[WIP] Enable syncing of vault/preferences between multiple browsers #2802
Conversation
|
hello/ :fox_face: I am a bit concerned about the worst cases for the conflict resolution, and debugging against the blackboxed nature of the chrome/firefox syncing infrastructure the ideal case seems like it would allow parts of the state to merge, or we would just import something like a redux action stream for the backend. also need to consider:
hope im not overly complicating this feature, just don't want user's vaults to get blown out by a bad sync |
|
Hi @kumavis, thanks for the warm welcome! :) Let me try and address your comments.
I agree that Chrome and Firefox's syncing feature isn't the most transparent and I'm also finding that it isn't the most well documented. However, the fact that it is built in might outweigh those points.
Are you talking about only syncing parts of the top level state, or having even more granularity by filtering out keys of each controller-based state slice? (like KeyringController and PreferencesController). I currently have it set up to only grab from a select set of top level keys:
The plan is to handle this case via an option in the settings section that a user can select to enable or disable syncing. It would be disabled by default.
I agree that there are some concerns with the security of this feature. I stumbled across this in the docs for chrome's implementation of syncing: "Confidential user information should not be stored! The storage area isn't encrypted.". However, I'm unsure how accurate the warning to not store confidental info is as, again, the docs don't seem to be maintained very well. I can look and see if there are any documented use cases of popular extensions using this feature to see if specific security concerns are mentioned. Let me know if you have any more thoughts or questions! In the meantime, I'll be working on the existing TODOs at the top of this PR. |
|
Some thoughts on this: As one of our first bounties, I think we learned that slightly ambiguous, research-y bounties are probably unfair to bounty hunters, and we're pretty embarrassed that we learned so much about this feature while it was under development. We're going to pay a bounty for Ellie's work because we're using it in another feature too, but since this one has had so much scope creep, there's some apprehension that makes us want to be very sure before ever fully adopting this feature.
The current local APIs have the same problem, and we somewhat mitigate it by encrypting the local data with the user's password ourselves. We could probably always seek better encryption for this, though (more hash cycles before generating the key, longer minimum passwords). One necessary feature for this to work well:
Another Q:
|
|
Related to #2547. Another key that would be useful to sync would be the tokens (preferences controller). |
<!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** <!-- Write a short description of the changes included in this pull request, also include relevant motivation and context. Have in mind the following questions: 1. What is the reason for the change? 2. What is the improvement/solution? --> [](https://codespaces.new/MetaMask/metamask-extension/pull/28156?quickstart=1) ## **Related issues** Fixes: [#2802](MetaMask/MetaMask-planning#2802) ## **Manual testing steps** 1. Go to this page... 2. 3. ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> ### **After** <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.
](https://codespaces.new/MetaMask/metamask-extension/pull/28156?quickstart=1){kind=link}
This PR is to address issue #1459. Implementation details will be added to this PR, but for now, the linked issue has good amount of info.
Incomplete list of TODOS: