feat: add shared auth flow for iOS handoff

Author: Garzas

app/build.gradle.kts

@@ -201,6 +201,7 @@ dependencies {
     implementationWithCoverage(projects.features.sketch)
     implementationWithCoverage(projects.features.meetings)
     implementationWithCoverage(projects.features.sync)
+    implementationWithCoverage(projects.shared.auth)
 
     // Anonymous Analytics
     val flavors = getFlavorsSettings()

app/src/main/kotlin/com/wire/android/ui/authentication/login/email/LoginEmailViewModel.kt

@@ -80,6 +80,7 @@ class LoginEmailViewModel constructor(
     private val dispatchers: DispatcherProvider,
     defaultServerConfig: ServerConfig.Links,
     @DefaultWebSocketEnabledByDefault private val defaultWebSocketEnabledByDefault: Boolean,
+    private val sharedAuthLoginEmailAdapter: SharedAuthLoginEmailAdapter = LegacySharedAuthLoginEmailAdapter,
 ) : LoginViewModel(
     loginNavArgs,
     clientScopeProviderFactory,
@@ -160,6 +161,7 @@ class LoginEmailViewModel constructor(
                     null
                 }
             }
+            if (tryLoginWithSharedAuth(usernameAllowed)) return@launch
             // first, cancel and revert any previous login if it's still running, just to be sure
             revertLogin()
             // then, start a new login job
@@ -172,6 +174,30 @@ class LoginEmailViewModel constructor(
         }
     }
 
+    private suspend fun tryLoginWithSharedAuth(usernameAllowed: Boolean): Boolean =
+        sharedAuthLoginEmailAdapter.tryLogin(
+            request = SharedAuthLoginEmailRequest(
+                userIdentifier = userIdentifierTextState.text.toString(),
+                password = passwordTextState.text.toString(),
+                secondFactorVerificationCode = secondFactorVerificationCodeTextState.text.toString(),
+                usernameAllowed = usernameAllowed,
+                serverConfig = serverConfig,
+            ),
+            callbacks = object : SharedAuthLoginEmailCallbacks {
+                override suspend fun updateFlowState(flowState: LoginState) {
+                    updateEmailFlowState(flowState)
+                }
+
+                override suspend fun updateSecondFactorState(update: (VerificationCodeState) -> VerificationCodeState) {
+                    secondFactorVerificationCodeState = update(secondFactorVerificationCodeState)
+                }
+
+                override suspend fun startResendCodeTimer() {
+                    this@LoginEmailViewModel.startResendCodeTimer()
+                }
+            }
+        )
+
     @Suppress("LongMethod")
     private fun startLoginJob(usernameAllowed: Boolean): Job {
         return viewModelScope.launch {

app/src/main/kotlin/com/wire/android/ui/authentication/login/email/SharedAuthLoginEmailAdapter.kt

@@ -0,0 +1,57 @@
+/*
+ * Wire
+ * Copyright (C) 2026 Wire Swiss GmbH
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
+ */
+
+package com.wire.android.ui.authentication.login.email
+
+import com.wire.android.ui.authentication.login.LoginState
+import com.wire.android.ui.authentication.verificationcode.VerificationCodeState
+import com.wire.kalium.logic.configuration.server.ServerConfig
+
+/**
+ * Android-side boundary for replacing the email/password login step with shared/auth.
+ *
+ * A future implementation should adapt shared/auth state and effects to the existing Android UI contract.
+ * Android keeps text fields, resources, navigation, proxy form rendering and screen lifecycle ownership.
+ */
+fun interface SharedAuthLoginEmailAdapter {
+    suspend fun tryLogin(
+        request: SharedAuthLoginEmailRequest,
+        callbacks: SharedAuthLoginEmailCallbacks,
+    ): Boolean
+}
+
+data class SharedAuthLoginEmailRequest(
+    val userIdentifier: String,
+    val password: String,
+    val secondFactorVerificationCode: String,
+    val usernameAllowed: Boolean,
+    val serverConfig: ServerConfig.Links,
+)
+
+interface SharedAuthLoginEmailCallbacks {
+    suspend fun updateFlowState(flowState: LoginState)
+    suspend fun updateSecondFactorState(update: (VerificationCodeState) -> VerificationCodeState)
+    suspend fun startResendCodeTimer()
+}
+
+object LegacySharedAuthLoginEmailAdapter : SharedAuthLoginEmailAdapter {
+    override suspend fun tryLogin(
+        request: SharedAuthLoginEmailRequest,
+        callbacks: SharedAuthLoginEmailCallbacks,
+    ): Boolean = false
+}

app/src/main/kotlin/com/wire/android/ui/newauthentication/login/NewLoginViewModel.kt

