Skip to content

fix(apple-pay): forward last4 and network in webview onComplete#101

Merged
SanthoshCharanBolt merged 1 commit into
mainfrom
SanthoshCharan/apple-pay-webview-last4-network
Jul 3, 2026
Merged

fix(apple-pay): forward last4 and network in webview onComplete#101
SanthoshCharanBolt merged 1 commit into
mainfrom
SanthoshCharan/apple-pay-webview-last4-network

Conversation

@SanthoshCharanBolt

@SanthoshCharanBolt SanthoshCharanBolt commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Description

ApplePayWebView's add-card-from-apple-wallet iframe already returns last4 and network on the tokenized card (AddCardFromAppleWalletSuccess.tokenTokenizeApplePayResult { token, expiry, last4, bin, network }), but ApplePayWebView.tsx only read bin and expiration out of that payload when building the ApplePayResult handed to the merchant's onComplete callback. last4 and network were silently dropped instead of being forwarded.

This only affects Apple Pay in webview mode. Native mode is unaffected — Apple's decrypted PassKit payload never contains last4 at the source (see #64), so there's nothing to forward there. Webview mode goes through Bolt's own tokenizer/iframe, which already computes last4, so the fix is purely to stop dropping it on the RN SDK side.

Changes:

  • ApplePayResult gains an optional last4 field (webview-only; documented as such).
  • ApplePayWebView.tsx now forwards last4 and network from the iframe's success message.
  • Updated ApplePayWebView.test.tsx to assert the new fields are forwarded.

Testing

  • Updated the existing envelope-unwrapping unit test to include last4/network in the mock iframe message and assert they reach onComplete.
  • Not yet run locally in this environment — please run the full suite (ApplePayWebView.test.tsx, ApplePay.test.tsx, WalletTypes.test.ts) plus typecheck/lint in CI before merging.
  • Opened as draft pending review and CI.

Security Review

Important

A security review is required for every PR in this repository to comply with PCI requirements.

  • I have considered and reviewed security implications of this PR and included the summary below.

Security Impact Summary

this PR forwards additional cardholder metadata (last4, network) that Bolt's tokenizer already computes and already sends to the RN app over the existing bridge channel; no new data is collected, transmitted, or stored, only an existing field is no longer dropped before reaching the merchant callback.

…mplete

The add-card-from-apple-wallet iframe already includes last4 and network
in its addCardFromApplePaySuccess token payload, but ApplePayWebView only
picked out bin/expiration when building the ApplePayResult passed to the
merchant's onComplete callback, silently dropping the rest.
@snyk-io

snyk-io Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes Apple Pay webview mode callback payload forwarding by ensuring card metadata (last4, network) produced by the tokenizer iframe is not dropped before invoking the merchant onComplete callback.

Changes:

  • Extend ApplePayResult with an optional last4 field (documented as webview-only).
  • Forward last4 and network from the iframe success message in ApplePayWebView.
  • Update the existing ApplePayWebView envelope-unwrapping unit test to assert the new fields are forwarded.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
src/payments/types.ts Adds optional last4 to ApplePayResult with webview-only documentation.
src/payments/ApplePayWebView.tsx Forwards last4/network from the iframe success payload into the onComplete result.
src/tests/ApplePayWebView.test.tsx Updates the success-envelope test to include/expect last4 and network.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/payments/ApplePayWebView.tsx
@SanthoshCharanBolt SanthoshCharanBolt marked this pull request as ready for review July 3, 2026 08:02
@SanthoshCharanBolt SanthoshCharanBolt requested a review from a team as a code owner July 3, 2026 08:02
@SanthoshCharanBolt SanthoshCharanBolt merged commit 9f4e77d into main Jul 3, 2026
8 of 11 checks passed
@SanthoshCharanBolt SanthoshCharanBolt deleted the SanthoshCharan/apple-pay-webview-last4-network branch July 3, 2026 08:30
SanthoshCharanBolt added a commit that referenced this pull request Jul 8, 2026
### Description

Follow-up to #101 (already merged), which forwards `last4`/`network`
from the Apple Pay webview iframe to the merchant's `onComplete`
callback. The README's documented `ApplePayResult` shape was stale — it
never listed `network` (added in an earlier PR) and didn't get updated
for `last4` in #101, so the public docs undersold what the SDK actually
returns.

Changes:
- `ApplePayResult` type reference now lists `last4?` and `network?`,
with a note that `last4` is webview-mode only (native mode's decrypted
PassKit payload never carries it).
- Updated the `ApplePay` props table's `onComplete` description to
match.

### Testing

Docs-only change, no code touched.

### Security Review

> [!IMPORTANT]
> A security review is required for every PR in this repository to
comply with PCI requirements.

- [x] I have considered and reviewed security implications of this PR
and included the summary below.

#### Security Impact Summary

Docs-only change — no code, data handling, or security-relevant behavior
touched.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants