@wopr-network/platform-core 1.42.3 → 1.44.0

package/src/billing/crypto/__tests__/key-server.test.ts

@@ -0,0 +1,262 @@
+import { describe, expect, it, vi } from "vitest";
+import type { ICryptoChargeRepository } from "../charge-store.js";
+import type { KeyServerDeps } from "../key-server.js";
+import { createKeyServerApp } from "../key-server.js";
+import type { IPaymentMethodStore } from "../payment-method-store.js";
+
+/** Create a mock db that supports transaction() by passing itself to the callback. */
+function createMockDb() {
+  const mockMethod = {
+    id: "btc",
+    type: "native",
+    token: "BTC",
+    chain: "bitcoin",
+    xpub: "xpub6CUGRUonZSQ4TWtTMmzXdrXDtypWKiKrhko4egpiMZbpiaQL2jkwSB1icqYh2cfDfVxdx4df189oLKnC5fSwqPfgyP3hooxujYzAu3fDVmz",
+    nextIndex: 1,
+    decimals: 8,
+    confirmations: 6,
+  };
+
+  const db = {
+    update: vi.fn().mockReturnValue({
+      set: vi.fn().mockReturnValue({
+        where: vi.fn().mockReturnValue({
+          returning: vi.fn().mockResolvedValue([mockMethod]),
+        }),
+      }),
+    }),
+    insert: vi.fn().mockReturnValue({
+      values: vi.fn().mockReturnValue({
+        onConflictDoNothing: vi.fn().mockResolvedValue({ rowCount: 1 }),
+      }),
+    }),
+    select: vi.fn().mockReturnValue({
+      from: vi.fn().mockReturnValue({
+        where: vi.fn().mockResolvedValue([]),
+      }),
+    }),
+    // transaction() passes itself as tx — mocks work the same way
+    transaction: vi.fn().mockImplementation(async (fn: (tx: unknown) => unknown) => fn(db)),
+  };
+  return db;
+}
+
+/** Minimal mock deps for key server tests. */
+function mockDeps(): KeyServerDeps & {
+  chargeStore: { [K in keyof ICryptoChargeRepository]: ReturnType<typeof vi.fn> };
+  methodStore: { [K in keyof IPaymentMethodStore]: ReturnType<typeof vi.fn> };
+} {
+  const chargeStore = {
+    getByReferenceId: vi.fn().mockResolvedValue({
+      referenceId: "btc:bc1q...",
+      status: "New",
+      depositAddress: "bc1q...",
+      chain: "bitcoin",
+      token: "BTC",
+      amountUsdCents: 5000,
+      creditedAt: null,
+    }),
+    createStablecoinCharge: vi.fn().mockResolvedValue(undefined),
+    create: vi.fn(),
+    updateStatus: vi.fn(),
+    markCredited: vi.fn(),
+    isCredited: vi.fn(),
+    getByDepositAddress: vi.fn(),
+    getNextDerivationIndex: vi.fn(),
+    listActiveDepositAddresses: vi.fn(),
+  };
+  const methodStore = {
+    listEnabled: vi.fn().mockResolvedValue([
+      {
+        id: "btc",
+        token: "BTC",
+        chain: "bitcoin",
+        decimals: 8,
+        displayName: "Bitcoin",
+        contractAddress: null,
+        confirmations: 6,
+      },
+      {
+        id: "base-usdc",
+        token: "USDC",
+        chain: "base",
+        decimals: 6,
+        displayName: "USDC on Base",
+        contractAddress: "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
+        confirmations: 12,
+      },
+    ]),
+    listAll: vi.fn(),
+    getById: vi.fn().mockResolvedValue({
+      id: "btc",
+      type: "native",
+      token: "BTC",
+      chain: "bitcoin",
+      decimals: 8,
+      displayName: "Bitcoin",
+      contractAddress: null,
+      confirmations: 6,
+      oracleAddress: "0x64c911996D3c6aC71f9b455B1E8E7266BcbD848F",
+      xpub: null,
+      displayOrder: 0,
+      enabled: true,
+      rpcUrl: null,
+    }),
+    listByType: vi.fn(),
+    upsert: vi.fn().mockResolvedValue(undefined),
+    setEnabled: vi.fn().mockResolvedValue(undefined),
+  };
+  return {
+    db: createMockDb() as never,
+    chargeStore: chargeStore as never,
+    methodStore: methodStore as never,
+    oracle: { getPrice: vi.fn().mockResolvedValue({ priceCents: 6_500_000, updatedAt: new Date() }) } as never,
+  };
+}
+
+describe("key-server routes", () => {
+  it("GET /chains returns enabled payment methods", async () => {
+    const app = createKeyServerApp(mockDeps());
+    const res = await app.request("/chains");
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body).toHaveLength(2);
+    expect(body[0].token).toBe("BTC");
+    expect(body[1].token).toBe("USDC");
+  });
+
+  it("POST /address requires chain", async () => {
+    const app = createKeyServerApp(mockDeps());
+    const res = await app.request("/address", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({}),
