@ozura/elements 0.1.0-beta.7 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (50) hide show
  1. package/README.md +906 -663
  2. package/dist/frame/element-frame.js +77 -57
  3. package/dist/frame/element-frame.js.map +1 -1
  4. package/dist/frame/tokenizer-frame.html +1 -1
  5. package/dist/frame/tokenizer-frame.js +211 -94
  6. package/dist/frame/tokenizer-frame.js.map +1 -1
  7. package/dist/oz-elements.esm.js +817 -230
  8. package/dist/oz-elements.esm.js.map +1 -1
  9. package/dist/oz-elements.umd.js +817 -229
  10. package/dist/oz-elements.umd.js.map +1 -1
  11. package/dist/react/frame/tokenizerFrame.d.ts +32 -0
  12. package/dist/react/index.cjs.js +968 -218
  13. package/dist/react/index.cjs.js.map +1 -1
  14. package/dist/react/index.esm.js +965 -219
  15. package/dist/react/index.esm.js.map +1 -1
  16. package/dist/react/react/index.d.ts +148 -6
  17. package/dist/react/sdk/OzElement.d.ts +34 -3
  18. package/dist/react/sdk/OzVault.d.ts +68 -4
  19. package/dist/react/sdk/errors.d.ts +9 -0
  20. package/dist/react/sdk/index.d.ts +29 -0
  21. package/dist/react/server/index.d.ts +181 -17
  22. package/dist/react/types/index.d.ts +69 -19
  23. package/dist/react/utils/appearance.d.ts +9 -0
  24. package/dist/react/utils/cardUtils.d.ts +14 -0
  25. package/dist/react/utils/uuid.d.ts +12 -0
  26. package/dist/server/frame/tokenizerFrame.d.ts +32 -0
  27. package/dist/server/index.cjs.js +608 -71
  28. package/dist/server/index.cjs.js.map +1 -1
  29. package/dist/server/index.esm.js +606 -72
  30. package/dist/server/index.esm.js.map +1 -1
  31. package/dist/server/sdk/OzElement.d.ts +34 -3
  32. package/dist/server/sdk/OzVault.d.ts +68 -4
  33. package/dist/server/sdk/errors.d.ts +9 -0
  34. package/dist/server/sdk/index.d.ts +29 -0
  35. package/dist/server/server/index.d.ts +181 -17
  36. package/dist/server/types/index.d.ts +69 -19
  37. package/dist/server/utils/appearance.d.ts +9 -0
  38. package/dist/server/utils/cardUtils.d.ts +14 -0
  39. package/dist/server/utils/uuid.d.ts +12 -0
  40. package/dist/types/frame/tokenizerFrame.d.ts +32 -0
  41. package/dist/types/sdk/OzElement.d.ts +34 -3
  42. package/dist/types/sdk/OzVault.d.ts +68 -4
  43. package/dist/types/sdk/errors.d.ts +9 -0
  44. package/dist/types/sdk/index.d.ts +29 -0
  45. package/dist/types/server/index.d.ts +181 -17
  46. package/dist/types/types/index.d.ts +69 -19
  47. package/dist/types/utils/appearance.d.ts +9 -0
  48. package/dist/types/utils/cardUtils.d.ts +14 -0
  49. package/dist/types/utils/uuid.d.ts +12 -0
  50. package/package.json +7 -4
package/dist/oz-elements.umd.js CHANGED
@@ -4,6 +4,147 @@
4
4
  (global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.OzElements = {}));
5
5
  })(this, (function (exports) { 'use strict';
6
6
 
7
+ /**
8
+ * errors.ts — error types and normalisation for OzElements.
9
+ *
10
+ * Three normalisation functions:
11
+ * - normalizeVaultError — maps raw vault /tokenize errors to user-facing messages (card flows)
12
+ * - normalizeBankVaultError — maps raw vault /tokenize errors to user-facing messages (bank/ACH flows)
13
+ * - normalizeCardSaleError — maps raw cardSale API errors to user-facing messages
14
+ *
15
+ * Error keys in normalizeCardSaleError are taken directly from checkout's
16
+ * errorMapping.ts so the same error strings produce the same user-facing copy.
17
+ */
18
+ const OZ_ERROR_CODES = new Set(['network', 'timeout', 'auth', 'validation', 'server', 'config', 'unknown']);
19
+ /** Returns true and narrows to OzErrorCode when `value` is a valid member of the union. */
20
+ function isOzErrorCode(value) {
21
+ return typeof value === 'string' && OZ_ERROR_CODES.has(value);
22
+ }
23
+ class OzError extends Error {
24
+ constructor(message, raw, errorCode) {
25
+ super(message);
26
+ this.name = 'OzError';
27
+ this.raw = raw !== null && raw !== void 0 ? raw : message;
28
+ this.errorCode = errorCode !== null && errorCode !== void 0 ? errorCode : 'unknown';
29
+ this.retryable = this.errorCode === 'network' || this.errorCode === 'timeout' || this.errorCode === 'server';
30
+ }
31
+ }
32
+ /** Shared patterns that apply to both card and bank vault errors. */
33
+ function normalizeCommonVaultError(msg) {
34
+ if (msg.includes('api key') || msg.includes('unauthorized') || msg.includes('authentication') || msg.includes('forbidden')) {
35
+ return 'Authentication failed. Check your vault API key configuration.';
36
+ }
37
+ if (msg.includes('network') || msg.includes('failed to fetch') || msg.includes('networkerror')) {
38
+ return 'A network error occurred. Please check your connection and try again.';
39
+ }
40
+ if (msg.includes('timeout') || msg.includes('timed out')) {
41
+ return 'The request timed out. Please try again.';
42
+ }
43
+ if (msg.includes('http 5') || msg.includes('500') || msg.includes('502') || msg.includes('503')) {
44
+ return 'A server error occurred. Please try again shortly.';
45
+ }
46
+ return null;
47
+ }
48
+ /**
49
+ * Maps a raw vault /tokenize error string to a user-facing message for card flows.
50
+ * Falls back to the original string if no pattern matches.
51
+ */
52
+ function normalizeVaultError(raw) {
53
+ const msg = raw.toLowerCase();
54
+ if (msg.includes('card number') || msg.includes('invalid card') || msg.includes('luhn')) {
55
+ return 'The card number is invalid. Please check and try again.';
56
+ }
57
+ if (msg.includes('expir')) {
58
+ return 'The card expiration date is invalid or the card has expired.';
59
+ }
60
+ if (msg.includes('cvv') || msg.includes('cvc') || msg.includes('security code')) {
61
+ return 'The CVV code is invalid. Please check and try again.';
62
+ }
63
+ if (msg.includes('insufficient') || msg.includes('funds')) {
64
+ return 'Your card has insufficient funds. Please use a different card.';
65
+ }
66
+ if (msg.includes('declined') || msg.includes('do not honor')) {
67
+ return 'Your card was declined. Please try a different card or contact your bank.';
68
+ }
69
+ const common = normalizeCommonVaultError(msg);
70
+ if (common)
71
+ return common;
72
+ return raw;
73
+ }
74
+ /**
75
+ * Maps a raw vault /tokenize error string to a user-facing message for bank (ACH) flows.
76
+ * Uses bank-specific pattern matching so card-specific messages are never shown for
77
+ * bank errors. Falls back to the original string if no pattern matches.
78
+ */
79
+ function normalizeBankVaultError(raw) {
80
+ const msg = raw.toLowerCase();
81
+ if (msg.includes('account number') || msg.includes('account_number') || msg.includes('invalid account')) {
82
+ return 'The bank account number is invalid. Please check and try again.';
83
+ }
84
+ if (msg.includes('routing number') || msg.includes('routing_number') || msg.includes('invalid routing') || /\baba\b/.test(msg)) {
85
+ return 'The routing number is invalid. Please check and try again.';
86
+ }
87
+ const common = normalizeCommonVaultError(msg);
88
+ if (common)
89
+ return common;
90
+ return raw;
91
+ }
92
+ // ─── cardSale error map (mirrors checkout/src/utils/errorMapping.ts exactly) ─
93
+ const CARD_SALE_ERROR_MAP = [
94
+ ['Insufficient Funds', 'Your card has insufficient funds. Please use a different payment method.'],
95
+ ['Invalid card number', 'The card number you entered is invalid. Please check and try again.'],
96
+ ['Card expired', 'Your card has expired. Please use a different card.'],
97
+ ['CVV Verification Failed', 'The CVV code you entered is incorrect. Please check and try again.'],
98
+ ['Address Verification Failed', 'The billing address does not match your card. Please verify your address.'],
99
+ ['Do Not Honor', 'Your card was declined. Please contact your bank or use a different payment method.'],
100
+ ['Declined', 'Your card was declined. Please contact your bank or use a different payment method.'],
101
+ ['Surcharge is currently not supported', 'Surcharge fees are not supported at this time.'],
102
+ ['Surcharge percent must be between', 'Surcharge fees are not supported at this time.'],
103
+ ['Forbidden - API key', 'Authentication failed. Please refresh the page.'],
104
+ ['Api Key is invalid', 'Authentication failed. Please refresh the page.'],
105
+ ['API key not found', 'Authentication failed. Please refresh the page.'],
106
+ ['Access token expired', 'Your session has expired. Please refresh the page.'],
107
+ ['Access token is invalid', 'Authentication failed. Please refresh the page.'],
108
+ ['Unauthorized', 'Authentication failed. Please refresh the page.'],
109
+ ['Too Many Requests', 'Too many requests. Please wait a moment and try again.'],
110
+ ['Rate limit exceeded', 'System is busy. Please wait a moment and try again.'],
111
+ ['No processor integrations found', 'Payment processing is not configured for this merchant. Please contact the merchant for assistance.'],
112
+ ['processor integration', 'Payment processing is temporarily unavailable. Please try again later or contact the merchant.'],
113
+ ['Invalid zipcode', 'The ZIP code you entered is invalid. Please check and try again.'],
114
+ ['failed to save to database', 'Your payment was processed but we encountered an issue. Please contact support.'],
115
+ ['CASHBACK UNAVAIL', 'This transaction type is not supported. Please try again or use a different payment method.'],
116
+ ];
117
+ /**
118
+ * Maps a raw Ozura Pay API cardSale error string to a user-facing message.
119
+ *
120
+ * Uses the exact same error key table as checkout's `getUserFriendlyError()` in
121
+ * errorMapping.ts so both surfaces produce identical copy for the same errors.
122
+ *
123
+ * Falls back to the original string when it's under 100 characters, or to a
124
+ * generic message for long/opaque server errors — matching checkout's fallback
125
+ * behaviour exactly.
