@bloonio/lokotro-pay 1.2.2 → 1.4.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bloonio/lokotro-pay",
-  "version": "1.2.2",
+  "version": "1.4.0",
   "description": "Angular SDK for Lokotro Pay - Clean white-surface payment checkout with themeable brand colors and support for cards, mobile money, e-wallets, and more.",
   "keywords": [
     "angular",
@@ -18,9 +18,9 @@
     "url": "https://github.com/bloonio/lokotro-pay-angular.git"
   },
   "peerDependencies": {
-    "@angular/common": "^17.0.0 || ^18.0.0 || ^19.0.0 || ^20.0.0 || ^21.0.0",
-    "@angular/core": "^17.0.0 || ^18.0.0 || ^19.0.0 || ^20.0.0 || ^21.0.0",
-    "@angular/forms": "^17.0.0 || ^18.0.0 || ^19.0.0 || ^20.0.0 || ^21.0.0",
+    "@angular/common": "^17.0.0 || ^18.0.0 || ^19.0.0 || ^20.0.0 || ^21.0.0 || ^22.0.0",
+    "@angular/core": "^17.0.0 || ^18.0.0 || ^19.0.0 || ^20.0.0 || ^21.0.0 || ^22.0.0",
+    "@angular/forms": "^17.0.0 || ^18.0.0 || ^19.0.0 || ^20.0.0 || ^21.0.0 || ^22.0.0",
     "rxjs": "^7.8.0"
   },
   "dependencies": {

package/types/bloonio-lokotro-pay.d.ts

@@ -192,9 +192,9 @@ interface LokotroPayConfig {
  * Payment body for Lokotro Pay - All-in-one request
  */
 interface LokotroPaymentBody {
-    customerReference: string;
-    amount: string;
-    currency: string;
+    customerReference?: string;
+    amount?: string;
+    currency?: string;
     paymentMethod?: string;
     userInfo?: 'full' | 'partial' | 'none';
     paymentMethodInfo?: 'full' | 'partial' | 'none';
@@ -285,6 +285,17 @@ interface LokotroPaymentInfo {
     fillingInfo?: string;
     channelInfo?: string;
 }
+/**
+ * PR-3.0 — Payment-method-level discriminator.
+ *
+ * Mirrors `ELokotroPaymentMethodFlag` in the gateway. SDK consumers use this
+ * to brand the UI when multiple providers share a channel (e.g. card payments
+ * may route through RAWBANK_CREDIT_CARD or ONAFRIQ_CREDIT_CARD).
+ *
+ * Wire values are snake_case strings — see
+ * `app/modules/enums/lokotro_enum.py:ELokotroPaymentMethodFlag`.
+ */
+type LokotroPaymentMethodFlag = 'none' | 'all' | 'onafriq_mobile_money' | 'onafriq_credit_card' | 'rawbank_credit_card' | 'lokotro_wallet' | 'lokotro_eflash' | 'cash' | 'bank_transfer' | 'google_pay' | 'apple_pay';
 /**
  * Payment method model
  */
@@ -293,6 +304,11 @@ interface LokotroPaymentMethod {
     name: string;
     displayName: string;
     channel: LokotroPayChannel;
+    /**
+     * PR-3.0 — provider-level discriminator. Optional for back-compat with
+     * legacy gateway responses; new responses always include it.
+     */
+    flag?: LokotroPaymentMethodFlag;
     iconUrl: string;
     isEnabled: boolean;
     configuration?: Record<string, unknown>;
@@ -306,6 +322,8 @@ interface LokotroPaymentMethodListItem {
     name: string;
     displayName: string;
     channel: LokotroPayChannel;
+    /** PR-3.0 — provider-level discriminator (see LokotroPaymentMethod.flag). */
+    flag?: LokotroPaymentMethodFlag;
     iconUrl: string;
     isEnabled: boolean;
     isSelected: boolean;
@@ -510,12 +528,16 @@ interface LokotroHttpClientConfig {
     customHeaders?: Record<string, string>;
 }
 /**
- * Enhanced HTTP client for Lokotro Pay with modern error handling and logging
+ * Enhanced HTTP client for Lokotro Pay with modern error handling and logging.
+ *
+ * PR-1.2 / CRIT-2: previous code emitted six `console.log` calls that
+ * truncated and printed the merchant `appKey` to the browser console on every
+ * HTTP request. The truncated form ("first 20 chars + ...") is still useful
+ * to anyone scraping the console, especially when paired with the response
+ * body. All such logs were removed.
  */
 declare class LokotroHttpClientService {
     private http;
-    private static instanceCounter;
-    private instanceId;
     private appKey?;
     private acceptLanguage;
     private customHeaders;
@@ -569,7 +591,13 @@ declare class LokotroHttpClientService {
      */
     private handleSuccess;
     /**
-     * Handle error response
+     * Handle error response.
+     *
+     * PR-1.2: previously logged the full `error` object in debug mode, which
+     * for an HttpErrorResponse includes `error.error` — i.e. the raw server
+     * response body. That body can leak validation echoes of the original
+     * request (PAN/PIN/etc.) when the backend is in development mode. Now we
+     * log only HTTP status code + url; never the body.
      */
     private handleError;
     /**
@@ -664,6 +692,19 @@ declare class LokotroPaymentService {
      * Stop mobile money status polling
      */
     private stopMobileMoneyPolling;
+    /**
+     * Validate a server-supplied redirect URL before handing the browser tab to
+     * it. Defense-in-depth for Angular HIGH-1 — server-side per-merchant
+     * allow-list (PR-2.0) is the real fix.
+     *
+     * Policy:
+     *   - Reject non-http(s) schemes (blocks `javascript:`, `data:`, `file:`,
+     *     `intent:`, custom schemes).
+     *   - Reject http:// in production.
+     *   - Reject malformed URLs.
+     *   - SSR safety: skip the redirect when window is unavailable.
+     */
+    private redirectIfAllowed;
     /**
      * Handle payment success
      */
@@ -704,6 +745,11 @@ declare class LokotroPaymentService {
      * Parse payment method from API response.
      */
     private parsePaymentMethod;
+    /**
+     * PR-3.0 — narrow an arbitrary string to the LokotroPaymentMethodFlag union.
+     * Unknown / empty inputs return undefined so the field stays optional.
+     */
+    private parsePaymentMethodFlag;
     /**
      * Parse submit response from API.
      */