@0xsequence/wallet-wdk 3.0.2 → 3.0.4

package/src/sequence/wallets.ts

@@ -3,6 +3,7 @@ import { Config, Constants, Payload } from '@0xsequence/wallet-primitives'
 import { Address, Hex, Provider, RpcTransport } from 'ox'
 import { AuthCommitment } from '../dbs/auth-commitments.js'
 import { AuthCodeHandler } from './handlers/authcode.js'
+import { IdTokenHandler } from './handlers/idtoken.js'
 import { MnemonicHandler } from './handlers/mnemonic.js'
 import { OtpHandler } from './handlers/otp.js'
 import { Shared } from './manager.js'
@@ -13,6 +14,43 @@ import { Wallet, WalletSelectionUiHandler } from './types/wallet.js'
 import { PasskeysHandler } from './handlers/passkeys.js'
 import type { PasskeySigner } from './passkeys-provider.js'
 
+function getSignupHandlerKey(kind: SignupArgs['kind'] | StartSignUpWithRedirectArgs['kind'] | AuthCommitment['kind']) {
+  if (kind === 'google-pkce') {
+    return Kinds.LoginGoogle
+  }
+  if (kind.startsWith('custom-')) {
+    return kind
+  }
+  return 'login-' + kind
+}
+
+function getSignerKindForSignup(kind: SignupArgs['kind'] | AuthCommitment['kind']) {
+  if (kind === 'google-id-token' || kind === 'google-pkce') {
+    return Kinds.LoginGoogle
+  }
+  if (kind === 'apple-id-token' || kind === 'apple') {
+    return Kinds.LoginApple
+  }
+  if (kind.startsWith('custom-')) {
+    return kind
+  }
+  return ('login-' + kind) as string
+}
+
+function getIdTokenSignupHandler(
+  shared: Shared,
+  kind: typeof Kinds.LoginGoogle | typeof Kinds.LoginApple | `custom-${string}`,
+): IdTokenHandler {
+  const handler = shared.handlers.get(kind)
+  if (!handler) {
+    throw new Error('handler-not-registered')
+  }
+  if (!(handler instanceof IdTokenHandler)) {
+    throw new Error('handler-does-not-support-id-token')
+  }
+  return handler
+}
+
 export type StartSignUpWithRedirectArgs = {
   kind: 'google-pkce' | 'apple' | `custom-${string}`
   target: string
@@ -49,6 +87,11 @@ export type EmailOtpSignupArgs = CommonSignupArgs & {
   email: string
 }
 
+export type IdTokenSignupArgs = CommonSignupArgs & {
+  kind: 'google-id-token' | 'apple-id-token' | `custom-${string}`
+  idToken: string
+}
+
 export type CompleteRedirectArgs = CommonSignupArgs & {
   state: string
   code: string
@@ -62,7 +105,12 @@ export type AuthCodeSignupArgs = CommonSignupArgs & {
   isRedirect: boolean
 }
 
-export type SignupArgs = PasskeySignupArgs | MnemonicSignupArgs | EmailOtpSignupArgs | AuthCodeSignupArgs
+export type SignupArgs =
+  | PasskeySignupArgs
+  | MnemonicSignupArgs
+  | EmailOtpSignupArgs
+  | IdTokenSignupArgs
+  | AuthCodeSignupArgs
 
 export type LoginToWalletArgs = {
   wallet: Address.Address
@@ -180,6 +228,7 @@ export interface WalletsInterface {
    *   - `kind: 'mnemonic'`: Uses a mnemonic phrase as the login credential.
    *   - `kind: 'passkey'`: Prompts the user to create a WebAuthn passkey.
    *   - `kind: 'email-otp'`: Initiates an OTP flow to the user's email.
+   *   - `kind: 'google-id-token' | 'apple-id-token'`: Completes an OIDC ID token flow when the provider is configured with `authMethod: 'id-token'`.
    *   - `kind: 'google-pkce' | 'apple'`: Completes an OAuth redirect flow.
    *   Common options like `noGuard` or `noRecovery` can customize the wallet's security features.
    * @returns A promise that resolves to the address of the newly created wallet, or `undefined` if the sign-up was aborted.
@@ -361,7 +410,11 @@ export function isLoginToPasskeyArgs(args: LoginArgs): args is LoginToPasskeyArg
 }
 
 export function isAuthCodeArgs(args: SignupArgs): args is AuthCodeSignupArgs {
-  return 'kind' in args && (args.kind === 'google-pkce' || args.kind === 'apple')
+  return 'code' in args && 'commitment' in args
+}
+
+export function isIdTokenArgs(args: SignupArgs): args is IdTokenSignupArgs {
+  return 'idToken' in args
 }
 
 function buildCappedTree(members: { address: Address.Address; imageHash?: Hex.Hex }[]): Config.Topology {
@@ -674,9 +727,28 @@ export class Wallets implements WalletsInterface {
         }
       }
 
