@toruslabs/customauth
Web3Auth is where passwordless auth meets non-custodial key infrastructure for Web3 apps and wallets. By aggregating OAuth (Google, Twitter, Discord) logins, different wallets and innovative Multi Party Computation (MPC), Web3Auth provides a seamless login experience to every user of your application.
This repo allows web applications to directly retrieve keys stored on the Torus Network. The attestation layer for the Torus Network is generalizable; below is an example of how to access keys via the SDK using Google.
Check out the CustomAuth example in our examples directory.
This module is distributed in 3 formats:
- `esm` build `dist/customauth.esm.js` in es6 format
- `commonjs` build `dist/customauth.cjs.js` in es5 format
- `umd` build `dist/customauth.umd.min.js` in es5 format without polyfilling core-js, minified

By default, the appropriate format is used for your specified use case. You can use a different format (if you know what you're doing) by referencing the correct file.
The cjs build is not polyfilled with core-js. It is up to the user to polyfill based on the browserslist they target.
CDNs serve the non-core-js polyfilled version by default. You can use a different
jsdelivr
```html
<script src="https://cdn.jsdelivr.net/npm/@toruslabs/customauth@6"></script>
```
unpkg
```html
<script src="https://unpkg.com/@toruslabs/customauth@6"></script>
```
This is a plugin that works only on the client side, so please register it as an SSR-free plugin.
For more in-depth documentation, please refer to the docs here.
Add `@toruslabs/customauth` to your project.
To allow your web app to retrieve keys:
Install the package:
```shell
npm i @toruslabs/customauth
```
or
```shell
yarn add @toruslabs/customauth
```
CustomAuth SDK supports two modes of login (`uxMode: "popup"` and `uxMode: "redirect"`) (default: `popup`).
Popup mode:
1. Serve the service worker from `baseUrl`, where `baseUrl` is the one passed while instantiating CustomAuth for the specific login (example `http://localhost:3000/serviceworker/`). If you're already using a service worker, please ensure you port over the fetch override from our service worker.
2. For browsers where service workers are not supported, or if you wish not to use service workers, create and serve a redirect page from `baseUrl/redirect`, where `baseUrl` is the one passed while instantiating CustomAuth for the specific login (example `http://localhost:3000/serviceworker/`).
3. At the verifier's interface (where you obtain the client id), please use `baseUrl/redirect` (eg: `http://localhost:3000/serviceworker/redirect`) as the `redirect_uri`, where `baseUrl` is the one passed while instantiating CustomAuth.
4. Instantiate the package:
```js
const torus = new CustomAuth({
  baseUrl: "http://localhost:3000/serviceworker/",
  network: "testnet", // details for test net
  web3AuthClientId: "YOUR_CLIENT_ID", // get Client ID from Web3Auth Dashboard
});
await torus.init();
const loginDetails = await torus.triggerLogin({
  typeOfLogin: "google",
  verifier: "YOUR VERIFIER DEPLOYED BY TORUS",
  clientId: "MY CLIENT ID GOOGLE",
});
```
Note: If you're using `redirectToOpener`, modify the origin of `postMessage` from `"http://localhost:3000"` to your hosted domain in `redirect.html` and `sw.js`.
Redirect mode:
1. At the verifier's interface (where you obtain the client id), please use `baseUrl/auth` (eg: `http://localhost:3000/auth`) as the `redirect_uri`, where `baseUrl` is the one passed while instantiating CustomAuth.
2. Instantiate the package:
```js
const torus = new CustomAuth({
  baseUrl: "http://localhost:3000/serviceworker/",
  redirectPathName: "auth",
  network: "testnet", // details for test net
  uxMode: "redirect",
});
await torus.init({ skipSw: true });
await torus.triggerLogin({
  typeOfLogin: "google",
  verifier: "YOUR VERIFIER DEPLOYED BY TORUS",
  clientId: "MY CLIENT ID GOOGLE",
});
```
3. After login, the user is redirected to `baseUrl/auth` with hashParams. In this page, use the following code to get the login details:
```js
const torus = new CustomAuth({
  baseUrl: location.origin,
  redirectPathName: "auth",
  uxMode: "redirect",
  network: "testnet",
});
const loginDetails = await torus.getRedirectResult();
```
Please refer to examples
Hosted Example for testing
The following links help you create OAuth accounts with different login providers
For other verifiers,
Question: My redirect page is stuck in iOS Chrome
**Answer:**
iOS Chrome doesn't support service workers, so you need to serve a fallback HTML page, `redirect.html`.
Please check that `redirect.html` is being served correctly by navigating to `baseUrl/redirect#a=123`; it should show a loader.
For nginx, here is a simple server configuration
```nginx
location ~* (/serviceworker/redirect) {
add_header 'Access-Control-Allow-Origin' '*';
add_header Content-Security-Policy "default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline';";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
default_type "text/html";
alias PATH_TO_REDIRECT_HTML_FILE;
autoindex off;
}
```
Alternatively, you can configure your redirect url to include redirect.html by passing in an option `redirectPathName: 'redirect.html'` while instantiating the sdk.
Please remember to change the OAuth redirect URL to reflect this change.
Question: Discord login only works once in 30 min
**Answer:** Torus login requires a new token for every login attempt. Discord returns the same access token for 30 min unless it's revoked. Unfortunately, it needs to be revoked from the backend, since revocation needs the client secret. Here's some sample code which does it:
```js
const axios = require("axios").default;
const FormData = require("form-data");

const { DISCORD_CLIENT_SECRET, DISCORD_CLIENT_ID } = process.env;

// Backend route handler (e.g. Express): the client secret must stay on the
// server, so the browser sends the token here and the server revokes it.
async function revokeDiscordToken(req, res) {
  const { token } = req.body;
  const formData = new FormData();
  formData.append("token", token);
  await axios.post("https://discord.com/api/oauth2/token/revoke", formData, {
    headers: {
      ...formData.getHeaders(),
      // HTTP Basic auth with the Discord client id and client secret
      Authorization: `Basic ${Buffer.from(`${DISCORD_CLIENT_ID}:${DISCORD_CLIENT_SECRET}`, "binary").toString("base64")}`,
    },
  });
  res.sendStatus(200);
}
```
Question: How to initialise web3 with the private key (returned after login)?
**Answer:** One can use the `privateKeyToAccount` method to initialise web3 with a private key. If you are supplying a hexadecimal number, it must have the `0x` prefix in order to be in line with other Ethereum libraries.
```js
web3.eth.accounts.privateKeyToAccount(PRIVATE_KEY);
```
Note: If you are using the `redirectToOpener` option, you must update your `redirect.html` to allow whitelisted URIs.
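Both `redirectToOpener` notes (changing the `postMessage` origin in `redirect.html`, and allowing only whitelisted URIs) come down to the same check: the redirect page must relay the hashParams only to an explicitly allow-listed opener origin. The block below is an added example of that logic, not code from the package's own `redirect.html` or `sw.js`; the names `ALLOWED_ORIGINS`, `parseHashParams`, `isAllowedOrigin`, `relayToOpener` and `isTrustedRedirectMessage` are assumptions and the allow-list values are constructed.

```javascript
// Added example: origin allow-listing for a redirect.html that relays the
// provider's hashParams back to window.opener via postMessage.
// ALLOWED_ORIGINS values are constructed; the names are assumptions, not the SDK's.
const ALLOWED_ORIGINS = ["http://localhost:3000", "https://app.example.com"];

// Parse the "#a=123&state=x" fragment the provider redirects back with.
function parseHashParams(hash) {
  const params = {};
  for (const pair of hash.replace(/^#/, "").split("&")) {
    if (!pair) continue;
    const idx = pair.indexOf("=");
    const key = idx === -1 ? pair : pair.slice(0, idx);
    const value = idx === -1 ? "" : pair.slice(idx + 1);
    params[decodeURIComponent(key)] = decodeURIComponent(value.replace(/\+/g, " "));
  }
  return params;
}

// Exact string match on the full origin (scheme + host + port). A prefix or
// substring check would wrongly accept "https://app.example.com.evil.net".
function isAllowedOrigin(origin, allowlist = ALLOWED_ORIGINS) {
  return allowlist.includes(origin);
}

// Decide whether redirect.html may relay the fragment. Returns the explicit
// targetOrigin to pass to postMessage (never "*"), or null to refuse.
// openerOrigin must come from your own configuration, not from the URL the
// provider redirected to, so that the tokens can only ever go to your app.
function relayToOpener(hash, openerOrigin, allowlist = ALLOWED_ORIGINS) {
  if (!isAllowedOrigin(openerOrigin, allowlist)) return null;
  return { targetOrigin: openerOrigin, params: parseHashParams(hash) };
}

// Receiving side (the page that opened the popup): accept only messages whose
// event.origin is the redirect page's own origin, and ignore everything else.
function isTrustedRedirectMessage(eventOrigin, redirectOrigin) {
  return eventOrigin === redirectOrigin;
}

// Browser usage in redirect.html (not executed here):
//   const msg = relayToOpener(location.hash, "https://app.example.com");
//   if (msg && window.opener) window.opener.postMessage(msg.params, msg.targetOrigin);
```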