@0xsequence/wallet-wdk 3.0.2 → 3.0.4

package/test/idtoken.test.ts

@@ -0,0 +1,343 @@
+import { afterEach, beforeEach, describe, expect, it, Mock, vi } from 'vitest'
+import { Address, Hex } from 'ox'
+import { Network, Payload } from '@0xsequence/wallet-primitives'
+import { IdentityInstrument, IdentityType } from '@0xsequence/identity-instrument'
+import { IdTokenHandler, PromptIdTokenHandler } from '../src/sequence/handlers/idtoken.js'
+import { Signatures } from '../src/sequence/signatures.js'
+import * as Db from '../src/dbs/index.js'
+import { IdentitySigner } from '../src/identity/signer.js'
+import { BaseSignatureRequest } from '../src/sequence/types/signature-request.js'
+import { Kinds } from '../src/sequence/types/signer.js'
+
+describe('IdTokenHandler', () => {
+  let idTokenHandler: IdTokenHandler
+  let mockNitroInstrument: IdentityInstrument
+  let mockSignatures: Signatures
+  let mockAuthKeys: Db.AuthKeys
+  let mockIdentitySigner: IdentitySigner
+  let testWallet: Address.Address
+  let testRequest: BaseSignatureRequest
+  let mockPromptIdToken: Mock<PromptIdTokenHandler>
+
+  beforeEach(() => {
+    vi.clearAllMocks()
+
+    testWallet = '0x1234567890123456789012345678901234567890' as Address.Address
+
+    mockNitroInstrument = {
+      commitVerifier: vi.fn(),
+      completeAuth: vi.fn(),
+    } as unknown as IdentityInstrument
+
+    mockSignatures = {
+      addSignature: vi.fn(),
+    } as unknown as Signatures
+
+    mockAuthKeys = {
+      set: vi.fn(),
+      get: vi.fn(),
+      del: vi.fn(),
+      delBySigner: vi.fn(),
+      getBySigner: vi.fn(),
+      addListener: vi.fn(),
+    } as unknown as Db.AuthKeys
+
+    mockIdentitySigner = {
+      address: testWallet,
+      sign: vi.fn(),
+    } as unknown as IdentitySigner
+
+    testRequest = {
+      id: 'test-request-id',
+      envelope: {
+        wallet: testWallet,
+        chainId: Network.ChainId.ARBITRUM,
+        payload: Payload.fromMessage(Hex.fromString('Test message')),
+      },
+    } as BaseSignatureRequest
+
+    mockPromptIdToken = vi.fn()
+
+    idTokenHandler = new IdTokenHandler(
+      'google-id-token',
+      'https://accounts.google.com',
+      'test-google-client-id',
+      mockNitroInstrument,
+      mockSignatures,
+      mockAuthKeys,
+    )
+
+    vi.spyOn(idTokenHandler as any, 'nitroCommitVerifier').mockResolvedValue({
+      verifier: 'unused-verifier',
+      loginHint: '',
+      challenge: '',
+    })
+
+    vi.spyOn(idTokenHandler as any, 'nitroCompleteAuth').mockResolvedValue({
+      signer: mockIdentitySigner,
+      email: 'user@example.com',
+    })
+  })
+
+  afterEach(() => {
+    vi.resetAllMocks()
+  })
+
+  describe('Constructor', () => {
+    it('Should create IdTokenHandler with correct properties', () => {
+      const handler = new IdTokenHandler(
+        'google-id-token',
+        'https://accounts.google.com',
+        'test-google-client-id',
+        mockNitroInstrument,
+        mockSignatures,
+        mockAuthKeys,
+      )
+
+      expect(handler.signupKind).toBe('google-id-token')
+      expect(handler.issuer).toBe('https://accounts.google.com')
+      expect(handler.audience).toBe('test-google-client-id')
+      expect(handler.identityType).toBe(IdentityType.OIDC)
+      expect(handler.kind).toBe(Kinds.LoginGoogle)
+    })
+
+    it('Should normalize apple-id-token handlers to login-apple', () => {
+      const handler = new IdTokenHandler(
+        'apple-id-token',
+        'https://appleid.apple.com',
+        'test-apple-client-id',
+        mockNitroInstrument,
+        mockSignatures,
+        mockAuthKeys,
