Add headless username lookup and auto-signup connect (#2400)

This adds `controller.lookupUsername(username)` for headless flows,
returning whether an account exists and normalized signer options for
the controller’s configured chain. It also updates headless connect to
auto-signup when a username is missing, while keeping strict signer
matching for existing accounts. The connector now exposes the lookup
helper, and docs were updated with the recommended lookup-first flow.
Tests were added for lookup normalization/error handling and for
password-based headless auto-signup.

Author: tarrencev

packages/connector/src/controller.ts

@@ -38,6 +38,10 @@ export default class ControllerConnector extends InjectedConnector {
     return this.controller.username();
   }
 
+  lookupUsername(username: string) {
+    return this.controller.lookupUsername(username);
+  }
+
   isReady(): boolean {
     return this.controller.isReady();
   }

packages/controller/HEADLESS_MODE.md

@@ -2,20 +2,37 @@
 
 ## Overview
 
-Headless mode enables programmatic authentication with the Cartridge Controller SDK without displaying any UI. You trigger headless mode by passing a `username` and `signer` to `connect(...)`.
+Headless mode enables programmatic authentication with the Cartridge Controller
+SDK without displaying any UI. You trigger headless mode by passing a `username`
+and `signer` to `connect(...)`.
 
 ```
 Controller SDK → Keychain iframe (hidden) → Backend API
 ```
 
 **Key Points**
+
 - The keychain iframe still exists, but the modal is not opened.
 - The SDK passes the connect request to keychain over Penpal.
 - Keychain executes the same authentication logic as the UI flow.
 - No duplicated auth logic in the SDK.
 
 ## Usage
 
+### Username Lookup (Recommended)
+
+Use lookup first so your app can decide whether to login or signup and show the
+available signer methods for existing accounts.
+
+```ts
+const lookup = await controller.lookupUsername("alice");
+
+if (lookup.exists) {
+  // e.g. ["webauthn", "google", "password"]
+  console.log(lookup.signers);
+}
+```
+
 ### Basic (Passkey / WebAuthn)
 
 ```ts
@@ -31,6 +48,9 @@ await controller.connect({
 });
 ```
 
+If `alice` does not exist yet, headless connect will create a new account and
+continue.
+
 ### Password
 
 ```ts
@@ -60,6 +80,7 @@ await controller.connect({ username: "alice", signer: "walletconnect" });
 ## Supported Auth Options
 
 Headless mode supports all **implemented** auth options:
+
 - `webauthn`
 - `password`
 - `google`
@@ -72,8 +93,8 @@ Headless mode supports all **implemented** auth options:
 ## Handling Session Approval
 
 If policies are unverified or include approvals, Keychain will prompt for
-session approval **after** authentication. In that case, `connect` will open
-the approval UI and resolve once the session is approved.
+session approval **after** authentication. In that case, `connect` will open the
+approval UI and resolve once the session is approved.
 
 ```ts
 const account = await controller.connect({
@@ -83,6 +104,7 @@ const account = await controller.connect({
 
 console.log("Session approved:", account.address);
 ```
+
 If you want to react to connection state changes, subscribe to the standard
 wallet events (for example `accountsChanged`) or just await `connect(...)` and
 update your app state afterwards.
@@ -92,9 +114,7 @@ update your app state afterwards.
 The SDK provides specific error classes for headless mode:
 
 ```ts
-import {
-  HeadlessAuthenticationError,
-} from "@cartridge/controller";
+import { HeadlessAuthenticationError } from "@cartridge/controller";
 
 try {
   await controller.connect({ username: "alice", signer: "webauthn" });
@@ -107,7 +127,8 @@ try {
 
 ## Notes
 
-- Headless mode uses the **existing signers** on the controller for the given username.
+- Headless mode can create new accounts when the username does not exist.
+- For existing accounts, the requested signer must already be registered.
 - For passkeys, the account must already have a WebAuthn signer registered.
 - If policies are unverified or include approvals, Keychain will request
   explicit approval after authentication.

