@0xsequence/wallet-wdk 3.0.1 → 3.0.3

package/src/sequence/wallets.ts

@@ -3,6 +3,7 @@ import { Config, Constants, Payload } from '@0xsequence/wallet-primitives'
 import { Address, Hex, Provider, RpcTransport } from 'ox'
 import { AuthCommitment } from '../dbs/auth-commitments.js'
 import { AuthCodeHandler } from './handlers/authcode.js'
+import { IdTokenHandler } from './handlers/idtoken.js'
 import { MnemonicHandler } from './handlers/mnemonic.js'
 import { OtpHandler } from './handlers/otp.js'
 import { Shared } from './manager.js'
@@ -13,6 +14,37 @@ import { Wallet, WalletSelectionUiHandler } from './types/wallet.js'
 import { PasskeysHandler } from './handlers/passkeys.js'
 import type { PasskeySigner } from './passkeys-provider.js'
 
+function getSignupHandlerKey(kind: SignupArgs['kind'] | StartSignUpWithRedirectArgs['kind'] | AuthCommitment['kind']) {
+  if (kind === 'google-pkce') {
+    return Kinds.LoginGoogle
+  }
+  if (kind.startsWith('custom-')) {
+    return kind
+  }
+  return 'login-' + kind
+}
+
+function getSignerKindForSignup(kind: SignupArgs['kind'] | AuthCommitment['kind']) {
+  if (kind === 'google-id-token' || kind === 'google-pkce') {
+    return Kinds.LoginGoogle
+  }
+  if (kind.startsWith('custom-')) {
+    return kind
+  }
+  return ('login-' + kind) as string
+}
+
+function getIdTokenSignupHandler(shared: Shared, kind: typeof Kinds.LoginGoogle | `custom-${string}`): IdTokenHandler {
+  const handler = shared.handlers.get(kind)
+  if (!handler) {
+    throw new Error('handler-not-registered')
+  }
+  if (!(handler instanceof IdTokenHandler)) {
+    throw new Error('handler-does-not-support-id-token')
+  }
+  return handler
+}
+
 export type StartSignUpWithRedirectArgs = {
   kind: 'google-pkce' | 'apple' | `custom-${string}`
   target: string
@@ -49,6 +81,11 @@ export type EmailOtpSignupArgs = CommonSignupArgs & {
   email: string
 }
 
+export type IdTokenSignupArgs = CommonSignupArgs & {
+  kind: 'google-id-token' | `custom-${string}`
+  idToken: string
+}
+
 export type CompleteRedirectArgs = CommonSignupArgs & {
   state: string
   code: string
@@ -62,7 +99,12 @@ export type AuthCodeSignupArgs = CommonSignupArgs & {
   isRedirect: boolean
 }
 
-export type SignupArgs = PasskeySignupArgs | MnemonicSignupArgs | EmailOtpSignupArgs | AuthCodeSignupArgs
+export type SignupArgs =
+  | PasskeySignupArgs
+  | MnemonicSignupArgs
+  | EmailOtpSignupArgs
+  | IdTokenSignupArgs
+  | AuthCodeSignupArgs
 
 export type LoginToWalletArgs = {
   wallet: Address.Address
@@ -180,6 +222,7 @@ export interface WalletsInterface {
    *   - `kind: 'mnemonic'`: Uses a mnemonic phrase as the login credential.
    *   - `kind: 'passkey'`: Prompts the user to create a WebAuthn passkey.
    *   - `kind: 'email-otp'`: Initiates an OTP flow to the user's email.
+   *   - `kind: 'google-id-token'`: Completes an OIDC ID token flow when Google is configured with `authMethod: 'id-token'`.
    *   - `kind: 'google-pkce' | 'apple'`: Completes an OAuth redirect flow.
    *   Common options like `noGuard` or `noRecovery` can customize the wallet's security features.
    * @returns A promise that resolves to the address of the newly created wallet, or `undefined` if the sign-up was aborted.
@@ -361,7 +404,11 @@ export function isLoginToPasskeyArgs(args: LoginArgs): args is LoginToPasskeyArg
 }
 
 export function isAuthCodeArgs(args: SignupArgs): args is AuthCodeSignupArgs {
-  return 'kind' in args && (args.kind === 'google-pkce' || args.kind === 'apple')
+  return 'code' in args && 'commitment' in args
+}
+
+export function isIdTokenArgs(args: SignupArgs): args is IdTokenSignupArgs {
+  return 'idToken' in args
 }
 
 function buildCappedTree(members: { address: Address.Address; imageHash?: Hex.Hex }[]): Config.Topology {
@@ -674,9 +721,24 @@ export class Wallets implements WalletsInterface {
         }
       }
 
