fix(web): fall back to getRandomValues when crypto.randomUUID is unavailable #523
Merged
tiann merged 1 commit into tiann:main from Apr 24, 2026
…ailable
crypto.randomUUID is only exposed in secure contexts (HTTPS or localhost). When the web app is served over HTTP on a LAN IP the attachment adapter, toast provider, message localId helper, file attachment metadata and terminal id creation all call crypto.randomUUID() synchronously and throw TypeError, so the UI silently does nothing (e.g. the file picker opens and closes with no chip).
Add a small web/src/lib/randomId helper that tries crypto.randomUUID first, then falls back to crypto.getRandomValues-derived UUID v4, and finally to a Date.now/Math.random string for very old environments. Route all five call sites through it. Output format is identical for secure contexts and UUID v4 for the getRandomValues path, so existing DB/SSE/RPC consumers see the same shape.
Review mode: initial
Findings
- No issues identified in the modified lines.
Summary
- No blocking correctness, security, or regression issues found in the latest diff.
- Residual risk/testing gap: direct unit coverage was added for web/src/lib/randomId.test.ts; Not found in repo/docs: direct tests for the updated attachment, toast, or terminal ID-generation paths. I also could not run bun in this runner (bun: command not found).
Testing
- Not run (automation environment missing bun)
HAPI Bot
dmnkf pushed a commit to dmnkf/hapi that referenced this pull request Apr 25, 2026
Problem
The web UI uses crypto.randomUUID() in five places (attachment adapter, message local IDs, toast IDs, file attachment metadata, terminal IDs). crypto.randomUUID is only defined in secure contexts — HTTPS, or the special-cased http://localhost / http://127.0.0.1.
When the web app is opened over HTTP from a LAN IP (a common dev / home-network setup — e.g. http://192.168.x.x:3006), crypto.randomUUID is undefined. The first place this surfaces is the attachment flow: assistant-ui's ComposerPrimitive.AddAttachment swallows the rejection, so from the user's side "pick a file" silently does nothing — no chip, no upload request, no error indicator. Mobile browsers that go through the HTTPS tunnel aren't affected.
Solution
Add a small web/src/lib/randomId.ts helper and call it everywhere the web currently calls crypto.randomUUID() directly:
- crypto.randomUUID is available, use it (unchanged behavior for HTTPS and localhost).
- crypto.getRandomValues() to produce an RFC 4122 v4 UUID string — same format and character set, so existing consumers (DB columns, SSE payloads, RPC params) see identical values.
- Date.now()-based string.
Only the web package is changed. CLI / hub / shared still use crypto.randomUUID() directly — Node has no secure-context concept there.
Tests
- bun typecheck passes.
- bun run test (web): 170 tests pass, including new randomId.test.ts covering all three branches.
- http://<LAN-IP>:<port>/ (not localhost): TypeError: crypto.randomUUID is not a function, no attachment chip after picking a file.
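
A sketch of the three-tier fallback described in this PR, added here as an illustration; it is not the PR's web/src/lib/randomId.ts. The names randomId and uuidV4FromBytes and the injectable cryptoImpl parameter are assumptions, chosen so each branch can be exercised without a browser.

```javascript
// Added example, not the project's code. Names and the cryptoImpl parameter are hypothetical.
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;

// Format 16 random bytes as an RFC 4122 version-4 UUID string.
function uuidV4FromBytes(bytes) {
  const b = Uint8Array.from(bytes);   // copy so the caller's buffer is untouched
  b[6] = (b[6] & 0x0f) | 0x40;        // high nibble of byte 6: version 4
  b[8] = (b[8] & 0x3f) | 0x80;        // top two bits of byte 8: variant 10
  const hex = Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16),
          hex.slice(16, 20), hex.slice(20)].join("-");
}

function randomId(cryptoImpl = globalThis.crypto) {
  // 1. Secure context (HTTPS or localhost): use the native implementation.
  if (typeof cryptoImpl?.randomUUID === "function") {
    return cryptoImpl.randomUUID();
  }
  // 2. Insecure context (plain HTTP on a LAN IP): randomUUID is missing, but
  //    getRandomValues is still exposed and still backed by a CSPRNG.
  if (typeof cryptoImpl?.getRandomValues === "function") {
    return uuidV4FromBytes(cryptoImpl.getRandomValues(new Uint8Array(16)));
  }
  // 3. No Web Crypto at all: Math.random is not a CSPRNG, so this value is
  //    predictable. Acceptable for UI keys and local message ids; never use it
  //    as a token, session id or anything an attacker gains from guessing.
  return `${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 12)}`;
}
```

Only the first two branches return strings that match UUID_V4, so a consumer that validates the UUID shape will reject ids from the last-resort branch.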