diff --git a/CLAUDE.md b/CLAUDE.md index 7c6dd4d..9dfa8aa 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -4,9 +4,9 @@ Guidance for AI assistants working in this repository. ## Project -`@godigitizer/sumit-react` — React component (``), checkout state hook (`useSumitCheckout`), and Next.js route helpers (`createSumitChargeRoute`, `createSumitWebhookRoute`) for SUMIT / OfficeGuy / Upay payments. +`sumit-react` — React component (``), checkout state hook (`useSumitCheckout`), and Next.js route helpers (`createSumitChargeRoute`, `createSumitWebhookRoute`) for SUMIT / OfficeGuy / Upay payments. -Companion package: [`@godigitizer/sumit-api`](https://github.com/Digitizers/sumit-api) (peer dependency). +Companion package: [`sumit-api`](https://github.com/Digitizers/sumit-api) (peer dependency). ## Architecture @@ -34,7 +34,7 @@ This package handles payments. Three rules: 2. **Webhook verification is constant-time AND length-independent.** `verifySumitSharedSecret` hashes both the candidate and the secret to a fixed-length digest before comparing — a length-dependent path leaks the secret's byte-length via response timing. 3. **Tokenization is single-flight.** `` uses a synchronous `useRef` guard so two rapid submits cannot both fire `CreateToken` (a stale-closure on `useState` would let the second slip through). -All payloads forwarded to clients pass through `redactSumitPayload` from `@godigitizer/sumit-api`. +All payloads forwarded to clients pass through `redactSumitPayload` from `sumit-api`. ## Workflow diff --git a/README.md b/README.md index 6ca6d7c..6ad7d8d 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,12 @@ -# @godigitizer/sumit-react +# sumit-react -[![npm](https://img.shields.io/npm/v/@godigitizer/sumit-react.svg)](https://www.npmjs.com/package/@godigitizer/sumit-react) -[![types](https://img.shields.io/npm/types/@godigitizer/sumit-react.svg)](https://www.npmjs.com/package/@godigitizer/sumit-react) -[![license](https://img.shields.io/npm/l/@godigitizer/sumit-react.svg)](LICENSE) +[![npm](https://img.shields.io/npm/v/sumit-react.svg)](https://www.npmjs.com/package/sumit-react) +[![types](https://img.shields.io/npm/types/sumit-react.svg)](https://www.npmjs.com/package/sumit-react) +[![license](https://img.shields.io/npm/l/sumit-react.svg)](LICENSE) [![react](https://img.shields.io/badge/react-%E2%89%A518-61DAFB?logo=react&logoColor=white)](package.json) [![next](https://img.shields.io/badge/next.js-app%20router-000000?logo=next.js&logoColor=white)](https://nextjs.org) -> React components and Next.js route helpers for [SUMIT / OfficeGuy / Upay](https://sumit.co.il) payments. The companion to [`@godigitizer/sumit-api`](https://github.com/Digitizers/sumit-api). +> React components and Next.js route helpers for [SUMIT / OfficeGuy / Upay](https://sumit.co.il) payments. The companion to [`sumit-api`](https://github.com/Digitizers/sumit-api). Ship a working SUMIT checkout flow in a React or Next.js app with two files: a Client Component and a route handler. @@ -38,7 +38,7 @@ Ship a working SUMIT checkout flow in a React or Next.js app with two files: a C ## Install ```bash -pnpm add @godigitizer/sumit-react @godigitizer/sumit-api +pnpm add sumit-react sumit-api ``` `react` (and optionally `next`) are peer dependencies of your app. SUMIT's `payments.js` is loaded from `https://app.sumit.co.il/scripts/payments.js` at runtime. @@ -50,7 +50,7 @@ pnpm add @godigitizer/sumit-react @godigitizer/sumit-api ```tsx "use client"; -import { SumitCheckout, useSumitCheckout } from "@godigitizer/sumit-react/client"; +import { SumitCheckout, useSumitCheckout } from "sumit-react/client"; export function Checkout() { const checkout = useSumitCheckout(); @@ -100,7 +100,7 @@ The component renders the inputs SUMIT expects (`og-ccnum`, `og-expmonth`, `og-e ```ts // app/api/sumit/charge/route.ts -import { createSumitChargeRoute } from "@godigitizer/sumit-react/next"; +import { createSumitChargeRoute } from "sumit-react/next"; export const POST = createSumitChargeRoute({ companyId: Number(process.env.SUMIT_COMPANY_ID), @@ -118,7 +118,7 @@ What the handler does: | Step | Behaviour | | --------- | -------------------------------------------------------------------------------------------------------- | | Validate | Checks the JSON body shape (`singleUseToken`, `customer`, `item`). | -| Build | Calls `buildRecurringChargePayload` from `@godigitizer/sumit-api`. | +| Build | Calls `buildRecurringChargePayload` from `sumit-api`. | | Send | `POST`s to `https://api.sumit.co.il/billing/recurring/charge/`. | | Normalize | Calls `normalizeRecurringChargeResponse`. | | Respond | `200` success, `402` declined, `400` bad input, `502` upstream failure — sensitive fields **redacted**. | @@ -129,7 +129,7 @@ What the handler does: ```ts // app/api/sumit/webhook/route.ts -import { createSumitWebhookRoute, verifySumitSharedSecret } from "@godigitizer/sumit-react/next"; +import { createSumitWebhookRoute, verifySumitSharedSecret } from "sumit-react/next"; export const POST = createSumitWebhookRoute({ verify: verifySumitSharedSecret(process.env.SUMIT_WEBHOOK_SECRET!), @@ -173,14 +173,14 @@ Header verification is preferred because query strings are commonly stored in ac | **Server credential leakage** | The full `apiKey` lives only in `createSumitChargeRoute`; `./client` and `./next` are separate exports so client bundles cannot transitively pull the server secret. | | **Webhook spoofing** | `verifySumitSharedSecret` checks the `x-sumit-secret` header by default and hashes both the candidate and the secret to a fixed 32-byte digest before comparing — the comparison is constant-time **and** length-independent, so response timing leaks neither secret content nor secret length. Query-string secrets are opt-in only because URLs commonly land in logs. | | **Double-submit / token reuse** | `` uses a synchronous ref guard so two rapid submits cannot both fire `CreateToken` (single-use tokens are exactly that — single-use). | -| **Logging sensitive data** | Every event the route helpers return passes through `redactSumitPayload` from `@godigitizer/sumit-api`. | +| **Logging sensitive data** | Every event the route helpers return passes through `redactSumitPayload` from `sumit-api`. | --- ## API surface ```ts -// from @godigitizer/sumit-react/client +// from sumit-react/client SumitCheckout(props): JSX.Element props.companyId, apiPublicKey, environment?, language? props.requireCvv?, requireCitizenId? @@ -190,7 +190,7 @@ useSumitCheckout(): { ref, status, error, token, submit, reset, handleToken, han loadSumitPayments(env?): Promise createSingleUseToken(settings): Promise -// from @godigitizer/sumit-react/next +// from sumit-react/next createSumitChargeRoute(config): (request: Request) => Promise createSumitWebhookRoute(config): (request: Request) => Promise verifySumitSharedSecret(secret, options?): SumitWebhookVerifier @@ -200,7 +200,7 @@ verifySumitSharedSecret(secret, options?): SumitWebhookVerifier ## Local development -This package has `@godigitizer/sumit-api` as a peer dependency. While `sumit-api` is being published to npm, the dev dependency in this repo points at `file:../sumit-api`, so cloning both repos as siblings is the supported local setup: +This package has `sumit-api` as a peer dependency. While `sumit-api` is being published to npm, the dev dependency in this repo points at `file:../sumit-api`, so cloning both repos as siblings is the supported local setup: ```text ~/code/ @@ -217,7 +217,7 @@ pnpm test # vitest run pnpm build # tsc → dist/ ``` -Once `@godigitizer/sumit-api` is