feat: revamp user storage encryption process

[mathieuartu]

Explanation

This PR adds new steps when both UserStorageController and SDK performs:

• getUserStorageAllFeatureEntries
• getUserStorage

This steps looks for fetched entries' salts and, if random salts are found, re-encrypts these entries with a constant salt and uploads them back to user storage.

This PR also removes the salt randomness when generating the keys, by adding a new shared salt.

This is done to prevent performance issues when decrypting multiple entries that have different salts in applications using UserStorageController / SDK.

References

Changelog

@metamask/profile-sync-controller

• CHANGED: Stop using a random salt when generating scrypt keys and use a shared one
• ADDED: Re-encrypt data fetched by getUserStorageAllFeatureEntries and getUserStorage with the shared salt if fetched entries were encrypted with random salts

Checklist

• I've updated the test suite for new or updated code as appropriate
• I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
• I've highlighted breaking changes using the "BREAKING" category above as appropriate
• I've prepared draft pull requests for clients and consumer packages to resolve any breaking changes

[Prithpal-Sooriya]

Can you validate both Scrypt KDFs work with an empty salt size?

[Prithpal-Sooriya]

FUTURE - This is a missing test on mobile, but I would like us to add a test to assert that both scrypt functions generate the exact same encrypted data (to avoid the issue we had early on)

[mathieuartu]

Can you validate both Scrypt KDFs work with an empty salt size?

I CAN! 😄

[mirceanis]

I'd argue that if we want to avoid running into multiple salts we can hardcode a salt here instead of fiddling with the size.
I'm also concerned about the behavior of different libraries when given empty salts

[Prithpal-Sooriya]

FUTURE - this tests have a lot of repetition, it would be nice to clean up these up so the tests clearly show us what we are testing instead of needing to read all this setup/acting.

[Prithpal-Sooriya]

Future - I don't like how we've shoved all the user storage logic in a class, this bloats the SDK class and makes it harder to test things individually.

Similar to the authentication SDK, we should split out services from the user storage SDK.

[mathieuartu]

@Prithpal-Sooriya Agreed! Added that to my to-do list!

[Prithpal-Sooriya]

LGTM.

Test this on mobile before merging. I want to ensure that both JS and Native Scrypt will generate same key / same encrypted payload.

[mirceanis]

Overall looks good.

There's a spot where the comparison is still done by salt.length instead of comparing to the shared salt.

Once that's fixed it should be good to go.

[mirceanis]

This is missing a comparison to the SHARED_SALT

Suggested change

	if (salt.length) {
	if (salt.toString() !== SHARED_SALT.toString())

[mirceanis]

I wonder if it's difficult to cover this in a test too

[mirceanis]

looks good

[mirceanis]

I disagree with the approach to delete the data that fails to decrypt.
Such failures can happen for multiple unforeseen reasons so any such destructive operation should be guarded much more thoroughly.

If we intend to avoid spending time in KDF on seemingly corrupted entries perhaps an alternative approach can be considered: marking the corrupted entries locally so that decryption attempts are stopped before KDF is triggered.

[mirceanis]

To me this is a foot gun.
Exceptions during decryption can happen in situations we can't predict now.

Also, this delete operation can be invoked if there's any other problem obtaining the salt, or deriving the decryption key, or there's any error during upsert, including any network error.

[mirceanis]

same unintentional failure scenarios as with getUserStorage().
The try block is too broad

[mirceanis]

Looks good again :)

[mirceanis]

Let's address this in a separate issue.