Summary of What Needs to be Done
Remove the module-level setInterval from src/utils/signatureValidator.js that runs every 60 seconds to prune expired nonces from the usedNonces Map. The interval is never cleared, and in browsers the unref() call has no effect, so the timer runs for the lifetime of the page. Replace it with lazy on-demand pruning inside validateSignature.
Changes
- Remove the module-level cleanupInterval setInterval
- Add a pruneExpiredNonces() helper that removes entries older than MAX_REQUEST_AGE_MS
- Call pruneExpiredNonces() once per validateSignature invocation to keep the nonce Map bounded at no extra cost
Impact
Severity: Medium — Long-running SPA sessions accumulate orphaned timer references. In apps that stay open for hours/days, the interval continues firing even after the signature validator is no longer needed.
Please assign this task to me.
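The lazy pruning proposed in this issue, as an added example that is not the project's code: `usedNonces`, `pruneExpiredNonces` and `MAX_REQUEST_AGE_MS` are the names from the issue, while `checkReplay`, the injected `now` argument and the five-minute window are assumptions made for illustration. It shows why the pruning age must match the timestamp freshness window, so that a nonce is never forgotten while its request would still be accepted.

```javascript
// Added example, not the project's code.
const MAX_REQUEST_AGE_MS = 5 * 60 * 1000; // assumed value; the issue gives none

// nonce -> local time it was first accepted (ms). A Map iterates in insertion
// order, so the oldest entries come first while the clock does not go backwards.
const usedNonces = new Map();

// Remove nonces accepted more than MAX_REQUEST_AGE_MS ago. The loop stops at
// the first live entry, so each call costs only the number of expired entries.
function pruneExpiredNonces(now) {
  let removed = 0;
  for (const [nonce, seenAt] of usedNonces) {
    if (now - seenAt <= MAX_REQUEST_AGE_MS) break;
    usedNonces.delete(nonce); // deleting the current entry mid-iteration is safe
    removed += 1;
  }
  return removed;
}

// Hypothetical stand-in for the replay-check part of validateSignature.
// Call it after the signature itself has verified, so that unauthenticated
// requests cannot add entries to the Map.
function checkReplay(nonce, timestampMs, now = Date.now()) {
  pruneExpiredNonces(now);
  const age = now - timestampMs;
  // Rejecting future timestamps guarantees timestampMs <= seenAt, so by the
  // time a nonce is pruned its request is already too old to pass this check.
  if (!Number.isFinite(age) || age < 0 || age > MAX_REQUEST_AGE_MS) {
    return { ok: false, reason: 'timestamp-outside-window' };
  }
  if (typeof nonce !== 'string' || nonce.length === 0) {
    return { ok: false, reason: 'missing-nonce' };
  }
  if (usedNonces.has(nonce)) {
    return { ok: false, reason: 'replayed-nonce' };
  }
  usedNonces.set(nonce, now);
  return { ok: true, reason: null };
}
```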