Refactor wallet permissions (#18)

* Update playwright and add @types/node * Add support for latest metamask dapp * Partially implement Wallet Permissions System
cawabunga · Mar 25, 2024 · 9212c2b · 9212c2b
1 parent 3c222a5
commit 9212c2b
Show file tree

Hide file tree

Showing 8 changed files with 188 additions and 55 deletions.
diff --git a/README.md b/README.md
@@ -82,7 +82,7 @@ test('connect the wallet', async ({ page, injectWeb3Provider }) => {
   await page.goto('https://metamask.github.io/test-dapp/')
 
   // Request connecting the wallet
-  await page.locator('text=Connect').click()
+  await page.getByRole('button', { name: 'Connect', exact: true }).click()
 
   // You can either authorize or reject the request
   await wallet.authorize(Web3RequestKind.RequestAccounts)

diff --git a/package.json b/package.json
@@ -36,6 +36,7 @@
     "@parcel/packager-ts": "2.7.0",
     "@parcel/transformer-typescript-types": "^2.7.0",
     "@playwright/test": "^1.26.1",
+    "@types/node": "^16.0.0",
     "generic-pool": "^3.9.0",
     "parcel": "^2.7.0",
     "prettier": "^2.7.1",

diff --git a/src/Web3ProviderBackend.ts b/src/Web3ProviderBackend.ts
@@ -1,14 +1,15 @@
 import assert from 'node:assert/strict'
 import {
+  BehaviorSubject,
   filter,
+  first,
   firstValueFrom,
-  BehaviorSubject,
-  switchMap,
   from,
-  first,
+  switchMap,
   tap,
 } from 'rxjs'
 import { ethers, Wallet } from 'ethers'
+import { toUtf8String } from 'ethers/lib/utils'
 import { signTypedData, SignTypedDataVersion } from '@metamask/eth-sig-util'
 
 import { Web3RequestKind } from './utils'
@@ -22,7 +23,7 @@ import {
 } from './errors'
 import { IWeb3Provider, PendingRequest } from './types'
 import { EventEmitter } from './EventEmitter'
-import { toUtf8String } from 'ethers/lib/utils'
+import { WalletPermissionSystem } from './wallet/WalletPermissionSystem'
 
 interface ChainConnection {
   chainId: number
@@ -32,16 +33,17 @@ interface ChainConnection {
 export interface Web3ProviderConfig {
   debug?: boolean
   logger?: typeof console.log
+  permitted?: (Web3RequestKind | string)[]
 }
 
 export class Web3ProviderBackend extends EventEmitter implements IWeb3Provider {
   #pendingRequests$ = new BehaviorSubject<PendingRequest[]>([])
   #wallets: ethers.Signer[] = []
+  #wps: WalletPermissionSystem
+
   private _activeChainId: number
   private _rpc: Record<number, ethers.providers.JsonRpcProvider> = {}
   private _config: { debug: boolean; logger: typeof console.log }
-  private _authorizedRequests: { [K in Web3RequestKind | string]?: boolean } =
-    {}
 
   constructor(
     privateKeys: string[],
@@ -52,6 +54,7 @@ export class Web3ProviderBackend extends EventEmitter implements IWeb3Provider {
     this.#wallets = privateKeys.map((key) => new ethers.Wallet(key))
     this._activeChainId = chains[0].chainId
     this._config = Object.assign({ debug: false, logger: console.log }, config)
+    this.#wps = new WalletPermissionSystem(config.permitted)
   }
 
   request(args: { method: 'eth_accounts'; params: [] }): Promise<string[]>
@@ -107,23 +110,21 @@ export class Web3ProviderBackend extends EventEmitter implements IWeb3Provider {
         return this.getRpc().send(method, params)
 
       case 'eth_requestAccounts': {
-        return this.waitAuthorization(
-          { method, params },
-          async () => {
-            const accounts = await Promise.all(
-              this.#wallets.map(async (wallet) =>
-                (await wallet.getAddress()).toLowerCase()
-              )
+        return this.waitAuthorization({ method, params }, async () => {
+          this.#wps.permit(Web3RequestKind.Accounts, '')
+
+          const accounts = await Promise.all(
+            this.#wallets.map(async (wallet) =>
+              (await wallet.getAddress()).toLowerCase()
             )
-            this.emit('accountsChanged', accounts)
-            return accounts
-          },
-          true
-        )
+          )
+          this.emit('accountsChanged', accounts)
+          return accounts
+        })
       }
 
       case 'eth_accounts': {
-        if (this._authorizedRequests['eth_requestAccounts']) {
+        if (this.#wps.isPermitted(Web3RequestKind.Accounts, '')) {
           return await Promise.all(
             this.#wallets.map(async (wallet) =>
               (await wallet.getAddress()).toLowerCase()
@@ -175,6 +176,7 @@ export class Web3ProviderBackend extends EventEmitter implements IWeb3Provider {
         })
       }
 
