fix(android): fix Google Pay crash — Activity context and ActivityEventListener (#49)

### Description

Fix two bugs that caused Google Pay to crash and a third that sent the
wrong auth header when fetching the Bolt APM config.

**1. `PaymentsClient` created with wrong context
(`GooglePayModule.kt`)**
`Wallet.getPaymentsClient()` was called with `reactApplicationContext`
(the Application context). The Google Pay SDK needs an `Activity`
context to attach the payment sheet to a window — hence `Tried to show
an alert while not attached to an Activity`.

**2. `onActivityResult` never received (`GooglePayModule.kt`)**
`GooglePayModule` never registered as an `ActivityEventListener`, so the
result from the Google Pay sheet was silently swallowed and the pending
`Promise` would hang forever. The module now implements
`ActivityEventListener` and registers itself in `init{}` — no changes to
`MainActivity` required.

**3. Wrong header when fetching APM config (`GoogleWallet.tsx`)**
The `fetchGooglePayAPMConfig` request used `merchant_token` as the
header name instead of the correct `x-publishable-key`, causing the
config fetch to fail before the payment sheet could even be shown.

### Testing

- [ ] Tap Google Pay button on Android — payment sheet opens without
crash
- [ ] Complete a Google Pay payment — `onComplete` callback fires with
token + billing address
- [ ] Cancel/dismiss the Google Pay sheet — `onError` callback fires
with `CANCELLED`
- [ ] Cold-start the app and tap Google Pay immediately — no
`NO_ACTIVITY` rejection

### Security Review

> [!IMPORTANT]
> A security review is required for every PR in this repository to
comply with PCI requirements.

- [x] I have considered and reviewed security implications of this PR
and included the summary below.

#### Security Impact Summary

No new data flows or secrets introduced. The `x-publishable-key` header
fix corrects which key is sent to the Bolt APM config endpoint — the key
itself was already present in the original code, just under the wrong
header name. The Activity context change only affects where Google Pay's
system UI is anchored; no payment data handling is altered.

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: RhysAtBolt

android/src/main/java/com/boltreactnativesdk/GooglePayModule.kt

@@ -1,6 +1,8 @@
 package com.boltreactnativesdk
 
 import android.app.Activity
+import android.content.Intent
+import com.facebook.react.bridge.ActivityEventListener
 import com.facebook.react.bridge.Promise
 import com.facebook.react.bridge.ReactApplicationContext
 import com.facebook.react.bridge.ReactContextBaseJavaModule
@@ -27,7 +29,12 @@ import java.net.URL
  * and passed down in the config JSON.
  */
 class GooglePayModule(reactContext: ReactApplicationContext) :
-    ReactContextBaseJavaModule(reactContext) {
+    ReactContextBaseJavaModule(reactContext),
+    ActivityEventListener {
+
+    init {
+        reactContext.addActivityEventListener(this)
+    }
 
     companion object {
         const val NAME = "BoltGooglePay"
@@ -36,26 +43,48 @@ class GooglePayModule(reactContext: ReactApplicationContext) :
 
     override fun getName(): String = NAME
 
-    private var paymentsClient: PaymentsClient? = null
     private var pendingPromise: Promise? = null
     private var pendingPublishableKey: String = ""
     private var pendingBaseUrl: String = ""
 
-    private fun getPaymentsClient(): PaymentsClient {
-        if (paymentsClient == null) {
-            val walletOptions = Wallet.WalletOptions.Builder()
-                .setEnvironment(WalletConstants.ENVIRONMENT_TEST)
-                .build()
-            paymentsClient = Wallet.getPaymentsClient(reactApplicationContext, walletOptions)
+    private fun getPaymentsClient(activity: Activity, walletEnv: Int): PaymentsClient {
+        val walletOptions = Wallet.WalletOptions.Builder()
+            .setEnvironment(walletEnv)
+            .build()
+        return Wallet.getPaymentsClient(activity, walletOptions)
+    }
+
+    /**
+     * Maps the JS-side googlePayEnvironment string ("PRODUCTION" | "TEST") to
+     * the matching WalletConstants value. Defaults to ENVIRONMENT_TEST so that
+     * staging / sandbox traffic never hits the production Google Pay endpoint.
+     */
+    private fun walletEnvFromConfig(configJson: String): Int {
+        return try {
+            if (JSONObject(configJson).optString("googlePayEnvironment") == "PRODUCTION")
+                WalletConstants.ENVIRONMENT_PRODUCTION
+            else
+                WalletConstants.ENVIRONMENT_TEST
+        } catch (e: Exception) {
+            WalletConstants.ENVIRONMENT_TEST
         }
-        return paymentsClient!!
+    }
+
+    override fun invalidate() {
+        reactApplicationContext.removeActivityEventListener(this)
+        super.invalidate()
     }
 