+      )
+
+      expect(handler.signupKind).toBe('apple-id-token')
+      expect(handler.issuer).toBe('https://appleid.apple.com')
+      expect(handler.audience).toBe('test-apple-client-id')
+      expect(handler.kind).toBe(Kinds.LoginApple)
+    })
+
+    it('Should initialize without a registered UI callback', () => {
+      expect(idTokenHandler['onPromptIdToken']).toBeUndefined()
+    })
+  })
+
+  describe('UI Registration', () => {
+    it('Should register ID token UI callback', () => {
+      const unregister = idTokenHandler.registerUI(mockPromptIdToken)
+
+      expect(idTokenHandler['onPromptIdToken']).toBe(mockPromptIdToken)
+      expect(typeof unregister).toBe('function')
+    })
+
+    it('Should unregister UI callback when returned function is called', () => {
+      const unregister = idTokenHandler.registerUI(mockPromptIdToken)
+      expect(idTokenHandler['onPromptIdToken']).toBe(mockPromptIdToken)
+
+      unregister()
+
+      expect(idTokenHandler['onPromptIdToken']).toBeUndefined()
+    })
+
+    it('Should unregister UI callback directly', () => {
+      idTokenHandler.registerUI(mockPromptIdToken)
+      expect(idTokenHandler['onPromptIdToken']).toBe(mockPromptIdToken)
+
+      idTokenHandler.unregisterUI()
+
+      expect(idTokenHandler['onPromptIdToken']).toBeUndefined()
+    })
+
+    it('Should allow multiple registrations by overwriting the previous callback', () => {
+      const secondCallback = vi.fn()
+
+      idTokenHandler.registerUI(mockPromptIdToken)
+      expect(idTokenHandler['onPromptIdToken']).toBe(mockPromptIdToken)
+
+      idTokenHandler.registerUI(secondCallback)
+
+      expect(idTokenHandler['onPromptIdToken']).toBe(secondCallback)
+    })
+  })
+
+  describe('completeAuth()', () => {
+    it('Should complete auth using an OIDC ID token challenge', async () => {
+      const idToken = 'eyJhbGciOiJub25lIn0.eyJleHAiOjQxMDI0NDQ4MDB9.'
+
+      const [signer, metadata] = await idTokenHandler.completeAuth(idToken)
+
+      expect(idTokenHandler['nitroCommitVerifier']).toHaveBeenCalledWith(
+        expect.objectContaining({
+          issuer: 'https://accounts.google.com',
+          audience: 'test-google-client-id',
+          idToken,
+        }),
+      )
+      expect(idTokenHandler['nitroCompleteAuth']).toHaveBeenCalledWith(
+        expect.objectContaining({
+          issuer: 'https://accounts.google.com',
+          audience: 'test-google-client-id',
+          idToken,
+        }),
+      )
+      expect(signer).toBe(mockIdentitySigner)
+      expect(metadata).toEqual({ email: 'user@example.com' })
+    })
+  })
+
+  describe('getSigner()', () => {
+    it('Should throw when UI is not registered', async () => {
+      await expect(idTokenHandler.getSigner()).rejects.toThrow('id-token-handler-ui-not-registered')
+    })
+
+    it('Should acquire a signer by prompting for a fresh ID token', async () => {
+      const idToken = 'header.payload.signature'
+      const completeAuthSpy = vi
+        .spyOn(idTokenHandler, 'completeAuth')
+        .mockResolvedValue([mockIdentitySigner, { email: 'user@example.com' }])
+
+      mockPromptIdToken.mockImplementation(async (kind, respond) => {
+        expect(kind).toBe('google-id-token')
+        await respond(idToken)
+      })
+
+      idTokenHandler.registerUI(mockPromptIdToken)
+
+      const result = await idTokenHandler.getSigner()
+
+      expect(result).toEqual({
+        signer: mockIdentitySigner,
+        email: 'user@example.com',
+      })
+      expect(completeAuthSpy).toHaveBeenCalledWith(idToken)
+      expect(mockPromptIdToken).toHaveBeenCalledWith('google-id-token', expect.any(Function))