+    });
+    expect(res.status).toBe(400);
+  });
+
+  it("POST /address derives BTC address", async () => {
+    const app = createKeyServerApp(mockDeps());
+    const res = await app.request("/address", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ chain: "btc" }),
+    });
+    expect(res.status).toBe(201);
+    const body = await res.json();
+    expect(body.address).toMatch(/^bc1q/);
+    expect(body.index).toBe(0);
+    expect(body.chain).toBe("bitcoin");
+    expect(body.token).toBe("BTC");
+  });
+
+  it("GET /charges/:id returns charge status", async () => {
+    const app = createKeyServerApp(mockDeps());
+    const res = await app.request("/charges/btc:bc1q...");
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.chargeId).toBe("btc:bc1q...");
+    expect(body.status).toBe("New");
+  });
+
+  it("GET /charges/:id returns 404 for missing charge", async () => {
+    const deps = mockDeps();
+    (deps.chargeStore.getByReferenceId as ReturnType<typeof vi.fn>).mockResolvedValue(null);
+    const app = createKeyServerApp(deps);
+    const res = await app.request("/charges/nonexistent");
+    expect(res.status).toBe(404);
+  });
+
+  it("POST /charges validates amountUsd", async () => {
+    const app = createKeyServerApp(mockDeps());
+    const res = await app.request("/charges", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ chain: "btc", amountUsd: -10 }),
+    });
+    expect(res.status).toBe(400);
+  });
+
+  it("POST /charges creates a charge", async () => {
+    const app = createKeyServerApp(mockDeps());
+    const res = await app.request("/charges", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ chain: "btc", amountUsd: 50 }),
+    });
+    expect(res.status).toBe(201);
+    const body = await res.json();
+    expect(body.address).toMatch(/^bc1q/);
+    expect(body.amountUsd).toBe(50);
+    expect(body.expiresAt).toBeTruthy();
+  });
+
+  it("GET /admin/next-path returns available path", async () => {
+    const deps = mockDeps();
+    deps.adminToken = "test-admin";
+    const app = createKeyServerApp(deps);
+    const res = await app.request("/admin/next-path?coin_type=0", {
+      headers: { Authorization: "Bearer test-admin" },
+    });
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.path).toBe("m/44'/0'/0'");
+    expect(body.status).toBe("available");
+  });
+
+  it("DELETE /admin/chains/:id disables chain", async () => {
+    const deps = mockDeps();
+    deps.adminToken = "test-admin";
+    const app = createKeyServerApp(deps);
+    const res = await app.request("/admin/chains/doge", {
+      method: "DELETE",
+      headers: { Authorization: "Bearer test-admin" },
+    });
+    expect(res.status).toBe(204);
+    expect(deps.methodStore.setEnabled).toHaveBeenCalledWith("doge", false);
+  });
+});
+
+describe("key-server auth", () => {
+  it("rejects unauthenticated request when serviceKey is set", async () => {
+    const deps = mockDeps();
+    deps.serviceKey = "sk-test-secret";
+    const app = createKeyServerApp(deps);
+    const res = await app.request("/address", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ chain: "btc" }),
+    });
+    expect(res.status).toBe(401);
+  });
+
+  it("allows authenticated request with correct serviceKey", async () => {
+    const deps = mockDeps();
+    deps.serviceKey = "sk-test-secret";
+    const app = createKeyServerApp(deps);
+    const res = await app.request("/address", {
+      method: "POST",
+      headers: { "Content-Type": "application/json", Authorization: "Bearer sk-test-secret" },
+      body: JSON.stringify({ chain: "btc" }),
+    });
+    expect(res.status).toBe(201);
+  });
+
+  it("rejects admin route without adminToken", async () => {
+    const deps = mockDeps();
+    // no adminToken set — admin routes disabled
+    const app = createKeyServerApp(deps);
+    const res = await app.request("/admin/next-path?coin_type=0");
+    expect(res.status).toBe(403);
+  });
+
+  it("allows admin route with correct adminToken", async () => {
+    const deps = mockDeps();
+    deps.adminToken = "admin-secret";
+    const app = createKeyServerApp(deps);
+    const res = await app.request("/admin/next-path?coin_type=0", {
+      headers: { Authorization: "Bearer admin-secret" },
+    });
+    expect(res.status).toBe(200);
+  });
+});

package/src/billing/crypto/btc/watcher.ts

@@ -14,6 +14,8 @@ export interface BtcWatcherOpts {
   oracle: IPriceOracle;
   /** Required — BTC has no block cursor, so txid dedup must be persisted. */
   cursorStore: IWatcherCursorStore;
+  /** Override chain identity for cursor namespace (default: config.network). Prevents txid collisions across BTC/LTC/DOGE. */
+  chainId?: string;
 }
 
 interface ReceivedByAddress {
@@ -39,7 +41,7 @@ export class BtcWatcher {
     this.minConfirmations = opts.config.confirmations;
     this.oracle = opts.oracle;
     this.cursorStore = opts.cursorStore;
-    this.watcherId = `btc:${opts.config.network}`;
+    this.watcherId = `btc:${opts.chainId ?? opts.config.network}`;
   }
 
   /** Update the set of watched addresses. */

package/src/billing/crypto/charge-store.ts

@@ -17,6 +17,9 @@ export interface CryptoChargeRecord {
   token: string | null;
   depositAddress: string | null;
   derivationIndex: number | null;
+  callbackUrl: string | null;
+  expectedAmount: string | null;
+  receivedAmount: string | null;
 }
 
 export interface CryptoDepositChargeInput {
@@ -27,6 +30,9 @@ export interface CryptoDepositChargeInput {
   token: string;
   depositAddress: string;
   derivationIndex: number;
+  callbackUrl?: string;
+  /** Expected crypto amount in native base units (sats for BTC, base units for ERC20). */
+  expectedAmount?: string;
 }
 
 export interface ICryptoChargeRepository {
@@ -50,7 +56,7 @@ export interface ICryptoChargeRepository {
 /**
  * Manages crypto charge records in PostgreSQL.
  *
- * Each charge maps a BTCPay invoice ID to a tenant and tracks
+ * Each charge maps a deposit address to a tenant and tracks
  * the payment lifecycle (New → Processing → Settled/Expired/Invalid).
  *
  * amountUsdCents stores the requested amount in USD cents (integer).
@@ -92,6 +98,9 @@ export class DrizzleCryptoChargeRepository implements ICryptoChargeRepository {
       token: row.token ?? null,
       depositAddress: row.depositAddress ?? null,
       derivationIndex: row.derivationIndex ?? null,
+      callbackUrl: row.callbackUrl ?? null,
+      expectedAmount: row.expectedAmount ?? null,
+      receivedAmount: row.receivedAmount ?? null,
     };
   }
 
@@ -146,6 +155,9 @@ export class DrizzleCryptoChargeRepository implements ICryptoChargeRepository {
       token: input.token,
       depositAddress: input.depositAddress.toLowerCase(),
       derivationIndex: input.derivationIndex,
+      callbackUrl: input.callbackUrl,
+      expectedAmount: input.expectedAmount,
+      receivedAmount: "0",
     });
   }
 

package/src/billing/crypto/client.test.ts

@@ -1,132 +1,104 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { BTCPayClient, loadCryptoConfig } from "./client.js";
-
-describe("BTCPayClient", () => {
-  it("createInvoice sends correct request and returns id + checkoutLink", async () => {
-    const mockResponse = { id: "inv-001", checkoutLink: "https://btcpay.example.com/i/inv-001" };
-    const fetchSpy = vi
-      .spyOn(globalThis, "fetch")
-      .mockResolvedValue(new Response(JSON.stringify(mockResponse), { status: 200 }));
-
-    const client = new BTCPayClient({
-      apiKey: "test-key",
-      baseUrl: "https://btcpay.example.com",
-      storeId: "store-abc",
-    });
-
-    const result = await client.createInvoice({
-      amountUsd: 25,
-      orderId: "order-123",
-      buyerEmail: "test@example.com",
-    });
+import { CryptoServiceClient, loadCryptoConfig } from "./client.js";
 
-    expect(result.id).toBe("inv-001");
-    expect(result.checkoutLink).toBe("https://btcpay.example.com/i/inv-001");
+describe("CryptoServiceClient", () => {
+  afterEach(() => vi.restoreAllMocks());
 
