@pay-skill/sdk 0.1.8 → 0.2.0

package/tests/test_auth_rejection.ts

@@ -1,154 +1,102 @@
-/**
- * Auth rejection tests — proves that:
- * 1. Requests without auth headers are rejected with 401
- * 2. Requests with invalid/wrong signatures are rejected with 401
- * 3. The SDK surfaces auth errors as PayServerError with correct statusCode
- */
-
-import { describe, it, beforeEach, afterEach } from "node:test";
-import assert from "node:assert/strict";
-import { createServer, type Server, type IncomingMessage, type ServerResponse } from "node:http";
-import { once } from "node:events";
-
-import { PayClient, PayServerError, CallbackSigner, RawKeySigner } from "../src/index.js";
-import type { Hex, Address } from "viem";
-
-const ANVIL_PK =
-  "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80" as Hex;
-const WRONG_PK =
-  "0x59c6995e998f97a5a0044966f0945389dc9e86dae88c7a8412f4603b6b78690d" as Hex;
-
-const TEST_ROUTER = "0x5FbDB2315678afecb367f032d93F642f64180aa3" as Address;
-const TEST_CHAIN_ID = 8453;
-const VALID_ADDR = "0x" + "a1".repeat(20);
-
-/**
- * Minimal HTTP server that enforces X-Pay-* auth headers.
- * Returns 401 if any required header is missing, 200 otherwise.
- */
-function createAuthServer(): Server {
-  return createServer((req: IncomingMessage, res: ServerResponse) => {
-    const agent = req.headers["x-pay-agent"];
-    const sig = req.headers["x-pay-signature"];
-    const ts = req.headers["x-pay-timestamp"];
-    const nonce = req.headers["x-pay-nonce"];
-
-    if (!agent || !sig || !ts || !nonce) {
-      res.writeHead(401, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: "Missing auth headers" }));
-      return;
-    }
-
-    // Check that sig looks like a real 65-byte hex signature
-    const sigStr = Array.isArray(sig) ? sig[0] : sig;
-    if (!sigStr.startsWith("0x") || sigStr.length !== 132) {
-      res.writeHead(401, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: "Invalid signature format" }));
-      return;
-    }
-
-    // Check that sig is not all zeros (stub detection)
-    if (sigStr === "0x" + "0".repeat(130)) {
-      res.writeHead(401, { "Content-Type": "application/json" });
-      res.end(JSON.stringify({ error: "Stub signature rejected" }));
-      return;
-    }
-
-    // Auth passed — return mock data
-    res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(
-      JSON.stringify({
-        address: agent,
-        balance: 100_000_000,
-        open_tabs: [],
-      })
-    );
-  });
-}
-
-let server: Server;
-let baseUrl: string;
-
-describe("Auth rejection", () => {
-  beforeEach(async () => {
-    server = createAuthServer();
-    server.listen(0); // random port
-    await once(server, "listening");
-    const addr = server.address();
-    if (typeof addr === "object" && addr) {
-      baseUrl = `http://127.0.0.1:${addr.port}`;
-    }
-  });
-
-  afterEach(async () => {
-    server.close();
-    await once(server, "close");
-  });
-
-  it("rejects request without auth headers (no private key configured)", async () => {
-    // Client with no auth config — sends no X-Pay-* headers
-    const client = new PayClient({
-      apiUrl: baseUrl,
-      signer: new CallbackSigner((_h: Uint8Array) => new Uint8Array(65)),
-    });
-
-    await assert.rejects(
-      () => client.getStatus(),
-      (err: unknown) => {
-        assert.ok(err instanceof PayServerError);
-        assert.equal(err.statusCode, 401);
-        assert.ok(err.message.includes("Missing auth headers"));
-        return true;
-      }
-    );
-  });
-
-  it("rejects request with stub signer (all-zero signature)", async () => {
-    // Client with a stub signer that returns zeros — server should reject
-    const client = new PayClient({
-      apiUrl: baseUrl,
-      signer: new CallbackSigner((_h: Uint8Array) => new Uint8Array(65)),
-      chainId: TEST_CHAIN_ID,
-      routerAddress: TEST_ROUTER,
-    });
-
-    await assert.rejects(
-      () => client.getStatus(),
-      (err: unknown) => {
-        assert.ok(err instanceof PayServerError);
-        assert.equal(err.statusCode, 401);
-        return true;
-      }
-    );
-  });
-
-  it("accepts request with valid auth headers (real signing)", async () => {
-    const client = new PayClient({
-      apiUrl: baseUrl,
-      privateKey: ANVIL_PK,
-      chainId: TEST_CHAIN_ID,
-      routerAddress: TEST_ROUTER,
-    });
-
-    // Should NOT throw — server accepts valid auth
-    const status = await client.getStatus();
-    assert.ok(status.balance >= 0);
-  });
-
-  it("PayServerError has statusCode 401 for auth failures", async () => {
-    // Directly verify error structure
-    const client = new PayClient({
-      apiUrl: baseUrl,
-      signer: new CallbackSigner((_h: Uint8Array) => new Uint8Array(65)),
-    });
-
-    try {
-      await client.getStatus();
-      assert.fail("Should have thrown PayServerError");
-    } catch (err) {
-      assert.ok(err instanceof PayServerError, "must be PayServerError");
-      assert.equal(err.statusCode, 401, "statusCode must be 401");
-      assert.equal(err.code, "server_error");
-    }
-  });
-});
+/**
+ * Auth rejection tests — proves that the Wallet sends valid auth headers
+ * and that servers can reject invalid auth.
