From ce3b3f67ff38f040ab95c016311c15daea2a5845 Mon Sep 17 00:00:00 2001
From: ieow <4881057+ieow@users.noreply.github.com>
Date: Tue, 24 Mar 2026 09:16:16 +0000
Subject: [PATCH] chore(runway): cherry-pick fix: support webcredentials
 cp-7.71.0 (#27741)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

<!--
Please submit this PR as a draft initially.
Do not mark it as "Ready for review" until the template has been
completely filled out, and PR status checks have passed at least once.
-->

## **Description**
This pr patch the expo-web-browser to support https redirect schema
Taking reference from expo-web-browser sdk 55

https://github.com/expo/expo/blob/308031a6665f885811760aff7aebb68aea4a846a/packages/expo-web-browser/ios/WebAuthSession.swift#L36

<!--
Write a short description of the changes included in this pull request,
also include relevant motivation and context. Have in mind the following
questions:
1. What is the reason for the change?
2. What is the improvement/solution?
-->

## **Changelog**

<!--
If this PR is not End-User-Facing and should not show up in the
CHANGELOG, you can choose to either:
1. Write `CHANGELOG entry: null`
2. Label with `no-changelog`

If this PR is End-User-Facing, please write a short User-Facing
description in the past tense like:
`CHANGELOG entry: Added a new tab for users to see their NFTs`
`CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker`

(This helps the Release Engineer do their job more quickly and
accurately)
-->

CHANGELOG entry: expo-web-browser support https redirect scheme
CHANGELOG entry: use webcredential for ios google login

## **Related issues**

Fixes:

## **Manual testing steps**

```gherkin
Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]
```

## **Screenshots/Recordings**

<!-- If applicable, add screenshots and/or recordings to visualize the
before and after of your change. -->

### **Before**

<!-- [screenshots/recordings] -->

### **After**

<!-- [screenshots/recordings] -->

## **Pre-merge author checklist**

- [ ] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile
Coding
Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [ ] I've completed the PR template to the best of my ability
- [ ] I've included tests if applicable
- [ ] I've documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [ ] I've applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.


<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Moderate risk because it changes iOS `ASWebAuthenticationSession`
callback configuration and entitlements, which can affect login/redirect
flows and associated-domain behavior.
>
> **Overview**
> Enables **HTTPS redirect-based auth callbacks** on iOS by patching
`expo-web-browser`’s `WebAuthSession` to use iOS 17.4+/macOS 14.4+
`.https(host:path)` callbacks when the `redirectUrl` is `https`, falling
back to the legacy `callbackURLScheme` behavior otherwise.
>
> Updates iOS entitlements (`MetaMask.entitlements` and
`MetaMaskDebug.entitlements`) to include
`webcredentials:link.metamask.io`, and wires the patch into the build
via a Yarn `resolutions` entry plus corresponding `yarn.lock` changes.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
7730be370643b502854f27531eb6ccad29619946. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---
 ...po-web-browser-npm-14.0.2-98d00ce880.patch | 50 +++++++++++++++++++
 ios/MetaMask/MetaMask.entitlements            |  1 +
 ios/MetaMask/MetaMaskDebug.entitlements       |  1 +
 package.json                                  |  3 +-
 yarn.lock                                     | 12 ++++-
 5 files changed, 65 insertions(+), 2 deletions(-)
 create mode 100644 .yarn/patches/expo-web-browser-npm-14.0.2-98d00ce880.patch

