feat: decode permissions in SignatureController#6619
Merged
jeffsmale90 merged 21 commits intomainfrom Sep 23, 2025
Merged
Conversation
jeffsmale90
force-pushed
the
feat/decodePermission_signatureController
branch
3 times, most recently
from
217553e to
4dee17d
Compare
jeffsmale90
changed the title
jeffsmale90
force-pushed
the
feat/decodePermission_signatureController
branch
4 times, most recently
from
8a636fc to
4b72727
Compare
jeffsmale90
force-pushed
the
feat/decodePermission_signatureController
branch
from
4b72727 to
21a7c84
Compare
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
jeffsmale90
force-pushed
the
feat/decodePermission_signatureController
branch
from
21a7c84 to
b4006dc
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
jeffsmale90
force-pushed
the
feat/decodePermission_signatureController
branch
from
b4006dc to
47460e5
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
jeffsmale90
force-pushed
the
feat/decodePermission_signatureController
branch
from
0ac0fd7 to
b5b431f
Compare
matthewwalsh0
requested changes
Sep 17, 2025
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
jeffsmale90
force-pushed
the
feat/decodePermission_signatureController
branch
from
bf157ae to
48d4d7b
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
jeffsmale90
force-pushed
the
feat/decodePermission_signatureController
branch
from
31cbe3c to
442a239
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
jeffsmale90
force-pushed
the
feat/decodePermission_signatureController
branch
from
442a239 to
8378da7
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
jeffsmale90
force-pushed
the
feat/decodePermission_signatureController
branch
from
8378da7 to
a3a38b6
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
7 tasks
This was referenced Sep 22, 2025
matthewwalsh0
approved these changes
Sep 23, 2025
| }; | ||
|
|
||
| /** Metadata use in the signTypedData request when handling EIP-7715 execution permission requests */ | ||
| export type ExecutionPermissionMetadata = { |
Member
There was a problem hiding this comment.
Minor, this isn't necessarily specific to the permissions but general metadata.
| /** Metadata use in the signTypedData request when handling EIP-7715 execution permission requests */ | ||
| export type ExecutionPermissionMetadata = { | ||
| origin: string; | ||
| justification: string; |
Member
There was a problem hiding this comment.
Minor, JSDoc on properties?
| caveats, | ||
| } as unknown as MessageParamsTyped, | ||
| ], | ||
| [ |
There was a problem hiding this comment.
Bug: Test Label Mismatch Causes Confusion
A test case in the decodePermissionFromRequest suite is mislabeled "Missing authority." The test data for this case actually omits the delegator field, not authority. This leads to duplicate test descriptions, making test output unclear.
| await this.#approveAndSignRequest(metadata, traceContext); | ||
| } catch (error) { | ||
| log('Signature request failed', error); | ||
| log('Signature request failed', (error as Error).message); |
There was a problem hiding this comment.
Bug: Error Logging Fails with Non-Error Objects
The updated error logging in SignatureController.ts assumes caught errors are always Error objects. As JavaScript allows throwing any value, accessing .message on non-Error types can lead to undefined being logged or a runtime error, losing valuable debugging context.
jeffsmale90
added a commit
that referenced
this pull request
Sep 24, 2025
## Explanation Releases @metamask/signature-controller@34.0.0 ### Added - Add two new controller state metadata properties: `includeInStateLogs` and `usedInUi` ([#6473](#6473)) - **BREAKING:** Decode delegation permissions using `@metamask/gator-permissions-controller` when calling `newUnsignedTypedMessage`, adds `@metamask/gator-permissions-controller` as a peer dependency. ([#6619](#6619)) ### Changed - Bump `@metamask/controller-utils` from `^11.12.0` to `^11.14.0` ([#6620](#6620), [#6629](#6629)) - Bump `@metamask/base-controller` from `^8.1.0` to `^8.4.0` ([#6355](#6355), [#6465](#6465), [#6632](#6632)) - Bump `@metamask/utils` from `^11.4.2` to `^11.8.0` ([#6588](#6588)) - Bump `@metamask/network-controller` from `^24.1.0` to `^24.2.0` ([#6678](#6678)) - Bump `@metamask/keyring-controller` from `^23.0.0` to `^23.1.0` ([#6590](#6590)) - Bump `@metamask/accounts-controller` from `^33.0.0` to `^33.1.0` ([#6572](#6572))
github-merge-queue bot
pushed a commit
to MetaMask/metamask-extension
that referenced
this pull request
Sep 25, 2025
…ded permission (#36054) ## **Description** This feature is only enabled in Flask. When a dapp requests an EIP-7715 Readable Permission, the user must sign with `eth_signTypedData_v4`, but it's important that the user can understand what is being signed. This PR surfaced the decoded permission information in a new Sign Permission view. When a `eth_signTypedData_v4` request is received by `@metamask/signature-controller` that appears to be a delegation, it will pass this request to `@metamask/gator-permissions-controller` to decode the request into the originating permission. If this is successful, `@metamask/signature-controller` attaches the decoded permission to the request `metadata`. This PR adds a new view showing the details of the permission that the user is signing. This does not implement the final design, and focusses only on introducing the functionality to extension. Further iteration will be made to improve the UX. As such, no internationalization