feat: handle mfa and audit params#137
Conversation
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit cc0e62a. Configure here.
| throw LoginError.userNotLoggedIn(); | ||
| } | ||
| this.updateState({ ...data, currentChainId: this.currentChainId }); | ||
| } |
There was a problem hiding this comment.
Refresh failure leaves active signer
High Severity
The new refreshSession path clears the session and throws when authorize returns empty, but it never clears signer or resets the provider the way init and logout do. After a failed refresh at the start or end of MFA/login, connected is false while the wallet engine may still sign with the prior keys.
Reviewed by Cursor Bugbot for commit cc0e62a. Configure here.
| loginId, | ||
| recordId, | ||
| sessionTime: this.options.sessionTime, | ||
| }); |
There was a problem hiding this comment.
Manage MFA staging TTL too long
Medium Severity
manageMFA now passes this.options.sessionTime into openAuthSession, so the staged /start payload (including accessToken) is stored with the default 86400s TTL instead of the 600s used elsewhere. That widens the window to retrieve sensitive staged auth data if the login key is exposed.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit cc0e62a. Configure here.


Motivation and Context
Align login / MFA redirect handling with @web3auth/auth v11: refresh session after storing citadel tokens, audit params on auth URLs (recordId, loginSource), and MFA payloads that include accessToken + manageMFA appState.
Jira Link:
Description
How has this been tested?
Screenshots (if appropriate):
Types of changes
Checklist:
Note
Medium Risk
Touches authentication session lifecycle, MFA redirects, and token handling; behavior changes on failed refresh (logout + not logged in) and SFA access-token expectations.
Overview
Aligns the React Native SDK with @web3auth/auth v11 for login/MFA redirects: after storing citadel tokens, flows call
refreshSession()(authorize → update state, or logout anduserNotLoggedInon empty data) instead of inliningauthorizeSession()and manual state updates.Auth browser staging is refactored into
openAuthSession, which addsrecordId,loginSource: "web3auth-react-native", and SFAsessionNamespaceon URL params; the in-app browser always returns to the dappredirectUrleven when payload options point at the dashboard.MFA:
enableMFA/manageMFArefresh session before guards, sendaccessTokenon the payload, andmanageMFApre-generatesloginId/recordIdforappState, sets dashboard redirect on options, parses redirect tokens when present, and refreshes again.generateRecordId()supports Hermes withoutcrypto.randomUUID.Exposes
getAccessToken,getIdentityToken, andrefreshSessiononIWeb3Auth; addsuseAccessTokenand switchesuseIdentityTokento citadel-backedgetIdentityToken().Reviewed by Cursor Bugbot for commit c68fa9e. Bugbot is set up for automated code reviews on this repo. Configure here.