1
0
mirror of https://github.com/kremalicious/metamask-extension.git synced 2024-12-23 09:52:26 +01:00
Commit Graph

105 Commits

Author SHA1 Message Date
Mark Stacey
48c02ef641
Add validation to production build script (#15468)
Validation has been added to the build script when the "prod" target is
selected. We now ensure that all expected environment variables are
set, and that no extra environment variables are present (which might
indicate that the wrong configuration file is being used).

The `prod` target uses a new `.metamaskprodrc` configuration file. Each
required variable can be specified either via environment variable or
via this config file. CI will continue set these via environment
variable, but for local manual builds we can use the config file to
simplify the build process and ensure consistency.

A new "dist" target has been added to preserve the ability to build a
"production-like" build without this validation.

The config validation is invoked early in the script, in the CLI
argument parsing step, so that it would fail more quickly. Otherwise
we'd have to wait a few minutes longer for the validation to run.
This required some refactoring, moving functions to the utility module
and moving the config to a dedicated module.

Additionally, support has been added for all environment variables to
be set via the config file. Previously the values `PUBNUB_PUB_KEY`,
`PUBNUB_SUB_KEY`, `SENTRY_DSN`, and `SWAPS_USE_DEV_APIS` could only be
set via environment variable. Now, all of these variables can be set
either way.

Closes #15003
2022-08-19 15:46:18 -02:30
Niranjana Binoy
650eac88a5
Cleanup after TOKEN_DETECTION_V2 flag removal (#15564) 2022-08-16 10:22:05 -04:00
Mark Stacey
e3420a4262
Fix build script errors (#15493)
There is a SES bug that results in errors being printed to the console
as `{}`[1]. The known workaround is to print the error stack rather
than printing the error directly. This affects our build script when it
is run with LavaMoat.

We used this workaround in one place in the build script already, but
not in the handler for task errors. We now use it in both places.

The workaround has been moved to a function that we can use throughout
the build script.

[1]: https://github.com/endojs/endo/issues/944
2022-08-06 03:33:35 -04:00
Mark Stacey
44f8e9e10e
Replace rc with ini (#15464)
We use the `rc` package to read the `.metamaskrc` configuration file,
which is in "ini" format. This package has been replaced by the `ini`
package.

The `rc` package was not actively maintained, and it has had recent
security vulnerabilities. But most importantly, the config object
returned by `rc` includes a bunch of extra information that made build
script validation [1] difficult to implement. Specifically, it made it
challenging to ensure no extra environment variables were present.

The `ini` package on the other hand is simple, well maintained, and
is simpler to use. This package doesn't add any extra properties to the
object it returns, making validation easy.

[1]: https://github.com/MetaMask/metamask-extension/issues/15003
2022-08-05 15:11:18 -02:30
Mark Stacey
fa336b5137
Refactor build script to include build target (#15447)
The "scripts" portion of the build script has been refactored to pass
the "build target" throughout the file. The "build target" is the
target environment for the build, reflected by the command used to
start the build (e.g. "dev", "prod", "test", or "testDev").

Beforehand we derived the variables `devMode` and `testing` from this
build target, and passed these throughout the script. However, there is
a future change [1] that requires adding a new build target that acts
like "prod" in some ways but not others. It was easier to refactor to
pass through `buildTarget` directly than it was to add a _third_
boolean flag to indirectly represent the target.

The existence of the "testDev" target made it convenient to still have
the `testing` and `devMode` flag, so helper functions were added to
derive those values from the build target. I anticipate that these will
only be needed temporarily though. We will probably be able to get rid
of the `testDev` target and the related complexities when we start
adding more flags (like `--watch`[2] and `--minify`[3]) to the build
script directly.

[1]: https://github.com/MetaMask/metamask-extension/issues/15003
[2]: https://github.com/MetaMask/metamask-extension/issues/12767
[3]: https://github.com/MetaMask/metamask-extension/issues/12768
2022-08-04 15:42:06 -02:30
Mark Stacey
3b30984ce5
Fix "app-init" injection (#15320)
* Fix "app-init" injection

The way we were injecting variables into the `app-init.js` bundle was
accidentally overwriting the bundle output with the raw `app-init.js`
source file. This is a problem because the bundling process handles a
lot of things we care about like source maps, polyfills and other
necessary Babel transformations, environment variable injection, and
minification.

