Description
In packages/react/src/lib/auth.js, the secure token storage functions (saveTokenSecure, getTokenSecure, deleteTokenSecure) reference this.handleSecureLogin(...) — but they are plain standalone async functions, not class methods. When invoked via getTokenStorage(secure: true), this is undefined in strict mode, causing an immediate TypeError crash. Any user or deployment configured to use the secure auth flow cannot log in or log out.
File: packages/react/src/lib/auth.js — lines 28–33
Steps to Reproduce
- Configure EmbeddedChat with secure: true (or any auth flow that calls getTokenStorage(true))
- Launch the app and attempt to log in
- Observe a TypeError: Cannot read properties of undefined (reading 'handleSecureLogin') in the browser console
- The user remains stuck on the login screen with no visible error message in the UI
Expected Behavior
Logging in and out should work correctly when the secure auth flow is configured. The token should be saved and deleted via the secure handler without any runtime errors.
Actual Behavior
A TypeError is thrown as soon as login is attempted on the secure flow:
The crash is thrown inside an async chain, so the UI shows no meaningful error — the user is silently stuck on the login screen or unable to log out.
Environment
- Affects all environments where secure: true is configured
- The localStorage (non-secure) auth path is completely unaffected
- No specific OS or browser dependency
Additional Information
Root Cause:
deleteTokenSecure (and related functions) use this.handleSecureLogin(...), but are defined as plain async function declarations. In strict mode (enforced by all modern bundlers), this is undefined when these functions are called outside of a class/object context.
Buggy code:
async function deleteTokenSecure() {
  this.handleSecureLogin('delete'); // 💥 TypeError in strict mode
}
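The following is an added example, not the project's code or its fix: it reproduces the `this` failure described in the root cause and shows one receiver-independent alternative, plus a caller that surfaces the rejection instead of losing it in the async chain. `makeSecureTokenStorage`, `makeFakeHandler`, `tryLogout`, `demo`, the `'save'`/`'get'` action names and the token value are hypothetical; only `deleteTokenSecure` and `handleSecureLogin('delete')` come from the report.

```javascript
// Pattern from the issue: a standalone async function that reads `this`.
async function deleteTokenSecure() {
  'use strict'; // bundled modules are already strict; stated so the snippet behaves the same anywhere
  this.handleSecureLogin('delete'); // no receiver, so `this` is undefined
}

// Alternative (hypothetical factory): the handler is captured in a closure,
// so the returned functions work however the caller invokes them.
function makeSecureTokenStorage(handleSecureLogin) {
  if (typeof handleSecureLogin !== 'function') {
    throw new TypeError('handleSecureLogin must be a function');
  }
  // 'save' and 'get' are assumed action names; only 'delete' is in the report.
  return {
    saveToken: async (token) => handleSecureLogin('save', token),
    getToken: async () => handleSecureLogin('get'),
    deleteToken: async () => handleSecureLogin('delete'),
  };
}

// Constructed in-memory handler standing in for the real secure backend.
function makeFakeHandler() {
  let stored = null;
  return async (action, token) => {
    if (action === 'save') stored = token;
    if (action === 'delete') stored = null;
    return stored;
  };
}

// Awaits the storage call and reports a failure to the caller, so the UI
// has something to display instead of a silently rejected promise.
async function tryLogout(deleteToken) {
  try {
    await deleteToken();
    return { ok: true, errorName: null };
  } catch (err) {
    return { ok: false, errorName: err.name };
  }
}

async function demo() {
  const buggy = await tryLogout(deleteTokenSecure); // called as a bare reference
  const storage = makeSecureTokenStorage(makeFakeHandler());
  await storage.saveToken('constructed-token');
  const { getToken, deleteToken } = storage; // destructuring drops any receiver
  const before = await getToken();
  const fixed = await tryLogout(deleteToken);
  return { buggy, before, fixed, after: await getToken() };
}
```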