diff --git a/.yarn/patches/expo-web-browser-npm-14.0.2-98d00ce880.patch b/.yarn/patches/expo-web-browser-npm-14.0.2-98d00ce880.patch
new file mode 100644
index 00000000000..94024b5585b
--- /dev/null
+++ b/.yarn/patches/expo-web-browser-npm-14.0.2-98d00ce880.patch
@@ -0,0 +1,50 @@
+diff --git a/ios/WebAuthSession.swift b/ios/WebAuthSession.swift
+index 0d8101b01d7c6cd803acf6a359ceaa026993bdd0..c1beeabd962e561bf48392d58c084272247a95cc 100644
+--- a/ios/WebAuthSession.swift
++++ b/ios/WebAuthSession.swift
+@@ -20,17 +20,34 @@ final internal class WebAuthSession {
+   private var presentationContextProvider = PresentationContextProvider()
+ 
+   init(authUrl: URL, redirectUrl: URL?, options: AuthSessionOptions) {
+-    self.authSession = ASWebAuthenticationSession(
+-      url: authUrl,
+-      callbackURLScheme: redirectUrl?.scheme,
+-      completionHandler: { callbackUrl, error in
+-        self.finish(with: [
+-          "type": callbackUrl != nil ? "success" : "cancel",
+-          "url": callbackUrl?.absoluteString,
+-          "error": error?.localizedDescription
+-        ])
+-      }
+-    )
++    let completionHandler: (URL?, Error?) -> Void = { callbackUrl, error in
++      self.finish(with: [
++        "type": callbackUrl != nil ? "success" : "cancel",
++        "url": callbackUrl?.absoluteString,
++        "error": error?.localizedDescription
++      ])
++    }
++
++    // iOS 17.4+/macOS 14.4+ supports HTTPS callbacks with host/path matching
++    if #available(iOS 17.4, macOS 14.4, *),
++       let redirectUrl,
++       redirectUrl.scheme?.lowercased() == "https",
++       let host = redirectUrl.host(percentEncoded: false),
++       !host.isEmpty {
++      let rawPath = redirectUrl.path
++      let path = (rawPath.isEmpty || rawPath == "/") ? "" : rawPath
++      self.authSession = ASWebAuthenticationSession(
++        url: authUrl,
++        callback: .https(host: host, path: path),
++        completionHandler: completionHandler
++      )
++    } else {
++      self.authSession = ASWebAuthenticationSession(
++        url: authUrl,
++        callbackURLScheme: redirectUrl?.scheme,
++        completionHandler: completionHandler
++      )
++    }
+     self.authSession?.prefersEphemeralWebBrowserSession = options.preferEphemeralSession
+   }
+ 
diff --git a/ios/MetaMask/MetaMask.entitlements b/ios/MetaMask/MetaMask.entitlements
index 8a7c420fb63..5b41008a05e 100644
--- a/ios/MetaMask/MetaMask.entitlements
+++ b/ios/MetaMask/MetaMask.entitlements
@@ -15,6 +15,7 @@
 		<string>applinks:metamask-alternate.app.link</string>
 		<string>applinks:link.metamask.io</string>
 		<string>applinks:link-test.metamask.io</string>
+		<string>webcredentials:link.metamask.io</string>
 	</array>
 	<key>com.apple.developer.in-app-payments</key>
 	<array>
diff --git a/ios/MetaMask/MetaMaskDebug.entitlements b/ios/MetaMask/MetaMaskDebug.entitlements
index bb932ad1889..e4cafc45491 100644
--- a/ios/MetaMask/MetaMaskDebug.entitlements
+++ b/ios/MetaMask/MetaMaskDebug.entitlements
@@ -15,6 +15,7 @@
 		<string>applinks:metamask-alternate.app.link</string>
 		<string>applinks:link.metamask.io</string>
 		<string>applinks:link-test.metamask.io</string>
+		<string>webcredentials:link.metamask.io</string>
 	</array>
 	<key>com.apple.developer.in-app-payments</key>
 	<array>
diff --git a/package.json b/package.json
index 53e998ccddc..1fd95d9ba02 100644
--- a/package.json
+++ b/package.json
@@ -185,7 +185,8 @@
     "@metamask/accounts-controller": "37.0.0",
     "@metamask/core-backend": "^5.0.0",
     "bn.js@npm:4.11.6": "4.12.3",
-    "bn.js@npm:5.2.1": "5.2.3"
+    "bn.js@npm:5.2.1": "5.2.3",
+    "expo-web-browser@npm:~14.0.2": "patch:expo-web-browser@npm%3A14.0.2#~/.yarn/patches/expo-web-browser-npm-14.0.2-98d00ce880.patch"
   },
   "dependencies": {
     "@config-plugins/detox": "^9.0.0",
diff --git a/yarn.lock b/yarn.lock
index 1bfe4fef13d..c98b0ac0f33 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -29212,7 +29212,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"expo-web-browser@npm:~14.0.2":
+"expo-web-browser@npm:14.0.2":
   version: 14.0.2
   resolution: "expo-web-browser@npm:14.0.2"
   peerDependencies:
@@ -29222,6 +29222,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"expo-web-browser@patch:expo-web-browser@npm%3A14.0.2#~/.yarn/patches/expo-web-browser-npm-14.0.2-98d00ce880.patch":
+  version: 14.0.2
+  resolution: "expo-web-browser@patch:expo-web-browser@npm%3A14.0.2#~/.yarn/patches/expo-web-browser-npm-14.0.2-98d00ce880.patch::version=14.0.2&hash=158d79"
+  peerDependencies:
+    expo: "*"
+    react-native: "*"
+  checksum: 10/68989f3d82afed74782e67aa9106df73c76a817cea8f7dbee54206177efb7176962f050b421699cebeb87a0cf2acad501e2dcf9d1e94d487b3fde07c8c20dc99
+  languageName: node
+  linkType: hard
+
 "expo@npm:~52.0.47":
   version: 52.0.47
   resolution: "expo@npm:52.0.47"