+      // todo: use the Wallet Permissions System (WPS) to handle method
       case 'wallet_requestPermissions': {
         if (params.length === 0 || params[0].eth_accounts === undefined) {
           throw Deny()
@@ -264,21 +266,16 @@ export class Web3ProviderBackend extends EventEmitter implements IWeb3Provider {
 
   waitAuthorization<T>(
     requestInfo: PendingRequest['requestInfo'],
-    task: () => Promise<T>,
-    permanentPermission = false
+    task: () => Promise<T>
   ) {
-    if (this._authorizedRequests[requestInfo.method]) {
+    if (this.#wps.isPermitted(requestInfo.method, '')) {
       return task()
     }
 
     return new Promise((resolve, reject) => {
       const pendingRequest: PendingRequest = {
         requestInfo: requestInfo,
         authorize: async () => {
-          if (permanentPermission) {
-            this._authorizedRequests[requestInfo.method] = true
-          }
-
           resolve(await task())
         },
         reject(err) {

diff --git a/src/wallet/WalletPermissionSystem.ts b/src/wallet/WalletPermissionSystem.ts
@@ -0,0 +1,84 @@
+// EIP-2255: Wallet Permissions System (https://eips.ethereum.org/EIPS/eip-2255)
+
+import type { Web3RequestKind } from '../utils'
+
+// Caveat for `eth_accounts` could be:
+// { "type": "requiredMethods", "value": ["signTypedData_v3"] }
+interface Caveat {
+  type: string
+  value: any // JSON object, meaning depends on the caveat type
+}
+
+interface Permission {
+  invoker: string // DApp origin
+  parentCapability: string // RPC method name
+  caveats: Caveat[]
+}
+
+type ShorthandPermission = Web3RequestKind | string
+
+export class WalletPermissionSystem {
+  #permissions: Map<string, Permission[]> = new Map()
+  #wildcardOrigin: string = '*'
+
+  constructor(perms: ShorthandPermission[] = []) {
+    this.#permissions.set(
+      this.#wildcardOrigin,
+      perms.map((perm) => ({
+        invoker: this.#wildcardOrigin,
+        parentCapability: perm,
+        caveats: [],
+      }))
+    )
+  }
+
+  /**
+   * @param rpcMethod
+   * @param origin not used in the current implementation, empty string can be passed
+   */
+  permit(rpcMethod: Web3RequestKind | string, origin: string) {
+    const permissions = this.#permissions.get(origin) || []
+
+    const updatedPermissions = permissions.filter(
+      (permission) => permission.parentCapability !== rpcMethod
+    )
+    updatedPermissions.push({
+      invoker: origin,
+      parentCapability: rpcMethod,
+      caveats: [], // Caveats are not implemented
+    })
+
+    this.#permissions.set(origin, updatedPermissions)
+  }
+
+  /**
+   * @param rpcMethod
+   * @param origin not used in the current implementation, empty string can be passed
+   */
+  revoke(rpcMethod: Web3RequestKind | string, origin: string) {
+    const permissions = this.#permissions.get(origin) || []
+    const updatedPermissions = permissions.filter(
+      (permission) => permission.parentCapability !== rpcMethod
+    )
+    this.#permissions.set(origin, updatedPermissions)
+  }
+
+  /**
+   * @param rpcMethod
+   * @param origin not used in the current implementation, empty string can be passed
+   */
+  isPermitted(rpcMethod: Web3RequestKind | string, origin: string): boolean {
+    const permissions = this.#permissions.get(origin) || []
+    const wildcardPermissions =
+      this.#permissions.get(this.#wildcardOrigin) || []
+
+    return (
+      permissions.some(
+        (permission) => permission.parentCapability === rpcMethod
+      ) ||
+      wildcardPermissions.some(
+        (permission) => permission.parentCapability === rpcMethod
+      )
+    )
+  }
+}
diff --git a/tests/e2e/metamask-permission.spec.ts b/tests/e2e/metamask-permission.spec.ts
@@ -0,0 +1,31 @@
+import { expect, test, describe } from '../fixtures'
+import { Web3ProviderBackend, Web3RequestKind } from '../../src'
+
+let wallet: Web3ProviderBackend
+
+describe('Auto connected', () => {
+  test.beforeEach(async ({ page, injectWeb3Provider }) => {
+    // Inject window.ethereum instance
+    wallet = await injectWeb3Provider(undefined, [Web3RequestKind.Accounts])
+
+    // In order to make https://metamask.github.io/test-dapp/ work flag should be set
+    await page.addInitScript(() => (window.ethereum.isMetaMask = true))
+
+    await page.goto('https://metamask.github.io/test-dapp/')
+  })
+
+  test('my address', async ({ page, accounts }) => {
+    // Already connected, no need to connect again
+    await page
+      .getByRole('button', { name: 'Connected', exact: true })
+      .isDisabled()
+
+    // Verify if the wallet is really connected
+    await expect(page.locator('text=' + accounts[0])).toBeVisible()
+
+    // Accounts should be available
+    await expect(page.locator('#getAccountsResult')).toBeEmpty()
+    await page.getByRole('button', { name: 'ETH_ACCOUNTS' }).click()
+    await expect(page.locator('#getAccountsResult')).toContainText(accounts[0])
+  })
+})
diff --git a/tests/e2e/metamask.spec.ts b/tests/e2e/metamask.spec.ts
@@ -23,7 +23,7 @@ test('connect the wallet', async ({ page, accounts }) => {
   expect(ethAccounts).toEqual([])
 
   // Request connecting the wallet
-  await page.locator('text=Connect').click()
+  await page.getByRole('button', { name: 'Connect', exact: true }).click()
 
   expect(
     wallet.getPendingRequestCount(Web3RequestKind.RequestAccounts)
@@ -83,7 +83,7 @@ test('switch a new network', async ({ page }) => {
 })
 
 test('request permissions', async ({ page, accounts }) => {
-  await page.locator('text=Connect').click()
+  await page.getByRole('button', { name: 'Connect', exact: true }).click()
   await wallet.authorize(Web3RequestKind.RequestAccounts)
 
   // Request permissions
@@ -107,15 +107,15 @@ test('request permissions', async ({ page, accounts }) => {
 })
 
 test('deploy a token', async ({ page }) => {
-  await page.locator('text=Connect').click()
+  await page.getByRole('button', { name: 'Connect', exact: true }).click()
   await wallet.authorize(Web3RequestKind.RequestAccounts)
 
-  await expect(page.locator('#tokenAddress')).toBeEmpty()
+  await expect(page.locator('#tokenAddresses')).toBeEmpty()
   await page.locator('text=Create Token').click()
-  await expect(page.locator('#tokenAddress')).toBeEmpty()
+  await expect(page.locator('#tokenAddresses')).toBeEmpty()
 
   await wallet.authorize(Web3RequestKind.SendTransaction)
-  await expect(page.locator('#tokenAddress')).toContainText(/0x.+/)
+  await expect(page.locator('#tokenAddresses')).toContainText(/0x.+/)
 })
 
 const getTransactionCount = async (
@@ -134,7 +134,7 @@ const getTransactionCount = async (
 }
 
 test('send legacy transaction', async ({ page, accounts }) => {
-  await page.locator('text=Connect').click()
+  await page.getByRole('button', { name: 'Connect', exact: true }).click()
   await wallet.authorize(Web3RequestKind.RequestAccounts)
 
   await page.locator('text=Send Legacy Transaction').click()
@@ -146,7 +146,7 @@ test('send legacy transaction', async ({ page, accounts }) => {
 })
 
 test('send EIP-1559 transaction', async ({ page, accounts }) => {
-  await page.locator('text=Connect').click()
+  await page.getByRole('button', { name: 'Connect', exact: true }).click()
   await wallet.authorize(Web3RequestKind.RequestAccounts)
 
   await page.locator('text=Send EIP 1559 Transaction').click()
@@ -162,7 +162,7 @@ test('send EIP-1559 transaction', async ({ page, accounts }) => {
  */
 test('sign a message', async ({ page, signers }) => {
   // Establish a connection with the wallet
-  await page.locator('text=Connect').click()
+  await page.getByRole('button', { name: 'Connect', exact: true }).click()
   // Authorize the request for account access
   await wallet.authorize(Web3RequestKind.RequestAccounts)
 
@@ -223,7 +223,7 @@ for (const {
 } of data) {
   test(`sign a typed message (${version})`, async ({ page, signers }) => {
     // Establish a connection with the wallet
-    await page.locator('text=Connect').click()
+    await page.getByRole('button', { name: 'Connect', exact: true }).click()
     // Authorize the request for account access
     await wallet.authorize(Web3RequestKind.RequestAccounts)
 

diff --git a/tests/fixtures.ts b/tests/fixtures.ts
@@ -1,10 +1,15 @@
 import { ethers } from 'ethers'
 import { test as base } from '@playwright/test'
-import { injectHeadlessWeb3Provider, Web3ProviderBackend } from '../src'
+import {
+  injectHeadlessWeb3Provider,
+  Web3ProviderBackend,
+  Web3RequestKind,
+} from '../src'
 import { getAnvilInstance } from './services/anvil/anvilPoolClient'
 
 type InjectWeb3Provider = (
-  privateKeys?: string[]
+  privateKeys?: string[],
+  permitted?: (Web3RequestKind | string)[]
 ) => Promise<Web3ProviderBackend>
 
 export const test = base.extend<{
@@ -29,10 +34,12 @@ export const test = base.extend<{
   },
 
   injectWeb3Provider: async ({ page, signers, anvilRpcUrl }, use) => {
-    await use((privateKeys = signers) =>
-      injectHeadlessWeb3Provider(page, privateKeys, 31337, anvilRpcUrl)
+    await use((privateKeys = signers, permitted = []) =>
+      injectHeadlessWeb3Provider(page, privateKeys, 31337, anvilRpcUrl, {
+        permitted,
+      })
     )
   },
 })
 
-export const { expect } = test
+export const { expect, describe } = test