feat(react): enable OAuth in React Native

[andrascodes]

This PR is part of a stack created with Aviator. feat(expo-example): add export wallet on mobile #168 feat(expo-example): configure and add magic link login #142 fix(expo-example): add EAS local build config and fix HMR bug with secureStoreStamper #141 feat(expo-example): migrate to expo-router #131 ➡️ feat(react): enable OAuth in React Native #80 main

Closes FS-1922, FS-2000

This PR comes after #124. So make sure you review #124 before this one if you want to go in a chronological order.

Update: Changed this PR to be on top of the stack and added Passkeys and Android setup before this. This way this PR can be tested by just running pnpm android and using the Android Emulator.

Refactored the OAuth implementation in wallet-react to be more contained in a single place so it's easier to create web and mobile modules for it.
The new structure of the authenticateOAuth action looks like this:

// setup - same as it was
// `getSessionId` - injected module for web and mobile, this takes care of opening the popup and waiting for the sessionId, sessionId is the result of a Promise
// `completeAuth` - calling `wallet.auth` and changing the state, this used to be here too so basically unchanged

The main change is the behavior of the web OAuth flow. The new code doesn't rely on using postMessage and a message listener anymore. It instead polls for the URL change of the popup. The main advantage of this is that we don't need any of the additional code that we had in the old logic where the popup had to open, load the app, run JS to detect the OAuth callback and complete the auth with the sessionId. We can do that all in the getSessionIdWeb module. This meant that we could get rid of the OAuth related code in connector.ts.
So the new logic just checks the URL of the popup every 250ms and if it's on the same origin (same URL as the app) then it tries to get the sessionId param off of the query params.
An additional security advantage to this is that checking for same origin is implicit as we can't get the popup's URL across origins. So if the popup is still on the Google OAuth flow the check errors on popup.location.href already. In the old flow we had to make sure to check for origin === expectedOrigin to be secure.

[SahilVasava]

Architecture is right — pluggable getSessionId is a much cleaner native story than what the old design could have grown into. Five inline notes:

• 🟡 No timeout on getSessionIdWeb — promise hangs on stuck popups
• 🟡 popup.closed checked before URL — closed-vs-success race
• 🟡 Native dismissBrowser() only on success — auth tab stays open on error
• 🟡 Same returnTo path-drop as #143 fixed — cherry-pick when rebasing
• 🟡 Variables type only in this hook — drop by aligning action's Parameters

Nothing blocking the architectural direction; all addressable in this PR or follow-ups.