+ */
+
+import { describe, it, beforeEach, afterEach } from "node:test";
+import assert from "node:assert/strict";
+import {
+  createServer,
+  type Server,
+  type IncomingMessage,
+  type ServerResponse,
+} from "node:http";
+import { once } from "node:events";
+import type { Hex, Address } from "viem";
+import { Wallet, PayServerError } from "../src/index.js";
+
+const ANVIL_PK =
+  "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80" as Hex;
+
+/**
+ * Minimal HTTP server that enforces X-Pay-* auth headers.
+ * /contracts is public (no auth).
+ * Everything else requires valid auth headers.
+ */
+function createAuthServer(): Server {
+  return createServer((req: IncomingMessage, res: ServerResponse) => {
+    // /contracts is public
+    if (req.url?.endsWith("/contracts")) {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          router: "0x5FbDB2315678afecb367f032d93F642f64180aa3",
+          tab: "0x" + "bb".repeat(20),
+          direct: "0x" + "cc".repeat(20),
+          fee: "0x" + "dd".repeat(20),
+          usdc: "0x" + "ee".repeat(20),
+          chain_id: 8453,
+        }),
+      );
+      return;
+    }
+
+    const agent = req.headers["x-pay-agent"];
+    const sig = req.headers["x-pay-signature"];
+    const ts = req.headers["x-pay-timestamp"];
+    const nonce = req.headers["x-pay-nonce"];
+
+    if (!agent || !sig || !ts || !nonce) {
+      res.writeHead(401, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Missing auth headers" }));
+      return;
+    }
+
+    const sigStr = Array.isArray(sig) ? sig[0] : sig;
+    if (!sigStr.startsWith("0x") || sigStr.length !== 132) {
+      res.writeHead(401, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Invalid signature format" }));
+      return;
+    }
+
+    // Auth passed
+    res.writeHead(200, { "Content-Type": "application/json" });
+    res.end(
+      JSON.stringify({
+        wallet: agent,
+        balance_usdc: "100000000",
+        open_tabs: 0,
+        total_locked: 0,
+      }),
+    );
+  });
+}
+
+let server: Server;
+let baseUrl: string;
+
+describe("Auth with new Wallet class", () => {
+  beforeEach(async () => {
+    server = createAuthServer();
+    server.listen(0);
+    await once(server, "listening");
+    const addr = server.address();
+    if (typeof addr === "object" && addr) {
+      baseUrl = `http://127.0.0.1:${addr.port}/api/v1`;
+    }
+  });
+
+  afterEach(async () => {
+    server.close();
+    await once(server, "close");
+  });
+
+  it("Wallet sends valid auth headers and gets 200", async () => {
+    process.env.PAYSKILL_API_URL = baseUrl;
+    const wallet = new Wallet({ privateKey: ANVIL_PK });
+    const status = await wallet.status();
+    assert.ok(status.address.startsWith("0x"));
+    assert.ok(status.balance.total >= 0);
+    delete process.env.PAYSKILL_API_URL;
+  });
+});

package/tests/test_crypto.ts

@@ -1,251 +1,138 @@
-/**
- * Crypto round-trip tests — proves that:
- * 1. Address derivation uses real secp256k1 (not FNV hash)
- * 2. EIP-712 signing produces valid signatures that the server can recover
- * 3. buildAuthHeaders produces valid auth headers
- */
-
-import { describe, it } from "node:test";
-import assert from "node:assert/strict";
-import { privateKeyToAccount } from "viem/accounts";
-import { recoverAddress, type Hex, type Address } from "viem";
-
-import { PrivateKeySigner, Wallet } from "../src/wallet.js";
-import { RawKeySigner } from "../src/signer.js";
-import { buildAuthHeaders, computeEip712Hash } from "../src/auth.js";
-
-// Anvil account #0 — well-known test key
-const ANVIL_PK =
-  "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80" as Hex;