     @ReactMethod
     fun isReadyToPay(configJson: String, promise: Promise) {
+        val activity = reactApplicationContext.currentActivity
+        if (activity == null) {
+            promise.resolve(false)
+            return
+        }
         try {
             val isReadyToPayRequest = IsReadyToPayRequest.fromJson(buildIsReadyToPayRequest().toString())
-            getPaymentsClient().isReadyToPay(isReadyToPayRequest)
+            getPaymentsClient(activity, walletEnvFromConfig(configJson)).isReadyToPay(isReadyToPayRequest)
                 .addOnCompleteListener { task ->
                     promise.resolve(task.isSuccessful && task.result == true)
                 }
@@ -77,12 +106,15 @@ class GooglePayModule(reactContext: ReactApplicationContext) :
 
             val activity = reactApplicationContext.currentActivity
             if (activity == null) {
+                pendingPromise = null
+                pendingPublishableKey = ""
+                pendingBaseUrl = ""
                 promise.reject("NO_ACTIVITY", "No current activity")
                 return
             }
 
             AutoResolveHelper.resolveTask(
-                getPaymentsClient().loadPaymentData(request),
+                getPaymentsClient(activity, walletEnvFromConfig(configJson)).loadPaymentData(request),
                 activity,
                 LOAD_PAYMENT_DATA_REQUEST_CODE
             )
@@ -91,11 +123,20 @@ class GooglePayModule(reactContext: ReactApplicationContext) :
         }
     }
 
+    // ActivityEventListener — receives onActivityResult forwarded by React Native
+    override fun onActivityResult(activity: Activity, requestCode: Int, resultCode: Int, data: Intent?) {
+        if (requestCode == LOAD_PAYMENT_DATA_REQUEST_CODE) {
+            val paymentData = data?.let { PaymentData.getFromIntent(it) }
+            handlePaymentResult(resultCode, paymentData)
+        }
+    }
+
+    override fun onNewIntent(intent: Intent) {}
+
     /**
-     * Called from the Activity's onActivityResult.
      * Processes the Google Pay payment data and tokenizes via Bolt.
      */
-    fun handlePaymentResult(resultCode: Int, paymentData: PaymentData?) {
+    private fun handlePaymentResult(resultCode: Int, paymentData: PaymentData?) {
         val promise = pendingPromise ?: return
         pendingPromise = null
 

src/__tests__/CreditCard.test.tsx

@@ -73,6 +73,11 @@ describe('Bolt', () => {
     bolt.configureOnPageStyles(newStyles);
     expect(bolt.getOnPageStyles()).toEqual(newStyles);
   });
+
+  it('should return X-Publishable-Key header from apiHeaders()', () => {
+    const bolt = new Bolt({ publishableKey: 'pk_test_abc' });
+    expect(bolt.apiHeaders()).toEqual({ 'X-Publishable-Key': 'pk_test_abc' });
+  });
 });
 
 describe('CreditCard', () => {

src/__tests__/GoogleWallet.test.tsx

@@ -1,5 +1,6 @@
 import { Platform } from 'react-native';
 import type { GooglePayConfig, GooglePayButtonType } from '../payments/types';
+import { fetchGooglePayAPMConfig } from '../payments/googlePayApi';
 
