chore: update seedless controller 6.1.0 (MetaMask#21991)

<!--
Please submit this PR as a draft initially.
Do not mark it as "Ready for review" until the template has been
completely filled out, and PR status checks have passed at least once.
-->

## **Description**
Update seedless controller to v6.1.0
Update required types checking ( throw on not matching type / undefined
)

Remove unused code in basehandler
add jsdoc to AuthTokenHandler

Jira Link

https://consensyssoftware.atlassian.net/browse/SL-253?atlOrigin=eyJpIjoiNzc2ZjgxYTRlZGEzNGFhY2I4ZWZjNDc3ZjExNzg4NzkiLCJwIjoiaiJ9

<!--
Write a short description of the changes included in this pull request,
also include relevant motivation and context. Have in mind the following
questions:
1. What is the reason for the change?
2. What is the improvement/solution?
-->

## **Changelog**

<!--
If this PR is not End-User-Facing and should not show up in the
CHANGELOG, you can choose to either:
1. Write `CHANGELOG entry: null`
2. Label with `no-changelog`

If this PR is End-User-Facing, please write a short User-Facing
description in the past tense like:
`CHANGELOG entry: Added a new tab for users to see their NFTs`
`CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker`

(This helps the Release Engineer do their job more quickly and
accurately)
-->

CHANGELOG entry: update seedless controller v6

## **Related issues**

Fixes:
MetaMask#21933

## **Manual testing steps**

```gherkin
Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]
```

## **Screenshots/Recordings**

<!-- If applicable, add screenshots and/or recordings to visualize the
before and after of your change. -->

### **Before**

<!-- [screenshots/recordings] -->

### **After**

<!-- [screenshots/recordings] -->

## **Pre-merge author checklist**

- [x] I’ve followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile
Coding
Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I’ve included tests if applicable
- [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.



<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Upgrades seedless controller to v6.1.0 and updates OAuth services to
stricter token typing/validation, new v2 revoke/renew endpoints, and
refreshed tests.
> 
> - **OAuth services**:
>   - **AuthTokenHandler**:
> - Implements controller types; validates presence of `id_token`,
`access_token`, `metadata_access_token`.
> - Adds strict checks for `refresh_token`/`revoke_token` on renew;
throws on missing tokens.
> - Switches endpoints: `AUTH_SERVER_RENEW_PATH` and
`AUTH_SERVER_REVOKE_PATH` to `/api/v2/...`.
>   - **OAuthService**:
>     - Enforces non-empty `loginHandler.login()` result.
> - Requires `refresh_token` and `revoke_token` before `authenticate`;
throws controller errors if missing.
>   - **Base handler**:
> - Removes refresh/revoke helpers; keeps `getAuthTokens` with explicit
typing.
>   - **Interfaces**:
>     - Adds `AuthRefreshTokenResponse`; documents response types.
> - **Tests**:
> - Updates and expands unit tests for new validations, error handling,
request bodies, and handler behavior across `AuthTokenHandler`, base
handler, login handlers, and service.
> - **Dependencies**:
> - Bumps `@metamask/seedless-onboarding-controller` to `^6.1.0` and
related transitive packages.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
5b82940. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: ieow

app/core/OAuthService/AuthTokenHandler.test.ts

@@ -292,20 +292,18 @@ describe('AuthTokenHandler', () => {
 
       fetchSpy.mockResolvedValueOnce({
         ok: true,
+        statusText: 'OK',
         json: jest.fn().mockResolvedValueOnce(mockResponse),
       });
 
       // Act
-      const result = await AuthTokenHandler.renewRefreshToken({
+      const pendingPromise = AuthTokenHandler.renewRefreshToken({
         connection: mockConnection,
         revokeToken: mockRevokeToken,
       });
 
       // Assert
-      expect(result).toEqual({
-        newRefreshToken: undefined,
-        newRevokeToken: undefined,
-      });
+      await expect(pendingPromise).rejects.toThrow();
     });
   });
 
@@ -503,6 +501,15 @@ describe('AuthTokenHandler', () => {
         refreshToken: 'test-token',
       });
 
+      const refreshMockResponse = {
+        refresh_token: 'new-refresh-token',
+        revoke_token: 'new-revoke-token',
+      };
+      fetchSpy.mockResolvedValue({
+        ok: true,
+        json: jest.fn().mockResolvedValue(refreshMockResponse),
+      });
+
       await AuthTokenHandler.renewRefreshToken({
         connection: AuthConnection.Apple,
         revokeToken: 'test-token',

app/core/OAuthService/AuthTokenHandler.ts

@@ -1,12 +1,31 @@
 import { Platform } from 'react-native';
-import { AuthConnection } from './OAuthInterface';
+import { AuthConnection, AuthRefreshTokenResponse } from './OAuthInterface';
 import { createLoginHandler } from './OAuthLoginHandlers';
+import type {
+  RefreshJWTToken,
+  RenewRefreshToken,
+  RevokeRefreshToken,
+} from '@metamask/seedless-onboarding-controller/dist/types.d.cts';
 
 export const AUTH_SERVER_RENEW_PATH = '/api/v2/oauth/renew_refresh_token';
 export const AUTH_SERVER_REVOKE_PATH = '/api/v2/oauth/revoke';
 export const AUTH_SERVER_TOKEN_PATH = '/api/v1/oauth/token';
 
