fix: fixed misc bugs#2513
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
lwin-kyaw
changed the title
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 7b7aae4. Configure here.
|
|
||
| if (getAuthTokenInfo) { | ||
| await this.getAuthTokenInfo(); | ||
| await this.getAuthTokenInfo(chainId); |
There was a problem hiding this comment.
Solana auth uses stale chain
High Severity
After connect, syncChainStateAfterConnect can reconcile MetaMask Solana to a different network than requested via updateConnectorData, but getAuthTokenInfo still uses the original chainId from connect params. Connect-and-sign can build and verify proofs for the wrong chain while the wallet stays on the connected scope.
Reviewed by Cursor Bugbot for commit 7b7aae4. Configure here.
| // For solana case, metamask connect the first available scope in priority order: mainnet > devnet > testnet. | ||
| // So, if the user requested chain is different from the connected chain, | ||
| // we need to update the connector data with the connected chain id to keep the Web3Auth state aligned. | ||
| if ("scope" in this.solanaProvider && typeof this.solanaProvider.scope === "string") { |
There was a problem hiding this comment.
Null solanaProvider scope check crashes
Medium Severity
In the Solana branch of syncChainStateAfterConnect, the code uses "scope" in this.solanaProvider without guarding this.solanaProvider. If connect runs for a Solana chain while the Solana client was not created, the in operator throws and aborts the connect flow.
Reviewed by Cursor Bugbot for commit 7b7aae4. Configure here.
2 participants
Jira Link
Description
This PR fixes several chain-handling issues across external wallet flows, especially for multichain wallets like MetaMask.
chainIdintogetAuthTokenInfoandgenerateChallengeAndSign, instead of inferring the chain from provider availability.chainIdinto linking proof generation.How has this been tested?
Web3AuthNoModalstate.Screenshots (if appropriate)
N/A
Types of changes
Checklist
Note
Medium Risk
Touches connect-and-sign, account linking, and chain reconciliation in core wallet flows; changes are targeted but affect authentication and session chain state.
Overview
Fixes multichain external-wallet behavior so connect-and-sign, linking, and session state follow the active chain instead of guessing from which providers exist.
Core SDK (
no-modal/modal) threads optionalchainIdthroughgetAuthTokenInfoandgenerateChallengeAndSign, passescurrentChainIdfrom the controller into connector auth, and updates Web3Auth state when connectors reportchainIdviaCONNECTOR_DATA_UPDATED. MetaMask syncs EVM/Solana after connect (syncChainStateAfterConnect,chainChanged→updateConnectorData) and resolves auth withresolveAuthChainConfig. Account linking uses the picker’schainNamespaceto pick the right chain when EVM vs Solana differs, and linking proofs callgenerateChallengeAndSignwith the targetchainId. AA RPC middleware mapsundefinedtonullforwallet_switchEthereumChain/wallet_addEthereumChainto avoid JRPC “Nothing ended the request” errors (with tests).Demos bump
@web3auth/*lockfile versions, point x402 testers at the dev weather endpoint, and small Vue dashboard tweaks (wagmiuseChainId, AUTH-only user-info UI).Reviewed by Cursor Bugbot for commit 7b7aae4. Bugbot is set up for automated code reviews on this repo. Configure here.