126
+ *
127
+ * **Trade-off:** Short unrecognised strings (e.g. processor codes like
128
+ * `"PROC_TIMEOUT"`) are passed through verbatim. This intentionally mirrors
129
+ * checkout so the same raw Pay API errors produce the same user-facing text on
130
+ * both surfaces. If the Pay API ever returns internal codes that should never
131
+ * reach the UI, the fix belongs in the Pay API error normalisation layer rather
132
+ * than here.
133
+ */
134
+ function normalizeCardSaleError(raw) {
135
+ if (!raw)
136
+ return 'Payment processing failed. Please try again.';
137
+ for (const [key, message] of CARD_SALE_ERROR_MAP) {
138
+ if (raw.toLowerCase().includes(key.toLowerCase())) {
139
+ return message;
140
+ }
141
+ }
142
+ // Checkout fallback: pass through short errors, genericise long ones
143
+ if (raw.length < 100)
144
+ return raw;
145
+ return 'Payment processing failed. Please try again or contact support.';
146
+ }
147
+
7
148
  const THEME_DEFAULT = {
8
149
  base: {
9
150
  color: '#1a1a2e',
@@ -134,6 +275,15 @@
134
275
  * Resolution order: theme defaults → variable overrides.
135
276
  * The returned config is then used as the "base appearance" that
136
277
  * per-element `style` overrides merge on top of.
278
+ *
279
+ * @remarks
280
+ * - `appearance: undefined` → no styles injected (element iframes use their
281
+ * own minimal built-in defaults).
282
+ * - `appearance: {}` or `appearance: { variables: {...} }` without an explicit
283
+ * `theme` → the `'default'` theme is used as the base. Omitting `theme`
284
+ * does NOT mean "no theme" — it means `theme: 'default'`. To opt out of
285
+ * the preset themes entirely, use per-element `style` overrides without
286
+ * passing an `appearance` prop at all.
137
287
  */
138
288
  function resolveAppearance(appearance) {
139
289
  var _a, _b;
@@ -159,7 +309,31 @@
159
309
  return mergeStyleConfigs(appearance, elementStyle);
160
310
  }
161
311
 
162
- const BLOCKED_CSS_PATTERNS = /url\s*\(|expression\s*\(|javascript\s*:|vbscript\s*:|@import|behavior\s*:|binding\s*:|-moz-binding|-webkit-binding|<\s*script|<\s*style|\\[0-9a-fA-F]/i;
312
+ /**
313
+ * Generates a RFC 4122 v4 UUID.
314
+ *
315
+ * Uses `crypto.randomUUID()` when available (Chrome 92+, Firefox 95+,
316
+ * Safari 15.4+, Node 14.17+) and falls back to `crypto.getRandomValues()`
317
+ * for older environments (Safari 14, some embedded WebViews, older Node).
318
+ *
319
+ * Both paths use the same CSPRNG — the difference is only in API surface.
320
+ *
321
+ * @internal
322
+ */
323
+ function uuid() {
324
+ if (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function') {
325
+ return crypto.randomUUID();
326
+ }
327
+ // Fallback: build UUID v4 from random bytes
328
+ const bytes = new Uint8Array(16);
329
+ crypto.getRandomValues(bytes);
330
+ bytes[6] = (bytes[6] & 0x0f) | 0x40; // version 4
331
+ bytes[8] = (bytes[8] & 0x3f) | 0x80; // variant RFC 4122
332
+ const hex = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
333
+ return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
334
+ }
335
+
336
+ const BLOCKED_CSS_PATTERNS = /url\s*\(|expression\s*\(|javascript\s*:|vbscript\s*:|@import|behavior\s*:|binding\s*:|-moz-binding|-webkit-binding|<\s*script|<\s*style|\\[0-9a-fA-F]|var\s*\(/i;
163
337
  const CSS_BREAKOUT = /[{};<>]/;
164
338
  const MAX_CSS_VALUE_LEN = 200;
165
339
  function sanitizeStyleObj(obj) {
@@ -191,6 +365,11 @@
191
365
  function sanitizeOptions(options) {
192
366
  var _a;
193
367
  const result = Object.assign(Object.assign({}, options), { placeholder: (_a = options.placeholder) === null || _a === void 0 ? void 0 : _a.slice(0, 100) });
368
+ // Coerce to boolean so a string "false" (truthy in JS) does not accidentally
369
+ // disable the input when the SDK is consumed from plain JavaScript.
370
+ if (options.disabled !== undefined) {
371
+ result.disabled = Boolean(options.disabled);
372
+ }
194
373
  // Only set style when provided; omitting it avoids clobbering existing style
195
374
  // when merging (e.g. update({ placeholder: 'new' }) must not overwrite style with undefined).
196
375
  if (options.style !== undefined) {
@@ -218,7 +397,7 @@
218
397
  this.frameOrigin = new URL(frameBaseUrl).origin;
219
398
  this.fonts = fonts;
220
399
  this.appearanceStyle = appearanceStyle;
221
- this.frameId = `oz-${elementType}-${Math.random().toString(36).slice(2, 10)}`;
400
+ this.frameId = `oz-${elementType}-${uuid()}`;
222
401
  }
223
402
  /** The element type this proxy represents. */
224
403
  get type() {
@@ -236,22 +415,27 @@
236
415
  mount(target) {
237
416
  var _a;
238
417
  if (this._destroyed)
239
- throw new Error('OzElements: cannot mount a destroyed element.');
418
+ throw new OzError('Cannot mount a destroyed element.');
240
419
  if (this.iframe)
241
420
  this.unmount();
242
421
  const container = typeof target === 'string'
243
422
  ? document.querySelector(target)
244
423
  : target;
245
424
  if (!container)
246
- throw new Error(typeof target === 'string'
247
- ? `OzElements: mount target not found — no element matches "${target}"`
248
- : `OzElements: mount target not found — the provided HTMLElement is null or undefined`);
425
+ throw new OzError(typeof target === 'string'
426
+ ? `Mount target not found — no element matches "${target}"`
427
+ : 'Mount target not found — the provided HTMLElement is null or undefined');
249
428
  const iframe = document.createElement('iframe');
250
429
  iframe.setAttribute('frameborder', '0');
251
430
  iframe.setAttribute('scrolling', 'no');
252
431
  iframe.setAttribute('allowtransparency', 'true');
253
432
  iframe.style.cssText = 'border:none;width:100%;height:46px;display:block;overflow:hidden;';
254
433
  iframe.title = `Secure ${this.elementType} input`;
434
+ // Note: the `sandbox` attribute is intentionally NOT set. Field values are
435
+ // delivered to the tokenizer iframe via a MessageChannel port (transferred
436
+ // in OZ_BEGIN_COLLECT), so no window.parent named-frame lookup is needed.
437
+ // The security boundary is the vault URL hardcoded at build time and the
438
+ // origin checks on every postMessage, not the sandbox flag.
255
439
  // Use hash instead of query string — survives clean-URL redirects from static servers.
256
440
  // parentOrigin lets the frame target postMessage to the merchant origin instead of '*'.
257
441
  const parentOrigin = typeof window !== 'undefined' ? window.location.origin : '';
@@ -267,6 +451,11 @@
267
451
  }
268
452
  }, timeout);
269
453
  }
454
+ /**
455
+ * Subscribe to an element event. Returns `this` for chaining.
456
+ * @param event - Event name: `'change'`, `'focus'`, `'blur'`, `'ready'`, or `'loaderror'`.
457
+ * @param callback - Handler invoked with the event payload.
458
+ */
270
459
  on(event, callback) {
271
460
  if (this._destroyed)
272
461
  return this;
@@ -275,6 +464,10 @@
275
464
  this.handlers.get(event).push(callback);
276
465
  return this;
277
466
  }
467
+ /**
468
+ * Remove a previously registered event handler.
469
+ * Has no effect if the handler is not registered.
470
+ */
278
471
  off(event, callback) {
279
472
  const list = this.handlers.get(event);
280
473
  if (list) {
@@ -284,6 +477,10 @@
284
477
  }
285
478
  return this;
286
479
  }
480
+ /**
481
+ * Subscribe to an event for a single invocation. The handler is automatically
482
+ * removed after it fires once.
483
+ */
287
484
  once(event, callback) {
288
485
  const wrapper = (payload) => {
289
486
  this.off(event, wrapper);
@@ -291,13 +488,24 @@
291
488
  };
292
489
  return this.on(event, wrapper);
293
490
  }
491
+ /**
492
+ * Dynamically update element options (placeholder, style, etc.) without
493
+ * re-mounting the iframe. Only the provided keys are merged; omitted keys
494
+ * retain their current values.
495
+ */
294
496
  update(options) {
295
497
  if (this._destroyed)
296
498
  return;
297
499
  const safe = sanitizeOptions(options);
500
+ // Re-merge vault appearance when style is updated so focus/invalid/complete/
501
+ // placeholder buckets from the theme are not stripped by a partial style object.
502
+ if (safe.style !== undefined) {
503
+ safe.style = mergeAppearanceWithElementStyle(this.appearanceStyle, safe.style);
504
+ }
298
505
  this.options = Object.assign(Object.assign({}, this.options), safe);
299
506
  this.post({ type: 'OZ_UPDATE', options: safe });
300
507
  }
508
+ /** Clear the current field value without removing the element from the DOM. */
301
509
  clear() {
302
510
  if (this._destroyed)
303
511
  return;
@@ -310,6 +518,8 @@
310
518
  */
311
519
  unmount() {
312
520
  var _a;
521
+ if (this._destroyed)
522
+ return;
313
523
  if (this._loadTimer) {
314
524
  clearTimeout(this._loadTimer);
315
525
  this._loadTimer = null;
@@ -342,18 +552,31 @@
342
552
  this._destroyed = true;
343
553
  }
344
554
  // ─── Called by OzVault ───────────────────────────────────────────────────
345
- setTokenizerName(tokenizerName) {
346
- this.post({ type: 'OZ_SET_TOKENIZER_NAME', tokenizerName });
347
- }
348
- beginCollect(requestId) {
349
- this.post({ type: 'OZ_BEGIN_COLLECT', requestId });
555
+ /**
556
+ * Sends OZ_BEGIN_COLLECT to the element iframe, transferring `port` so the
557
+ * iframe can post its field value directly to the tokenizer without going
558
+ * through the merchant page (no named-window lookup required).