Instead of using string replacement to inject variables, we are now
using environment variables. The old string replacement strategy has
been removed, and the `app-init.js` module is now generated using the
same process as our other bundles.

A new option, "extraEnvironmentVariables", was added to allow us to
inject environment variables specifically for this bundle.

* Add check to ensure APPLY_LAVAMOAT is set
2022-08-03 12:51:10 -02:30
Sam Gbafa
5802805597
Add Sign-In with Ethereum (#14438)
Co-authored-by: Gregório Granado Magalhães <greg.magalhaes@gmail.com>
Co-authored-by: George Marshall <georgewrmarshall@gmail.com>
Co-authored-by: georgewrmarshall <george.marshall@consensys.net>
Co-authored-by: Ariella Vu <20778143+digiwand@users.noreply.github.com>
Co-authored-by: brad-decker <bhdecker84@gmail.com>
2022-08-03 09:56:11 -05:00
Brad Decker
693a6dfc0c
Remove unnecessary file extensions (#15352) 2022-07-27 14:32:17 -05:00
Mark Stacey
73cd2b0306
Add comments to build script (#15319)
This is a follow-up to #15318, which fixed a problem with environment
variables. Every function in this module that passes options related to
environment variables has been updated with a doc comment. This should
make it clearer which options are mandatory and which are optional,
hopefully preventing a similar mistake from happening in the future.
2022-07-27 13:04:02 -02:30
Brad Decker
1db0ee87ec
Update Eslint and deps (#15293) 2022-07-26 13:10:51 -05:00
Mark Stacey
2bcc1c512c
Fix environment variable injection (#15318)
The environment variables `IN_TEST` and `METAMASK_DEBUG` were not
being set to `false` correctly. Instead those variables were being
skipped, and were resolved to `undefined` at runtime. This is confusing
because the other environment variables do not work that way - they can
be set to false.

The build script has been updated to ensure those two environment
variables are always set to `true` or `false` - never `undefined`.

Additionally, the `METAMASK_VERSION` environment variable was being
omitted from the `app-init.js` bundle. For the sake of consistency,
that has also been restored.
2022-07-22 12:37:39 -02:30
Mark Stacey
4c942aa008
Rename various build script functions (#15317)
Some of the functions in `development/build/scripts.js` have been
renamed to better describe their function, and to be more consistent
with other similar functions.
2022-07-21 21:03:28 -02:30
Mark Stacey
61783bbe89
Remove unused bundling options in build script (#15316)
Two unused options have been removed from the `createNormalBundle`
function in the build script: 'extraEntries` and `modulesToExpose`.'