packages/controller/src/__tests__/lookupUsername.test.ts

@@ -0,0 +1,166 @@
+import { constants } from "starknet";
+import ControllerProvider from "../controller";
+import { IMPLEMENTED_AUTH_OPTIONS } from "../types";
+
+describe("lookupUsername", () => {
+  beforeEach(() => {
+    (global as any).fetch = jest.fn();
+  });
+
+  afterEach(() => {
+    jest.resetAllMocks();
+  });
+
+  test("returns normalized signer options in canonical order", async () => {
+    (global.fetch as jest.Mock).mockResolvedValue({
+      ok: true,
+      json: async () => ({
+        data: {
+          account: {
+            username: "alice",
+            controllers: {
+              edges: [
+                {
+                  node: {
+                    signers: [
+                      {
+                        isOriginal: true,
+                        isRevoked: false,
+                        metadata: {
+                          __typename: "Eip191Credentials",
+                          eip191: [
+                            { provider: "metamask", ethAddress: "0x1" },
+                            { provider: "google", ethAddress: "0x2" },
+                            { provider: "unknown", ethAddress: "0x3" },
+                          ],
+                        },
+                      },
+                      {
+                        isOriginal: true,
+                        isRevoked: false,
+                        metadata: { __typename: "PasswordCredentials" },
+                      },
+                      {
+                        isOriginal: true,
+                        isRevoked: false,
+                        metadata: { __typename: "WebauthnCredentials" },
+                      },
+                      {
+                        isOriginal: true,
+                        isRevoked: true,
+                        metadata: { __typename: "WebauthnCredentials" },
+                      },
+                      {
+                        isOriginal: true,
+                        isRevoked: false,
+                        metadata: {
+                          __typename: "Eip191Credentials",
+                          eip191: [{ provider: "discord", ethAddress: "0x4" }],
+                        },
+                      },
+                    ],
+                  },
+                },
+              ],
+            },
+          },
+        },
+      }),
+    });
+
+    const provider = new ControllerProvider({ lazyload: true });
+    const result = await provider.lookupUsername("alice");
+    const expectedOrder = IMPLEMENTED_AUTH_OPTIONS.filter((option) =>
+      ["google", "webauthn", "discord", "password", "metamask"].includes(
+        option,
+      ),
+    );
+
+    expect(result).toEqual({
+      username: "alice",
+      exists: true,
+      signers: expectedOrder,
+    });
+    expect(global.fetch).toHaveBeenCalledWith(
+      "https://api.cartridge.gg/query",
+      expect.any(Object),
+    );
+  });
+
+  test("filters non-original signers on non-mainnet chains", async () => {
+    (global.fetch as jest.Mock).mockResolvedValue({
+      ok: true,
+      json: async () => ({
+        data: {
+          account: {
+            username: "alice",
+            controllers: {
+              edges: [
+                {
+                  node: {
+                    signers: [
+                      {
+                        isOriginal: false,
+                        isRevoked: false,
+                        metadata: {
+                          __typename: "Eip191Credentials",
+                          eip191: [{ provider: "google", ethAddress: "0x1" }],
+                        },
+                      },
+                      {
+                        isOriginal: true,
+                        isRevoked: false,
+                        metadata: { __typename: "PasswordCredentials" },
+                      },
+                    ],
+                  },
+                },
+              ],
+            },
+          },
+        },
+      }),
+    });
+
+    const provider = new ControllerProvider({
+      lazyload: true,
+      defaultChainId: constants.StarknetChainId.SN_SEPOLIA,
+    });
+    const result = await provider.lookupUsername("alice");
+
+    expect(result.signers).toEqual(["password"]);
+  });
+
+  test("returns exists=false for unknown usernames", async () => {
+    (global.fetch as jest.Mock).mockResolvedValue({
+      ok: true,
+      json: async () => ({
+        data: {
+          account: null,
+        },
+      }),
+    });
+
+    const provider = new ControllerProvider({ lazyload: true });
+    const result = await provider.lookupUsername("missing-user");
+
+    expect(result).toEqual({
+      username: "missing-user",
+      exists: false,
+      signers: [],
+    });
+  });
+
+  test("throws on network failures", async () => {
+    (global.fetch as jest.Mock).mockResolvedValue({
+      ok: false,
+      status: 503,
+    });
+
+    const provider = new ControllerProvider({ lazyload: true });
+
+    await expect(provider.lookupUsername("alice")).rejects.toThrow(
+      "HTTP error! status: 503",
+    );
+  });
+});

packages/controller/src/controller.ts

@@ -15,6 +15,7 @@ import { KEYCHAIN_URL } from "./constants";
 import { HeadlessAuthenticationError, NotReadyToConnect } from "./errors";
 import { KeychainIFrame } from "./iframe";
 import BaseProvider from "./provider";
+import { lookupUsername as lookupUsernameApi } from "./lookup";
 import {
   AuthOptions,
   Chain,
@@ -28,6 +29,7 @@ import {
   ProfileContextTypeVariant,
   ResponseCodes,
   OpenOptions,
+  HeadlessUsernameLookupResult,
   StarterpackOptions,
 } from "./types";
 import { validateRedirectUrl } from "./url-validator";
@@ -530,6 +532,17 @@ export default class ControllerProvider extends BaseProvider {
     return this.keychain.username();
   }
 
+  async lookupUsername(
+    username: string,
+  ): Promise<HeadlessUsernameLookupResult> {
+    const trimmed = username.trim();
+    if (!trimmed) {
+      throw new Error("Username is required");
+    }
+
+    return lookupUsernameApi(trimmed, this.selectedChain);
+  }
+
   openPurchaseCredits() {
     if (!this.iframes) {
       return;