fix: support webcredentials cp-7.71.0

[ieow]

Description

This pr patch the expo-web-browser to support https redirect schema
Taking reference from expo-web-browser sdk 55
https://github.com/expo/expo/blob/308031a6665f885811760aff7aebb68aea4a846a/packages/expo-web-browser/ios/WebAuthSession.swift#L36

Fixes: https://github.com/MetaMask/MetaMask-planning/issues/7148

PR list
Part 1/ 4 - #27741
Part 2/ 4 - #27848
Part 3/ 4 - #27850
Part 4/ 4 - #27875

Changelog

CHANGELOG entry: expo-web-browser support https redirect scheme
CHANGELOG entry: use webcredential for ios google login

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Moderate risk because it changes iOS ASWebAuthenticationSession callback configuration and entitlements, which can affect login/redirect flows and associated-domain behavior.

Overview
Enables HTTPS redirect-based auth callbacks on iOS by patching expo-web-browser’s WebAuthSession to use iOS 17.4+/macOS 14.4+ .https(host:path) callbacks when the redirectUrl is https, falling back to the legacy callbackURLScheme behavior otherwise.

Updates iOS entitlements (MetaMask.entitlements and MetaMaskDebug.entitlements) to include webcredentials:link.metamask.io, and wires the patch into the build via a Yarn resolutions entry plus corresponding yarn.lock changes.

^{Written by Cursor Bugbot for commit 7730be3. This will update automatically on new commits. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

[Cal-L]

LGTM

[ieow]

revert the ios client id so that this pr is purely package patch update.
the client id will be updated in next pr

[github-actions]

✅ E2E Fixture Validation — Schema is up to date
17 value mismatches detected (expected — fixture represents an existing user).
View details

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: None (no tests recommended)
• Selected Performance tags: None (no tests recommended)
• Risk Level: low
• AI Confidence: 85%

click to see 🤖 AI reasoning details

E2E Test Selection:
The changes in this PR are:

1. expo-web-browser patch: Patches WebAuthSession.swift in expo-web-browser to support iOS 17.4+ HTTPS-based callbacks for ASWebAuthenticationSession. This is a low-level iOS native improvement for web authentication sessions. No direct app code imports expo-web-browser (grep found zero matches), so it's a transitive dependency fix.

2. iOS entitlements: Adds webcredentials:link.metamask.io to both production and debug entitlements. This enables password autofill / passkey (WebAuthn) support for the link.metamask.io domain on iOS.

3. yarn.lock / package.json: Dependency resolution changes to apply the patch.

These are iOS-specific infrastructure changes with no modifications to app logic, UI components, controllers, or test infrastructure. The changes improve web authentication session handling on newer iOS versions and add webcredentials domain association. No existing E2E tests cover ASWebAuthenticationSession flows or webcredentials directly. The risk is low — these are additive changes that don't modify existing behavior for older iOS versions (the patch uses #available(iOS 17.4, *) guard). No performance impact is expected.

Performance Test Selection:
No performance-sensitive code paths are modified. These are iOS entitlement and native web auth session changes with no impact on rendering, data loading, or app startup performance.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud