@pulsebyshiga/collect-js 0.2.0 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +54 -41
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -1,18 +1,20 @@
|
|
|
1
1
|
# @pulsebyshiga/collect-js
|
|
2
2
|
|
|
3
|
-
|
|
4
|
-
iframe
|
|
5
|
-
|
|
3
|
+
Drop Pulse's embedded payment experience into any web page. `collect-js` mounts a
|
|
4
|
+
Pulse-controlled iframe and gives you a small, fully-typed API around it — you keep the
|
|
5
|
+
page, the layout, and the brand; Pulse owns the payment surface. The session token,
|
|
6
|
+
deposit addresses, QR codes, and order data never enter your DOM.
|
|
6
7
|
|
|
7
|
-
|
|
8
|
-
|
|
8
|
+
Framework-agnostic and dependency-free. The [React](https://www.npmjs.com/package/@pulsebyshiga/collect-react)
|
|
9
|
+
and [React Native](https://www.npmjs.com/package/@pulsebyshiga/collect-react-native) SDKs build on it.
|
|
10
|
+
|
|
11
|
+
> **Pre-release (0.2.0).** The public API may still change.
|
|
9
12
|
|
|
10
13
|
## Requirements
|
|
11
14
|
|
|
12
|
-
- Any framework or none — the loader
|
|
13
|
-
- ESM (`import`)
|
|
14
|
-
- A session token (`cs_*`) minted by your backend with [`@pulsebyshiga/node`](
|
|
15
|
-
secret keys never reach the browser
|
|
15
|
+
- Any framework, or none — the loader has zero runtime dependencies.
|
|
16
|
+
- A modern browser with ES2019 support. Ships an ESM build (`import`) and a script-tag IIFE build.
|
|
17
|
+
- A session token (`cs_*`) minted by your backend with [`@pulsebyshiga/node`](https://www.npmjs.com/package/@pulsebyshiga/node). Your secret key never reaches the browser.
|
|
16
18
|
|
|
17
19
|
## Installation
|
|
18
20
|
|
|
@@ -20,43 +22,51 @@ session token, and order data never enter your DOM. You own the layout, chrome,
|
|
|
20
22
|
npm install @pulsebyshiga/collect-js
|
|
21
23
|
```
|
|
22
24
|
|
|
23
|
-
|
|
25
|
+
No bundler? Load the IIFE build from a script tag — it exposes a global `PulseCollect`:
|
|
24
26
|
|
|
25
27
|
```html
|
|
26
28
|
<script src="https://embed.pulse.shiga.io/v1/collect.iife.js"></script>
|
|
27
29
|
<script>
|
|
28
|
-
|
|
30
|
+
const handle = PulseCollect.mount(document.getElementById('pay'), { sessionToken });
|
|
29
31
|
</script>
|
|
30
32
|
```
|
|
31
33
|
|
|
32
|
-
##
|
|
34
|
+
## Quickstart
|
|
35
|
+
|
|
36
|
+
Mint a single-order session token on your backend, pass it to the browser, and mount:
|
|
33
37
|
|
|
34
38
|
```ts
|
|
35
39
|
import { PulseCollect } from '@pulsebyshiga/collect-js';
|
|
36
40
|
|
|
37
41
|
const handle = PulseCollect.mount(document.getElementById('pay'), {
|
|
38
|
-
sessionToken, // cs_* from your backend
|
|
42
|
+
sessionToken, // cs_* from your backend — never a secret key
|
|
39
43
|
theme: { primaryColor: '#083a9a', fontFamily: 'YourFont, sans-serif' },
|
|
40
|
-
|
|
41
|
-
onSuccess: (orderId) => showFunded(orderId), // UX only — credit off the webhook
|
|
44
|
+
onSuccess: (orderId) => showFunded(orderId), // UX signal only — credit off the webhook
|
|
42
45
|
onError: (code, message) => report(code, message),
|
|
43
46
|
});
|
|
44
47
|
|
|
45
|
-
// later
|
|
48
|
+
// later — on route change, modal close, unmount:
|
|
46
49
|
handle.unmount();
|
|
47
50
|
```
|
|
48
51
|
|
|
49
|
-
By default the
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
52
|
+
By default the embed walks the user through **Select asset → Choose network → Pay**, and
|
|
53
|
+
reports every transition through your callbacks. Pass `flow: "direct"` to skip selection and
|
|
54
|
+
render the single payment view for the asset and network chosen at session creation.
|
|
55
|
+
|
|
56
|
+
## How it works
|
|
57
|
+
|
|
58
|
+
1. Your backend creates a collection session and gets a `cs_*` token ([`@pulsebyshiga/node`](https://www.npmjs.com/package/@pulsebyshiga/node)).
|
|
59
|
+
2. You hand that token to the browser and call `PulseCollect.mount(target, { sessionToken })`.
|
|
60
|
+
3. The loader renders a sandboxed, Pulse-hosted iframe inside `target` and connects a typed `postMessage` bridge.
|
|
61
|
+
4. The user pays inside the iframe; you receive `onReady`, `onStatusChange`, `onSuccess`, and `onError` events.
|
|
62
|
+
5. You credit the user from the signed `disbursement.completed` **webhook** — never from a client-side callback, which can be spoofed.
