Update RpcHandler to restrict supported chainIds (#200)

* Update RpcHandler to restrict supported chainIds

* Remove production configuration from example .env files

* Add reference to production configuration to snap example configuration files. Remove mainnet from supported chains in test dapp.

Author: jeffsmale90

.github/workflows/build-lint-test.yml

@@ -12,6 +12,7 @@ env:
   GATOR_PERMISSIONS_PROVIDER_SNAP_ID: ${{ vars.GATOR_PERMISSIONS_PROVIDER_SNAP_ID }}
   MESSAGE_SIGNING_SNAP_ID: ${{ vars.MESSAGE_SIGNING_SNAP_ID }}
   KERNEL_SNAP_ID: ${{ vars.KERNEL_SNAP_ID }}
+  SUPPORTED_CHAIN_IDS: ${{ vars.SUPPORTED_CHAIN_IDS }}
 
 jobs:
   prepare:

.github/workflows/publish-release.yml

@@ -7,22 +7,23 @@ on:
         required: true
       SLACK_WEBHOOK_URL:
         required: true
+env:
+  SNAP_ENV: ${{ vars.SNAP_ENV }}
+  PRICE_API_BASE_URL: ${{ vars.PRICE_API_BASE_URL }}
+  STORE_PERMISSIONS_ENABLED: ${{ vars.STORE_PERMISSIONS_ENABLED }}
+  ACCOUNT_API_BASE_URL: ${{ vars.ACCOUNT_API_BASE_URL }}
+  TOKENS_API_BASE_URL: ${{ vars.TOKENS_API_BASE_URL }}
+  GATOR_PERMISSIONS_PROVIDER_SNAP_ID: ${{ vars.GATOR_PERMISSIONS_PROVIDER_SNAP_ID }}
+  MESSAGE_SIGNING_SNAP_ID: ${{ vars.MESSAGE_SIGNING_SNAP_ID }}
+  KERNEL_SNAP_ID: ${{ vars.KERNEL_SNAP_ID }}
+  SUPPORTED_CHAIN_IDS: ${{ vars.SUPPORTED_CHAIN_IDS }}
 
 jobs:
   publish-release:
     name: Publish GitHub Release
     runs-on: ubuntu-latest
     permissions:
       contents: write
-    env:
-      SNAP_ENV: ${{ vars.SNAP_ENV }}
-      PRICE_API_BASE_URL: ${{ vars.PRICE_API_BASE_URL }}
-      STORE_PERMISSIONS_ENABLED: ${{ vars.STORE_PERMISSIONS_ENABLED }}
-      GATOR_PERMISSIONS_PROVIDER_SNAP_ID: ${{ vars.GATOR_PERMISSIONS_PROVIDER_SNAP_ID }}
-      MESSAGE_SIGNING_SNAP_ID: ${{ vars.MESSAGE_SIGNING_SNAP_ID }}
-      KERNEL_SNAP_ID: ${{ vars.KERNEL_SNAP_ID }}
-      ACCOUNT_API_BASE_URL: ${{ vars.ACCOUNT_API_BASE_URL }}
-      TOKENS_API_BASE_URL: ${{ vars.TOKENS_API_BASE_URL }}
     steps:
       - name: Checkout and setup environment
         uses: MetaMask/action-checkout-and-setup@v1
@@ -47,10 +48,6 @@ jobs:
     name: Dry run publish to NPM
     runs-on: ubuntu-latest
     needs: publish-release
-    env:
-      SNAP_ENV: ${{ vars.SNAP_ENV }}
-      PRICE_API_BASE_URL: ${{ vars.PRICE_API_BASE_URL }}
-      STORE_PERMISSIONS_ENABLED: ${{ vars.STORE_PERMISSIONS_ENABLED }}
     steps:
       - name: Checkout and setup environment
         uses: MetaMask/action-checkout-and-setup@v1

packages/gator-permissions-snap/.env.example

@@ -17,11 +17,7 @@ MESSAGE_SIGNING_SNAP_ID=local:http://localhost:8080
 ACCOUNT_API_BASE_URL=https://accounts.api.cx.metamask.io
 TOKENS_API_BASE_URL=https://tokens.api.cx.metamask.io
 
