[Bug] Math.random() used for SIWE nonce in Wagmi setup example — not cryptographically secure

## Description
The Wagmi integration setup example uses `Math.random()` to generate 
a SIWE (Sign-In With Ethereum) nonce:

```js
const clientNonce =
  Math.random().toString(36).substring(2, 15) +
  Math.random().toString(36).substring(2, 15);
```

`Math.random()` is not cryptographically secure and should never be 
used for SIWE nonces. A predictable nonce can be exploited to perform 
replay attacks.

## Impact
- Developers copying this example will implement insecure SIWE flows
- Predictable nonces can be exploited for replay attacks
- Contradicts the `authenticate-users` guide which already uses 
`crypto.randomUUID()`

## Suggested Fix
Replace with `crypto.randomUUID()`:

```js
const clientNonce = crypto.randomUUID();
```

✅ Cryptographically secure (Web Crypto API)
✅ Available in all modern browsers and Node.js 14.17+
✅ Consistent with existing `authenticate-users` guide

## References
- Related PR: https://github.com/base/docs/pull/1398
- Related issue: https://github.com/base/docs/issues/1390

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Bug] Math.random() used for SIWE nonce in Wagmi setup example — not cryptographically secure #1477

Description

Impact

Suggested Fix

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Bug] Math.random() used for SIWE nonce in Wagmi setup example — not cryptographically secure #1477

Description

Description

Impact

Suggested Fix

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions