Feat/seedless refresh token

[tuna1207]

Explanation

Add refresh token handling to SeedlessOnboardingController

• store refresh token in vault
• check for token expired in toprf call, refresh token and retry

References

Changelog

Checklist

• I've updated the test suite for new or updated code as appropriate
• I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
• I've communicated my changes to consumers by updating changelogs for packages I've changed, highlighting breaking changes as necessary
• I've prepared draft pull requests for clients and consumer packages to resolve any breaking changes

[lwin-kyaw]

should it be stored inside the vault as encrypted?

[tuna1207]

@lwin-kyaw ah yes, it is stored inside the vault, this is only stored in state for convienience of usage in multiple places, it's not persisted.
It's only restored to state after unlockVaultAndGetBackupEncKey similar to other vault secret

[lwin-kyaw]

From what I saw, only nodeAuthTokens (and authPubKey?) is stored inside both vault and state. I think we should remove it from the vault, if we intent to use as plain text.

And for the refreshToken, I don't see any places that is used without needing to decrypt the vault. So, I think it should be only inside the vault.

[lwin-kyaw]

can we refactor this inner function to class method, (private maybe), for the better readibility?

[tuna1207]

@lwin-kyaw hmm i'm not sure about this, since the method is already authenticate and keeping the logic in other methods would actually make it harder to follow i think, what do you think ?

[lwin-kyaw]

I assume that this is due to the skipLock param. May I know why it is needed?

[lwin-kyaw]

Why do we need to skip lock?

[tuna1207]

@lwin-kyaw this one is for executeWithRefreshToken to authenticate again when refreshing the token since executeWithRefreshToken should already be inside a lock

[lwin-kyaw]

Is this method, executeWithRefreshToken in the controller?

Anyway, I don't think we should skip the lock, the lock state represents the wallet access and also synced with other controllers.

[lwin-kyaw]

Actually, we don't need to skip the lock. If the wallet is unlocked (user has logged in), the isLockUnlocked is already set to true.
And the refresh token can be retrieved from the vault (either with password or cachedEncryptionKey in state), and can proceed to the authenticateWithRefreshToken

[tuna1207]

@lwin-kyaw yes, by default we don't skip the lock, we skip only when it's already inside another lock

[lwin-kyaw]

May I know what's the use for the refreshToken here? Seems like it's never used.

And refreshToken can be retrieved from the encrypted vault?

[tuna1207]

@lwin-kyaw yes it's in the vault, this function decrypt the vault and return the refreshToken from the vault

[lwin-kyaw]

Then we should remove this from the method params?

[lwin-kyaw]

This can be provided from the method params, so that we don't need to store it in the state.

[tuna1207]

@lwin-kyaw we currently only receive refreshToken from authenticate method, and these methods are using refreshToken in #createNewVaultWithAuthData: createToprfKeyAndBackupSeedPhrase, fetchAllSeedPhrases, changePassword, syncLatestGlobalPassword
i'm not sure if it's a good idea to always redo #unlockVaultAndGetBackupEncKey in all of the above methods to pass refreshToken in again

[lwin-kyaw]

Should it be retrieved from the vault?

[tuna1207]

@lwin-kyaw yes, in this case the vault is decrypted and refreshToken is set in temporal state