|
|
53
63
|
|
|
54
64
|
## API
|
|
55
65
|
|
|
56
66
|
### `PulseCollect.mount(target, options) → EmbedHandle`
|
|
57
67
|
|
|
58
68
|
Creates the iframe inside `target` and wires the message bridge. Returns
|
|
59
|
-
`{ iframe, unmount() }`. Throws if `sessionToken` is missing or not a `cs_*` token.
|
|
69
|
+
`{ iframe, unmount() }`. Throws if `sessionToken` is missing or is not a `cs_*` token.
|
|
60
70
|
|
|
61
71
|
### Options
|
|
62
72
|
|
|
@@ -84,13 +94,13 @@ Creates the iframe inside `target` and wires the message bridge. Returns
|
|
|
84
94
|
| `onQuoteRefreshed` | `(lockedUntil)` | A new quote window was locked. |
|
|
85
95
|
| `onError` | `(code, message)` | Load, session, or action failures (e.g. `embed_load_timeout`, `session_load_failed`). |
|
|
86
96
|
|
|
87
|
-
Status values
|
|
97
|
+
**Status values:** `loading`, `awaiting_payment`, `deposit_detected`, `deposit_confirmed`,
|
|
88
98
|
`converting`, `completed`, `underpaid`, `overpaid`, `wrong_chain`, `expired`, `failed`.
|
|
89
99
|
|
|
90
100
|
## Theming
|
|
91
101
|
|
|
92
|
-
|
|
93
|
-
|
|
102
|
+
Every token is optional; unset tokens fall back to your dashboard configuration, then to the
|
|
103
|
+
design defaults.
|
|
94
104
|
|
|
95
105
|
| Token | Applies to |
|
|
96
106
|
| ------------------------------ | ------------------------------------------------------------------------------------ |
|
|
@@ -116,33 +126,36 @@ Override any user-facing string via `strings`: `title`, `subtitle`, `heroLabel`,
|
|
|
116
126
|
|
|
117
127
|
## Server-driven configuration
|
|
118
128
|
|
|
119
|
-
Networks, assets, theme, copy, attribution, and default flow can also be set once in the
|
|
120
|
-
Pulse dashboard (`partner_config`); the embed applies them with no code change. Precedence
|
|
121
|
-
|
|
122
|
-
narrow: a mount cannot re-enable what the dashboard disabled, and the server rejects
|
|
123
|
-
|
|
129
|
+
Networks, assets, theme, copy, attribution, and the default flow can also be set once in the
|
|
130
|
+
Pulse dashboard (`partner_config`); the embed applies them with no code change. Precedence is
|
|
131
|
+
_defaults ← dashboard ← mount options_ — except the network and asset lists, which only ever
|
|
132
|
+
narrow: a mount cannot re-enable what the dashboard disabled, and the server rejects disabled
|
|
133
|
+
values at session creation and re-selection.
|
|
124
134
|
|
|
125
135
|
## Security model
|
|
126
136
|
|
|
127
|
-
- The session token travels in the URL **fragment** — it is never sent to
|
|
128
|
-
|
|
129
|
-
- Messages are accepted only from the embed's origin and window; everything else is ignored.
|
|
137
|
+
- The session token travels in the URL **fragment** — it is never sent to a server in a request line, and never stored in logs.
|
|
138
|
+
- Messages are accepted only from the embed's own origin and window; everything else is ignored.
|
|
130
139
|
- The iframe runs with a least-privilege `sandbox` (no top navigation, no downloads).
|
|
131
|
-
-
|
|
140
|
+
- Your `sk_*` key and any user PII stay on your backend — this package needs neither.
|
|
132
141
|
|
|
133
142
|
## Advanced
|
|
134
143
|
|
|
135
|
-
- **`buildEmbedSrc(options)`** — returns the embed URL
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
144
|
+
- **`buildEmbedSrc(options)`** — returns the embed URL and origin without mounting; used by the React Native wrapper, and handy for Tier B (full-page, `layout=page`) links.
|
|
145
|
+
- **`formatFiat(amount, currency)` / `formatAsset(amount)`** — the embed's own formatters, exported so surrounding partner UI renders amounts identically.
|
|
146
|
+
|
|
147
|
+
## TypeScript
|
|
148
|
+
|
|
149
|
+
Written in TypeScript and ships its own type definitions — `MountOptions`, `EmbedHandle`,
|
|
150
|
+
`EmbedTheme`, `EmbedStrings`, and the status/event unions are all exported. No `@types`
|
|
151
|
+
package needed.
|
|
139
152
|
|
|
140
153
|
## Related packages
|
|
141
154
|
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
155
|
+
- [`@pulsebyshiga/collect-react`](https://www.npmjs.com/package/@pulsebyshiga/collect-react) — React bindings.
|
|
156
|
+
- [`@pulsebyshiga/collect-react-native`](https://www.npmjs.com/package/@pulsebyshiga/collect-react-native) — React Native bindings.
|
|
157
|
+
- [`@pulsebyshiga/node`](https://www.npmjs.com/package/@pulsebyshiga/node) — backend SDK: sessions, orders, and webhook verification.
|
|
145
158
|
|
|
146
159
|
## License
|
|
147
160
|
|
|
148
|
-
|
|
161
|
+
MIT © Shiga Digital
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@pulsebyshiga/collect-js",
|
|
3
|
-
"version": "0.2.
|
|
3
|
+
"version": "0.2.1",
|
|
4
4
|
"description": "Tier A embed loader — mounts Pulse Collect payment components into a partner page via a sandboxed iframe and a typed postMessage bridge",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"author": "Shiga Digital",
|