-# Prod
-SNAP_ENV=production
-STORE_PERMISSIONS_ENABLED=false
-PRICE_API_BASE_URL=https://price.api.cx.metamask.io
-ACCOUNT_API_BASE_URL=https://accounts.api.cx.metamask.io
-TOKENS_API_BASE_URL=https://tokens.api.cx.metamask.io
-KERNEL_SNAP_ID=npm:@metamask/permissions-kernel-snap
-MESSAGE_SIGNING_SNAP_ID=npm:@metamask/message-signing-snap
+# Support only testnets
+SUPPORTED_CHAIN_IDS=97,5115,6342,10200,80069,84532,421614,11155111,11155420,1301,80002,763373
+
+# Production configuration can be found here https://github.com/MetaMask/snap-7715-permissions/settings/variables/actions

packages/gator-permissions-snap/snap.config.ts

@@ -14,6 +14,7 @@ const {
   TOKENS_API_BASE_URL,
   KERNEL_SNAP_ID,
   MESSAGE_SIGNING_SNAP_ID,
+  SUPPORTED_CHAIN_IDS,
 } = process.env;
 
 if (!SNAP_ENV) {
@@ -65,6 +66,12 @@ if (!TOKENS_API_BASE_URL) {
   );
 }
 
+if (!SUPPORTED_CHAIN_IDS) {
+  throw new InternalError(
+    'SUPPORTED_CHAIN_IDS must be set as an environment variable.',
+  );
+}
+
 const config: SnapConfig = {
   input: resolve(__dirname, 'src/index.ts'),
   server: {
@@ -82,6 +89,7 @@ const config: SnapConfig = {
     TOKENS_API_BASE_URL,
     KERNEL_SNAP_ID,
     MESSAGE_SIGNING_SNAP_ID,
+    SUPPORTED_CHAIN_IDS,
   },
 };
 

packages/gator-permissions-snap/src/index.ts

@@ -67,6 +67,15 @@ if (!messageSigningSnapId) {
   throw new InternalError('MESSAGE_SIGNING_SNAP_ID is not set');
 }
 
+const supportedChainIdsString = process.env.SUPPORTED_CHAIN_IDS;
+if (!supportedChainIdsString) {
+  throw new InternalError('SUPPORTED_CHAIN_IDS is not set');
+}
+
+const supportedChainIds = supportedChainIdsString
+  .split(',')
+  .map((chainIdString) => parseInt(chainIdString, 10));
+
 // set up dependencies
 
 const accountApiClient = new AccountApiClient({
@@ -167,6 +176,7 @@ const permissionHandlerFactory = new PermissionHandlerFactory({
 const rpcHandler = createRpcHandler({
   permissionHandlerFactory,
   profileSyncManager,
+  supportedChainIds,
 });
 
 // configure RPC methods bindings

packages/gator-permissions-snap/src/rpc/rpcHandler.ts

@@ -1,6 +1,11 @@
 import type { PermissionResponse } from '@metamask/7715-permissions-shared/types';
 import { logger } from '@metamask/7715-permissions-shared/utils';
-import { UserRejectedRequestError, type Json } from '@metamask/snaps-sdk';
+import {
+  InvalidInputError,
+  UserRejectedRequestError,
+  type Json,
+} from '@metamask/snaps-sdk';
+import { hexToNumber } from '@metamask/utils';
 
 import type { PermissionHandlerFactory } from '../core/permissionHandlerFactory';
 import { DEFAULT_GATOR_PERMISSION_TO_OFFER } from '../permissions/permissionOffers';
@@ -40,14 +45,18 @@ export type RpcHandler = {
  * @param config - The parameters for creating the RPC handler.
  * @param config.permissionHandlerFactory - The factory for creating permission handlers.
  * @param config.profileSyncManager - The profile sync manager.
+ * @param config.supportedChainIds - The supported chain IDs.
  * @returns An object with RPC handler methods.
  */
-export function createRpcHandler(config: {
+export function createRpcHandler({
+  permissionHandlerFactory,
+  profileSyncManager,
+  supportedChainIds,
+}: {
   permissionHandlerFactory: PermissionHandlerFactory;
   profileSyncManager: ProfileSyncManager;
+  supportedChainIds: number[];
 }): RpcHandler {
-  const { permissionHandlerFactory, profileSyncManager } = config;
-
   /**
    * Handles grant permission requests.
    *
@@ -59,6 +68,18 @@ export function createRpcHandler(config: {
     const { permissionsRequest, siteOrigin } =
       validatePermissionRequestParam(params);
 
