feat: generate record-id and include in login b64 params #395
chaitanyapotti merged 5 commits into master on Mar 31, 2026
chaitanyapotti approved these changes on Mar 31, 2026
| const cr = typeof globalThis === "object" ? globalThis.crypto : null; | ||
| if (typeof cr?.randomUUID !== "function") throw new Error("crypto.randomUUID must be defined"); | ||
| return cr.randomUUID(); | ||
| } |
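Review bot: The guard on the second line (typeof cr?.randomUUID !== "function") throws instead of degrading, so a runtime that lacks randomUUID turns an id-generation gap into an exception for every caller of this helper. Consider falling back to cr.getRandomValues to build a version-4 UUID when it is present, and returning undefined otherwise so the caller decides whether the id is required; a Math.random fallback should be avoided. The message "crypto.randomUUID must be defined" also gives no hint of which helper raised it, so naming the function in the error would make the failure easier to trace.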
Analytics feature throws hard error breaking core login
Low Severity
generateRecordId throws a hard Error if crypto.randomUUID is unavailable, yet the recordId field in BaseLoginParams is typed as optional and documented as "for analytics purposes." This function is called without try-catch in both authHandler (used by login, enableMFA, manageSocialFactor, etc.) and manageMFA, meaning a missing crypto.randomUUID — possible in certain WebViews, React Native, or restricted browser environments — will crash the entire authentication flow for a non-critical analytics feature.


Jira Link
https://consensyssoftware.atlassian.net/browse/EMBED-226
Note
Medium Risk
Changes the encoded login parameters sent to the auth service and introduces a hard dependency on crypto.randomUUID, which could break flows in environments without it.
Overview
Adds generateRecordId() (UUID via crypto.randomUUID) and threads a new optional recordId through BaseLoginParams. Auth now generates a recordId for authHandler (login/start flows) and manageMFA, embedding it into the b64Params payload (and appState for MFA) passed to the auth service/dashboard.
Also updates dependencies (@toruslabs/customauth / @toruslabs/torus.js, Vue example) and ignores .npmrc in .gitignore.
Written by Cursor Bugbot for commit ded4246.
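A sketch of the non-throwing behaviour that the Bugbot comment and the risk note above point toward, as an added example that is not code from this pull request or the project. generateRecordIdSafe, withRecordId and the injectable cr parameter are hypothetical names, and it assumes callers may simply omit recordId because the field is described as optional.

```javascript
// Added example, not the project's code. `cr` is an injectable crypto-like
// object (hypothetical parameter) so the fallback paths can be exercised.
function generateRecordIdSafe(
  cr = typeof globalThis === "object" ? globalThis.crypto : undefined
) {
  // Preferred path: native version-4 UUID from the platform CSPRNG.
  if (typeof cr?.randomUUID === "function") return cr.randomUUID();

  // Fallback: build an RFC 4122 version-4 UUID from 16 CSPRNG bytes.
  if (typeof cr?.getRandomValues === "function") {
    const b = cr.getRandomValues(new Uint8Array(16));
    b[6] = (b[6] & 0x0f) | 0x40; // high nibble = version 4
    b[8] = (b[8] & 0x3f) | 0x80; // top two bits = variant 10
    const hex = Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");
    return [
      hex.slice(0, 8),
      hex.slice(8, 12),
      hex.slice(12, 16),
      hex.slice(16, 20),
      hex.slice(20),
    ].join("-");
  }

  // No CSPRNG available: skip the analytics id instead of failing the login.
  // There is deliberately no Math.random fallback.
  return undefined;
}

// Hypothetical caller: attach recordId only when one could be generated,
// so the encoded login params never carry an empty or undefined id.
function withRecordId(loginParams, cr) {
  const recordId = generateRecordIdSafe(cr);
  return recordId === undefined
    ? { ...loginParams }
    : { ...loginParams, recordId };
}
```

Passing null as cr simulates a runtime with no crypto object; leaving it out uses globalThis.crypto.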