feat: add consent screen #2420

Open
lionellbriones wants to merge 8 commits into master from feat/add-consent-screen

@lionellbriones lionellbriones commented Mar 26, 2026

Motivation and Context

Introduces a consent gate that requires users to accept Terms and Conditions / Privacy Policy before completing the login flow. When consentRequired is enabled in uiConfig (along with tncLink and privacyPolicy URLs), the SDK pauses after wallet connection and prompts the user to accept or decline before proceeding.

Jira Link:
https://consensyssoftware.atlassian.net/browse/EMBED-80

Description

New Connector Status: CONSENT_REQUIRED

  • Added CONSENT_REQUIRED to CONNECTOR_STATUS and CONNECTOR_EVENTS constants.
  • Defined CAN_LOGOUT_STATUSES to allow logout from the consent-required state.
  • Extended ConnectorEvents and Web3AuthNoModalEvents typings with the new event.

Core SDK (no-modal)

  • Web3AuthNoModal: Added consentRequired flag, pendingConnectedData, and pendingAuthorizedData fields to buffer connection/authorization data while awaiting user consent.
  • connectToConnector: When consent is required, the connected event handler now emits CONSENT_REQUIRED instead of CONNECTED, and buffers the AUTHORIZED event data.
  • acceptConsent(): New public method that resumes the login flow — transitions status from CONSENT_REQUIRED to CONNECTED/AUTHORIZED, connects plugins, and emits buffered events.
  • logout(): Updated to allow logout from CONSENT_REQUIRED state, clearing any pending data.
  • SSR rehydration: Respects consentRequired when restoring status from idToken.

Modal Manager (modal)

  • Reads consentRequired, privacyPolicy, and tncLink from uiConfig in the constructor.
  • Wires up onAcceptConsent and onDeclineConsent callbacks to LoginModal.
  • onAcceptConsent calls acceptConsent(); onDeclineConsent calls logout() and closes the modal.

UI Components (modal UI layer)

  • LoginModal: Listens for the CONSENT_REQUIRED connector event and transitions modal to consent status. Exposes consentRequired flag. Forwards accept/decline handlers.
  • WidgetContext: Added handleAcceptConsent and handleDeclineConsent to the widget context.
  • Root: Passes consent handlers and TnC/privacy links to the Loader. Hides footer links when consent screen is active.
  • Loader: New ConsentRequiredStatus sub-component renders the consent UI with accept/decline buttons, TnC link, and privacy policy link. Shown when modalStatus === CONSENT_REQUIRED.

How has this been tested?

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My code follows the code style of this project. (run lint)
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • My code requires a db migration.

Note

Medium Risk
Introduces a new CONSENT_REQUIRED state that buffers connection/authorization events until user action, changing the core login state machine and event ordering. Risk is mainly around regressions in connect/authorize/logout flows (including SSR rehydration) and modal UX transitions.

Overview
Adds an optional consent-gated login flow: when uiConfig.consentRequired is enabled (with privacyPolicy and tncLink), the SDK pauses after a wallet connects and emits a new CONSENT_REQUIRED status/event instead of completing login.

In no-modal, this introduces CONNECTOR_STATUS.CONSENT_REQUIRED, allows logout() from that state, buffers CONNECTED/AUTHORIZED payloads, and adds acceptConsent() to resume by emitting the buffered events and connecting plugins (with special handling for SSR rehydration and suppressing AUTHORIZING/AUTHORIZED emissions while pending consent).

In modal, the manager wires accept/decline callbacks (acceptConsent() vs logout()+close), the UI adds a consent screen in Loader and routes handlers via context/root, and the footer links are hidden while the consent screen is active. (Note: modalManager.init currently force-enables consent and injects example policy URLs behind a TODO test override.)

Written by Cursor Bugbot for commit 95d0da7. This will update automatically on new commits.
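
The buffering behaviour described in this pull request, modeled as an added example (not code from the PR or the SDK). ConsentGate, its members and the lowercase status strings are hypothetical, and SSR rehydration and plugin connection are left out. It shows the invariants a reviewer would test: nothing but the gate event is emitted before consent, and declining clears the buffered payloads.

```typescript
// Added illustration: a minimal model of the consent gate, not the SDK's code.
// ConsentGate and its members are hypothetical; behaviour follows the PR text.
type Status = "ready" | "consent_required" | "connected" | "authorized";
type Emitted = { event: string; data?: unknown };

class ConsentGate {
  status: Status = "ready";
  readonly emitted: Emitted[] = []; // stands in for the SDK's event emitter
  private pendingConnected: unknown = null;
  private pendingAuthorized: unknown = null;
  private readonly consentRequired: boolean;
  constructor(consentRequired: boolean) { this.consentRequired = consentRequired; }

  onConnected(data: unknown): void {
    if (this.consentRequired) {
      this.pendingConnected = data; // hold the payload, emit only the gate event
      this.status = "consent_required";
      this.emitted.push({ event: "consent_required" });
      return;
    }
    this.status = "connected";
    this.emitted.push({ event: "connected", data });
  }

  onAuthorized(data: unknown): void {
    if (this.status === "consent_required") {
      this.pendingAuthorized = data; // suppressed until consent is given
      return;
    }
    this.status = "authorized";
    this.emitted.push({ event: "authorized", data });
  }

  acceptConsent(): void {
    if (this.status !== "consent_required") throw new Error("no consent pending");
    const connected = this.pendingConnected;
    const authorized = this.pendingAuthorized;
    this.pendingConnected = this.pendingAuthorized = null;
    this.status = "connected";
    this.emitted.push({ event: "connected", data: connected });
    if (authorized !== null) this.onAuthorized(authorized); // replay in order
  }

  logout(): void { // decline path: buffered payloads must not outlive the session
    this.pendingConnected = this.pendingAuthorized = null;
    this.status = "ready";
    this.emitted.push({ event: "disconnected" });
  }
  hasPending(): boolean { return this.pendingConnected !== null || this.pendingAuthorized !== null; }
}
```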

vercel bot commented Mar 26, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
web3auth-web | Ready | Preview, Comment | Apr 2, 2026 3:58am

// TODO: remove override — testing consent flow
(this.options.uiConfig as Record<string, unknown>).consentRequired = true;
if (!this.options.uiConfig.privacyPolicy) this.options.uiConfig.privacyPolicy = "https://example.com/privacy";
if (!this.options.uiConfig.tncLink) this.options.uiConfig.tncLink = "https://example.com/terms";
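
Review bot: the cast on the second line, "(this.options.uiConfig as Record<string, unknown>).consentRequired = true", writes the flag around the declared uiConfig type, which suggests consentRequired is not yet a typed field there; declare it on the uiConfig type so assignments and reads are checked instead of cast. Separately, the two fallback lines fill privacyPolicy and tncLink with example.com URLs when they are missing, so a consent screen can be shown with links that are not the integrator's own documents. When consentRequired is true and either link is absent, init should reject the configuration or skip the consent gate rather than substitute a default.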

Accidentally committed test code forces consent for all users

High Severity

Debug override left in the init() method unconditionally forces consentRequired to true and sets dummy privacyPolicy and tncLink URLs pointing to example.com for every user. The TODO: remove override comment confirms this is test scaffolding. Every user initializing the modal SDK will be blocked by a consent screen with fake links, breaking the normal login flow entirely.

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 3 total unresolved issues (including 2 from previous reviews).
