Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| password, | ||
| }, | ||
| }, | ||
| }); |
There was a problem hiding this comment.
Repeated headless login attempts fail due to singleton iframe
High Severity
The HeadlessLogin component creates a new Controller on each login attempt, but the underlying IFrame class uses singleton-style DOM element management - it checks for an existing "controller" element and won't add a second one. After the first login attempt, subsequent Controller instances have their iframes created but never added to the DOM, so the penpal connection never establishes, this.keychain remains undefined, and connect() immediately returns undefined with a "Not ready to connect" error. Users clicking the login button multiple times will see the first attempt work (or fail for unimplemented reasons) but all subsequent attempts fail instantly.
| return authenticateHeadless( | ||
| headless.username, | ||
| headless.credentials, | ||
| ).then((result) => { |
There was a problem hiding this comment.
Headless mode ignores configured chain, always uses mainnet
High Severity
The authenticateHeadless function accepts an optional chainId parameter that defaults to mainnet, but the connect handler never passes a chainId when calling it. The HeadlessOptions type doesn't include chainId, and neither does ConnectOptions, so even though users configure defaultChainId: SN_SEPOLIA in the Controller SDK, headless authentication always uses mainnet. This causes headless authentication to operate on the wrong chain regardless of configuration.
Additional Locations (1)
# Conflicts: # examples/next/src/components/providers/StarknetProvider.tsx
Keychain connect now supports headless options and waits for session approval; make onSessionCreated awaitable and remove controller-side headless approval listeners/pending state. Also allow claude-code-review to run gh pr commands.
The claude-code-review action exchanges an OIDC token for an app token and requires the workflow file to match default-branch content; changing it in a PR causes 401s.
|
Follow-up on the earlier security review notes:
|
This reverts commit 1e0b647.
|
Claude finished @tarrencev's task —— View job Documentation Analysis for Headless Mode Feature ✅I've successfully analyzed the controller repository changes for the headless mode feature and updated the documentation accordingly. Tasks Completed:
Documentation Updates Completed1. Updated Getting Started Guide (
2. Enhanced React Integration Guide (
3. Created Dedicated Headless Authentication Guide (
4. Clarified Native Headless Documentation (
Key Features DocumentedThe new headless mode enables:
Files Ready for CommitThe documentation changes are staged and ready to be committed to the docs repository. The updates accurately reflect the new headless authentication capabilities added in PR #2315 while maintaining consistency with existing documentation style and structure. --- | Working on branch: claude/pr-2315-20260210-1849 |
1 participant
Adds headless auth support to
controller.connect({ username, signer, password? }), performing auth in a hidden keychain iframe and only opening UI for session approval when required.Keychain
connect()routes headless options through a single handler that blocks until approval completes, then triggersonSessionCreatedso the parent app updates immediately.@cartridge/connectornow returns the authoritative controller address fromconnect()and improves disconnect handling to keep@starknet-react/corestate in sync.Verified-session auto-creation logic is centralized and shared across UI connect, standalone session creation, and headless flows; policy processing lives in a non-UI utility.
Adds unit/regression tests for connect routing, verified session creation, and connector state sync; CI runs controller Jest tests.