Cursor Bugbot has reviewed your changes and found 3 potential issues.
| yalc.lock | ||
| types | ||
| build/ No newline at end of file | ||
| build/ |
Missing gitignore exception for auth tgz file
High Severity
The .gitignore has *.tgz on line 66 with an exception only for !web3auth-ws-embed-*.tgz on line 67, but no exception for web3auth-auth-*.tgz. Since this PR adds file:web3auth-auth-11.4.3.tgz references across multiple package.json files (root, packages/modal, packages/no-modal, demo/vue-app-new), the referenced tgz file will be excluded from git. Other developers cloning the repo will fail on npm install.
| .catch((error: unknown) => { | ||
| // swallow the error, dont need to throw. | ||
| log.error("Error during login with social", error); | ||
| this.auditOAuditProgress(loginParams as LoginParams, "failed"); |
Unhandled promise rejections on failed audit calls
Medium Severity
The auditOAuditProgress calls at these locations are fire-and-forget async calls without .catch(), unlike the initial call at line 541 which properly handles errors with .catch(). If the audit server is unreachable (likely during error scenarios), these will produce unhandled promise rejections.
| oauthInitiated: true, | ||
| }; | ||
| if (status === "failed") progressFlag.oauthFailed = true; | ||
| if (status === "completed") progressFlag.oauthCompleted = true; |
Audit always sends oauthInitiated true even on failure
Medium Severity
The progressFlag object always initializes with oauthInitiated: true, so when status is "failed", the PUT request sends both oauthInitiated: true and oauthFailed: true. Since the initiation was already reported in a separate call, re-sending oauthInitiated: true alongside a failure report is likely unintended and could produce misleading audit data.
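The two findings above (fire-and-forget audit calls without a .catch, and a failure report that still carries oauthInitiated: true), as an added example that is not the web3auth-web project's own code: a status-to-flag mapping that sends exactly one flag per status, and a reporter whose promise never rejects. OAuthStatus, ProgressFlag, AuditTransport, buildProgressFlag, reportProgress and the unreachableAudit transport are hypothetical names; the flag names are the ones in the PR.

```typescript
// Added example, not the web3auth-web project's own code. Hypothetical names:
// OAuthStatus, ProgressFlag, AuditTransport, buildProgressFlag, reportProgress.
type OAuthStatus = "initiated" | "completed" | "failed";

interface ProgressFlag {
  oauthInitiated?: boolean;
  oauthCompleted?: boolean;
  oauthFailed?: boolean;
}

// One flag per status. A "failed" report therefore carries only oauthFailed,
// rather than starting from { oauthInitiated: true } and adding oauthFailed to it.
const FLAG_FOR_STATUS: Record<OAuthStatus, ProgressFlag> = {
  initiated: { oauthInitiated: true },
  completed: { oauthCompleted: true },
  failed: { oauthFailed: true },
};

function buildProgressFlag(status: OAuthStatus): ProgressFlag {
  return { ...FLAG_FOR_STATUS[status] };
}

// Whatever performs the PUT to the audit endpoint; abstracted so the example runs offline.
type AuditTransport = (recordId: string, flag: ProgressFlag) => Promise<void>;

// Fire-and-forget reporter. The returned promise resolves to true/false and never
// rejects, so a caller that does not await it cannot leak an unhandled rejection
// when the audit endpoint is unreachable; the error is routed to the logger instead.
// Starting from Promise.resolve() also catches a transport that throws synchronously.
function reportProgress(
  send: AuditTransport,
  recordId: string,
  status: OAuthStatus,
  logError: (message: string, error: unknown) => void,
): Promise<boolean> {
  return Promise.resolve()
    .then(() => send(recordId, buildProgressFlag(status)))
    .then(() => true)
    .catch((error: unknown) => {
      logError(`audit report (${status}) failed for ${recordId}`, error);
      return false;
    });
}

// Constructed transport that always fails, standing in for an unreachable audit server.
const unreachableAudit: AuditTransport = async () => {
  throw new Error("ECONNREFUSED (constructed)");
};
```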
| "@toruslabs/base-controllers": "^9.4.1", | ||
| "@toruslabs/http-helpers": "^9.0.0", | ||
| "@web3auth/auth": "^11.4.2", | ||
| "@web3auth/auth": "file:../../web3auth-auth-11.4.3.tgz", |
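Review bot: the last line swaps the semver range "^11.4.2" for "file:../../web3auth-auth-11.4.3.tgz", a relative tarball path that only resolves inside this checkout; if packages/no-modal or packages/modal is published with that specifier, consumers cannot install it. Keep a semver range here and bump it to the published 11.4.3 once that release exists, rather than merging the tarball reference.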
we would need to release auth sdk first


Jira Link
https://consensyssoftware.atlassian.net/browse/EMBED-242?atlOrigin=eyJpIjoiNmZkYTgxMWNjZGUyNGY3M2E0YTU1ZWNiZjhkOWY1YTEiLCJwIjoiaiJ9
Description
- AuthConnector.connectWithSocialLogin() now adds audit metadata onto loginParams before login starts.
  - recordId: generateRecordId()
  - loginSource: "web3auth-web"
- auditOAuditProgress(...) was added to report OAuth progress to the audit endpoint.

New audit reporting behavior
- oauthInitiated: true.
- SecurePubSub subscription path errors to mark oauthFailed: true.
- postLoginInitiatedMessage(...) rejects to mark oauthFailed: true.

How has this been tested?
Screenshots (if appropriate)
Types of changes
Checklist
Note
Medium Risk
Touches login flow behavior by adding new network calls and identifiers during OAuth; failures are mostly swallowed, but misconfiguration or endpoint issues could affect login UX or add latency.
Overview
Adds OAuth flow auditing in @web3auth/no-modal by generating a recordId/loginSource for social logins and sending PUT updates to Citadel (/v1/auth/audit) on OAuth initiation and failure paths.
Updates the repo and demo app to consume @web3auth/auth 11.4.3 from a local tarball (and bumps related Torus deps), with corresponding lockfile churn and .gitignore updates (ignore .npmrc, normalize build/).
Written by Cursor Bugbot for commit 856390b.