fix: preserve custom-scheme redirect_uri in standalone session flow (#2481)

## Summary
- preserve custom-scheme redirect targets when deriving the standalone
session app origin instead of collapsing them to the literal `"null"`
- restore standalone verification to check both `redirect_url` and
`redirect_uri`, matching the session flow inputs
- harden the session consent UI so non-HTTP origins do not crash
`/session`
- add regression coverage for custom-scheme standalone redirects and
redirect param fallback

## Context
- this fixes standalone `/session` flows for apps using custom redirect
schemes such as `cagecalls://open` and `jokers://open`
- this also restores the earlier domain-verification fix for
integrations that only provide `redirect_uri`

## Test plan
- [x] `pnpm --filter @cartridge/keychain exec vitest run
src/hooks/connection.test.ts src/components/session.test.tsx
src/components/ConnectRoute.test.tsx`
- [x] Pre-commit checks via `git commit` (lint, tests, build, graphql
codegen)
- [ ] Verify `/session` completes with `redirect_uri=cagecalls://open`
- [ ] Verify `/session` completes with `redirect_uri=jokers://open`

Author: broody

packages/keychain/src/components/connect/SessionConsent.tsx

@@ -11,10 +11,17 @@ export function SessionConsent({
   variant?: "default" | "slot" | "signup";
 }) {
   const { origin } = useConnection();
-  const hostname = useMemo(
-    () => (origin ? new URL(origin).hostname : undefined),
-    [origin],
-  );
+  const hostname = useMemo(() => {
+    if (!origin) {
+      return undefined;
+    }
+
+    try {
+      return new URL(origin).hostname;
+    } catch {
+      return undefined;
+    }
+  }, [origin]);
 
   switch (variant) {
     case "slot":

packages/keychain/src/components/provider/index.test.tsx

@@ -0,0 +1,184 @@
+import { render, screen } from "@testing-library/react";
+import { PropsWithChildren } from "react";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { Provider } from "./index";
+
+const mockUseConnectionValue = vi.fn();
+
+vi.mock("@/hooks/connection", () => ({
+  useConnectionValue: () => mockUseConnectionValue(),
+}));
+
+vi.mock("@/components/provider/upgrade", () => ({
+  UpgradeProvider: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("@/hooks/wallets", () => ({
+  WalletsProvider: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("@/utils/graphql", () => ({
+  ENDPOINT: "https://example.com",
+}));
+
+vi.mock("@auth0/auth0-react", () => ({
+  Auth0Provider: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("@starknet-react/chains", () => ({
+  mainnet: {},
+  sepolia: {},
+}));
+
+vi.mock("@starknet-react/core", () => ({
+  cartridge: {},
+  jsonRpcProvider: vi.fn(() => ({})),
+  StarknetConfig: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("@turnkey/sdk-react", () => ({
+  TurnkeyProvider: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("react-query", () => ({
+  QueryClient: class {},
+  QueryClientProvider: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("starknet", () => ({
+  constants: {
+    StarknetChainId: {
+      SN_MAIN: "SN_MAIN",
+      SN_SEPOLIA: "SN_SEPOLIA",
+    },
+  },
+  num: {
+    toBigInt: () => 0n,
+  },
+}));
+
+vi.mock("./posthog", () => ({
+  PostHogProvider: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("./tokens", () => ({
+  TokensProvider: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("./ui", () => ({
+  UIProvider: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("@/hooks/features", () => ({
+  FeatureProvider: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("@/components/provider/arcade", () => ({
+  ArcadeProvider: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("@/components/provider/data", () => ({
+  DataProvider: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("@/context", () => ({
+  ToastProvider: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("@/context/quest", () => ({
+  QuestProvider: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("@cartridge/ui/utils/api/indexer", () => ({
+  IndexerAPIProvider: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("@cartridge/ui/utils/api/cartridge", () => ({
+  CartridgeAPIProvider: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("../ErrorBoundary", () => ({
+  ErrorBoundary: ({ children }: PropsWithChildren) => <>{children}</>,
+}));
+
+vi.mock("@cartridge/arcade/marketplace/react", () => ({
+  MarketplaceClientProvider: ({ children }: PropsWithChildren) => (
+    <>{children}</>
+  ),
+}));
+
+vi.mock("@cartridge/ui", () => ({
+  SpinnerIcon: () => <div data-testid="loading-spinner" />,
+}));
+
+const baseConnection = {
+  parent: undefined,
+  controller: undefined,
+  origin: "",
+  rpcUrl: "https://rpc.example.com",
+  project: null,
+  namespace: null,
+  propagateError: false,
+  webauthnPopup: {
+    create: false,
+    get: false,
+  },
+  preset: null,
+  policiesStr: null,
+  theme: {
+    name: "default",
+    verified: true,
+  },
+  isConfigLoading: false,
+  isPoliciesResolved: true,
+  isMainnet: false,
+  verified: true,
+  chainId: undefined,
+  setController: vi.fn(),
+  controllerVersion: undefined,
+  setRpcUrl: vi.fn(),
+  openModal: vi.fn().mockResolvedValue(undefined),
+  logout: vi.fn().mockResolvedValue(undefined),
+  openSettings: vi.fn(),
+  externalDetectWallets: vi.fn().mockResolvedValue([]),
+  externalConnectWallet: vi.fn(),
+  externalSignTypedData: vi.fn(),
+  externalSignMessage: vi.fn(),
+  externalSendTransaction: vi.fn(),
+  externalGetBalance: vi.fn(),
+  externalWaitForTransaction: vi.fn(),
+};
+
+describe("Provider", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockUseConnectionValue.mockReturnValue(baseConnection);
+  });
+
+  it("shows a loading spinner while preset config is loading", () => {
+    mockUseConnectionValue.mockReturnValue({
+      ...baseConnection,
+      isConfigLoading: true,
+    });
+
+    render(
+      <Provider>
+        <div>child content</div>
+      </Provider>,
+    );
+
+    expect(screen.getByTestId("loading-spinner")).toBeInTheDocument();
+    expect(screen.queryByText("child content")).not.toBeInTheDocument();
+  });
+
+  it("renders children once preset config loading has finished", () => {
+    render(
+      <Provider>
+        <div>child content</div>
+      </Provider>,
+    );
+
+    expect(screen.getByText("child content")).toBeInTheDocument();
+    expect(screen.queryByTestId("loading-spinner")).not.toBeInTheDocument();
+  });
+});