+    })
+
+    it('Should surface authentication failures from completeAuth', async () => {
+      const error = new Error('Authentication failed')
+      vi.spyOn(idTokenHandler, 'completeAuth').mockRejectedValue(error)
+
+      mockPromptIdToken.mockImplementation(async (_kind, respond) => {
+        await respond('header.payload.signature')
+      })
+
+      idTokenHandler.registerUI(mockPromptIdToken)
+
+      await expect(idTokenHandler.getSigner()).rejects.toThrow('Authentication failed')
+    })
+
+    it('Should surface UI callback errors', async () => {
+      mockPromptIdToken.mockRejectedValue(new Error('UI callback failed'))
+      idTokenHandler.registerUI(mockPromptIdToken)
+
+      await expect(idTokenHandler.getSigner()).rejects.toThrow('UI callback failed')
+    })
+  })
+
+  describe('status()', () => {
+    it('Should return ready status when an auth key signer is available', async () => {
+      vi.spyOn(idTokenHandler as any, 'getAuthKeySigner').mockResolvedValue(mockIdentitySigner)
+
+      const status = await idTokenHandler.status(testWallet, undefined, testRequest)
+
+      expect(status.status).toBe('ready')
+      expect(status.handler).toBe(idTokenHandler)
+    })
+
+    it('Should sign the request when ready handle is invoked', async () => {
+      vi.spyOn(idTokenHandler as any, 'getAuthKeySigner').mockResolvedValue(mockIdentitySigner)
+      const signSpy = vi.spyOn(idTokenHandler as any, 'sign').mockResolvedValue(undefined)
+
+      const status = await idTokenHandler.status(testWallet, undefined, testRequest)
+      const handled = await (status as any).handle()
+
+      expect(handled).toBe(true)
+      expect(signSpy).toHaveBeenCalledWith(mockIdentitySigner, testRequest)
+    })
+
+    it('Should return unavailable when no auth key signer exists and UI is not registered', async () => {
+      vi.spyOn(idTokenHandler as any, 'getAuthKeySigner').mockResolvedValue(undefined)
+
+      const status = await idTokenHandler.status(testWallet, undefined, testRequest)
+
+      expect(status).toMatchObject({
+        address: testWallet,
+        handler: idTokenHandler,
+        status: 'unavailable',
+        reason: 'ui-not-registered',
+      })
+    })
+
+    it('Should return actionable when no auth key signer exists and UI is registered', async () => {
+      vi.spyOn(idTokenHandler as any, 'getAuthKeySigner').mockResolvedValue(undefined)
+      idTokenHandler.registerUI(mockPromptIdToken)
+
+      const status = await idTokenHandler.status(testWallet, undefined, testRequest)
+
+      expect(status.status).toBe('actionable')
+      expect(status.address).toBe(testWallet)
+      expect(status.handler).toBe(idTokenHandler)
+      expect((status as any).message).toBe('request-id-token')
+      expect(typeof (status as any).handle).toBe('function')
+    })
+
+    it('Should reacquire the signer when actionable handle is invoked', async () => {
+      vi.spyOn(idTokenHandler as any, 'getAuthKeySigner').mockResolvedValue(undefined)
+      const completeAuthSpy = vi
+        .spyOn(idTokenHandler, 'completeAuth')
+        .mockResolvedValue([mockIdentitySigner, { email: 'user@example.com' }])
+
+      mockPromptIdToken.mockImplementation(async (_kind, respond) => {
+        await respond('header.payload.signature')
+      })
+
+      idTokenHandler.registerUI(mockPromptIdToken)
+
+      const status = await idTokenHandler.status(testWallet, undefined, testRequest)
+      const handled = await (status as any).handle()
+
+      expect(handled).toBe(true)