-const ANVIL_ADDRESS = "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266" as Address;
-
-const TEST_ROUTER = "0x5FbDB2315678afecb367f032d93F642f64180aa3" as Address;
-const TEST_CHAIN_ID = 8453;
-
-describe("Address derivation", () => {
-  it("derives correct address from Anvil #0 private key via Wallet", () => {
-    const wallet = new Wallet({
-      privateKey: ANVIL_PK,
-      chain: "8453",
-      apiUrl: "http://localhost:3000/api/v1",
-      routerAddress: TEST_ROUTER,
-    });
-    assert.equal(wallet.address, ANVIL_ADDRESS);
-  });
-
-  it("derives correct address via PrivateKeySigner", () => {
-    const signer = new PrivateKeySigner(ANVIL_PK);
-    assert.equal(signer.address, ANVIL_ADDRESS);
-  });
-
-  it("derives correct address via RawKeySigner", () => {
-    const signer = new RawKeySigner(ANVIL_PK);
-    assert.equal(signer.address, ANVIL_ADDRESS);
-  });
-
-  it("works without 0x prefix", () => {
-    const signer = new PrivateKeySigner(ANVIL_PK.slice(2));
-    assert.equal(signer.address, ANVIL_ADDRESS);
-  });
-});
-
-describe("EIP-712 signing round-trip", () => {
-  it("PrivateKeySigner produces recoverable EIP-712 signature", async () => {
-    const signer = new PrivateKeySigner(ANVIL_PK);
-
-    const domain = {
-      name: "pay",
-      version: "0.1",
-      chainId: BigInt(TEST_CHAIN_ID),
-      verifyingContract: TEST_ROUTER,
-    };
-    const types = {
-      APIRequest: [
-        { name: "method", type: "string" },
-        { name: "path", type: "string" },
-        { name: "timestamp", type: "uint256" },
-        { name: "nonce", type: "bytes32" },
-      ],
-    };
-    const nonce =
-      "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef";
-    const message = {
-      method: "POST",
-      path: "/api/v1/direct",
-      timestamp: BigInt(1741400000),
-      nonce,
-    };
-
-    const signature = await signer.signTypedData(domain, types, message);
-
-    assert.ok(signature.startsWith("0x"), "signature should be hex");
-    assert.equal(signature.length, 132, "signature should be 65 bytes hex");
-    assert.notEqual(
-      signature,
-      "0x" + "0".repeat(130),
-      "signature must not be zeros (stub)"
-    );
-
-    // Recover the signer address from the signature
-    const recovered = await recoverAddress({
-      hash: (await import("viem")).hashTypedData({
-        domain,
-        types,
-        primaryType: "APIRequest",
-        message,
-      }),
-      signature: signature as Hex,
-    });
-
-    assert.equal(
-      recovered.toLowerCase(),
-      ANVIL_ADDRESS.toLowerCase(),
-      "recovered address must match signer"
-    );
-  });
-});
-
-describe("buildAuthHeaders", () => {
-  it("produces valid auth headers with correct address", async () => {
-    const headers = await buildAuthHeaders(ANVIL_PK, "POST", "/api/v1/direct", {
-      chainId: TEST_CHAIN_ID,
-      routerAddress: TEST_ROUTER,
-    });
-
-    assert.equal(headers["X-Pay-Agent"], ANVIL_ADDRESS);
-    assert.ok(
-      headers["X-Pay-Signature"].startsWith("0x"),
-      "signature should be hex"
-    );
-    assert.equal(
-      headers["X-Pay-Signature"].length,
-      132,
-      "signature should be 65 bytes"
-    );
-    assert.ok(
-      Number(headers["X-Pay-Timestamp"]) > 0,
-      "timestamp should be positive"
-    );
-    assert.ok(
-      headers["X-Pay-Nonce"].startsWith("0x"),
-      "nonce should be hex"
-    );
-    assert.equal(
-      headers["X-Pay-Nonce"].length,
-      66,
-      "nonce should be 32 bytes hex"
-    );
-  });
-
-  it("signature recovers to the correct address", async () => {