+    const unsupportedChainIds = permissionsRequest
+      .filter(
+        (request) => !supportedChainIds.includes(hexToNumber(request.chainId)),
+      )
+      .map((request) => request.chainId);
+
+    if (unsupportedChainIds.length > 0) {
+      throw new InvalidInputError(
+        `Unsupported chain IDs: ${unsupportedChainIds.join(', ')}`,
+      );
+    }
+
     const permissionsToStore: {
       permissionResponse: PermissionResponse;
       siteOrigin: string;

packages/gator-permissions-snap/test/rpc/rpcHandler.test.ts

@@ -16,6 +16,10 @@ const TEST_CHAIN_ID = '0x1' as const;
 const TEST_EXPIRY = Math.floor(Date.now() / 1000) + 86400; // 24 hours from now
 const TEST_CONTEXT = '0xabcd' as const;
 
+const TEST_SUPPORTED_CHAIN_IDS = [0x1, 0x10];
+
+const UNSUPPORTED_CHAIN_ID = '0xFA11' as const;
+
 const VALID_PERMISSION_REQUEST: PermissionRequest = {
   chainId: TEST_CHAIN_ID,
   rules: [
@@ -103,6 +107,7 @@ describe('RpcHandler', () => {
     handler = createRpcHandler({
       permissionHandlerFactory: mockHandlerFactory,
       profileSyncManager: mockProfileSyncManager,
+      supportedChainIds: TEST_SUPPORTED_CHAIN_IDS,
     });
   });
 
@@ -130,6 +135,54 @@ describe('RpcHandler', () => {
       expect(result).toStrictEqual([VALID_PERMISSION_RESPONSE]);
     });
 
+    it('should handle a permission request with a different supported chainId successfully', async () => {
+      const differentSupportedChainId = '0x10';
+      const permissionRequestWithDifferentSupportedChainId = {
+        ...VALID_PERMISSION_REQUEST,
+        chainId: differentSupportedChainId,
+      };
+
+      const requestWithDifferentSupportedChainId = {
+        permissionsRequest: [
+          permissionRequestWithDifferentSupportedChainId,
+        ] as unknown as Json[],
+        siteOrigin: TEST_SITE_ORIGIN,
+      };
+
+      const responseWithDifferentSupportedChainId = {
+        approved: true,
+        response: {
+          ...VALID_PERMISSION_RESPONSE,
+          chainId: differentSupportedChainId,
+        },
+      } as const;
+
+      mockHandler.handlePermissionRequest.mockImplementation(
+        async () => responseWithDifferentSupportedChainId,
+      );
+
+      const result = await handler.grantPermission(
+        requestWithDifferentSupportedChainId,
+      );
+
+      expect(mockHandlerFactory.createPermissionHandler).toHaveBeenCalledTimes(
+        1,
+      );
+
+      expect(mockHandlerFactory.createPermissionHandler).toHaveBeenCalledWith(
+        permissionRequestWithDifferentSupportedChainId,
+      );
+
+      expect(mockHandler.handlePermissionRequest).toHaveBeenCalledTimes(1);
+      expect(mockHandler.handlePermissionRequest).toHaveBeenCalledWith(
+        TEST_SITE_ORIGIN,
+      );
+
+      expect(result).toStrictEqual([
+        responseWithDifferentSupportedChainId.response,
+      ]);
+    });
+
     it('should throw an error if no parameters are provided', async () => {
       await expect(handler.grantPermission()).rejects.toThrow(
         'Failed type validation: : Required',
@@ -213,12 +266,12 @@ describe('RpcHandler', () => {
     it('should handle multiple permission requests in parallel', async () => {
       const secondPermissionRequest = {
         ...VALID_PERMISSION_REQUEST,
-        chainId: '0x2' as const,
+        chainId: TEST_CHAIN_ID,
       };
 
       const secondResponse = {
         ...VALID_PERMISSION_RESPONSE,
-        chainId: '0x2' as const,
+        chainId: TEST_CHAIN_ID,
       };
 
