fix(oauth): add RefreshTokenHttpError and guard refreshAuthTokens in MaxKeyChainLength recovery

[himanshuchawla009]

Explanation

Companion to MetaMask/core#7989.

1. RefreshTokenHttpError in AuthTokenHandler

The core SeedlessOnboardingController now distinguishes permanent token failures (401) from transient ones to apply the right recovery strategy. It does this by checking whether the error thrown by refreshJWTToken is a RefreshTokenHttpError with statusCode === 401.

Previously AuthTokenHandler threw a plain Error('Failed to refresh JWT token') for all non-2xx responses, making this distinction impossible. This PR adds a RefreshTokenHttpError class that carries the HTTP statusCode, giving the controller the information it needs

2. try/catch around refreshAuthTokens in the MaxKeyChainLengthExceeded recovery path

refreshAuthTokens is called fire-and-forget in the MaxKeyChainLengthExceeded recovery path before rehydrateSeedPhrase. If the refresh token is already stale or revoked (which is precisely the scenario that triggers this path), the call would throw and abort rehydration entirely — leaving the user stuck.

Wrapping in try/catch logs the error and lets rehydration proceed regardless.

3. encryptorAdapter for SeedlessOnboardingController

KeyringController has a generic EncryptionResult type that accepts our mobile Encryptor's cipher property. However, SeedlessOnboardingController uses a fixed VaultEncryptor type (from ExportableKeyEncryptor) that strictly requires data instead of cipher.

Changelog

CHANGELOG entry: null

References

• Companion PR: fix: JWT token refresh race conditions in seedless-onboarding-controller. core#7989 — fixes JWT token refresh race conditions in SeedlessOnboardingController

Checklist

• I've updated the test suite for new or updated code as appropriate
• I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
• I've manually tested the PR (required)

---

Note

Medium Risk
Touches OAuth token refresh and seedless recovery flows; incorrect error typing/handling could change recovery behavior for revoked or transient refresh-token failures.

Overview
Improves seedless OAuth token-refresh error handling so callers can distinguish auth-server HTTP failures by status code.

AuthTokenHandler.refreshJWTToken now throws RefreshTokenHttpError (includes statusCode) on non-2xx responses, and the MaxKeyChainLengthExceeded recovery path in Authentication.syncPasswordAndUnlockWallet wraps SeedlessOnboardingController.refreshAuthTokens() in a try/catch to log and continue with rehydrateSeedPhrase instead of aborting recovery.

^{Written by Cursor Bugbot for commit 413b327. This will update automatically on new commits. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

[cursor]

Missing Object.setPrototypeOf in custom Error subclass

Low Severity

RefreshTokenHttpError extends Error but omits the Object.setPrototypeOf(this, RefreshTokenHttpError.prototype) call that the project's own AuthenticationError class uses (with an explicit link to the TypeScript breaking-changes wiki). Without it, instanceof RefreshTokenHttpError checks can silently return false in transpiled environments, defeating the purpose of this typed error class. The whole point of introducing RefreshTokenHttpError is to let callers distinguish it from plain Error.

 

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​metamask/​seedless-onboarding-controller@​6.1.0 ⏵ 8.1.0			+1

View full report

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

• npm/@metamask/seedless-onboarding-controller@8.1.0

View full report

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
88.9% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: SmokeAccounts, SmokeConfirmations, SmokeIdentity, SmokeNetworkAbstractions, SmokeNetworkExpansion, SmokeTrade, SmokeWalletPlatform, SmokeCard, SmokePerps, SmokeRamps, SmokeMultiChainAPI, SmokePredictions, FlaskBuildTests
• Selected Performance tags: @PerformanceAccountList, @PerformanceOnboarding, @PerformanceLogin, @PerformanceSwaps, @PerformanceLaunch, @PerformanceAssetLoading, @PerformancePredict, @PerformancePreps
• Risk Level: high
• AI Confidence: 100%

click to see 🤖 AI reasoning details

E2E Test Selection:
Hard rule (controller-version-update): @MetaMask controller package version updated in package.json: @metamask/seedless-onboarding-controller. Running all tests.

Performance Test Selection:
Hard rule (controller-version-update): @MetaMask controller package version updated in package.json: @metamask/seedless-onboarding-controller. Running all tests.

View GitHub Actions results

[grvgoel81]

Caution

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action Severity Alert  (click "▶" to expand/collapse)
Block
Network access: npm @metamask/seedless-onboarding-controller in module globalThis["fetch"]
Module: globalThis["fetch"]

Location: Package overview

From: package.json → npm/@metamask/seedless-onboarding-controller@8.1.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

_Mark the package as acceptable risk_. To ignore this alert only
in this pull request, reply with the comment
`@SocketSecurity ignore npm/@metamask/seedless-onboarding-controller@8.1.0`. You can
also ignore all packages with `@SocketSecurity ignore-all`.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the [triage state of this alert](https://socket.dev/dashboard/org/MetaMask/diff-scan/50d61b88-0749-4b4c-b8a3-6bea1311f8c3/alert/QjAme1AXxJn1Y-yruToXkjt8lnJ9ui4fvil0KiDKsLvA).

View full report

https://github.com/SocketSecurity ignore npm/@metamask/seedless-onboarding-controller@8.1.0

@metamask/seedless-onboarding-controller is used for social login onboarding and requires network access for interacting with Web3Auth servers and Toprf Operations.

[himanshuchawla009]

@SocketSecurity ignore npm/@metamask/seedless-onboarding-controller@8.1.0

@metamask/seedless-onboarding-controller is used for social login onboarding and requires network access for interacting with Web3Auth servers and Toprf Operations.