559
+ * @internal
560
+ */
561
+ beginCollect(requestId, port) {
562
+ if (this._destroyed)
563
+ return;
564
+ this.sendWithTransfer({ type: 'OZ_BEGIN_COLLECT', requestId }, [port]);
350
565
  }
351
- /** Tell a CVV element how many digits to expect. Called automatically when card brand changes. */
566
+ /**
567
+ * Tell a CVV element how many digits to expect. Called automatically when card brand changes.
568
+ * @internal
569
+ */
352
570
  setCvvLength(length) {
571
+ if (this._destroyed)
572
+ return;
353
573
  this.post({ type: 'OZ_SET_CVV_LENGTH', length });
354
574
  }
575
+ /** @internal */
355
576
  handleMessage(msg) {
356
577
  var _a, _b;
578
+ if (this._destroyed)
579
+ return;
357
580
  switch (msg.type) {
358
581
  case 'OZ_FRAME_READY': {
359
582
  this._ready = true;
@@ -367,6 +590,19 @@
367
590
  this.pendingMessages.forEach(m => this.send(m));
368
591
  this.pendingMessages = [];
369
592
  this.emit('ready', undefined);
593
+ // Warn if the mount container collapses to zero height — the input will
594
+ // be invisible but functional, which is hard to debug. Check after one
595
+ // animation frame so the browser has completed layout. Guard against
596
+ // non-rendering environments (jsdom, SSR) where all rects are zero.
597
+ if (typeof requestAnimationFrame !== 'undefined') {
598
+ requestAnimationFrame(() => {
599
+ const inRealBrowser = document.documentElement.getBoundingClientRect().height > 0;
600
+ if (inRealBrowser && this.iframe && this.iframe.getBoundingClientRect().height === 0) {
601
+ console.warn(`[OzElement] "${this.elementType}" mounted but has zero height. ` +
602
+ `Check that the container has a visible height (not overflow:hidden or height:0).`);
603
+ }
604
+ });
605
+ }
370
606
  break;
371
607
  }
372
608
  case 'OZ_CHANGE':
@@ -393,7 +629,12 @@
393
629
  break;
394
630
  case 'OZ_RESIZE':
395
631
  if (this.iframe) {
396
- this.iframe.style.height = `${msg.height}px`;
632
+ // Clamp to a sensible range to prevent a rogue or compromised frame
633
+ // from zeroing out the input or stretching the layout.
634
+ const h = typeof msg.height === 'number' ? msg.height : 0;
635
+ if (h > 0 && h <= 300) {
636
+ this.iframe.style.height = `${h}px`;
637
+ }
397
638
  }
398
639
  break;
399
640
  }
@@ -401,8 +642,16 @@
401
642
  // ─── Internal ────────────────────────────────────────────────────────────
402
643
  emit(event, payload) {
403
644
  const list = this.handlers.get(event);
404
- if (list)
405
- [...list].forEach(fn => fn(payload));
645
+ if (!list)
646
+ return;
647
+ [...list].forEach(fn => {
648
+ try {
649
+ fn(payload);
650
+ }
651
+ catch (err) {
652
+ console.error(`[OzElement] Unhandled error in '${event}' listener:`, err);
653
+ }
654
+ });
406
655
  }
407
656
  post(data) {
408
657
  const msg = Object.assign({ __oz: true, vaultId: this.vaultId }, data);
@@ -417,135 +666,18 @@
417
666
  var _a;
418
667
  (_a = this._frameWindow) === null || _a === void 0 ? void 0 : _a.postMessage(msg, this.frameOrigin);
419
668
  }
420
- }
421
-
422
- /**
423
- * errors.ts — error types and normalisation for OzElements.
424
- *
425
- * Three normalisation functions:
426
- * - normalizeVaultError maps raw vault /tokenize errors to user-facing messages (card flows)
427
- * - normalizeBankVaultError — maps raw vault /tokenize errors to user-facing messages (bank/ACH flows)
428
- * - normalizeCardSaleError — maps raw cardSale API errors to user-facing messages
429
- *
430
- * Error keys in normalizeCardSaleError are taken directly from checkout's
431
- * errorMapping.ts so the same error strings produce the same user-facing copy.
432
- */
433
- class OzError extends Error {
434
- constructor(message, raw, errorCode) {
435
- super(message);
436
- this.name = 'OzError';
437
- this.raw = raw !== null && raw !== void 0 ? raw : message;
438
- this.errorCode = errorCode !== null && errorCode !== void 0 ? errorCode : 'unknown';
439
- this.retryable = this.errorCode === 'network' || this.errorCode === 'timeout' || this.errorCode === 'server';
440
- }
441
- }
442
- /** Shared patterns that apply to both card and bank vault errors. */
443
- function normalizeCommonVaultError(msg) {
444
- if (msg.includes('api key') || msg.includes('unauthorized') || msg.includes('authentication') || msg.includes('forbidden')) {
445
- return 'Authentication failed. Check your vault API key configuration.';
446
- }
447
- if (msg.includes('network') || msg.includes('failed to fetch') || msg.includes('networkerror')) {
448
- return 'A network error occurred. Please check your connection and try again.';
449
- }
450
- if (msg.includes('timeout') || msg.includes('timed out')) {
451
- return 'The request timed out. Please try again.';
452
- }
453
- if (msg.includes('http 5') || msg.includes('500') || msg.includes('502') || msg.includes('503')) {
454
- return 'A server error occurred. Please try again shortly.';
455
- }
456
- return null;
457
- }
458
- /**
459
- * Maps a raw vault /tokenize error string to a user-facing message for card flows.
460
- * Falls back to the original string if no pattern matches.
461
- */
462
- function normalizeVaultError(raw) {
463
- const msg = raw.toLowerCase();
464
- if (msg.includes('card number') || msg.includes('invalid card') || msg.includes('luhn')) {
465
- return 'The card number is invalid. Please check and try again.';
466
- }
467
- if (msg.includes('expir')) {
468
- return 'The card expiration date is invalid or the card has expired.';
469
- }
470
- if (msg.includes('cvv') || msg.includes('cvc') || msg.includes('security code')) {
471
- return 'The CVV code is invalid. Please check and try again.';
472
- }
473
- if (msg.includes('insufficient') || msg.includes('funds')) {
474
- return 'Your card has insufficient funds. Please use a different card.';
475
- }
476
- if (msg.includes('declined') || msg.includes('do not honor')) {
477
- return 'Your card was declined. Please try a different card or contact your bank.';
478
- }
479
- const common = normalizeCommonVaultError(msg);
480
- if (common)
481
- return common;
482
- return raw;
483
- }
484
- /**
485
- * Maps a raw vault /tokenize error string to a user-facing message for bank (ACH) flows.
486
- * Uses bank-specific pattern matching so card-specific messages are never shown for
487
- * bank errors. Falls back to the original string if no pattern matches.
488
- */
489
- function normalizeBankVaultError(raw) {
490
- const msg = raw.toLowerCase();
491
- if (msg.includes('account number') || msg.includes('account_number') || msg.includes('invalid account')) {
492
- return 'The bank account number is invalid. Please check and try again.';
493
- }
494
- if (msg.includes('routing number') || msg.includes('routing_number') || msg.includes('invalid routing') || /\baba\b/.test(msg)) {
495
- return 'The routing number is invalid. Please check and try again.';
496
- }
497
- const common = normalizeCommonVaultError(msg);
498
- if (common)
499
- return common;
500
- return raw;
501
- }
502
- // ─── cardSale error map (mirrors checkout/src/utils/errorMapping.ts exactly) ─
503
- const CARD_SALE_ERROR_MAP = [
504
- ['Insufficient Funds', 'Your card has insufficient funds. Please use a different payment method.'],
505
- ['Invalid card number', 'The card number you entered is invalid. Please check and try again.'],
506
- ['Card expired', 'Your card has expired. Please use a different card.'],
507
- ['CVV Verification Failed', 'The CVV code you entered is incorrect. Please check and try again.'],
508
- ['Address Verification Failed', 'The billing address does not match your card. Please verify your address.'],
509
- ['Do Not Honor', 'Your card was declined. Please contact your bank or use a different payment method.'],
510
- ['Declined', 'Your card was declined. Please contact your bank or use a different payment method.'],
511
- ['Surcharge is currently not supported', 'Surcharge fees are not supported at this time.'],
512
- ['Surcharge percent must be between', 'Surcharge fees are not supported at this time.'],
513
- ['Forbidden - API key', 'Authentication failed. Please refresh the page.'],
514
- ['Api Key is invalid', 'Authentication failed. Please refresh the page.'],
515
- ['API key not found', 'Authentication failed. Please refresh the page.'],
516
- ['Access token expired', 'Your session has expired. Please refresh the page.'],
517
- ['Access token is invalid', 'Authentication failed. Please refresh the page.'],
518
- ['Unauthorized', 'Authentication failed. Please refresh the page.'],
519
- ['Too Many Requests', 'Too many requests. Please wait a moment and try again.'],
520
- ['Rate limit exceeded', 'System is busy. Please wait a moment and try again.'],
521
- ['No processor integrations found', 'Payment processing is not configured for this merchant. Please contact the merchant for assistance.'],
522
- ['processor integration', 'Payment processing is temporarily unavailable. Please try again later or contact the merchant.'],
523
- ['Invalid zipcode', 'The ZIP code you entered is invalid. Please check and try again.'],
524
- ['failed to save to database', 'Your payment was processed but we encountered an issue. Please contact support.'],
525
- ['CASHBACK UNAVAIL', 'This transaction type is not supported. Please try again or use a different payment method.'],
526
- ];
527
- /**
528
- * Maps a raw Ozura Pay API cardSale error string to a user-facing message.
529
- *
530
- * Uses the exact same error key table as checkout's `getUserFriendlyError()` in
531
- * errorMapping.ts so both surfaces produce identical copy for the same errors.
532
- *
533
- * Falls back to the original string when it's under 100 characters, or to a
534
- * generic message for long/opaque server errors — matching checkout's fallback
535
- * behaviour exactly.
