npm - @ozura/elements - Versions diffs - 1.2.4-next.55 → 1.2.4-next.57 - Mend

@ozura/elements 1.2.4-next.55 → 1.2.4-next.57

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/README.md +4 -2
package/dist/oz-elements.esm.js +38 -18
package/dist/oz-elements.esm.js.map +1 -1
package/dist/oz-elements.umd.js +38 -18
package/dist/oz-elements.umd.js.map +1 -1
package/dist/react/index.cjs.js +38 -18
package/dist/react/index.cjs.js.map +1 -1
package/dist/react/index.esm.js +38 -18
package/dist/react/index.esm.js.map +1 -1
package/dist/react/react/index.d.ts +5 -2
package/dist/react/sdk/OzVault.d.ts +1 -1
package/dist/react/types/index.d.ts +7 -3
package/dist/react/vue/index.d.ts +6 -3
package/dist/server/sdk/OzVault.d.ts +1 -1
package/dist/server/types/index.d.ts +7 -3
package/dist/server/vue/index.d.ts +6 -3
package/dist/types/sdk/OzVault.d.ts +1 -1
package/dist/types/types/index.d.ts +7 -3
package/dist/types/vue/index.d.ts +6 -3
package/dist/vue/index.cjs.js +39 -19
package/dist/vue/index.cjs.js.map +1 -1
package/dist/vue/index.esm.js +39 -19
package/dist/vue/index.esm.js.map +1 -1
package/dist/vue/sdk/OzVault.d.ts +1 -1
package/dist/vue/types/index.d.ts +7 -3
package/dist/vue/vue/index.d.ts +6 -3
package/package.json +1 -1

