metamask-extension/app/scripts/controllers/provider-approval.js

const ObservableStore = require('obs-store')
const SafeEventEmitter = require('safe-event-emitter')
const createAsyncMiddleware = require('json-rpc-engine/src/createAsyncMiddleware')
const { errors: rpcErrors } = require('eth-json-rpc-errors')

/**
 * A controller that services user-approved requests for a full Ethereum provider API
 */
class ProviderApprovalController extends SafeEventEmitter {
  /**
   * Creates a ProviderApprovalController
   *
   * @param {Object} [config] - Options to configure controller
   */
  constructor ({ closePopup, initState, keyringController, openPopup, preferencesController } = {}) {
    super()
    this.closePopup = closePopup
    this.keyringController = keyringController
    this.openPopup = openPopup
    this.preferencesController = preferencesController
    this.memStore = new ObservableStore({
      providerRequests: [],
    })

    const defaultState = { approvedOrigins: {} }
    this.store = new ObservableStore(Object.assign(defaultState, initState))
  }

  /**
   * Called when a user approves access to a full Ethereum provider API
   *
   * @param {object} opts - opts for the middleware contains the origin for the middleware
   */
  createMiddleware ({ senderUrl, extensionId, getSiteMetadata }) {
    return createAsyncMiddleware(async (req, res, next) => {
      // only handle requestAccounts
      if (req.method !== 'eth_requestAccounts') return next()
      // if already approved or privacy mode disabled, return early
      const isUnlocked = this.keyringController.memStore.getState().isUnlocked
      const origin = senderUrl.hostname
      if (this.shouldExposeAccounts(origin) && isUnlocked) {
        res.result = [this.preferencesController.getSelectedAddress()]
        return
      }
      // register the provider request
      const metadata = { hostname: senderUrl.hostname, origin }
      if (extensionId) {
        metadata.extensionId = extensionId
      } else {
        const siteMetadata = await getSiteMetadata(origin)
        Object.assign(metadata, { siteTitle: siteMetadata.name, siteImage: siteMetadata.icon})
      }
      this._handleProviderRequest(metadata)
      // wait for resolution of request
      const approved = await new Promise(resolve => this.once(`resolvedRequest:${origin}`, ({ approved }) => resolve(approved)))
      if (approved) {
        res.result = [this.preferencesController.getSelectedAddress()]
      } else {
        throw rpcErrors.eth.userRejectedRequest('User denied account authorization')
      }
    })
  }

  /**
  * @typedef {Object} SiteMetadata
  * @param {string} hostname - The hostname of the site
  * @param {string} origin - The origin of the site
  * @param {string} [siteTitle] - The title of the site
  * @param {string} [siteImage] - The icon for the site
  * @param {string} [extensionId] - The extension ID of the extension
  */
  /**
   * Called when a tab requests access to a full Ethereum provider API
   *
   * @param {SiteMetadata} siteMetadata - The metadata for the site requesting full provider access
   */
  _handleProviderRequest (siteMetadata) {
    const { providerRequests } = this.memStore.getState()
    const origin = siteMetadata.origin
    this.memStore.updateState({
      providerRequests: [
        ...providerRequests,
        siteMetadata,
      ],
    })
    const isUnlocked = this.keyringController.memStore.getState().isUnlocked
    const { approvedOrigins } = this.store.getState()
    const originAlreadyHandled = approvedOrigins[origin]
    if (originAlreadyHandled && isUnlocked) {
      return
    }
    this.openPopup && this.openPopup()
  }

  /**
   * Called when a user approves access to a full Ethereum provider API
   *
   * @param {string} origin - origin of the domain that had provider access approved
   */
  approveProviderRequestByOrigin (origin) {
    if (this.closePopup) {
      this.closePopup()
    }

    const { approvedOrigins } = this.store.getState()
    const { providerRequests } = this.memStore.getState()
    const providerRequest = providerRequests.find((request) => request.origin === origin)
    const remainingProviderRequests = providerRequests.filter(request => request.origin !== origin)
    this.store.updateState({
      approvedOrigins: {
        ...approvedOrigins,
        [origin]: {
          siteTitle: providerRequest ? providerRequest.siteTitle : null,
          siteImage: providerRequest ? providerRequest.siteImage : null,
          hostname: providerRequest ? providerRequest.hostname : null,
        },
      },
    })
    this.memStore.updateState({ providerRequests: remainingProviderRequests })
    this.emit(`resolvedRequest:${origin}`, { approved: true })
  }

  /**
   * Called when a tab rejects access to a full Ethereum provider API
   *
   * @param {string} origin - origin of the domain that had provider access approved
   */
  rejectProviderRequestByOrigin (origin) {
    if (this.closePopup) {
      this.closePopup()
    }

    const { approvedOrigins } = this.store.getState()
    const { providerRequests } = this.memStore.getState()
    const remainingProviderRequests = providerRequests.filter(request => request.origin !== origin)

    // We're cloning and deleting keys here because we don't want to keep unneeded keys
    const _approvedOrigins = Object.assign({}, approvedOrigins)
    delete _approvedOrigins[origin]

    this.store.putState({ approvedOrigins: _approvedOrigins })
    this.memStore.putState({ providerRequests: remainingProviderRequests })
    this.emit(`resolvedRequest:${origin}`, { approved: false })
  }

  /**
   * Clears any approvals for user-approved origins
   */
  clearApprovedOrigins () {
    this.store.updateState({
      approvedOrigins: {},
    })
  }

  /**
   * Determines if a given origin should have accounts exposed
   *
   * @param {string} origin - Domain origin to check for approval status
   * @returns {boolean} - True if the origin has been approved
   */
  shouldExposeAccounts (origin) {
    return Boolean(this.store.getState().approvedOrigins[origin])
  }

  /**
   * Returns a merged state representation
   * @return {object}
   * @private
   */
  _getMergedState () {
    return Object.assign({}, this.memStore.getState(), this.store.getState())
  }
}

module.exports = ProviderApprovalController