+      expect(completeAuthSpy).toHaveBeenCalledWith('header.payload.signature')
+    })
+
+    it('Should return false when actionable handle authentication fails', async () => {
+      vi.spyOn(idTokenHandler as any, 'getAuthKeySigner').mockResolvedValue(undefined)
+      vi.spyOn(idTokenHandler, 'completeAuth').mockRejectedValue(new Error('Authentication failed'))
+
+      mockPromptIdToken.mockImplementation(async (_kind, respond) => {
+        await respond('header.payload.signature')
+      })
+
+      idTokenHandler.registerUI(mockPromptIdToken)
+
+      const status = await idTokenHandler.status(testWallet, undefined, testRequest)
+      const handled = await (status as any).handle()
+
+      expect(handled).toBe(false)
+    })
+
+    it('Should return false when actionable handle authenticates the wrong signer', async () => {
+      vi.spyOn(idTokenHandler as any, 'getAuthKeySigner').mockResolvedValue(undefined)
+      const wrongSigner = '0x9999999999999999999999999999999999999999' as Address.Address
+      vi.spyOn(idTokenHandler, 'completeAuth').mockResolvedValue([
+        {
+          ...mockIdentitySigner,
+          address: wrongSigner,
+        } as unknown as IdentitySigner,
+        { email: 'other-user@example.com' },
+      ])
+
+      mockPromptIdToken.mockImplementation(async (_kind, respond) => {
+        await respond('header.payload.signature')
+      })
+
+      idTokenHandler.registerUI(mockPromptIdToken)
+
+      const status = await idTokenHandler.status(testWallet, undefined, testRequest)
+      const handled = await (status as any).handle()
+
+      expect(handled).toBe(false)
+      expect(mockAuthKeys.delBySigner).toHaveBeenCalledWith(wrongSigner)
+    })
+  })
+})

package/test/sessions-idtoken.test.ts

@@ -0,0 +1,98 @@
+import { afterEach, describe, expect, it, vi } from 'vitest'
+import { Hash, Hex, Mnemonic, Secp256k1, Address as OxAddress } from 'ox'
+import { Payload } from '@0xsequence/wallet-primitives'
+import { newManager } from './constants.js'
+import { Manager } from '../src/sequence/index.js'
+import { Kinds } from '../src/sequence/types/signer.js'
+
+describe('Sessions ID token attestation', () => {
+  let manager: Manager | undefined
+
+  afterEach(async () => {
+    await manager?.stop()
+  })
+
+  it('Should include issuer and audience hashes for google-id-token implicit session authorization', async () => {
+    manager = newManager({
+      identity: {
+        google: {
+          enabled: true,
+          clientId: 'test-google-client-id',
+          authMethod: 'id-token',
+        },
+      },
+    })
+
+    const wallet = await manager.wallets.signUp({
+      mnemonic: Mnemonic.random(Mnemonic.english),
+      kind: 'mnemonic',
+      noGuard: true,
+    })
+    expect(wallet).toBeDefined()
+
+    const signersModule = (manager as any).shared.modules.signers
+    vi.spyOn(signersModule, 'kindOf').mockResolvedValue(Kinds.LoginGoogle)
+
+    const sessionAddress = OxAddress.fromPublicKey(Secp256k1.getPublicKey({ privateKey: Secp256k1.randomPrivateKey() }))
+    const requestId = await manager.sessions.prepareAuthorizeImplicitSession(wallet!, sessionAddress, {
+      target: 'https://example.com',
+      applicationData: '0x1234',
+    })
+
+    const request = await manager.signatures.get(requestId)
+    expect(request.action).toBe('session-implicit-authorize')
+    expect(Payload.isSessionImplicitAuthorize(request.envelope.payload)).toBe(true)
+
+    if (!Payload.isSessionImplicitAuthorize(request.envelope.payload)) {
+      throw new Error('Expected session implicit authorize payload')
+    }
+
+    const attestation = request.envelope.payload.attestation
