Skip to content

feat: generate record-id and include in login b64 params #395

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
chaitanyapotti merged 5 commits into from
Mar 31, 2026
Merged

feat: generate record-id and include in login b64 params #395

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
8910826
feat: generate record-id and include in login b64 params
lwin-kyaw Mar 29, 2026
57de9a4
feat: update customauth and torus.js
lwin-kyaw Mar 31, 2026
b3d69b8
chore: update vue-example lock file
lwin-kyaw Mar 31, 2026
bbed032
lock
chaitanyapotti Mar 31, 2026
ded4246
vue example lock files app
chaitanyapotti Mar 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -105,4 +105,6 @@ dist

.DS_Store

.rollup*
.rollup*

.npmrc
116 changes: 58 additions & 58 deletions examples/vue-example/package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion examples/vue-example/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
"bs58": "^6.0.0",
"core-js": "^3.49.0",
"viem": "^2.47.6",
"vue": "^3.5.30"
"vue": "^3.5.31"
},
"devDependencies": {
"@tailwindcss/vite": "^4.2.2",
Expand Down
16 changes: 8 additions & 8 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@
},
"dependencies": {
"@toruslabs/constants": "^16.1.1",
"@toruslabs/customauth": "^22.3.2",
"@toruslabs/customauth": "^22.3.3",
"@toruslabs/ffjavascript": "^6.0.0",
"@toruslabs/metadata-helpers": "^8.2.0",
"@toruslabs/secure-pub-sub": "^4.3.0",
Expand Down
7 changes: 6 additions & 1 deletion src/core/auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ import {
BaseLoginParams,
BUILD_ENV,
DEFAULT_SESSION_TIME,
generateRecordId,
jsonToBase64,
LoginParams,
POPUP_TIMEOUT,
Expand Down Expand Up @@ -323,6 +324,7 @@ export class Auth {
};

const loginId = StorageManager.generateRandomSessionKey();
const recordId = generateRecordId();

const dataObject: AuthRequestPayload = {
actionType: AUTH_ACTIONS.MANAGE_MFA,
Expand All @@ -342,7 +344,7 @@ export class Auth {
extraLoginOptions: {
login_hint: this.state.userInfo.userId,
},
appState: jsonToBase64({ loginId }),
appState: jsonToBase64({ loginId, recordId }),
},
sessionId: this.sessionId,
accessToken: await this.getAccessToken(),
Expand All @@ -351,6 +353,7 @@ export class Auth {
this.storeAuthPayload(loginId, dataObject, dataObject.options.sessionTime, true);
const configParams: BaseLoginParams = {
loginId,
recordId,
sessionNamespace: this.options.sessionNamespace,
storageServerUrl: this.options.storageServerUrl,
};
Expand Down Expand Up @@ -528,9 +531,11 @@ export class Auth {

private async authHandler(url: string, dataObject: AuthRequestPayload, popupTimeout = 1000 * 10): Promise<AuthFlowResult | null> {
const loginId = StorageManager.generateRandomSessionKey();
const recordId = generateRecordId();
await this.storeAuthPayload(loginId, dataObject);
const configParams: BaseLoginParams = {
loginId,
recordId,
sessionNamespace: this.options.sessionNamespace,
storageServerUrl: this.options.storageServerUrl,
};
Expand Down
5 changes: 5 additions & 0 deletions src/utils/interfaces.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -539,6 +539,11 @@ export interface BaseLoginParams {
loginId?: string;
sessionNamespace?: string;
storageServerUrl?: string;

/**
* Optional record id to be used for analytics purposes.
*/
recordId?: string;
}

export interface AuthRequestPayload {
Expand Down
6 changes: 6 additions & 0 deletions src/utils/utils.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,3 +31,9 @@ export function isObject(value: unknown): value is Record<PropertyKey, unknown>
export function hasProperty<Key extends PropertyKey>(value: unknown, key: Key): value is Record<Key, unknown> {
return isObject(value) && key in value;
}

export function generateRecordId(): string {
const cr = typeof globalThis === "object" ? globalThis.crypto : null;
if (typeof cr?.randomUUID !== "function") throw new Error("crypto.randomUUID must be defined");
return cr.randomUUID();
}
Copy link
Copy Markdown

@cursor cursor bot Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Analytics feature throws hard error breaking core login

Low Severity

generateRecordId throws a hard Error if crypto.randomUUID is unavailable, yet the recordId field in BaseLoginParams is typed as optional and documented as "for analytics purposes." This function is called without try-catch in both authHandler (used by login, enableMFA, manageSocialFactor, etc.) and manageMFA, meaning a missing crypto.randomUUID — possible in certain WebViews, React Native, or restricted browser environments — will crash the entire authentication flow for a non-critical analytics feature.

Additional Locations (2)
Fix in Cursor Fix in Web

Loading