Both of these options were used in the old "main" bundles, before we
began using the "factored" bundles. They have been unused since #11080.
2022-07-21 21:03:06 -02:30
Jyoti Puri
0622883a3c
Capturing load time stats (#15157) 2022-07-20 11:40:31 +04:00
Jyoti Puri
6aa0ecce2a
Capturing lavamoat stats in E2E (#15153) 2022-07-20 03:07:15 +04:00
ryanml
959a376347
Remove 'ADD_POPULAR_NETWORKS' feature flag (#15229) 2022-07-14 08:58:34 -07:00
Jyoti Puri
aeb0147846
Adding tasks for MV3 test build (#15133) 2022-07-14 03:34:33 +04:00
Dan J Miller
e8ea973f0f
Add feature flag to prevent add popular networks from being available on prod (#15117) 2022-07-04 12:20:37 -02:30
Jyoti Puri
843beb6d20
MV3: fix injection of applyLavamoat variable in service worker (#14920) 2022-06-18 12:40:30 +05:30
Jyoti Puri
d8e1961fd1
MV3: Fix dynamic file list injection on service worker reload (#14795) 2022-06-15 20:27:51 +05:30
Mark Stacey
e6d5af5f9a Merge remote-tracking branch 'origin/develop' into master-sync
* origin/develop: (131 commits)
  Update `protobufjs` and remove obsolete advisory exclusion (#14841)
  Include snap version in pill (#14803)
  Update PULL_REQUEST_TEMPLATE.md (#14790)
  fix: keystone transaction qrcode has no white spacing (#14798)
  Snap notifications integration (#14605)
  Upgrade @metamask/eth-ledger-bridge-keyring (#14799)
  snaps-skunkworks@0.15.0 (#14772)
  Fix proptype errors in network dropdown, tx list item details, and account details modal tests (#14747)
  Ensure transaction type is correctly updated on edit (#14721)
  Add fiat onboarding for AVAX and MATIC through Wyre (#14683)
  Bump @metamask/contract-metadata from 1.33.0 to 1.35.0 (#14791)
  Slight cleanup of constants/transactions, useTransactionDisplayData, and TransactionIcon (#14784)
  Migrate the "estimateGas" API call to "getFees" for STX (#14767)
  Ignore advisory GHSA-wm7h-9275-46v2 (#14789)
  Adding flag for MV3 (#14762)
  Add types to send state (#14740)
  Remove site origin on snap install (#14752)
  Update design tokens library from 1.5 to 1.6 WIP (#14732)
  Enables the "Safe Transaction From" copy for safeTransferFrom transactions (#14769)
  remove draft transaction (#14701)
  ...
2022-06-03 11:53:40 -02:30
Jyoti Puri
25082ae272
Adding flag for MV3 (#14762) 2022-05-26 10:18:23 +05:30
Mark Stacey
d1ac1a8389 Rename phishing warning page environment variable
The phishing warning page URL environment variable has been renamed
from `PHISHING_PAGE_URL` to `PHISHING_WARNING_PAGE_URL`. We call this
page the "phishing warning page" everywhere else, and this name seemed
better suited (it's not a phishing page itself).

The variable has been listed and documented in `.metamaskrc.dist` as
well.
2022-05-16 18:48:20 -02:30
Mark Stacey
5a5e541b5e Fix e2e tests
The e2e tests have been updated for `@metamask/phishing-warning@1.1.0`.
The iframe case was updated with a new design, which required test
changes. The third test that was meant to ensure the phishing page
can't redirect to an extension page has been updated to navigate
directly to the phishing warning page and setting the URL manually via
query parameters, as that was the only way to test that redirect.
2022-05-16 18:48:20 -02:30
Mark Stacey
7199d9c567 Use externally hosted phishing warning page
An externally hosted phishing warning page is now used rather than the
built-in phishing warning page.The phishing page warning URL is set via
configuration file or environment variable. The default URL is either
the expected production URL or `http://localhost:9999/` for e2e testing
environments.

The new external phishing page includes a design change when it is
loaded within an iframe. In that case it now shows a condensed message,
and prompts the user to open the full warning page in a new tab to see
more details or bypass the warning. This is to prevent a clickjacking
attack from safelisting a site without user consent.

The new external phishing page also includes a simple caching service
worker to ensure it continues to work offline (or if our hosting goes
offline), as long as the user has successfully loaded the page at least
once. We also load the page temporarily during the extension startup
process to trigger the service worker installation.

The old phishing page and all related lines have been removed. The
property `web_accessible_resources` has also been removed from the
manifest. The only entry apart from the phishing page was `inpage.js`,
and we don't need that to be web accessible anymore because we inject
the script inline into each page rather than loading the file directly.

New e2e tests have been added to cover more phishing warning page
functionality, including the "safelist" action and the "iframe" case.
2022-05-16 14:40:50 -02:30
kumavis
07da8ce589
LavaMoat - UI upgrade - secure package naming (#14565)
* lavamoat - update lavamoat-browserify to v15

* lavamoat/ui - unify override across build types

* lavamoat/ui - update policy overrides

* lavamoat - update to lavapack@3 to match lavamoat-browserify@15

* lavamoat - add missing policy

* lavamoat - add missing nanoid policy

* lavamoat - regenerate policy

* deps - update lock

* lavamoat - update policy

* lavamoat - update policy
2022-05-05 12:47:51 -10:00
Erik Marks
6915dd1a57
Fix development build scripts (#14594)
#14583 broke the development build scripts (e.g. `yarn start`) by adding a positional argument to a package script (`build:dev`) that is used and passed positional arguments in the build script itself. This PR removes the positional argument from the `build:dev` script and `yarn start` now works again. In addition, the `--apply-lavamoat` flag is properly forwarded to child processes, which was not the case in the original implementation.

