npm - @bloonio/lokotro-pay - Versions diffs - 1.2.2 → 1.3.0 - Mend

@bloonio/lokotro-pay 1.2.2 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/fesm2022/bloonio-lokotro-pay.mjs +116 -37
package/fesm2022/bloonio-lokotro-pay.mjs.map +1 -1
package/package.json +1 -1
package/types/bloonio-lokotro-pay.d.ts +53 -7

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bloonio/lokotro-pay",
-  "version": "1.2.2",
+  "version": "1.3.0",
   "description": "Angular SDK for Lokotro Pay - Clean white-surface payment checkout with themeable brand colors and support for cards, mobile money, e-wallets, and more.",
   "keywords": [
     "angular",

package/types/bloonio-lokotro-pay.d.ts CHANGED Viewed

@@ -192,9 +192,9 @@ interface LokotroPayConfig {
  * Payment body for Lokotro Pay - All-in-one request
  */
 interface LokotroPaymentBody {
-    customerReference: string;
-    amount: string;
-    currency: string;
+    customerReference?: string;
+    amount?: string;
+    currency?: string;
     paymentMethod?: string;
     userInfo?: 'full' | 'partial' | 'none';
     paymentMethodInfo?: 'full' | 'partial' | 'none';
@@ -285,6 +285,17 @@ interface LokotroPaymentInfo {
     fillingInfo?: string;
     channelInfo?: string;
 }
+/**
+ * PR-3.0 — Payment-method-level discriminator.
+ *
+ * Mirrors `ELokotroPaymentMethodFlag` in the gateway. SDK consumers use this
+ * to brand the UI when multiple providers share a channel (e.g. card payments
+ * may route through RAWBANK_CREDIT_CARD or ONAFRIQ_CREDIT_CARD).
+ *
+ * Wire values are snake_case strings — see
+ * `app/modules/enums/lokotro_enum.py:ELokotroPaymentMethodFlag`.
+ */
+type LokotroPaymentMethodFlag = 'none' | 'all' | 'onafriq_mobile_money' | 'onafriq_credit_card' | 'rawbank_credit_card' | 'lokotro_wallet' | 'lokotro_eflash' | 'cash' | 'bank_transfer' | 'google_pay' | 'apple_pay';
 /**
  * Payment method model
  */
@@ -293,6 +304,11 @@ interface LokotroPaymentMethod {
     name: string;
     displayName: string;
     channel: LokotroPayChannel;
+    /**
+     * PR-3.0 — provider-level discriminator. Optional for back-compat with
+     * legacy gateway responses; new responses always include it.
+     */
+    flag?: LokotroPaymentMethodFlag;
     iconUrl: string;
     isEnabled: boolean;
     configuration?: Record<string, unknown>;
@@ -306,6 +322,8 @@ interface LokotroPaymentMethodListItem {
     name: string;
     displayName: string;
     channel: LokotroPayChannel;
+    /** PR-3.0 — provider-level discriminator (see LokotroPaymentMethod.flag). */
+    flag?: LokotroPaymentMethodFlag;
     iconUrl: string;
     isEnabled: boolean;
     isSelected: boolean;
@@ -510,12 +528,16 @@ interface LokotroHttpClientConfig {
     customHeaders?: Record<string, string>;
 }
 /**
- * Enhanced HTTP client for Lokotro Pay with modern error handling and logging
+ * Enhanced HTTP client for Lokotro Pay with modern error handling and logging.
+ *
+ * PR-1.2 / CRIT-2: previous code emitted six `console.log` calls that
+ * truncated and printed the merchant `appKey` to the browser console on every
+ * HTTP request. The truncated form ("first 20 chars + ...") is still useful
+ * to anyone scraping the console, especially when paired with the response
+ * body. All such logs were removed.
  */
 declare class LokotroHttpClientService {
     private http;
-    private static instanceCounter;
-    private instanceId;
     private appKey?;
     private acceptLanguage;
     private customHeaders;
@@ -569,7 +591,13 @@ declare class LokotroHttpClientService {
      */
     private handleSuccess;
     /**
-     * Handle error response
+     * Handle error response.
+     *
+     * PR-1.2: previously logged the full `error` object in debug mode, which
+     * for an HttpErrorResponse includes `error.error` — i.e. the raw server
+     * response body. That body can leak validation echoes of the original
+     * request (PAN/PIN/etc.) when the backend is in development mode. Now we
+     * log only HTTP status code + url; never the body.
      */
     private handleError;
     /**
@@ -664,6 +692,19 @@ declare class LokotroPaymentService {
      * Stop mobile money status polling
      */
     private stopMobileMoneyPolling;
+    /**
+     * Validate a server-supplied redirect URL before handing the browser tab to
+     * it. Defense-in-depth for Angular HIGH-1 — server-side per-merchant
+     * allow-list (PR-2.0) is the real fix.
+     *
+     * Policy:
+     *   - Reject non-http(s) schemes (blocks `javascript:`, `data:`, `file:`,
+     *     `intent:`, custom schemes).
+     *   - Reject http:// in production.
+     *   - Reject malformed URLs.
+     *   - SSR safety: skip the redirect when window is unavailable.
+     */
+    private redirectIfAllowed;
     /**
      * Handle payment success
      */
@@ -704,6 +745,11 @@ declare class LokotroPaymentService {
      * Parse payment method from API response.
      */
     private parsePaymentMethod;
+    /**
+     * PR-3.0 — narrow an arbitrary string to the LokotroPaymentMethodFlag union.
+     * Unknown / empty inputs return undefined so the field stays optional.
+     */
+    private parsePaymentMethodFlag;
     /**
      * Parse submit response from API.
      */