Skip to content

fix: Add PPOM validation for deeplink requests #22473

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Nov 12, 2025
Merged

fix: Add PPOM validation for deeplink requests #22473

merged 4 commits into from
Nov 12, 2025
+181 −34

Conversation

@OGPoyraz
Copy link
Member

@OGPoyraz OGPoyraz commented Nov 11, 2025
edited by cursor bot
Loading

Description

This PR aims to add PPOM validation requests for deeplinks.

Changelog

CHANGELOG entry: null

Related issues

Fixes: https://github.com/MetaMask/mobile-planning/issues/2370
Fixes: #17358

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Note

Integrates PPOM validation into deeplink transfer/approve flows, generating a securityAlertId and passing it to addTransaction, with refactors and tests.

  • Deeplink handling (app/components/Views/confirmations/utils/deeplink.ts):
    • Add validateWithPPOM to build a PPOM request (with uuid-based securityAlertId) and call ppomUtil.validateRequest.
    • Pass returned securityAlertResponse to addTransaction for both native and ERC20 transfers.
    • Refactor tx construction to derive txParams and transactionType; downgrade duplicate-request log from error to log.
  • Approve flow (app/core/DeeplinkManager/TransactionManager/approveTransaction.ts):
    • Compute chainId/networkClientId, call validateWithPPOM, and include securityAlertResponse in addTransaction.
  • Tests:
    • Extend deeplink and approve tests to mock PPOM and UUID, assert PPOM validation payload, securityAlertResponse, and networkClientId wiring.

Written by Cursor Bugbot for commit daa4941. This will update automatically on new commits. Configure here.

@OGPoyraz OGPoyraz requested review from a team as code owners November 11, 2025 10:00
@metamaskbot metamaskbot added the team-confirmations Push issues to confirmations team label Nov 11, 2025
OGPoyraz
OGPoyraz commented Nov 11, 2025
View reviewed changes
app/components/Views/confirmations/utils/deeplink.ts

// Temporary solution for preventing back to back deeplink requests
if (isAddingDeeplinkTransaction) {
Logger.error(new Error('Cannot add another deeplink transaction'));
Copy link
Member Author

@OGPoyraz OGPoyraz Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is causing false positives in the Sentry logs - hence we are decreasing it to log instead of error.

See comment here: #17358 (comment)

@sonarqubecloud
Copy link

sonarqubecloud bot commented Nov 11, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@OGPoyraz OGPoyraz enabled auto-merge November 12, 2025 10:03
@OGPoyraz OGPoyraz added this pull request to the merge queue Nov 12, 2025
Merged via the queue into main with commit 86d1bd3 Nov 12, 2025
86 checks passed
@OGPoyraz OGPoyraz deleted the ogp/2370 branch November 12, 2025 11:19
@github-actions github-actions bot locked and limited conversation to collaborators Nov 12, 2025
@metamaskbot metamaskbot added the release-7.60.0 Issue or pull request that will be included in release 7.60.0 label Nov 12, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@vinistevam vinistevam vinistevam approved these changes

@tommasini tommasini tommasini approved these changes

Assignees

No one assigned

Labels

release-7.60.0 Issue or pull request that will be included in release 7.60.0 size-M team-confirmations Push issues to confirmations team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Sentry] Error: Cannot add another deeplink transaction

5 participants

@OGPoyraz @vinistevam @tommasini @metamaskbot