fix: onboarding completion page guard

[lwin-kyaw]

Description

Users can bypass the entire onboarding flow by navigating directly to the completion route (#/onboarding/completion), rendering the CreationSuccessful component without having created a wallet. Clicking "Open wallet" then calls completeOnboarding(), marking onboarding as complete even though the KeyringController vault was never created. This leads to an inconsistent state where the extension appears onboarded but has no wallet, causing errors when trying to unlock.

This PR adds a guard to the CreationSuccessful component that checks whether the wallet has been initialized (isInitialized). If the wallet is not initialized and the user is not arriving from a settings reminder, they are redirected back to the onboarding welcome page. This prevents users from skipping mandatory onboarding steps by directly manipulating route URLs.

Changelog

CHANGELOG entry: Fixed a security issue where users could skip onboarding by navigating directly to the completion route

Related issues

Fixes: #37079

Manual testing steps

1. Load the extension in Chrome and begin a fresh onboarding (clear extension data if needed)
2. Instead of going through the onboarding flow, navigate directly to chrome-extension://<extension-id>/home.html#/onboarding/completion
3. Verify that you are redirected back to the onboarding welcome page instead of seeing the "Your wallet is ready!" screen
4. Complete the normal onboarding flow (create password, back up SRP, etc.)
5. Verify the completion screen renders correctly after proper onboarding
6. After onboarding, go to Settings → Security & Privacy → Reveal Secret Recovery Phrase → back up SRP again
7. Verify the completion screen renders correctly when arriving from the settings reminder flow (?isFromReminder=true)

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Extension Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[metamaskbotv2]

✨ Files requiring CODEOWNER review ✨

🔐 @MetaMask/web3auth (2 files, +33 -0)

• 📁 ui/
  • 📁 pages/
    • 📁 onboarding-flow/
      • 📁 creation-successful/
        • 📄 creation-successful.test.tsx +18 -0
        • 📄 creation-successful.tsx +15 -0

[metamaskbotv2]

Builds ready [115ac3c]

• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• bundle size: Bundle Size Stats
• user-actions-benchmark: User Actions Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
  • content-script: 0
  • offscreen: 0

UI Startup Metrics (1392 ± 96 ms)

