Skip to content

chore: improve MFA session handling and add public session APIs#392

Merged
chaitanyapotti merged 2 commits intomasterfrom
chore/mfa-fixes
Mar 20, 2026
Merged

chore: improve MFA session handling and add public session APIs#392
chaitanyapotti merged 2 commits intomasterfrom
chore/mfa-fixes

Conversation

@arch1995
Copy link
Contributor

@arch1995 arch1995 commented Mar 20, 2026
edited by cursor bot
Loading

Jira Link

EMBED-211

Description

  • Add public getAccessToken() method to Auth class — exposes access token with null-safety guard (throws userNotLoggedIn if token is missing)
  • Add public refreshSession() method — re-authorizes the session against the server; if the session is invalid or expired, cleans up via sessionManager.logout(), clears all local SDK state, and throws userNotLoggedIn
  • Unified session handling across all protected operationsenableMFA, manageMFA, manageSocialFactor, addAuthenticatorFactor, and addPasskeyFactor now all use refreshSession() with accessToken in request payloads, replacing inconsistent rehydrateSession() / raw sessionId checks
  • Extracted clearState() helper from logout() to eliminate state-clearing duplication between logout() and refreshSession()
  • Removed authSessionManager getter that leaked the internal AuthSessionManager instance — public methods (getAccessToken(), refreshSession()) now cover the needed surface area
  • Removed dead rehydrateSession() method — fully replaced by refreshSession() everywhere
  • Restored MFA_LEVELS.DEFAULT to avoid a breaking change for external consumers
  • Vue example: track MFA status via a reactive ref so the UI updates immediately after enableMFA popup completes; reset mfaEnabled on logout
  • Dependency updates: updated @toruslabs/session-manager, @toruslabs/constants, and related packages; migrated to CITADEL_SERVER_MAP, STORAGE_SERVER_MAP, STORAGE_SERVER_SOCKET_URL_MAP from @toruslabs/constants
  • PopupHandler: made socketUrl/serverUrl required (always provided by Auth)
  • messageStream: made cb() fire-and-forget for async handleRequest; added comprehensive tests

How has this been tested?

  • Developer tested this

Screenshots (if appropriate)

N/A

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • My code follows the code style of this project. (run lint)
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

Note

Medium Risk
Medium risk because it changes session/token handling for login and all MFA-related flows, and updates several core dependencies (@toruslabs/session-manager, @toruslabs/customauth, vite/vitest). It also changes JSON-RPC stream write semantics to be non-blocking, which could affect request ordering and error timing.

Overview
Improves session robustness and MFA flows by introducing Auth.refreshSession() (server re-authorization with automatic logout/state clear on invalid sessions) and Auth.getAccessToken() for guarded access-token retrieval.

All MFA/protected operations (enableMFA, manageMFA, social/passkey/authenticator factor ops) now refresh session first and include accessToken in the AuthRequestPayload; logout/state reset is centralized via a new clearState() helper, and token field names passed to sessionManager.setTokens are updated.

Defaults for citadel/storage server URLs are switched to @toruslabs/constants env maps, PopupHandler now requires explicit serverUrl/socketUrl, and the Vue example updates MFA UI state reactively after enabling MFA and resets it on logout.

createEngineStreamV2 is changed to call the stream write callback synchronously (fire-and-forget request handling), with extensive new tests covering concurrency/out-of-order behavior. Dependency and lockfile updates bump Torus packages and tooling versions.

Written by Cursor Bugbot for commit d2bd27e. This will update automatically on new commits. Configure here.

@arch1995
chore: improve MFA session handling and add public session APIs
29b07bc 
- Add public getAccessToken() and refreshSession() methods to Auth class
- refreshSession() validates session and clears SDK state on failure
- Replace all rehydrateSession() calls with refreshSession() for consistent
  error handling; remove dead rehydrateSession() method
- Update enableMFA, manageMFA, and all factor management methods to use
  refreshSession() and pass accessToken in request payloads
- Extract clearState() helper from logout() to avoid duplication
- Remove authSessionManager getter that exposed internal session manager
- Restore MFA_LEVELS.DEFAULT to avoid breaking change
- Vue example: track MFA status via reactive ref and reset on logout

Made-with: Cursor
@arch1995 arch1995 requested a review from a team as a code owner March 20, 2026 09:58
cursor[bot]
cursor bot reviewed Mar 20, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Fix All in Cursor

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

@arch1995
Copy link
Contributor Author

arch1995 commented Mar 20, 2026

Updating flag after enableMFA popup

Exported on 20/03/2026 at 17:18:33 GMT+7 from Cursor (2.6.20)

User

/code-reviewer review the code

Cursor

The review confirmed the critical issue flagged by Bugbot. Here's the summary:

Review Results

CRITICAL — refreshSession() breaks login

This is a real bug. refreshSession() checks this.sessionId (which reads from this.state.sessionId), but after login() calls setTokens(), only the session manager's internal storage is updated — this.state.sessionId is still empty. So refreshSession() throws userNotLoggedIn immediately on first login.

Fix: Use a separate private method without the guard for login() and postLoginInitiatedMessage(), and keep refreshSession() (with its guard) for MFA/factor methods where the user must already be logged in.

IMPORTANT — MFA_LEVELS.DEFAULT still missing

The diff shows DEFAULT: "default" is not present in constants.ts despite the intent to restore it. The JSDoc in interfaces.ts still documents "default" as valid.

IMPORTANT — authSessionManager getter was added, not removed

The getter at line 112-114 was added in this branch (it doesn't exist on master). It should be removed if the intent was to not expose internals.

IMPORTANT — messageStream.ts fire-and-forget

The cb() is now called before handleRequest() finishes, which changes backpressure/ordering behavior. May be intentional but should be documented.

Want me to fix the critical login issue and the MFA_LEVELS.DEFAULT / authSessionManager getter issues now?

User

no just fix 1

Cursor

The fix is straightforward: add a private rehydrateSession() method (without the sessionId guard) for use after login() and postLoginInitiatedMessage(), and keep refreshSession() (with the guard) for MFA/factor methods.

Now add the private rehydrateSession() back, right before authHandler:

Fixed. The login flow now uses a private rehydrateSession() (no sessionId guard) while all MFA/factor methods continue to use the public refreshSession() (with the guard). This way:

  • login() / postLoginInitiatedMessage()rehydrateSession() — works when this.state.sessionId is empty (right after setTokens()), throws a clear loginFailed error if authorization returns no data
  • enableMFA / manageMFA / factor methodsrefreshSession() — requires an active session, clears state and throws on failure

@chaitanyapotti chaitanyapotti merged commit 1c68d15 into master Mar 20, 2026
5 checks passed
@chaitanyapotti chaitanyapotti deleted the chore/mfa-fixes branch March 20, 2026 10:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@chaitanyapotti chaitanyapotti chaitanyapotti approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@arch1995 @chaitanyapotti