+      case 'google-id-token': {
+        const handler = getIdTokenSignupHandler(this.shared, Kinds.LoginGoogle)
+        const [signer, metadata] = await handler.completeAuth(args.idToken)
+        const loginEmail = metadata.email
+        this.shared.modules.logger.log('Created new id token signer:', signer.address)
+
+        return {
+          signer,
+          extra: {
+            signerKind: Kinds.LoginGoogle,
+          },
+          loginEmail,
+        }
+      }
+
       case 'google-pkce':
       case 'apple': {
-        const handler = this.shared.handlers.get('login-' + args.kind) as AuthCodeHandler
+        const handler = this.shared.handlers.get(getSignupHandlerKey(args.kind)) as AuthCodeHandler
         if (!handler) {
           throw new Error('handler-not-registered')
         }
@@ -688,7 +750,7 @@ export class Wallets implements WalletsInterface {
         return {
           signer,
           extra: {
-            signerKind: 'login-' + args.kind,
+            signerKind: getSignerKindForSignup(args.kind),
           },
           loginEmail,
         }
@@ -696,7 +758,18 @@ export class Wallets implements WalletsInterface {
     }
 
     if (args.kind.startsWith('custom-')) {
-      // TODO: support other custom auth methods (e.g. id-token)
+      if (isIdTokenArgs(args)) {
+        const handler = getIdTokenSignupHandler(this.shared, args.kind)
+        const [signer, metadata] = await handler.completeAuth(args.idToken)
+        return {
+          signer,
+          extra: {
+            signerKind: args.kind,
+          },
+          loginEmail: metadata.email,
+        }
+      }
+
       const handler = this.shared.handlers.get(args.kind) as AuthCodeHandler
       if (!handler) {
         throw new Error('handler-not-registered')
@@ -716,11 +789,14 @@ export class Wallets implements WalletsInterface {
   }
 
   async startSignUpWithRedirect(args: StartSignUpWithRedirectArgs) {
-    const kind = args.kind.startsWith('custom-') ? args.kind : 'login-' + args.kind
-    const handler = this.shared.handlers.get(kind) as AuthCodeHandler
+    const kind = getSignupHandlerKey(args.kind)
+    const handler = this.shared.handlers.get(kind)
     if (!handler) {
       throw new Error('handler-not-registered')
     }
+    if (!(handler instanceof AuthCodeHandler)) {
+      throw new Error('handler-does-not-support-redirect')
+    }
     return handler.commitAuth(args.target, true)
   }
 
@@ -742,11 +818,14 @@ export class Wallets implements WalletsInterface {
         use4337: args.use4337,
       })
     } else {
-      const kind = commitment.kind.startsWith('custom-') ? commitment.kind : 'login-' + commitment.kind
-      const handler = this.shared.handlers.get(kind) as AuthCodeHandler
+      const handlerKind = getSignupHandlerKey(commitment.kind)
+      const handler = this.shared.handlers.get(handlerKind)
       if (!handler) {
         throw new Error('handler-not-registered')
       }
+      if (!(handler instanceof AuthCodeHandler)) {
+        throw new Error('handler-does-not-support-redirect')
+      }
 
       await handler.completeAuth(commitment, args.code)
     }

package/test/authcode-pkce.test.ts

@@ -326,7 +326,7 @@ describe('AuthCodePkceHandler', () => {
 
   describe('Integration and Edge Cases', () => {
     it('Should have correct kind property', () => {
-      expect(handler.kind).toBe('login-google-pkce')
+      expect(handler.kind).toBe('login-google')
     })
 
     it('Should handle redirect URI configuration', () => {

package/test/authcode.test.ts

@@ -188,7 +188,7 @@ describe('AuthCodeHandler', () => {
   // === KIND GETTER ===
 
   describe('kind getter', () => {
-    it('Should return login-google-pkce for Google PKCE handler', () => {
+    it('Should return login-google for Google PKCE handler', () => {
       const googleHandler = new AuthCodeHandler(
         'google-pkce',
         'https://accounts.google.com',
@@ -200,7 +200,7 @@ describe('AuthCodeHandler', () => {
         mockAuthKeys,
       )
 