536
- */
537
- function normalizeCardSaleError(raw) {
538
- if (!raw)
539
- return 'Payment processing failed. Please try again.';
540
- for (const [key, message] of CARD_SALE_ERROR_MAP) {
541
- if (raw.toLowerCase().includes(key.toLowerCase())) {
542
- return message;
669
+ /** Posts a message with transferable objects (e.g. MessagePort). Bypasses the
670
+ * pending-message queue — only call when the frame is already ready. */
671
+ sendWithTransfer(data, transfer) {
672
+ if (this._destroyed)
673
+ return;
674
+ if (!this._frameWindow) {
675
+ console.error('[OzElement] sendWithTransfer called before frame window is available port will not be transferred. This is a bug.');
676
+ return;
543
677
  }
678
+ const msg = Object.assign({ __oz: true, vaultId: this.vaultId }, data);
679
+ this._frameWindow.postMessage(msg, this.frameOrigin, transfer);
544
680
  }
545
- // Checkout fallback: pass through short errors, genericise long ones
546
- if (raw.length < 100)
547
- return raw;
548
- return 'Payment processing failed. Please try again or contact support.';
549
681
  }
550
682
 
551
683
  /**
@@ -597,6 +729,14 @@
597
729
  'south dakota': 'SD', tennessee: 'TN', texas: 'TX', utah: 'UT',
598
730
  vermont: 'VT', virginia: 'VA', washington: 'WA', 'west virginia': 'WV',
599
731
  wisconsin: 'WI', wyoming: 'WY',
732
+ // US territories
733
+ 'puerto rico': 'PR', guam: 'GU', 'virgin islands': 'VI',
734
+ 'us virgin islands': 'VI', 'u.s. virgin islands': 'VI',
735
+ 'american samoa': 'AS', 'northern mariana islands': 'MP',
736
+ 'commonwealth of the northern mariana islands': 'MP',
737
+ // Military / diplomatic addresses
738
+ 'armed forces europe': 'AE', 'armed forces pacific': 'AP',
739
+ 'armed forces americas': 'AA',
600
740
  };
601
741
  const US_ABBREVS = new Set(Object.values(US_STATES));
602
742
  const CA_PROVINCES = {
@@ -705,8 +845,15 @@
705
845
  errors.push('billing.address.line2 must be 1–50 characters if provided');
706
846
  if (!isValidBillingField(city))
707
847
  errors.push('billing.address.city must be 1–50 characters');
708
- if (!isValidBillingField(state))
848
+ if (!isValidBillingField(state)) {
709
849
  errors.push('billing.address.state must be 1–50 characters');
850
+ }
851
+ else if (country === 'US' && !US_ABBREVS.has(state)) {
852
+ errors.push(`billing.address.state "${state}" is not a recognized US state or territory abbreviation (e.g. "CA", "NY", "PR")`);
853
+ }
854
+ else if (country === 'CA' && !CA_ABBREVS.has(state)) {
855
+ errors.push(`billing.address.state "${state}" is not a recognized Canadian province or territory abbreviation (e.g. "ON", "BC", "QC")`);
856
+ }
710
857
  // cardSale backend uses strict enum validation on country — must be exactly 2 uppercase letters
711
858
  if (!/^[A-Z]{2}$/.test(country)) {
712
859
  errors.push('billing.address.country must be a 2-letter ISO 3166-1 alpha-2 code (e.g. "US", "CA", "GB")');
@@ -730,7 +877,13 @@
730
877
  return { valid: errors.length === 0, errors, normalized };
731
878
  }
732
879
 
733
- const DEFAULT_FRAME_BASE_URL = "https://lively-hill-097170c0f.4.azurestaticapps.net";
880
+ function isCardMetadata(v) {
881
+ return !!v && typeof v === 'object' && typeof v.last4 === 'string';
882
+ }
883
+ function isBankAccountMetadata(v) {
884
+ return !!v && typeof v === 'object' && typeof v.last4 === 'string';
885
+ }
886
+ const DEFAULT_FRAME_BASE_URL = "https://elements.ozura.com";
734
887
  /**
735
888
  * The main entry point for OzElements. Creates and manages iframe-based
736
889
  * card input elements that keep raw card data isolated from the merchant page.
@@ -741,7 +894,7 @@
741
894
  * const vault = await OzVault.create({
742
895
  * pubKey: 'pk_live_...',
743
896
  * fetchWaxKey: async (sessionId) => {
744
- * // Call your backend — which calls ozura.mintWaxKey() from oz-elements/server
897
+ * // Call your backend — which calls ozura.mintWaxKey() from @ozura/elements/server
745
898
  * const { waxKey } = await fetch('/api/mint-wax', {
746
899
  * method: 'POST',
747
900
  * body: JSON.stringify({ sessionId }),
@@ -760,9 +913,10 @@
760
913
  * Internal constructor — use `OzVault.create()` instead.
761
914
  * The constructor mounts the tokenizer iframe immediately so it can start
762
915
  * loading in parallel while `fetchWaxKey` is being awaited.
916
+ * @internal
763
917
  */
764
918
  constructor(options, waxKey, tokenizationSessionId) {
765
- var _a, _b;
919
+ var _a, _b, _c;
766
920
  this.elements = new Map();
767
921
  this.elementsByType = new Map();
768
922
  this.bankElementsByType = new Map();
@@ -775,8 +929,16 @@
775
929
  this.tokenizerReady = false;
776
930
  this._tokenizing = null;
777
931
  this._destroyed = false;
932
+ // Tracks successful tokenizations against the per-key call budget so the SDK
933
+ // can proactively refresh the wax key after it has been consumed rather than
934
+ // waiting for the next createToken() call to fail.
935
+ this._tokenizeSuccessCount = 0;
778
936
  this._pendingMount = null;
937
+ this._storedFetchWaxKey = null;
938
+ this._waxRefreshing = null;
779
939
  this.loadErrorTimeoutId = null;
940
+ // Proactive wax refresh on visibility restore after long idle
941
+ this._hiddenAt = null;
780
942
  this.waxKey = waxKey;
781
943
  this.tokenizationSessionId = tokenizationSessionId;
782
944
  this.pubKey = options.pubKey;
@@ -784,13 +946,15 @@
784
946
  this.frameOrigin = new URL(this.frameBaseUrl).origin;
785
947
  this.fonts = (_a = options.fonts) !== null && _a !== void 0 ? _a : [];
786
948
  this.resolvedAppearance = resolveAppearance(options.appearance);
787
- this.vaultId = `vault-${crypto.randomUUID()}`;
788
- this.tokenizerName = `__oz_tok_${this.vaultId}`;
949
+ this.vaultId = `vault-${uuid()}`;
950
+ this._maxTokenizeCalls = (_b = options.maxTokenizeCalls) !== null && _b !== void 0 ? _b : 3;
789
951
  this.boundHandleMessage = this.handleMessage.bind(this);
790
952
  window.addEventListener('message', this.boundHandleMessage);
953
+ this.boundHandleVisibility = this.handleVisibilityChange.bind(this);
954
+ document.addEventListener('visibilitychange', this.boundHandleVisibility);
791
955
  this.mountTokenizerFrame();
792
956
  if (options.onLoadError) {
793
- const timeout = (_b = options.loadTimeoutMs) !== null && _b !== void 0 ? _b : 10000;
957
+ const timeout = (_c = options.loadTimeoutMs) !== null && _c !== void 0 ? _c : 10000;
794
958
  this.loadErrorTimeoutId = setTimeout(() => {
795
959
  this.loadErrorTimeoutId = null;
796
960
  if (!this._destroyed && !this.tokenizerReady) {
@@ -798,6 +962,8 @@
798
962
  }
799
963
  }, timeout);
800
964
  }
965
+ this._onWaxRefresh = options.onWaxRefresh;
966
+ this._onReady = options.onReady;
801
967
  }
802
968
  /**
803
969
  * Creates and returns a ready `OzVault` instance.
@@ -814,45 +980,95 @@
814
980
  * The returned vault is ready to create elements immediately. `createToken()`
815
981
  * additionally requires `vault.isReady` (tokenizer iframe loaded).
816
982
  *
817
- * @throws {OzError} if `fetchWaxKey` throws or returns an empty string.
983
+ * @throws {OzError} if `fetchWaxKey` throws, returns a non-string value, or returns an empty/whitespace-only string.
818
984
  */
819
- static async create(options) {
985
+ static async create(options, signal) {
820
986
  if (!options.pubKey || !options.pubKey.trim()) {
821
987
  throw new OzError('pubKey is required in options. Obtain your public key from the Ozura admin.');
822
988
  }
823
989
  if (typeof options.fetchWaxKey !== 'function') {
824
990
  throw new OzError('fetchWaxKey must be a function. See OzVault.create() docs for the expected signature.');
825
991
  }
826
- const tokenizationSessionId = crypto.randomUUID();
992
+ const tokenizationSessionId = uuid();
827
993
  // Construct the vault immediately — this mounts the tokenizer iframe so it
828
994
  // starts loading while fetchWaxKey is in flight. The waxKey field starts
829
995
  // empty and is set below before create() returns.
830
996
  const vault = new OzVault(options, '', tokenizationSessionId);
997
+ // If the caller provides an AbortSignal (e.g. React useEffect cleanup),
998
+ // destroy the vault immediately on abort so the tokenizer iframe and message
999
+ // listener are removed synchronously rather than waiting for fetchWaxKey to
1000
+ // settle. This eliminates the brief double-iframe window in React StrictMode.
1001
+ const onAbort = () => vault.destroy();
1002
+ signal === null || signal === void 0 ? void 0 : signal.addEventListener('abort', onAbort, { once: true });
831
1003
  let waxKey;
832
1004
  try {
833
1005
  waxKey = await options.fetchWaxKey(tokenizationSessionId);
834
1006
  }
835
1007
  catch (err) {
1008
+ signal === null || signal === void 0 ? void 0 : signal.removeEventListener('abort', onAbort);
836
1009
  vault.destroy();
1010
+ if (signal === null || signal === void 0 ? void 0 : signal.aborted)
1011
+ throw new OzError('OzVault.create() was cancelled.');
1012
+ // Preserve errorCode/retryable from OzError (e.g. timeout/network from createFetchWaxKey)
1013
+ // so callers can distinguish transient failures from config errors.
1014
+ const originalCode = err instanceof OzError ? err.errorCode : undefined;
837
1015
  const msg = err instanceof Error ? err.message : 'Unknown error';
838
- throw new OzError(`fetchWaxKey threw an error: ${msg}`);
1016
+ throw new OzError(`fetchWaxKey threw an error: ${msg}`, undefined, originalCode);
839
1017
  }
840
- if (!waxKey || !waxKey.trim()) {
1018
+ signal === null || signal === void 0 ? void 0 : signal.removeEventListener('abort', onAbort);
1019
+ if (signal === null || signal === void 0 ? void 0 : signal.aborted) {
1020
+ vault.destroy();
1021
+ throw new OzError('OzVault.create() was cancelled.');
1022
+ }
1023
+ if (typeof waxKey !== 'string' || !waxKey.trim()) {
841
1024
  vault.destroy();
842
1025
  throw new OzError('fetchWaxKey must return a non-empty wax key string. Check your mint endpoint.');
843
1026
  }
844
1027
  // Static methods can access private fields of instances of the same class.