+      case 'google-id-token':
+      case 'apple-id-token': {
+        const handler = getIdTokenSignupHandler(
+          this.shared,
+          args.kind === 'google-id-token' ? Kinds.LoginGoogle : Kinds.LoginApple,
+        )
+        const [signer, metadata] = await handler.completeAuth(args.idToken)
+        const loginEmail = metadata.email
+        this.shared.modules.logger.log('Created new id token signer:', signer.address)
+
+        return {
+          signer,
+          extra: {
+            signerKind: getSignerKindForSignup(args.kind),
+          },
+          loginEmail,
+        }
+      }
+
       case 'google-pkce':
       case 'apple': {
-        const handler = this.shared.handlers.get('login-' + args.kind) as AuthCodeHandler
+        const handler = this.shared.handlers.get(getSignupHandlerKey(args.kind)) as AuthCodeHandler
         if (!handler) {
           throw new Error('handler-not-registered')
         }
@@ -688,7 +760,7 @@ export class Wallets implements WalletsInterface {
         return {
           signer,
           extra: {
-            signerKind: 'login-' + args.kind,
+            signerKind: getSignerKindForSignup(args.kind),
           },
           loginEmail,
         }
@@ -696,7 +768,18 @@ export class Wallets implements WalletsInterface {
     }
 
     if (args.kind.startsWith('custom-')) {
-      // TODO: support other custom auth methods (e.g. id-token)
+      if (isIdTokenArgs(args)) {
+        const handler = getIdTokenSignupHandler(this.shared, args.kind)
+        const [signer, metadata] = await handler.completeAuth(args.idToken)
+        return {
+          signer,
+          extra: {
+            signerKind: args.kind,
+          },
+          loginEmail: metadata.email,
+        }
+      }
+
       const handler = this.shared.handlers.get(args.kind) as AuthCodeHandler
       if (!handler) {
         throw new Error('handler-not-registered')
@@ -716,11 +799,14 @@ export class Wallets implements WalletsInterface {
   }
 
   async startSignUpWithRedirect(args: StartSignUpWithRedirectArgs) {
-    const kind = args.kind.startsWith('custom-') ? args.kind : 'login-' + args.kind
-    const handler = this.shared.handlers.get(kind) as AuthCodeHandler
+    const kind = getSignupHandlerKey(args.kind)
+    const handler = this.shared.handlers.get(kind)
     if (!handler) {
       throw new Error('handler-not-registered')
     }
+    if (!(handler instanceof AuthCodeHandler)) {
+      throw new Error('handler-does-not-support-redirect')
+    }
     return handler.commitAuth(args.target, true)
   }
 
@@ -742,11 +828,14 @@ export class Wallets implements WalletsInterface {
         use4337: args.use4337,
       })
     } else {
-      const kind = commitment.kind.startsWith('custom-') ? commitment.kind : 'login-' + commitment.kind
-      const handler = this.shared.handlers.get(kind) as AuthCodeHandler
+      const handlerKind = getSignupHandlerKey(commitment.kind)
+      const handler = this.shared.handlers.get(handlerKind)
       if (!handler) {
         throw new Error('handler-not-registered')
       }
+      if (!(handler instanceof AuthCodeHandler)) {
+        throw new Error('handler-does-not-support-redirect')
+      }
 
       await handler.completeAuth(commitment, args.code)
     }

package/test/authcode-pkce.test.ts

@@ -326,7 +326,7 @@ describe('AuthCodePkceHandler', () => {
 
   describe('Integration and Edge Cases', () => {
     it('Should have correct kind property', () => {
-      expect(handler.kind).toBe('login-google-pkce')
+      expect(handler.kind).toBe('login-google')
     })
 
     it('Should handle redirect URI configuration', () => {

package/test/authcode.test.ts

@@ -188,7 +188,7 @@ describe('AuthCodeHandler', () => {
   // === KIND GETTER ===
 
   describe('kind getter', () => {
-    it('Should return login-google-pkce for Google PKCE handler', () => {
+    it('Should return login-google for Google PKCE handler', () => {
       const googleHandler = new AuthCodeHandler(
         'google-pkce',
         'https://accounts.google.com',
@@ -200,7 +200,7 @@ describe('AuthCodeHandler', () => {
         mockAuthKeys,
       )
 
-      expect(googleHandler.kind).toBe('login-google-pkce')
+      expect(googleHandler.kind).toBe('login-google')
     })
 
     it('Should return login-apple for Apple handler', () => {

package/test/identity-auth-dbs.test.ts

@@ -351,9 +351,84 @@ describe('Identity Authentication Databases', () => {
         },
       })
 