-      expect(googleHandler.kind).toBe('login-google-pkce')
+      expect(googleHandler.kind).toBe('login-google')
     })
 
     it('Should return login-apple for Apple handler', () => {

package/test/identity-auth-dbs.test.ts

@@ -351,9 +351,48 @@ describe('Identity Authentication Databases', () => {
         },
       })
 
-      // Verify that Google handler is registered and uses our databases
+      // Verify that Google is registered under the canonical signer kind while
+      // still using the PKCE flow by default.
       const handlers = (manager as any).shared.handlers
-      expect(handlers.has('login-google-pkce')).toBe(true)
+      expect(handlers.has('login-google')).toBe(true)
+      expect(handlers.has('login-google-pkce')).toBe(false)
+    })
+
+    it('Should register the Google ID token handler when configured explicitly', async () => {
+      manager = new Manager({
+        stateProvider: new State.Local.Provider(new State.Local.IndexedDbStore(`manager-google-idtoken-${Date.now()}`)),
+        networks: [
+          {
+            name: 'Test Network',
+            type: Network.NetworkType.MAINNET,
+            rpcUrl: LOCAL_RPC_URL,
+            chainId: Network.ChainId.ARBITRUM,
+            blockExplorer: { url: 'https://arbiscan.io' },
+            nativeCurrency: {
+              name: 'Ether',
+              symbol: 'ETH',
+              decimals: 18,
+            },
+          },
+        ],
+        relayers: [],
+        authCommitmentsDb,
+        authKeysDb,
+        identity: {
+          url: 'https://dev-identity.sequence-dev.app',
+          fetch: window.fetch,
+          google: {
+            enabled: true,
+            clientId: 'test-google-client-id',
+            authMethod: 'id-token',
+          },
+        },
+      })
+
+      const handlers = (manager as any).shared.handlers
+      expect(handlers.has('login-google-id-token')).toBe(false)
+      expect(handlers.has('login-google')).toBe(true)
+      expect(handlers.has('login-google-pkce')).toBe(false)
     })
 
     it('Should use auth databases when email authentication is enabled', async () => {
@@ -424,5 +463,50 @@ describe('Identity Authentication Databases', () => {
       const handlers = (manager as any).shared.handlers
       expect(handlers.has('login-apple')).toBe(true)
     })
+
+    it('Should register custom ID token providers without enabling redirect flow for them', async () => {
+      manager = new Manager({
+        stateProvider: new State.Local.Provider(new State.Local.IndexedDbStore(`manager-custom-idtoken-${Date.now()}`)),
+        networks: [
+          {
+            name: 'Test Network',
+            type: Network.NetworkType.MAINNET,
+            rpcUrl: LOCAL_RPC_URL,
+            chainId: Network.ChainId.ARBITRUM,
+            blockExplorer: { url: 'https://arbiscan.io' },
+            nativeCurrency: {
+              name: 'Ether',
+              symbol: 'ETH',
+              decimals: 18,
+            },
+          },
+        ],
+        relayers: [],
+        authCommitmentsDb,
+        authKeysDb,
+        identity: {
+          url: 'https://dev-identity.sequence-dev.app',
+          fetch: window.fetch,
+          customProviders: [
+            {
+              kind: 'custom-google-native',
+              authMethod: 'id-token',
+              issuer: 'https://accounts.google.com',
+              clientId: 'test-google-client-id',
+            },
+          ],
+        },
+      })
+
+      const handlers = (manager as any).shared.handlers
+      expect(handlers.has('custom-google-native')).toBe(true)
+      await expect(
+        manager.wallets.startSignUpWithRedirect({
+          kind: 'custom-google-native',
+          target: '/home',
+          metadata: {},
+        }),
+      ).rejects.toThrow('handler-does-not-support-redirect')
+    })
   })
 })

package/test/identity-signer.test.ts

@@ -13,7 +13,7 @@ const mockCryptoSubtle = {
   exportKey: vi.fn(),
 }
 
-Object.defineProperty(global, 'window', {
+Object.defineProperty(globalThis, 'window', {
   value: {
     crypto: {
       subtle: mockCryptoSubtle,

