fix: kotlin sample frontend crashes on http://0.0.0.0 and quiets HPKE build warnings#474
Conversation
… build warnings

- Add a randomUUID() helper with a Math.random fallback for non-secure contexts. crypto.randomUUID() throws on http://0.0.0.0:8080 (which is the host Ktor binds to) in some browsers, leaving the page blank.
- Filter the @hpke/common build noise (Node-only `import("crypto")` externalization message and misplaced /* @__PURE__ */ comments) in vite.config.ts so real warnings stay visible.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Greptile Summary

This PR fixes a crash in the Kotlin sample frontend caused by

Confidence Score: 4/5

Safe to merge; changes are limited to the sample frontend and address a real crash in the dev HTTP context. The fix is well-targeted and the UUID fallback logic is correct. The Vite logger filter silences all externalization warnings across every dependency rather than only @hpke/common — a future package being improperly externalized would go unnoticed at build time.

samples/frontend/vite.config.ts — the logger.warn filter could use the same @hpke/common scope check already present in rollupOptions.onwarn.
| Filename | Overview |
|---|---|
| samples/frontend/src/lib/uuid.ts | New helper that wraps crypto.randomUUID() with a Math.random() UUID v4 fallback for non-secure HTTP contexts; fallback entropy is weak but acceptable for a dev sample. |
| samples/frontend/src/lib/session.ts | Straightforward swap of crypto.randomUUID() for the new randomUUID() helper; no logic changes. |
| samples/frontend/src/steps/embeddedWallet/ExecuteSignedQuote.tsx | Replaces inline crypto.randomUUID() with the shared randomUUID() helper for the Idempotency-Key header; behaviorally identical in secure contexts. |
| samples/frontend/vite.config.ts | Adds custom Vite logger and Rollup onwarn to silence @hpke/common build noise; the logger filter is overly broad and silences externalization warnings from all packages, not just @hpke/common. |
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[randomUUID called] --> B{crypto defined AND crypto.randomUUID is a function?}
    B -- Yes --> C[crypto.randomUUID returns CSPRNG UUID]
    B -- No --> D[Math.random fallback generates UUID v4]
    C --> E[Caller receives UUID]
    D --> E
    subgraph Callers
        F[session.ts - session ID]
        G[ExecuteSignedQuote.tsx - Idempotency-Key header]
    end
    E --> F
    E --> G
```
Reviews (1): Last reviewed commit: "fix: kotlin sample frontend crashes on h..."
samples/frontend/vite.config.ts:11-14

```ts
logger.warn = (msg, opts) => {
if (msg.includes('has been externalized for browser compatibility')) return
originalWarn(msg, opts)
}
```
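Review bot: even with the @hpke/common scoping proposed below, the `if` on the second line would still hide any module in that package that Vite decides to externalize, while the commit message names exactly one expected message (the Node-only `import("crypto")` externalization). Gating on the module name as well, which Vite quotes in the message, keeps only that known message quiet: `if (msg.includes('has been externalized for browser compatibility') && msg.includes('@hpke/common') && msg.includes('"crypto"')) return`. A newly externalized import in the same package would then still reach `originalWarn(msg, opts)` and be visible at build time.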
The logger filter matches any warning that contains 'has been externalized for browser compatibility', which suppresses the message from every dependency — not just @hpke/common. If a future (or existing) package is being externalized for a reason that would cause a real browser runtime error, the build would remain silent about it. The rollupOptions.onwarn handler correctly gates on warning.id?.includes('@hpke/common'); the same scoping should apply here.
```suggestion
logger.warn = (msg, opts) => {
if (
msg.includes('has been externalized for browser compatibility') &&
msg.includes('@hpke/common')
)
return
originalWarn(msg, opts)
}
```
samples/frontend/src/lib/uuid.ts:7-11

```ts
return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, (c) => {
const r = (Math.random() * 16) | 0
const v = c === 'x' ? r : (r & 0x3) | 0x8
return v.toString(16)
})
```
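Review bot: the fallback on these lines draws every nibble from Math.random(), yet the insecure-origin case this PR fixes still has a CSPRNG available: crypto.getRandomValues() is not restricted to secure contexts, only crypto.randomUUID() is. Filling a 16-byte Uint8Array from getRandomValues(), forcing the version and variant bits (`b[6] = (b[6] & 0x0f) | 0x40` and `b[8] = (b[8] & 0x3f) | 0x80`) and hex-formatting the result gives the same v4 layout without the weak-entropy concern raised for the Idempotency-Key header, and Math.random() can be dropped entirely.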
Math.random() is not cryptographically secure and produces low-entropy output. This only matters here in the Idempotency-Key usage in ExecuteSignedQuote.tsx: a collision, however unlikely, could cause the server to treat a fresh quote execution as a duplicate of a prior one. For a sample/dev-only path this is acceptable, but worth a comment at the call-site so future readers understand the trade-off.
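A hardened variant of the helper discussed in this thread, added here as an example and not code from the sample or the PR: the fallback draws bytes from crypto.getRandomValues(), which, unlike crypto.randomUUID(), is not limited to secure contexts, so a plain-HTTP dev origin still gets CSPRNG output and Math.random() is never used. The injectable cryptoLike parameter and the formatUuidV4/isUuidV4 helpers are assumptions made so the code can be exercised offline.

```javascript
// Added example, not the sample's own uuid.ts: UUID v4 helper whose fallback
// uses crypto.getRandomValues() (available on insecure origins such as
// http://0.0.0.0:8080) instead of Math.random(). Only crypto.randomUUID()
// is gated to secure contexts.

const HEX = Array.from({ length: 256 }, (_, i) => i.toString(16).padStart(2, '0'))

// Format 16 raw bytes as an RFC 4122 version-4 UUID, forcing the version
// nibble (byte 6 -> 0x4x) and the variant bits (byte 8 -> 0b10xxxxxx).
function formatUuidV4(bytes) {
  if (bytes.length !== 16) throw new RangeError('UUID v4 needs exactly 16 bytes')
  const b = Uint8Array.from(bytes)
  b[6] = (b[6] & 0x0f) | 0x40
  b[8] = (b[8] & 0x3f) | 0x80
  const h = Array.from(b, (x) => HEX[x])
  return [
    h.slice(0, 4).join(''),
    h.slice(4, 6).join(''),
    h.slice(6, 8).join(''),
    h.slice(8, 10).join(''),
    h.slice(10, 16).join(''),
  ].join('-')
}

// `cryptoLike` is injectable (an assumption for offline tests); it defaults to
// the platform Web Crypto object. Prefers randomUUID(), tolerates browsers that
// throw on insecure origins, and never degrades below a CSPRNG.
function randomUUID(cryptoLike = globalThis.crypto) {
  if (cryptoLike && typeof cryptoLike.randomUUID === 'function') {
    try {
      return cryptoLike.randomUUID()
    } catch {
      // insecure-context failure: fall through to getRandomValues()
    }
  }
  if (cryptoLike && typeof cryptoLike.getRandomValues === 'function') {
    return formatUuidV4(cryptoLike.getRandomValues(new Uint8Array(16)))
  }
  throw new Error('no CSPRNG available; refusing to fall back to Math.random()')
}

const UUID_V4_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/

// True for a well-formed v4 UUID, e.g. an Idempotency-Key value before it is sent.
function isUuidV4(s) {
  return UUID_V4_RE.test(s)
}
```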