Fix apple auth scope (0xsequence#950) #243

Closed
Dargon789 wants to merge 10 commits into Dargon789:0xsequence-1.9.19 from 0xsequence:master

@Dargon789 Dargon789 commented Jan 24, 2026

2c49090
15de255

Summary by Sourcery

Adjust authentication and session utilities in the dapp client while fixing Apple OAuth handling and updating package versions and changelogs across the workspace.

New Features:

  • Expose new explicit session configuration helpers and related types from the dapp client utilities and public API.
  • Extend supported login methods with an EOA login option in the dapp client types.

Bug Fixes:

  • Update the auth code handler to omit the OAuth scope parameter for Apple signups to align with Apple auth requirements.

Enhancements:

  • Re-export additional wallet primitive types and network-related helpers from the dapp client entrypoint for easier consumer access.

Build:

  • Bump multiple packages to the 3.0.0-beta.10 prerelease and record corresponding changesets and changelog entries reflecting dapp-client and Apple auth updates.

Tests:

  • Extend auth code handler tests to assert that Apple authorization URLs no longer include a scope parameter.

Chores:

  • Add repository-wide changesets to track dapp-client updates, Apple auth fixes, and EOA login support.


sourcery-ai bot commented Jan 24, 2026

Reviewer's Guide

Adjusts OAuth scope handling for Apple login, enhances dapp-client session utilities and exports, extends supported login methods with EOA, and rolls forward package versions and changelogs across the monorepo for new beta releases focused on Apple auth fixes and dapp-client updates.

Sequence diagram for updated Apple OAuth auth code URL generation

sequenceDiagram
  participant DappClient
  participant AuthCodeHandler
  participant OAuthProvider

  DappClient->>AuthCodeHandler: buildAuthUrl(signupKind)
  AuthCodeHandler->>AuthCodeHandler: init URLSearchParams(client_id, redirect_uri, response_type, state)
  alt signupKind is apple
    AuthCodeHandler->>AuthCodeHandler: do not set scope parameter
  else other OAuth providers
    AuthCodeHandler->>AuthCodeHandler: set scope=openid profile email
  end
  AuthCodeHandler-->>DappClient: oauthUrlWithQuery
  DappClient->>OAuthProvider: redirect user to oauthUrlWithQuery

Class diagram for new explicit session configuration types and updated login methods

classDiagram
  class SessionDuration {
    +number days
    +number hours
    +number minutes
  }

  class NativeTokenSpending {
    +bigint valueLimit
    +Address.Address[] allowedRecipients
  }

  class ExplicitSessionParams {
    +number chainId
    +SessionDuration expiresIn
    +Permission.Permission[] permissions
    +NativeTokenSpending nativeTokenSpending
  }

  class ExplicitSessionConfig {
    +number chainId
    +bigint valueLimit
    +bigint deadline
    +Permission.Permission[] permissions
  }

  class DappClientUtils {
    +createExplicitSessionConfig(params ExplicitSessionParams) ExplicitSessionConfig
  }

  class LoginMethod {
    google
    apple
    email
    passkey
    mnemonic
    eoa
  }

  ExplicitSessionParams --> SessionDuration : expiresIn
  ExplicitSessionParams --> NativeTokenSpending : nativeTokenSpending
  DappClientUtils ..> ExplicitSessionConfig : creates
  DappClientUtils ..> ExplicitSessionParams : uses

Flow diagram for createExplicitSessionConfig logic

flowchart TD
  A["Start createExplicitSessionConfig(params)"] --> B["Compute nowInSeconds from Date.now()"]
  B --> C["Calculate sessionLifetimeSeconds from expiresIn days, hours, minutes"]
  C --> D["deadline = nowInSeconds + BigInt(sessionLifetimeSeconds)"]
  D --> E{"params.permissions is empty?"}
  E -->|"Yes"| F["Throw Error: At least one permission is required"]
  E -->|"No"| G["Read nativeTokenSpending from params"]
  G --> H["Set valueLimit from nativeTokenSpending or 0n"]
  H --> I["Collect nativeTokenReceivers from allowedRecipients"]
  I --> J["Map nativeTokenReceivers to nativeTokenSpendingPermissions"]
  J --> K["Merge params.permissions with nativeTokenSpendingPermissions"]
  K --> L["Return ExplicitSessionConfig { chainId, valueLimit, deadline, permissions }"]

File-Level Changes

Change: Introduce utilities for building explicit session configs and re-export additional dapp-client helpers and types.
Details:
  • Add SessionDuration, NativeTokenSpending, and ExplicitSessionParams helper types to describe explicit session creation inputs.
  • Implement createExplicitSessionConfig to compute deadline, value limits, and permissions (including native token spending permissions) from the helper types.
  • Export VALUE_FORWARDER_ADDRESS from utils and re-export new helpers (createExplicitSessionConfig, network/relayer/RPC URL getters, VALUE_FORWARDER_ADDRESS) plus ExplicitSession-related types and Network/MessageType/TransportMessage from the dapp-client package entrypoint.
Files:
  • packages/wallet/dapp-client/src/utils/index.ts
  • packages/wallet/dapp-client/src/index.ts

Change: Adjust Apple OAuth authorization URL to omit the scope parameter and update tests accordingly.
Details:
  • Change AuthCodeHandler authorization URL construction to only include scope for non-Apple signup kinds, leaving it out when signupKind is 'apple'.
  • Update authcode handler tests to assert that generated Apple authorize URLs do not contain a scope query parameter.
Files:
  • packages/wallet/wdk/src/sequence/handlers/authcode.ts
  • packages/wallet/wdk/test/authcode.test.ts

Change: Extend supported login methods and align typings with new flows.
Details:
  • Add 'eoa' as a valid LoginMethod value to support EOA login in the dapp client.
Files:
  • packages/wallet/dapp-client/src/types/index.ts

Change: Version bump and changelog entries for Apple auth fixes and dapp-client updates across packages.
Details:
  • Update multiple package.json versions from 3.0.0-beta.6 to 3.0.0-beta.10 across services, utils, wallet-core, dapp-client, wallet-primitives, and wallet-wdk.
  • Add corresponding CHANGELOG entries describing Apple auth fixes, dapp-client updates, and EOA login support for the new beta versions.
  • Add changeset files documenting patch releases for Apple auth fixes and dapp-client/EOA login updates.
Files:
  • packages/services/api/package.json
  • packages/services/builder/package.json
  • packages/services/guard/package.json
  • packages/services/identity-instrument/package.json
  • packages/services/indexer/package.json
  • packages/services/marketplace/package.json
  • packages/services/metadata/package.json
  • packages/services/relayer/package.json
  • packages/services/userdata/package.json
  • packages/utils/abi/package.json
  • packages/wallet/core/package.json
  • packages/wallet/dapp-client/package.json
  • packages/wallet/primitives/package.json
  • packages/wallet/wdk/package.json
  • packages/services/api/CHANGELOG.md
  • packages/services/builder/CHANGELOG.md
  • packages/services/guard/CHANGELOG.md
  • packages/services/identity-instrument/CHANGELOG.md
  • packages/services/indexer/CHANGELOG.md
  • packages/services/marketplace/CHANGELOG.md
  • packages/services/metadata/CHANGELOG.md
  • packages/services/userdata/CHANGELOG.md
  • packages/utils/abi/CHANGELOG.md
  • packages/wallet/core/CHANGELOG.md
  • packages/wallet/dapp-client/CHANGELOG.md
  • packages/wallet/primitives/CHANGELOG.md
  • packages/wallet/wdk/CHANGELOG.md
  • .changeset/crisp-zoos-retire.md
  • .changeset/new-turkeys-double.md
  • .changeset/nice-tips-slide.md
  • .changeset/tiny-files-chew.md

Possibly linked issues

  • 3.0.0-beta.10 #237: They match: both introduce explicit session helpers, EOA login, and Apple auth scope omission with related version bumps.
  • 3.0.0-beta.9 #214: PR fulfills the issue by adding explicit session config utilities, EOA login support, and fixing Apple OAuth scope handling.
  • Wagmi project #199: PR implements the Apple-specific OAuth scope omission in AuthCodeHandler and tests exactly as described in the issue.

snyk-io bot commented Jan 24, 2026

Snyk checks have passed. No issues have been found so far.

Scanner: Open Source Security
Critical: 0, High: 0, Medium: 0, Low: 0, Total: 0 issues

@gemini-code-assist

Summary of Changes

Hello @Dargon789, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on refining the Apple authentication process within the system by ensuring the correct handling of OAuth scopes. Concurrently, it significantly upgrades the dapp-client capabilities, offering developers enhanced control over user session configurations, such as setting explicit session durations and managing native token spending permissions. It also broadens login options by integrating support for EOA logins. These functional improvements are accompanied by a synchronized version bump across many core @0xsequence packages.

Highlights

  • Apple Authentication Scope Fix: The scope parameter is now conditionally omitted from Apple authentication URLs in the AuthCodeHandler to align with Apple's OAuth requirements, resolving a potential authentication issue.
  • dapp-client Enhancements: New utilities and types have been introduced in dapp-client for more flexible explicit session management, including createExplicitSessionConfig for defining session duration and native token spending limits.
  • EOA Login Support: The LoginMethod type in dapp-client has been extended to include 'eoa', enabling support for Externally Owned Account (EOA) logins.
  • Widespread Version Update: Numerous @0xsequence packages across services, utilities, and wallet components have been updated to version 3.0.0-beta.10, along with corresponding changelog entries.

@sourcery-ai sourcery-ai bot left a comment

Hey - I've left some high-level feedback:

  • In createExplicitSessionConfig, sessionLifetimeSeconds is calculated as a plain number before being cast to BigInt; consider either validating upper bounds or doing the arithmetic in BigInt to avoid potential overflow if very large durations are passed in.
  • createExplicitSessionConfig currently allows an expiresIn of all zeros, resulting in an immediate expiry; if this is not desired, consider enforcing a minimum non-zero duration or throwing when the computed lifetime is zero.

@Dargon789 Dargon789 enabled auto-merge (squash) January 24, 2026 04:42
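
The two points in Sourcery's review above (lifetime computed as a plain number, and an all-zero expiresIn), shown as an added example that is not code from this pull request or from the dapp-client package. It follows the flow diagram on this page; the name createExplicitSessionConfigChecked, the injectable nowMs argument, the 365-day cap and the { target, rules } permission shape are assumptions.

```javascript
// Added example: not the dapp-client implementation. Field names follow the
// class diagram on this page; the permission shape and the cap are assumptions.
const MAX_LIFETIME_SECONDS = 365n * 86400n; // assumed policy cap, not from the PR

function lifetimeSeconds({ days = 0, hours = 0, minutes = 0 }) {
  for (const [name, v] of Object.entries({ days, hours, minutes })) {
    // Reject NaN, fractions, negatives and values past 2^53 before converting.
    if (!Number.isSafeInteger(v) || v < 0) {
      throw new RangeError(`expiresIn.${name} must be a non-negative safe integer`);
    }
  }
  // All arithmetic in BigInt, so large inputs cannot lose precision.
  const total = BigInt(days) * 86400n + BigInt(hours) * 3600n + BigInt(minutes) * 60n;
  if (total === 0n) throw new RangeError('session lifetime must be non-zero');
  if (total > MAX_LIFETIME_SECONDS) throw new RangeError('session lifetime exceeds cap');
  return total;
}

// nowMs is injectable (hypothetical parameter) so the deadline can be tested.
function createExplicitSessionConfigChecked(params, nowMs = Date.now()) {
  if (!Array.isArray(params.permissions) || params.permissions.length === 0) {
    throw new Error('At least one permission is required');
  }
  const deadline = BigInt(Math.floor(nowMs / 1000)) + lifetimeSeconds(params.expiresIn);
  const spending = params.nativeTokenSpending;
  const valueLimit = spending?.valueLimit ?? 0n;
  // Hypothetical permission shape: one rule-less permission per allowed recipient.
  const nativeTokenSpendingPermissions = (spending?.allowedRecipients ?? []).map(
    (recipient) => ({ target: recipient, rules: [] })
  );
  return {
    chainId: params.chainId,
    valueLimit,
    deadline,
    permissions: [...params.permissions, ...nativeTokenSpendingPermissions],
  };
}
```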

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request correctly fixes an issue with Apple authentication by conditionally omitting the scope parameter, and adds a corresponding test to verify the behavior. It also introduces support for EOA (Externally Owned Account) login and exports new helper functions for creating explicit session configurations. While the changes are generally good, I've identified a logical issue in the new createExplicitSessionConfig helper function that could cause it to incorrectly reject valid session configurations. My review includes a suggestion to fix this.

@Dargon789 Dargon789 left a comment

@Dargon789 Dargon789 disabled auto-merge January 25, 2026 16:25

vercel bot commented Jan 26, 2026

@tolgahan-arikan is attempting to deploy a commit to the Foundry development Team on Vercel.

A member of the Team first needs to authorize it.


vercel bot commented Jan 28, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
sequence.js Canceled Canceled Jan 28, 2026 1:35pm
wagmi-project Canceled Canceled Jan 28, 2026 1:35pm