published, the dev dependency will switch to a regular semver range and CI will install it from the registry. +Once `sumit-api` is published, the dev dependency will switch to a regular semver range and CI will install it from the registry. --- diff --git a/package.json b/package.json index 932d8f6..a2bf864 100644 --- a/package.json +++ b/package.json @@ -1,5 +1,5 @@ { - "name": "@godigitizer/sumit-react", + "name": "sumit-react", "version": "0.1.1", "description": "React components and Next.js route helpers for SUMIT/OfficeGuy/Upay payments.", "license": "MIT", @@ -48,11 +48,11 @@ "typecheck": "tsc --noEmit" }, "peerDependencies": { - "@godigitizer/sumit-api": ">=0.1.0", + "sumit-api": ">=0.1.0", "react": ">=18.0.0" }, "devDependencies": { - "@godigitizer/sumit-api": "file:../sumit-api", + "sumit-api": "file:../sumit-api", "@testing-library/react": "^16.1.0", "@types/node": "^20.19.35", "@types/react": "^19.0.0", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index c474b01..3580155 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -8,9 +8,6 @@ importers: .: devDependencies: - '@godigitizer/sumit-api': - specifier: file:../sumit-api - version: file:../sumit-api '@testing-library/react': specifier: ^16.1.0 version: 16.3.2(@testing-library/dom@10.4.1)(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5) @@ -29,6 +26,9 @@ importers: react-dom: specifier: ^19.0.0 version: 19.2.5(react@19.2.5) + sumit-api: + specifier: file:../sumit-api + version: file:../sumit-api typescript: specifier: ^5 version: 5.9.3 @@ -59,9 +59,6 @@ packages: '@emnapi/wasi-threads@1.2.1': resolution: {integrity: sha512-uTII7OYF+/Mes/MrcIOYp5yOtSMLBWSIoLPpcgwipoiKbli6k322tcoFsxoIIxPDqW01SQGAgko4EzZi2BNv2w==} - '@godigitizer/sumit-api@file:../sumit-api': - resolution: {directory: ../sumit-api, type: directory} - '@jridgewell/sourcemap-codec@1.5.5': resolution: {integrity: sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==} @@ -455,6 +452,9 @@ packages: std-env@4.1.0: resolution: {integrity: sha512-Rq7ybcX2RuC55r9oaPVEW7/xu3tj8u4GeBYHBWCychFtzMIr86A7e3PPEBPT37sHStKX3+TiX/Fr/ACmJLVlLQ==} + sumit-api@file:../sumit-api: + resolution: {directory: ../sumit-api, type: directory} + tinybench@2.9.0: resolution: {integrity: sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==} @@ -606,8 +606,6 @@ snapshots: tslib: 2.8.1 optional: true - '@godigitizer/sumit-api@file:../sumit-api': {} - '@jridgewell/sourcemap-codec@1.5.5': {} '@napi-rs/wasm-runtime@1.1.4(@emnapi/core@1.10.0)(@emnapi/runtime@1.10.0)': @@ -921,6 +919,8 @@ snapshots: std-env@4.1.0: {} + sumit-api@file:../sumit-api: {} + tinybench@2.9.0: {} tinyexec@1.1.2: {} diff --git a/src/next/createChargeRoute.ts b/src/next/createChargeRoute.ts index f33100e..87d9a7a 100644 --- a/src/next/createChargeRoute.ts +++ b/src/next/createChargeRoute.ts @@ -2,12 +2,12 @@ import { buildRecurringChargePayload, normalizeRecurringChargeResponse, redactSumitPayload, -} from "@godigitizer/sumit-api"; +} from "sumit-api"; import type { BuildRecurringChargePayloadParams, NormalizedSumitEvent, SumitCurrency, -} from "@godigitizer/sumit-api"; +} from "sumit-api"; const DEFAULT_BASE_URL = "https://api.sumit.co.il"; const DEFAULT_PATH = "/billing/recurring/charge/"; diff --git a/src/next/createWebhookRoute.ts b/src/next/createWebhookRoute.ts index 87702a5..7401f7e 100644 --- a/src/next/createWebhookRoute.ts +++ b/src/next/createWebhookRoute.ts @@ -1,5 +1,5 @@ -import { normalizeSumitIncomingPayload, redactSumitPayload } from "@godigitizer/sumit-api"; -import type { NormalizedSumitEvent } from "@godigitizer/sumit-api"; +import { normalizeSumitIncomingPayload, redactSumitPayload } from "sumit-api"; +import type { NormalizedSumitEvent } from "sumit-api"; export type SumitWebhookVerifier = (request: Request) => boolean | Promise;