packages/keychain/src/components/provider/index.tsx

@@ -26,6 +26,7 @@ import { IndexerAPIProvider } from "@cartridge/ui/utils/api/indexer";
 import { CartridgeAPIProvider } from "@cartridge/ui/utils/api/cartridge";
 import { ErrorBoundary } from "../ErrorBoundary";
 import { MarketplaceClientProvider } from "@cartridge/arcade/marketplace/react";
+import { SpinnerIcon } from "@cartridge/ui";
 
 export function Provider({ children }: PropsWithChildren) {
   const connection = useConnectionValue();
@@ -59,6 +60,14 @@ export function Provider({ children }: PropsWithChildren) {
     [connection.controller, connection.project],
   );
 
+  if (connection.isConfigLoading) {
+    return (
+      <div className="flex h-screen w-screen items-center justify-center bg-background">
+        <SpinnerIcon className="animate-spin text-muted-foreground" size="lg" />
+      </div>
+    );
+  }
+
   return (
     <FeatureProvider>
       <CartridgeAPIProvider url={ENDPOINT}>

packages/keychain/src/hooks/connection.test.ts

@@ -1,4 +1,6 @@
 import {
+  getStandaloneAppOrigin,
+  getStandaloneRedirectUrl,
   isNestedIframe,
   isOriginVerified,
   resolvePolicies,
@@ -79,6 +81,43 @@ describe("isOriginVerified", () => {
   });
 });
 
+describe("getStandaloneAppOrigin", () => {
+  it("should use the URL origin for http redirects", () => {
+    expect(getStandaloneAppOrigin("https://example.com/callback?foo=bar")).toBe(
+      "https://example.com",
+    );
+  });
+
+  it("should preserve custom-scheme redirects instead of collapsing to null", () => {
+    expect(getStandaloneAppOrigin("cagecalls://open")).toBe("cagecalls://open");
+  });
+});
+
+describe("getStandaloneRedirectUrl", () => {
+  it("prefers redirect_url when present", () => {
+    const searchParams = new URLSearchParams({
+      redirect_url: "https://example.com/callback",
+      redirect_uri: "jokers://open",
+    });
+
+    expect(getStandaloneRedirectUrl(searchParams)).toBe(
+      "https://example.com/callback",
+    );
+  });
+
+  it("falls back to redirect_uri when redirect_url is absent", () => {
+    const searchParams = new URLSearchParams({
+      redirect_uri: "jokers://open",
+    });
+
+    expect(getStandaloneRedirectUrl(searchParams)).toBe("jokers://open");
+  });
+
+  it("returns null when no standalone redirect target is present", () => {
+    expect(getStandaloneRedirectUrl(new URLSearchParams())).toBeNull();
+  });
+});
+
 describe("isNestedIframe", () => {
   it("returns false for the top-level window", () => {
     const top = {};