bsv-x402 0.2.0 → 0.3.0

package/dist/index.js

@@ -1,3 +1,524 @@
+// src/brc105-challenge.ts
+function parseBrc105Challenge(response) {
+  const version = response.headers.get("x-bsv-payment-version");
+  if (version === null) {
+    throw new Error("BRC-105: missing x-bsv-payment-version header");
+  }
+  if (version !== "1.0") {
+    throw new Error(`BRC-105: unsupported version "${version}", expected "1.0"`);
+  }
+  const satoshisRaw = response.headers.get("x-bsv-payment-satoshis-required");
+  if (satoshisRaw === null) {
+    throw new Error("BRC-105: missing x-bsv-payment-satoshis-required header");
+  }
+  const satoshisRequired = Number(satoshisRaw);
+  if (!Number.isFinite(satoshisRequired) || !Number.isInteger(satoshisRequired) || satoshisRequired <= 0) {
+    throw new Error("BRC-105: satoshis-required must be a positive integer");
+  }
+  const serverIdentityKey = response.headers.get("x-bsv-auth-identity-key");
+  if (serverIdentityKey === null || serverIdentityKey.length === 0) {
+    throw new Error("BRC-105: missing or empty x-bsv-auth-identity-key header");
+  }
+  if (!/^0[23][0-9a-fA-F]{64}$/.test(serverIdentityKey)) {
+    throw new Error("BRC-105: x-bsv-auth-identity-key must be a 33-byte compressed public key (hex)");
+  }
+  const derivationPrefix = response.headers.get("x-bsv-payment-derivation-prefix");
+  if (derivationPrefix === null || derivationPrefix.length === 0) {
+    throw new Error("BRC-105: missing or empty x-bsv-payment-derivation-prefix header");
+  }
+  return {
+    version,
+    satoshisRequired,
+    serverIdentityKey,
+    derivationPrefix
+  };
+}
+
+// src/brc105-proof.ts
+function bytesToHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function hexToBytes(hex) {
+  if (hex.length % 2 !== 0) throw new Error("Hex string must have even length");
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.slice(i, i + 2), 16);
+  }
+  return bytes;
+}
+function bytesToBase64(bytes) {
+  let binary = "";
+  for (const b of bytes) binary += String.fromCharCode(b);
+  return btoa(binary);
+}
+function numberArrayToBase64(arr) {
+  return bytesToBase64(new Uint8Array(arr));
+}
+var RIPEMD160_CONSTANTS = {
+  // Round constants for left and right paths
+  KL: [0, 1518500249, 1859775393, 2400959708, 2840853838],
+  KR: [1352829926, 1548603684, 1836072691, 2053994217, 0],
+  // Message schedule (word index per step)
+  RL: [
+    0,
+    1,
+    2,
+    3,
+    4,
+    5,
+    6,
+    7,
+    8,
+    9,
+    10,
+    11,
+    12,
+    13,
+    14,
+    15,
+    7,
+    4,
+    13,
+    1,
+    10,
+    6,
+    15,
+    3,
+    12,
+    0,
+    9,
+    5,
+    2,
+    14,
+    11,
+    8,
+    3,
+    10,
+    14,
+    4,
+    9,
+    15,
+    8,
+    1,
+    2,
+    7,
+    0,
+    6,
+    13,
+    11,
+    5,
+    12,
+    1,
+    9,
+    11,
+    10,
+    0,
+    8,
+    12,
+    4,
+    13,
+    3,
+    7,
+    15,
+    14,
+    5,
+    6,
+    2,
+    4,
+    0,
+    5,
+    9,
+    7,
+    12,
+    2,
+    10,
+    14,
+    1,
+    3,
+    8,
+    11,
+    6,
+    15,
+    13
+  ],
+  RR: [
+    5,
+    14,
+    7,
+    0,
+    9,
+    2,
+    11,
+    4,
+    13,
+    6,
+    15,
+    8,
+    1,
+    10,
+    3,
+    12,
+    6,
+    11,
+    3,
+    7,
+    0,
+    13,
+    5,
+    10,
+    14,
+    15,
+    8,
+    12,
+    4,
+    9,
+    1,
+    2,
+    15,
+    5,
+    1,
+    3,
+    7,
+    14,
+    6,
+    9,
+    11,
+    8,
+    12,
+    2,
+    10,
+    0,
+    4,
+    13,
+    8,
+    6,
+    4,
+    1,
+    3,
+    11,
+    15,
+    0,
+    5,
+    12,
+    2,
+    13,
+    9,
+    7,
+    10,
+    14,
+    12,
+    15,
+    10,
+    4,
+    1,
+    5,
+    8,
+    7,
+    6,
+    2,
+    13,
+    14,
+    0,
+    3,
+    9,
+    11
+  ],
+  // Rotation amounts
+  SL: [
+    11,
+    14,
+    15,
+    12,
+    5,
+    8,
+    7,
+    9,
+    11,
+    13,
+    14,
