Merge pull request #349 from Web3Auth/fix/vuln

Release

.mocharc.json

@@ -1,7 +1,6 @@
 {
   "node-option": ["experimental-specifier-resolution=node", "import=tsx"],
   "extension": ["ts", "js"],
-  "require": ["./test/setup.mjs"],
   "timeout": 0,
   "exit": true
 }

package.json

@@ -68,30 +68,30 @@
   "devDependencies": {
     "@babel/register": "^7.25.9",
     "@babel/runtime": "^7.26.0",
-    "@rollup/plugin-replace": "^5.0.7",
+    "@rollup/plugin-replace": "^6.0.1",
     "@toruslabs/config": "^2.2.0",
     "@toruslabs/eslint-config-typescript": "^3.3.4",
     "@toruslabs/torus-scripts": "^6.1.6",
     "@types/color": "^4.2.0",
     "@types/elliptic": "^6.4.18",
     "@types/end-of-stream": "^1.4.4",
     "@types/json-stable-stringify": "^1.1.0",
-    "@types/mocha": "^10.0.9",
-    "@types/node": "^20",
+    "@types/mocha": "^10.0.10",
+    "@types/node": "^22",
     "@types/once": "^1.4.5",
     "@types/pump": "^1.1.3",
     "@types/readable-stream": "^4.0.18",
     "cross-env": "^7.0.3",
     "eslint": "^8.56.0",
-    "husky": "^9.1.6",
+    "husky": "^9.1.7",
     "jsdom": "^25.0.1",
     "jsdom-global": "^3.0.2",
     "lint-staged": "^15.2.10",
     "mocha": "^10.8.2",
     "prettier": "^3.3.3",
     "rimraf": "^6.0.1",
     "tsconfig-paths": "^4.2.0",
-    "tsconfig-paths-webpack-plugin": "^4.1.0",
+    "tsconfig-paths-webpack-plugin": "^4.2.0",
     "tslib": "^2.8.1",
     "tsx": "^4.19.2",
     "typescript": "^5.6.3"
@@ -100,8 +100,8 @@
     "@babel/runtime": "7.x"
   },
   "optionalDependencies": {
-    "@nx/nx-linux-x64-gnu": "^19.6.3",
-    "@rollup/rollup-linux-x64-gnu": "^4.24.4"
+    "@nx/nx-linux-x64-gnu": "^20.1.2",
+    "@rollup/rollup-linux-x64-gnu": "^4.27.3"
   },
   "author": "Torus Labs",
   "license": "MIT",
@@ -125,7 +125,7 @@
     "@toruslabs/metadata-helpers": "^6.0.0",
     "@toruslabs/secure-pub-sub": "^1.1.0",
     "@toruslabs/session-manager": "^3.2.0",
-    "@toruslabs/starkware-crypto": "^4.0.0",
+    "@toruslabs/starkware-crypto": "^4.0.1",
     "@toruslabs/tweetnacl-js": "^1.0.4",
     "base64url": "^3.0.1",
     "bip39": "^3.1.0",

src/core/auth.ts

@@ -21,8 +21,8 @@ import {
   type WEB3AUTH_LEGACY_NETWORK_TYPE,
   WEB3AUTH_NETWORK,
 } from "../utils";
+import { loglevel as log } from "../utils/logger";
 import { InitializationError, LoginError } from "./errors";
-import { loglevel as log } from "./logger";
 import PopupHandler, { PopupResponse } from "./PopupHandler";
 import { constructURL, getHashQueryParams, getTimeout, version } from "./utils";
 

src/core/index.ts

@@ -1,4 +1,4 @@
 export * from "./auth";
 export * from "./errors";
-export * from "./logger";
+export * from "../utils/logger";
 export * from "./utils";

src/core/utils.ts

@@ -1,7 +1,7 @@
 import bowser from "bowser";
 
 import { LOGIN_PROVIDER, safeatob } from "../utils";
-import { loglevel as log } from "./logger";
+import { loglevel as log } from "../utils/logger";
 
 // don't use destructuring for process.env cause it messes up webpack env plugin
 export const version = process.env.AUTH_VERSION;

src/jrpc/jrpcEngine.ts

@@ -1,7 +1,8 @@
 import { Duplex } from "readable-stream";
 
+import { loglevel as log } from "../utils/logger";
 import { JsonRpcErrorsArg, rpcErrors } from "./errors/errors";
-import { serializeError } from "./errors/utils";
+import { getMessageFromCode, serializeError } from "./errors/utils";
 import {
   JRPCEngineEndCallback,
   JRPCEngineNextCallback,
@@ -82,11 +83,12 @@ export class JRPCEngine extends SafeEventEmitter<JrpcEngineEvents> {
         const error = err || res.error;
         if (error) {
           if (typeof error === "object" && Object.keys(error).includes("stack") === false) error.stack = "Stack trace is not available.";
+          log.error(error);
 
           res.error = serializeError(error, {
             shouldIncludeStack: true,
             fallbackError: {
-              message: error?.message || error?.toString(),
+              message: error?.message || error?.toString() || getMessageFromCode(error?.code || -32603),
               code: error?.code || -32603,
               stack: error?.stack || "Stack trace is not available.",
               data: error?.data || error?.message || error?.toString(),
@@ -328,11 +330,11 @@ export class JRPCEngine extends SafeEventEmitter<JrpcEngineEvents> {
       delete res.result;
       if (!res.error) {
         if (typeof error === "object" && Object.keys(error).includes("stack") === false) error.stack = "Stack trace is not available.";
-
+        log.error(error);
         res.error = serializeError(error, {
           shouldIncludeStack: true,
           fallbackError: {
-            message: error?.message || error?.toString(),
+            message: error?.message || error?.toString() || getMessageFromCode((error as { code?: number })?.code || -32603),
             code: (error as { code?: number })?.code || -32603,
             stack: error?.stack || "Stack trace is not available.",
             data: (error as { data?: string })?.data || error?.message || error?.toString(),
@@ -428,10 +430,10 @@ export function providerFromEngine(engine: JRPCEngine): SafeEventEmitterProvider
     const res = await engine.handle(req);
     if (res.error) {
       if (typeof res.error === "object" && Object.keys(res.error).includes("stack") === false) res.error.stack = "Stack trace is not available.";
-
+      log.error(res.error);
       const err = serializeError(res.error, {
         fallbackError: {
-          message: res.error?.message || res.error?.toString(),
+          message: res.error?.message || res.error?.toString() || getMessageFromCode(res.error?.code || -32603),
           code: res.error?.code || -32603,
           stack: res.error?.stack || "Stack trace is not available.",
           data: res.error?.data || res.error?.message || res.error?.toString(),