package/test/idtoken.test.ts

@@ -0,0 +1,327 @@
+import { afterEach, beforeEach, describe, expect, it, Mock, vi } from 'vitest'
+import { Address, Hex } from 'ox'
+import { Network, Payload } from '@0xsequence/wallet-primitives'
+import { IdentityInstrument, IdentityType } from '@0xsequence/identity-instrument'
+import { IdTokenHandler, PromptIdTokenHandler } from '../src/sequence/handlers/idtoken.js'
+import { Signatures } from '../src/sequence/signatures.js'
+import * as Db from '../src/dbs/index.js'
+import { IdentitySigner } from '../src/identity/signer.js'
+import { BaseSignatureRequest } from '../src/sequence/types/signature-request.js'
+import { Kinds } from '../src/sequence/types/signer.js'
+
+describe('IdTokenHandler', () => {
+  let idTokenHandler: IdTokenHandler
+  let mockNitroInstrument: IdentityInstrument
+  let mockSignatures: Signatures
+  let mockAuthKeys: Db.AuthKeys
+  let mockIdentitySigner: IdentitySigner
+  let testWallet: Address.Address
+  let testRequest: BaseSignatureRequest
+  let mockPromptIdToken: Mock<PromptIdTokenHandler>
+
+  beforeEach(() => {
+    vi.clearAllMocks()
+
+    testWallet = '0x1234567890123456789012345678901234567890' as Address.Address
+
+    mockNitroInstrument = {
+      commitVerifier: vi.fn(),
+      completeAuth: vi.fn(),
+    } as unknown as IdentityInstrument
+
+    mockSignatures = {
+      addSignature: vi.fn(),
+    } as unknown as Signatures
+
+    mockAuthKeys = {
+      set: vi.fn(),
+      get: vi.fn(),
+      del: vi.fn(),
+      delBySigner: vi.fn(),
+      getBySigner: vi.fn(),
+      addListener: vi.fn(),
+    } as unknown as Db.AuthKeys
+
+    mockIdentitySigner = {
+      address: testWallet,
+      sign: vi.fn(),
+    } as unknown as IdentitySigner
+
+    testRequest = {
+      id: 'test-request-id',
+      envelope: {
+        wallet: testWallet,
+        chainId: Network.ChainId.ARBITRUM,
+        payload: Payload.fromMessage(Hex.fromString('Test message')),
+      },
+    } as BaseSignatureRequest
+
+    mockPromptIdToken = vi.fn()
+
+    idTokenHandler = new IdTokenHandler(
+      'google-id-token',
+      'https://accounts.google.com',
+      'test-google-client-id',
+      mockNitroInstrument,
+      mockSignatures,
+      mockAuthKeys,
+    )
+
+    vi.spyOn(idTokenHandler as any, 'nitroCommitVerifier').mockResolvedValue({
+      verifier: 'unused-verifier',
+      loginHint: '',
+      challenge: '',
+    })
+
+    vi.spyOn(idTokenHandler as any, 'nitroCompleteAuth').mockResolvedValue({
+      signer: mockIdentitySigner,
+      email: 'user@example.com',
+    })
+  })
+
+  afterEach(() => {
+    vi.resetAllMocks()
+  })
+
+  describe('Constructor', () => {
+    it('Should create IdTokenHandler with correct properties', () => {
+      const handler = new IdTokenHandler(
+        'google-id-token',
+        'https://accounts.google.com',
+        'test-google-client-id',
+        mockNitroInstrument,
+        mockSignatures,
+        mockAuthKeys,
+      )
+
+      expect(handler.signupKind).toBe('google-id-token')
+      expect(handler.issuer).toBe('https://accounts.google.com')
+      expect(handler.audience).toBe('test-google-client-id')
+      expect(handler.identityType).toBe(IdentityType.OIDC)
+      expect(handler.kind).toBe(Kinds.LoginGoogle)
+    })
+
+    it('Should initialize without a registered UI callback', () => {
+      expect(idTokenHandler['onPromptIdToken']).toBeUndefined()
+    })
+  })
+
+  describe('UI Registration', () => {
+    it('Should register ID token UI callback', () => {
+      const unregister = idTokenHandler.registerUI(mockPromptIdToken)
+
+      expect(idTokenHandler['onPromptIdToken']).toBe(mockPromptIdToken)
+      expect(typeof unregister).toBe('function')
+    })
+
+    it('Should unregister UI callback when returned function is called', () => {
+      const unregister = idTokenHandler.registerUI(mockPromptIdToken)
+      expect(idTokenHandler['onPromptIdToken']).toBe(mockPromptIdToken)
+
+      unregister()