@@ -78,6 +78,7 @@ class NewLoginViewModel(
     defaultServerConfig: ServerConfig.Links,
     defaultSSOCodeConfig: String,
     private val recoverableLogoutExceptionDetector: NewLoginRecoverableLogoutExceptionDetector,
+    private val sharedAuthNewLoginAdapter: SharedAuthNewLoginAdapter = LegacySharedAuthNewLoginAdapter,
 ) : ActionsViewModel<NewLoginAction>() {
 
     private val preFilledUserIdentifier: PreFilledUserIdentifierType = loginNavArgs.userHandle ?: PreFilledUserIdentifierType.None
@@ -146,6 +147,7 @@ class NewLoginViewModel(
         viewModelScope.launch(dispatchers.io()) {
             updateLoginFlowState(NewLoginFlowState.Loading)
             val sanitizedInput = userIdentifierTextState.text.trim().toString()
+            if (tryStartSharedAuthLogin(sanitizedInput)) return@launch
             when (validateEmailOrSSOCode(sanitizedInput)) {
                 ValidateEmailOrSSOCodeUseCase.Result.InvalidInput -> {
                     updateLoginFlowState(NewLoginFlowState.Error.TextFieldError.InvalidValue)
@@ -163,6 +165,43 @@ class NewLoginViewModel(
         }
     }
 
+    private suspend fun tryStartSharedAuthLogin(userIdentifier: String): Boolean =
+        sharedAuthNewLoginAdapter.tryStartLogin(
+            request = SharedAuthNewLoginRequest(
+                userIdentifier = userIdentifier,
+                serverConfig = serverConfig,
+                customServerConfig = loginNavArgs.loginPasswordPath?.customServerConfig,
+            ),
+            callbacks = object : SharedAuthNewLoginCallbacks {
+                override suspend fun showInvalidInput() {
+                    updateLoginFlowState(NewLoginFlowState.Error.TextFieldError.InvalidValue)
+                }
+
+                override suspend fun showGenericError(failure: CoreFailure) {
+                    updateLoginFlowState(NewLoginFlowState.Error.DialogError.GenericError(failure))
+                }
+
+                override suspend fun showCustomServerDialog(serverLinks: ServerConfig.Links) {
+                    updateLoginFlowState(NewLoginFlowState.CustomConfigDialog(serverLinks))
+                }
+
+                override suspend fun openEmailPassword(userIdentifier: String, loginPasswordPath: LoginPasswordPath) {
+                    sendAction(NewLoginAction.EmailPassword(userIdentifier, loginPasswordPath))
+                    updateLoginFlowState(NewLoginFlowState.Default)
+                }
+
+                override suspend fun openSso(url: String, config: SSOUrlConfig) {
+                    sendAction(NewLoginAction.SSO(url, config))
+                    updateLoginFlowState(NewLoginFlowState.Default)
+                }
+
+                override suspend fun openEnterpriseLoginNotSupported(userIdentifier: String) {
+                    sendAction(NewLoginAction.EnterpriseLoginNotSupported(userIdentifier))
+                    updateLoginFlowState(NewLoginFlowState.Default)
+                }
+            }
+        )
+
     @VisibleForTesting
     internal suspend fun getEnterpriseLoginFlow(email: String) = withContext(dispatchers.io()) {
         ssoExtension.withAuthenticationScope(

app/src/main/kotlin/com/wire/android/ui/newauthentication/login/SharedAuthNewLoginAdapter.kt