845
1028
  vault.waxKey = waxKey;
1029
+ vault._storedFetchWaxKey = options.fetchWaxKey;
1030
+ // If the tokenizer iframe fired OZ_FRAME_READY before fetchWaxKey resolved,
1031
+ // the OZ_INIT sent at that point had an empty waxKey. Send a follow-up now
1032
+ // so the tokenizer has the key stored before any createToken() call.
1033
+ if (vault.tokenizerReady) {
1034
+ vault.sendToTokenizer({ type: 'OZ_INIT', frameId: '__tokenizer__', waxKey });
1035
+ }
846
1036
  return vault;
847
1037
  }
848
1038
  /**
849
1039
  * True once the hidden tokenizer iframe has loaded and signalled ready.
850
1040
  * Use this to gate the pay button when building custom UIs without React.
851
1041
  * React consumers should use the `ready` value returned by `useOzElements()`.
1042
+ *
1043
+ * Once `true`, remains `true` for the lifetime of this vault instance.
1044
+ * It only reverts to `false` after `vault.destroy()` is called, at which
1045
+ * point the vault is unusable and a new instance must be created.
1046
+ *
1047
+ * @remarks
1048
+ * This tracks **tokenizer readiness only** — it says nothing about whether
1049
+ * the individual element iframes (card number, CVV, etc.) have loaded.
1050
+ * A vault can be `isReady === true` while elements are still mounting.
1051
+ * To gate a submit button correctly in vanilla JS, wait for every element's
1052
+ * `'ready'` event in addition to this flag. In React, use the `ready` value
1053
+ * from `useOzElements()` instead, which combines both checks automatically.
852
1054
  */
853
1055
  get isReady() {
854
1056
  return this.tokenizerReady;
855
1057
  }
1058
+ /**
1059
+ * Number of successful tokenize calls made against the current wax key.
1060
+ *
1061
+ * Resets to `0` each time the wax key is refreshed (proactively or reactively).
1062
+ * Useful in vanilla JS integrations to display "attempts remaining" UI.
1063
+ * In React, use `tokenizeCount` from `useOzElements()` instead.
1064
+ *
1065
+ * @example
1066
+ * const remaining = 3 - vault.tokenizeCount;
1067
+ * payButton.textContent = remaining > 0 ? `Pay (${remaining} attempts left)` : 'Pay';
1068
+ */
1069
+ get tokenizeCount() {
1070
+ return this._tokenizeSuccessCount;
1071
+ }
856
1072
  /**
857
1073
  * Creates a new OzElement of the given type. Call `.mount(selector)` on the
858
1074
  * returned element to attach it to the DOM.
@@ -887,6 +1103,9 @@
887
1103
  if (this._destroyed) {
888
1104
  throw new OzError('Cannot create elements on a destroyed vault. Call await OzVault.create() to get a new instance.');
889
1105
  }
1106
+ if (this._tokenizing) {
1107
+ throw new OzError('Cannot create or replace elements while a tokenization is in progress. Wait for the active createToken() / createBankToken() call to settle first.');
1108
+ }
890
1109
  const existing = typeMap.get(type);
891
1110
  if (existing) {
892
1111
  this.elements.delete(existing.frameId);
@@ -934,10 +1153,10 @@
934
1153
  throw new OzError('lastName is required for bank account tokenization.');
935
1154
  }
936
1155
  if (options.firstName.trim().length > 50) {
937
- throw new OzError('firstName must be 50 characters or fewer');
1156
+ throw new OzError('firstName must be 50 characters or fewer.');
938
1157
  }
939
1158
  if (options.lastName.trim().length > 50) {
940
- throw new OzError('lastName must be 50 characters or fewer');
1159
+ throw new OzError('lastName must be 50 characters or fewer.');
941
1160
  }
942
1161
  const accountEl = this.bankElementsByType.get('accountNumber');
943
1162
  const routingEl = this.bankElementsByType.get('routingNumber');
@@ -954,31 +1173,47 @@
954
1173
  }
955
1174
  const readyBankElements = [accountEl, routingEl];
956
1175
  this._tokenizing = 'bank';
957
- const requestId = `req-${Math.random().toString(36).slice(2, 10)}`;
1176
+ const requestId = `req-${uuid()}`;
958
1177
  return new Promise((resolve, reject) => {
959
1178
  const cleanup = () => { this._tokenizing = null; };
960
1179
  this.bankTokenizeResolvers.set(requestId, {
961
1180
  resolve: (v) => { cleanup(); resolve(v); },
962
1181
  reject: (e) => { cleanup(); reject(e); },
963
- });
964
- this.sendToTokenizer({
965
- type: 'OZ_BANK_TOKENIZE',
966
- requestId,
967
- waxKey: this.waxKey,
968
- tokenizationSessionId: this.tokenizationSessionId,
969
- pubKey: this.pubKey,
970
1182
  firstName: options.firstName.trim(),
971
1183
  lastName: options.lastName.trim(),
1184
+ readyElements: readyBankElements,
972
1185
  fieldCount: readyBankElements.length,
973
1186
  });
974
- readyBankElements.forEach(el => el.beginCollect(requestId));
975
- setTimeout(() => {
976
- if (this.bankTokenizeResolvers.has(requestId)) {
977
- this.bankTokenizeResolvers.delete(requestId);
978
- cleanup();
979
- reject(new OzError('Bank tokenization timed out after 30 seconds', undefined, 'timeout'));
980
- }
981
- }, 30000);
1187
+ try {
1188
+ const bankChannels = readyBankElements.map(() => new MessageChannel());
1189
+ this.sendToTokenizer({
1190
+ type: 'OZ_BANK_TOKENIZE',
1191
+ requestId,
1192
+ waxKey: this.waxKey,
1193
+ tokenizationSessionId: this.tokenizationSessionId,
1194
+ pubKey: this.pubKey,
1195
+ firstName: options.firstName.trim(),
1196
+ lastName: options.lastName.trim(),
1197
+ fieldCount: readyBankElements.length,
1198
+ }, bankChannels.map(ch => ch.port1));
1199
+ readyBankElements.forEach((el, i) => el.beginCollect(requestId, bankChannels[i].port2));
1200
+ const bankTimeoutId = setTimeout(() => {
1201
+ if (this.bankTokenizeResolvers.has(requestId)) {
1202
+ this.bankTokenizeResolvers.delete(requestId);
1203
+ this.sendToTokenizer({ type: 'OZ_TOKENIZE_CANCEL', requestId });
1204
+ cleanup();
1205
+ reject(new OzError('Bank tokenization timed out after 30 seconds', undefined, 'timeout'));
1206
+ }
1207
+ }, 30000);
1208
+ const bankPendingEntry = this.bankTokenizeResolvers.get(requestId);
1209
+ if (bankPendingEntry)
1210
+ bankPendingEntry.timeoutId = bankTimeoutId;
1211
+ }
1212
+ catch (err) {
1213
+ this.bankTokenizeResolvers.delete(requestId);
1214
+ cleanup();
1215
+ reject(err instanceof OzError ? err : new OzError('Bank tokenization failed to start'));
1216
+ }
982
1217
  });
983
1218
  }
984
1219
  /**
@@ -1000,29 +1235,33 @@
1000
1235
  ? 'A bank tokenization is already in progress. Wait for it to complete before calling createToken().'
1001
1236
  : 'A card tokenization is already in progress. Wait for it to complete before calling createToken() again.');
1002
1237
  }
1003
- this._tokenizing = 'card';
1004
- const requestId = `req-${Math.random().toString(36).slice(2, 10)}`;
1005
- // Only include card elements whose iframes have actually loaded an element
1006
- // created but never mounted will never send OZ_FIELD_VALUE, which would
1007
- // cause the tokenizer to hang waiting for a value that never arrives.
1008
- // Explicitly exclude bank elements (accountNumber/routingNumber) that share
1009
- // the same this.elements map; including them would inflate fieldCount and
1010
- // allow the accountNumber iframe's last4 to overwrite cardMeta.last4.
1011
- const cardElements = new Set(this.elementsByType.values());
1012
- const readyElements = [...this.elements.values()].filter(el => el.isReady && cardElements.has(el));
1013
- if (readyElements.length === 0) {
1014
- this._tokenizing = null;
1015
- throw new OzError('No elements are mounted and ready. Mount at least one element before calling createToken.');
1238
+ // All synchronous validation runs before _tokenizing is set so these throws
1239
+ // need no manual cleanup — _tokenizing is still null when they fire.
1240
+ // Collect all card elements that have been created (mounted or not) so we
1241
+ // can require every created field to be ready before proceeding. An element
1242
+ // that was created but whose iframe hasn't loaded yet will never send
1243
+ // OZ_FIELD_VALUE tokenizing without it would silently submit an empty or
1244
+ // incomplete card and produce an opaque vault rejection.
1245
+ // Bank elements (accountNumber/routingNumber) share this.elements but live
1246
+ // in elementsByType under bank-only keys, so they are excluded by the Set.
1247
+ const cardElements = [...this.elementsByType.values()];
1248
+ if (cardElements.length === 0) {
1249
+ throw new OzError('No card elements have been created. Call vault.createElement() for each field before calling createToken.');
1250
+ }
1251
+ const notReady = cardElements.filter(el => !el.isReady);
1252
+ if (notReady.length > 0) {
1253
+ throw new OzError(`Not all elements are ready. Wait for all fields to finish loading before calling createToken. ` +
1254
+ `Not yet ready: ${notReady.map(el => el.type).join(', ')}.`);
1016
1255
  }
1256
+ const readyElements = cardElements;
1017
1257
  // Validate billing details if provided and extract firstName/lastName for the vault payload.
1018
1258
  // billing.firstName/lastName take precedence over the deprecated top-level params.
