feat: expose showBillingZIPField config for PCI-sandboxed postal code input (#30)
Snyk checks have passed. No issues have been found so far.
Pull request overview
Adds an SDK-level configuration flag to expose Storm’s PCI-sandboxed postal code field within the credit card input iframe, and wires it through the existing SetConfig bridge message. Also updates the example app and supporting docs/CI labeling.
Changes:
- Add `showBillingZIPField?: boolean` to `CreditCard.useController()` options and include it in the `SetConfig` payload sent on frame initialization.
- Update example app to enable the postal code field for manual verification.
- Add/adjust unit test and update implementation plan + CI workflow job naming.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| src/payments/useCreditCardController.ts | Adds showBillingZIPField option and forwards it via SetConfig. |
| src/__tests__/useCreditCardController.test.ts | Adds a unit test intended to validate showBillingZIPField messaging behavior. |
| example/src/App.tsx | Enables showBillingZIPField: true in the demo Add Card screen. |
| example/ios/Podfile.lock | Updates example iOS pod lockfile for the SDK version bump. |
| IMPLEMENTATION_PLAN.md | Updates plan/status notes for postal code field work and other checklist items. |
| .github/workflows/main-release.yml | Adds a clearer display name for the reusable CI job. |
Pull request overview
Adds a showBillingZIPField option to the Credit Card controller so the Storm iframe can render its PCI-sandboxed postal code field, and includes related bridge/3DS adjustments plus example/test updates.
Changes:
- Expose `showBillingZIPField?: boolean` on `CreditCard.useController()` and forward it via `SetConfig`.
- Update 3DS bridge message handling/payload shapes and add additional message forwarding + navigation allowances for subframes.
- Update unit tests, example app configuration, workflow labeling, and implementation plan docs.
Reviewed changes
Copilot reviewed 9 out of 10 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| src/payments/useCreditCardController.ts | Adds showBillingZIPField option and forwards it in SetConfig on frame init. |
| src/tests/useCreditCardController.test.ts | Adds a test intended to validate showBillingZIPField behavior (currently not exercising hook wiring). |
| example/src/App.tsx | Enables showBillingZIPField: true in the example Add Card screen for manual verification. |
| src/payments/useThreeDSecure.tsx | Adjusts 3DS message parsing and changes outbound message payload shapes. |
| src/tests/useThreeDSecure.test.tsx | Updates tests to match the new 3DS payload/message shapes. |
| src/bridge/injectedBridge.ts | Forwards real DOM message events to captured listeners (sub-iframe support). |
| src/bridge/BoltPaymentWebView.tsx | Allows sub-frame navigations; keeps top-frame navigation restricted (but see comment re: isTopFrame). |
| .github/workflows/main-release.yml | Adds a job display name for the reusable CI workflow. |
| example/ios/Podfile.lock | Bumps example pod lock to BoltReactNativeSdk (0.2.0). |
| IMPLEMENTATION_PLAN.md | Updates plan/status notes, including postal-code phase documentation. |
Description
Adds a `showBillingZIPField` config option to `CreditCard.useController()` that enables Storm's existing PCI-sandboxed postal code field inside the credit card input iframe. When enabled, the SDK sends the flag in the `SetConfig` message on `FrameInitialized`, causing Storm's iframe to render `CardPostalField` alongside the card fields. Also restructures the 3DS message payloads (`FetchReferenceID` and `TriggerAuthWithConfig`) to nest credit card and config data under dedicated sub-objects, matching Storm's expected message shapes. Fixes sub-iframe navigation handling in the WebView (Cardinal Commerce DDC, 3DS step-up challenges) and adds a forwarding mechanism in the injected bridge so real DOM `postMessage` events from sub-iframes reach captured listeners. Includes minor CI workflow labeling and implementation plan updates.
Testing
- `useCreditCardController.test.ts` verifies that `SetConfig` carries `showBillingZIPField: true` when configured.
- `useThreeDSecure.test.tsx` covers the restructured `FetchReferenceID` payload (nested `creditCard` object), `TriggerAuthWithConfig` (nested `config` object), `VerificationIDResult` using `success` field instead of `referenceID`, and a new test for `Result` error propagation when the DDC JWT call fails (error code 1010).
- `showBillingZIPField: true` for manual verification on device.
Security Review
Important
A security review is required for every PR in this repository to comply with PCI requirements.
Security Impact Summary
This PR deliberately keeps postal code collection inside the PCI-sandboxed iframe, consistent with Storm's existing architecture. The `showBillingZIPField` flag is passed via the existing `SetConfig` message channel — no new network calls, storage, or data pathways are introduced. The sub-iframe navigation change (`BoltPaymentWebView.tsx`) allows non-top-frame navigations (e.g., Cardinal Commerce DDC form submissions, 3DS step-up challenges) while continuing to restrict top-level navigation to the Bolt domain. The injected bridge forwarding only passes through non-bridge DOM events to captured listeners — bridge envelopes are explicitly skipped. The 3DS message restructuring is a shape change only (nesting fields under `creditCard` and `config` keys); no new data is sent. The example app's publishable key was swapped to a 3DS-enabled staging key for testing purposes.