feat: use SeedlessOnboardingController accessToken for social pairing

- Modify AuthenticationController to get accessToken from SeedlessOnboardingController state
- Add pairing logic that runs non-blocking during signIn
- Add state tracking for pairing status to prevent duplicate attempts
- Add PAIR_SOCIAL_IDENTIFIER endpoint for social pairing API
- Ensure pairing failures don't affect other authentication flows

Based on PR #6048 but using accessToken from SeedlessOnboardingController (PR #6060)
instead of injecting a separate socialPairingToken.

Author: cursoragent

packages/profile-sync-controller/src/controllers/authentication/AuthenticationController.ts

@@ -24,6 +24,8 @@ import {
   Env,
   JwtBearerAuth,
 } from '../../sdk';
+import { authorizeOIDC, getNonce, PAIR_SOCIAL_IDENTIFIER } from '../../sdk/authentication-jwt-bearer/services';
+import { PairError } from '../../sdk/errors';
 import type { MetaMetricsAuth } from '../../shared/types/services';
 
 const controllerName = 'AuthenticationController';
@@ -32,6 +34,8 @@ const controllerName = 'AuthenticationController';
 export type AuthenticationControllerState = {
   isSignedIn: boolean;
   srpSessionData?: Record<string, LoginResponse>;
+  socialPairingDone?: boolean;
+  pairingInProgress?: boolean;
 };
 export const defaultState: AuthenticationControllerState = {
   isSignedIn: false,
@@ -45,6 +49,14 @@ const metadata: StateMetadata<AuthenticationControllerState> = {
     persist: true,
     anonymous: false,
   },
+  socialPairingDone: {
+    persist: true,
+    anonymous: true,
+  },
+  pairingInProgress: {
+    persist: false,
+    anonymous: true,
+  },
 };
 
 // Messenger Actions
@@ -88,7 +100,11 @@ export type Events = AuthenticationControllerStateChangeEvent;
 // Allowed Actions
 export type AllowedActions =
   | HandleSnapRequest
-  | KeyringControllerGetStateAction;
+  | KeyringControllerGetStateAction
+  | {
+      type: 'SeedlessOnboardingController:getState';
+      handler: () => { accessToken?: string };
+    };
 
 export type AllowedEvents =
   | KeyringControllerLockEvent
@@ -277,13 +293,19 @@ export default class AuthenticationController extends BaseController<
       accessTokens.push(accessToken);
     }
 
+    // don't await for the pairing to finish
+    this.#tryPairingWithSeedlessAccessToken().catch(() => {
+      // don't care
+    });
+
     return accessTokens;
   }
 
   public performSignOut(): void {
     this.update((state) => {
       state.isSignedIn = false;
       state.srpSessionData = undefined;
+      state.socialPairingDone = false;
     });
   }
 
@@ -318,6 +340,95 @@ export default class AuthenticationController extends BaseController<
     return this.state.isSignedIn;
   }
 
+  async #tryPairingWithSeedlessAccessToken(): Promise<void> {
+    const { socialPairingDone, pairingInProgress } = this.state;
+    if (socialPairingDone || pairingInProgress) {
+      return;
+    }
+
+    // Get accessToken from SeedlessOnboardingController
+    let seedlessState;
+    try {
+      seedlessState = this.messagingSystem.call('SeedlessOnboardingController:getState');
+    } catch (error) {
+      // SeedlessOnboardingController might not be available
+      return;
+    }
+
+    const accessToken = seedlessState?.accessToken;
+    if (!accessToken) {
+      return;
+    }
+
+    try {
+      this.update((state) => {
+        state.pairingInProgress = true;
+      });
+
+      if (await this.#pairSocialIdentifier(accessToken)) {
+        this.update((state) => {
+          state.socialPairingDone = true;
+        });
+      }
+    } catch (error) {
+      // ignore the error - pairing failure should not affect other flows
+    } finally {
+      this.update((state) => {
+        state.pairingInProgress = false;
+      });
+    }
+  }
+
+  async #pairSocialIdentifier(accessToken: string): Promise<boolean> {
+    // TODO: need to hardcode the env as web3auth prod is not available.
+    const env = Env.DEV;
+
+    // Exchange the social token with an access token
+    const tokenResponse = await authorizeOIDC(accessToken, env, this.#metametrics.agent);
+
+    // Prepare the SRP signature
+    const identifier = await this.#snapGetPublicKey();
+    const profile = await this.#auth.getUserProfile();
+    const n = await getNonce(profile.profileId, env);
+    const raw = `metamask:${n.nonce}:${identifier}`;
+    const sig = await this.#snapSignMessage(raw);
+    const primaryIdentifierSignature = {
+      signature: sig,
+      raw_message: raw,
+      identifier_type: AuthType.SRP,
+      encrypted_storage_key: '', // Not yet part of this flow, so we leave it empty
+    };
+
+    const pairUrl = new URL(PAIR_SOCIAL_IDENTIFIER(env));
+
+    try {
+      const response = await fetch(pairUrl, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          Authorization: `Bearer ${tokenResponse.accessToken}`,
+        },
+        body: JSON.stringify({
+          nonce: n.nonce,
+          login: primaryIdentifierSignature,
+        }),
+      });
+
+      if (!response.ok) {
+        const responseBody = (await response.json()) as { message: string; error: string };
+        throw new Error(
+          `HTTP error message: ${responseBody.message}, error: ${responseBody.error}`,
+        );
+      }
+
+      return true;
+    } catch (e) {
+      const errorMessage =
+        e instanceof Error ? e.message : JSON.stringify(e ?? '');
+      throw new PairError(`unable to pair identifiers: ${errorMessage}`);
+    }
+  }
+
   /**
    * Returns the auth snap public key.
    *

packages/profile-sync-controller/src/sdk/authentication-jwt-bearer/services.ts

@@ -16,6 +16,9 @@ export const NONCE_URL = (env: Env) =>
 export const PAIR_IDENTIFIERS = (env: Env) =>
   `${getEnvUrls(env).authApiUrl}/api/v2/identifiers/pair`;
 
+export const PAIR_SOCIAL_IDENTIFIER = (env: Env) =>
+  `${getEnvUrls(env).authApiUrl}/api/v2/identifiers/pair/social`;
+
 export const OIDC_TOKEN_URL = (env: Env) =>
   `${getEnvUrls(env).oidcApiUrl}/oauth2/token`;