-    expect(fetchSpy).toHaveBeenCalledOnce();
-    const [url, opts] = fetchSpy.mock.calls[0];
-    expect(url).toBe("https://btcpay.example.com/api/v1/stores/store-abc/invoices");
-    expect(opts?.method).toBe("POST");
+  it("deriveAddress sends POST /address with chain", async () => {
+    const mockResponse = { address: "bc1q...", index: 42, chain: "bitcoin", token: "BTC" };
+    vi.spyOn(globalThis, "fetch").mockResolvedValue(new Response(JSON.stringify(mockResponse), { status: 201 }));
 
-    const headers = opts?.headers as Record<string, string>;
-    expect(headers.Authorization).toBe("token test-key");
-    expect(headers["Content-Type"]).toBe("application/json");
+    const client = new CryptoServiceClient({ baseUrl: "http://localhost:3100" });
+    const result = await client.deriveAddress("btc");
 
-    const body = JSON.parse(opts?.body as string);
-    expect(body.amount).toBe("25");
-    expect(body.currency).toBe("USD");
-    expect(body.metadata.orderId).toBe("order-123");
-    expect(body.metadata.buyerEmail).toBe("test@example.com");
-    expect(body.checkout.speedPolicy).toBe("MediumSpeed");
+    expect(result.address).toBe("bc1q...");
+    expect(result.index).toBe(42);
 
-    fetchSpy.mockRestore();
+    const [url, opts] = vi.mocked(fetch).mock.calls[0];
+    expect(url).toBe("http://localhost:3100/address");
+    expect(opts?.method).toBe("POST");
+    expect(JSON.parse(opts?.body as string)).toEqual({ chain: "btc" });
   });
 
-  it("createInvoice includes redirectURL when provided", async () => {
-    const fetchSpy = vi.spyOn(globalThis, "fetch").mockResolvedValue(
-      new Response(JSON.stringify({ id: "inv-002", checkoutLink: "https://btcpay.example.com/i/inv-002" }), {
-        status: 200,
-      }),
-    );
-
-    const client = new BTCPayClient({ apiKey: "k", baseUrl: "https://btcpay.example.com", storeId: "s" });
-    await client.createInvoice({ amountUsd: 10, orderId: "o", redirectURL: "https://app.example.com/success" });
+  it("createCharge sends POST /charges", async () => {
+    const mockResponse = {
+      chargeId: "btc:bc1q...",
+      address: "bc1q...",
+      chain: "btc",
+      token: "BTC",
+      amountUsd: 50,
+      derivationIndex: 42,
+      expiresAt: "2026-03-20T04:00:00Z",
+    };
+    vi.spyOn(globalThis, "fetch").mockResolvedValue(new Response(JSON.stringify(mockResponse), { status: 201 }));
+
+    const client = new CryptoServiceClient({
+      baseUrl: "http://localhost:3100",
+      serviceKey: "sk-test",
+      tenantId: "tenant-1",
+    });
+    const result = await client.createCharge({ chain: "btc", amountUsd: 50 });
 
-    const body = JSON.parse(fetchSpy.mock.calls[0][1]?.body as string);
-    expect(body.checkout.redirectURL).toBe("https://app.example.com/success");
+    expect(result.chargeId).toBe("btc:bc1q...");
+    expect(result.address).toBe("bc1q...");
 
-    fetchSpy.mockRestore();
+    const [, opts] = vi.mocked(fetch).mock.calls[0];
+    const headers = opts?.headers as Record<string, string>;
+    expect(headers.Authorization).toBe("Bearer sk-test");
+    expect(headers["X-Tenant-Id"]).toBe("tenant-1");
   });
 
-  it("createInvoice throws on non-ok response", async () => {
-    const fetchSpy = vi.spyOn(globalThis, "fetch").mockResolvedValue(new Response("Unauthorized", { status: 401 }));
+  it("getCharge sends GET /charges/:id", async () => {
+    const mockResponse = { chargeId: "btc:bc1q...", status: "confirmed" };
+    vi.spyOn(globalThis, "fetch").mockResolvedValue(new Response(JSON.stringify(mockResponse), { status: 200 }));
 
-    const client = new BTCPayClient({ apiKey: "bad-key", baseUrl: "https://btcpay.example.com", storeId: "s" });
-    await expect(client.createInvoice({ amountUsd: 10, orderId: "o" })).rejects.toThrow(
-      "BTCPay createInvoice failed (401)",
-    );
+    const client = new CryptoServiceClient({ baseUrl: "http://localhost:3100" });
+    const result = await client.getCharge("btc:bc1q...");
 
