Skip to content

feat: handle mfa and audit params#137

Open
tuna1207 wants to merge 2 commits into
feat/sdk-v11from
feat/sdk-v11-mfa
Open

feat: handle mfa and audit params#137
tuna1207 wants to merge 2 commits into
feat/sdk-v11from
feat/sdk-v11-mfa

Conversation

@tuna1207

@tuna1207 tuna1207 commented Jul 10, 2026

Copy link
Copy Markdown
Member

Motivation and Context

Align login / MFA redirect handling with @web3auth/auth v11: refresh session after storing citadel tokens, audit params on auth URLs (recordId, loginSource), and MFA payloads that include accessToken + manageMFA appState.

Jira Link:

Description

  • Add generateRecordId() (UUID via crypto.randomUUID, Hermes-safe fallback) in src/utils.ts
  • Add private refreshSession() — authorize → update state, or logout + userNotLoggedIn on empty data
  • login / enableMFA: setTokens → refreshSession() → persist dappShare from this.state
  • enableMFA / manageMFA: call refreshSession() before MFA guards; include accessToken on AuthRequestPayload
  • authHandler / openAuthSession: shared browser staging with recordId, sessionNamespace (SFA), loginSource: "web3auth-react-native"
  • manageMFA: pre-generate loginId/recordId for appState, set dashboard redirectUrl on payload options while the in-app browser still returns to the dapp redirectUrl; parse redirect tokens when present and refresh

How has this been tested?

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My code follows the code style of this project. (run lint)
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • My code requires a db migration.

Note

Medium Risk
Touches authentication session lifecycle, MFA redirects, and token handling; behavior changes on failed refresh (logout + not logged in) and SFA access-token expectations.

Overview
Aligns the React Native SDK with @web3auth/auth v11 for login/MFA redirects: after storing citadel tokens, flows call refreshSession() (authorize → update state, or logout and userNotLoggedIn on empty data) instead of inlining authorizeSession() and manual state updates.

Auth browser staging is refactored into openAuthSession, which adds recordId, loginSource: "web3auth-react-native", and SFA sessionNamespace on URL params; the in-app browser always returns to the dapp redirectUrl even when payload options point at the dashboard.

MFA: enableMFA / manageMFA refresh session before guards, send accessToken on the payload, and manageMFA pre-generates loginId/recordId for appState, sets dashboard redirect on options, parses redirect tokens when present, and refreshes again. generateRecordId() supports Hermes without crypto.randomUUID.

Exposes getAccessToken, getIdentityToken, and refreshSession on IWeb3Auth; adds useAccessToken and switches useIdentityToken to citadel-backed getIdentityToken().

Reviewed by Cursor Bugbot for commit c68fa9e. Bugbot is set up for automated code reviews on this repo. Configure here.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit cc0e62a. Configure here.

Comment thread src/Web3Auth.ts Outdated
throw LoginError.userNotLoggedIn();
}
this.updateState({ ...data, currentChainId: this.currentChainId });
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Refresh failure leaves active signer

High Severity

The new refreshSession path clears the session and throws when authorize returns empty, but it never clears signer or resets the provider the way init and logout do. After a failed refresh at the start or end of MFA/login, connected is false while the wallet engine may still sign with the prior keys.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit cc0e62a. Configure here.

Comment thread src/Web3Auth.ts
loginId,
recordId,
sessionTime: this.options.sessionTime,
});

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Manage MFA staging TTL too long

Medium Severity

manageMFA now passes this.options.sessionTime into openAuthSession, so the staged /start payload (including accessToken) is stored with the default 86400s TTL instead of the 600s used elsewhere. That widens the window to retrieve sensitive staged auth data if the login key is exposed.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit cc0e62a. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant