feat: legacy-ios-redirect cp-7.72.0

[ieow]

Description

Fixes: https://github.com/MetaMask/MetaMask-planning/issues/7148

Support webcredential for ios google login
Part 3/4 - Support legacy/ webcredential ios google login based on feature flag

This pr add feature flag for the ios google login
use legacy ios google login when flag is true
use webcredential ios google login when flag is false for ios > 17.4

Part 1/ 4 - #27741
Part 2/ 4 - #27848
Part 3/ 4 - #27850 (defer to 7.72.0)
Part 4/ 4 - #27875

Changelog

CHANGELOG entry: Support legacy/ webcredential ios google login based feature flag

Related issues

Fixes:

Manual testing steps

Feature: iOS Google OAuth and token refresh (seedless)

  Scenario: Sign in with Google on iOS using legacy configuration
    Given the legacy iOS Google feature flag and OS version yield legacy client/redirect
    When the user completes seedless Google onboarding
    Then login completes and the app persists onboarding OAuth context as expected

  Scenario: Sign in with Google on iOS using web client and universal link redirect
    Given the app selects the web Google client and universal link redirect for iOS Google
    When the user completes Google OAuth via the browser/universal link flow
    Then the user returns to the app with a successful login

  Scenario: Refresh auth tokens after Google login on iOS
    Given an existing seedless Google session on iOS
    When the client refreshes JWT / auth tokens (e.g. after background or controller refresh)
    Then refresh succeeds without client_id mismatch errors

  Scenario: Wallet reset clears seedless onboarding state
    Given seedless onboarding metadata exists in Redux
    When the user deletes the wallet or resets onboarding as implemented
    Then seedless onboarding state is cleared with other onboarding fields

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Changes OAuth login/refresh behavior and auth-connection selection for iOS Google, including new Redux-persisted client IDs and feature-flagged config switching; mistakes could break Google sign-in or token refresh on iOS.

Overview
Adds persisted seedless onboarding OAuth context to Redux (new SET/CLEAR_SEEDLESS_ONBOARDING actions + reducer state) and clears it when restarting onboarding or deleting/resetting a wallet.

Updates iOS Google OAuth to switch between legacy iOS redirect/clientId and web/universal-link credentials via a new getIosGoogleConfig() helper and legacy feature flag logic (with an iOS < 17.4 safety fallback), while unifying Google web constants/redirect naming.

Ensures refresh-token requests on iOS Google reuse the original client_id by reading the persisted onboarding clientId (fallbacking to legacy IosGID), and updates OAuth authentication to pick iOS vs Android auth-connection IDs based on device/clientId. Tests were expanded/updated to cover these paths (including Google prompt select-account and state reset).

^{Written by Cursor Bugbot for commit 24579e7. This will update automatically on new commits. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: SmokeWalletPlatform, SmokeAccounts
• Selected Performance tags: @PerformanceOnboarding, @PerformanceLogin
• Risk Level: high
• AI Confidence: 88%

click to see 🤖 AI reasoning details

E2E Test Selection:
The changes primarily affect the seedless onboarding (Google/Apple OAuth) flow with several key modifications:

1. iOS Google OAuth config routing: New getIosGoogleConfig() function uses a feature flag (legacyIosGoogleConfig) and iOS version check (< 17.4) to determine which Google client ID/redirect URI to use. This is a critical change for iOS Google login.

2. Redux state persistence: New seedlessOnboarding state in the onboarding reducer stores clientId and authConnection after successful OAuth login. This is used by AuthTokenHandler to maintain backward compatibility for token refresh.

3. Auth connection ID routing: getAuthConnectionIdFromClientId() properly routes Android vs iOS auth connection configs based on client ID.

4. Wallet reset: clearSeedlessOnboarding() is now dispatched during vault reset in Authentication.ts, ensuring clean state.

5. Onboarding flow: clearSeedlessOnboarding() is dispatched when navigating to the onboarding sheet.

6. Google account selection: Prompt.SelectAccount added to force account selection in Google OAuth flow.

All seedless onboarding E2E tests (google-login-new-user, google-login-existing-user, google-login-lock-unlock, google-login-reset-wallet, apple-login tests) are tagged with SmokeWalletPlatform. The wallet reset flow in Authentication.ts also affects account management, warranting SmokeAccounts as well. The changes to the onboarding reducer could affect wallet creation analytics tracking also covered by SmokeWalletPlatform.

Performance Test Selection:
The changes affect the onboarding flow (OAuth login, Redux state persistence) and the login/unlock flow (token refresh with backward-compatible client ID lookup). The AuthTokenHandler now reads from Redux state during token refresh which could add latency to the login/unlock flow. The onboarding flow now dispatches additional Redux actions. These changes warrant performance validation for both onboarding and login flows.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
91.2% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

✅ E2E Fixture Validation — Schema is up to date
17 value mismatches detected (expected — fixture represents an existing user).
View details