feat: update client id #29776

Merged: ieow merged 3 commits into main from cw/update-clientId on May 7, 2026

@ieow ieow commented May 6, 2026

Description

OAuth client IDs for Google and Apple sign-in (IOS_GOOGLE_CLIENT_ID, IOS_GOOGLE_REDIRECT_URI, ANDROID_GOOGLE_CLIENT_ID, ANDROID_GOOGLE_SERVER_CLIENT_ID, ANDROID_APPLE_CLIENT_ID) were previously sourced from process.env, requiring manual environment variable configuration and risking misconfiguration across different build types.

This PR moves those client IDs into the existing OAUTH_CONFIG object in config.ts, keyed by build type (development, main_prod, main_uat, main_dev, flask_prod, flask_uat, flask_dev). The constants in constants.ts now read from CURRENT_OAUTH_CONFIG instead of process.env, ensuring the correct client IDs are automatically selected based on the build type. The corresponding environment variable entries have been removed from .js.env.example.

Changelog

CHANGELOG entry: null

Related issues

Fixes:

Manual testing steps

Feature: Seedless onboarding OAuth login

  Scenario: user signs in with Google on iOS
    Given the app is built with a main production build type
    When user taps "Sign in with Google" during onboarding
    Then the Google OAuth flow uses the correct production client ID
    And the user is authenticated successfully

  Scenario: user signs in with Google on Android
    Given the app is built with a main production build type
    When user taps "Sign in with Google" during onboarding
    Then the Google OAuth flow uses the correct production server client ID
    And the user is authenticated successfully

  Scenario: user signs in with Apple on Android
    Given the app is built with a main production build type
    When user taps "Sign in with Apple" during onboarding
    Then the Apple OAuth flow uses the correct production Apple client ID
    And the user is authenticated successfully

Screenshots/Recordings

Before

After

Pre-merge author checklist

Performance checks (if applicable)

  • I've tested on Android
    • Ideally on a mid-range device; emulator is acceptable
  • I've tested with a power user scenario
    • Use these power-user SRPs to import wallets with many accounts and tokens
  • I've instrumented key operations with Sentry traces for production performance metrics

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Note

Medium Risk
Touches OAuth configuration used for Google/Apple login; incorrect client IDs/redirect URIs could break authentication in specific build targets despite being mostly a config refactor.

Overview
OAuth client IDs/redirect URIs are now defined per build type in OAuthLoginHandlers/config.ts and consumed via CURRENT_OAUTH_CONFIG in constants.ts, instead of being read from process.env.

The example env file removes the seedless-onboarding client ID entries, and unit tests are updated to assert against OAUTH_CONFIG.main_prod values for Android and legacy iOS Google config selection.

Reviewed by Cursor Bugbot for commit fd46114. Bugbot is set up for automated code reviews on this repo. Configure here.
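
The per-build-type selection described in this PR, as an added example that is not code from the PR or the project's repository: a fail-closed selector plus an audit pass over the whole table. `EXAMPLE_OAUTH_CONFIG`, `entry`, `selectOAuthConfig` and `auditOAuthConfig` are hypothetical names, all values are constructed placeholders, and treating reuse of a `_prod` value in a non-production build type as a finding is an assumed policy.

```typescript
// Added example: key and build-type names are from the PR text; all values are constructed placeholders.
const REQUIRED_KEYS = [
  'IOS_GOOGLE_CLIENT_ID',
  'IOS_GOOGLE_REDIRECT_URI',
  'ANDROID_GOOGLE_CLIENT_ID',
  'ANDROID_GOOGLE_SERVER_CLIENT_ID',
  'ANDROID_APPLE_CLIENT_ID',
] as const;
type OAuthKey = (typeof REQUIRED_KEYS)[number];
type OAuthEntry = Partial<Record<OAuthKey, string>>;

// Hypothetical helper: builds a fully populated placeholder entry.
function entry(tag: string): OAuthEntry {
  const e: OAuthEntry = {};
  for (const k of REQUIRED_KEYS) e[k] = `placeholder-${tag}-${k}`;
  return e;
}

const EXAMPLE_OAUTH_CONFIG: Record<string, OAuthEntry> = {
  development: entry('development'),
  main_prod: entry('main_prod'),
  main_uat: entry('main_uat'),
  main_dev: entry('main_dev'),
  flask_prod: entry('flask_prod'),
  flask_uat: { ...entry('flask_uat'), ANDROID_APPLE_CLIENT_ID: '' }, // constructed defect: empty field
  flask_dev: { ...entry('flask_dev'), IOS_GOOGLE_CLIENT_ID: entry('main_prod').IOS_GOOGLE_CLIENT_ID }, // constructed defect: prod ID reused
};

// Fail closed: an unknown build type or an empty field throws instead of falling back to another build's IDs.
function selectOAuthConfig(cfg: Record<string, OAuthEntry>, buildType: string): Record<OAuthKey, string> {
  const e = Object.prototype.hasOwnProperty.call(cfg, buildType) ? cfg[buildType] : undefined;
  if (!e) throw new Error(`unknown build type: ${buildType}`);
  for (const k of REQUIRED_KEYS) if (!e[k]) throw new Error(`${buildType}.${k} is missing or empty`);
  return e as Record<OAuthKey, string>;
}

// Audit every entry; flagging a *_prod value that reappears in a non-prod build is an assumed policy.
function auditOAuthConfig(cfg: Record<string, OAuthEntry>): string[] {
  const prod = new Map<string, string>();
  const findings: string[] = [];
  const rows: Array<[string, OAuthKey, string | undefined]> = [];
  for (const b of Object.keys(cfg)) for (const k of REQUIRED_KEYS) rows.push([b, k, cfg[b][k]]);
  for (const [b, k, v] of rows) if (/_prod$/.test(b) && v) prod.set(v, `${b}.${k}`);
  for (const [b, k, v] of rows) {
    if (!v) findings.push(`${b}.${k}: missing or empty`);
    else if (!/_prod$/.test(b) && prod.has(v)) findings.push(`${b}.${k}: reuses ${prod.get(v)}`);
  }
  return findings;
}
```

Running the audit as a unit test over every build type catches a bad entry at CI time, before it surfaces as a failed sign-in in one specific build.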

github-actions Bot commented May 6, 2026

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@metamaskbotv2 metamaskbotv2 Bot added the team-onboarding Onboarding team label May 6, 2026
@github-actions github-actions Bot added the size-S label May 6, 2026

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit c3844b5. Configure here.

Comment thread app/core/OAuthService/OAuthLoginHandlers/config.ts
},
main_prod: {
IOS_GOOGLE_CLIENT_ID:
'795351133007-jcaor637tblrlpuj29shdej3co8bu8kv.apps.googleusercontent.com',
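
Review bot: the main_prod entry now carries IOS_GOOGLE_CLIENT_ID as a string literal, so a mistyped or partially pasted value here only shows up as a failed sign-in in that one build type. Add a unit test that iterates every build-type key of OAUTH_CONFIG, not just main_prod, and asserts each client ID and redirect URI field is a non-empty string.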

@ieow ieow marked this pull request as ready for review May 7, 2026 02:25
@ieow ieow requested a review from a team as a code owner May 7, 2026 02:25
@github-actions github-actions Bot added size-M and removed size-S labels May 7, 2026

github-actions Bot commented May 7, 2026

🔍 Smart E2E Test Selection

  • Selected E2E tags: SmokeSeedlessOnboarding, SmokeWalletPlatform, SmokeIdentity
  • Selected Performance tags: None (no tests recommended)
  • Risk Level: medium
  • AI Confidence: 90%

E2E Test Selection:
The PR refactors how OAuth credentials (Google/Apple client IDs, redirect URIs) are sourced for the seedless onboarding feature. Previously these were read from environment variables (process.env.IOS_GOOGLE_CLIENT_ID, etc.), but now they are hardcoded into the OAUTH_CONFIG object per build type (development, main_prod, main_uat, main_dev, flask_prod, flask_uat, flask_dev). The .js.env.example file removes the corresponding env var definitions.

This change directly impacts:

  1. SmokeSeedlessOnboarding: The OAuth credentials used for Google and Apple social login flows are now sourced from config. If the config values are incorrect or the refactoring has a bug, all seedless onboarding flows (new user creation, existing user detection, lock/unlock, wallet reset, add SRP) would break.
  2. SmokeWalletPlatform: Per the SmokeSeedlessOnboarding tag description, wallet lifecycle events are related.
  3. SmokeIdentity: Per the SmokeSeedlessOnboarding tag description, account sync after social login is related.

The risk is medium because: the change is a straightforward refactoring (env vars → config object), the values appear correct (matching what was in .js.env.example), and unit tests have been updated to validate the new approach. However, the OAuth flow is critical for seedless onboarding users and any misconfiguration could break authentication entirely.

Performance Test Selection:
This change is purely a configuration refactoring - moving OAuth credential sourcing from environment variables to a hardcoded config object. There is no UI rendering, data loading, state management, or critical user flow performance impact. No performance tests are warranted.

sonarqubecloud Bot commented May 7, 2026

@grvgoel81 grvgoel81 left a comment

lgtm

@ieow ieow added this pull request to the merge queue May 7, 2026
Merged via the queue into main with commit 0beac7b May 7, 2026
103 of 105 checks passed
@ieow ieow deleted the cw/update-clientId branch May 7, 2026 06:30
@github-actions github-actions Bot locked and limited conversation to collaborators May 7, 2026
@metamaskbotv2 metamaskbotv2 Bot added the release-7.77.0 Issue or pull request that will be included in release 7.77.0 label May 7, 2026

Labels

release-7.77.0 Issue or pull request that will be included in release 7.77.0 size-M team-onboarding Onboarding team