CP-13547: Added logging to seedlesswallet to track down false == true error (#3639)

Author: B0Y3R-AVA

packages/core-mobile/app/new/common/utils/startRefreshSeedlessTokenFlow.ts

@@ -21,10 +21,23 @@ export async function startRefreshSeedlessTokenFlow(
 > {
   const oidcProvider = await SecureStorageService.load(
     KeySlot.OidcProvider
-  ).catch(Logger.error)
+  ).catch(e => {
+    Logger.error(
+      '[RefreshSeedlessTokenFlow] failed to load OidcProvider from keychain',
+      e
+    )
+    return undefined
+  })
   const oidcUserId = await SecureStorageService.load(KeySlot.OidcUserId).catch(
-    Logger.error
+    e => {
+      Logger.error(
+        '[RefreshSeedlessTokenFlow] failed to load OidcUserId from keychain',
+        e
+      )
+      return undefined
+    }
   )
+
   let oidcTokenResult: OidcPayload
 
   try {
@@ -45,6 +58,10 @@ export async function startRefreshSeedlessTokenFlow(
         }
     }
   } catch (e) {
+    Logger.error(
+      `[RefreshSeedlessTokenFlow] OIDC sign-in failed for provider: ${oidcProvider}`,
+      e
+    )
     return {
       success: false,
       error: new RefreshSeedlessTokenFlowErrors({

packages/core-mobile/app/security/SecureStorageService.ts

@@ -4,6 +4,7 @@ import Aes from 'react-native-aes-crypto'
 import { decrypt, encrypt } from 'utils/EncryptionHelper'
 import { serializeJson } from 'utils/serialization/serialize'
 import { deserializeJson } from 'utils/serialization/deserialize'
+import Logger from 'utils/Logger'
 
 export enum KeySlot {
   SignerSessionData = 'SignerSessionData',
@@ -41,7 +42,15 @@ class SecureStorageService {
         service: serviceForValues
       }
     )
-    assert(result !== false)
+    if (result === false) {
+      Logger.error(
+        `[SecureStorage] store(${slot}) - setGenericPassword returned false! Keychain write FAILED`
+      )
+    }
+    assert(
+      result !== false,
+      `[SecureStorage] store(${slot}) - Keychain write failed for service: ${serviceForValues}`
+    )
   }
 
   /**
@@ -55,7 +64,15 @@ class SecureStorageService {
     const result = await Keychain.getGenericPassword({
       service: serviceForValues
     })
-    assert(result !== false)
+    if (result === false) {
+      Logger.error(
+        `[SecureStorage] load(${slot}) - getGenericPassword returned false! No data in keychain for service: ${serviceForValues}`
+      )
+    }
+    assert(
+      result !== false,
+      `[SecureStorage] load(${slot}) - Keychain read failed for service: ${serviceForValues}`
+    )
     const decrypted = await decrypt(result.password, key)
     const stringified = decrypted.data
     return deserializeJson<T>(stringified)
@@ -86,11 +103,33 @@ class SecureStorageService {
     if (existingCredentials) {
       return existingCredentials.password
     }
+
+    // Check whether encrypted data already exists for this slot.
+    // If it does, the key was lost and data is unrecoverable — report to Sentry.
+    // If not, this is a normal first-run initialization.
+    const serviceForValues = `ss_value_${slot}`
+    const existingData = await Keychain.getGenericPassword({
+      service: serviceForValues
+    })
+
+    if (existingData) {
+      Logger.error(
+        `[SecureStorage] getOrCreateKey(${slot}) - encryption key MISSING but encrypted data EXISTS. Data for this slot is UNRECOVERABLE.`
+      )
+    } else {
+      Logger.warn(
+        `[SecureStorage] getOrCreateKey(${slot}) - no existing encryption key found, generating new key (expected on first run).`
+      )
+    }
+
     const key: string = await Aes.randomKey(32)
     const result = await Keychain.setGenericPassword(serviceForKeys, key, {
       service: serviceForKeys
     })
-    assert(result !== false)
+    assert(
+      result !== false,
+      `[SecureStorage] getOrCreateKey(${slot}) - Keychain write failed for service: ${serviceForKeys}`
+    )
     return key
   }
 }

packages/core-mobile/app/seedless/services/SeedlessSession.ts

@@ -89,7 +89,12 @@ class SeedlessSession {
    * Retrieves information about the current user's mfa.
    */
   async userMfa(): Promise<MFA[]> {
-    return (await this.aboutMe()).mfa
+    try {
+      return (await this.aboutMe()).mfa
+    } catch (error) {
+      Logger.error(`[SeedlessSession] userMfa() FAILED`, error)
+      throw error
+    }
   }
 
