mpp-rb 0.1.1 → 0.1.3

data/lib/mpp/server/verify.rb

@@ -15,14 +15,40 @@ module Mpp
       # Verify a payment credential or generate a new challenge.
       #
       # Returns Challenge (payment required) or [Credential, Receipt] (verified).
-      sig { params(authorization: T.nilable(String), intent: T.untyped, request: T::Hash[String, T.untyped], realm: String, secret_key: String, method: T.nilable(String), description: T.nilable(String), meta: T.nilable(T::Hash[String, T.untyped]), expires: T.nilable(String)).returns(T.untyped) }
+      sig { params(authorization: T.nilable(String), intent: T.untyped, request: T::Hash[String, T.untyped], realm: String, secret_key: String, method: T.nilable(String), description: T.nilable(String), meta: T.nilable(T::Hash[String, T.untyped]), expires: T.nilable(String), events: T.nilable(Mpp::Events::Dispatcher), body: T.untyped).returns(T.untyped) }
       def verify_or_challenge(authorization:, intent:, request:, realm:, secret_key:,
-        method: nil, description: nil, meta: nil, expires: nil)
+        method: nil, description: nil, meta: nil, expires: nil, events: nil, body: nil)
         method_name = method || "tempo"
         request = Mpp::Units.transform_units(request)
+        dispatcher = events
+        events_enabled = dispatcher&.has_handlers?
+        method_context = events_enabled ? {name: method_name, intent: intent.name} : nil
 
-        new_challenge = Kernel.lambda {
-          create_challenge(method_name, intent.name, request, realm, secret_key, description, meta, expires)
+        new_challenge = Kernel.lambda { |credential = nil, error = nil, submitted_challenge = nil|
+          challenge = create_challenge(method_name, intent.name, request, realm, secret_key, description, meta, expires, body)
+          if error && dispatcher&.has_handlers?(Mpp::Events::PAYMENT_FAILED)
+            emit_payment_failed(
+              dispatcher: dispatcher,
+              challenge: challenge,
+              credential: credential,
+              error: error,
+              method: T.must(method_context),
+              request: request,
+              retry_challenge: challenge,
+              submitted_challenge: submitted_challenge
+            )
+          end
+          if dispatcher&.has_handlers?(Mpp::Events::CHALLENGE_CREATED)
+            emit_challenge_created(
+              dispatcher: dispatcher,
+              challenge: challenge,
+              credential: credential,
+              error: error,
+              method: T.must(method_context),
+              request: request
+            )
+          end
+          challenge
         }
 
         return new_challenge.call if authorization.nil?
@@ -32,8 +58,8 @@ module Mpp
 
         begin
           credential = Mpp::Credential.from_authorization(payment_scheme)
-        rescue Mpp::ParseError
-          return new_challenge.call
+        rescue Mpp::ParseError => e
+          return new_challenge.call(nil, Mpp::MalformedCredentialError.new(reason: e.message))
         end
 
         # Stateless challenge verification
@@ -41,8 +67,8 @@ module Mpp
         begin
           echo_request = echo.request.empty? ? {} : Mpp::Parsing.b64_decode(echo.request)
           echo_opaque = (echo.opaque && !T.must(echo.opaque).empty?) ? Mpp::Parsing.b64_decode(echo.opaque) : nil
-        rescue Mpp::ParseError
-          return new_challenge.call
+        rescue Mpp::ParseError => e
+          return new_challenge.call(credential, Mpp::MalformedCredentialError.new(reason: e.message), echo)
         end
 
         expected_id = Mpp.generate_challenge_id(
@@ -55,54 +81,120 @@ module Mpp
           digest: echo.digest,
           opaque: echo_opaque
         )
-        return new_challenge.call unless Mpp.secure_compare(echo.id, expected_id)
+        unless Mpp.secure_compare(echo.id, expected_id)
+          return new_challenge.call(
+            credential,
+            Mpp::InvalidChallengeError.new(challenge_id: echo.id, reason: "challenge id mismatch"),
+            echo
+          )
+        end
 
         # Assert echoed fields match server's values
-        return new_challenge.call unless echo.realm == realm && echo.method == method_name && echo.intent == intent.name
+        unless echo.realm == realm && echo.method == method_name && echo.intent == intent.name
+          return new_challenge.call(
+            credential,
+            Mpp::InvalidChallengeError.new(challenge_id: echo.id, reason: "challenge binding mismatch"),
+            echo
+          )
+        end
 
         # Assert echoed request matches server's current request
-        return new_challenge.call unless echo_request == request
+        unless echo_request == request
+          return new_challenge.call(
+            credential,
+            Mpp::InvalidChallengeError.new(challenge_id: echo.id, reason: "request mismatch"),
+            echo
+          )
+        end
 
-        return new_challenge.call unless echo_opaque == meta
+        unless echo_opaque == meta
+          return new_challenge.call(
+            credential,
+            Mpp::InvalidChallengeError.new(challenge_id: echo.id, reason: "metadata mismatch"),
+            echo
+          )
+        end
 