To test, `yarn start` should work and LavaMoat should _not_ be applied, in distinction to `yarn build:dev dev --apply-lavamoat=true`. Whether LavaMoat is applied can be determined by checking whether `Object.isFrozen(Object.prototype)` is `true` (with LavaMoat) or `false` (without LavaMoat).
2022-05-02 15:35:52 -07:00
Erik Marks
73a7ce9e39
Add applyLavaMoat build flag (#14583)
Adds a new flag, `--apply-lavamoat`, to the main build script. The flag controls whether LavaMoat is actually applied to the output of the build process. The flag defaults to `true`, but we explicitly set it to `false` in the `start` package script. Meanwhile, the `start:lavamoat` script is modified such that it applies LavaMoat to the build output in development mode, but it no longer runs the build process itself under LavaMoat as there aren't very compelling reasons to do so.

This change is motivated by the fact that development builds do not have their own dedicated LavaMoat policies, which causes development builds to fail since #14537. The downside of this change is that LavaMoat-related failures will not be detected when running `yarn start`. @kumavis has plans for fixing this problem in a future major version of the `@lavamoat` suite.
2022-04-29 15:56:30 -07:00
kumavis
66bd172980
Lavamoat - protect all UI contexts (#14537)
* lavamoat - apply lavamoat protections to popup and notification

* build - enable lavamoat for home

* lavamoat - add missing ui overrides for react family

* deps/patches - patch zxcvbn for ses compat
2022-04-28 08:45:46 -10:00
ryanml
b8c9f370ef Merge remote-tracking branch 'origin/master' into Version-v10.13.0 2022-04-07 02:32:07 -07:00
Mark Stacey
831d274a40 Restore version missing from certain build steps (#14344)
Certain build steps accidentally omitted the `version` variable. It has
now been restored to all steps, ensuring that all environment variables
are correctly injected into all bundles.

A check has been added to the Sentry setup module to ensure the release
is not omitted in the future.
2022-04-04 21:06:12 -02:30
Mark Stacey
2d08fe35e5
Restore version missing from certain build steps (#14344)
Certain build steps accidentally omitted the `version` variable. It has
now been restored to all steps, ensuring that all environment variables
are correctly injected into all bundles.

A check has been added to the Sentry setup module to ensure the release
is not omitted in the future.
2022-04-04 16:44:32 -02:30
Elliot Winkler
53006d4cf0
Add TypeScript to the build system (#13489)
This commit modifies the build system so that TypeScript files can be
transpiled into ES5 just like JavaScript files.

Note that this commit does NOT change the build system to run TypeScript
files through the TypeScript compiler. In other words, no files will be
type-checked at the build stage, as we expect type-checking to be
handled elsewhere (live, via your editor integration with `tsserver`,
and before a PR is merged, via `yarn lint`). Rather, we merely instruct
Babel to strip TypeScript-specific syntax from any files that have it,
as if those files had been written using JavaScript syntax alone.

Why take this approach? Because it prevents the build process from being
negatively impacted with respect to performance (as TypeScript takes a
significant amount of time to run).

It's worth noting the downside of this approach: because we aren't
running files through TypeScript, but relying on Babel's [TypeScript
transform][1] to identify TypeScript syntax, this transform has to keep
up with any syntax changes that TypeScript adds in the future. In fact
there are a few syntactical forms that Babel already does not recognize.
These forms are rare or are deprecated by TypeScript, so I don't
consider them to be a blocker, but it's worth noting just in case it
comes up later. Also, any settings we place in `tsconfig.json` will be
completely ignored by Babel. Again, this isn't a blocker because there
are some analogs for the most important settings reflected in the
options we can pass to the transform. These and other caveats are
detailed in the [documentation for the transform][2].

[1]: https://babeljs.io/docs/en/babel-plugin-transform-typescript
[2]: https://babeljs.io/docs/en/babel-plugin-transform-typescript#caveats
2022-03-28 16:33:40 -06:00
David Walsh
7f239997dc
Dark Mode: Remove feature flag (#14207) 2022-03-25 20:42:52 -05:00
Niranjana Binoy
90d6143071
Move Token Detection toggle to Advanced tab. (#13977) 2022-03-22 15:14:59 -04:00
Mark Stacey
75a8aedc32
Derive version suffix from build type and version (#13895)
The version of a build is now derived from both the `version` field in
`package.json` and the requested build type and version. The build type
and version are added onto the manifest version as a suffix, according
to the SemVer prerelease format.