-    fetchSpy.mockRestore();
+    expect(result.status).toBe("confirmed");
+    expect(vi.mocked(fetch).mock.calls[0][0]).toBe("http://localhost:3100/charges/btc%3Abc1q...");
   });
 
-  it("getInvoice sends correct request", async () => {
-    const fetchSpy = vi.spyOn(globalThis, "fetch").mockResolvedValue(
-      new Response(JSON.stringify({ id: "inv-001", status: "Settled", amount: "25", currency: "USD" }), {
-        status: 200,
-      }),
-    );
+  it("listChains sends GET /chains", async () => {
+    const mockResponse = [{ id: "btc", token: "BTC", chain: "bitcoin", decimals: 8 }];
+    vi.spyOn(globalThis, "fetch").mockResolvedValue(new Response(JSON.stringify(mockResponse), { status: 200 }));
 
-    const client = new BTCPayClient({ apiKey: "k", baseUrl: "https://btcpay.example.com", storeId: "store-abc" });
-    const result = await client.getInvoice("inv-001");
+    const client = new CryptoServiceClient({ baseUrl: "http://localhost:3100" });
+    const result = await client.listChains();
+
+    expect(result).toHaveLength(1);
+    expect(result[0].token).toBe("BTC");
+  });
 
-    expect(result.status).toBe("Settled");
-    expect(fetchSpy.mock.calls[0][0]).toBe("https://btcpay.example.com/api/v1/stores/store-abc/invoices/inv-001");
+  it("throws on non-ok response", async () => {
+    vi.spyOn(globalThis, "fetch").mockResolvedValue(new Response("Not found", { status: 404 }));
 
-    fetchSpy.mockRestore();
+    const client = new CryptoServiceClient({ baseUrl: "http://localhost:3100" });
+    await expect(client.getCharge("missing")).rejects.toThrow("CryptoService getCharge failed (404)");
   });
 });
 
 describe("loadCryptoConfig", () => {
   beforeEach(() => {
-    delete process.env.BTCPAY_API_KEY;
-    delete process.env.BTCPAY_BASE_URL;
-    delete process.env.BTCPAY_STORE_ID;
+    delete process.env.CRYPTO_SERVICE_URL;
+    delete process.env.CRYPTO_SERVICE_KEY;
+    delete process.env.TENANT_ID;
   });
 
-  afterEach(() => {
-    vi.unstubAllEnvs();
-  });
-
-  it("returns null when BTCPAY_API_KEY is missing", () => {
-    vi.stubEnv("BTCPAY_BASE_URL", "https://btcpay.test");
-    vi.stubEnv("BTCPAY_STORE_ID", "store-1");
-    expect(loadCryptoConfig()).toBeNull();
-  });
-
-  it("returns null when BTCPAY_BASE_URL is missing", () => {
-    vi.stubEnv("BTCPAY_API_KEY", "test-key");
-    vi.stubEnv("BTCPAY_STORE_ID", "store-1");
-    expect(loadCryptoConfig()).toBeNull();
-  });
-
-  it("returns null when BTCPAY_STORE_ID is missing", () => {
-    vi.stubEnv("BTCPAY_API_KEY", "test-key");
-    vi.stubEnv("BTCPAY_BASE_URL", "https://btcpay.test");
-    expect(loadCryptoConfig()).toBeNull();
-  });
+  afterEach(() => vi.unstubAllEnvs());
 
-  it("returns config when all env vars are set", () => {
-    vi.stubEnv("BTCPAY_API_KEY", "test-key");
-    vi.stubEnv("BTCPAY_BASE_URL", "https://btcpay.test");
-    vi.stubEnv("BTCPAY_STORE_ID", "store-1");
+  it("returns config when CRYPTO_SERVICE_URL is set", () => {
+    vi.stubEnv("CRYPTO_SERVICE_URL", "http://10.120.0.5:3100");
+    vi.stubEnv("CRYPTO_SERVICE_KEY", "sk-test");
+    vi.stubEnv("TENANT_ID", "tenant-1");
     expect(loadCryptoConfig()).toEqual({
-      apiKey: "test-key",
-      baseUrl: "https://btcpay.test",
-      storeId: "store-1",
+      baseUrl: "http://10.120.0.5:3100",
+      serviceKey: "sk-test",
+      tenantId: "tenant-1",
     });
   });
 
-  it("returns null when all env vars are missing", () => {
+  it("returns null when CRYPTO_SERVICE_URL is missing", () => {
     expect(loadCryptoConfig()).toBeNull();
   });
 });