   /**
@@ -99,42 +104,50 @@ class SeedlessSession {
     oidcToken: string,
     mfaReceipt?: MfaReceipt | undefined
   ): Promise<CubeSignerResponse<SessionData>> {
-    const response = await CubeSignerClient.createOidcSession(
-      envInterface,
-      SEEDLESS_ORG_ID,
-      oidcToken,
-      this.scopes,
-      {
-        // How long singing with a particular token works from the token creation
-        auth_lifetime: minutesToSeconds(5),
-        // How long a refresh token is valid, the user has to unlock Core in this timeframe otherwise they will have to re-login
-        // Sessions expire either if the session lifetime expires or if a refresh token expires before a new one is generated
-        refresh_lifetime: hoursToSeconds(90 * 24),
-        // How long till the user absolutely must sign in again
-        session_lifetime: hoursToSeconds(365 * 24)
-      },
-      mfaReceipt
-    )
+    try {
+      const response = await CubeSignerClient.createOidcSession(
+        envInterface,
+        SEEDLESS_ORG_ID,
+        oidcToken,
+        this.scopes,
+        {
+          // How long singing with a particular token works from the token creation
+          auth_lifetime: minutesToSeconds(5),
+          // How long a refresh token is valid, the user has to unlock Core in this timeframe otherwise they will have to re-login
+          // Sessions expire either if the session lifetime expires or if a refresh token expires before a new one is generated
+          refresh_lifetime: hoursToSeconds(90 * 24),
+          // How long till the user absolutely must sign in again
+          session_lifetime: hoursToSeconds(365 * 24)
+        },
+        mfaReceipt
+      )
+
+      if (response.requiresMfa()) {
+        // if MFA is required, we cannot access session data until MFA verification is complete
+        // thus, we are just storing the MFA client here (for verification operations)
+        const client = await response.mfaClient()
+        if (!client) throw new Error('MFA client is missing')
+        this.signerClient = client
+      } else {
+        // when MFA is not required or MFA verification is complete
+        // we can safely access session data
+        const sessionData = response.data()
+
+        // destroy outdated client instance
+        this.signerClient = null
+
+        // persist session data
+        await this.sessionManager.store(sessionData)
+      }
 
-    if (response.requiresMfa()) {
-      // if MFA is required, we cannot access session data until MFA verification is complete
-      // thus, we are just storing the MFA client here (for verification operations)
-      const client = await response.mfaClient()
-      if (!client) throw new Error('MFA client is missing')
-      this.signerClient = client
-    } else {
-      // when MFA is not required or MFA verification is complete
-      // we can safely access session data
-      const sessionData = response.data()
-
-      // destroy outdated client instance
-      this.signerClient = null
-
-      // persist session data
-      await this.sessionManager.store(sessionData)
+      return response
+    } catch (error) {
+      Logger.error(
+        `[SeedlessSession] requestOidcAuth() FAILED - hasMfaReceipt: ${!!mfaReceipt}`,
+        error
+      )
+      throw error
     }
-
-    return response
   }
 
   async refreshToken(): Promise<Result<void, Error>> {
@@ -152,7 +165,15 @@ class SeedlessSession {
         err.status === 403 &&
         err.isSessionExpiredError()
       ) {
+        Logger.warn(
+          `[SeedlessSession] refreshToken() - 403 session expired. errorCode: ${err.errorCode}, calling onSessionExpired`
+        )
         this.onSessionExpired?.()
+      } else {
+        Logger.error(
+          `[SeedlessSession] refreshToken() - forceRefresh failed with non-403 error`,
+          err
+        )
       }
 
       return {
@@ -163,45 +184,70 @@ class SeedlessSession {
   }
 
   async totpResetInit(): Promise<CubeSignerResponse<TotpChallenge>> {
-    const cubeSignerClient = await this.getSignerClient()
-
-    return await cubeSignerClient.resetTotp('Core')
+    try {
+      const cubeSignerClient = await this.getSignerClient()
+      return await cubeSignerClient.resetTotp('Core')
+    } catch (error) {
+      Logger.error(`[SeedlessSession] totpResetInit() FAILED`, error)
+      throw error
+    }
   }
 