We already have support in the extension for versions of this format,
but to apply a Flask or Beta version required manual updates to
`package.json`. Now it can be done just with build arguments.

A `get-version` module was created to make it easier to generate the
version in the various places we do that during the build. It was
created in the `development/lib` directory because it will be used by
other non-build development scripts in a future PR.

The `BuildType` constant was extracted to its own module as well, and
moved to the `development/lib` directory. This was to make it clear
that it's used by various different development scripts, not just the
build.
2022-03-10 12:31:50 -03:30
Niranjana Binoy
4bb3ba4aef
Adding new settings dropdown for Dark mode in Experimental tab (#13097) 2022-03-07 12:53:19 -06:00
Elliot Winkler
b1b4e64ad0
Prevent Browserify error from being swallowed (#13647)
If an error occurs while running Browserify, the stream that Browserify
creates will emit an `error` event. However, this event is not being
handled, so Node will catch it instead. But the error message it
produces is very nebulous, as it merely spits out the stream object and
completely ignores the actual error that occurred. So this commit
listens for the `error` event and outputs the error.

One note here is that when we are outputting the error, we must get
around a bug that exists in Endo where if you pass an Error object to
`console.{log,error,info,debug}` then you will just see `{}` on-screen.
We get around this by printing `err.stack`.
2022-02-17 13:47:50 -07:00
Jyoti Puri
760ed3457d
Removing EIP_1559_V2 feature flag (#13481) 2022-02-03 05:58:28 +05:30
Mark Stacey
3732c5f71e
Add JSDoc ESLint rules (#12112)
ESLint rules have been added to enforce our JSDoc conventions. These
rules were introduced by updating `@metamask/eslint-config` to v9.

Some of the rules have been disabled because the effort to fix all lint
errors was too high. It might be easiest to enable these rules one
directory at a time, or one rule at a time.

Most of the changes in this PR were a result of running
`yarn lint:fix`. There were a handful of manual changes that seemed
obvious and simple to make. Anything beyond that and the rule was left
disabled.
2022-01-07 12:27:33 -03:30
Elliot Winkler
af971cd5b6
Remove dupe Prettier config from ESLint config (#13234)
The ESLint config for the extension explicitly includes support for
Prettier. However, this is already being provided by our global ESLint
config (`@metamask/eslint-config`). Therefore there is no need to
include it here. In fact, this is causing weird issues where the `curly`
option is getting overridden somehow. After this change, these syntaxes
are invalid:

``` javascript
if (foo) return;
```

``` javascript
if (foo) return 'bar';
```
2022-01-06 15:56:51 -07:00
Mark Stacey
b983971bfd
Disable remote-redux-devtools in non-dev builds (#12956)
`remote-redux-devtools` is now explicitly excluded and disabled in non-
dev builds, and in the `testDev` build. This was causing console errors
in the `testDev` build during e2e tests, which would cause certain
tests to fail.

This was already only supposed to be enabled for development builds,
but this library used the `NODE_ENV` environment variable to make that
determination. This gives us more control over when it's disabled.
2021-12-06 11:55:40 -03:30
Mark Stacey
56c91262e9
Disable React dev tools in testDev builds (#12955)
The React dev tools can result in console errors if dev tools is not
open during the test. Some of our e2e tests fail if there are any
console errors, so these errors break those tests.

`react-devtools` has been completely disabled for `testDev` builds to
make debugging e2e tests easier. The React dev tools can still be used
from development builds.
2021-12-03 11:22:43 -03:30
Mark Stacey
7226357422
Fix isMainnet propType error (#12951)
A propType error was showing up during e2e tests with a `testDev`
build. It was caused by `process.env.IN_TEST` being treated as a
boolean, when in fact it is either the string `'true'` or a boolean.