+
+      expect(idTokenHandler['onPromptIdToken']).toBeUndefined()
+    })
+
+    it('Should unregister UI callback directly', () => {
+      idTokenHandler.registerUI(mockPromptIdToken)
+      expect(idTokenHandler['onPromptIdToken']).toBe(mockPromptIdToken)
+
+      idTokenHandler.unregisterUI()
+
+      expect(idTokenHandler['onPromptIdToken']).toBeUndefined()
+    })
+
+    it('Should allow multiple registrations by overwriting the previous callback', () => {
+      const secondCallback = vi.fn()
+
+      idTokenHandler.registerUI(mockPromptIdToken)
+      expect(idTokenHandler['onPromptIdToken']).toBe(mockPromptIdToken)
+
+      idTokenHandler.registerUI(secondCallback)
+
+      expect(idTokenHandler['onPromptIdToken']).toBe(secondCallback)
+    })
+  })
+
+  describe('completeAuth()', () => {
+    it('Should complete auth using an OIDC ID token challenge', async () => {
+      const idToken = 'eyJhbGciOiJub25lIn0.eyJleHAiOjQxMDI0NDQ4MDB9.'
+
+      const [signer, metadata] = await idTokenHandler.completeAuth(idToken)
+
+      expect(idTokenHandler['nitroCommitVerifier']).toHaveBeenCalledWith(
+        expect.objectContaining({
+          issuer: 'https://accounts.google.com',
+          audience: 'test-google-client-id',
+          idToken,
+        }),
+      )
+      expect(idTokenHandler['nitroCompleteAuth']).toHaveBeenCalledWith(
+        expect.objectContaining({
+          issuer: 'https://accounts.google.com',
+          audience: 'test-google-client-id',
+          idToken,
+        }),
+      )
+      expect(signer).toBe(mockIdentitySigner)
+      expect(metadata).toEqual({ email: 'user@example.com' })
+    })
+  })
+
+  describe('getSigner()', () => {
+    it('Should throw when UI is not registered', async () => {
+      await expect(idTokenHandler.getSigner()).rejects.toThrow('id-token-handler-ui-not-registered')
+    })
+
+    it('Should acquire a signer by prompting for a fresh ID token', async () => {
+      const idToken = 'header.payload.signature'
+      const completeAuthSpy = vi
+        .spyOn(idTokenHandler, 'completeAuth')
+        .mockResolvedValue([mockIdentitySigner, { email: 'user@example.com' }])
+
+      mockPromptIdToken.mockImplementation(async (kind, respond) => {
+        expect(kind).toBe('google-id-token')
+        await respond(idToken)
+      })
+
+      idTokenHandler.registerUI(mockPromptIdToken)
+
+      const result = await idTokenHandler.getSigner()
+
+      expect(result).toEqual({
+        signer: mockIdentitySigner,
+        email: 'user@example.com',
+      })
+      expect(completeAuthSpy).toHaveBeenCalledWith(idToken)
+      expect(mockPromptIdToken).toHaveBeenCalledWith('google-id-token', expect.any(Function))
+    })
+
+    it('Should surface authentication failures from completeAuth', async () => {
+      const error = new Error('Authentication failed')
+      vi.spyOn(idTokenHandler, 'completeAuth').mockRejectedValue(error)
+
+      mockPromptIdToken.mockImplementation(async (_kind, respond) => {
+        await respond('header.payload.signature')
+      })
+
+      idTokenHandler.registerUI(mockPromptIdToken)
+
+      await expect(idTokenHandler.getSigner()).rejects.toThrow('Authentication failed')
+    })
+
+    it('Should surface UI callback errors', async () => {
+      mockPromptIdToken.mockRejectedValue(new Error('UI callback failed'))
+      idTokenHandler.registerUI(mockPromptIdToken)
+
+      await expect(idTokenHandler.getSigner()).rejects.toThrow('UI callback failed')
+    })
+  })
+
+  describe('status()', () => {
+    it('Should return ready status when an auth key signer is available', async () => {
+      vi.spyOn(idTokenHandler as any, 'getAuthKeySigner').mockResolvedValue(mockIdentitySigner)
+
+      const status = await idTokenHandler.status(testWallet, undefined, testRequest)
+
+      expect(status.status).toBe('ready')
+      expect(status.handler).toBe(idTokenHandler)
+    })
+
+    it('Should sign the request when ready handle is invoked', async () => {
