@vitalii-koshovyi
Contributor

@vitalii-koshovyi vitalii-koshovyi commented Nov 7, 2025

… Worldpay

What/Why?

Skip post messages from wrong sources for the Access Worldpay 3ds check, due to the issue with the React dev tools extension.

Rollout/Rollback

Revert this PR

Testing

Non 3ds

Screen.Recording.2025-11-07.at.16.53.02.mov

3ds frictionless

Screen.Recording.2025-11-07.at.16.56.03.mov

3ds challenged

Screen.Recording.2025-11-07.at.16.59.13.mov

@vitalii-koshovyi vitalii-koshovyi requested a review from a team as a code owner November 7, 2025 13:14
@vitalii-koshovyi vitalii-koshovyi marked this pull request as draft November 7, 2025 13:14
@vitalii-koshovyi vitalii-koshovyi changed the title fix(payment): PI-4517 skim messages from wrong sources for the Access… fix(payment): PI-4517 skip messages from wrong sources for the Access… Nov 7, 2025
@vitalii-koshovyi vitalii-koshovyi marked this pull request as ready for review November 7, 2025 15:03
Comment on lines +73 to +75
const messageEventListener = async (event: MessageEvent) => {
if (event.origin !== 'https://centinelapistag.cardinalcommerce.com') {
return;
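Review bot: The allowed origin on the `if (event.origin !== ...)` line is a hard-coded literal whose hostname (`centinelapistag`) reads like a staging endpoint. If the 3DS messages in production arrive from a different Cardinal origin, this check would drop every one of them and the flow would never complete. Consider taking the expected origin from environment-specific configuration, or from an explicit allow-list of exact origins, and covering the production value with a test. The strict `!==` comparison against the full origin is the right shape and should stay as it is.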

Bug: Promise hangs indefinitely if only wrong-origin MessageEvents are received, due to missing timeout.
Severity: CRITICAL | Confidence: 1.00

🔍 Detailed Analysis

The Promise created within worldpayaccess-payment-strategy.ts at lines 73-75 will never resolve or reject if messageEventListener receives only MessageEvent objects where event.origin does not match 'https://centinelapistag.cardinalcommerce.com'. The if condition at line 75 causes the listener to return early without settling the promise, leading to an indefinite hang. This occurs when non-matching origin messages, such as those from browser extensions, are the only messages received, preventing the legitimate message from the correct origin from ever being processed.

💡 Suggested Fix

Implement a timeout mechanism for the Promise at lines 73-75. This could involve setTimeout with a reject fallback, Promise.race to introduce a timeout, or an AbortController to cancel the listener after a reasonable duration (e.g., 30-60 seconds) if no valid message arrives.


Location:
packages/worldpayaccess-integration/src/worldpayaccess-payment-strategy.ts#L73-L75


Contributor Author


We decided not to add an auto-resolve promise, because it can produce issues with longer responses from Cardinal.

@vitalii-koshovyi vitalii-koshovyi merged commit b4a9a4a into bigcommerce:master Nov 7, 2025
4 checks passed
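
The trade-off discussed in this thread (ignore messages from other origins, settle on the first trusted one, and optionally give up after a caller-chosen timeout) can be sketched as follows. This is an added example, not code from this PR or from the project; `waitForTrustedMessage`, `MessageSource`, `FakeWindow` and the optional `timeoutMs` parameter are hypothetical names, and `FakeWindow` is a constructed stand-in for `window`.

```typescript
// Added example: all names here are hypothetical, not the project's own.
interface MessageLike { origin: string; data: unknown }
type Listener = (event: MessageLike) => void;
interface MessageSource {
    addEventListener(type: 'message', listener: Listener): void;
    removeEventListener(type: 'message', listener: Listener): void;
}

// Resolves with the data of the first message whose origin matches exactly.
// timeoutMs is optional: omit it to wait indefinitely, the behaviour the PR author kept.
function waitForTrustedMessage(source: MessageSource, allowedOrigin: string, timeoutMs?: number): Promise<unknown> {
    return new Promise((resolve, reject) => {
        let timer: ReturnType<typeof setTimeout> | undefined;
        const cleanup = () => {
            source.removeEventListener('message', listener);
            if (timer !== undefined) {
                clearTimeout(timer);
            }
        };
        const listener: Listener = (event) => {
            // Strict equality on the full origin; prefix or substring checks
            // can be satisfied by lookalike hosts.
            if (event.origin !== allowedOrigin) {
                return; // unrelated sender: keep waiting, settle nothing
            }
            cleanup();
            resolve(event.data);
        };
        source.addEventListener('message', listener);
        if (timeoutMs !== undefined) {
            timer = setTimeout(() => {
                cleanup(); // do not leave the listener attached after giving up
                reject(new Error(`no message from ${allowedOrigin} within ${timeoutMs} ms`));
            }, timeoutMs);
        }
    });
}

// Constructed stand-in for `window` so the example runs outside a browser.
class FakeWindow implements MessageSource {
    listeners: Listener[] = [];
    addEventListener(_type: 'message', listener: Listener): void {
        this.listeners.push(listener);
    }
    removeEventListener(_type: 'message', listener: Listener): void {
        this.listeners = this.listeners.filter((l) => l !== listener);
    }
    post(origin: string, data: unknown): void {
        this.listeners.slice().forEach((l) => l({ origin, data }));
    }
}
```

Making the timeout a parameter lets the caller size it against the slowest legitimate response, or leave it out entirely.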