@thecryptodonkey/toll-booth 3.2.1 → 3.2.2

package/dist/adapters/express.js

@@ -162,6 +162,7 @@ export function createExpressMiddleware(engineOrConfig, upstreamArg) {
         }
         catch (err) {
             // Distinguish upstream network errors from programming errors
+            setSensitiveHeaders(res);
             if (err instanceof TypeError && (err.message.includes('fetch') || err.message.includes('network'))) {
                 res.status(502).json({ error: 'Upstream unavailable' });
             }

package/dist/adapters/hono.js

@@ -7,9 +7,44 @@ import { handleNwcPay } from '../core/nwc-pay.js';
 import { handleCashuRedeem } from '../core/cashu-redeem.js';
 import { applySecurityHeaders, appendVary, parseForwardedIp } from './proxy-headers.js';
 const MAX_BODY_BYTES = 65_536;
+/**
+ * Reads the request body as text with a streaming byte limit.
+ * Aborts mid-stream when the limit is exceeded, preventing memory
+ * exhaustion from large chunked requests without a Content-Length header.
+ */
+async function readBodyTextWithinLimit(c, maxBytes) {
+    const body = c.req.raw.body;
+    if (!body)
+        return '';
+    const reader = body.getReader();
+    const decoder = new TextDecoder();
+    let totalBytes = 0;
+    let text = '';
+    try {
+        while (true) {
+            const { done, value } = await reader.read();
+            if (done)
+                break;
+            totalBytes += value.byteLength;
+            if (totalBytes > maxBytes) {
+                await reader.cancel();
+                return undefined;
+            }
+            text += decoder.decode(value, { stream: true });
+        }
+        return text + decoder.decode();
+    }
+    catch {
+        return undefined;
+    }
+    finally {
+        reader.releaseLock();
+    }
+}
 /**
  * Parses request body as JSON with a size limit.
  * Returns undefined on oversized, empty, or malformed bodies.
+ * Uses streaming reads to abort early on large chunked payloads.
  */
 async function safeParseJson(c, maxBytes = MAX_BODY_BYTES) {
     const contentLength = c.req.header('content-length');
@@ -19,8 +54,8 @@ async function safeParseJson(c, maxBytes = MAX_BODY_BYTES) {
             return undefined;
     }
     try {
-        const text = await c.req.text();
-        if (new TextEncoder().encode(text).byteLength > maxBytes)
+        const text = await readBodyTextWithinLimit(c, maxBytes);
+        if (text === undefined)
             return undefined;
         if (!text.trim())
             return {};
@@ -44,6 +79,12 @@ async function safeParseJson(c, maxBytes = MAX_BODY_BYTES) {
  */
 export function createHonoTollBooth(config) {
     const { engine } = config;
+    // Warn when free-tier is enabled without trustProxy or getClientIp
+    if (engine.freeTier && !config.trustProxy && !config.getClientIp) {
+        console.error('[toll-booth] WARNING: freeTier enabled without trustProxy in Hono adapter. ' +
+            'All clients will share the 0.0.0.0 IP bucket. ' +
+            'Set trustProxy: true or provide a getClientIp callback.');
+    }
     const authMiddleware = async (c, next) => {
         const req = c.req.raw;
         const ip = config.getClientIp?.(c)

package/dist/adapters/proxy-headers.js

@@ -39,6 +39,7 @@ export function applySecurityHeaders(headers) {
     headers.set('X-Frame-Options', 'DENY');
     headers.set('Referrer-Policy', 'no-referrer');
     headers.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
+    headers.set('Content-Security-Policy', "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; form-action 'none'; frame-ancestors 'none'");
     return headers;
 }
 export function appendVary(headers, value) {
@@ -58,11 +59,14 @@ export function appendVary(headers, value) {
  * via crafted X-Forwarded-For headers.
  */
 const IPV4_RE = /^(\d{1,3}\.){3}\d{1,3}$/;
-const IPV6_RE = /^[0-9a-fA-F:]+$/;
+const IPV6_RE = /^[0-9a-fA-F:]{2,45}$/;
 export function isPlausibleIp(value) {
     if (!value || value.length > 45)
         return false;
-    return IPV4_RE.test(value) || IPV6_RE.test(value);
+    if (IPV4_RE.test(value))
+        return true;
+    // IPv6 must contain at least one colon
+    return IPV6_RE.test(value) && value.includes(':');
 }
 /**
  * Extracts and validates the client IP from an X-Forwarded-For header value.