 /**
  * Tests for the GoogleWallet component logic.
@@ -34,8 +35,10 @@ jest.mock('../native/NativeGooglePayButton', () => ({
 jest.mock('../client/useBolt', () => ({
   useBolt: () => ({
     publishableKey: 'pk_test_123',
+    environment: 'production' as const,
     baseUrl: 'https://connect.bolt.com',
     apiUrl: 'https://api.bolt.com',
+    apiHeaders: () => ({ 'X-Publishable-Key': 'pk_test_123' }),
   }),
 }));
 
@@ -199,3 +202,45 @@ describe('GoogleWallet', () => {
     });
   });
 });
+
+describe('fetchGooglePayAPMConfig', () => {
+  let mockFetch: jest.Mock;
+
+  beforeEach(() => {
+    mockFetch = jest.fn();
+    global.fetch = mockFetch;
+  });
+
+  it('sends the provided headers to the APM config endpoint', async () => {
+    mockFetch.mockResolvedValue({
+      ok: true,
+      json: () => Promise.resolve(mockAPMConfig),
+    });
+
+    await fetchGooglePayAPMConfig('https://api.bolt.com', {
+      'X-Publishable-Key': 'pk_test_abc',
+    });
+
+    expect(mockFetch).toHaveBeenCalledWith(
+      'https://api.bolt.com/v1/apm_config/googlepay',
+      expect.objectContaining({
+        method: 'GET',
+        headers: { 'X-Publishable-Key': 'pk_test_abc' },
+      })
+    );
+  });
+
+  it('throws when the response is not ok', async () => {
+    mockFetch.mockResolvedValue({
+      ok: false,
+      status: 401,
+      statusText: 'Unauthorized',
+    });
+
+    await expect(
+      fetchGooglePayAPMConfig('https://api.bolt.com', {
+        'X-Publishable-Key': 'bad_key',
+      })
+    ).rejects.toThrow('Failed to fetch Google Pay config: 401 Unauthorized');
+  });
+});

src/client/Bolt.ts

@@ -22,6 +22,7 @@ const API_URLS: Record<string, string> = {
 
 export class Bolt {
   public readonly publishableKey: string;
+  public readonly environment: 'production' | 'sandbox' | 'staging';
   public readonly baseUrl: string;
   public readonly apiUrl: string;
   public readonly language: string;
@@ -34,6 +35,7 @@ export class Bolt {
 
     const env = config.environment ?? 'production';
     this.publishableKey = config.publishableKey;
+    this.environment = env;
     this.baseUrl = ENVIRONMENT_URLS[env] ?? ENVIRONMENT_URLS.production!;
     this.apiUrl = API_URLS[env] ?? API_URLS.production!;
     this.language = config.language ?? 'en';
@@ -52,4 +54,14 @@ export class Bolt {
   getOnPageStyles(): Styles | undefined {
     return this.onPageStyles;
   }
+
+  /**
+   * Returns the standard HTTP headers required for Bolt REST API calls.
+   * Centralised here so every API caller uses a consistent header name.
+   */
+  apiHeaders(): Record<string, string> {
+    return {
+      'X-Publishable-Key': this.publishableKey,
+    };
+  }
 }

src/payments/GoogleWallet.tsx

@@ -12,6 +12,9 @@ import type {
 } from './types';
 import { startSpan, SpanStatusCode } from '../telemetry/tracer';
 import { BoltAttributes } from '../telemetry/attributes';
+import { fetchGooglePayAPMConfig } from './googlePayApi';
+
+export { fetchGooglePayAPMConfig };
 
 // Conditional require: Metro inlines Platform.OS and eliminates the dead branch at bundle
 // time, so NativeGooglePayButton (which calls codegenNativeComponent) is never loaded on
@@ -32,31 +35,6 @@ export interface GoogleWalletProps {
   borderRadius?: number;
 }
 