+    expect(Hex.fromBytes(attestation.issuerHash)).toBe(Hash.keccak256(Hex.fromString('https://accounts.google.com')))
+    expect(Hex.fromBytes(attestation.audienceHash)).toBe(Hash.keccak256(Hex.fromString('test-google-client-id')))
+    expect(Hex.fromBytes(attestation.applicationData)).toBe('0x1234')
+    expect(Hex.fromBytes(attestation.identityType)).toBe('0x00000002')
+  })
+
+  it('Should include issuer and audience hashes for apple implicit session authorization', async () => {
+    manager = newManager({
+      identity: {
+        apple: {
+          enabled: true,
+          clientId: 'test-apple-client-id',
+          authMethod: 'id-token',
+        },
+      },
+    })
+
+    const wallet = await manager.wallets.signUp({
+      mnemonic: Mnemonic.random(Mnemonic.english),
+      kind: 'mnemonic',
+      noGuard: true,
+    })
+    expect(wallet).toBeDefined()
+
+    const signersModule = (manager as any).shared.modules.signers
+    vi.spyOn(signersModule, 'kindOf').mockResolvedValue(Kinds.LoginApple)
+
+    const sessionAddress = OxAddress.fromPublicKey(Secp256k1.getPublicKey({ privateKey: Secp256k1.randomPrivateKey() }))
+    const requestId = await manager.sessions.prepareAuthorizeImplicitSession(wallet!, sessionAddress, {
+      target: 'https://example.com',
+      applicationData: '0x1234',
+    })
+
+    const request = await manager.signatures.get(requestId)
+    expect(request.action).toBe('session-implicit-authorize')
+    expect(Payload.isSessionImplicitAuthorize(request.envelope.payload)).toBe(true)
+
+    if (!Payload.isSessionImplicitAuthorize(request.envelope.payload)) {
+      throw new Error('Expected session implicit authorize payload')
+    }
+
+    const attestation = request.envelope.payload.attestation
+    expect(Hex.fromBytes(attestation.issuerHash)).toBe(Hash.keccak256(Hex.fromString('https://appleid.apple.com')))
+    expect(Hex.fromBytes(attestation.audienceHash)).toBe(Hash.keccak256(Hex.fromString('test-apple-client-id')))
+    expect(Hex.fromBytes(attestation.applicationData)).toBe('0x1234')
+    expect(Hex.fromBytes(attestation.identityType)).toBe('0x00000002')
+  })
+})

package/test/signers-kindof.test.ts

@@ -37,4 +37,26 @@ describe('Signers.kindOf', () => {
     await signers.kindOf(wallet, '0x2222222222222222222222222222222222222222')
     expect(getWitnessFor).toHaveBeenCalledTimes(1)
   })
+
+  it('normalizes legacy Google PKCE signer kind to the canonical Google signer kind', async () => {
+    const getWitnessFor = vi.fn().mockResolvedValue({
+      payload: {
+        type: 'message',
+        message: '0x' + Buffer.from(JSON.stringify({ signerKind: 'login-google-pkce' }), 'utf8').toString('hex'),
+      },
+    })
+
+    const manager = newManager({
+      stateProvider: {
+        getWitnessFor,
+        getWitnessForSapient: vi.fn(),
+      } as any,
+    })
+
+    const signers = (manager as any).shared.modules.signers
+    const wallet = '0x1111111111111111111111111111111111111111'
+    const signer = '0x2222222222222222222222222222222222222222'
+
+    await expect(signers.kindOf(wallet, signer)).resolves.toBe(Kinds.LoginGoogle)
+  })
 })

package/test/wallets.test.ts

@@ -1,8 +1,13 @@
-import { afterEach, describe, expect, it } from 'vitest'
+import { afterEach, describe, expect, it, vi } from 'vitest'
 import { Manager, SignerActionable, SignerReady } from '../src/sequence/index.js'
 import { Mnemonic, Address } from 'ox'
 import { newManager } from './constants.js'
 import { Config, Constants, Network } from '@0xsequence/wallet-primitives'