package/dist/backends/nwc.js

@@ -46,6 +46,9 @@ export function nwcBackend(config) {
             return { bolt11: tx.invoice, paymentHash: tx.payment_hash };
         },
         async checkInvoice(paymentHash) {
+            if (!/^[0-9a-f]{64}$/.test(paymentHash)) {
+                return { paid: false };
+            }
             const nwc = await getClient();
             try {
                 const tx = await nwc.lookupInvoice({ payment_hash: paymentHash });

package/dist/core/toll-booth.js

@@ -160,13 +160,24 @@ export function createTollBooth(config) {
                         }
                         // Track estimated cost with currency for reconciliation
                         if (result.paymentId) {
-                            // Evict stale entries
+                            // Evict stale entries; if still at cap, drop oldest entries
                             if (estimatedCosts.size >= MAX_ESTIMATED_COSTS) {
                                 const now = Date.now();
                                 for (const [key, entry] of estimatedCosts) {
                                     if (now - entry.ts > MAX_AGE_MS)
                                         estimatedCosts.delete(key);
                                 }
+                                // Force-evict oldest entries if still at capacity
+                                if (estimatedCosts.size >= MAX_ESTIMATED_COSTS) {
+                                    const overflow = estimatedCosts.size - MAX_ESTIMATED_COSTS + 1;
+                                    let evicted = 0;
+                                    for (const key of estimatedCosts.keys()) {
+                                        if (evicted >= overflow)
+                                            break;
+                                        estimatedCosts.delete(key);
+                                        evicted++;
+                                    }
+                                }
                             }
                             estimatedCosts.set(result.paymentId, { cost, ts: Date.now(), currency: result.currency });
                         }

package/dist/core/x402-rail.js

@@ -50,9 +50,10 @@ export function createX402Rail(config) {
                 if (!result.valid) {
                     return { authenticated: false, paymentId: result.txHash || '', mode: 'per-request', currency: 'usd' };
                 }
-                // Credit mode: persist balance to storage (mirrors L402 rail's settleWithCredit)
+                // Credit mode: persist balance to storage (mirrors L402 rail's settleWithCredit).
+                // Use the txHash as the settlement secret since x402 has no preimage equivalent.
                 if (creditMode && storage && !storage.isSettled(result.txHash)) {
-                    storage.settleWithCredit(result.txHash, result.amount, undefined, 'usd');
+                    storage.settleWithCredit(result.txHash, result.amount, result.txHash, 'usd');
                 }
                 const creditBalance = creditMode && storage
                     ? storage.balance(result.txHash, 'usd')

package/dist/free-tier.js

@@ -1,13 +1,17 @@
 // src/free-tier.ts
 /** Maximum number of distinct IPs tracked before new IPs are denied. */
 const MAX_TRACKED_IPS = 100_000;
-/** Plausible IP format check to prevent arbitrary strings filling the tracking map. */
+/**
+ * Validates that a string is a plausible IP address or IP hash.
+ * More permissive than the proxy-headers version because the toll-booth
+ * engine passes hashIp() output (32-char hex) to freeTier.check().
+ */
 const IPV4_RE = /^(\d{1,3}\.){3}\d{1,3}$/;
-const IPV6_RE = /^[0-9a-fA-F:]+$/;
-function isPlausibleIp(value) {
-    if (!value || value.length > 45)
+const HEX_OR_IPV6_RE = /^[0-9a-fA-F:]{2,64}$/;
+function isPlausibleIpOrHash(value) {
+    if (!value || value.length > 64)
         return false;
-    return IPV4_RE.test(value) || IPV6_RE.test(value);
+    return IPV4_RE.test(value) || HEX_OR_IPV6_RE.test(value);
 }
 export class FreeTier {
     requestsPerDay;
@@ -25,7 +29,7 @@ export class FreeTier {
     }
     check(ip, _cost) {
         // Reject non-IP strings to prevent arbitrary values filling the tracking map
-        if (!isPlausibleIp(ip)) {
+        if (!isPlausibleIpOrHash(ip)) {
             return { allowed: false, remaining: 0 };
         }
         const today = new Date().toISOString().slice(0, 10); // YYYY-MM-DD
@@ -66,7 +70,7 @@ export class CreditFreeTier {
     }
     check(ip, cost) {
         // Reject non-IP strings to prevent arbitrary values filling the tracking map
-        if (!isPlausibleIp(ip)) {
+        if (!isPlausibleIpOrHash(ip)) {
             return { allowed: false, remaining: 0 };
         }
         const today = new Date().toISOString().slice(0, 10); // YYYY-MM-DD

package/dist/storage/memory.js

@@ -161,6 +161,7 @@ export function memoryStorage() {
             for (const [hash, inv] of invoices) {
                 if (inv.createdAt < cutoff && !claims.has(hash)) {
                     invoices.delete(hash);
+                    invoiceIps.delete(hash);
                     pruned++;
                 }
             }

package/dist/storage/sqlite.js

@@ -364,14 +364,14 @@ export function sqliteStorage(config) {
             const result = stmtPruneInvoices.run(maxAgeSecs);
             return result.changes;
         },
-        pruneStaleRecords(maxAgeMs) {
+        pruneStaleRecords: db.transaction((maxAgeMs) => {
             const maxAgeSecs = Math.floor(maxAgeMs / 1000);
             let total = 0;
             total += stmtPruneZeroCredits.run(maxAgeSecs).changes;
             total += stmtPruneSettlements.run(maxAgeSecs).changes;
             total += stmtPruneClaims.run(maxAgeSecs).changes;
             return total;
-        },
+        }),
         close() {
             db.close();
         },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@thecryptodonkey/toll-booth",
-  "version": "3.2.1",
+  "version": "3.2.2",
   "type": "module",
   "description": "Monetise any API with HTTP 402 payments. Payment-rail agnostic middleware for Express, Hono, Deno, Bun, and Workers.",
   "license": "MIT",