@pandait.tech/payment-nuvei 0.2.0 → 0.2.1

package/dist/handlers/index.cjs

@@ -922,7 +922,43 @@ function createWebhookHandler(deps) {
 }
 
 // src/handlers/3ds-callback.ts
+function pickCres(src) {
+  for (const key of Object.keys(src)) {
+    const k = key.toLowerCase();
+    if (k === "cres" || k === "cres_value" || k === "cresvalue" || k === "value" || k === "param.value" || k === "paramvalue") {
+      const v = src[key];
+      if (typeof v === "string" && v.length > 0) return v;
+    }
+  }
+  return src.cres || src.CRes || src.CRES || src.value || "";
+}
+function transStatusFromCres(cres, logger) {
+  try {
+    const base64 = cres.replace(/-/g, "+").replace(/_/g, "/");
+    const pad = base64.length % 4;
+    const padded = pad ? base64 + "=".repeat(4 - pad) : base64;
+    const decoded = JSON.parse(
+      Buffer.from(padded, "base64").toString("utf-8")
+    );
+    if (decoded && typeof decoded.transStatus === "string") {
+      return decoded.transStatus;
+    }
+  } catch (e) {
+    logger.warn(
+      "[3ds-callback] Could not decode CRES payload:",
+      e instanceof Error ? e.message : e
+    );
+  }
+  return null;
+}
+function paramsToObject(params) {
+  const obj = {};
+  for (const [k, v] of params.entries()) obj[k] = v;
+  return obj;
+}
 function buildCompletionPage(orderId, transStatus) {
+  const safeOrderId = String(orderId).replace(/[^a-zA-Z0-9_-]/g, "");
+  const safeTransStatus = String(transStatus).replace(/[^a-zA-Z0-9]/g, "");
   const html = `<!DOCTYPE html>
 <html><head><meta charset="utf-8"><title>3DS Verification</title></head>
 <body>
@@ -930,8 +966,8 @@ function buildCompletionPage(orderId, transStatus) {
 (function() {
   var message = {
     type: "3DS_COMPLETE",
-    orderId: "${orderId}",
-    transStatus: "${transStatus}"
+    orderId: "${safeOrderId}",
+    transStatus: "${safeTransStatus}"
   };
   try {
     if (window.parent && window.parent !== window) {
@@ -954,46 +990,68 @@ Verificando autenticaci&oacute;n...
 function create3dsCallbackHandler(deps) {
   const logger = deps.logger ?? console;
   const { db } = deps.firebase;
-  async function storeCres(orderId, cres) {
-    if (orderId && cres) {
-      try {
-        await db.collection("orders").doc(orderId).update({
-          threeDSCres: cres,
-          updatedAt: /* @__PURE__ */ new Date()
-        });
-      } catch (err) {
-        logger.error("Failed to store cres on order:", err);
+  async function persist(orderId, cres, transStatus) {
+    if (!orderId) return;
+    try {
+      const ref = db.collection("orders").doc(orderId);
+      const snap = await ref.get();
+      const status = snap.data()?.status;
+      if (!snap.exists || status !== "3ds-pending") {
+        logger.warn(
+          "[3ds-callback] rejected: order not in 3ds-pending state",
+          { orderId, status }
+        );
+        return;
       }
+      const update = { updatedAt: /* @__PURE__ */ new Date() };
+      if (cres) update.threeDSCres = cres;
+      if (transStatus) update.threeDSTransStatus = transStatus;
+      await ref.update(update);
+    } catch (err) {
+      logger.error("[3ds-callback] failed to store cres on order:", err);
     }
   }
+  function resolveTransStatus(cres, fallback) {
+    if (cres) {
+      const fromCres = transStatusFromCres(cres, logger);
+      if (fromCres) return fromCres;
+    }
+    return fallback;
+  }
   const POST = async function POST2(request) {
-    const { searchParams } = new URL(request.url);
-    const orderId = searchParams.get("orderId") || "";
+    const orderId = new URL(request.url).searchParams.get("orderId") || "";
     let transStatus = "U";
     let cres = "";
     try {
       const contentType = request.headers.get("content-type") || "";
+      const raw = await request.text();
       if (contentType.includes("application/x-www-form-urlencoded")) {
-        const text = await request.text();
-        const params = new URLSearchParams(text);
-        transStatus = params.get("transStatus") || "U";
-        cres = params.get("cres") || params.get("CRes") || "";
+        const obj = paramsToObject(new URLSearchParams(raw));
+        transStatus = obj.transStatus || obj.TransStatus || "U";
+        cres = pickCres(obj);
       } else {
-        const body = await request.json();
-        transStatus = body.transStatus || "U";
-        cres = body.cres || body.CRes || "";
+        try {
+          const body = JSON.parse(raw);
+          transStatus = body.transStatus || body.TransStatus || "U";
+          cres = pickCres(body);
+        } catch {
+        }
+      }
+      if (!cres && raw) {
+        cres = pickCres(paramsToObject(new URLSearchParams(raw)));
       }
     } catch {
     }
-    await storeCres(orderId, cres);
+    transStatus = resolveTransStatus(cres, transStatus);
+    await persist(orderId, cres, transStatus);
     return buildCompletionPage(orderId, transStatus);
   };
   const GET = async function GET2(request) {
-    const { searchParams } = new URL(request.url);
-    const orderId = searchParams.get("orderId") || "";
-    const transStatus = searchParams.get("transStatus") || "Y";
-    const cres = searchParams.get("cres") || searchParams.get("CRes") || "";
-    await storeCres(orderId, cres);
+    const params = new URL(request.url).searchParams;
+    const orderId = params.get("orderId") || "";
+    const cres = params.get("cres") || params.get("CRes") || params.get("value") || "";
+    const transStatus = resolveTransStatus(cres, params.get("transStatus") || "Y");
+    await persist(orderId, cres, transStatus);
     return buildCompletionPage(orderId, transStatus);
   };
   return { POST, GET };