Skip to content

feat: Add optional JWT token authentication to multi-chain accounts API #7165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
Nov 21, 2025
Merged

feat: Add optional JWT token authentication to multi-chain accounts API #7165

merged 12 commits into from
Nov 21, 2025
+176 −92

Conversation

@salimtb
Copy link
Contributor

@salimtb salimtb commented Nov 14, 2025
edited by cursor bot
Loading

Explanation

What is the current state and why does it need to change?

Currently, the multi-chain accounts API calls in TokenDetectionController and TokenBalancesController are made without authentication. This limits the ability to provide user-specific data and secure API endpoints that require authenticated requests.

What is the solution and how does it work?

This PR adds optional JWT token authentication and timeout protection to the accounts API calls:

  1. API Layer Changes (multi-chain-accounts.ts):

    • Added optional jwtToken parameter to fetchMultiChainBalances and fetchMultiChainBalancesV4
    • When a JWT token is provided, it's included in the Authorization: Bearer <token> header
    • The token is optional to maintain backward compatibility

  2. Controller Integration:

    • TokenDetectionController:
      • Fetches JWT token from AuthenticationController:getBearerToken and passes it to fetchMultiChainBalances when detecting tokens via Accounts API
    • TokenBalancesController: Fetches JWT token and passes it through the balance fetcher chain to fetchMultiChainBalancesV4

  3. Balance Fetcher Updates (api-balance-fetcher.ts):

    • Updated AccountsApiBalanceFetcher to accept and pass JWT token through the fetch chain
    • Token flows from updateBalancesfetch#fetchBalances → API calls

Key Design Decisions

  • Optional Parameter: The JWT token is optional throughout the call chain, ensuring backward compatibility for environments where authentication is not available or required
  • Graceful Degradation: If no token is provided, API calls proceed without authentication, allowing the system to work in both authenticated and unauthenticated scenarios
  • No Breaking Changes: Existing callers continue to work without modification

References

Checklist

  • I've updated the test suite for new or updated code as appropriate
    • Added tests in TokenDetectionController.test.ts to verify JWT token is passed correctly
    • Added test in TokenDetectionController.test.ts to verify 30-second timeout triggers RPC fallback
    • Added tests in TokenBalancesController.test.ts to verify JWT token flows through balance fetcher
    • Added tests in multi-chain-accounts.test.ts to verify Authorization header is set correctly
    • Added tests for both scenarios: with and without JWT token
    • Verified timeout behavior using fake timers (sinon) and the advanceTime helper
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
    • Updated JSDoc comments for fetchMultiChainBalances and fetchMultiChainBalancesV4
    • Updated JSDoc for controller methods that now handle JWT tokens
    • Added inline comments explaining timeout logic and fallback mechanism
  • I've communicated my changes to consumers by updating changelogs for packages I've changed, highlighting breaking changes as necessary
    • Note: No breaking changes - all JWT token parameters are optional and timeout is an internal improvement
  • I've prepared draft pull requests for clients and consumer packages to resolve any breaking changes
    • Note: Not required - no breaking changes introduced

Note

Adds optional JWT bearer authentication to multi‑chain Accounts API calls and wires token retrieval through controllers, while lowering timeouts to 10s and reducing API batch size to 20.

  • API/Services:
    • Add optional jwtToken to fetchMultiChainBalances/fetchMultiChainBalancesV4; include Authorization: Bearer <token> header when provided.
    • Reduce Accounts API request timeout to 10s; reduce V4 batch size from 50 to 20.
  • Controllers:
    • TokenDetectionController and TokenBalancesController fetch JWT via AuthenticationController:getBearerToken and pass it through balance/token detection flows.
    • TokenDetectionController Accounts API timeout lowered to 10s.
  • Balance Fetcher:
    • AccountsApiBalanceFetcher accepts/forwards jwtToken; applies 10s timeout and 20-size batching.
  • Tests:
    • Add coverage for JWT header behavior (with/without token) and updated batching/timeout.
    • Test scaffolding updated to mock AuthenticationController:getBearerToken and token list state injection.
  • Dependencies/Meta:
    • Add @metamask/profile-sync-controller as dev/peer dep.
    • Update CHANGELOG.md to document the new optional auth.