-class AuthTokenHandler {
+interface AuthTokenHandlerInterface {
+  refreshJWTToken: RefreshJWTToken;
+  renewRefreshToken: RenewRefreshToken;
+  revokeRefreshToken: RevokeRefreshToken;
+}
+
+class AuthTokenHandler implements AuthTokenHandlerInterface {
+  /**
+   * Refresh the JWT Token using the refresh token.
+   *
+   * @param params - The params from the login handler
+   * @param params.connection - The connection type (Google, Apple, etc.)
+   * @param params.refreshToken - The refresh token from the Web3Auth Authentication Server.
+   * @returns The id token, access token, and metadata access token.
+   */
   async refreshJWTToken(params: {
     connection: AuthConnection;
     refreshToken: string;
@@ -41,7 +60,7 @@ class AuthTokenHandler {
       throw new Error('Failed to refresh JWT token');
     }
 
-    const refreshTokenData = await response.json();
+    const refreshTokenData: AuthRefreshTokenResponse = await response.json();
     const idToken = refreshTokenData.id_token;
 
     if (
@@ -62,6 +81,14 @@ class AuthTokenHandler {
     };
   }
 
+  /**
+   * Renew the refresh token.
+   *
+   * @param params - The params from the login handler
+   * @param params.connection - The connection type (Google, Apple, etc.)
+   * @param params.revokeToken - The revoke token from the Web3Auth Authentication Server.
+   * @returns The new refresh token and revoke token.
+   */
   async renewRefreshToken(params: {
     connection: AuthConnection;
     revokeToken: string;
@@ -89,12 +116,28 @@ class AuthTokenHandler {
     }
 
     const responseData = await response.json();
+
+    const newRefreshToken = responseData.refresh_token;
+    const newRevokeToken = responseData.revoke_token;
+
+    if (!newRefreshToken || !newRevokeToken) {
+      throw new Error('Failed to renew refresh token - ' + response.statusText);
+    }
+
     return {
-      newRefreshToken: responseData.refresh_token,
-      newRevokeToken: responseData.revoke_token,
+      newRefreshToken,
+      newRevokeToken,
     };
   }
 
+  /**
+   * Revoke the refresh token.
+   *
+   * @param params - The params from the login handler
+   * @param params.connection - The connection type (Google, Apple, etc.)
+   * @param params.revokeToken - The revoke token from the Web3Auth Authentication Server.
+   * @returns void
+   */
   async revokeRefreshToken(params: {
     connection: AuthConnection;
     revokeToken: string;
@@ -122,7 +165,6 @@ class AuthTokenHandler {
         'Failed to revoke refresh token - ' + response.statusText,
       );
     }
-
     return;
   }
 }

app/core/OAuthService/OAuthInterface.ts

@@ -68,6 +68,8 @@ export type AuthRequestParams =
   | AuthRequestCodeParams
   | AuthRequestIdTokenParams;
 
+// return type for auth request with
+// grant type : authorization_code, access_type: offline
 export interface AuthResponse {
   id_token: string;
   access_token: string;
@@ -78,6 +80,17 @@ export interface AuthResponse {
   revoke_token?: string;
 }
 
+// return type for auth request with
+// grant type : refresh_token
+// grant type : authorization_code, access_type: online
+export interface AuthRefreshTokenResponse {
+  id_token: string;
+  access_token: string;
+  metadata_access_token: string;
+  indexes: number[];
+  endpoints: Record<string, string>;
+}
+
 export interface LoginHandler {
   get authConnection(): AuthConnection;
   get scope(): string[];

app/core/OAuthService/OAuthLoginHandlers/baseHandler.test.ts

@@ -183,10 +183,11 @@ describe('BaseLoginHandler', () => {
         success: true,
         id_token: 'mock-id-token',
         refresh_token: 'mock-refresh-token',
-        indexes: [1, 2, 3],
-        endpoints: { endpoint1: 'value1' },
-        message: 'Success',
-        jwt_tokens: { token1: 'value1' },
+        revoke_token: 'mock-revoke-token',
+        access_token: 'mock-access-token',
+        metadata_access_token: 'mock-metadata-access-token',
+        token_type: 'Bearer',
+        expires_in: 3600,
       };
 