-/**
- * Fetch Google Pay configuration from Bolt's API.
- * The config includes tokenization spec, merchant ID, and merchant name
- * so the developer doesn't need to provide them.
- */
-const fetchGooglePayAPMConfig = async (
-  apiUrl: string,
-  publishableKey: string
-): Promise<GooglePayAPMConfigResponse> => {
-  const response = await fetch(`${apiUrl}/v1/apm_config/googlepay`, {
-    method: 'GET',
-    headers: {
-      merchant_token: publishableKey,
-    },
-  });
-
-  if (!response.ok) {
-    throw new Error(
-      `Failed to fetch Google Pay config: ${response.status} ${response.statusText}`
-    );
-  }
-
-  return response.json();
-};
-
 /**
  * <GoogleWallet /> — renders a native Google Pay button that triggers the
  * native PaymentsClient payment sheet via the BoltGooglePay TurboModule.
@@ -82,7 +60,7 @@ export const GoogleWallet = ({
   useEffect(() => {
     if (Platform.OS !== 'android') return;
 
-    fetchGooglePayAPMConfig(bolt.apiUrl, bolt.publishableKey)
+    fetchGooglePayAPMConfig(bolt.apiUrl, bolt.apiHeaders())
       .then(setApmConfigResponse)
       .catch((err) => {
         onError?.(
@@ -91,7 +69,7 @@ export const GoogleWallet = ({
             : new Error('Failed to fetch Google Pay config')
         );
       });
-  }, [bolt.apiUrl, bolt.publishableKey, onError]);
+  }, [bolt, onError]);
 
   // Check Google Pay readiness once we have the APM config
   useEffect(() => {
@@ -102,12 +80,13 @@ export const GoogleWallet = ({
 
     const nativeConfig = buildNativeConfig(
       config,
-      apmConfigResponse.bolt_config
+      apmConfigResponse.bolt_config,
+      bolt.environment
     );
     NativeGooglePay.isReadyToPay(JSON.stringify(nativeConfig))
       .then(setAvailable)
       .catch(() => setAvailable(false));
-  }, [config, apmConfigResponse]);
+  }, [config, apmConfigResponse, bolt.environment]);
 
   const handlePress = useCallback(async () => {
     if (!NativeGooglePay || !apmConfigResponse) {
@@ -123,7 +102,8 @@ export const GoogleWallet = ({
     try {
       const nativeConfig = buildNativeConfig(
         config,
-        apmConfigResponse.bolt_config
+        apmConfigResponse.bolt_config,
+        bolt.environment
       );
       const resultJson = await NativeGooglePay.requestPayment(
         JSON.stringify(nativeConfig),
@@ -166,7 +146,8 @@ export const GoogleWallet = ({
  */
 const buildNativeConfig = (
   config: GooglePayConfig,
-  apmConfig: GooglePayAPMConfig
+  apmConfig: GooglePayAPMConfig,
+  environment: 'production' | 'sandbox' | 'staging'
 ) => {
   return {
     // From Bolt API
@@ -181,5 +162,7 @@ const buildNativeConfig = (
     totalPriceLabel: config.label,
     billingAddressFormat:
       config.billingAddressCollectionFormat === 'none' ? 'NONE' : 'FULL',
+    // Tells the native module which Google Pay environment to use
+    googlePayEnvironment: environment === 'production' ? 'PRODUCTION' : 'TEST',
   };
 };

src/payments/googlePayApi.ts

@@ -0,0 +1,27 @@
+import type { GooglePayAPMConfigResponse } from './types';
+
+/**
+ * Fetch Google Pay configuration from Bolt's API.
+ * The config includes tokenization spec, merchant ID, and merchant name
+ * so the developer doesn't need to provide them.
+ *
+ * Extracted into its own module so it can be imported and tested independently
+ * of the platform-specific GoogleWallet component files.
+ */
+export const fetchGooglePayAPMConfig = async (
+  apiUrl: string,
+  headers: Record<string, string>
+): Promise<GooglePayAPMConfigResponse> => {
+  const response = await fetch(`${apiUrl}/v1/apm_config/googlepay`, {
+    method: 'GET',
+    headers,
+  });
+
+  if (!response.ok) {
+    throw new Error(
+      `Failed to fetch Google Pay config: ${response.status} ${response.statusText}`
+    );
+  }
+
+  return response.json();
+};