+    15,
+    6,
+    7,
+    9,
+    8,
+    7,
+    6,
+    8,
+    13,
+    11,
+    9,
+    7,
+    15,
+    7,
+    12,
+    15,
+    9,
+    11,
+    7,
+    13,
+    12,
+    11,
+    13,
+    6,
+    7,
+    14,
+    9,
+    13,
+    15,
+    14,
+    8,
+    13,
+    6,
+    5,
+    12,
+    7,
+    5,
+    11,
+    12,
+    14,
+    15,
+    14,
+    15,
+    9,
+    8,
+    9,
+    14,
+    5,
+    6,
+    8,
+    6,
+    5,
+    12,
+    9,
+    15,
+    5,
+    11,
+    6,
+    8,
+    13,
+    12,
+    5,
+    12,
+    13,
+    14,
+    11,
+    8,
+    5,
+    6
+  ],
+  SR: [
+    8,
+    9,
+    9,
+    11,
+    13,
+    15,
+    15,
+    5,
+    7,
+    7,
+    8,
+    11,
+    14,
+    14,
+    12,
+    6,
+    9,
+    13,
+    15,
+    7,
+    12,
+    8,
+    9,
+    11,
+    7,
+    7,
+    12,
+    7,
+    6,
+    15,
+    13,
+    11,
+    9,
+    7,
+    15,
+    11,
+    8,
+    6,
+    6,
+    14,
+    12,
+    13,
+    5,
+    14,
+    13,
+    13,
+    7,
+    5,
+    15,
+    5,
+    8,
+    11,
+    14,
+    14,
+    6,
+    14,
+    6,
+    9,
+    12,
+    9,
+    12,
+    5,
+    15,
+    8,
+    8,
+    5,
+    12,
+    9,
+    12,
+    5,
+    14,
+    6,
+    8,
+    13,
+    6,
+    5,
+    15,
+    13,
+    11,
+    11
+  ]
+};
+function rotl32(x, n) {
+  return (x << n | x >>> 32 - n) >>> 0;
+}
+function f(j, x, y, z) {
+  if (j < 16) return (x ^ y ^ z) >>> 0;
+  if (j < 32) return (x & y | ~x & z) >>> 0;
+  if (j < 48) return ((x | ~y) ^ z) >>> 0;
+  if (j < 64) return (x & z | y & ~z) >>> 0;
+  return (x ^ (y | ~z)) >>> 0;
+}
+function ripemd160(message) {
+  const msgLen = message.length;
+  const bitLen = msgLen * 8;
+  const padLen = (55 - msgLen % 64 + 64) % 64 + 1;
+  const padded = new Uint8Array(msgLen + padLen + 8);
+  padded.set(message);
+  padded[msgLen] = 128;
+  const view = new DataView(padded.buffer);
+  view.setUint32(padded.length - 8, bitLen >>> 0, true);
+  view.setUint32(padded.length - 4, bitLen / 4294967296 >>> 0, true);
+  let h0 = 1732584193;
+  let h1 = 4023233417;
+  let h2 = 2562383102;
+  let h3 = 271733878;
+  let h4 = 3285377520;
+  const { KL, KR, RL, RR, SL, SR } = RIPEMD160_CONSTANTS;
+  for (let offset = 0; offset < padded.length; offset += 64) {
+    const w = new Uint32Array(16);
+    for (let i = 0; i < 16; i++) {
+      w[i] = view.getUint32(offset + i * 4, true);
+    }
+    let al = h0, bl = h1, cl = h2, dl = h3, el = h4;
+    let ar = h0, br = h1, cr = h2, dr = h3, er = h4;
+    for (let j = 0; j < 80; j++) {
+      const round = j >>> 4;
+      let t2 = al + f(j, bl, cl, dl) + w[RL[j]] + KL[round] >>> 0;
+      t2 = rotl32(t2, SL[j]) + el >>> 0;
+      al = el;
+      el = dl;
+      dl = rotl32(cl, 10);
+      cl = bl;
+      bl = t2;
+      t2 = ar + f(79 - j, br, cr, dr) + w[RR[j]] + KR[round] >>> 0;
+      t2 = rotl32(t2, SR[j]) + er >>> 0;
+      ar = er;
+      er = dr;
+      dr = rotl32(cr, 10);
+      cr = br;
+      br = t2;
+    }
+    const t = h1 + cl + dr >>> 0;
+    h1 = h2 + dl + er >>> 0;
+    h2 = h3 + el + ar >>> 0;
+    h3 = h4 + al + br >>> 0;
+    h4 = h0 + bl + cr >>> 0;
+    h0 = t;
+  }
+  const digest = new Uint8Array(20);
+  const dv = new DataView(digest.buffer);
+  dv.setUint32(0, h0, true);
+  dv.setUint32(4, h1, true);
+  dv.setUint32(8, h2, true);
+  dv.setUint32(12, h3, true);
+  dv.setUint32(16, h4, true);
+  return digest;
+}
+async function hash160(data) {
+  const sha256 = new Uint8Array(await crypto.subtle.digest("SHA-256", data));
+  return ripemd160(sha256);
+}
+async function pubkeyToP2PKHLockingScript(pubkeyHex) {
+  const pubkeyBytes = hexToBytes(pubkeyHex);
+  const pubkeyHash = await hash160(pubkeyBytes);
+  return `76a914${bytesToHex(pubkeyHash)}88ac`;
+}
+async function createDerivationSuffix(wallet) {
+  const randomBytes = new Uint8Array(16);
+  crypto.getRandomValues(randomBytes);