   async fidoRegisterInit(
     name: string
   ): Promise<CubeSignerResponse<AddFidoChallenge>> {
-    const cubeSignerClient = await this.getSignerClient()
-    return await cubeSignerClient.addFido(name)
+    try {
+      const cubeSignerClient = await this.getSignerClient()
+      return await cubeSignerClient.addFido(name)
+    } catch (error) {
+      Logger.error(`[SeedlessSession] fidoRegisterInit() FAILED`, error)
+      throw error
+    }
   }
 
   async deleteFido(fidoId: string): Promise<CubeSignerResponse<Empty>> {
-    const cubeSignerClient = await this.getSignerClient()
-    return await cubeSignerClient.deleteFido(fidoId)
+    try {
+      const cubeSignerClient = await this.getSignerClient()
+      return await cubeSignerClient.deleteFido(fidoId)
+    } catch (error) {
+      Logger.error(
+        `[SeedlessSession] deleteFido() FAILED - fidoId: ${fidoId}`,
+        error
+      )
+      throw error
+    }
   }
 
   async approveFido(
     oidcToken: string,
     mfaId: string,
     withSecurityKey: boolean
   ): Promise<void> {
-    const challenge = await this.fidoApproveStart(mfaId)
-    const credential = await PasskeyService.getCredential(
-      challenge.options,
-      withSecurityKey
-    )
-
-    const mfaRequestInfo = await challenge.answer(credential)
-    const mfaReceipt = await mfaRequestInfo.receipt()
-
-    if (mfaReceipt?.mfaConf) {
-      await this.requestOidcAuth(oidcToken, {
-        mfaOrgId: SEEDLESS_ORG_ID,
-        mfaId: mfaId,
-        mfaConf: mfaReceipt.mfaConf
-      })
-    } else {
-      throw new Error('Passkey authentication failed')
+    try {
+      const challenge = await this.fidoApproveStart(mfaId)
+      const credential = await PasskeyService.getCredential(
+        challenge.options,
+        withSecurityKey
+      )
+
+      const mfaRequestInfo = await challenge.answer(credential)
+      const mfaReceipt = await mfaRequestInfo.receipt()
+
+      if (mfaReceipt?.mfaConf) {
+        await this.requestOidcAuth(oidcToken, {
+          mfaOrgId: SEEDLESS_ORG_ID,
+          mfaId: mfaId,
+          mfaConf: mfaReceipt.mfaConf
+        })
+      } else {
+        throw new Error('Passkey authentication failed')
+      }
+    } catch (error) {
+      Logger.error(
+        `[SeedlessSession] approveFido() FAILED - mfaId: ${mfaId}`,
+        error
+      )
+      throw error
     }
   }
 
@@ -241,7 +287,11 @@ class SeedlessSession {
       })
 
       return { success: true, value: undefined }
-    } catch {
+    } catch (error) {
+      Logger.error(
+        `[SeedlessSession] verifyCode() FAILED - mfaId: ${mfaId}`,
+        error
+      )
       return {
         success: false,
         error: new TotpErrors({
@@ -257,8 +307,16 @@ class SeedlessSession {
    * MfaFidoChallenge.answer or fidoApproveComplete.
    */
   async fidoApproveStart(mfaId: string): Promise<MfaFidoChallenge> {
-    const signerClient = await this.getSignerClient()
-    return signerClient.apiClient.mfaFidoInit(mfaId)
+    try {
+      const signerClient = await this.getSignerClient()
+      return signerClient.apiClient.mfaFidoInit(mfaId)
+    } catch (error) {
+      Logger.error(
+        `[SeedlessSession] fidoApproveStart() FAILED - mfaId: ${mfaId}`,
+        error
+      )
+      throw error
+    }
   }
 
   /**
@@ -292,6 +350,12 @@ class SeedlessSession {
 
           this.signerClient = client
           return client
+        } catch (error) {
+          Logger.error(
+            `[SeedlessSession] getSignerClient() - CubeSignerClient.create() FAILED`,
+            error
+          )
+          throw error
         } finally {
           // Always reset the promise lock (success or failure) so later calls can retry.
           this.signerClientPromise = null