`IN_TEST` has been updated to always be a boolean. `loose-envify` has
no trouble injecting boolean values, so there's no reason to treat this
as a string.
2021-12-02 14:46:46 -03:30
Mark Stacey
e8b7fcf8dc
Fix LavaMoat background policy generation (#12844)
The LavaMoat policy generation script would sporadically fail because
it ran the build concurrently three times, and the build includes
steps that delete the `dist` directory and write to it. So if one build
process tried to write to the directory after another deleted it, it
would fail.

This was solved by adding a new `--policy-only` flag to the build
script, and a new `scripts:prod` task. The `scripts:prod` task only
runs the script tasks for prod, rather than the entire build process.
The `--policy-only` flag stops the script tasks once the policy has
been written, and stops any other files from being written to disk.

This prevents the three concurrent build processes from getting in each
others way, and it dramatically speeds up the process.
2021-11-26 16:38:23 -03:30
Mark Stacey
609f541b76
Fix environment variables used during test builds (#12855)
The environment variables used for test builds was wrong for certain
bundles because the `testing` flag wasn't passed through to the
function that determines which environment variables to inject.
Effectively this means that test builds on `master` were going to the
production `metamask` Sentry project rather than the `test-metamask`
project. This has been the case since #11080.

The `testing` flag is now included for all bundles, and test builds now
use the `test-metamask` Sentry project in all cases.
2021-11-26 15:39:32 -03:30
Erik Marks
d4c71b8683
Add per-build type LavaMoat policies (#12702)
This PR adds one LavaMoat background script policy or each build type. It also renames the build system policy directory from `node` to `build-system` to make its purpose more clear. Each build type has the original `policy-override.json` for `main` builds. The `.prettierignore` file has been updated to match the locations of the new auto-generated policy files.

We need to maintain separate policies for each build type because each type will produce different bundles with different internal and external modules.

Co-authored-by: Mark Stacey <markjstacey@gmail.com>
2021-11-15 14:23:46 -08:00
kumavis
a4053b6b88
Lavamoat - enable lavamoat for the webapp background (#12566)
* lavamoat - update policy for current repo state

* lavamoat - enable for webapp background

* lavamoat - update policy for current repo state
2021-11-10 09:33:19 -10:00
Jyoti Puri
3dfc1cc5f6
Edit transaction screen changes for EIP-1559 V2 (#12493)
Edit transaction screen changes for EIP-1559 V2
2021-11-05 22:53:15 +05:30
Erik Marks
a2d3d942ec
Exclude files from builds by build type (#12521)
This PR enables the exclusion of JavaScript and JSON source by `buildType`, and enables the running of `eslint` under LavaMoat. 80-90% of the changes in this PR are `.patch` files and LavaMoat policy additions.

The file exclusion is designed to work in conjunction with our code fencing. If you forget to fence an import statement of an excluded file, the application will now error on boot. **This PR commits us to a particular naming convention for files intended only for certain builds.** Continue reading for details.

### Code Fencing and ESLint

When a file is modified by the code fencing transform, we run ESLint on it to ensure that we fail early for syntax-related issues. This PR adds the first code fences that will be actually be removed in production builds. As a consequence, this was also the first time we attempted to run ESLint under LavaMoat. Making that work required a lot of manual labor because of ESLint's use of dynamic imports, but the manual changes necessary were ultimately quite minor.

### File Exclusion

For all builds, any file in `app/`, `shared/` or `ui/` in a sub-directory matching `**/${otherBuildType}/**` (where `otherBuildType` is any build type except `main`) will be added to the list of excluded files, regardless of its file extension. For example, if we want to add one or more pages to the UI settings in Flask, we'd create the folder `ui/pages/settings/flask`, add any necessary files or sub-folders there, and fence the import statements for anything in that folder. If we wanted the same thing for Beta, we would name the directory `ui/pages/settings/beta`.

As it happens, we already organize some of our source files in this way, namely the logo JSON for Beta and Flask builds. See `ui/helpers/utils/build-types.js` to see how this works in practice.

Because the list of ignored filed is only passed to `browserify.exclude()`, any files not bundled by `browserify` will be ignored. For our purposes, this is mostly relevant for `.scss`. Since we don't have anything like code fencing for SCSS, we'll have to consider how to handle our styles separately.
2021-11-01 20:20:31 -07:00