1019
1259
  let normalizedBilling;
1020
- let firstName = (_a = options.firstName) !== null && _a !== void 0 ? _a : '';
1021
- let lastName = (_b = options.lastName) !== null && _b !== void 0 ? _b : '';
1260
+ let firstName = ((_a = options.firstName) !== null && _a !== void 0 ? _a : '').trim();
1261
+ let lastName = ((_b = options.lastName) !== null && _b !== void 0 ? _b : '').trim();
1022
1262
  if (options.billing) {
1023
1263
  const result = validateBilling(options.billing);
1024
1264
  if (!result.valid) {
1025
- this._tokenizing = null;
1026
1265
  throw new OzError(`Invalid billing details: ${result.errors.join('; ')}`);
1027
1266
  }
1028
1267
  normalizedBilling = result.normalized;
@@ -1031,41 +1270,57 @@
1031
1270
  }
1032
1271
  else {
1033
1272
  if (firstName.length > 50) {
1034
- this._tokenizing = null;
1035
- throw new OzError('firstName must be 50 characters or fewer');
1273
+ throw new OzError('firstName must be 50 characters or fewer.');
1036
1274
  }
1037
1275
  if (lastName.length > 50) {
1038
- this._tokenizing = null;
1039
- throw new OzError('lastName must be 50 characters or fewer');
1276
+ throw new OzError('lastName must be 50 characters or fewer.');
1040
1277
  }
1041
1278
  }
1279
+ this._tokenizing = 'card';
1280
+ const requestId = `req-${uuid()}`;
1042
1281
  return new Promise((resolve, reject) => {
1043
1282
  const cleanup = () => { this._tokenizing = null; };
1044
1283
  this.tokenizeResolvers.set(requestId, {
1045
1284
  resolve: (v) => { cleanup(); resolve(v); },
1046
1285
  reject: (e) => { cleanup(); reject(e); },
1047
1286
  billing: normalizedBilling,
1048
- });
1049
- // Tell tokenizer frame to expect N field values, then tokenize
1050
- this.sendToTokenizer({
1051
- type: 'OZ_TOKENIZE',
1052
- requestId,
1053
- waxKey: this.waxKey,
1054
- tokenizationSessionId: this.tokenizationSessionId,
1055
- pubKey: this.pubKey,
1056
1287
  firstName,
1057
1288
  lastName,
1289
+ readyElements,
1058
1290
  fieldCount: readyElements.length,
1059
1291
  });
1060
- // Tell each ready element frame to send its raw value to the tokenizer
1061
- readyElements.forEach(el => el.beginCollect(requestId));
1062
- setTimeout(() => {
1063
- if (this.tokenizeResolvers.has(requestId)) {
1064
- this.tokenizeResolvers.delete(requestId);
1065
- cleanup();
1066
- reject(new OzError('Tokenization timed out after 30 seconds', undefined, 'timeout'));
1067
- }
1068
- }, 30000);
1292
+ try {
1293
+ // Tell tokenizer frame to expect N field values, then tokenize
1294
+ const cardChannels = readyElements.map(() => new MessageChannel());
1295
+ this.sendToTokenizer({
1296
+ type: 'OZ_TOKENIZE',
1297
+ requestId,
1298
+ waxKey: this.waxKey,
1299
+ tokenizationSessionId: this.tokenizationSessionId,
1300
+ pubKey: this.pubKey,
1301
+ firstName,
1302
+ lastName,
1303
+ fieldCount: readyElements.length,
1304
+ }, cardChannels.map(ch => ch.port1));
1305
+ // Tell each ready element frame to send its raw value to the tokenizer
1306
+ readyElements.forEach((el, i) => el.beginCollect(requestId, cardChannels[i].port2));
1307
+ const cardTimeoutId = setTimeout(() => {
1308
+ if (this.tokenizeResolvers.has(requestId)) {
1309
+ this.tokenizeResolvers.delete(requestId);
1310
+ this.sendToTokenizer({ type: 'OZ_TOKENIZE_CANCEL', requestId });
1311
+ cleanup();
1312
+ reject(new OzError('Tokenization timed out after 30 seconds', undefined, 'timeout'));
1313
+ }
1314
+ }, 30000);
1315
+ const cardPendingEntry = this.tokenizeResolvers.get(requestId);
1316
+ if (cardPendingEntry)
1317
+ cardPendingEntry.timeoutId = cardTimeoutId;
1318
+ }
1319
+ catch (err) {
1320
+ this.tokenizeResolvers.delete(requestId);
1321
+ cleanup();
1322
+ reject(err instanceof OzError ? err : new OzError('Tokenization failed to start'));
1323
+ }
1069
1324
  });
1070
1325
  }
1071
1326
  /**
@@ -1079,6 +1334,7 @@
1079
1334
  return;
1080
1335
  this._destroyed = true;
1081
1336
  window.removeEventListener('message', this.boundHandleMessage);
1337
+ document.removeEventListener('visibilitychange', this.boundHandleVisibility);
1082
1338
  if (this._pendingMount) {
1083
1339
  document.removeEventListener('DOMContentLoaded', this._pendingMount);
1084
1340
  this._pendingMount = null;
@@ -1089,11 +1345,17 @@
1089
1345
  }
1090
1346
  // Reject any pending tokenize promises so callers aren't left hanging
1091
1347
  this._tokenizing = null;
1092
- this.tokenizeResolvers.forEach(({ reject }) => {
1348
+ this.tokenizeResolvers.forEach(({ reject, timeoutId }, requestId) => {
1349
+ if (timeoutId != null)
1350
+ clearTimeout(timeoutId);
1351
+ this.sendToTokenizer({ type: 'OZ_TOKENIZE_CANCEL', requestId });
1093
1352
  reject(new OzError('Vault destroyed before tokenization completed.'));
1094
1353
  });
1095
1354
  this.tokenizeResolvers.clear();
1096
- this.bankTokenizeResolvers.forEach(({ reject }) => {
1355
+ this.bankTokenizeResolvers.forEach(({ reject, timeoutId }, requestId) => {
1356
+ if (timeoutId != null)
1357
+ clearTimeout(timeoutId);
1358
+ this.sendToTokenizer({ type: 'OZ_TOKENIZE_CANCEL', requestId });
1097
1359
  reject(new OzError('Vault destroyed before bank tokenization completed.'));
1098
1360
  });
1099
1361
  this.bankTokenizeResolvers.clear();
@@ -1102,17 +1364,49 @@
1102
1364
  this.elementsByType.clear();
1103
1365
  this.bankElementsByType.clear();
1104
1366
  this.completionState.clear();
1367
+ this._tokenizeSuccessCount = 0;
1105
1368
  (_a = this.tokenizerFrame) === null || _a === void 0 ? void 0 : _a.remove();
1106
1369
  this.tokenizerFrame = null;
1107
1370
  this.tokenizerWindow = null;
1108
1371
  this.tokenizerReady = false;
1109
1372
  }
1110
1373
  // ─── Private ─────────────────────────────────────────────────────────────
1374
+ /**
1375
+ * Proactively re-mints the wax key when the page becomes visible again after
1376
+ * a long idle period. Wax keys have a fixed TTL (~30 minutes); a user who
1377
+ * leaves the tab in the background and returns could have an expired key.
1378
+ * Rather than waiting for a failed tokenization to trigger the reactive
1379
+ * refresh path, this pre-empts the failure when the vault is idle.
1380
+ *
1381
+ * Threshold: 20 minutes hidden. Chosen to be comfortably inside the ~30m TTL
1382
+ * while avoiding spurious refreshes for brief tab-switches.
1383
+ */
1384
+ handleVisibilityChange() {
1385
+ if (this._destroyed)
1386
+ return;
1387
+ const REFRESH_THRESHOLD_MS = 20 * 60 * 1000; // 20 minutes
1388
+ if (document.hidden) {
1389
+ this._hiddenAt = Date.now();
1390
+ }
1391
+ else {
1392
+ if (this._hiddenAt !== null &&
1393
+ Date.now() - this._hiddenAt >= REFRESH_THRESHOLD_MS &&
1394
+ this._storedFetchWaxKey &&
1395
+ !this._tokenizing &&
1396
+ !this._waxRefreshing) {
1397
+ this.refreshWaxKey().catch((err) => {
1398
+ // Proactive refresh failure is non-fatal — the reactive path on the
1399
+ // next createToken() call will handle it, including the auth retry.
1400
+ console.warn('[OzVault] Proactive wax key refresh failed:', err instanceof Error ? err.message : err);
1401
+ });
1402
+ }
1403
+ this._hiddenAt = null;
1404
+ }
1405
+ }
1111
1406
  mountTokenizerFrame() {
1112
1407
  const mount = () => {
1113
1408
  this._pendingMount = null;
1114
1409
  const iframe = document.createElement('iframe');
1115
- iframe.name = this.tokenizerName;
1116
1410
  iframe.style.cssText = 'position:absolute;top:-9999px;left:-9999px;width:1px;height:1px;';
1117
1411
  iframe.setAttribute('aria-hidden', 'true');
1118
1412
  iframe.tabIndex = -1;
@@ -1131,6 +1425,8 @@
1131
1425
  }
1132
1426
  handleMessage(event) {
1133
1427
  var _a;
1428
+ if (this._destroyed)
1429
+ return;
1134
1430
  // Only accept messages from our frame origin (defense in depth; prevents
1135
1431
  // arbitrary pages from injecting OZ_TOKEN_RESULT etc. with a guessed vaultId).
1136
1432
  if (event.origin !== this.frameOrigin)
@@ -1148,14 +1444,17 @@
1148
1444
  if (frameId) {
1149
1445
  const el = this.elements.get(frameId);
1150
1446
  if (el) {
1447
+ // Reset stale completion state when an element iframe re-loads (e.g. after
1448
+ // unmount() + mount() in a SPA). Without this, wasComplete stays true from
1449
+ // the previous session and justCompleted never fires, breaking auto-advance.
1450
+ if (msg.type === 'OZ_FRAME_READY') {
1451
+ this.completionState.set(frameId, false);
1452
+ }
1151
1453
  // Intercept OZ_CHANGE before forwarding — handle auto-advance and CVV sync
1152
1454
  if (msg.type === 'OZ_CHANGE') {
1153
1455
  this.handleElementChange(msg, el);
1154
1456
  }
1155
1457
  el.handleMessage(msg);
1156
- if (msg.type === 'OZ_FRAME_READY' && this.tokenizerReady) {
1157
- el.setTokenizerName(this.tokenizerName);
1158
- }
1159
1458
  }
1160
1459
  }
1161
1460
  }
@@ -1169,7 +1468,7 @@
1169
1468
  const complete = msg.complete;
1170
1469
  const valid = msg.valid;
1171
1470
  const wasComplete = (_a = this.completionState.get(el.frameId)) !== null && _a !== void 0 ? _a : false;
1172
- this.completionState.set(el.frameId, complete);
1471
+ this.completionState.set(el.frameId, complete && valid);
1173
1472
  // Require valid too — avoids advancing at 13 digits for unknown-brand cards
1174
1473
  // where isComplete() fires before the user has finished typing.