+      vi.spyOn(idTokenHandler as any, 'getAuthKeySigner').mockResolvedValue(mockIdentitySigner)
+      const signSpy = vi.spyOn(idTokenHandler as any, 'sign').mockResolvedValue(undefined)
+
+      const status = await idTokenHandler.status(testWallet, undefined, testRequest)
+      const handled = await (status as any).handle()
+
+      expect(handled).toBe(true)
+      expect(signSpy).toHaveBeenCalledWith(mockIdentitySigner, testRequest)
+    })
+
+    it('Should return unavailable when no auth key signer exists and UI is not registered', async () => {
+      vi.spyOn(idTokenHandler as any, 'getAuthKeySigner').mockResolvedValue(undefined)
+
+      const status = await idTokenHandler.status(testWallet, undefined, testRequest)
+
+      expect(status).toMatchObject({
+        address: testWallet,
+        handler: idTokenHandler,
+        status: 'unavailable',
+        reason: 'ui-not-registered',
+      })
+    })
+
+    it('Should return actionable when no auth key signer exists and UI is registered', async () => {
+      vi.spyOn(idTokenHandler as any, 'getAuthKeySigner').mockResolvedValue(undefined)
+      idTokenHandler.registerUI(mockPromptIdToken)
+
+      const status = await idTokenHandler.status(testWallet, undefined, testRequest)
+
+      expect(status.status).toBe('actionable')
+      expect(status.address).toBe(testWallet)
+      expect(status.handler).toBe(idTokenHandler)
+      expect((status as any).message).toBe('request-id-token')
+      expect(typeof (status as any).handle).toBe('function')
+    })
+
+    it('Should reacquire the signer when actionable handle is invoked', async () => {
+      vi.spyOn(idTokenHandler as any, 'getAuthKeySigner').mockResolvedValue(undefined)
+      const completeAuthSpy = vi
+        .spyOn(idTokenHandler, 'completeAuth')
+        .mockResolvedValue([mockIdentitySigner, { email: 'user@example.com' }])
+
+      mockPromptIdToken.mockImplementation(async (_kind, respond) => {
+        await respond('header.payload.signature')
+      })
+
+      idTokenHandler.registerUI(mockPromptIdToken)
+
+      const status = await idTokenHandler.status(testWallet, undefined, testRequest)
+      const handled = await (status as any).handle()
+
+      expect(handled).toBe(true)
+      expect(completeAuthSpy).toHaveBeenCalledWith('header.payload.signature')
+    })
+
+    it('Should return false when actionable handle authentication fails', async () => {
+      vi.spyOn(idTokenHandler as any, 'getAuthKeySigner').mockResolvedValue(undefined)
+      vi.spyOn(idTokenHandler, 'completeAuth').mockRejectedValue(new Error('Authentication failed'))
+
+      mockPromptIdToken.mockImplementation(async (_kind, respond) => {
+        await respond('header.payload.signature')
+      })
+
+      idTokenHandler.registerUI(mockPromptIdToken)
+
+      const status = await idTokenHandler.status(testWallet, undefined, testRequest)
+      const handled = await (status as any).handle()
+
+      expect(handled).toBe(false)
+    })
+
+    it('Should return false when actionable handle authenticates the wrong signer', async () => {
+      vi.spyOn(idTokenHandler as any, 'getAuthKeySigner').mockResolvedValue(undefined)
+      const wrongSigner = '0x9999999999999999999999999999999999999999' as Address.Address
+      vi.spyOn(idTokenHandler, 'completeAuth').mockResolvedValue([
+        {
+          ...mockIdentitySigner,
+          address: wrongSigner,
+        } as unknown as IdentitySigner,
+        { email: 'other-user@example.com' },
+      ])
+
+      mockPromptIdToken.mockImplementation(async (_kind, respond) => {
+        await respond('header.payload.signature')
+      })
+
+      idTokenHandler.registerUI(mockPromptIdToken)
+
+      const status = await idTokenHandler.status(testWallet, undefined, testRequest)
+      const handled = await (status as any).handle()
+
+      expect(handled).toBe(false)
+      expect(mockAuthKeys.delBySigner).toHaveBeenCalledWith(wrongSigner)
+    })
+  })
+})