+  const firstHalf = Array.from(randomBytes);
+  const keyID = new TextDecoder().decode(randomBytes);
+  const { hmac } = await wallet.createHmac({
+    data: firstHalf,
+    protocolID: [2, "server hmac"],
+    keyID,
+    counterparty: "self"
+  });
+  const nonceBytes = [...firstHalf, ...hmac];
+  return numberArrayToBase64(nonceBytes);
+}
+async function constructBrc105Proof(challenge, wallet) {
+  const derivationSuffix = await createDerivationSuffix(wallet);
+  const keyID = `${challenge.derivationPrefix} ${derivationSuffix}`;
+  const { publicKey: derivedPublicKey } = await wallet.getPublicKey({
+    protocolID: [2, "3241645161d8"],
+    keyID,
+    counterparty: challenge.serverIdentityKey
+  });
+  const lockingScript = await pubkeyToP2PKHLockingScript(derivedPublicKey);
+  const result = await wallet.createAction({
+    description: "BRC-105 payment",
+    outputs: [{
+      satoshis: challenge.satoshisRequired,
+      lockingScript,
+      description: "BRC-105 payment output",
+      customInstructions: JSON.stringify({
+        derivationPrefix: challenge.derivationPrefix,
+        derivationSuffix,
+        payee: challenge.serverIdentityKey
+      })
+    }],
+    options: {
+      randomizeOutputs: false
+    }
+  });
+  let transactionBase64;
+  if (result.tx && Array.isArray(result.tx) && result.tx.length > 0) {
+    transactionBase64 = numberArrayToBase64(result.tx);
+  } else if (result.rawTx && typeof result.rawTx === "string" && result.rawTx.length > 0) {
+    transactionBase64 = bytesToBase64(hexToBytes(result.rawTx));
+  } else {
+    throw new Error("Wallet returned no transaction data (neither tx nor rawTx)");
+  }
+  return {
+    derivationPrefix: challenge.derivationPrefix,
+    derivationSuffix,
+    transaction: transactionBase64,
+    txid: result.txid
+  };
+}
+
 // src/challenge.ts
 function parseChallenge(header) {
   let parsed;
@@ -214,28 +735,29 @@ var RateLimiter = class {
     this.broken = state?.circuitBroken ?? false;
     this.now = now ?? Date.now;
   }
-  check(challenge, origin) {
+  check(request, origin) {
     if (this.broken) {
       return { action: "block", reason: "Circuit breaker tripped \u2014 call resetLimits() to clear", severity: "trip" };
     }
-    if (!Number.isFinite(challenge.amount) || !Number.isInteger(challenge.amount) || challenge.amount <= 0) {
+    const amount = request.amount;
+    if (!Number.isFinite(amount) || !Number.isInteger(amount) || amount <= 0) {
       return { action: "block", reason: "Invalid transaction amount rejected", severity: "reject" };
     }
-    if (challenge.amount > BFG_PER_TX_CEILING_SATOSHIS) {
+    if (amount > BFG_PER_TX_CEILING_SATOSHIS) {
       return { action: "block", reason: `Exceeds BFG per-tx ceiling (${BFG_PER_TX_CEILING_SATOSHIS} sats)`, severity: "reject" };
     }
     const dayAgo = this.now() - WINDOW_MS.day;
     const dailyTotal = this.sumSatoshis(dayAgo);
-    if (dailyTotal + challenge.amount > BFG_DAILY_CEILING_SATOSHIS) {
+    if (dailyTotal + amount > BFG_DAILY_CEILING_SATOSHIS) {
       return { action: "block", reason: `Exceeds BFG daily ceiling (${BFG_DAILY_CEILING_SATOSHIS} sats)`, severity: "trip" };
     }
-    if (challenge.amount > this.limits.perTxMaxSatoshis) {
+    if (amount > this.limits.perTxMaxSatoshis) {
       return { action: "block", reason: `Exceeds per-tx limit (${this.limits.perTxMaxSatoshis} sats)`, severity: "reject" };
     }
     const isCustomSite = this.hasCustomPolicy(origin);
     const effectiveLimits = this.effectiveWindows(origin);
     const effectivePerTx = this.effectivePerTxMax(origin);
-    if (effectivePerTx !== void 0 && challenge.amount > effectivePerTx) {
+    if (effectivePerTx !== void 0 && amount > effectivePerTx) {
       return { action: "block", reason: `Exceeds per-tx limit for ${origin} (${effectivePerTx} sats)`, severity: "reject" };
     }
     let yellowLight;