1175
1474
  const justCompleted = complete && valid && !wasComplete;
@@ -1192,7 +1491,7 @@
1192
1491
  }
1193
1492
  }
1194
1493
  handleTokenizerMessage(msg) {
1195
- var _a, _b;
1494
+ var _a, _b, _c;
1196
1495
  switch (msg.type) {
1197
1496
  case 'OZ_FRAME_READY':
1198
1497
  this.tokenizerReady = true;
@@ -1201,57 +1500,346 @@
1201
1500
  this.loadErrorTimeoutId = null;
1202
1501
  }
1203
1502
  this.tokenizerWindow = (_b = (_a = this.tokenizerFrame) === null || _a === void 0 ? void 0 : _a.contentWindow) !== null && _b !== void 0 ? _b : null;
1204
- this.sendToTokenizer({ type: 'OZ_INIT', frameId: '__tokenizer__' });
1205
- this.elements.forEach(el => el.setTokenizerName(this.tokenizerName));
1503
+ // Deliver the wax key via OZ_INIT so the tokenizer stores it internally.
1504
+ // If waxKey is still empty (fetchWaxKey hasn't resolved yet), it will be
1505
+ // sent again from create() once the key is available.
1506
+ this.sendToTokenizer(Object.assign({ type: 'OZ_INIT', frameId: '__tokenizer__' }, (this.waxKey ? { waxKey: this.waxKey } : {})));
1507
+ (_c = this._onReady) === null || _c === void 0 ? void 0 : _c.call(this);
1206
1508
  break;
1207
1509
  case 'OZ_TOKEN_RESULT': {
1510
+ if (typeof msg.requestId !== 'string' || !msg.requestId) {
1511
+ console.error('[OzVault] OZ_TOKEN_RESULT missing requestId — discarding message.');
1512
+ break;
1513
+ }
1208
1514
  const pending = this.tokenizeResolvers.get(msg.requestId);
1209
1515
  if (pending) {
1210
1516
  this.tokenizeResolvers.delete(msg.requestId);
1211
- const card = msg.card;
1212
- pending.resolve(Object.assign(Object.assign({ token: msg.token, cvcSession: msg.cvcSession }, (card ? { card } : {})), (pending.billing ? { billing: pending.billing } : {})));
1517
+ if (pending.timeoutId != null)
1518
+ clearTimeout(pending.timeoutId);
1519
+ const token = msg.token;
1520
+ if (typeof token !== 'string' || !token) {
1521
+ pending.reject(new OzError('Vault returned a token result with a missing or empty token — possible vault API change.', undefined, 'server'));
1522
+ break;
1523
+ }
1524
+ const card = isCardMetadata(msg.card) ? msg.card : undefined;
1525
+ const cvcSession = typeof msg.cvcSession === 'string' && msg.cvcSession ? msg.cvcSession : undefined;
1526
+ if (!cvcSession) {
1527
+ pending.reject(new OzError('Vault returned a token result without a cvcSession — possible vault misconfiguration or API change.', undefined, 'server'));
1528
+ break;
1529
+ }
1530
+ if (!card) {
1531
+ pending.reject(new OzError('Vault returned a token result without card metadata — possible vault API change.', undefined, 'server'));
1532
+ break;
1533
+ }
1534
+ pending.resolve(Object.assign({ token,
1535
+ cvcSession,
1536
+ card }, (pending.billing ? { billing: pending.billing } : {})));
1537
+ // Increment the per-key success counter and proactively refresh once
1538
+ // the budget is exhausted so the next createToken() call uses a fresh
1539
+ // key without waiting for a vault rejection.
1540
+ this._tokenizeSuccessCount++;
1541
+ if (this._tokenizeSuccessCount >= this._maxTokenizeCalls) {
1542
+ this.refreshWaxKey().catch((err) => {
1543
+ console.warn('[OzVault] Post-budget wax key refresh failed:', err instanceof Error ? err.message : err);
1544
+ });
1545
+ }
1213
1546
  }
1214
1547
  break;
1215
1548
  }
1216
1549
  case 'OZ_TOKEN_ERROR': {
1550
+ if (typeof msg.requestId !== 'string' || !msg.requestId) {
1551
+ console.error('[OzVault] OZ_TOKEN_ERROR missing requestId — discarding message.');
1552
+ break;
1553
+ }
1554
+ const raw = typeof msg.error === 'string' ? msg.error : '';
1555
+ const errorCode = isOzErrorCode(msg.errorCode) ? msg.errorCode : 'unknown';
1217
1556
  const pending = this.tokenizeResolvers.get(msg.requestId);
1218
1557
  if (pending) {
1219
1558
  this.tokenizeResolvers.delete(msg.requestId);
1220
- const raw = msg.error;
1221
- const errorCode = (msg.errorCode || 'unknown');
1559
+ if (pending.timeoutId != null)
1560
+ clearTimeout(pending.timeoutId);
1561
+ // Auto-refresh: if the wax key expired or was consumed and we haven't
1562
+ // already retried for this request, transparently re-mint and retry.
1563
+ if (this.isRefreshableAuthError(errorCode, raw) && !pending.retried && this._storedFetchWaxKey) {
1564
+ this.refreshWaxKey().then(() => {
1565
+ if (this._destroyed) {
1566
+ pending.reject(new OzError('Vault destroyed during wax key refresh.'));
1567
+ return;
1568
+ }
1569
+ const newRequestId = `req-${uuid()}`;
1570
+ // _tokenizing is still 'card' (cleanup() hasn't been called yet)
1571
+ this.tokenizeResolvers.set(newRequestId, Object.assign(Object.assign({}, pending), { retried: true }));
1572
+ try {
1573
+ const retryCardChannels = pending.readyElements.map(() => new MessageChannel());
1574
+ this.sendToTokenizer({
1575
+ type: 'OZ_TOKENIZE',
1576
+ requestId: newRequestId,
1577
+ waxKey: this.waxKey,
1578
+ tokenizationSessionId: this.tokenizationSessionId,
1579
+ pubKey: this.pubKey,
1580
+ firstName: pending.firstName,
1581
+ lastName: pending.lastName,
1582
+ fieldCount: pending.fieldCount,
1583
+ }, retryCardChannels.map(ch => ch.port1));
1584
+ pending.readyElements.forEach((el, i) => el.beginCollect(newRequestId, retryCardChannels[i].port2));
1585
+ const retryCardTimeoutId = setTimeout(() => {
1586
+ if (this.tokenizeResolvers.has(newRequestId)) {
1587
+ this.tokenizeResolvers.delete(newRequestId);
1588
+ this.sendToTokenizer({ type: 'OZ_TOKENIZE_CANCEL', requestId: newRequestId });
1589
+ pending.reject(new OzError('Tokenization timed out after wax key refresh.', undefined, 'timeout'));
1590
+ }
1591
+ }, 30000);
1592
+ const retryCardEntry = this.tokenizeResolvers.get(newRequestId);
1593
+ if (retryCardEntry)
1594
+ retryCardEntry.timeoutId = retryCardTimeoutId;
1595
+ }
1596
+ catch (setupErr) {
1597
+ this.tokenizeResolvers.delete(newRequestId);
1598
+ pending.reject(setupErr instanceof OzError ? setupErr : new OzError('Retry tokenization failed to start'));
1599
+ }
1600
+ }).catch((refreshErr) => {
1601
+ const msg = refreshErr instanceof Error ? refreshErr.message : 'Wax key refresh failed';
1602
+ pending.reject(new OzError(msg, undefined, 'auth'));
1603
+ });
1604
+ break;
1605
+ }
1222
1606
  pending.reject(new OzError(normalizeVaultError(raw), raw, errorCode));
1223
1607
  }
1224
1608
  // Also check bank resolvers — both card and bank errors use OZ_TOKEN_ERROR
1225
1609
  const bankPending = this.bankTokenizeResolvers.get(msg.requestId);
1226
1610
  if (bankPending) {
1227
1611
  this.bankTokenizeResolvers.delete(msg.requestId);
1228
- const raw = msg.error;
1229
- const errorCode = (msg.errorCode || 'unknown');
1612
+ if (bankPending.timeoutId != null)
1613
+ clearTimeout(bankPending.timeoutId);
1614
+ if (this.isRefreshableAuthError(errorCode, raw) && !bankPending.retried && this._storedFetchWaxKey) {
1615
+ this.refreshWaxKey().then(() => {
1616
+ if (this._destroyed) {
1617
+ bankPending.reject(new OzError('Vault destroyed during wax key refresh.'));
1618
+ return;
1619
+ }
1620
+ const newRequestId = `req-${uuid()}`;
1621
+ this.bankTokenizeResolvers.set(newRequestId, Object.assign(Object.assign({}, bankPending), { retried: true }));
1622
+ try {
1623
+ const retryBankChannels = bankPending.readyElements.map(() => new MessageChannel());
1624
+ this.sendToTokenizer({
1625
+ type: 'OZ_BANK_TOKENIZE',
1626
+ requestId: newRequestId,
1627
+ waxKey: this.waxKey,
1628
+ tokenizationSessionId: this.tokenizationSessionId,
1629
+ pubKey: this.pubKey,
1630
+ firstName: bankPending.firstName,
1631
+ lastName: bankPending.lastName,
1632
+ fieldCount: bankPending.fieldCount,
1633
+ }, retryBankChannels.map(ch => ch.port1));
1634
+ bankPending.readyElements.forEach((el, i) => el.beginCollect(newRequestId, retryBankChannels[i].port2));
1635
+ const retryBankTimeoutId = setTimeout(() => {
1636
+ if (this.bankTokenizeResolvers.has(newRequestId)) {
1637
+ this.bankTokenizeResolvers.delete(newRequestId);
1638
+ this.sendToTokenizer({ type: 'OZ_TOKENIZE_CANCEL', requestId: newRequestId });
1639
+ bankPending.reject(new OzError('Bank tokenization timed out after wax key refresh.', undefined, 'timeout'));
1640
+ }
1641
+ }, 30000);
1642
+ const retryBankEntry = this.bankTokenizeResolvers.get(newRequestId);
1643
+ if (retryBankEntry)
1644
+ retryBankEntry.timeoutId = retryBankTimeoutId;
1645
+ }
1646
+ catch (setupErr) {
1647
+ this.bankTokenizeResolvers.delete(newRequestId);
1648
+ bankPending.reject(setupErr instanceof OzError ? setupErr : new OzError('Retry bank tokenization failed to start'));
1649
+ }
1650
+ }).catch((refreshErr) => {
1651
+ const msg = refreshErr instanceof Error ? refreshErr.message : 'Wax key refresh failed';
1652
+ bankPending.reject(new OzError(msg, undefined, 'auth'));
1653
+ });
1654
+ break;
1655
+ }
1230
1656
  bankPending.reject(new OzError(normalizeBankVaultError(raw), raw, errorCode));
1231
1657
  }
1232
1658
  break;
1233
1659
  }
1234
1660
  case 'OZ_BANK_TOKEN_RESULT': {
1661
+ if (typeof msg.requestId !== 'string' || !msg.requestId) {
1662
+ console.error('[OzVault] OZ_BANK_TOKEN_RESULT missing requestId — discarding message.');
1663
+ break;
1664
+ }
1235
1665
  const pending = this.bankTokenizeResolvers.get(msg.requestId);
1236
1666
  if (pending) {
1237
1667
  this.bankTokenizeResolvers.delete(msg.requestId);
1238
- const bank = msg.bank;
1239
- pending.resolve(Object.assign({ token: msg.token }, (bank ? { bank } : {})));
1668
+ if (pending.timeoutId != null)
1669
+ clearTimeout(pending.timeoutId);
1670
+ const token = msg.token;
1671
+ if (typeof token !== 'string' || !token) {
1672
+ pending.reject(new OzError('Vault returned a bank token result with a missing or empty token — possible vault API change.', undefined, 'server'));
1673
+ break;
1674
+ }
1675
+ const bank = isBankAccountMetadata(msg.bank) ? msg.bank : undefined;
1676
+ pending.resolve(Object.assign({ token }, (bank ? { bank } : {})));
1677
+ // Same proactive refresh logic as card tokenization.
