feat: Migrate eth_accounts and permittedChains to CAIP-25 endowment

[jiexi]

Description

This PR replaces the replaces the internal eth_accounts and endowment:permittedChains permission structure with a CAIP-25 endowment. It adds adapter logic to translate to and from the new internal CAIP-25 permissions. This change should be transparent to wallet users and to dapps except for one two cases, see below. This change is required in order to support CAIP-25 and CAIP-27 requests in a follow-up PR that enables the Multichain API.

Related issues

Related: MetaMask/core#4784

Manual testing steps

There should be no user or dapp facing difference in behavior except:

• When calling wallet_revokePermissions and specifying either eth_accounts or endowment:permitted-chains, the entire CAIP-25 permission will be revoked. It will appear to the dapp as if both eth_accounts and endowment:permitted-chains were revoked.
• When calling wallet_getPermissions for a permitted dapp when the wallet is locked, eth_accounts should be returned in addition to endowment:permitted-chains. Currently there is a regression on main where only endowment:permitted-chains gets returned when the wallet is locked.

await window.ethereum.request({
 "method": "wallet_revokePermissions",
 "params": [
  {
    eth_accounts: {}
  }
],
});

await window.ethereum.request({
 "method": "wallet_revokePermissions",
 "params": [
  {
    'endowment:permitted-chains': {}
  }
],
});

await window.ethereum.request({
 "method": "wallet_getPermissions",
 "params": [],
});

Locked Wallet Behavior with dapp connected

Other than the two noted items below, this behavior matches that in main

• eth_accounts returns []
• wallet_getPermissions returns permissions incl eth_accounts
• wallet_revokePermissions works as usual and revokes eth_accounts and revoke permitted-chains together
• • Note this fixes a regression in main where eth_accounts and permitted-chains aren't revoked as a pair if either is revoked
• eth_requestAccounts prompts for unlock, after unlock returns accounts if any are permitted, otherwise shows connection prompt
• wallet_requestPermissions prompts for unlock
• signature methods fails with method or accounts not authorized
• non-signature methods work as usual
• accountsChanged empty array on lock. no event after revokePermissions which makes sense since the dapp was told empty array on lock and now it's actually empty array so no changes have occurred as far as the dapp should be concerned.
• CHANGED: for dapps that were granted chain permissions via the wallet_addEthereum or wallet_switchEthereumChain flows without account permissions, these permissions will be removed with this migration. We think this ok because:
  • This is a very uncommon scenario for dapps to request chain switches without account permissions.
  • These permissions can be regained very trivially with subsequent chain switch requests.

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Extension Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@metamask/[email protected] 🔁 npm/@metamask/[email protected]	None	0	270 kB	metamaskbot
npm/@metamask/[email protected]	None	0	318 kB	metamaskbot
npm/@open-rpc/[email protected] 🔁 npm/@open-rpc/[email protected]	None	0	38.4 kB	belfordz

🚮 Removed packages: npm/@json-schema-spec/[email protected], npm/@json-schema-tools/[email protected]

View full report↗︎

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report↗︎

[jiexi]

@metamask-bot update-policies

[jiexi]

@metamaskbot update-policies

[metamaskbot]

Policies updated.
👀 Please review the diff for suspicious new powers.

🧠 Learn how: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff

[jiexi]

@metamaskbot update-policies

[metamaskbot]

Policies updated.
👀 Please review the diff for suspicious new powers.

🧠 Learn how: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff

[jiexi]

@SocketSecurity ignore npm/@metamask/[email protected]

i know that mcmire guy

[jiexi]

@SocketSecurity ignore npm/@metamask/[email protected]

i still know that mcmire fellow

[jiexi]

@SocketSecurity ignore npm/@metamask/[email protected]

the fetch isn't new, but even then it's fine because it fetches caller supplied url

[jiexi]

@metamaskbot update-policies

[metamaskbot]

Policies updated.
👀 Please review the diff for suspicious new powers.

🧠 Learn how: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff

[jiexi]

@metamaskbot update-policies

[metamaskbot]

Policies updated.
👀 Please review the diff for suspicious new powers.

🧠 Learn how: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff

[sonarqubecloud]

Quality Gate passed

Issues
15 New issues
0 Accepted issues

Measures
0 Security Hotspots
83.8% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[jiexi]

@metamaskbot update-policies

[metamaskbot]

Policies updated.
👀 Please review the diff for suspicious new powers.

🧠 Learn how: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff

[metamaskbot]

Builds ready [29d2381]

• builds: chrome, firefox
• builds (flask): chrome, firefox
• builds (MMI): chrome
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
  • content-script: 0
  • offscreen: 0

Page Load Metrics (1566 ± 46 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	1369	1741	1572	104	50
		domContentLoaded	1361	1694	1544	89	43
		load	1370	1703	1566	96	46
		domInteractive	19	89	37	19	9
		backgroundConnect	5	58	23	16	8
		firstReactRender	15	100	47	31	15
		getState	5	96	22	27	13
		initialActions	0	1	0	0	0
		loadScripts	984	1248	1136	86	41
		setupStore	6	80	19	22	11
		uiStartup	1556	2330	1892	225	108

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 15.13 KiB (0.26%)
• ui: 691 Bytes (0.01%)
• common: 132.64 KiB (1.57%)

[metamaskbot]

Builds ready [2f0a4e5]

• builds: chrome, firefox
• builds (flask): chrome, firefox
• builds (MMI): chrome
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
  • content-script: 0
  • offscreen: 0

Page Load Metrics (1637 ± 74 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	324	1961	1579	323	155
		domContentLoaded	1398	1951	1606	152	73
		load	1401	1960	1637	154	74
		domInteractive	19	164	42	32	16
		backgroundConnect	5	78	32	24	11
		firstReactRender	15	100	32	25	12
		getState	4	37	10	9	4
		initialActions	0	1	0	0	0
		loadScripts	1013	1560	1210	135	65
		setupStore	6	56	18	20	10
		uiStartup	1675	2255	1869	174	83

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 16.22 KiB (0.28%)
• ui: 691 Bytes (0.01%)
• common: 132.64 KiB (1.57%)

[Gudahtt]

Why is this being stringified? Both here and in edit-networks-modal, I see the same change made in both places

[jiexi]

this change can be moved into main. It's because this component can sometimes rerender while you're using it and your checkboxes get overwritten with the default selected again

[Gudahtt]

Nit: I think this can be made separately against main as well

[Gudahtt]

Nit: The changes here and in switch-custom-network can probably be reverted (I think they were needed for the previous version of withPermissionControllerConnectedToTestDapp)

[Gudahtt]

Recording something we discussed on a call: We should verify whether the order has changed here

[Gudahtt]

These prefixes don't need to be here, they're added by the migration

[Gudahtt]

Nit: Maybe we can revert these re-order changes to minimize the diff

[Gudahtt]

Curious why this was added

[Gudahtt]

Nit: I see that the changes here are different than the prior file, despite the changes being similar in nature. The previous file uses connectAccount on the test dapp instance rather than running these connect steps one by one. Worth considering which approach we prefer, if they are indeed equivalent.