+import { AuthCodePkceHandler } from '../src/sequence/handlers/authcode-pkce.js'
+import { IdTokenHandler } from '../src/sequence/handlers/idtoken.js'
+import { IdentitySigner } from '../src/identity/signer.js'
+import { MnemonicHandler } from '../src/sequence/handlers/mnemonic.js'
+import { Kinds } from '../src/sequence/types/signer.js'
 
 describe('Wallets', () => {
   let manager: Manager | undefined
@@ -24,6 +29,202 @@ describe('Wallets', () => {
     await expect(manager.wallets.has(wallet!)).resolves.toBeTruthy()
   })
 
+  it('Should create a new wallet using google-id-token when Google ID token auth is enabled', async () => {
+    manager = newManager({
+      identity: {
+        google: {
+          enabled: true,
+          clientId: 'test-google-client-id',
+          authMethod: 'id-token',
+        },
+      },
+    })
+
+    const handler = (manager as any).shared.handlers.get(Kinds.LoginGoogle) as IdTokenHandler
+    const loginMnemonic = Mnemonic.random(Mnemonic.english)
+    const loginSigner = MnemonicHandler.toSigner(loginMnemonic)
+    if (!loginSigner) {
+      throw new Error('Failed to create login signer for test')
+    }
+
+    const completeAuthSpy = vi
+      .spyOn(handler, 'completeAuth')
+      .mockResolvedValue([loginSigner as unknown as IdentitySigner, { email: 'google-user@example.com' }])
+
+    const wallet = await manager.wallets.signUp({
+      kind: 'google-id-token',
+      idToken: 'eyJhbGciOiJub25lIn0.eyJleHAiOjQxMDI0NDQ4MDB9.',
+      noGuard: true,
+    })
+
+    expect(wallet).toBeDefined()
+    expect(completeAuthSpy).toHaveBeenCalledWith('eyJhbGciOiJub25lIn0.eyJleHAiOjQxMDI0NDQ4MDB9.')
+    await expect(manager.wallets.has(wallet!)).resolves.toBeTruthy()
+
+    const walletEntry = await manager.wallets.get(wallet!)
+    expect(walletEntry).toBeDefined()
+    expect(walletEntry!.loginType).toBe(Kinds.LoginGoogle)
+    expect(walletEntry!.loginEmail).toBe('google-user@example.com')
+
+    const configuration = await manager.wallets.getConfiguration(wallet!)
+    expect(configuration.login).toHaveLength(1)
+    expect(configuration.login[0]!.kind).toBe(Kinds.LoginGoogle)
+  })
+
+  it('Should create a new wallet using apple-id-token when Apple ID token auth is enabled', async () => {
+    manager = newManager({
+      identity: {
+        apple: {
+          enabled: true,
+          clientId: 'test-apple-client-id',
+          authMethod: 'id-token',
+        },
+      },
+    })
+
+    const handler = (manager as any).shared.handlers.get(Kinds.LoginApple) as IdTokenHandler
+    const loginMnemonic = Mnemonic.random(Mnemonic.english)
+    const loginSigner = MnemonicHandler.toSigner(loginMnemonic)
+    if (!loginSigner) {
+      throw new Error('Failed to create login signer for test')
+    }
+
+    const completeAuthSpy = vi
+      .spyOn(handler, 'completeAuth')
+      .mockResolvedValue([loginSigner as unknown as IdentitySigner, { email: 'apple-user@example.com' }])
+
+    const wallet = await manager.wallets.signUp({
+      kind: 'apple-id-token',
+      idToken: 'eyJhbGciOiJub25lIn0.eyJleHAiOjQxMDI0NDQ4MDB9.',
+      noGuard: true,
+    })
+
+    expect(wallet).toBeDefined()
+    expect(completeAuthSpy).toHaveBeenCalledWith('eyJhbGciOiJub25lIn0.eyJleHAiOjQxMDI0NDQ4MDB9.')
+    await expect(manager.wallets.has(wallet!)).resolves.toBeTruthy()
+
+    const walletEntry = await manager.wallets.get(wallet!)
+    expect(walletEntry).toBeDefined()
+    expect(walletEntry!.loginType).toBe(Kinds.LoginApple)
+    expect(walletEntry!.loginEmail).toBe('apple-user@example.com')
+
+    const configuration = await manager.wallets.getConfiguration(wallet!)