-        # Reject expired challenges as defense-in-depth
-        if echo.expires
-          begin
-            expires_dt = Time.iso8601(T.must(echo.expires).gsub("Z", "+00:00"))
-            return new_challenge.call if expires_dt < Time.now.utc
-          rescue ArgumentError
-            # If we can't parse, continue to stricter check below
-          end
+        unless body_digest_matches?(echo, body)
+          return new_challenge.call(
+            credential,
+            Mpp::InvalidChallengeError.new(challenge_id: echo.id, reason: "body digest mismatch"),
+            echo
+          )
         end
 
         # Verify echoed request parameters match endpoint's expected request
         request.each do |key, value|
-          return new_challenge.call unless echo_request[key] == value
+          unless echo_request[key] == value
+            return new_challenge.call(
+              credential,
+              Mpp::InvalidChallengeError.new(challenge_id: echo.id, reason: "request field #{key} mismatch"),
+              echo
+            )
+          end
         end
 
         # Enforce challenge expiry - fail closed
-        return new_challenge.call unless echo.expires
+        unless echo.expires
+          return new_challenge.call(
+            credential,
+            Mpp::InvalidChallengeError.new(challenge_id: echo.id, reason: "missing expiry"),
+            echo
+          )
+        end
 
         begin
           expires_dt = Time.iso8601(T.must(echo.expires).gsub("Z", "+00:00"))
         rescue ArgumentError
-          return new_challenge.call
+          return new_challenge.call(
+            credential,
+            Mpp::InvalidChallengeError.new(challenge_id: echo.id, reason: "invalid expiry"),
+            echo
+          )
+        end
+        if expires_dt < Time.now.utc
+          return new_challenge.call(credential, Mpp::PaymentExpiredError.new(expires: echo.expires), echo)
         end
-        return new_challenge.call if expires_dt < Time.now.utc
 
-        receipt = intent.verify(credential, request)
+        begin
+          receipt = intent.verify(credential, request)
+        rescue => e
+          if dispatcher&.has_handlers?(Mpp::Events::PAYMENT_FAILED)
+            emit_payment_failed(
+              dispatcher: dispatcher,
+              challenge: echo,
+              credential: credential,
+              error: e,
+              method: T.must(method_context),
+              request: request,
+              submitted_challenge: echo
+            )
+          end
+          Kernel.raise
+        end
+        if dispatcher&.has_handlers?(Mpp::Events::PAYMENT_SUCCESS)
+          emit_payment_success(
+            dispatcher: dispatcher,
+            challenge: echo,
+            credential: credential,
+            method: T.must(method_context),
+            receipt: receipt,
+            request: request
+          )
+        end
         [credential, receipt]
       end
 
-      sig { params(method: String, intent_name: String, request: T::Hash[String, T.untyped], realm: String, secret_key: String, description: T.nilable(String), meta: T.nilable(T::Hash[String, T.untyped]), expires: T.nilable(String)).returns(Mpp::Challenge) }
+      sig { params(method: String, intent_name: String, request: T::Hash[String, T.untyped], realm: String, secret_key: String, description: T.nilable(String), meta: T.nilable(T::Hash[String, T.untyped]), expires: T.nilable(String), body: T.untyped).returns(Mpp::Challenge) }
       def create_challenge(method, intent_name, request, realm, secret_key,
-        description = nil, meta = nil, expires = nil)
+        description = nil, meta = nil, expires = nil, body = nil)
         expires = nil if expires && !expires.is_a?(String)
 
         if expires.nil?
           expires_dt = Time.now.utc + (DEFAULT_EXPIRES_MINUTES * 60)
           expires = expires_dt.strftime("%Y-%m-%dT%H:%M:%S.%LZ")
         end
+        digest = body.nil? ? nil : Mpp::BodyDigest.compute(body)
 
         Mpp::Challenge.create(
           secret_key: secret_key,
@@ -111,11 +203,22 @@ module Mpp
           intent: intent_name,
           request: request,
           expires: expires,
+          digest: digest,
           description: description,
           meta: meta
         )
       end
 