Written by Cursor Bugbot for commit d645dcf. This will update automatically on new commits. Configure here.

@salimtb salimtb marked this pull request as ready for review November 14, 2025 23:18
@salimtb salimtb requested review from a team as code owners November 14, 2025 23:18
@salimtb
Copy link
Contributor Author

salimtb commented Nov 14, 2025

@metamaskbot publish-preview

cursor[bot]
cursor bot reviewed Nov 14, 2025
View reviewed changes
@github-actions
Copy link
Contributor

github-actions bot commented Nov 14, 2025

Preview builds have been published. See these instructions for more information about preview builds.

Expand for full list of packages and versions. 
{
  "@metamask-previews/account-tree-controller": "3.0.0-preview-81857e91",
  "@metamask-previews/accounts-controller": "34.0.0-preview-81857e91",
  "@metamask-previews/address-book-controller": "7.0.0-preview-81857e91",
  "@metamask-previews/analytics-controller": "0.0.0-preview-81857e91",
  "@metamask-previews/announcement-controller": "8.0.0-preview-81857e91",
  "@metamask-previews/app-metadata-controller": "2.0.0-preview-81857e91",
  "@metamask-previews/approval-controller": "8.0.0-preview-81857e91",
  "@metamask-previews/assets-controllers": "88.0.0-preview-81857e91",
  "@metamask-previews/base-controller": "9.0.0-preview-81857e91",
  "@metamask-previews/bridge-controller": "60.1.0-preview-81857e91",
  "@metamask-previews/bridge-status-controller": "60.1.0-preview-81857e91",
  "@metamask-previews/build-utils": "3.0.4-preview-81857e91",
  "@metamask-previews/chain-agnostic-permission": "1.2.2-preview-81857e91",
  "@metamask-previews/claims-controller": "0.2.0-preview-81857e91",
  "@metamask-previews/composable-controller": "12.0.0-preview-81857e91",
  "@metamask-previews/controller-utils": "11.15.0-preview-81857e91",
  "@metamask-previews/core-backend": "4.0.0-preview-81857e91",
  "@metamask-previews/delegation-controller": "1.0.0-preview-81857e91",
  "@metamask-previews/earn-controller": "10.0.0-preview-81857e91",
  "@metamask-previews/eip-5792-middleware": "2.0.0-preview-81857e91",
  "@metamask-previews/eip-7702-internal-rpc-middleware": "0.1.0-preview-81857e91",
  "@metamask-previews/eip1193-permission-middleware": "1.0.2-preview-81857e91",
  "@metamask-previews/ens-controller": "18.0.0-preview-81857e91",
  "@metamask-previews/error-reporting-service": "3.0.0-preview-81857e91",
  "@metamask-previews/eth-block-tracker": "14.0.0-preview-81857e91",
  "@metamask-previews/eth-json-rpc-middleware": "21.0.0-preview-81857e91",
  "@metamask-previews/eth-json-rpc-provider": "5.0.1-preview-81857e91",
  "@metamask-previews/foundryup": "1.0.1-preview-81857e91",
  "@metamask-previews/gas-fee-controller": "25.0.0-preview-81857e91",
  "@metamask-previews/gator-permissions-controller": "0.4.0-preview-81857e91",
  "@metamask-previews/json-rpc-engine": "10.1.1-preview-81857e91",
  "@metamask-previews/json-rpc-middleware-stream": "8.0.8-preview-81857e91",
  "@metamask-previews/keyring-controller": "24.0.0-preview-81857e91",
  "@metamask-previews/logging-controller": "7.0.0-preview-81857e91",
  "@metamask-previews/message-manager": "14.0.0-preview-81857e91",
  "@metamask-previews/messenger": "0.3.0-preview-81857e91",
  "@metamask-previews/multichain-account-service": "3.0.0-preview-81857e91",
  "@metamask-previews/multichain-api-middleware": "1.2.4-preview-81857e91",
  "@metamask-previews/multichain-network-controller": "2.0.0-preview-81857e91",
  "@metamask-previews/multichain-transactions-controller": "6.0.0-preview-81857e91",
  "@metamask-previews/name-controller": "9.0.0-preview-81857e91",
  "@metamask-previews/network-controller": "25.0.0-preview-81857e91",
  "@metamask-previews/network-enablement-controller": "3.1.0-preview-81857e91",
  "@metamask-previews/notification-services-controller": "20.0.0-preview-81857e91",
  "@metamask-previews/permission-controller": "12.1.0-preview-81857e91",
  "@metamask-previews/permission-log-controller": "5.0.0-preview-81857e91",
  "@metamask-previews/phishing-controller": "15.0.0-preview-81857e91",
  "@metamask-previews/polling-controller": "15.0.0-preview-81857e91",
  "@metamask-previews/preferences-controller": "21.0.0-preview-81857e91",
  "@metamask-previews/profile-sync-controller": "26.0.0-preview-81857e91",
  "@metamask-previews/rate-limit-controller": "7.0.0-preview-81857e91",
  "@metamask-previews/remote-feature-flag-controller": "2.0.0-preview-81857e91",
  "@metamask-previews/sample-controllers": "3.0.0-preview-81857e91",
  "@metamask-previews/seedless-onboarding-controller": "6.1.0-preview-81857e91",
  "@metamask-previews/selected-network-controller": "25.0.0-preview-81857e91",
  "@metamask-previews/shield-controller": "2.1.0-preview-81857e91",
  "@metamask-previews/signature-controller": "36.0.0-preview-81857e91",
  "@metamask-previews/subscription-controller": "4.2.2-preview-81857e91",
  "@metamask-previews/token-search-discovery-controller": "4.0.0-preview-81857e91",
  "@metamask-previews/transaction-controller": "61.3.0-preview-81857e91",
  "@metamask-previews/transaction-pay-controller": "6.0.0-preview-81857e91",
  "@metamask-previews/user-operation-controller": "40.0.0-preview-81857e91"
}

