Skip to content

Viem Migration - Upgrade wagmi and handling different tabs wallet connection#7467

Open
lgahdl wants to merge 53 commits intorelease/28-04-2026from
fix/diff-tabs-upgrade-wagmi
Open

Viem Migration - Upgrade wagmi and handling different tabs wallet connection#7467
lgahdl wants to merge 53 commits intorelease/28-04-2026from
fix/diff-tabs-upgrade-wagmi

Conversation

@lgahdl
Copy link
Copy Markdown
Collaborator

@lgahdl lgahdl commented May 7, 2026
edited by coderabbitai Bot
Loading

Summary

Fixes connection issues when the app is opened in Safe and in a cross-origin iframe (widget standalone mode).

Three separate problems are fixed:

  1. Safe App iframe blink / disconnect — When the user switches wallets or disconnects in a regular browser tab, the Safe App iframe would blink or lose its connection. AppKit is now skipped entirely in Safe App iframes (plain wagmi config with only the Safe connector), and @appkit/* localStorage keys are redirected to sessionStorage for all cross-origin iframes so storage events don't leak across contexts.

  2. Tab isolation — Connecting or disconnecting a wallet in Tab A was affecting Tab B. A new providerIsolation.ts module wraps every EIP-1193 provider (both EIP-6963 and legacy window.ethereum) to block wallet_revokePermissions (which revokes permissions for the entire origin, not just the current tab) and filter accountsChanged events so they only fire in the tab where the wallet is active.

  3. Widget standalone "Connection declined" on first Rabby connect — When the widget reloads, wagmi restores a stale connector UID from localStorage. AppKit's reconnect falls back to connect() without isReconnecting: true, firing eth_requestAccounts as a background call. A manual wallet connect click then triggers a second request, causing Rabby (and other strict wallets) to decline it. Fixed by disabling enableReconnect in the widget context.

Also upgrades wagmi, @wagmi/core, and @wagmi/connectors to their latest versions.

To Test

  1. Open the app normally in two browser tabs with the same wallet (e.g. Rabby)

    • Connecting in Tab A should not auto-connect Tab B
    • Disconnecting in Tab A should not disconnect Tab B

  2. Open the app as a Safe App (inside app.safe.global)

    • Switching wallets or disconnecting in a regular tab should not cause the Safe iframe to blink or lose connection
    • The Safe App should connect automatically via the Safe connector

  3. Open the widget configurator in standalone mode (localhost:4200)

    • Connecting Rabby on the first attempt (fresh page load, no prior MetaMask connection) should succeed without "Connection declined"
    • Connecting MetaMask should also work normally

Background

The root cause of the Safe iframe blink was AppKit writing to localStorage under @appkit/* keys — those writes fire storage events in all same-origin iframes, including the Safe App frame. Redirecting those writes to sessionStorage inside cross-origin iframes isolates the storage state per context.

The wallet_revokePermissions issue is a wagmi behaviour: on disconnect, wagmi calls this method to clear wallet state, but the method revokes permissions for the entire origin (all tabs share the same permission grant). Blocking it at the provider level while keeping shimDisconnect: true is sufficient — shimDisconnect prevents reconnect on next page load without touching origin-wide permissions.

Summary by CodeRabbit

  • Bug Fixes

    • Improved wallet connection handling during widget mode transitions
    • Enhanced provider event listener cleanup to prevent stale connections
    • Fixed wallet disconnection flow when switching between standalone and dapp modes

  • New Features

    • Added improved wallet state isolation for better multi-tab stability
    • Enhanced session storage handling for wallet connector state

  • Tests

    • Improved swap functionality test reliability with explicit default value verification

  • Chores

    • Updated blockchain wallet library dependencies for compatibility and stability

shoom3301 and others added 30 commits April 29, 2026 15:23
@shoom3301
fix(widget): fix ready event listener
092654f
@shoom3301
fix(widget): support cow widget with WidgetEthereumProvider
1b501b2
@shoom3301
chore: sync wagmi versions
d3a263d
@shoom3301
chore: dedupe wagmi
0e46e45
@shoom3301
fix: fix standaloneMode
7b6b8a4
@lgahdl
fix: not connecting safe on widget-configurator
50df8f9
@lgahdl
fix: removing cow wallet from wallets list
d0d76ad
@shoom3301 @github-actions @limitofzero
chore: update sdk and simplify deps (#7414)
9aa3951 
* chore: update sdk and simplify deps

* chore(i18n): extract i18n strings [automatic]

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Denis Makarov <limitofzero@gmail.com>
@lgahdl
Merge commit '9aa39511cb5c9b7176665fbc593ba8f302cd96e2' into fix/widg…
394d634 
…et-viem

# Conflicts:
#	pnpm-lock.yaml
@lgahdl
fix: fixing wallet connection in dapp mode;
31b9d09
@lgahdl
Merge commit '1e10bed15efd07ff0a313fd6b555518b308ce950' into fix/widg…
731bf42 
…et-viem
@brunota20
fix(wallet): isolate safe and regular contexts
fa92763
@lgahdl
fix(wallet): prevent Safe iframe from disconnecting browser tab via w…
31cc1e4 
…allet_revokePermissions

When SafeConnectionHandler switched from the injected connector to the safe
connector inside a Safe App iframe, it called wagmi's disconnect() which
internally calls wallet_revokePermissions on MetaMask. Since MetaMask manages
permissions per origin (not per tab), this revoked the eth_accounts permission
for the entire localhost:3000 origin, causing any open browser tab at that
URL to lose its wallet connection.

Fix: write the shimDisconnect storage flag directly instead of calling
disconnect(). This prevents the connector from being reconnected on next load
without touching MetaMask's global permissions. The connectSafeInIframe effect
still runs and makes the safe connector the active connection.

Also introduce IS_CROSS_ORIGIN_IFRAME — a one-time check that distinguishes
genuine cross-origin iframes (Safe App) from same-origin ones (browser
extensions like Loom or 1Password that also run inside iframes). This ensures
SafeConnectionHandler only activates in actual cross-origin contexts.
@elena-zh
Merge branch 'release/28-04-2026' into bruno/cow-925-connection-issue…
8f17fad 
…s-when-the-app-is-opened-in-safe-and-in-a
@elena-zh
Merge branch 'release/28-04-2026' into fix/widget-viem
ad8165b
@brunota20
fix: isolate iframe and regular tabs on storage
fa9f70c
@brunota20
fix(wallet): eliminate safe iframe blink when switching wallets in re…
aace492 
…gular tab
@fairlighteth @github-actions
feat: add AffiliateFeedbackButton (#7431)
74d8348 
* feat: add AffiliateFeedbackButton

Co-authored-by: Copilot <copilot@github.com>

* chore(i18n): extract i18n strings [automatic]

* fix: adjust Wrapper styling for AffiliateFeedbackButton

* feat: update affiliate feedback button text and add tests for account page

* feat: enhance affiliate feedback button logic and integrate wallet status checks

* feat: add font size to affiliate feedback button styles

---------

Co-authored-by: Copilot <copilot@github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@brunota20
fix(wallet): remove injected iframe from safe
0d9b86e
@brunota20
fix(wallet): skip AppKit in Safe iframe to eliminate cross-tab interf…
36292eb 
…erence
@brunota20
Merge remote-tracking branch 'origin/develop' into bruno/cow-925-conn…
c7ffaef 
…ection-issues-when-the-app-is-opened-in-safe-and-in-a
@brunota20
Merge remote-tracking branch 'origin/release/28-04-2026' into bruno/c…
626d8d7 
…ow-925-connection-issues-when-the-app-is-opened-in-safe-and-in-a
@lgahdl
fix(wallet): disable AppKit in Safe App iframes to prevent postMessag…
b6ff9d5 
…e conflicts
@lgahdl
chore: removing unused log
bd203ed
@lgahdl
Merge commit '0e40b3503cf3030cd24b105e3ce67a72a8c798e6' into fix/widg…
6945389 
…et-viem

# Conflicts:
#	apps/cowswap-frontend/package.json
#	libs/wallet/package.json
#	pnpm-lock.yaml
@lgahdl
chore: updating pnpm-lock.yaml
8286f8f
@brunota20 @lgahdl
Merge remote-tracking branch 'origin/release/28-04-2026' into bruno/c…
e6d7656 
…ow-925-connection-issues-when-the-app-is-opened-in-safe-and-in-a
@lgahdl
fix(wallet): resolve merge conflicts — conditional AppKit, widget rec…
5f92dbc 
…onnect
@lgahdl
Merge branch 'fix/widget-viem' into bruno/cow-925-connection-issues-w…
7dc8f05 
…hen-the-app-is-opened-in-safe-and-in-a
@lgahdl
chore: updating pnpm-lock;
3b28737
alfetopito
alfetopito reviewed May 8, 2026
View reviewed changes
Comment thread libs/iframe-transport/src/iframeRpcProvider/IframeRpcProviderBridge.ts Outdated
alfetopito
alfetopito reviewed May 8, 2026
View reviewed changes
Comment thread libs/iframe-transport/src/iframeRpcProvider/WidgetEthereumProvider.ts
alfetopito
alfetopito reviewed May 8, 2026
View reviewed changes
Comment thread libs/wallet/src/wagmi/config.ts
alfetopito
alfetopito reviewed May 8, 2026
View reviewed changes
Comment thread libs/wallet/src/wagmi/providerIsolation.ts
@lgahdl
Copy link
Copy Markdown
Collaborator Author

lgahdl commented May 8, 2026

@coderabbitai review

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented May 8, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@lgahdl lgahdl requested a review from limitofzero May 8, 2026 17:56
@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 8, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedtslib@​2.8.110010010085100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alfetopito alfetopito alfetopito left review comments

@brunota20 brunota20 brunota20 left review comments

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@limitofzero limitofzero limitofzero approved these changes

@elena-zh elena-zh elena-zh approved these changes

Assignees

@lgahdl lgahdl

@brunota20 brunota20

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@lgahdl @yvesfracari @alfetopito @limitofzero @elena-zh @brunota20 @shoom3301 @fairlighteth