has been included in this change. A couple important points to note: - if `GATOR_PERMISSIONS_ENABLED` is not true, the request will be rejected here (this should never happen, because the method `wallet_requestExecutionPermissions` will not allow requests if the feature is not enabled - if the origin is not the configured Gator Permissions Snap, the permission will not be decoded by the `GatorPermissionsController` - if the request is for a delegation signature, and no permission is decoded, the SignatureController will reject the request - This feature is only being released into Flask at this stage - future PRs will refine the UX before this is released to end-users [](https://codespaces.new/MetaMask/metamask-extension/pull/36054?quickstart=1) ## **Changelog** CHANGELOG entry: presents a Permission confirmation view when a decoded permission exists on signTypedData metadata. Flask only. ## **Related issues** These PRs are related to this feature: - Introduce GatorPermissionsController to mobile MetaMask/metamask-mobile#20006 - Decode permissions in SignatureController MetaMask/core#6619 - Method 'decodePermissionFromPermissionContextForOrigin' is now synchronous MetaMask/core#6656 - Add `decodePermissionFromPermissionContextForOrigin` to `GatorPermissionsController` MetaMask/core#6556 ## **Manual testing steps** 1. Run the 7715 gator snaps locally 2. Build MetaMask flask with `GATOR_PERMISSIONS_ENABLED=true` and `GATOR_PERMISSIONS_PROVIDER_SNAP_ID=local:http://localhost:8082` 2. Open the 7715 gator snap page 3. Install snaps if necessary, by clicking "Install kernel snap", then "Install provider snap" 4. Select the appropriate permission type and parameters 5. Click "Grant Permission" 6. Adjust the requested permission as necessary 7. Click "Grant" Expect to see the sign permission screen: ## **Screenshots/Recordings** <img width="396" height="852" alt="image" src="https://github.com/user-attachments/assets/b45e5a7d-ccaa-4456-be65-4b990bc2ea2d" /> ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I’ve included tests if applicable - [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.
](https://codespaces.new/MetaMask/metamask-extension/pull/36054?quickstart=1){kind=link}
github-merge-queue bot
pushed a commit
to MetaMask/metamask-mobile
that referenced
this pull request
Oct 21, 2025
## **Description** Updates the dependency on @metamask/signature-controller to 34.0.0 This version bump introduces a dependency on @metamask/gator-permissions-controller via `GatorPermissionsControllerDecodePermissionFromPermissionContextForOriginAction` which has been added to signature-controller-messenger. ## **Changelog** From SignatureController https://github.com/MetaMask/core/blob/main/packages/signature-controller/CHANGELOG.md: ### @metamask/signature-controller 34.0.0 #### Added - Add two new controller state metadata properties: includeInStateLogs and usedInUi (MetaMask/core#6473) - Decode delegation permissions using `@metamask/gator-permissions-controller` when calling `newUnsignedTypedMessage` ([#6619](MetaMask/core#6619)) #### Changed - Bump @metamask/controller-utils from ^11.12.0 to ^11.14.0 (MetaMask/core#6620, MetaMask/core#6629) - Bump @metamask/base-controller from ^8.1.0 to ^8.4.0 (MetaMask/core#6355, MetaMask/core#6465, MetaMask/core#6632) - Bump @metamask/utils from ^11.4.2 to ^11.8.0 (MetaMask/core#6588) ### @metamask/signature-controller 33.0.0 #### Changed - BREAKING: Bump peer dependency @metamask/accounts-controller from ^32.0.0 to ^33.0.0 (MetaMask/core#6345) - BREAKING: Bump peer dependency @metamask/keyring-controller from ^22.0.0 to ^23.0.0 (MetaMask/core#6345) - Bump @metamask/base-controller from ^8.0.1 to ^8.1.0 (MetaMask/core#6284) - Bump @metamask/controller-utils from ^11.11.0 to ^11.12.0 (MetaMask/core#6303) CHANGELOG entry: null ## **Screenshots/Recordings** ## **Pre-merge author checklist** - [ ] I’ve followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > Upgrade @metamask/signature-controller to ^34 and allow GatorPermissionsController decode action in the signature controller messenger. > > - **Dependencies**: > - Bump `@metamask/signature-controller` to `^34.0.0`. > - **Engine**: > - **`app/core/Engine/messengers/signature-controller-messenger/signature-controller-messenger.ts`**: > - Add `GatorPermissionsControllerDecodePermissionFromPermissionContextForOriginAction` and allow `GatorPermissionsController:decodePermissionFromPermissionContextForOrigin` in `allowedActions`. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 657705e. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add execution-permission decoding to
SignatureControllerforeth_signTypedData_v4delegation requests. If a delegation request is unable to be decoded into a coherent Execution Permission, reject external (not fromorigin: metamask) attempts to sign delegations for internal accounts. Adds decoded permission in signature request state for rendering downstream.Why
Readable Permissions requires the ability to sign delegations, only when the delegation can be decoded to a permission that is then shown to the user.
The architecture is described in this document. Decoding has been added to
GatorPermissionsControllerin #6556Note: the request origin is always
@metamask/gator-permission-snap(any other origin is rejected). Because of this,metadatais added to the 712 payload, defining thejustificationandoriginwhich is the original origin of the request (the dapp).