Platform	BuildType	Page	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P 75 (ms)	P 95 (ms)
Chrome	Browserify	Standard Home	uiStartup	1392	1174	1647	96	1451	1557
			load	1198	995	1446	89	1247	1343
			domContentLoaded	1191	990	1439	89	1242	1329
			domInteractive	27	16	92	19	24	84
			firstPaint	171	66	1183	161	207	330
			backgroundConnect	247	225	344	16	251	274
			firstReactRender	15	9	25	3	17	22
			initialActions	1	0	6	1	1	3
			loadScripts	960	757	1211	89	1011	1103
			setupStore	14	7	150	14	15	21
			numNetworkReqs	23	15	89	20	15	81
	Browserify	Power User Home	uiStartup	1934	1429	10481	967	1820	2666
			load	1179	1045	1829	171	1176	1640
			domContentLoaded	1163	1033	1774	165	1155	1610
			domInteractive	36	19	172	30	33	123
			firstPaint	174	76	487	86	227	303
			backgroundConnect	444	287	7685	776	336	634
			firstReactRender	23	15	49	6	26	33
			initialActions	1	0	3	1	1	2
			loadScripts	922	799	1497	156	906	1352
			setupStore	16	7	44	7	19	30
			numNetworkReqs	72	43	176	31	75	162
	Webpack	Standard Home	uiStartup	801	652	1062	96	861	975
			load	692	585	916	91	759	856
			domContentLoaded	687	582	910	90	753	849
			domInteractive	24	15	80	16	21	71
			firstPaint	117	57	335	58	153	210
			backgroundConnect	24	16	55	7	28	38
			firstReactRender	14	9	27	4	18	20
			initialActions	1	0	2	1	1	2
			loadScripts	684	580	908	89	749	846
			setupStore	11	6	38	5	11	21
			numNetworkReqs	23	15	103	22	15	86
	Webpack	Power User Home	uiStartup	1232	894	2166	194	1305	1589
			load	707	616	1292	124	694	997
			domContentLoaded	698	610	1281	124	681	992
			domInteractive	39	18	282	37	37	124
			firstPaint	135	61	557	79	143	305
			backgroundConnect	160	130	320	40	162	256
			firstReactRender	22	17	31	3	24	27
			initialActions	1	0	1	0	1	1
			loadScripts	695	608	1271	122	679	982
			setupStore	12	4	37	5	14	18
			numNetworkReqs	117	44	293	51	147	214
Firefox	Browserify	Standard Home	uiStartup	1528	1322	2135	170	1564	1921
			load	1318	1128	1928	137	1376	1589
			domContentLoaded	1317	1124	1922	137	1370	1589
			domInteractive	66	33	210	36	87	136
			firstPaint	-	-	-	-	-	-
			backgroundConnect	54	31	126	15	55	86
			firstReactRender	12	9	17	1	12	13
			initialActions	1	0	2	0	1	2
			loadScripts	1292	1106	1899	135	1347	1556
			setupStore	14	6	123	15	13	40
			numNetworkReqs	24	12	97	22	17	85
	Browserify	Power User Home	uiStartup	2692	2004	4091	362	2890	3294
			load	1535	1331	2427	222	1583	2031
			domContentLoaded	1534	1331	2427	222	1583	2030
			domInteractive	126	35	651	106	119	392
			firstPaint	-	-	-	-	-	-
			backgroundConnect	264	110	1013	190	298	786
			firstReactRender	18	15	63	5	18	23
			initialActions	2	0	47	5	2	2
			loadScripts	1490	1311	2398	206	1532	1901
			setupStore	164	8	695	202	248	656
			numNetworkReqs	73	36	160	32	92	129
	Webpack	Standard Home	uiStartup	1587	1307	2374	172	1621	2024
			load	1367	1189	1724	110	1420	1575
			domContentLoaded	1366	1188	1724	110	1419	1575
			domInteractive	88	29	230	45	128	156
			firstPaint	-	-	-	-	-	-
			backgroundConnect	60	27	372	52	62	133
			firstReactRender	15	10	50	6	14	20
			initialActions	1	0	3	1	1	2
			loadScripts	1336	1175	1670	99	1395	1499
			setupStore	14	6	176	20	12	46
			numNetworkReqs	23	13	87	20	17	79
	Webpack	Power User Home	uiStartup	2658	1966	3776	413	2795	3685
			load	1543	1208	2456	300	1656	2294
			domContentLoaded	1542	1208	2450	300	1655	2293
			domInteractive	140	32	733	156	118	540
			firstPaint	-	-	-	-	-	-
			backgroundConnect	307	117	1205	262	281	923
			firstReactRender	20	15	55	5	23	28
			initialActions	2	1	6	1	2	3
			loadScripts	1506	1187	2434	285	1625	2120
			setupStore	187	7	784	231	263	726
			numNetworkReqs	69	36	165	34	94	132

📊 Page Load Benchmark Results

Current Commit: 115ac3c | Date: 2/12/2026

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

• pageLoadTime-> current mean value: 1.03s (±40ms) 🟡 | historical mean value: 1.04s ⬇️ (historical data)
• domContentLoaded-> current mean value: 718ms (±35ms) 🟢 | historical mean value: 728ms ⬇️ (historical data)
• firstContentfulPaint-> current mean value: 76ms (±13ms) 🟢 | historical mean value: 79ms ⬇️ (historical data)

📈 Detailed Results

Metric	Mean	Std Dev	Min	Max	P95	P99
pageLoadTime	1.03s	40ms	1.01s	1.31s	1.07s	1.31s
domContentLoaded	718ms	35ms	699ms	979ms	741ms	979ms
firstPaint	76ms	13ms	56ms	184ms	84ms	184ms
firstContentfulPaint	76ms	13ms	56ms	184ms	84ms	184ms
largestContentfulPaint	0ms	0ms	0ms	0ms	0ms	0ms

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 2.75 KiB (0.06%)
• ui: 31 Bytes (0%)
• common: 5.58 KiB (0.05%)

[tuna1207]

I think we should also add guard to completeOnboarding() in case other pages can trigger this method

metamask-extension/app/scripts/controllers/onboarding.ts

Line 170 in e6d841e

completeOnboarding(): boolean {