Fix/disable hashed factorkey

[ieow]

Motivation and Context

Jira Link:

Description

Fix disableHashedFactorkey feature
device factorkey is not set when disableHashedFactoryKey flag is set.
this is causing user lose the device factorkey during signup.
reinitialization - save deviceFactorkey on device if available

Fix atomic sync for
backupMetadataShare
deleteMetadataShareBackup

Add checking for already log-in state in the beginning of loginWithJWT to prevent double login

Add checking for valid factor key during InputFactorKey via Metadata's FactorEncs instead of depend only on checking for metadata linking

update tests
update tests cases

How has this been tested?

Screenshots (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

• My code follows the code style of this project. (run lint)
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.
• My code requires a db migration.

---

Note

Adds strict factor key validation and double-login guards, persists device factor for disableHashedFactorKey, wraps metadata transitions in atomic sync, and updates tests (incl. ed25519 export/import).

• Core (mpcCoreKit)
  • Enforce login guards: block OAuth/JWT when already logged in/rehydrated.
  • Validate inputFactorKey via metadata.factorEncs instead of relying only on metadata linking.
  • Improve disableHashedFactorKey flow: generate random factor, delete old hashed backup, set/persist device factor; set on rehydrate if missing.
  • Atomicize metadata ops: wrap backupMetadataShare and deleteMetadataShareBackup in atomicSync (with conditional auto-commit).
  • Use constants KEY_NOT_FOUND and SHARE_DELETED for metadata checks; minor log/message tweaks.
• Tests
  • Add login-disableHashedFactorKey.spec.ts covering device-factor persistence, signing, wallet index, and pre-sign hooks.
  • Update ed25519.spec.ts: add export/import seed test, session manager toggles, and ids.
  • Revamp factors.spec.ts and importRecovery.spec.ts: add signing helpers, recovery/import paths, storage/session adjustments, and test data updates.
  • Minor updates in securityQuestion.spec.ts and setup.ts (init params, emails).

^{Written by Cursor Bugbot for commit ccff02e. This will update automatically on new commits. Configure here.}

[himanshuchawla009]

this PR changes a lot of other things which are not well documented in PR description. Please describe the reasoning behind the changes for better review.

[himanshuchawla009]

new wht?

[cursor]

Bug: Double Login Vulnerability in JWT Authentication

The loginWithJWT method is missing the double-login prevention check that was added to loginWithOAuth. According to the PR description, both login methods should check if this.state.factorKey exists to prevent double login, but only loginWithOAuth has this guard. This allows users to call loginWithJWT multiple times or after already being logged in, potentially causing state corruption.

src/mpcCoreKit.ts#L404-L415

mpc-core-kit/src/mpcCoreKit.ts

Lines 404 to 415 in 5d11a85

	public async loginWithJWT(params: JWTLoginParams): Promise<void> {
	this.checkReady();
	const { prefetchTssPublicKeys = 1 } = params;
	if (prefetchTssPublicKeys > 3) {
	throw CoreKitError.prefetchValueExceeded(`The prefetch value '${prefetchTssPublicKeys}' exceeds the maximum allowed limit of 3.`);
	}
	const { verifier, verifierId, idToken, importTssKey, registerExistingSFAKey } = params;
	this.torusSp.verifierName = verifier;
	this.torusSp.verifierId = verifierId;

 

---