From 73a31a0a6a2c2b189b107be020ad2f43bf4971e0 Mon Sep 17 00:00:00 2001 From: faisalnugroho Date: Sun, 31 May 2026 00:10:58 +0800 Subject: [PATCH] fix(docs): replace Math.random() with crypto.randomUUID() for SIWE nonces Math.random() is not cryptographically secure and should never be used for SIWE nonces. A predictable nonce can be exploited for replay attacks. Replaced all instances with crypto.randomUUID() which is: - Cryptographically secure (Web Crypto API) - Available in all modern browsers and Node.js 19+ - Consistent with the authenticate-users guide Closes #1477 --- docs/base-account/framework-integrations/wagmi/setup.mdx | 4 +--- docs/base-account/guides/sign-and-verify-typed-data.mdx | 2 +- .../reference/ui-elements/sign-in-with-base-button.mdx | 2 +- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/docs/base-account/framework-integrations/wagmi/setup.mdx b/docs/base-account/framework-integrations/wagmi/setup.mdx index cd96ec631..36d86e5a0 100644 --- a/docs/base-account/framework-integrations/wagmi/setup.mdx +++ b/docs/base-account/framework-integrations/wagmi/setup.mdx @@ -335,9 +335,7 @@ export function SignInWithBase({ connector }: SignInWithBaseProps) { if (provider) { try { // Generate a fresh nonce (this will be overwritten with the backend nonce) - const clientNonce = - Math.random().toString(36).substring(2, 15) + - Math.random().toString(36).substring(2, 15); + const clientNonce = crypto.randomUUID(); console.log("clientNonce", clientNonce); // Connect with SIWE to get signature, message, and address const accounts = await (provider as any).request({ diff --git a/docs/base-account/guides/sign-and-verify-typed-data.mdx b/docs/base-account/guides/sign-and-verify-typed-data.mdx index 180fb15ec..dd6a8b086 100644 --- a/docs/base-account/guides/sign-and-verify-typed-data.mdx +++ b/docs/base-account/guides/sign-and-verify-typed-data.mdx @@ -190,7 +190,7 @@ const usedNonces = new Set(); app.get('/typed-data/prepare', (req, res) => { const { userAddress, action, resource } = req.query; - const nonce = Math.floor(Math.random() * 1000000); + const nonce = crypto.randomUUID(); const expiry = Math.floor(Date.now() / 1000) + 3600; // 1 hour const typedData = { diff --git a/docs/base-account/reference/ui-elements/sign-in-with-base-button.mdx b/docs/base-account/reference/ui-elements/sign-in-with-base-button.mdx index 03809c855..df314567c 100644 --- a/docs/base-account/reference/ui-elements/sign-in-with-base-button.mdx +++ b/docs/base-account/reference/ui-elements/sign-in-with-base-button.mdx @@ -325,7 +325,7 @@ const handleSignInWithSIWE = async () => { address: account, chainId: base.id, domain: window.location.host, - nonce: Math.random().toString(36).substring(7), + nonce: crypto.randomUUID(), uri: window.location.origin, version: '1', statement: 'Sign in to MyApp with your Base Account'