1678
+ this._tokenizeSuccessCount++;
1679
+ if (this._tokenizeSuccessCount >= this._maxTokenizeCalls) {
1680
+ this.refreshWaxKey().catch((err) => {
1681
+ console.warn('[OzVault] Post-budget wax key refresh failed:', err instanceof Error ? err.message : err);
1682
+ });
1683
+ }
1240
1684
  }
1241
1685
  break;
1242
1686
  }
1243
1687
  }
1244
1688
  }
1245
- sendToTokenizer(data) {
1689
+ /**
1690
+ * Returns true when an OZ_TOKEN_ERROR should trigger a wax key refresh.
1691
+ *
1692
+ * Primary path: vault returns 401/403 → errorCode 'auth'.
1693
+ * Defensive path: vault returns 400 → errorCode 'validation', but the raw
1694
+ * message contains wax-key-specific language (consumed, expired, invalid key,
1695
+ * etc.). This avoids a hard dependency on the vault returning a unified HTTP
1696
+ * status for consumed-key vs expired-key failures — both should refresh.
1697
+ *
1698
+ * Deliberately excludes 'network', 'timeout', and 'server' codes (transient
1699
+ * errors are already retried in fetchWithRetry) and 'unknown' (too broad).
1700
+ */
1701
+ isRefreshableAuthError(errorCode, raw) {
1702
+ if (errorCode === 'auth')
1703
+ return true;
1704
+ if (errorCode === 'validation') {
1705
+ const msg = raw.toLowerCase();
1706
+ // Only treat validation errors as wax-related if the message explicitly
1707
+ // names the wax/tokenization session mechanism. A bare "session" match
1708
+ // was too broad — any message mentioning "session" (e.g. a merchant
1709
+ // session field error) would trigger a spurious re-mint.
1710
+ return (msg.includes('wax') ||
1711
+ msg.includes('expired') ||
1712
+ msg.includes('consumed') ||
1713
+ msg.includes('invalid key') ||
1714
+ msg.includes('key not found') ||
1715
+ msg.includes('tokenization session'));
1716
+ }
1717
+ return false;
1718
+ }
1719
+ /**
1720
+ * Re-mints the wax key using the stored fetchWaxKey callback and updates
1721
+ * the tokenizer with the new key. Used for transparent auto-refresh when
1722
+ * the vault returns an auth error on tokenization.
1723
+ *
1724
+ * Only one refresh runs at a time — concurrent retries share the same promise.
1725
+ */
1726
+ refreshWaxKey() {
1727
+ var _a;
1728
+ if (this._waxRefreshing)
1729
+ return this._waxRefreshing;
1730
+ if (!this._storedFetchWaxKey) {
1731
+ return Promise.reject(new OzError('Wax key expired and no fetchWaxKey callback is available for auto-refresh. Call OzVault.create() again to obtain a new vault instance.', undefined, 'auth'));
1732
+ }
1733
+ const newSessionId = uuid();
1734
+ (_a = this._onWaxRefresh) === null || _a === void 0 ? void 0 : _a.call(this);
1735
+ this._waxRefreshing = this._storedFetchWaxKey(newSessionId)
1736
+ .then(newWaxKey => {
1737
+ if (typeof newWaxKey !== 'string' || !newWaxKey.trim()) {
1738
+ throw new OzError('fetchWaxKey returned an empty string during auto-refresh.', undefined, 'auth');
1739
+ }
1740
+ if (!this._destroyed) {
1741
+ this.waxKey = newWaxKey;
1742
+ this.tokenizationSessionId = newSessionId;
1743
+ this._tokenizeSuccessCount = 0;
1744
+ }
1745
+ if (!this._destroyed && this.tokenizerReady) {
1746
+ this.sendToTokenizer({ type: 'OZ_INIT', frameId: '__tokenizer__', waxKey: newWaxKey });
1747
+ }
1748
+ })
1749
+ .finally(() => {
1750
+ this._waxRefreshing = null;
1751
+ });
1752
+ return this._waxRefreshing;
1753
+ }
1754
+ sendToTokenizer(data, transfer) {
1246
1755
  var _a;
1247
1756
  const msg = Object.assign({ __oz: true, vaultId: this.vaultId }, data);
1248
- (_a = this.tokenizerWindow) === null || _a === void 0 ? void 0 : _a.postMessage(msg, this.frameOrigin);
1757
+ (_a = this.tokenizerWindow) === null || _a === void 0 ? void 0 : _a.postMessage(msg, this.frameOrigin, transfer !== null && transfer !== void 0 ? transfer : []);
1249
1758
  }
1250
1759
  }
1251
1760
 
1761
+ /**
1762
+ * Creates a ready-to-use `fetchWaxKey` callback for `OzVault.create()` and `<OzElements>`.
1763
+ *
1764
+ * Calls your backend mint endpoint with `{ sessionId }` and returns the wax key string.
1765
+ * Throws on non-OK responses or a missing `waxKey` field so the vault can surface the
1766
+ * error through its normal error path.
1767
+ *
1768
+ * Each call enforces a 10-second per-attempt timeout. On a pure network-level
1769
+ * failure (connection refused, DNS failure, etc.) the call is retried once after
1770
+ * 750ms before throwing. HTTP errors (4xx/5xx) are never retried — they indicate
1771
+ * an endpoint misconfiguration or an invalid key, not a transient failure.
1772
+ *
1773
+ * The mint endpoint is typically the one-line `createMintWaxHandler` / `createMintWaxMiddleware`
1774
+ * from `@ozura/elements/server`.
1775
+ *
1776
+ * @param mintUrl - Absolute or relative URL of your wax-key mint endpoint, e.g. `'/api/mint-wax'`.
1777
+ *
1778
+ * @example
1779
+ * // Vanilla JS
1780
+ * const vault = await OzVault.create({
1781
+ * pubKey: 'pk_live_...',
1782
+ * fetchWaxKey: createFetchWaxKey('/api/mint-wax'),
1783
+ * });
1784
+ *
1785
+ * @example
1786
+ * // React
1787
+ * <OzElements pubKey="pk_live_..." fetchWaxKey={createFetchWaxKey('/api/mint-wax')}>
1788
+ */
1789
+ function createFetchWaxKey(mintUrl) {
1790
+ const TIMEOUT_MS = 10000;
1791
+ // Each attempt gets its own AbortController so a timeout on attempt 1 does
1792
+ // not bleed into the retry. Uses AbortController + setTimeout instead of
1793
+ // AbortSignal.timeout() to support environments without that API.
1794
+ const attemptFetch = (sessionId) => {
1795
+ const controller = new AbortController();
1796
+ const timer = setTimeout(() => controller.abort(), TIMEOUT_MS);
1797
+ return fetch(mintUrl, {
1798
+ method: 'POST',
1799
+ headers: { 'Content-Type': 'application/json' },
1800
+ body: JSON.stringify({ sessionId }),
1801
+ signal: controller.signal,
1802
+ }).finally(() => clearTimeout(timer));
1803
+ };
1804
+ return async (sessionId) => {
1805
+ let res;
1806
+ try {
1807
+ res = await attemptFetch(sessionId);
1808
+ }
1809
+ catch (firstErr) {
1810
+ // Abort/timeout should not be retried — the server received nothing or
1811
+ // we already waited the full timeout duration.
1812
+ if (firstErr instanceof Error && (firstErr.name === 'AbortError' || firstErr.name === 'TimeoutError')) {
1813
+ throw new OzError(`Wax key mint timed out after ${TIMEOUT_MS / 1000}s (${mintUrl})`, undefined, 'timeout');
1814
+ }
1815
+ // Pure network error (offline, DNS, connection refused) — retry once
1816
+ // after a short pause in case of a transient blip.
1817
+ await new Promise(resolve => setTimeout(resolve, 750));
1818
+ try {
1819
+ res = await attemptFetch(sessionId);
1820
+ }
1821
+ catch (retryErr) {
1822
+ const msg = retryErr instanceof Error ? retryErr.message : 'Network error';
1823
+ throw new OzError(`Could not reach wax key mint endpoint (${mintUrl}): ${msg}`, undefined, 'network');
1824
+ }
1825
+ }
1826
+ const data = await res.json().catch(() => ({}));
1827
+ if (!res.ok) {
1828
+ throw new OzError(typeof data.error === 'string' && data.error
1829
+ ? data.error
1830
+ : `Wax key mint failed (HTTP ${res.status})`, undefined, res.status >= 500 ? 'server' : res.status === 401 || res.status === 403 ? 'auth' : 'validation');
1831
+ }
1832
+ if (typeof data.waxKey !== 'string' || !data.waxKey.trim()) {
1833
+ throw new OzError('Mint endpoint response is missing waxKey. Check your /api/mint-wax implementation.', undefined, 'validation');
1834
+ }
1835
+ return data.waxKey;
1836
+ };
1837
+ }
1838
+
1252
1839
  exports.OzElement = OzElement;
1253
1840
  exports.OzError = OzError;
1254
1841
  exports.OzVault = OzVault;
1842
+ exports.createFetchWaxKey = createFetchWaxKey;
1255
1843
  exports.normalizeBankVaultError = normalizeBankVaultError;
1256
1844
  exports.normalizeCardSaleError = normalizeCardSaleError;
1257
1845
  exports.normalizeVaultError = normalizeVaultError;