feat(onboarding): add Telegram OAuth login for seedless onboarding #29465

Merged: tylerc-consensys merged 76 commits into main from feat/telegramlogin-1 on May 21, 2026

@tylerc-consensys tylerc-consensys commented Apr 29, 2026

Description

TLDR: Adds Telegram as a third OAuth provider (alongside Google and Apple) for seedless onboarding, behind the existing onboarding flow surfaces.

This wires a new TelegramLoginHandler into the existing OAuthService infrastructure. The flow is backend-mediated:

  1. App opens an in-app browser session against the auth server's /api/v2/telegram/login/initiate endpoint with a PKCE code challenge.
  2. Backend handles the redirect to Telegram, exchanges the Telegram code, and stores tokens keyed by the code challenge.
  3. Backend redirects back to the app via deep link.
  4. App calls /api/v2/telegram/login/verify with the code verifier, exchanges the resulting OIDC token through Hydra's JWT-bearer grant, and mints the standard auth-service token set used by seedless onboarding.

Telegram entries have been added to OAUTH_CONFIG for every build type (development, main_, flask_) and platform (Android/iOS), and Telegram is exposed in the Onboarding, OnboardingSheet, and WalletRecovery views.

Architecture and bot-management notes are captured in docs/frontend-telegram-integration-architecture.md, docs/telegram-oidc-bot-creation-management.md, and docs/auth-backend-consolidation-strategy.md.

Jira: https://consensyssoftware.atlassian.net/browse/TO-738, https://consensyssoftware.atlassian.net/browse/TO-751

Changelog

CHANGELOG entry: Added Telegram as a login option for seedless onboarding.

Related issues

Fixes:

Manual testing steps

```gherkin
Feature: Telegram OAuth onboarding

Scenario: New user creates a wallet via Telegram
Given the app is freshly installed
And the user is on the Onboarding screen

When the user taps "Continue with Telegram"
And completes the Telegram authentication in the in-app browser
Then the user is returned to the app
And a new seedless wallet is created
And the account name is "Telegram <idp_sub>"

Scenario: Returning user recovers a wallet via Telegram
Given a wallet was previously created with Telegram
And the app is freshly installed
When the user taps "Continue with Telegram" on the WalletRecovery screen
And completes Telegram authentication
Then the existing wallet is rehydrated

Scenario: User cancels the Telegram auth session
Given the user is on the Onboarding screen
When the user taps "Continue with Telegram"
And dismisses the in-app browser
Then the app remains on the Onboarding screen with no error
```

Test on both Android and iOS — Android required a session-persistence fix (commit `bce106c633`).

Screenshots/Recordings

Before

N/A

After

N/A

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Note

High Risk
High risk because it extends seedless onboarding authentication/token flows with a new Telegram provider, new redirect/exchange logic, and updated client ID handling that could impact login, token refresh, and account identity data.

Overview
Adds Telegram as a third OAuth provider for seedless onboarding, gated by a new remote feature flag telegram_login_enabled (with env override) and surfaced in the onboarding bottom sheet when enabled.

Implements a new TelegramLoginHandler and extends the OAuth factory/config/constants to support Telegram-specific redirect URIs, connection IDs, and a backend-mediated verify → Hydra token exchange → mint flow; token refresh logic is updated to use Telegram’s platform-specific client IDs and the OAuth pipeline now derives {userId, accountName} via loginHandler.getUserInfo() (including Telegram-provided account_name).

Updates onboarding/recovery UI and analytics to recognize Telegram accounts (new AccountType variants, Telegram-specific copy, icon/styling), adds registry/CI flag constant wiring, and adjusts several UI tests/snapshots to assert loading via accessibilityState.busy instead of a spinner-container test id.

Reviewed by Cursor Bugbot for commit 6bd5282. Bugbot is set up for automated code reviews on this repo. Configure here.
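
An added example, not code from this PR or from the MetaMask repository: a TypeScript sketch of a backend store keyed by the PKCE code challenge (steps 2 and 4 of the description) that releases tokens only to the holder of the code verifier, once, and within a time limit. It assumes the S256 challenge method from RFC 7636; `PendingLogins`, its TTL and the token string are hypothetical.

```typescript
import { createHash, randomBytes } from "node:crypto";

// RFC 7636 S256: challenge = BASE64URL(SHA-256(ASCII(code_verifier))).
function challengeFor(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// App side: 32 random bytes encode to a 43-character verifier.
function newVerifier(): string {
  return randomBytes(32).toString("base64url");
}

interface PendingEntry {
  tokens: string;
  expiresAt: number;
}

// Hypothetical stand-in for the backend store of tokens keyed by code challenge.
class PendingLogins {
  private readonly byChallenge = new Map<string, PendingEntry>();
  private readonly ttlMs: number;

  constructor(ttlMs: number = 5 * 60_000) {
    this.ttlMs = ttlMs;
  }

  // Step 2: after the Telegram code exchange, park the tokens under the challenge.
  store(challenge: string, tokens: string, now: number = Date.now()): void {
    this.byChallenge.set(challenge, { tokens, expiresAt: now + this.ttlMs });
  }

  // Step 4: hash the presented verifier to find the entry; release it at most once.
  redeem(verifier: string, now: number = Date.now()): string | null {
    // RFC 7636 verifier syntax: 43-128 unreserved characters.
    if (!/^[A-Za-z0-9._~-]{43,128}$/.test(verifier)) return null;
    const key = challengeFor(verifier);
    const entry = this.byChallenge.get(key);
    if (entry === undefined) return null;
    this.byChallenge.delete(key); // single use, also drops expired entries
    return now <= entry.expiresAt ? entry.tokens : null;
  }
}
```

In this model the deep link in step 3 carries no secret: whoever receives it still needs the verifier, which never left the app.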

@tylerc-consensys tylerc-consensys self-assigned this Apr 29, 2026

github-actions Bot commented Apr 29, 2026

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@metamaskbotv2 metamaskbotv2 Bot added the team-onboarding Onboarding team label Apr 29, 2026
tylerc-consensys and others added 5 commits April 30, 2026 12:16
…ytics

- Suppress generic error sheet on TelegramLoginError (matches google/apple)
- Include oauth_error_code on SOCIAL_LOGIN_FAILED for all providers
- Remove debug Alert and verbose Logger calls from TelegramLoginHandler
- Pass profile_pairing_token (hydra access_token) through AuthResponse → authenticate()
- New useProfilePairing hook firing pairProfileServiceWithSocialLogin from useIdentityEffects
- Selectors for profilePairingToken + status (now per-SRP under socialBackupsMetadata[0])
- Wire profilePairingEndpoint + fetchFunction into SeedlessOnboardingController init
- Bump @metamask/seedless-onboarding-controller to preview 9.1.0-preview-95a687acf

NOTE: dev creds set to 'mm-telegram-dev-tyler' for local testing — revert before
ready-for-review. PAIR-DEBUG console logs are temporary and should be stripped.
Comment thread app/core/OAuthService/OAuthLoginHandlers/constants.ts Outdated
Comment thread app/core/Engine/controllers/seedless-onboarding-controller/index.ts Outdated
Comment thread app/util/identity/hooks/useProfilePairing/useProfilePairing.ts Outdated
Comment thread app/core/OAuthService/OAuthService.ts Outdated
@grvgoel81 grvgoel81 had a problem deploying to build-production May 8, 2026 13:36 — with GitHub Actions Failure
Comment thread app/components/Views/Onboarding/index.tsx Outdated
@tylerc-consensys tylerc-consensys requested a review from a team as a code owner May 21, 2026 08:37
@tylerc-consensys tylerc-consensys requested a review from a team as a code owner May 21, 2026 08:59

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 244142f. Configure here.

Comment thread app/core/OAuthService/OAuthLoginHandlers/shared/TelegramLoginHandler.ts Outdated
@github-actions

🔍 Smart E2E Test Selection

  • Selected E2E tags: SmokeSeedlessOnboarding, SmokeAccounts, SmokeWalletPlatform
  • Selected Performance tags: None (no tests recommended)
  • Risk Level: high
  • AI Confidence: 90%

E2E Test Selection:
This PR introduces Telegram login support for seedless onboarding, which is a significant new feature extending the existing Google/Apple OAuth flows.

SmokeSeedlessOnboarding (primary): The core changes directly affect the seedless onboarding infrastructure:

  • OAuthService.ts - Modified handleSeedlessAuthenticate signature, added null check for auth connection config, changed getUserInfo call pattern. These changes affect ALL social login flows (Google, Apple, and new Telegram).
  • AuthTokenHandler.ts - Updated createLoginHandler calls for refresh/renew/revoke to pass telegramLoginEnabled: true. This affects token refresh for existing Google/Apple sessions.
  • createLoginHandler factory in OAuthLoginHandlers/index.ts - Added Telegram handler, changed AuthServerUrl to w3aAuthServerUrl (backward-compatible alias), added options parameter.
  • OnboardingSheet/index.tsx - Added Telegram button (conditionally shown), which modifies the onboarding sheet UI that Google/Apple tests interact with.
  • Onboarding/index.tsx - Added Telegram feature flag check, new error handling for InvalidProvider and TelegramLoginError, modified createLoginHandler call signature.
  • QAMockOAuthService.ts - Changed from direct JWT decode to getUserInfo() method - this affects E2E mock behavior for all social login tests.
  • tests/module-mocking/oauth/OAuthLoginHandlers/index.ts - Updated mock createLoginHandler to accept new options parameter and added getUserInfo method.
  • babel.config.tests.js - Added new selector files to test overrides.

SmokeAccounts: ImportPrivateKey/index.tsx and ResetPassword/index.tsx both updated isSRP check to exclude AuthConnection.Telegram. These components are used in account import and password reset flows that SmokeAccounts tests cover.

SmokeWalletPlatform: The wallet-setup-completed-attribution.spec.ts test uses SmokeSeedlessOnboarding tag and tests wallet lifecycle analytics for new wallet creation and SRP import events. The onboarding flow changes could affect these analytics tracking tests. Also, per the tag description, wallet lifecycle analytics tracking is part of SmokeWalletPlatform.

Not selected:

  • SmokeIdentity: No direct changes to profile sync or account sync flows
  • SmokeConfirmations: No transaction/signature flow changes
  • Other tags: No relevant changes to their areas

Performance Test Selection:
The changes are focused on OAuth authentication flows (Telegram login), feature flag additions, and onboarding UI updates. These are not performance-sensitive areas - they involve network calls to auth servers during login (not measured by performance tests), and the UI changes are minimal (adding a Telegram button to the onboarding sheet). No changes to account list rendering, asset loading, app startup initialization, or other performance-critical paths. The new expo-web-browser dependency is only used during the Telegram OAuth flow, not in hot paths.

@ccharly ccharly removed the request for review from a team May 21, 2026 11:39

@andrepimenta andrepimenta left a comment

Approved for mobile platform owned files

@grvgoel81 grvgoel81 enabled auto-merge May 21, 2026 11:52
@grvgoel81 grvgoel81 added this pull request to the merge queue May 21, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks May 21, 2026
@tylerc-consensys tylerc-consensys added this pull request to the merge queue May 21, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks May 21, 2026
@tylerc-consensys tylerc-consensys added this pull request to the merge queue May 21, 2026
Merged via the queue into main with commit 54ee16c May 21, 2026
239 of 264 checks passed
@tylerc-consensys tylerc-consensys deleted the feat/telegramlogin-1 branch May 21, 2026 13:35
@github-actions github-actions Bot locked and limited conversation to collaborators May 21, 2026
@metamaskbotv2 metamaskbotv2 Bot added the release-7.79.0 Issue or pull request that will be included in release 7.79.0 label May 21, 2026
Labels

  • force-builds: Forces e2e native builds to trigger
  • release-7.79.0: Issue or pull request that will be included in release 7.79.0
  • size-XL
  • team-onboarding: Onboarding team