-      // Verify that Google handler is registered and uses our databases
+      // Verify that Google is registered under the canonical signer kind while
+      // still using the PKCE flow by default.
       const handlers = (manager as any).shared.handlers
-      expect(handlers.has('login-google-pkce')).toBe(true)
+      expect(handlers.has('login-google')).toBe(true)
+      expect(handlers.has('login-google-pkce')).toBe(false)
+    })
+
+    it('Should register the Google ID token handler when configured explicitly', async () => {
+      manager = new Manager({
+        stateProvider: new State.Local.Provider(new State.Local.IndexedDbStore(`manager-google-idtoken-${Date.now()}`)),
+        networks: [
+          {
+            name: 'Test Network',
+            type: Network.NetworkType.MAINNET,
+            rpcUrl: LOCAL_RPC_URL,
+            chainId: Network.ChainId.ARBITRUM,
+            blockExplorer: { url: 'https://arbiscan.io' },
+            nativeCurrency: {
+              name: 'Ether',
+              symbol: 'ETH',
+              decimals: 18,
+            },
+          },
+        ],
+        relayers: [],
+        authCommitmentsDb,
+        authKeysDb,
+        identity: {
+          url: 'https://dev-identity.sequence-dev.app',
+          fetch: window.fetch,
+          google: {
+            enabled: true,
+            clientId: 'test-google-client-id',
+            authMethod: 'id-token',
+          },
+        },
+      })
+
+      const handlers = (manager as any).shared.handlers
+      expect(handlers.has('login-google-id-token')).toBe(false)
+      expect(handlers.has('login-google')).toBe(true)
+      expect(handlers.has('login-google-pkce')).toBe(false)
+    })
+
+    it('Should register the Apple ID token handler when configured explicitly', async () => {
+      manager = new Manager({
+        stateProvider: new State.Local.Provider(new State.Local.IndexedDbStore(`manager-apple-idtoken-${Date.now()}`)),
+        networks: [
+          {
+            name: 'Test Network',
+            type: Network.NetworkType.MAINNET,
+            rpcUrl: LOCAL_RPC_URL,
+            chainId: Network.ChainId.ARBITRUM,
+            blockExplorer: { url: 'https://arbiscan.io' },
+            nativeCurrency: {
+              name: 'Ether',
+              symbol: 'ETH',
+              decimals: 18,
+            },
+          },
+        ],
+        relayers: [],
+        authCommitmentsDb,
+        authKeysDb,
+        identity: {
+          url: 'https://dev-identity.sequence-dev.app',
+          fetch: window.fetch,
+          apple: {
+            enabled: true,
+            clientId: 'test-apple-client-id',
+            authMethod: 'id-token',
+          },
+        },
+      })
+
+      const handlers = (manager as any).shared.handlers
+      expect(handlers.has('login-apple-id-token')).toBe(false)
+      expect(handlers.has('login-apple')).toBe(true)
     })
 
     it('Should use auth databases when email authentication is enabled', async () => {
@@ -424,5 +499,50 @@ describe('Identity Authentication Databases', () => {
       const handlers = (manager as any).shared.handlers
       expect(handlers.has('login-apple')).toBe(true)
     })
+
+    it('Should register custom ID token providers without enabling redirect flow for them', async () => {
+      manager = new Manager({
+        stateProvider: new State.Local.Provider(new State.Local.IndexedDbStore(`manager-custom-idtoken-${Date.now()}`)),
+        networks: [
+          {
+            name: 'Test Network',
+            type: Network.NetworkType.MAINNET,
+            rpcUrl: LOCAL_RPC_URL,
+            chainId: Network.ChainId.ARBITRUM,
+            blockExplorer: { url: 'https://arbiscan.io' },
+            nativeCurrency: {
+              name: 'Ether',
+              symbol: 'ETH',
+              decimals: 18,
+            },
+          },
+        ],
+        relayers: [],
+        authCommitmentsDb,
+        authKeysDb,
+        identity: {
+          url: 'https://dev-identity.sequence-dev.app',
+          fetch: window.fetch,
+          customProviders: [
+            {
+              kind: 'custom-google-native',
+              authMethod: 'id-token',
+              issuer: 'https://accounts.google.com',
+              clientId: 'test-google-client-id',
+            },
+          ],
+        },
+      })
+
+      const handlers = (manager as any).shared.handlers
+      expect(handlers.has('custom-google-native')).toBe(true)
+      await expect(
+        manager.wallets.startSignUpWithRedirect({
+          kind: 'custom-google-native',
+          target: '/home',
+          metadata: {},
+        }),
+      ).rejects.toThrow('handler-does-not-support-redirect')
+    })
   })
 })

package/test/identity-signer.test.ts

@@ -13,7 +13,7 @@ const mockCryptoSubtle = {
   exportKey: vi.fn(),
 }
 
-Object.defineProperty(global, 'window', {
+Object.defineProperty(globalThis, 'window', {
   value: {
     crypto: {
       subtle: mockCryptoSubtle,