-
Notifications
You must be signed in to change notification settings - Fork 4.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: support security alerts API (#25544)
<!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** This PR enables the use of the Security Alerts API to validate dApp requests, with a fallback to local PPOM validation if the API request fails. #### Environment Variables Add the following variables to `.metamaskrc`: ```shell SECURITY_ALERTS_API_URL='http://localhost:3000' SECURITY_ALERTS_API_ENABLED='true' ``` #### Additional Changes Introduces the security_alert_source property to transaction and signature events, indicating api or local as the source. #### Related Repository Refer to the [Security Alerts API repository](https://github.com/consensys-vertical-apps/va-mmcx-security-alerts-api) for more details. <!-- Write a short description of the changes included in this pull request, also include relevant motivation and context. Have in mind the following questions: 1. What is the reason for the change? 2. What is the improvement/solution? --> [![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/25544?quickstart=1) ## **Related issues** Fixes: MetaMask/MetaMask-planning#2514 MetaMask/MetaMask-planning#2515 ## **Manual testing steps** 1. Test blockaid regression 2. add the envs ```shell SECURITY_ALERTS_API_URL='https://security-alerts.dev-api.cx.metamask.io' SECURITY_ALERTS_API_ENABLED='true' ``` - Go to test dapp and trigger on of the malicious signatures - To verify in chrome go to dev tools > network. Search for `security-alerts` and find the call to the API service. Existing PPOM logic should function as before, even with the above environment variables added, due to the fallback to the controller in the event of an error. ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ![image](https://github.com/MetaMask/metamask-extension/assets/45455812/ace14a9e-32e4-4489-a9a0-c648128674bc) ### **Before** <!-- [screenshots/recordings] --> ### **After** <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I’ve included tests if applicable - [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.
- Loading branch information
1 parent
a935093
commit fe23ae0
Showing
18 changed files
with
334 additions
and
65 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
import { | ||
BlockaidReason, | ||
BlockaidResultType, | ||
} from '../../../../shared/constants/security-provider'; | ||
import { | ||
isSecurityAlertsAPIEnabled, | ||
validateWithSecurityAlertsAPI, | ||
} from './security-alerts-api'; | ||
|
||
const CHAIN_ID_MOCK = '0x1'; | ||
|
||
const REQUEST_MOCK = { | ||
method: 'eth_sendTransaction', | ||
params: [ | ||
{ | ||
from: '0x123', | ||
to: '0x456', | ||
value: '0x123', | ||
}, | ||
], | ||
}; | ||
|
||
const RESPONSE_MOCK = { | ||
result_type: BlockaidResultType.Errored, | ||
reason: BlockaidReason.maliciousDomain, | ||
description: 'Test Description', | ||
}; | ||
|
||
describe('Security Alerts API', () => { | ||
const fetchMock = jest.fn(); | ||
|
||
beforeEach(() => { | ||
jest.resetAllMocks(); | ||
|
||
global.fetch = fetchMock; | ||
|
||
fetchMock.mockResolvedValue({ | ||
ok: true, | ||
json: async () => RESPONSE_MOCK, | ||
}); | ||
|
||
process.env.SECURITY_ALERTS_API_URL = 'https://example.com'; | ||
}); | ||
|
||
describe('validateWithSecurityAlertsAPI', () => { | ||
it('sends POST request', async () => { | ||
const response = await validateWithSecurityAlertsAPI( | ||
CHAIN_ID_MOCK, | ||
REQUEST_MOCK, | ||
); | ||
|
||
expect(response).toEqual(RESPONSE_MOCK); | ||
|
||
expect(fetchMock).toHaveBeenCalledTimes(1); | ||
expect(fetchMock).toHaveBeenCalledWith( | ||
`https://example.com/validate/${CHAIN_ID_MOCK}`, | ||
expect.any(Object), | ||
); | ||
}); | ||
|
||
it('throws an error if response is not ok', async () => { | ||
fetchMock.mockResolvedValue({ ok: false, status: 567 }); | ||
|
||
const responsePromise = validateWithSecurityAlertsAPI( | ||
CHAIN_ID_MOCK, | ||
REQUEST_MOCK, | ||
); | ||
|
||
await expect(responsePromise).rejects.toThrow( | ||
'Security alerts API request failed with status: 567', | ||
); | ||
}); | ||
|
||
it('throws an error if SECURITY_ALERTS_API_URL is not set', async () => { | ||
delete process.env.SECURITY_ALERTS_API_URL; | ||
|
||
await expect( | ||
validateWithSecurityAlertsAPI(CHAIN_ID_MOCK, REQUEST_MOCK), | ||
).rejects.toThrow('Security alerts API URL is not set'); | ||
}); | ||
|
||
it('throws an error if SECURITY_ALERTS_API_ENABLED is false', () => { | ||
process.env.SECURITY_ALERTS_API_ENABLED = 'false'; | ||
|
||
const isEnabled = isSecurityAlertsAPIEnabled(); | ||
expect(isEnabled).toBe(false); | ||
}); | ||
}); | ||
}); |
Oops, something went wrong.