
Commit db401c1

Authored by tuna1207, lwin-kyaw, chaitanyapotti, himanshuchawla009, matthiasgeihs
Feat/seedless refresh token (#5917)
## Explanation

Add refresh token and revoke refresh token handling to SeedlessOnboardingController

- persist refresh token in state
- store revoke token in vault
- check for token expiry in toprf call, refresh token and retry
- revoke refresh token and replace with new one after password submit to prevent malicious use if the refresh token leaks from persisted state

## References

## Changelog

## Checklist

- [x] I've updated the test suite for new or updated code as appropriate
- [x] I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
- [x] I've communicated my changes to consumers by [updating changelogs for packages I've changed](https://github.com/MetaMask/core/tree/main/docs/contributing.md#updating-changelogs), highlighting breaking changes as necessary
- [ ] I've prepared draft pull requests for clients and consumer packages to resolve any breaking changes

---------

Co-authored-by: lwin <[email protected]>
Co-authored-by: Chaitanya Potti <[email protected]>
Co-authored-by: himanshuchawla009 <[email protected]>
Co-authored-by: Lwin <[email protected]>
Co-authored-by: matthiasgeihs <[email protected]>
Co-authored-by: Elliot Winkler <[email protected]>
Co-authored-by: ieow <[email protected]>
Co-authored-by: Nguyen Anh Tu <[email protected]>
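The token lifecycle the commit message describes (persisted refresh token, revoke token kept in the vault, refresh-and-retry when a TOPRF call reports an expired access token, and revoke-plus-replace on password submit) as an added example; this is not MetaMask/core code. `FakeAuthServer`, `SeedlessAuthClient` and every method on them are hypothetical stand-ins for the real backend and controller, and the in-memory token store is constructed here so the block runs offline:

```typescript
// Added example, not code from MetaMask/core. Every class and method here is a
// hypothetical stand-in; the point is the split of secrets and the two flows.
type TokenPair = { accessToken: string; refreshToken: string; revokeToken: string };

class TokenExpiredError extends Error {}
class InvalidTokenError extends Error {}

// In-memory stand-in for the auth backend (constructed for this example).
class FakeAuthServer {
  private clock = 0;                                   // seconds, advanced by tick()
  private seq = 0;
  private accessExpiry = new Map<string, number>();    // accessToken -> expiry time
  private refreshByRevoke = new Map<string, string>(); // revokeToken -> refreshToken
  private liveRefresh = new Set<string>();

  private mint(prefix: string): string { return `${prefix}-${++this.seq}`; }

  // Issue an access/refresh/revoke triple; access tokens live for `ttl` seconds.
  issue(ttl = 60): TokenPair {
    const accessToken = this.mint('access');
    const refreshToken = this.mint('refresh');
    const revokeToken = this.mint('revoke');
    this.accessExpiry.set(accessToken, this.clock + ttl);
    this.liveRefresh.add(refreshToken);
    this.refreshByRevoke.set(revokeToken, refreshToken);
    return { accessToken, refreshToken, revokeToken };
  }

  tick(seconds: number): void { this.clock += seconds; }

  // The TOPRF endpoint: rejects expired or unknown access tokens.
  toprfCall(accessToken: string, input: string): string {
    const exp = this.accessExpiry.get(accessToken);
    if (exp === undefined || exp <= this.clock) throw new TokenExpiredError('access token expired');
    return `toprf(${input})`;
  }

  // Exchange a still-live refresh token for a new access token.
  refreshAccess(refreshToken: string, ttl = 60): string {
    if (!this.liveRefresh.has(refreshToken)) throw new InvalidTokenError('refresh token revoked or unknown');
    const accessToken = this.mint('access');
    this.accessExpiry.set(accessToken, this.clock + ttl);
    return accessToken;
  }

  // Invalidate the refresh token bound to this revoke token and hand back a new triple.
  revokeAndRotate(revokeToken: string): TokenPair {
    const old = this.refreshByRevoke.get(revokeToken);
    if (old === undefined) throw new InvalidTokenError('revoke token unknown');
    this.liveRefresh.delete(old);
    this.refreshByRevoke.delete(revokeToken);
    return this.issue();
  }
}

// Controller-side storage, split the way the commit message splits it: the refresh
// token is in persisted state, the revoke token only in the password-protected vault.
class SeedlessAuthClient {
  state: { accessToken: string; refreshToken: string };
  private vault: { revokeToken: string };
  private server: FakeAuthServer;

  constructor(server: FakeAuthServer, pair: TokenPair) {
    this.server = server;
    this.state = { accessToken: pair.accessToken, refreshToken: pair.refreshToken };
    this.vault = { revokeToken: pair.revokeToken };
  }

  // TOPRF call with one refresh-and-retry on expiry; any other error propagates.
  toprf(input: string): string {
    try {
      return this.server.toprfCall(this.state.accessToken, input);
    } catch (e) {
      if (!(e instanceof TokenExpiredError)) throw e;
      this.state.accessToken = this.server.refreshAccess(this.state.refreshToken);
      return this.server.toprfCall(this.state.accessToken, input);
    }
  }

  // After the vault is unlocked: revoke the persisted refresh token and replace the
  // whole triple, so a copy taken from persisted state is dead from here on.
  submitPassword(): void {
    const fresh = this.server.revokeAndRotate(this.vault.revokeToken);
    this.state = { accessToken: fresh.accessToken, refreshToken: fresh.refreshToken };
    this.vault = { revokeToken: fresh.revokeToken };
  }
}

function refreshWorks(server: FakeAuthServer, refreshToken: string): boolean {
  try { server.refreshAccess(refreshToken); return true; } catch { return false; }
}

// Scenario: expiry triggers refresh+retry; a refresh token copied from persisted
// state works until submitPassword() rotates it.
function demo() {
  const server = new FakeAuthServer();
  const client = new SeedlessAuthClient(server, server.issue());
  const firstAccess = client.state.accessToken;
  const stolenRefresh = client.state.refreshToken; // attacker copies persisted state

  server.tick(120);                                // access token has expired
  const result = client.toprf('blinded-input');
  const refreshed = client.state.accessToken !== firstAccess;
  const stolenWorksBefore = refreshWorks(server, stolenRefresh);
  client.submitPassword();
  const stolenWorksAfter = refreshWorks(server, stolenRefresh);
  return { result, refreshed, stolenWorksBefore, stolenWorksAfter };
}
```

The retry is deliberately bounded to one attempt: if the refreshed access token is rejected as well, the error surfaces instead of looping, and a non-expiry error from the TOPRF endpoint is never swallowed by the refresh path.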
1 parent 60e0e8d commit db401c1

File tree

7 files changed

+1593
-126
lines changed


packages/seedless-onboarding-controller/CHANGELOG.md

Lines changed: 8 additions & 0 deletions
@@ -16,6 +16,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
1616
- renamed `fetchAllSeedPhrases` method to `fetchAllSecretData` and updated the return value to `Record<SecretType, Uint8Array[]>`.
1717
- added new error message, `MissingKeyringId` which will throw if no `keyringId` is provided during seed phrase (Mnemonic) backup.
1818

19+
### Changed
20+
21+
- Refresh and revoke token handling ([#5917](https://github.com/MetaMask/core/pull/5917))
22+
- **BREAKING:** `authenticate` need extra `refreshToken` and `revokeToken` params, persist refresh token in state and store revoke token temporarily for user in next step
23+
- `createToprfKeyAndBackupSeedPhrase`, `fetchAllSecretData` store revoke token in vault
24+
- check for token expired in toprf call, refresh token and retry if expired
25+
- `submitPassword` revoke refresh token and replace with new one after password submit to prevent malicious use if refresh token leak in persisted state
26+
1927
## [1.0.0]
2028

2129
### Added
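Review bot: the entry at `+22` reads `authenticate` need extra `refreshToken` and `revokeToken` params, persist refresh token in state and store revoke token temporarily for user in next step; besides the grammar (`needs`), say where the revoke token is held during that interim, since `+23` only says it reaches the vault in `createToprfKeyAndBackupSeedPhrase` / `fetchAllSecretData`, and a consumer reading the changelog cannot tell whether it sits in persisted state next to the refresh token. Because `+25` states that a refresh token leaking from persisted state is the risk the rotation in `submitPassword` mitigates, that interim holding place is the security-relevant detail to document. Also check that the `### Changed` heading added at `+19` does not duplicate a heading already present for the same unreleased block, since lines 16 and 17 above the hunk already sit under a subsection.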
