
feat: adds auth to social controllers #8485

Merged
joaosantos15 merged 6 commits into main from TSA-396-social-api-auth
Apr 16, 2026

Conversation

@joaosantos15 (Contributor) commented Apr 16, 2026

Explanation

Currently, requests to the Social API are unauthenticated. This was useful during the development phase, but as we near prod deployment we need to protect the endpoints. This PR does that:

1. package.json — Added @metamask/profile-sync-controller as a dependency (for the AuthenticationController type)
2. src/SocialService.ts — 4 changes:

    - Imported AuthenticationController type from @metamask/profile-sync-controller

    - Added AllowedActions (AuthenticationControllerGetBearerTokenAction) and AllowedEvents types to SocialServiceMessenger

    - Added private #getAuthHeaders() helper that calls messenger.call('AuthenticationController:getBearerToken') and returns { Authorization: 'Bearer <token>' }

    - Updated all 7 fetch() call sites to include the auth headers

References

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've communicated my changes to consumers by updating changelogs for packages I've changed
  • I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

Note

Medium Risk
Introduces a breaking messenger dependency and changes every outgoing Social API request to include auth headers, which can cause runtime failures if token delegation is missing or tokens are invalid/expired.

Overview
SocialService now authenticates all Social API requests by fetching a JWT via messenger (AuthenticationController:getBearerToken) and sending it as a Bearer Authorization header on every fetch*/follow/unfollow call.

This introduces a breaking messenger contract change: SocialServiceMessenger’s allowed actions now include AuthenticationController:getBearerToken, requiring consumers to delegate/provide that action; the package adds @metamask/profile-sync-controller (type dependency) and updates tests/build references accordingly.

Reviewed by Cursor Bugbot for commit e6837da.
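The helper-plus-call-site pattern the description lays out, as an added example that is not MetaMask/core's code: a private getAuthHeaders() that asks the messenger for AuthenticationController:getBearerToken and wraps the result as a Bearer header, one request() path that every endpoint funnels through, and the two failure modes the risk note names (the action was never delegated; the controller hands back a token the API rejects). MiniMessenger, ExampleSocialService, makeFakeSocialApi, the https://social.example host and the token strings are constructed stand-ins, not the real messenger, controller or API; that the stand-in messenger throws when an action was never registered is an assumption made only to show that failure cleanly. The fake API is injected as fetchFn so the block runs offline.

```typescript
// Added example, not MetaMask/core code: every class, host and token below is a constructed stand-in.
type Handler = (...args: unknown[]) => unknown;
type FetchInit = { method?: string; headers?: Record<string, string>; body?: string };
type FetchResponse = { ok: boolean; status: number; json: () => Promise<unknown> };
type FetchLike = (url: string, init?: FetchInit) => Promise<FetchResponse>;

/** Messenger stand-in: an action must be registered (delegated) before call() can reach it. */
class MiniMessenger {
  private readonly handlers = new Map<string, Handler>();

  registerActionHandler(action: string, handler: Handler): void {
    this.handlers.set(action, handler);
  }

  call<Result>(action: string, ...args: unknown[]): Result {
    const handler = this.handlers.get(action);
    if (!handler) {
      // The "missing delegation" failure from the risk note: it surfaces before any request is built.
      throw new Error(`A handler for ${action} has not been registered`);
    }
    return handler(...args) as Result;
  }
}

/** Builds the Authorization header; an empty or non-string token is rejected here rather than by the API. */
function buildAuthHeaders(token: unknown): Record<string, string> {
  if (typeof token !== 'string' || token.trim() === '') {
    throw new Error('AuthenticationController:getBearerToken returned no usable token');
  }
  return { Authorization: `Bearer ${token}` };
}

class ExampleSocialService {
  private readonly messenger: MiniMessenger;
  private readonly fetchFn: FetchLike;
  private readonly baseUrl: string;

  constructor(messenger: MiniMessenger, fetchFn: FetchLike, baseUrl: string) {
    this.messenger = messenger;
    this.fetchFn = fetchFn;
    this.baseUrl = baseUrl;
  }

  // Single choke point: every endpoint below goes through here, so none can ship unauthenticated.
  private async getAuthHeaders(): Promise<Record<string, string>> {
    const token = await this.messenger.call<Promise<string>>('AuthenticationController:getBearerToken');
    return buildAuthHeaders(token);
  }

  private async request(path: string, init: FetchInit = {}): Promise<unknown> {
    const headers = { ...(await this.getAuthHeaders()), 'Content-Type': 'application/json', ...init.headers };
    const response = await this.fetchFn(`${this.baseUrl}${path}`, { ...init, headers });
    if (!response.ok) {
      throw new Error(`Social API responded ${response.status} for ${path}`);
    }
    return response.json();
  }

  fetchFollowers(address: string): Promise<unknown> {
    return this.request(`/followers/${encodeURIComponent(address)}`);
  }

  follow(address: string): Promise<unknown> {
    return this.request('/follow', { method: 'POST', body: JSON.stringify({ address }) });
  }
}

const CONSTRUCTED_TOKEN = 'constructed.example.token'; // constructed; not a real JWT

/** Fake Social API: accepts exactly one bearer token; the log notes whether auth was present, never the token. */
function makeFakeSocialApi(expectedToken: string, log: string[]): FetchLike {
  return async (url, init) => {
    const auth = init?.headers?.Authorization;
    log.push(`${init?.method ?? 'GET'} ${url} auth=${auth ? 'present' : 'missing'}`);
    if (auth !== `Bearer ${expectedToken}`) {
      return { ok: false, status: 401, json: async () => ({ error: 'unauthorized' }) };
    }
    return { ok: true, status: 200, json: async () => ({ url }) };
  };
}

/** Action delegated and token accepted: both call sites carry the header. */
async function runDelegated(): Promise<{ followers: unknown; followed: unknown; log: string[] }> {
  const messenger = new MiniMessenger();
  messenger.registerActionHandler('AuthenticationController:getBearerToken', async () => CONSTRUCTED_TOKEN);
  const log: string[] = [];
  const service = new ExampleSocialService(messenger, makeFakeSocialApi(CONSTRUCTED_TOKEN, log), 'https://social.example');
  const followers = await service.fetchFollowers('0x1234');
  const followed = await service.follow('0x5678');
  return { followers, followed, log };
}

/** Failure scenarios: no argument means the action was never delegated; otherwise the controller returns `token`. */
async function runFailing(token?: string): Promise<{ error: string; requestsSent: number }> {
  const messenger = new MiniMessenger();
  if (token !== undefined) {
    messenger.registerActionHandler('AuthenticationController:getBearerToken', async () => token);
  }
  const log: string[] = [];
  const service = new ExampleSocialService(messenger, makeFakeSocialApi(CONSTRUCTED_TOKEN, log), 'https://social.example');
  const error = await service.fetchFollowers('0x1234').then(() => '', (e: Error) => e.message);
  return { error, requestsSent: log.length };
}
```

Two things worth carrying into a review of the real change: with a single choke point a forgotten call site is a grep problem rather than an endpoint that silently goes out unauthenticated, and a missing delegation fails before any request leaves, so the fake API's log never records an auth=missing line; a stale token, by contrast, does reach the API and comes back as a 401 that the service has to surface.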

@joaosantos15 joaosantos15 marked this pull request as ready for review April 16, 2026 12:56
@joaosantos15 joaosantos15 requested review from a team as code owners April 16, 2026 12:56
@joaosantos15 (Contributor, Author) commented:

@metamaskbot publish-preview

@github-actions (Contributor) commented:

Preview builds have been published. Learn how to use preview builds in other projects.

Full list of packages and versions:
@metamask-previews/account-tree-controller@7.1.0-preview-e6837dad2
@metamask-previews/accounts-controller@37.2.0-preview-e6837dad2
@metamask-previews/address-book-controller@7.1.1-preview-e6837dad2
@metamask-previews/ai-controllers@0.6.3-preview-e6837dad2
@metamask-previews/analytics-controller@1.0.1-preview-e6837dad2
@metamask-previews/analytics-data-regulation-controller@0.0.0-preview-e6837dad2
@metamask-previews/announcement-controller@8.1.0-preview-e6837dad2
@metamask-previews/app-metadata-controller@2.0.1-preview-e6837dad2
@metamask-previews/approval-controller@9.0.1-preview-e6837dad2
@metamask-previews/assets-controller@6.0.0-preview-e6837dad2
@metamask-previews/assets-controllers@104.0.0-preview-e6837dad2
@metamask-previews/base-controller@9.1.0-preview-e6837dad2
@metamask-previews/base-data-service@0.1.1-preview-e6837dad2
@metamask-previews/bridge-controller@70.1.1-preview-e6837dad2
@metamask-previews/bridge-status-controller@70.0.5-preview-e6837dad2
@metamask-previews/build-utils@3.0.4-preview-e6837dad2
@metamask-previews/chain-agnostic-permission@1.5.0-preview-e6837dad2
@metamask-previews/claims-controller@0.5.0-preview-e6837dad2
@metamask-previews/client-controller@1.0.1-preview-e6837dad2
@metamask-previews/compliance-controller@2.0.0-preview-e6837dad2
@metamask-previews/composable-controller@12.0.1-preview-e6837dad2
@metamask-previews/config-registry-controller@0.2.0-preview-e6837dad2
@metamask-previews/connectivity-controller@0.2.0-preview-e6837dad2
@metamask-previews/controller-utils@11.20.0-preview-e6837dad2
@metamask-previews/core-backend@6.2.1-preview-e6837dad2
@metamask-previews/delegation-controller@3.0.0-preview-e6837dad2
@metamask-previews/earn-controller@12.0.0-preview-e6837dad2
@metamask-previews/eip-5792-middleware@3.0.3-preview-e6837dad2
@metamask-previews/eip-7702-internal-rpc-middleware@0.1.0-preview-e6837dad2
@metamask-previews/eip1193-permission-middleware@1.0.3-preview-e6837dad2
@metamask-previews/ens-controller@19.1.1-preview-e6837dad2
@metamask-previews/eth-block-tracker@15.0.1-preview-e6837dad2
@metamask-previews/eth-json-rpc-middleware@23.1.1-preview-e6837dad2
@metamask-previews/eth-json-rpc-provider@6.0.1-preview-e6837dad2
@metamask-previews/foundryup@1.0.1-preview-e6837dad2
@metamask-previews/gas-fee-controller@26.1.1-preview-e6837dad2
@metamask-previews/gator-permissions-controller@4.0.0-preview-e6837dad2
@metamask-previews/geolocation-controller@0.1.2-preview-e6837dad2
@metamask-previews/json-rpc-engine@10.2.4-preview-e6837dad2
@metamask-previews/json-rpc-middleware-stream@8.0.8-preview-e6837dad2
@metamask-previews/keyring-controller@25.2.0-preview-e6837dad2
@metamask-previews/logging-controller@8.0.1-preview-e6837dad2
@metamask-previews/message-manager@14.1.1-preview-e6837dad2
@metamask-previews/messenger@1.1.1-preview-e6837dad2
@metamask-previews/messenger-cli@0.1.0-preview-e6837dad2
@metamask-previews/money-account-balance-service@0.1.0-preview-e6837dad2
@metamask-previews/money-account-controller@0.1.0-preview-e6837dad2
@metamask-previews/multichain-account-service@8.0.1-preview-e6837dad2
@metamask-previews/multichain-api-middleware@2.0.0-preview-e6837dad2
@metamask-previews/multichain-network-controller@3.0.6-preview-e6837dad2
@metamask-previews/multichain-transactions-controller@7.0.4-preview-e6837dad2
@metamask-previews/name-controller@9.1.1-preview-e6837dad2
@metamask-previews/network-controller@30.0.1-preview-e6837dad2
@metamask-previews/network-enablement-controller@5.0.2-preview-e6837dad2
@metamask-previews/notification-services-controller@23.1.0-preview-e6837dad2
@metamask-previews/permission-controller@12.3.0-preview-e6837dad2
@metamask-previews/permission-log-controller@5.1.0-preview-e6837dad2
@metamask-previews/perps-controller@3.1.1-preview-e6837dad2
@metamask-previews/phishing-controller@17.1.1-preview-e6837dad2
@metamask-previews/polling-controller@16.0.4-preview-e6837dad2
@metamask-previews/preferences-controller@23.1.0-preview-e6837dad2
@metamask-previews/profile-metrics-controller@3.1.3-preview-e6837dad2
@metamask-previews/profile-sync-controller@28.0.2-preview-e6837dad2
@metamask-previews/ramps-controller@13.2.0-preview-e6837dad2
@metamask-previews/rate-limit-controller@7.0.1-preview-e6837dad2
@metamask-previews/react-data-query@0.2.0-preview-e6837dad2
@metamask-previews/remote-feature-flag-controller@4.2.0-preview-e6837dad2
@metamask-previews/sample-controllers@4.0.4-preview-e6837dad2
@metamask-previews/seedless-onboarding-controller@9.1.0-preview-e6837dad2
@metamask-previews/selected-network-controller@26.1.0-preview-e6837dad2
@metamask-previews/shield-controller@5.1.1-preview-e6837dad2
@metamask-previews/signature-controller@39.2.0-preview-e6837dad2
@metamask-previews/social-controllers@0.2.0-preview-e6837dad2
@metamask-previews/storage-service@1.0.1-preview-e6837dad2
@metamask-previews/subscription-controller@6.1.2-preview-e6837dad2
@metamask-previews/transaction-controller@64.3.0-preview-e6837dad2
@metamask-previews/transaction-pay-controller@19.2.0-preview-e6837dad2
@metamask-previews/user-operation-controller@41.2.0-preview-e6837dad2

@joaosantos15 joaosantos15 added this pull request to the merge queue Apr 16, 2026
Merged via the queue into main with commit 0e5718c Apr 16, 2026
345 checks passed
@joaosantos15 joaosantos15 deleted the TSA-396-social-api-auth branch April 16, 2026 14:15
geositta added a commit that referenced this pull request Apr 16, 2026
…sition-live-price-sync

* origin/main:
  fix(transaction-pay-controller): resolve correct networkClientId for source chain in relay execute (#8492)
  Release/920.0.0 (#8494)
  chore: bump `accounts` deps (#8464)
  feat: adds auth to social controllers (#8485)
  Release/919.0.0 (#8482)
  feat(seedless-onboarding-controller): generic encryptor result type aligned with KeyringController TO-686 (#8411)
  Release/918.0.0 (#8478)
  chore: add periodic check for spl tokens (#8400)
3 participants