+      sig { params(echo: Mpp::ChallengeEcho, body: T.untyped).returns(T::Boolean) }
+      def body_digest_matches?(echo, body)
+        if body.nil?
+          return echo.digest.nil?
+        end
+        return false unless echo.digest
+
+        Mpp::BodyDigest.verify(T.must(echo.digest), body)
+      end
+
       sig { params(header: String).returns(T.nilable(String)) }
       def extract_payment_scheme(header)
         header.split(",").each do |scheme|
@@ -124,6 +227,49 @@ module Mpp
         end
         nil
       end
+
+      sig { params(dispatcher: T.nilable(Mpp::Events::Dispatcher), challenge: T.untyped, credential: T.untyped, error: T.untyped, method: T::Hash[Symbol, T.untyped], request: T::Hash[String, T.untyped]).void }
+      def emit_challenge_created(dispatcher:, challenge:, credential:, error:, method:, request:)
+        return unless dispatcher&.has_handlers?(Mpp::Events::CHALLENGE_CREATED)
+
+        payload = {
+          challenge: challenge,
+          method: method,
+          request: request
+        }
+        payload[:credential] = credential unless credential.nil?
+        payload[:error] = error unless error.nil?
+        dispatcher.emit(Mpp::Events::CHALLENGE_CREATED, payload)
+      end
+
+      sig { params(dispatcher: Mpp::Events::Dispatcher, challenge: T.untyped, credential: T.untyped, error: T.untyped, method: T::Hash[Symbol, T.untyped], request: T::Hash[String, T.untyped], retry_challenge: T.untyped, submitted_challenge: T.untyped).void }
+      def emit_payment_failed(dispatcher:, challenge:, credential:, error:, method:, request:, retry_challenge: nil, submitted_challenge: nil)
+        return unless dispatcher.has_handlers?(Mpp::Events::PAYMENT_FAILED)
+
+        payload = {
+          challenge: challenge,
+          credential: credential,
+          error: error,
+          method: method,
+          request: request
+        }
+        payload[:retry_challenge] = retry_challenge unless retry_challenge.nil?
+        payload[:submitted_challenge] = submitted_challenge unless submitted_challenge.nil?
+        dispatcher.emit(Mpp::Events::PAYMENT_FAILED, payload)
+      end
+
+      sig { params(dispatcher: Mpp::Events::Dispatcher, challenge: T.untyped, credential: T.untyped, method: T::Hash[Symbol, T.untyped], receipt: T.untyped, request: T::Hash[String, T.untyped]).void }
+      def emit_payment_success(dispatcher:, challenge:, credential:, method:, receipt:, request:)
+        return unless dispatcher.has_handlers?(Mpp::Events::PAYMENT_SUCCESS)
+
+        dispatcher.emit(Mpp::Events::PAYMENT_SUCCESS, {
+          challenge: challenge,
+          credential: credential,
+          method: method,
+          receipt: receipt,
+          request: request
+        })
+      end
     end
   end
 end

data/lib/mpp/version.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Mpp
-  VERSION = "0.1.1"
+  VERSION = "0.1.3"
 end

data/lib/mpp.rb

@@ -19,6 +19,7 @@ module Mpp
   autoload :Json, "mpp/json"
   autoload :BodyDigest, "mpp/body_digest"
   autoload :Expires, "mpp/expires"
+  autoload :Events, "mpp/events"
   autoload :Units, "mpp/units"
   autoload :MemoryStore, "mpp/store"
 
@@ -39,9 +40,9 @@ module Mpp
     autoload :MCP, "mpp/extensions/mcp"
   end
 
-  sig { params(method: T.untyped, realm: T.untyped, secret_key: T.untyped).returns(T.untyped) }
-  def self.create(method:, realm: nil, secret_key: nil)
-    Server::MppHandler.create(method: method, realm: realm, secret_key: secret_key)
+  sig { params(method: T.untyped, realm: T.untyped, secret_key: T.untyped, events: T.nilable(Mpp::Events::Dispatcher)).returns(T.untyped) }
+  def self.create(method:, realm: nil, secret_key: nil, events: nil)
+    Server::MppHandler.create(method: method, realm: realm, secret_key: secret_key, events: events)
   end
 
   # Error hierarchy
@@ -57,6 +58,7 @@ module Mpp
   autoload :PaymentActionRequiredError, "mpp/errors"
   autoload :BadRequestError, "mpp/errors"
   autoload :VerificationError, "mpp/errors"
+  autoload :TransactionPendingError, "mpp/errors"
   autoload :ParseError, "mpp/errors"
   autoload :InsufficientBalanceError, "mpp/errors"
   autoload :InvalidSignatureError, "mpp/errors"

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: mpp-rb
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.3
 platform: ruby
 authors:
 - Stripe
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-04-23 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -26,7 +25,6 @@ dependencies:
         version: '0.3'
 description: Ruby SDK for the Machine Payments Protocol (MPP) — an HTTP 402 Payment
   Authentication scheme.
-email:
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -43,6 +41,7 @@ files:
 - lib/mpp/client/transport.rb
 - lib/mpp/credential.rb
 - lib/mpp/errors.rb
+- lib/mpp/events.rb
 - lib/mpp/expires.rb
 - lib/mpp/extensions/mcp.rb
 - lib/mpp/extensions/mcp/capabilities.rb
@@ -63,6 +62,7 @@ files:
 - lib/mpp/methods/tempo/client_method.rb
 - lib/mpp/methods/tempo/defaults.rb
 - lib/mpp/methods/tempo/fee_payer_envelope.rb
+- lib/mpp/methods/tempo/fee_payer_policy.rb
 - lib/mpp/methods/tempo/intents.rb
 - lib/mpp/methods/tempo/keychain.rb
 - lib/mpp/methods/tempo/proof.rb
@@ -89,7 +89,6 @@ licenses:
 metadata:
   rubygems_mfa_required: 'true'
   source_code_uri: https://github.com/stripe/mpp-rb
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -104,8 +103,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.22
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: HTTP 402 Payment Authentication for Ruby
 test_files: []