Fix: Handle intent:// deep links in checkout #508

Closed
tuanndpersonal-lab wants to merge 1 commit into Shopify:main from tuanndpersonal-lab:dev/open_banking_app

tuanndpersonal-lab commented Apr 10, 2026

Summary

  • Fixes deep link handling for intent:// scheme URIs in CheckoutEventProcessor
  • Uses Intent.parseUri() with URI_INTENT_SCHEME to properly parse intent://...#Intent;...;end; URIs instead of treating them as plain ACTION_VIEW intents
  • Adds proper error handling with logging for both intent parsing and activity launch failures

Context

The current implementation creates a basic ACTION_VIEW intent for all deep links, which doesn't handle Android's intent:// URI scheme. This scheme is commonly used by payment providers (e.g., open banking apps) to launch specific activities. By using Intent.parseUri(), the SDK can now correctly resolve and launch these intents.

Test plan

  • Verify standard https:// deep links still work correctly
  • Test with intent:// scheme URIs from payment providers (open banking flows)
  • Verify error logging when an unresolvable intent is encountered

🤖 Generated with Claude Code

@tuanndpersonal-lab
Author

I have signed the CLA!

@tuanndpersonal-lab
Author

I have signed the CLA!

@kiftio
Contributor

kiftio commented Apr 10, 2026

Thanks for opening the PR.

Our team has chatted about this, and we have a concern around potentially introducing an intent scheme hijacking vulnerability, where a crafted intent:// URI in checkout could do various things like launch arbitrary private activities, pass arbitrary extras, trigger actions other than ACTION_VIEW, etc.

Some of this could likely be mitigated via using IntentSanitizer to limit actions and categories.

But our thoughts at the moment are that merchants and partners can override onCheckoutLinkClicked() to implement this, calling back to super if needed. Merchants overriding this function would have a little more control to do things like whitelisting the domains for the payment providers they're using (e.g. via allowDataWithAuthority), which it'd be difficult to do centrally in the library for every merchant/provider.

We may revisit that if we see broader demand.
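
One way a merchant's onCheckoutLinkClicked() override could apply the mitigations described in the comment above, as an added example that is not code from this PR or from the SDK. `safeIntentFromCheckoutLink` is a hypothetical helper and the authority and package names are placeholders; `IntentSanitizer` is the androidx.core class.

```kotlin
import android.content.Intent
import android.net.Uri
import androidx.core.content.IntentSanitizer
import java.net.URISyntaxException

// Hypothetical allowlists: replace with the payment providers the merchant actually integrates.
private val ALLOWED_AUTHORITIES = setOf("pay.examplebank.test")
private val ALLOWED_PACKAGES = setOf("test.examplebank.app")

private val sanitizer: IntentSanitizer = IntentSanitizer.Builder()
    .allowAction(Intent.ACTION_VIEW)
    .allowCategory(Intent.CATEGORY_BROWSABLE)
    // build() requires a component policy; explicit components are rejected below instead.
    .allowAnyComponent()
    .apply {
        ALLOWED_AUTHORITIES.forEach { allowDataWithAuthority(it) }
        ALLOWED_PACKAGES.forEach { allowPackage(it) }
    }
    .build()

/** Returns a launchable Intent for an allowlisted intent:// link, or null if it must not be launched. */
fun safeIntentFromCheckoutLink(uri: Uri): Intent? {
    if (uri.scheme != "intent") return null // other schemes keep the default handling
    val parsed = try {
        Intent.parseUri(uri.toString(), Intent.URI_INTENT_SCHEME)
    } catch (e: URISyntaxException) {
        return null
    }
    // The sanitizer accepts a missing package or data URI, so require both here,
    // and refuse explicit components so the link cannot name a specific activity.
    if (parsed.component != null) return null
    val pkg = parsed.getPackage() ?: return null
    if (pkg !in ALLOWED_PACKAGES) return null
    if (parsed.data?.scheme != "https") return null

    return try {
        // No extras, flags or selectors are allowlisted, so an intent carrying any of them is rejected.
        sanitizer.sanitizeByThrowing(parsed).addCategory(Intent.CATEGORY_BROWSABLE)
    } catch (e: SecurityException) {
        null
    }
}
```

A null result means the link falls through to the default handling; the caller still needs to catch ActivityNotFoundException when starting the returned intent.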

@tuanndpersonal-lab
Author

> Thanks for opening the PR.
>
> Our team has chatted about this, and we have a concern around potentially introducing an intent scheme hijacking vulnerability, where a crafted intent:// URI in checkout could do various things like launch arbitrary private activities, pass arbitrary extras, trigger actions other than ACTION_VIEW, etc.
>
> Some of this could likely be mitigated via using IntentSanitizer to limit actions and categories.
>
> But our thoughts at the moment are that merchants and partners can override onCheckoutLinkClicked() to implement this, calling back to super if needed. Merchants overriding this function would have a little more control to do things like whitelisting the domains for the payment providers they're using (e.g. via allowDataWithAuthority), which it'd be difficult to do centrally in the library for every merchant/provider.
>
> We may revisit that if we see broader demand.

Hi, I’m currently using checkout-sheet-kit-react-native. While debugging and implementing a workaround for my specific case, I identified that I now have access to the onCheckoutLinkClicked context. Based on this, I’ve updated the code in the React Native SDK.

You can find the changes here:
Shopify/checkout-sheet-kit-react-native#466

kiftio closed this Apr 17, 2026