@ozura/elements 1.2.4-next.55 → 1.2.4-next.57
- package/README.md +4 -2
- package/dist/oz-elements.esm.js +38 -18
- package/dist/oz-elements.esm.js.map +1 -1
- package/dist/oz-elements.umd.js +38 -18
- package/dist/oz-elements.umd.js.map +1 -1
- package/dist/react/index.cjs.js +38 -18
- package/dist/react/index.cjs.js.map +1 -1
- package/dist/react/index.esm.js +38 -18
- package/dist/react/index.esm.js.map +1 -1
- package/dist/react/react/index.d.ts +5 -2
- package/dist/react/sdk/OzVault.d.ts +1 -1
- package/dist/react/types/index.d.ts +7 -3
- package/dist/react/vue/index.d.ts +6 -3
- package/dist/server/sdk/OzVault.d.ts +1 -1
- package/dist/server/types/index.d.ts +7 -3
- package/dist/server/vue/index.d.ts +6 -3
- package/dist/types/sdk/OzVault.d.ts +1 -1
- package/dist/types/types/index.d.ts +7 -3
- package/dist/types/vue/index.d.ts +6 -3
- package/dist/vue/index.cjs.js +39 -19
- package/dist/vue/index.cjs.js.map +1 -1
- package/dist/vue/index.esm.js +39 -19
- package/dist/vue/index.esm.js.map +1 -1
- package/dist/vue/sdk/OzVault.d.ts +1 -1
- package/dist/vue/types/index.d.ts +7 -3
- package/dist/vue/vue/index.d.ts +6 -3
- package/package.json +1 -1
|
@@ -26,7 +26,9 @@
|
|
|
26
26
|
import { type Ref, type PropType, type ComputedRef } from 'vue';
|
|
27
27
|
import type { TokenizeOptions, TokenResponse, BankTokenizeOptions, BankTokenResponse, FontSource, Appearance } from '../types';
|
|
28
28
|
export interface OzElementsProps {
|
|
29
|
-
|
|
29
|
+
/** Omit when using a test vault key from a Test project at ozuravault.com.
|
|
30
|
+
* Required for production vault keys. */
|
|
31
|
+
pubKey?: string;
|
|
30
32
|
sessionUrl?: string;
|
|
31
33
|
getSessionKey?: (sessionId: string) => Promise<string>;
|
|
32
34
|
frameBaseUrl?: string;
|
|
@@ -54,7 +56,7 @@ export interface OzElementsProps {
|
|
|
54
56
|
export declare const OzElements: import("vue").DefineComponent<import("vue").ExtractPropTypes<{
|
|
55
57
|
pubKey: {
|
|
56
58
|
type: StringConstructor;
|
|
57
|
-
|
|
59
|
+
default: undefined;
|
|
58
60
|
};
|
|
59
61
|
sessionUrl: {
|
|
60
62
|
type: StringConstructor;
|
|
@@ -105,7 +107,7 @@ export declare const OzElements: import("vue").DefineComponent<import("vue").Ext
|
|
|
105
107
|
}>[] | undefined, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, "ready"[], "ready", import("vue").PublicProps, Readonly<import("vue").ExtractPropTypes<{
|
|
106
108
|
pubKey: {
|
|
107
109
|
type: StringConstructor;
|
|
108
|
-
|
|
110
|
+
default: undefined;
|
|
109
111
|
};
|
|
110
112
|
sessionUrl: {
|
|
111
113
|
type: StringConstructor;
|
|
@@ -156,6 +158,7 @@ export declare const OzElements: import("vue").DefineComponent<import("vue").Ext
|
|
|
156
158
|
}>, {
|
|
157
159
|
debug: boolean;
|
|
158
160
|
fonts: FontSource[];
|
|
161
|
+
pubKey: string;
|
|
159
162
|
loadTimeoutMs: number;
|
|
160
163
|
frameBaseUrl: string;
|
|
161
164
|
maxTokenizeCalls: number;
|
|
@@ -9,7 +9,7 @@ import { ElementType, BankElementType, ElementOptions, VaultOptions, TokenizeOpt
|
|
|
9
9
|
* @example
|
|
10
10
|
* // Recommended — pass sessionUrl and let the SDK call your backend automatically
|
|
11
11
|
* const vault = await OzVault.create({
|
|
12
|
-
* pubKey: 'pk_prod_...', //
|
|
12
|
+
* pubKey: 'pk_prod_...', // omit for test vault keys; required for production
|
|
13
13
|
* sessionUrl: '/api/oz-session', // backend endpoint that calls ozura.createSession()
|
|
14
14
|
* });
|
|
15
15
|
* const cardNum = vault.createElement('cardNumber');
|
|
@@ -152,9 +152,13 @@ export interface Appearance {
|
|
|
152
152
|
variables?: AppearanceVariables;
|
|
153
153
|
}
|
|
154
154
|
export interface VaultOptions {
|
|
155
|
-
/** System pub key required for tokenization
|
|
156
|
-
* Sent as the `X-Pub-Key` header on tokenize requests.
|
|
157
|
-
|
|
155
|
+
/** System pub key required for tokenization with production vault keys.
|
|
156
|
+
* Sent as the `X-Pub-Key` header on tokenize requests.
|
|
157
|
+
*
|
|
158
|
+
* **Omit when using a test vault key** (from a Test project at ozuravault.com).
|
|
159
|
+
* Test keys do not require a pub key — the vault recognizes them and tokenizes
|
|
160
|
+
* without the header. For production keys this is required. */
|
|
161
|
+
pubKey?: string;
|
|
158
162
|
/**
|
|
159
163
|
* URL of your backend session endpoint. The simplest way to connect the SDK
|
|
160
164
|
* to your server — just pass the path and the SDK handles everything else.
|
|
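Review bot: With `pubKey?: string` in `VaultOptions`, a production integration that forgets the key now type-checks, and the doc comment does not say how that mistake surfaces. The comment states the key is required for production vault keys, but the only runtime signal visible in this diff is the `console.warn` added to `OzVault.create` in the bundle, so the failure presumably moves to tokenize time; what the vault returns then is not shown here. Once that behaviour is confirmed, I would add a line to the comment such as `Not enforced by the type: a production key without pubKey compiles and is only rejected when tokenizing.` The same applies to the identical `VaultOptions` hunk repeated further down and to `OzElementsProps.pubKey` in the Vue typings.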
@@ -26,7 +26,9 @@
|
|
|
26
26
|
import { type Ref, type PropType, type ComputedRef } from 'vue';
|
|
27
27
|
import type { TokenizeOptions, TokenResponse, BankTokenizeOptions, BankTokenResponse, FontSource, Appearance } from '../types';
|
|
28
28
|
export interface OzElementsProps {
|
|
29
|
-
|
|
29
|
+
/** Omit when using a test vault key from a Test project at ozuravault.com.
|
|
30
|
+
* Required for production vault keys. */
|
|
31
|
+
pubKey?: string;
|
|
30
32
|
sessionUrl?: string;
|
|
31
33
|
getSessionKey?: (sessionId: string) => Promise<string>;
|
|
32
34
|
frameBaseUrl?: string;
|
|
@@ -54,7 +56,7 @@ export interface OzElementsProps {
|
|
|
54
56
|
export declare const OzElements: import("vue").DefineComponent<import("vue").ExtractPropTypes<{
|
|
55
57
|
pubKey: {
|
|
56
58
|
type: StringConstructor;
|
|
57
|
-
|
|
59
|
+
default: undefined;
|
|
58
60
|
};
|
|
59
61
|
sessionUrl: {
|
|
60
62
|
type: StringConstructor;
|
|
@@ -105,7 +107,7 @@ export declare const OzElements: import("vue").DefineComponent<import("vue").Ext
|
|
|
105
107
|
}>[] | undefined, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, "ready"[], "ready", import("vue").PublicProps, Readonly<import("vue").ExtractPropTypes<{
|
|
106
108
|
pubKey: {
|
|
107
109
|
type: StringConstructor;
|
|
108
|
-
|
|
110
|
+
default: undefined;
|
|
109
111
|
};
|
|
110
112
|
sessionUrl: {
|
|
111
113
|
type: StringConstructor;
|
|
@@ -156,6 +158,7 @@ export declare const OzElements: import("vue").DefineComponent<import("vue").Ext
|
|
|
156
158
|
}>, {
|
|
157
159
|
debug: boolean;
|
|
158
160
|
fonts: FontSource[];
|
|
161
|
+
pubKey: string;
|
|
159
162
|
loadTimeoutMs: number;
|
|
160
163
|
frameBaseUrl: string;
|
|
161
164
|
maxTokenizeCalls: number;
|
|
@@ -9,7 +9,7 @@ import { ElementType, BankElementType, ElementOptions, VaultOptions, TokenizeOpt
|
|
|
9
9
|
* @example
|
|
10
10
|
* // Recommended — pass sessionUrl and let the SDK call your backend automatically
|
|
11
11
|
* const vault = await OzVault.create({
|
|
12
|
-
* pubKey: 'pk_prod_...', //
|
|
12
|
+
* pubKey: 'pk_prod_...', // omit for test vault keys; required for production
|
|
13
13
|
* sessionUrl: '/api/oz-session', // backend endpoint that calls ozura.createSession()
|
|
14
14
|
* });
|
|
15
15
|
* const cardNum = vault.createElement('cardNumber');
|
|
@@ -152,9 +152,13 @@ export interface Appearance {
|
|
|
152
152
|
variables?: AppearanceVariables;
|
|
153
153
|
}
|
|
154
154
|
export interface VaultOptions {
|
|
155
|
-
/** System pub key required for tokenization
|
|
156
|
-
* Sent as the `X-Pub-Key` header on tokenize requests.
|
|
157
|
-
|
|
155
|
+
/** System pub key required for tokenization with production vault keys.
|
|
156
|
+
* Sent as the `X-Pub-Key` header on tokenize requests.
|
|
157
|
+
*
|
|
158
|
+
* **Omit when using a test vault key** (from a Test project at ozuravault.com).
|
|
159
|
+
* Test keys do not require a pub key — the vault recognizes them and tokenizes
|
|
160
|
+
* without the header. For production keys this is required. */
|
|
161
|
+
pubKey?: string;
|
|
158
162
|
/**
|
|
159
163
|
* URL of your backend session endpoint. The simplest way to connect the SDK
|
|
160
164
|
* to your server — just pass the path and the SDK handles everything else.
|
|
@@ -26,7 +26,9 @@
|
|
|
26
26
|
import { type Ref, type PropType, type ComputedRef } from 'vue';
|
|
27
27
|
import type { TokenizeOptions, TokenResponse, BankTokenizeOptions, BankTokenResponse, FontSource, Appearance } from '../types';
|
|
28
28
|
export interface OzElementsProps {
|
|
29
|
-
|
|
29
|
+
/** Omit when using a test vault key from a Test project at ozuravault.com.
|
|
30
|
+
* Required for production vault keys. */
|
|
31
|
+
pubKey?: string;
|
|
30
32
|
sessionUrl?: string;
|
|
31
33
|
getSessionKey?: (sessionId: string) => Promise<string>;
|
|
32
34
|
frameBaseUrl?: string;
|
|
@@ -54,7 +56,7 @@ export interface OzElementsProps {
|
|
|
54
56
|
export declare const OzElements: import("vue").DefineComponent<import("vue").ExtractPropTypes<{
|
|
55
57
|
pubKey: {
|
|
56
58
|
type: StringConstructor;
|
|
57
|
-
|
|
59
|
+
default: undefined;
|
|
58
60
|
};
|
|
59
61
|
sessionUrl: {
|
|
60
62
|
type: StringConstructor;
|
|
@@ -105,7 +107,7 @@ export declare const OzElements: import("vue").DefineComponent<import("vue").Ext
|
|
|
105
107
|
}>[] | undefined, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, "ready"[], "ready", import("vue").PublicProps, Readonly<import("vue").ExtractPropTypes<{
|
|
106
108
|
pubKey: {
|
|
107
109
|
type: StringConstructor;
|
|
108
|
-
|
|
110
|
+
default: undefined;
|
|
109
111
|
};
|
|
110
112
|
sessionUrl: {
|
|
111
113
|
type: StringConstructor;
|
|
@@ -156,6 +158,7 @@ export declare const OzElements: import("vue").DefineComponent<import("vue").Ext
|
|
|
156
158
|
}>, {
|
|
157
159
|
debug: boolean;
|
|
158
160
|
fonts: FontSource[];
|
|
161
|
+
pubKey: string;
|
|
159
162
|
loadTimeoutMs: number;
|
|
160
163
|
frameBaseUrl: string;
|
|
161
164
|
maxTokenizeCalls: number;
|
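--- a/package/dist/vue/index.cjs.js
+++ b/package/dist/vue/index.cjs.js
@@ -431,17 +431,26 @@ class OzElement {
 accountNumber: 'account number',
 routingNumber: 'routing number',
 }[this.elementType]) !== null && _a !== void 0 ? _a : this.elementType} input`;
-// sandbox="allow-scripts" gives correct iframe isolation:
-// -
-// -
-//
-//
-//
-//
-//
-//
-//
-
+// sandbox="allow-scripts allow-same-origin" gives correct iframe isolation:
+// - allow-scripts: JS runs, so the field JS executes normally.
+// - allow-same-origin: the frame keeps its actual origin (elements.ozura.com
+// in production) so that:
+// (a) window.parent.postMessage() carries a real origin that OzVault can
+// validate (without this the frame gets a null/opaque origin and every
+// OZ_FRAME_READY message is silently dropped by the origin check), and
+// (b) OzVault can deliver OZ_INIT back to the frame (postMessage to a
+// null-origin target is never delivered).
+// - In PRODUCTION the frames are served from elements.ozura.com and embedded
+// on a different merchant domain — Same-Origin Policy already prevents the
+// frame from accessing window.parent.document or merchant cookies, making
+// allow-same-origin a no-op from a security perspective.
+// - In LOCAL DEV (localhost) both parent and frames share the same origin;
+// allow-same-origin alongside allow-scripts does technically weaken sandbox
+// isolation, but this is a local dev server only — not a production risk.
+// NOT included: allow-top-navigation, allow-popups, allow-forms — prevents
+// a compromised element frame from navigating the merchant page or opening
+// popups even if the CDN bundle were somehow replaced.
+iframe.setAttribute('sandbox', 'allow-scripts allow-same-origin');
 // Use hash instead of query string — survives clean-URL redirects from static servers.
 // parentOrigin lets the frame target postMessage to the merchant origin instead of '*'.
 const parentOrigin = typeof window !== 'undefined' ? window.location.origin : '';
@@ -1027,7 +1036,7 @@ const DEFAULT_FRAME_BASE_URL = "https://lively-hill-097170c0f.4.azurestaticapps.
 * @example
 * // Recommended — pass sessionUrl and let the SDK call your backend automatically
 * const vault = await OzVault.create({
-* pubKey: 'pk_prod_...', //
+* pubKey: 'pk_prod_...', // omit for test vault keys; required for production
 * sessionUrl: '/api/oz-session', // backend endpoint that calls ozura.createSession()
 * });
 * const cardNum = vault.createElement('cardNumber');
@@ -1135,8 +1144,15 @@ class OzVault {
 * @throws {OzError} if the session fetch fails, times out, or returns an empty string.
 */
 static async create(options, signal) {
-
-
+// pubKey is optional — test vault keys (from a Test project on the vault)
+// do not require a pub key. Production keys do. If provided, it must be
+// non-empty after trimming; if omitted entirely, warn but continue.
+if (options.pubKey !== undefined && !options.pubKey.trim()) {
+throw new OzError('pubKey must be a non-empty string. Omit the option entirely to use a test vault key.');
+}
+if (options.pubKey === undefined) {
+console.warn('[OzVault] pubKey not provided — this only works with a test vault key from a Test project on the vault. ' +
+'For production, set pubKey to your pk_live_... or pk_prod_... value.');
 }
 // Normalize the session callback. Priority: sessionUrl > getSessionKey > fetchWaxKey (deprecated).
 // This allows merchants to use the clean new API without touching legacy code.
@@ -1345,6 +1361,7 @@ class OzVault {
 const requestId = `req-${uuid()}`;
 this.log('createBankToken() called');
 return new Promise((resolve, reject) => {
+var _a;
 const resetCountAtStart = this._resetCount;
 const cleanup = () => {
 if (this._resetCount === resetCountAtStart)
@@ -1365,7 +1382,7 @@ class OzVault {
 type: 'OZ_BANK_TOKENIZE',
 requestId,
 tokenizationSessionId: this.tokenizationSessionId,
-pubKey: this.pubKey,
+pubKey: (_a = this.pubKey) !== null && _a !== void 0 ? _a : '',
 firstName: options.firstName.trim(),
 lastName: options.lastName.trim(),
 fieldCount: readyBankElements.length,
@@ -1464,6 +1481,7 @@ class OzVault {
 billingPresent: Boolean(options.billing),
 });
 return new Promise((resolve, reject) => {
+var _a;
 // Capture the reset generation so cleanup() only zeros _tokenizing when it
 // still belongs to this invocation — not a newer one that started after a reset.
 const resetCountAtStart = this._resetCount;
@@ -1488,7 +1506,7 @@ class OzVault {
 type: 'OZ_TOKENIZE',
 requestId,
 tokenizationSessionId: this.tokenizationSessionId,
-pubKey: this.pubKey,
+pubKey: (_a = this.pubKey) !== null && _a !== void 0 ? _a : '',
 firstName,
 lastName,
 fieldCount: readyElements.length,
@@ -1936,6 +1954,7 @@ class OzVault {
 if (willRefresh) {
 const resetCountAtRetry = this._resetCount;
 this.refreshWaxKey().then(() => {
+var _a;
 if (this._destroyed) {
 pending.reject(new OzError('Vault destroyed during wax key refresh.'));
 return;
@@ -1968,7 +1987,7 @@ class OzVault {
 type: 'OZ_TOKENIZE',
 requestId: newRequestId,
 tokenizationSessionId: this.tokenizationSessionId,
-pubKey: this.pubKey,
+pubKey: (_a = this.pubKey) !== null && _a !== void 0 ? _a : '',
 firstName: pending.firstName,
 lastName: pending.lastName,
 fieldCount: pending.fieldCount,
@@ -2012,6 +2031,7 @@ class OzVault {
 if (this.isRefreshableAuthError(errorCode, raw) && !bankPending.retried && this._storedFetchWaxKey) {
 const resetCountAtRetry = this._resetCount;
 this.refreshWaxKey().then(() => {
+var _a;
 if (this._destroyed) {
 bankPending.reject(new OzError('Vault destroyed during wax key refresh.'));
 return;
@@ -2034,7 +2054,7 @@ class OzVault {
 type: 'OZ_BANK_TOKENIZE',
 requestId: newRequestId,
 tokenizationSessionId: this.tokenizationSessionId,
-pubKey: this.pubKey,
+pubKey: (_a = this.pubKey) !== null && _a !== void 0 ? _a : '',
 firstName: bankPending.firstName,
 lastName: bankPending.lastName,
 fieldCount: bankPending.fieldCount,
@@ -2235,7 +2255,7 @@ const OZ_KEY = Symbol('oz-elements');
 const OzElements = vue.defineComponent({
 name: 'OzElements',
 props: {
-pubKey: { type: String,
+pubKey: { type: String, default: undefined },
 sessionUrl: { type: String, default: undefined },
 getSessionKey: { type: Function, default: undefined },
 frameBaseUrl: { type: String, default: undefined },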
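Review bot: The comment added above `iframe.setAttribute('sandbox', 'allow-scripts allow-same-origin')` in the `OzElement` hunk calls `allow-same-origin` a no-op in production, but that holds only while the frame is served cross-origin to the embedding page, and nothing in the hunk checks it. `frameBaseUrl` is a caller-supplied option, and the `DEFAULT_FRAME_BASE_URL` shown in a later hunk header points at an azurestaticapps host rather than the `elements.ozura.com` the comment names; a frame that ends up same-origin with the page keeps full access to the parent document and can drop its own sandbox attribute. I would replace the PRODUCTION and LOCAL DEV bullets with `// allow-same-origin is only safe while the frame is served cross-origin to the embedding page; a same-origin frame with allow-scripts can remove its own sandbox.` I would also compare the resolved frame origin with `window.location.origin` before setting the attribute, warning or refusing outside local development when they match. The enclosing method starts and ends outside the hunk.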