-    const headers = await buildAuthHeaders(ANVIL_PK, "POST", "/api/v1/direct", {
-      chainId: TEST_CHAIN_ID,
-      routerAddress: TEST_ROUTER,
-    });
-
-    // Recompute the hash and recover
-    const { hashTypedData } = await import("viem");
-    const hash = hashTypedData({
-      domain: {
-        name: "pay",
-        version: "0.1",
-        chainId: TEST_CHAIN_ID,
-        verifyingContract: TEST_ROUTER,
-      },
-      types: {
-        APIRequest: [
-          { name: "method", type: "string" },
-          { name: "path", type: "string" },
-          { name: "timestamp", type: "uint256" },
-          { name: "nonce", type: "bytes32" },
-        ],
-      },
-      primaryType: "APIRequest",
-      message: {
-        method: "POST",
-        path: "/api/v1/direct",
-        timestamp: BigInt(headers["X-Pay-Timestamp"]),
-        nonce: headers["X-Pay-Nonce"] as Hex,
-      },
-    });
-
-    const recovered = await recoverAddress({
-      hash,
-      signature: headers["X-Pay-Signature"] as Hex,
-    });
-
-    assert.equal(
-      recovered.toLowerCase(),
-      ANVIL_ADDRESS.toLowerCase(),
-      "recovered address must match signer"
-    );
-  });
-});
-
-describe("computeEip712Hash", () => {
-  it("produces deterministic output", () => {
-    const nonce =
-      "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" as Hex;
-    const h1 = computeEip712Hash(
-      "POST",
-      "/api/v1/direct",
-      BigInt(1741400000),
-      nonce,
-      TEST_CHAIN_ID,
-      TEST_ROUTER
-    );
-    const h2 = computeEip712Hash(
-      "POST",
-      "/api/v1/direct",
-      BigInt(1741400000),
-      nonce,
-      TEST_CHAIN_ID,
-      TEST_ROUTER
-    );
-    assert.deepEqual(h1, h2);
-  });
-
-  it("different methods produce different hashes", () => {
-    const nonce =
-      "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" as Hex;
-    const h1 = computeEip712Hash(
-      "POST",
-      "/api/v1/direct",
-      BigInt(1741400000),
-      nonce,
-      TEST_CHAIN_ID,
-      TEST_ROUTER
-    );
-    const h2 = computeEip712Hash(
-      "GET",
-      "/api/v1/direct",
-      BigInt(1741400000),
-      nonce,
-      TEST_CHAIN_ID,
-      TEST_ROUTER
-    );
-    assert.notDeepEqual(h1, h2);
-  });
-
-  it("different chain IDs produce different hashes", () => {
-    const nonce =
-      "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" as Hex;
-    const h1 = computeEip712Hash(
-      "POST",
-      "/api/v1/direct",
-      BigInt(1741400000),
-      nonce,
-      8453,
-      TEST_ROUTER
-    );
-    const h2 = computeEip712Hash(
-      "POST",
-      "/api/v1/direct",
-      BigInt(1741400000),
-      nonce,
-      84531,
-      TEST_ROUTER
-    );
-    assert.notDeepEqual(h1, h2);
-  });
-});
+/**
+ * Crypto round-trip tests — proves that:
+ * 1. Address derivation uses real secp256k1
+ * 2. buildAuthHeaders produces valid recoverable signatures
+ */
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+import { recoverAddress, type Hex, type Address } from "viem";
+
+import { Wallet } from "../src/wallet.js";
+import { buildAuthHeaders, buildAuthHeadersSigned, computeEip712Hash } from "../src/auth.js";
+
+// Anvil account #0 — well-known test key
+const ANVIL_PK =
+  "0xac0974bec39a17e36ba4a6b4d238ff944bacb478cbed5efcae784d7bf4f2ff80" as Hex;
+const ANVIL_ADDRESS =
+  "0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266" as Address;
+
+const TEST_ROUTER =
+  "0x5FbDB2315678afecb367f032d93F642f64180aa3" as Address;
+const TEST_CHAIN_ID = 8453;
+
+describe("Address derivation", () => {
+  it("derives correct address from Anvil #0 private key", () => {
+    const wallet = new Wallet({ privateKey: ANVIL_PK });
