fix: user gesture fix for trustpay applepay

[ArushKapoorJuspay]

Type of Change

• Bugfix
• New feature
• Enhancement
• Refactoring
• Dependency updates
• Documentation
• CI/CD

Description

Added user gesture handler flow change

How did you test it?

Opened TrustPay ApplePay till the payment sheet is getting opened and confirm call is being made

Checklist

• I ran npm run re:build
• I reviewed submitted code
• I added unit tests for my changes where possible

[semanticdiff-com]

Review changes with  

[github-actions]

🚫 Missing Linked Issue

Hi 👋 This pull request does not appear to be linked to any open issue yet.

Linking your PR to an issue helps keep the project tidy and ensures the issue is closed automatically.

✔️ How to fix this

• Add a keyword like Fixes #123 or Closes #456 to your PR description or a commit message.
• Or link it manually using the "Linked issues" panel in the PR sidebar.

✅ Tip: You can link multiple issues.
🚫 Note: If only one issue is linked, it must be open for this check to pass.

Once linked, this check will pass automatically on your next push or when you re-run the workflow.

Thanks for helping maintainers! 🙌

[XyneSpaces]

Automated Review Summary

This PR fixes the user gesture issue for TrustPay Apple Pay by deferring the /confirm call until onvalidatemerchant. The approach is sound but has some implementation concerns.

🔴 Critical Issues

1. Race Condition in Message Passing

• File: src/hyper-loader/ApplePayInterceptor.res
• Issue: Deferring /confirm until onvalidatemerchant creates a timing window:
  1. Iframe sends APPLE_PAY_BUTTON_CLICKED to parent
  2. Parent creates ApplePaySession synchronously
  3. onvalidatemerchant fires → parent messages iframe → iframe calls /confirm
  4. Risk: If network latency causes /confirm to complete after onpaymentauthorized fires, the payment token may be lost
• Fix: Add a session state machine to track validating → confirmed → authorized transitions and queue the onpaymentauthorized event until confirmation completes.

🟡 Medium Priority Issues

2. Memory Leaks from Event Listeners

• File: src/hyper-loader/ApplePayInterceptor.res (316 lines)
• Issue: Event listeners for message events from parent iframe may not be removed on:
  • Session abortion
  • Component unmount
  • Payment cancellation
• Fix: Ensure cleanup function is exposed and called by Elements.res:

let cleanup = () => {
  Window.removeEventListener("message", messageHandler)
  session->abort()
}

3. CSP Compliance

• Files: src/hyper-loader/ApplePayInterceptor.res, src/hyper-loader/Elements.res
• Issue: postMessage communication between iframe and parent must use specific targetOrigin.
• Fix: Verify:
  • postMessage calls use explicit origin (not *)
  • The SDK verifies event.origin matches expected HYPERSWITCH_CLIENT_URL
• Risk: Wildcard origins violate strict CSP policies merchants may have.

🟢 Low Priority Issues

4. Type Safety in ReScript

• File: src/hyper-loader/ApplePayInterceptor.res
• Issue: Verify proper typing for ApplePaySession constructor arguments and message payloads.
• Fix: Define explicit variant types:

type applePayMessage = 
  | ApplePayButtonClicked
  | ValidateMerchant({validationURL: string})
  | ConfirmRequest({paymentData: JSON.t})

5. Timeout Handling

• File: src/Utilities/ApplePayHelpers.res
• Issue: If /confirm takes > 30 seconds, ApplePaySession will timeout.
• Fix: Ensure error handling calls session.abort() and propagates USER_GESTURE_TIMEOUT error.

6. Feature Flag Gating & State Reset

• File: src/Utilities/PaymentHelpers.res
• Issue: The isTrustpayInterceptorConfirm flag should:
  • Only be true when connector is TrustPay AND Apple Pay flow is active
  • Reset to false after payment completion/failure to prevent state leakage
• Risk: Flag not being reset could affect non-TrustPay Apple Pay flows.

✅ Positive Patterns to Verify

Aspect	Expected Implementation
Cross-browser	typeof window.ApplePaySession !== "undefined" check
Cleanup	session.oncancel handler removes all listeners
Error propagation	postMessage errors bubble to hyper.confirmPayment() rejection

Summary

Severity	Count	Issues
🔴 Critical	1	Race condition in confirm/authorized sequence
🟡 Medium	2	Memory leaks, CSP wildcard origins
🟢 Low	3	Type safety, timeout handling, flag gating

Key Recommendation: The fix correctly addresses the core user gesture issue, but ensure the async /confirm call doesn't race with onpaymentauthorized by implementing a promise queue or state gate.