feat: auth services v10 & wallet-service changes. #104
Signed-off-by: Gaurav Goel <gaurav@tor.us>
…into feat/auth_services_v10_changes # Conflicts: # android/build.gradle
Signed-off-by: Gaurav Goel <grvgoel19@gmail.com>
Cursor Bugbot has reviewed your changes and found 6 potential issues.
Reviewed by Cursor Bugbot for commit bf17edb. Configure here.
| "sub": "email|hello", | ||
| "aud": "torus-key-test", | ||
| "exp": DateTime.now().millisecond, | ||
| "iat": DateTime.now().millisecond, |
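Review bot: exp and iat are assigned the same expression, so even once the value is a real Unix timestamp the token expires at the instant it is issued. Read the clock once into a local (seconds since epoch), use that for iat, and set exp to it plus an explicit lifetime; calling DateTime.now() twice also lets the two fields drift apart.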
JWT exp/iat use millisecond component, not timestamp
High Severity
DateTime.now().millisecond returns only the millisecond component of the current time (0–999), not a Unix timestamp. The JWT exp and iat fields expect a Unix timestamp in seconds. This means tokens will always appear expired (with exp set to a value near epoch). The correct property is DateTime.now().millisecondsSinceEpoch ~/ 1000.
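A sanity check for the iat/exp problem described in the comment above, as an added example (not code from this PR or from the Web3Auth SDK). buildClaims and checkClaims are hypothetical helper names, the 30-second leeway and 5-minute lifetime are assumptions, and the sub/aud values are the ones shown in the hunk.

```dart
// Added example: builds iat/exp as Unix seconds and flags the unit mistakes
// a reviewer would look for. Uses only dart:core.

/// Builds the claims with iat/exp as Unix time in seconds.
Map<String, Object> buildClaims(DateTime now, Duration ttl) {
  // Read the clock once so exp is always iat + ttl.
  final iat = now.millisecondsSinceEpoch ~/ 1000;
  return {
    'sub': 'email|hello',
    'aud': 'torus-key-test',
    'iat': iat,
    'exp': iat + ttl.inSeconds,
  };
}

/// Returns the problems found in iat/exp; an empty list means they look sane.
List<String> checkClaims(Map<String, Object?> claims, DateTime now,
    {Duration leeway = const Duration(seconds: 30)}) {
  final problems = <String>[];
  final nowSec = now.millisecondsSinceEpoch ~/ 1000;
  final iat = claims['iat'];
  final exp = claims['exp'];
  if (iat is! int || exp is! int) {
    return ['iat and exp must be integer timestamps'];
  }
  // DateTime.millisecond is always in 0..999.
  if (iat < 1000 || exp < 1000) {
    problems.add('iat/exp look like a millisecond component, not epoch seconds');
  }
  // Epoch milliseconds are about 1000 times larger than epoch seconds.
  if (iat > nowSec * 100 || exp > nowSec * 100) {
    problems.add('iat/exp look like epoch milliseconds, not seconds');
  }
  if (exp <= iat) problems.add('exp must be later than iat');
  if (exp + leeway.inSeconds < nowSec) problems.add('token is already expired');
  if (iat - leeway.inSeconds > nowSec) problems.add('iat is in the future');
  return problems;
}

void main() {
  final now = DateTime.now();
  // Constructed input: claims built the way the reviewed hunk builds them.
  final buggy = {'iat': now.millisecond, 'exp': now.millisecond};
  print(checkClaims(buggy, now));
  print(checkClaims(buildClaims(now, const Duration(minutes: 5)), now));
}
```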
| #Fri Jun 23 08:50:38 CEST 2017 | ||
| distributionBase=GRADLE_USER_HOME | ||
| distributionPath=wrapper/dists | ||
| https://github.com/Web3Auth/web3auth-flutter-sdk/pull/104/conflict?name=example%252Fandroid%252Fapp%252Fsrc%252Fmain%252FAndroidManifest.xml&ancestor_oid=ec00abe0c8ddb6dfa91343c66f24e48b431d1a15&base_oid=697fc9ac55830ca35e100ca84d4439da7ffddd85&head_oid=479557102c69887429d4fb9b8c21bf4760acb305distributionPath=wrapper/dists |
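Review bot: distributionPath=wrapper/dists appears twice in these lines, once on its own and once appended to the pasted URL on the last line. Delete the whole last line rather than trimming the URL off it, so the key is defined once. This file decides which Gradle distribution the wrapper downloads and runs, so also confirm that distributionUrl, which is outside the lines shown, came through the merge unchanged.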
Merge conflict URL corrupts gradle-wrapper.properties file
High Severity
A GitHub merge conflict URL was accidentally concatenated with the distributionPath property. The line now starts with https://github.com/Web3Auth/... followed by distributionPath=wrapper/dists, making the distributionPath property unparseable by Gradle. This will break the Gradle wrapper for the example Android app.
| let clientId: String | ||
| let redirectUrl: String | ||
| let originData: [String: String]? | ||
| let authBuildEnv: String? |
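Review bot: authBuildEnv is declared String?, so if this struct relies on synthesized Codable, a payload that lacks that exact key decodes to nil with no error and the mismatch stays invisible. Add an explicit CodingKeys enum that pins each property to the key the Dart side sends, plus a decoding test that feeds in a serialized init payload and asserts authBuildEnv is non-nil.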
iOS ignores buildEnv due to JSON key mismatch
Medium Severity
The iOS InitParams struct declares the property as authBuildEnv, so Swift's Codable looks for the JSON key "authBuildEnv". However, the Dart toJson() serializes this field under the key "buildEnv". Since there's no CodingKeys override, params.authBuildEnv will always be nil on iOS, causing the build environment to silently default to production.
Additional Locations (1)
| /// | ||
| /// Checkout [MFA SDK Reference](https://web3auth.io/docs/sdk/pnp/flutter/mfa) for more details. | ||
| final MfaSettings? mfaSettings; | ||
| Chains? chains; |
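Review bot: chains is the only field in this hunk that is neither final nor documented, while mfaSettings directly above it is final and carries a doc comment. Declare it final so the options object cannot be changed after construction, and add a doc comment that states whether one chain or a list of chains is expected.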
Dart chains is singular but iOS expects array
Medium Severity
chains is declared as Chains? (a single object) in the Dart Web3AuthOptions, but the iOS InitParams struct expects [Chains]? (an array). When a non-null Chains value is serialized via chains?.toJson(), it produces a JSON object, but iOS decoding expects a JSON array, causing a runtime deserialization failure.
Additional Locations (2)
| print("loginParams: \(loginParams)") | ||
| } catch { | ||
| //print(error) | ||
| print(error) |
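Review bot: print("loginParams: \(loginParams)") interpolates the whole parameter object into the device log, and the catch block prints the raw error next to it. Remove both, or wrap them in #if DEBUG and log only fields known to be non-sensitive, so release builds write nothing from the login path.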
Debug print statements left in iOS production code
Low Severity
Two previously commented-out print statements were uncommented in the connectTo case. These log loginParams (which may contain sensitive authentication data) and error details to the console in production builds. Other print statements in the same file remain correctly commented out.
| if (obj.has("redirectUrl")) loginParams.redirectUrl = Uri.parse(obj.get("redirectUrl") as String?) | ||
| val loginCF = web3auth.login(loginParams) | ||
| // Log.d(loginParams.toString(), "#loginParams") | ||
| //Log.d("#loginParams", loginParams.toString()) |
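Review bot: two commented-out Log.d calls sit after web3auth.login(loginParams), and the first has its arguments reversed (Log.d takes the tag first, then the message). Delete both instead of keeping them as comments: uncommenting either one would write loginParams.toString() to logcat.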
Unused obj variables left after removing redirectUrl handling
Low Severity
In the connectTo, enableMFA, and manageMFA cases, val obj = JSONObject(loginArgs) is created but never read. These were previously used to extract redirectUrl, but the redirectUrl handling was removed while the obj creation was left behind. Each one performs unnecessary JSON parsing at runtime.
Additional Locations (2)


Motivation and Context
Jira Link: https://toruslabs.atlassian.net/browse/PD-4517, https://toruslabs.atlassian.net/browse/PD-4551
Description
How has this been tested?
Screenshots (if appropriate):
Screen.Recording.2026-01-12.at.2.07.55.PM.mov
Screen.Recording.2026-01-12.at.2.10.28.PM.mov
Types of changes
Checklist:
Note
Medium Risk
Medium risk because it upgrades underlying native Web3Auth SDKs and changes the Flutter API surface (method names, params, and option schemas) used for authentication, keys, and wallet UI, which can break existing integrations.
Overview
Migrates the Flutter plugin to auth-service v10 and newer native SDKs. Android updates web3auth-android-sdk to 10.0.1, and iOS updates the pod dependency to Web3Auth ~> 12.0.1 with corresponding plugin-side init parsing and option mapping.

Updates the public Flutter API and payload schemas. login becomes connectTo, key getters are renamed to getPrivateKey/getEd25519PrivateKey, wallet services moves to showWalletUI (no ChainConfig), and request no longer includes chain config; options/config types shift from Network/Provider/LoginConfigItem to Web3AuthNetwork/AuthConnection/AuthConnectionConfig and add new fields (e.g., chains/default chain, analytics flag, wallet services config).

Refreshes the example apps and build tooling. Example app is updated to the new APIs (including an SFA sign-in demo using a generated ES256 JWT), Android build files/versions are adjusted, and iOS pods are regenerated; note example/android/gradle-wrapper.properties contains an accidental merge-conflict URL string before distributionPath.