       const request: Json = {
@@ -259,7 +312,7 @@ describe('RpcHandler', () => {
     it('should handle mixed success/failure responses for multiple requests', async () => {
       const secondPermissionRequest = {
         ...VALID_PERMISSION_REQUEST,
-        chainId: '0x2' as const,
+        chainId: TEST_CHAIN_ID,
       };
 
       const request: Json = {
@@ -290,12 +343,12 @@ describe('RpcHandler', () => {
     it('should process multiple permission requests sequentially (no concurrency)', async () => {
       const secondPermissionRequest = {
         ...VALID_PERMISSION_REQUEST,
-        chainId: '0x2' as const,
+        chainId: TEST_CHAIN_ID,
       };
 
       const secondResponse = {
         ...VALID_PERMISSION_RESPONSE,
-        chainId: '0x2' as const,
+        chainId: TEST_CHAIN_ID,
       };
 
       const request: Json = {
@@ -448,12 +501,12 @@ describe('RpcHandler', () => {
     it('should maintain response order matching request order', async () => {
       const secondPermissionRequest = {
         ...VALID_PERMISSION_REQUEST,
-        chainId: '0x2' as const,
+        chainId: TEST_CHAIN_ID,
       };
 
       const secondResponse = {
         ...VALID_PERMISSION_RESPONSE,
-        chainId: '0x2' as const,
+        chainId: TEST_CHAIN_ID,
       };
 
       const request: Json = {
@@ -480,6 +533,20 @@ describe('RpcHandler', () => {
       const result = await handler.grantPermission(request);
       expect(result).toStrictEqual([VALID_PERMISSION_RESPONSE, secondResponse]);
     });
+
+    it('throws an error if the chain ID is not supported', async () => {
+      const request: Json = {
+        permissionsRequest: [
+          VALID_PERMISSION_REQUEST,
+          { ...VALID_PERMISSION_REQUEST, chainId: UNSUPPORTED_CHAIN_ID },
+        ],
+        siteOrigin: TEST_SITE_ORIGIN,
+      } as unknown as Json;
+
+      await expect(handler.grantPermission(request)).rejects.toThrow(
+        `Unsupported chain IDs: ${UNSUPPORTED_CHAIN_ID}`,
+      );
+    });
   });
 
   describe('getPermissionOffers', () => {
@@ -532,7 +599,7 @@ describe('RpcHandler', () => {
         },
         {
           permissionResponse: {
-            chainId: '0x2' as const,
+            chainId: TEST_CHAIN_ID,
             expiry: TEST_EXPIRY + 1000,
             signer: {
               type: 'account' as const,

packages/permissions-kernel-snap/.env.example

@@ -5,9 +5,4 @@ SNAP_ENV=local
 # Permissions snap id
 GATOR_PERMISSIONS_PROVIDER_SNAP_ID=local:http://localhost:8082
 
-
-# Prod
-SNAP_ENV=production
-GATOR_PERMISSIONS_PROVIDER_SNAP_ID=npm:@metamask/gator-permissions-snap
-# By default logging is disabled in production. If you want to enable it in production you have to set this variable to true
-# ENABLE_LOGGING=true
+# Production configuration can be found here https://github.com/MetaMask/snap-7715-permissions/settings/variables/actions

packages/site/.env.example

@@ -3,11 +3,4 @@ GATSBY_KERNEL_SNAP_ORIGIN=local:http://localhost:8081
 GATSBY_GATOR_SNAP_ORIGIN=local:http://localhost:8082
 GATSBY_MESSAGE_SIGNING_SNAP_ORIGIN=npm:@metamask/message-signing-snap
 GATSBY_BUNDLER_RPC_URL=https://<bundler-url>
-GATSBY_SUPPORTED_CHAINS=1,11155111
-
-# Production
-GATSBY_GATOR_SNAP_ORIGIN=npm:@metamask/gator-permissions-snap
-GATSBY_KERNEL_SNAP_ORIGIN=npm:@metamask/permissions-kernel-snap
-GATSBY_MESSAGE_SIGNING_SNAP_ORIGIN=npm:@metamask/message-signing-snap
-GATSBY_BUNDLER_RPC_URL=https://<bundler-url>
 GATSBY_SUPPORTED_CHAINS=11155111