@@ -0,0 +1,59 @@
+/*
+ * Wire
+ * Copyright (C) 2026 Wire Swiss GmbH
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
+ */
+
+package com.wire.android.ui.newauthentication.login
+
+import com.wire.android.ui.authentication.login.LoginPasswordPath
+import com.wire.android.ui.authentication.login.sso.SSOUrlConfig
+import com.wire.kalium.common.error.CoreFailure
+import com.wire.kalium.logic.configuration.server.ServerConfig
+
+/**
+ * Android-side boundary for replacing the new login identifier step with shared/auth.
+ *
+ * The production shared/auth implementation should map shared state/effects into these Android callbacks.
+ * Android keeps Compose text fields, navigation, dialogs, custom tabs and resources in app.
+ */
+fun interface SharedAuthNewLoginAdapter {
+    suspend fun tryStartLogin(
+        request: SharedAuthNewLoginRequest,
+        callbacks: SharedAuthNewLoginCallbacks,
+    ): Boolean
+}
+
+data class SharedAuthNewLoginRequest(
+    val userIdentifier: String,
+    val serverConfig: ServerConfig.Links,
+    val customServerConfig: ServerConfig.Links?,
+)
+
+interface SharedAuthNewLoginCallbacks {
+    suspend fun showInvalidInput()
+    suspend fun showGenericError(failure: CoreFailure)
+    suspend fun showCustomServerDialog(serverLinks: ServerConfig.Links)
+    suspend fun openEmailPassword(userIdentifier: String, loginPasswordPath: LoginPasswordPath)
+    suspend fun openSso(url: String, config: SSOUrlConfig)
+    suspend fun openEnterpriseLoginNotSupported(userIdentifier: String)
+}
+
+object LegacySharedAuthNewLoginAdapter : SharedAuthNewLoginAdapter {
+    override suspend fun tryStartLogin(
+        request: SharedAuthNewLoginRequest,
+        callbacks: SharedAuthNewLoginCallbacks,
+    ): Boolean = false
+}

shared/auth/build.gradle.kts

@@ -0,0 +1,25 @@
+plugins {
+    id(libs.plugins.wire.kmp.library.get().pluginId)
+    alias(libs.plugins.metro)
+}
+
+kotlin {
+    android {
+        namespace = "com.wire.shared.auth"
+    }
+
+    sourceSets {
+        val commonMain by getting {
+            dependencies {
+                api(libs.coroutines.core)
+            }
+        }
+
+        val commonTest by getting {
+            dependencies {
+                implementation(kotlin("test"))
+                implementation(libs.coroutines.test)
+            }
+        }
+    }
+}

shared/auth/src/commonMain/kotlin/com/wire/shared/auth/AuthLoginSuccessPayload.kt

@@ -0,0 +1,43 @@
+/*
+ * Wire
+ * Copyright (C) 2026 Wire Swiss GmbH
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
+ */
+package com.wire.shared.auth
+
+data class AuthLoginSuccessPayload(
+    val userIdValue: String,
+    val userIdDomain: String?,
+    val accessTokenValue: String,
+    val accessTokenType: String,
+    val accessTokenExpiresInSeconds: Int?,
+    val refreshTokenValue: String,
+    val refreshTokenCookieName: String = REFRESH_TOKEN_COOKIE_NAME,
+    val refreshTokenCookieDomain: String?,
+    val refreshTokenCookiePath: String = REFRESH_TOKEN_COOKIE_PATH,
+    val refreshTokenCookieSecure: Boolean = true,
+    val refreshTokenCookieHttpOnly: Boolean = true,
+    val email: String?,
+    val password: String?,
+    val secondFactorCode: String?,
+    val initialSyncCompleted: Boolean,
+    val isE2EIRequired: Boolean,
+    val clientId: String?,
+) {
+    companion object {
+        const val REFRESH_TOKEN_COOKIE_NAME = "zuid"
+        const val REFRESH_TOKEN_COOKIE_PATH = "/"
+    }
+}

shared/auth/src/commonMain/kotlin/com/wire/shared/auth/CoroutineScopeExt.kt

@@ -0,0 +1,25 @@
+/*
+ * Wire
+ * Copyright (C) 2026 Wire Swiss GmbH
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
+ */
+package com.wire.shared.auth
+
+import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.Job
+
+internal fun CoroutineScope.cancelScope() {
+    coroutineContext[Job]?.cancel()
+}

shared/auth/src/commonMain/kotlin/com/wire/shared/auth/NoEffect.kt

@@ -0,0 +1,20 @@
+/*
+ * Wire
+ * Copyright (C) 2026 Wire Swiss GmbH
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
+ */
+package com.wire.shared.auth
+
+data object NoEffect

shared/auth/src/commonMain/kotlin/com/wire/shared/auth/SharedAuthConfig.kt

@@ -0,0 +1,29 @@
+/*
+ * Wire
+ * Copyright (C) 2026 Wire Swiss GmbH
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
+ */
+package com.wire.shared.auth
+
+import com.wire.shared.auth.login.model.LoginServerLinks
+
+data class SharedAuthConfig(
+    val defaultServerLinks: LoginServerLinks,
+    val isThereActiveSession: Boolean = false,
+    val maxAccountsReached: Boolean = false,
+    val nomadAccountBlocksLogin: Boolean = false,
+    val isAccountCreationAllowed: Boolean = true,
+    val useNewRegistration: Boolean = true,
+)