cursor[bot]
cursor bot reviewed Nov 20, 2025
View reviewed changes
@socket-security
Copy link

socket-security bot commented Nov 21, 2025
edited
Loading

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request

cursor[bot]
cursor bot reviewed Nov 21, 2025
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Test timeout value doesn't match updated constant

The test comment and advanceTime call use 30000ms to simulate the timeout, but ACCOUNTS_API_TIMEOUT_MS was changed from 30000 to 10000 in TokenDetectionController.ts. The test advances time by 30000ms when it should advance by 10000ms to properly test the timeout behavior. This causes the test to wait 3x longer than necessary and doesn't accurately test the actual timeout threshold.

packages/assets-controllers/src/TokenDetectionController.test.ts#L2833-L2836

core/packages/assets-controllers/src/TokenDetectionController.test.ts

Lines 2833 to 2836 in 71af222

// Fast-forward time by 30 seconds to trigger the timeout
// This simulates the API call taking longer than the ACCOUNTS_API_TIMEOUT_MS (30000ms)
await advanceTime({ clock, duration: 30000 });

Fix in Cursor Fix in Web

@salimtb salimtb added this pull request to the merge queue Nov 21, 2025
Merged via the queue into main with commit c85107f Nov 21, 2025
273 checks passed
@salimtb salimtb deleted the feat/jwt-auth-accounts-api-integration branch November 21, 2025 09:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@Prithpal-Sooriya Prithpal-Sooriya Prithpal-Sooriya approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@salimtb @Prithpal-Sooriya