@@ -244,19 +766,19 @@ var RateLimiter = class {
       const windowEntries = this.entriesInWindow(cutoff, isCustomSite ? origin : void 0);
       const totalSats = windowEntries.reduce((sum, e) => sum + e.satoshis, 0);
       const totalTx = windowEntries.length;
-      if (totalSats + challenge.amount > wl.maxSatoshis) {
+      if (totalSats + amount > wl.maxSatoshis) {
         return { action: "block", reason: `Exceeds ${wl.window} sats limit (${wl.maxSatoshis})`, severity: "window" };
       }
       if (totalTx + 1 > wl.maxTransactions) {
         return { action: "block", reason: `Exceeds ${wl.window} tx count limit (${wl.maxTransactions})`, severity: "window" };
       }
-      if (this.limits.yellowLightThreshold < 1 && !yellowLight && totalSats + challenge.amount > wl.maxSatoshis * this.limits.yellowLightThreshold) {
+      if (this.limits.yellowLightThreshold < 1 && !yellowLight && totalSats + amount > wl.maxSatoshis * this.limits.yellowLightThreshold) {
         yellowLight = {
           origin,
           currentSpend: totalSats,
           limit: wl.maxSatoshis,
           window: wl.window,
-          challenge
+          challenge: request
         };
       }
     }
@@ -531,6 +1053,8 @@ function createX402Fetch(config = {}) {
   const storage = config.storage ?? new LocalStorageAdapter();
   const twoFactor = config.twoFactorProvider;
   const constructProof = config.proofConstructor ?? defaultConstructProof;
+  const brc105ProofConstructor = config.brc105ProofConstructor;
+  const brc105Wallet = config.brc105Wallet;
   const nowFn = config.now ?? Date.now;
   const mutex = createMutex();
   const needs2fa = limits.require2fa;
@@ -552,76 +1076,135 @@ function createX402Fetch(config = {}) {
     await storage.save(rl.getState());
     await storage.saveSitePolicies(limits.sitePolicies);
   }
-  const fetchFn = async function x402Fetch2(input, init) {
-    const response = await fetch(input, init);
-    if (response.status !== 402) return response;
-    const challengeHeader = response.headers.get("X402-Challenge");
-    if (!challengeHeader) return response;
-    let challenge;
-    try {
-      challenge = parseChallenge(challengeHeader);
-    } catch {
-      return response;
-    }
-    const origin = extractOrigin(input);
+  async function handlePaymentFlow(originalResponse, input, init, origin, amount, protocol, buildProof, retryWithProof, makeLedgerEntry) {
     return mutex(async () => {
       const rl = await ensureInitialised();
       const sitePolicy = await resolveSitePolicy(origin, limits, twoFactor);
-      if (sitePolicy.action === "block") return response;
+      if (sitePolicy.action === "block") return originalResponse;
       if (!limits.sitePolicies[origin]) {
         limits.sitePolicies[origin] = sitePolicy;
         await storage.saveSitePolicies(limits.sitePolicies);
       }
-      const result = rl.check(challenge, origin);
+      const spendCheckable = { amount, origin, protocol };
+      const result = rl.check(spendCheckable, origin);
       if (result.action === "block") {
         if (result.severity === "trip") {
           rl.trip();
           await persist(rl);
           config.onLimitReached?.(result.reason);
-          return response;
+          return originalResponse;
         }
         if (result.severity === "window" && twoFactor) {
           config.onLimitReached?.(result.reason);
           const override = await twoFactor.verify({
             type: "limit-override",
-            amount: challenge.amount,
+            amount,
             origin,
             reason: result.reason
           });
           if (override) {
           } else {
-            return response;
+            return originalResponse;
           }
         } else {
           config.onLimitReached?.(result.reason);
-          return response;
+          return originalResponse;