+    expect(configuration.login).toHaveLength(1)
+    expect(configuration.login[0]!.kind).toBe(Kinds.LoginApple)
+  })
+
+  it('Should register and unregister Google ID token UI callbacks through the manager', async () => {
+    manager = newManager({
+      identity: {
+        google: {
+          enabled: true,
+          clientId: 'test-google-client-id',
+          authMethod: 'id-token',
+        },
+      },
+    })
+
+    const handler = (manager as any).shared.handlers.get(Kinds.LoginGoogle) as IdTokenHandler
+    const promptIdToken = vi.fn()
+
+    const unregister = manager.registerIdTokenUI(promptIdToken)
+
+    expect(handler['onPromptIdToken']).toBe(promptIdToken)
+
+    unregister()
+
+    expect(handler['onPromptIdToken']).toBeUndefined()
+  })
+
+  it('Should keep Google PKCE redirect flow as the default when authMethod is not specified', async () => {
+    manager = newManager({
+      identity: {
+        google: {
+          enabled: true,
+          clientId: 'test-google-client-id',
+        },
+      },
+    })
+
+    const handler = (manager as any).shared.handlers.get(Kinds.LoginGoogle) as AuthCodePkceHandler
+    expect(handler).toBeInstanceOf(AuthCodePkceHandler)
+
+    const commitAuthSpy = vi
+      .spyOn(handler, 'commitAuth')
+      .mockResolvedValue('https://accounts.google.com/o/oauth2/v2/auth?state=test-state')
+
+    const url = await manager.wallets.startSignUpWithRedirect({
+      kind: 'google-pkce',
+      target: '/auth/return',
+      metadata: {},
+    })
+
+    expect(url).toBe('https://accounts.google.com/o/oauth2/v2/auth?state=test-state')
+    expect(commitAuthSpy).toHaveBeenCalledWith('/auth/return', true)
+  })
+
+  it('Should reject google-id-token signup when Google is configured for redirect auth', async () => {
+    manager = newManager({
+      identity: {
+        google: {
+          enabled: true,
+          clientId: 'test-google-client-id',
+        },
+      },
+    })
+
+    await expect(
+      manager.wallets.signUp({
+        kind: 'google-id-token',
+        idToken: 'eyJhbGciOiJub25lIn0.eyJleHAiOjQxMDI0NDQ4MDB9.',
+        noGuard: true,
+      }),
+    ).rejects.toThrow('handler-does-not-support-id-token')
+  })
+
+  it('Should reject apple-id-token signup when Apple is configured for redirect auth', async () => {
+    manager = newManager({
+      identity: {
+        apple: {
+          enabled: true,
+          clientId: 'test-apple-client-id',
+        },
+      },
+    })
+
+    await expect(
+      manager.wallets.signUp({
+        kind: 'apple-id-token',
+        idToken: 'eyJhbGciOiJub25lIn0.eyJleHAiOjQxMDI0NDQ4MDB9.',
+        noGuard: true,
+      }),
+    ).rejects.toThrow('handler-does-not-support-id-token')
+  })
+
+  it('Should reject custom ID token signup when the provider uses redirect auth', async () => {
+    manager = newManager({
+      identity: {
+        customProviders: [
+          {
+            kind: 'custom-oidc',
+            authMethod: 'authcode',
+            issuer: 'https://issuer.example.com',
+            oauthUrl: 'https://issuer.example.com/oauth/authorize',
+            clientId: 'test-custom-client-id',
+          },
+        ],
+      },
+    })
+
+    await expect(
+      manager.wallets.signUp({
+        kind: 'custom-oidc',
+        idToken: 'eyJhbGciOiJub25lIn0.eyJleHAiOjQxMDI0NDQ4MDB9.',
+        noGuard: true,
+      }),
+    ).rejects.toThrow('handler-does-not-support-id-token')
+  })
+
   it('Should get a specific wallet by address', async () => {
     manager = newManager()
     const mnemonic = Mnemonic.random(Mnemonic.english)