn how: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff

[Gudahtt]

I have attempted to extract this here: #29783

[Gudahtt]

It would be helpful to have manual testing instructions in the PR description for the migration, e.g. how to test that everything works correctly when updating.

I've provided similar instructions in the past on how to do "update testing", e.g. in this PR: #26485
That might be a good starting point.

[Gudahtt]

LGTM!

[metamaskbot]

Builds ready [18440d6]

• builds: chrome, firefox
• builds (flask): chrome, firefox
• builds (MMI): chrome
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
  • content-script: 0
  • offscreen: 0

Page Load Metrics (1692 ± 55 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	1485	1959	1698	115	55
		domContentLoaded	1478	1901	1668	106	51
		load	1487	1959	1692	115	55
		domInteractive	26	75	46	15	7
		backgroundConnect	6	74	25	21	10
		firstReactRender	15	101	42	27	13
		getState	5	66	18	20	10
		initialActions	0	1	0	0	0
		loadScripts	1053	1425	1216	95	46
		setupStore	6	90	16	23	11
		uiStartup	1731	2750	1965	209	100

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 16.07 KiB (0.27%)
• ui: 659 Bytes (0.01%)
• common: 132.64 KiB (1.53%)

[metamaskbot]

Builds ready [15fa319]

• builds: chrome, firefox
• builds (flask): chrome, firefox
• builds (MMI): chrome
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
  • content-script: 0
  • offscreen: 0

Page Load Metrics (1581 ± 45 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	1408	1755	1585	94	45
		domContentLoaded	1400	1737	1560	89	43
		load	1408	1758	1581	93	45
		domInteractive	24	72	34	15	7
		backgroundConnect	5	75	20	18	9
		firstReactRender	15	104	32	28	13
		getState	4	59	17	18	9
		initialActions	0	1	0	0	0
		loadScripts	1026	1330	1156	79	38
		setupStore	5	88	18	23	11
		uiStartup	1609	2322	1923	230	111

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 16.21 KiB (0.27%)
• ui: 659 Bytes (0.01%)
• common: 132.64 KiB (1.53%)