package/dist/react/index.cjs.js CHANGED Viewed

@@ -432,17 +432,26 @@ class OzElement {
             accountNumber: 'account number',
             routingNumber: 'routing number',
         }[this.elementType]) !== null && _a !== void 0 ? _a : this.elementType} input`;
-        // sandbox="allow-scripts" gives correct iframe isolation:
-        // - Scripts run (allow-scripts), so the field JS executes normally.
-        // - NO allow-same-origin: the frame cannot access window.parent's DOM,
-        //   localStorage, or cookies — prevents sandbox escape even if served
-        //   from the same origin.
-        // - NO allow-top-navigation: a rogue/compromised element frame cannot
-        //   navigate window.top (clickjacking prevention).
-        // - NO allow-forms / allow-popups: reduces attack surface.
-        // Field values are delivered via postMessage, so no parent access is
-        // needed — allow-scripts alone is sufficient.
-        iframe.setAttribute('sandbox', 'allow-scripts');
+        // sandbox="allow-scripts allow-same-origin" gives correct iframe isolation:
+        // - allow-scripts: JS runs, so the field JS executes normally.
+        // - allow-same-origin: the frame keeps its actual origin (elements.ozura.com
+        //   in production) so that:
+        //   (a) window.parent.postMessage() carries a real origin that OzVault can
+        //       validate (without this the frame gets a null/opaque origin and every
+        //       OZ_FRAME_READY message is silently dropped by the origin check), and
+        //   (b) OzVault can deliver OZ_INIT back to the frame (postMessage to a
+        //       null-origin target is never delivered).
+        // - In PRODUCTION the frames are served from elements.ozura.com and embedded
+        //   on a different merchant domain — Same-Origin Policy already prevents the
+        //   frame from accessing window.parent.document or merchant cookies, making
+        //   allow-same-origin a no-op from a security perspective.
+        // - In LOCAL DEV (localhost) both parent and frames share the same origin;
+        //   allow-same-origin alongside allow-scripts does technically weaken sandbox
+        //   isolation, but this is a local dev server only — not a production risk.
+        // NOT included: allow-top-navigation, allow-popups, allow-forms — prevents
+        // a compromised element frame from navigating the merchant page or opening
+        // popups even if the CDN bundle were somehow replaced.
+        iframe.setAttribute('sandbox', 'allow-scripts allow-same-origin');
         // Use hash instead of query string — survives clean-URL redirects from static servers.
         // parentOrigin lets the frame target postMessage to the merchant origin instead of '*'.
         const parentOrigin = typeof window !== 'undefined' ? window.location.origin : '';
@@ -1028,7 +1037,7 @@ const DEFAULT_FRAME_BASE_URL = "https://lively-hill-097170c0f.4.azurestaticapps.
  * @example
  * // Recommended — pass sessionUrl and let the SDK call your backend automatically
  * const vault = await OzVault.create({
- *   pubKey: 'pk_prod_...',  // or 'pk_test_...' for test mode
+ *   pubKey: 'pk_prod_...',  // omit for test vault keys; required for production
  *   sessionUrl: '/api/oz-session',  // backend endpoint that calls ozura.createSession()
  * });
  * const cardNum = vault.createElement('cardNumber');
@@ -1136,8 +1145,15 @@ class OzVault {
      * @throws {OzError} if the session fetch fails, times out, or returns an empty string.
      */
     static async create(options, signal) {
-        if (!options.pubKey || !options.pubKey.trim()) {
-            throw new OzError('pubKey is required in options. Obtain your public key from the Ozura admin.');
+        // pubKey is optional — test vault keys (from a Test project on the vault)
+        // do not require a pub key. Production keys do. If provided, it must be
+        // non-empty after trimming; if omitted entirely, warn but continue.
+        if (options.pubKey !== undefined && !options.pubKey.trim()) {
+            throw new OzError('pubKey must be a non-empty string. Omit the option entirely to use a test vault key.');
+        }
+        if (options.pubKey === undefined) {
+            console.warn('[OzVault] pubKey not provided — this only works with a test vault key from a Test project on the vault. ' +
+                'For production, set pubKey to your pk_live_... or pk_prod_... value.');
         }
         // Normalize the session callback. Priority: sessionUrl > getSessionKey > fetchWaxKey (deprecated).
         // This allows merchants to use the clean new API without touching legacy code.
@@ -1346,6 +1362,7 @@ class OzVault {
         const requestId = `req-${uuid()}`;
         this.log('createBankToken() called');
         return new Promise((resolve, reject) => {
+            var _a;
             const resetCountAtStart = this._resetCount;
             const cleanup = () => {
                 if (this._resetCount === resetCountAtStart)
@@ -1366,7 +1383,7 @@ class OzVault {
                     type: 'OZ_BANK_TOKENIZE',
                     requestId,
                     tokenizationSessionId: this.tokenizationSessionId,
-                    pubKey: this.pubKey,
+                    pubKey: (_a = this.pubKey) !== null && _a !== void 0 ? _a : '',
                     firstName: options.firstName.trim(),
                     lastName: options.lastName.trim(),
                     fieldCount: readyBankElements.length,
@@ -1465,6 +1482,7 @@ class OzVault {
             billingPresent: Boolean(options.billing),
         });
         return new Promise((resolve, reject) => {
+            var _a;
             // Capture the reset generation so cleanup() only zeros _tokenizing when it
             // still belongs to this invocation — not a newer one that started after a reset.
             const resetCountAtStart = this._resetCount;
@@ -1489,7 +1507,7 @@ class OzVault {
                     type: 'OZ_TOKENIZE',
                     requestId,
                     tokenizationSessionId: this.tokenizationSessionId,
-                    pubKey: this.pubKey,
+                    pubKey: (_a = this.pubKey) !== null && _a !== void 0 ? _a : '',
                     firstName,
                     lastName,
                     fieldCount: readyElements.length,
@@ -1937,6 +1955,7 @@ class OzVault {
                     if (willRefresh) {
                         const resetCountAtRetry = this._resetCount;
                         this.refreshWaxKey().then(() => {
+                            var _a;
                             if (this._destroyed) {
                                 pending.reject(new OzError('Vault destroyed during wax key refresh.'));
                                 return;
@@ -1969,7 +1988,7 @@ class OzVault {
                                     type: 'OZ_TOKENIZE',
                                     requestId: newRequestId,
                                     tokenizationSessionId: this.tokenizationSessionId,
-                                    pubKey: this.pubKey,
+                                    pubKey: (_a = this.pubKey) !== null && _a !== void 0 ? _a : '',
                                     firstName: pending.firstName,
                                     lastName: pending.lastName,
                                     fieldCount: pending.fieldCount,
@@ -2013,6 +2032,7 @@ class OzVault {
                         if (this.isRefreshableAuthError(errorCode, raw) && !bankPending.retried && this._storedFetchWaxKey) {
                             const resetCountAtRetry = this._resetCount;
                             this.refreshWaxKey().then(() => {
+                                var _a;
                                 if (this._destroyed) {
                                     bankPending.reject(new OzError('Vault destroyed during wax key refresh.'));
                                     return;
@@ -2035,7 +2055,7 @@ class OzVault {
                                         type: 'OZ_BANK_TOKENIZE',
                                         requestId: newRequestId,
                                         tokenizationSessionId: this.tokenizationSessionId,
-                                        pubKey: this.pubKey,
+                                        pubKey: (_a = this.pubKey) !== null && _a !== void 0 ? _a : '',
                                         firstName: bankPending.firstName,
                                         lastName: bankPending.lastName,
                                         fieldCount: bankPending.fieldCount,