       (global.fetch as jest.Mock).mockResolvedValueOnce({
@@ -225,44 +226,16 @@ describe('BaseLoginHandler', () => {
       );
 
       expect(result).toEqual(mockResponse);
-
-      jest
-        .spyOn(global, 'fetch')
-        .mockResolvedValueOnce(new Response(JSON.stringify(mockResponse)));
-
-      const refreshResult = await mockHandler.refreshAuthToken('refresh-token');
-
-      expect(refreshResult).toEqual(mockResponse);
-
-      const mockRevokeResponse = {
-        new_refresh_token: 'refresh-token',
-        new_revoke_token: 'revoke-token',
-      };
-
-      jest
-        .spyOn(global, 'fetch')
-        .mockResolvedValueOnce(
-          new Response(JSON.stringify(mockRevokeResponse)),
-        );
-
-      const revokeResult =
-        await mockHandler.revokeRefreshToken('refresh-token');
-
-      expect(revokeResult).toEqual({
-        refresh_token: 'refresh-token',
-        revoke_token: 'revoke-token',
-      });
     });
 
     it('successfully gets auth tokens with idToken', async () => {
       const mockResponse = {
-        success: true,
         id_token: 'mock-id-token',
         refresh_token: 'mock-refresh-token',
-        indexes: [1, 2, 3],
-        endpoints: { endpoint1: 'value1' },
-        message: 'Success',
-        jwt_tokens: { token1: 'value1' },
+        revoke_token: 'mock-revoke-token',
+        access_token: 'mock-access-token',
+        metadata_access_token: 'mock-metadata-access-token',
+        expires_in: 3600,
       };
 
       (global.fetch as jest.Mock).mockResolvedValueOnce({
@@ -361,6 +334,10 @@ describe('BaseLoginHandler', () => {
       const mockResponse = {
         success: true,
         id_token: 'mock-id-token',
+        refresh_token: 'mock-refresh-token',
+        revoke_token: 'mock-revoke-token',
+        access_token: 'mock-access-token',
+        metadata_access_token: 'mock-metadata-access-token',
         message: 'Success',
       };
 
@@ -410,6 +387,10 @@ describe('BaseLoginHandler', () => {
       const mockResponse = {
         success: true,
         id_token: 'mock-id-token',
+        refresh_token: 'mock-refresh-token',
+        revoke_token: 'mock-revoke-token',
+        access_token: 'mock-access-token',
+        metadata_access_token: 'mock-metadata-access-token',
         message: 'Success',
       };
 

app/core/OAuthService/OAuthLoginHandlers/baseHandler.ts

@@ -38,7 +38,7 @@ export async function getAuthTokens(
   });
 
   if (res.status === 200 || res.status === 201) {
-    const data = (await res.json()) satisfies AuthResponse;
+    const data: AuthResponse = (await res.json()) satisfies AuthResponse;
     return data;
   }
 
@@ -140,78 +140,6 @@ export abstract class BaseLoginHandler {
     }
   }
 
-  /**
-   * Refresh the JWT Token using the refresh token.
-   *
-   * @param refreshToken - The refresh token from the Web3Auth Authentication Server.
-   * @returns The JWT Token from the Web3Auth Authentication Server and new refresh token.
-   */
-  async refreshAuthToken(refreshToken: string): Promise<AuthResponse> {
-    const { web3AuthNetwork } = this.options;
-    const requestData = {
-      client_id: this.options.clientId,
-      login_provider: this.authConnection,
-      network: web3AuthNetwork,
-      refresh_token: refreshToken,
-      grant_type: 'refresh_token', // specify refresh token flow
-    };
-    const res = await this.requestAuthToken(JSON.stringify(requestData));
-    return res;
-  }
-
-  /**
-   * Revoke the refresh token.
-   *
-   * @param revokeToken - The revoke token from the Web3Auth Authentication Server.
-   */
-  async revokeRefreshToken(revokeToken: string): Promise<{
-    refresh_token: string;
-    revoke_token: string;
-  }> {
-    const requestData = {
-      revoke_token: revokeToken,
-    };
-
-    const res = await fetch(
-      `${this.options.authServerUrl}${this.AUTH_SERVER_REVOKE_PATH}`,
-      {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json',
-        },
-        body: JSON.stringify(requestData),
-      },
-    );
-
-    const data = await res.json();
-    return {
-      refresh_token: data.new_refresh_token,
-      revoke_token: data.new_revoke_token,
-    };
-  }
-
-  /**
-   * Make a request to the Web3Auth Authentication Server to get the JWT Token.
-   *
-   * @param requestData - The request data for the Web3Auth Authentication Server.
-   * @returns The JWT Token from the Web3Auth Authentication Server.
-   */
-  protected async requestAuthToken(requestData: string): Promise<AuthResponse> {
-    const res = await fetch(
-      `${this.options.authServerUrl}${this.AUTH_SERVER_TOKEN_PATH}`,
-      {
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json',
-        },
-        body: requestData,
-      },
-    );
-
-    const data = await res.json();
-    return data;
-  }
-
   /**
    * Generate a nonce value.
    *