+    assert.equal(wallet.address, ANVIL_ADDRESS);
+  });
+
+  it("works without 0x prefix", () => {
+    const wallet = new Wallet({ privateKey: ANVIL_PK.slice(2) });
+    assert.equal(wallet.address, ANVIL_ADDRESS);
+  });
+});
+
+describe("buildAuthHeaders", () => {
+  it("produces valid auth headers with correct address", async () => {
+    const headers = await buildAuthHeaders(
+      ANVIL_PK,
+      "POST",
+      "/api/v1/direct",
+      { chainId: TEST_CHAIN_ID, routerAddress: TEST_ROUTER },
+    );
+    assert.equal(headers["X-Pay-Agent"], ANVIL_ADDRESS);
+    assert.ok(headers["X-Pay-Signature"].startsWith("0x"));
+    assert.equal(headers["X-Pay-Signature"].length, 132);
+    assert.ok(Number(headers["X-Pay-Timestamp"]) > 0);
+    assert.ok(headers["X-Pay-Nonce"].startsWith("0x"));
+    assert.equal(headers["X-Pay-Nonce"].length, 66);
+  });
+
+  it("signature recovers to the correct address", async () => {
+    const headers = await buildAuthHeaders(
+      ANVIL_PK,
+      "POST",
+      "/api/v1/direct",
+      { chainId: TEST_CHAIN_ID, routerAddress: TEST_ROUTER },
+    );
+    const { hashTypedData } = await import("viem");
+    const hash = hashTypedData({
+      domain: {
+        name: "pay",
+        version: "0.1",
+        chainId: TEST_CHAIN_ID,
+        verifyingContract: TEST_ROUTER,
+      },
+      types: {
+        APIRequest: [
+          { name: "method", type: "string" },
+          { name: "path", type: "string" },
+          { name: "timestamp", type: "uint256" },
+          { name: "nonce", type: "bytes32" },
+        ],
+      },
+      primaryType: "APIRequest",
+      message: {
+        method: "POST",
+        path: "/api/v1/direct",
+        timestamp: BigInt(headers["X-Pay-Timestamp"]),
+        nonce: headers["X-Pay-Nonce"] as Hex,
+      },
+    });
+    const recovered = await recoverAddress({
+      hash,
+      signature: headers["X-Pay-Signature"] as Hex,
+    });
+    assert.equal(recovered.toLowerCase(), ANVIL_ADDRESS.toLowerCase());
+  });
+});
+
+describe("buildAuthHeadersSigned", () => {
+  it("produces same-structure headers as buildAuthHeaders", async () => {
+    const { privateKeyToAccount } = await import("viem/accounts");
+    const account = privateKeyToAccount(ANVIL_PK);
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const signFn = (p: any) => account.signTypedData(p);
+
+    const headers = await buildAuthHeadersSigned(
+      ANVIL_ADDRESS,
+      signFn,
+      "GET",
+      "/api/v1/status",
+      { chainId: TEST_CHAIN_ID, routerAddress: TEST_ROUTER },
+    );
+    assert.equal(headers["X-Pay-Agent"], ANVIL_ADDRESS);
+    assert.ok(headers["X-Pay-Signature"].startsWith("0x"));
+    assert.equal(headers["X-Pay-Signature"].length, 132);
+  });
+});
+
+describe("computeEip712Hash", () => {
+  const nonce =
+    "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef" as Hex;
+
+  it("produces deterministic output", () => {
+    const h1 = computeEip712Hash(
+      "POST", "/api/v1/direct", BigInt(1741400000),
+      nonce, TEST_CHAIN_ID, TEST_ROUTER,
+    );
+    const h2 = computeEip712Hash(
+      "POST", "/api/v1/direct", BigInt(1741400000),
+      nonce, TEST_CHAIN_ID, TEST_ROUTER,
+    );
+    assert.deepEqual(h1, h2);
+  });
+
+  it("different methods produce different hashes", () => {
+    const h1 = computeEip712Hash(
+      "POST", "/api/v1/direct", BigInt(1741400000),
+      nonce, TEST_CHAIN_ID, TEST_ROUTER,
+    );
+    const h2 = computeEip712Hash(
+      "GET", "/api/v1/direct", BigInt(1741400000),
+      nonce, TEST_CHAIN_ID, TEST_ROUTER,
+    );
+    assert.notDeepEqual(h1, h2);
+  });
+});