         }
       }
       if (result.action === "yellow-light") {
         const proceed = config.onYellowLight ? await config.onYellowLight(result.detail) : false;
-        if (!proceed) return response;
+        if (!proceed) return originalResponse;
       }
-      if (limits.require2fa.onHighValueTx && challenge.amount > limits.require2fa.highValueThreshold) {
-        if (!twoFactor) return response;
+      if (limits.require2fa.onHighValueTx && amount > limits.require2fa.highValueThreshold) {
+        if (!twoFactor) return originalResponse;
         const verified = await twoFactor.verify({
           type: "high-value-tx",
-          amount: challenge.amount,
+          amount,
           origin
         });
-        if (!verified) return response;
+        if (!verified) return originalResponse;
       }
-      const proof = await constructProof(challenge);
-      rl.record({
-        timestamp: nowFn(),
-        origin,
-        satoshis: challenge.amount,
-        txid: proof.txid
-      });
+      let proof;
+      try {
+        proof = await buildProof();
+      } catch {
+        return originalResponse;
+      }
+      rl.record(makeLedgerEntry(proof));
       await persist(rl);
-      const headers = new Headers(init?.headers);
-      headers.set("X402-Proof", JSON.stringify(proof));
-      return fetch(input, { ...init, headers });
+      return retryWithProof(proof);
     });
+  }
+  const fetchFn = async function x402Fetch2(input, init) {
+    const response = await fetch(input, init);
+    if (response.status !== 402) return response;
+    const origin = extractOrigin(input);
+    const challengeHeader = response.headers.get("X402-Challenge");
+    if (challengeHeader) {
+      let challenge;
+      try {
+        challenge = parseChallenge(challengeHeader);
+      } catch {
+        return response;
+      }
+      return handlePaymentFlow(
+        response,
+        input,
+        init,
+        origin,
+        challenge.amount,
+        "x402",
+        async () => constructProof(challenge),
+        (proof) => {
+          const headers = new Headers(init?.headers);
+          headers.set("X402-Proof", JSON.stringify(proof));
+          return fetch(input, { ...init, headers });
+        },
+        (proof) => ({
+          timestamp: nowFn(),
+          origin,
+          satoshis: challenge.amount,
+          txid: proof.txid
+        })
+      );
+    }
+    const brc105Version = response.headers.get("x-bsv-payment-version");
+    if (brc105Version) {
+      if (!brc105ProofConstructor && !brc105Wallet) return response;
+      let brc105Challenge;
+      try {
+        brc105Challenge = parseBrc105Challenge(response);
+      } catch {
+        return response;
+      }
+      return handlePaymentFlow(
+        response,
+        input,
+        init,
+        origin,
+        brc105Challenge.satoshisRequired,
+        "brc105",
+        async () => {
+          if (brc105ProofConstructor) {
+            return brc105ProofConstructor(brc105Challenge);
+          }
+          return constructBrc105Proof(brc105Challenge, brc105Wallet);
+        },
+        (proof) => {
+          const headers = new Headers(init?.headers);
+          headers.set("x-bsv-payment", JSON.stringify(proof));
+          return fetch(input, { ...init, headers });
+        },
+        (proof) => ({
+          timestamp: nowFn(),
+          origin,
+          satoshis: brc105Challenge.satoshisRequired,
+          txid: proof.txid,
+          protocol: "brc105"
+        })
+      );
+    }
+    return response;
   };
   fetchFn.resetLimits = async () => {
     const rl = await ensureInitialised();
@@ -725,7 +1308,9 @@ export {
   RateLimiter,
   TIER_PRESETS,
   WalletTwoFactorProvider,
+  constructBrc105Proof,
   createX402Fetch,
+  parseBrc105Challenge,
   parseChallenge,
   resolveSitePolicy,
   resolveSpendLimits,