npm - bsv-x402 - Versions diffs - 0.2.0 → 0.4.1 - Mend

bsv-x402 0.2.0 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.cjs CHANGED Viewed

@@ -26,7 +26,9 @@ __export(index_exports, {
   RateLimiter: () => RateLimiter,
   TIER_PRESETS: () => TIER_PRESETS,
   WalletTwoFactorProvider: () => WalletTwoFactorProvider,
+  constructBrc105Proof: () => constructBrc105Proof,
   createX402Fetch: () => createX402Fetch,
+  parseBrc105Challenge: () => parseBrc105Challenge,
   parseChallenge: () => parseChallenge,
   resolveSitePolicy: () => resolveSitePolicy,
   resolveSpendLimits: () => resolveSpendLimits,
@@ -34,6 +36,534 @@ __export(index_exports, {
 });
 module.exports = __toCommonJS(index_exports);
+// src/brc105-challenge.ts
+function parseBrc105Challenge(response) {
+  const version = response.headers.get("x-bsv-payment-version");
+  if (version === null) {
+    throw new Error("BRC-105: missing x-bsv-payment-version header");
+  }
+  if (version !== "1.0") {
+    throw new Error(`BRC-105: unsupported version "${version}", expected "1.0"`);
+  }
+  const satoshisRaw = response.headers.get("x-bsv-payment-satoshis-required");
+  if (satoshisRaw === null) {
+    throw new Error("BRC-105: missing x-bsv-payment-satoshis-required header");
+  }
+  const satoshisRequired = Number(satoshisRaw);
+  if (!Number.isFinite(satoshisRequired) || !Number.isInteger(satoshisRequired) || satoshisRequired <= 0) {
+    throw new Error("BRC-105: satoshis-required must be a positive integer");
+  }
+  const authIdentityKey = response.headers.get("x-bsv-auth-identity-key") || null;
+  const paymentIdentityKey = response.headers.get("x-bsv-payment-identity-key") || null;
+  const authenticated = authIdentityKey !== null && authIdentityKey.length > 0;
+  const serverIdentityKey = authIdentityKey || paymentIdentityKey;
+  if (serverIdentityKey === null || serverIdentityKey.length === 0) {
+    throw new Error("BRC-105: missing identity key (expected x-bsv-auth-identity-key or x-bsv-payment-identity-key)");
+  }
+  if (!/^0[23][0-9a-fA-F]{64}$/.test(serverIdentityKey)) {
+    throw new Error("BRC-105: identity key must be a 33-byte compressed public key (hex)");
+  }
+  const derivationPrefix = response.headers.get("x-bsv-payment-derivation-prefix");
+  if (derivationPrefix === null || derivationPrefix.length === 0) {
+    throw new Error("BRC-105: missing or empty x-bsv-payment-derivation-prefix header");
+  }
+  return {
+    version,
+    satoshisRequired,
+    serverIdentityKey,
+    derivationPrefix,
+    authenticated
+  };
+}
+// src/brc105-proof.ts
+function bytesToHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function hexToBytes(hex) {
+  if (hex.length % 2 !== 0) throw new Error("Hex string must have even length");
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.slice(i, i + 2), 16);
+  }
+  return bytes;
+}
+function bytesToBase64(bytes) {
+  let binary = "";
+  for (const b of bytes) binary += String.fromCharCode(b);
+  return btoa(binary);
+}
+function numberArrayToBase64(arr) {
+  return bytesToBase64(new Uint8Array(arr));
+}
+var RIPEMD160_CONSTANTS = {
+  // Round constants for left and right paths
+  KL: [0, 1518500249, 1859775393, 2400959708, 2840853838],
+  KR: [1352829926, 1548603684, 1836072691, 2053994217, 0],
+  // Message schedule (word index per step)
+  RL: [
+    0,
+    1,
+    2,
+    3,
+    4,
+    5,
+    6,
+    7,
+    8,
+    9,
+    10,
+    11,
+    12,
+    13,
+    14,
+    15,
+    7,
+    4,
+    13,
+    1,
+    10,
+    6,
+    15,
+    3,
+    12,
+    0,
+    9,
+    5,
+    2,
+    14,
+    11,
+    8,
+    3,
+    10,
+    14,
+    4,
+    9,
+    15,
+    8,
+    1,
+    2,
+    7,
+    0,
+    6,
+    13,
+    11,
+    5,
+    12,
+    1,
+    9,
+    11,
+    10,
+    0,
+    8,
+    12,
+    4,
+    13,
+    3,
+    7,
+    15,
+    14,
+    5,
+    6,
+    2,
+    4,
+    0,
+    5,
+    9,
+    7,
+    12,
+    2,
+    10,
+    14,
+    1,
+    3,
+    8,
+    11,
+    6,
+    15,
+    13
+  ],
+  RR: [
+    5,
+    14,
+    7,
+    0,
+    9,
+    2,
+    11,
+    4,
+    13,
+    6,
+    15,
+    8,
+    1,
+    10,
+    3,
+    12,
+    6,
+    11,
+    3,
+    7,
+    0,
+    13,
+    5,
+    10,
+    14,
+    15,
+    8,
+    12,
+    4,
+    9,
+    1,
+    2,
+    15,
+    5,
+    1,
+    3,
+    7,
+    14,
+    6,
+    9,
+    11,
+    8,
+    12,
+    2,
+    10,
+    0,
+    4,
+    13,
+    8,
+    6,
+    4,
+    1,
+    3,
+    11,
+    15,
+    0,
+    5,
+    12,
+    2,
+    13,
+    9,
+    7,
+    10,
+    14,
+    12,
+    15,
+    10,
+    4,
+    1,
+    5,
+    8,
+    7,
+    6,
+    2,
+    13,
+    14,
+    0,
+    3,
+    9,
+    11
+  ],
+  // Rotation amounts
+  SL: [
+    11,
+    14,
+    15,
+    12,
+    5,
+    8,
+    7,
+    9,
+    11,
+    13,
+    14,
+    15,
+    6,
+    7,
+    9,
+    8,
+    7,
+    6,
+    8,
+    13,
+    11,
+    9,
+    7,
+    15,
+    7,
+    12,
+    15,
+    9,
+    11,
+    7,
+    13,
+    12,
+    11,
+    13,
+    6,
+    7,
+    14,
+    9,
+    13,
+    15,
+    14,
+    8,
+    13,
+    6,
+    5,
+    12,
+    7,
+    5,
+    11,
+    12,
+    14,
+    15,
+    14,
+    15,
+    9,
+    8,
+    9,
+    14,
+    5,
+    6,
+    8,
+    6,
+    5,
+    12,
+    9,
+    15,
+    5,
+    11,
+    6,
+    8,
+    13,
+    12,
+    5,
+    12,
+    13,
+    14,
+    11,
+    8,
+    5,
+    6
+  ],
+  SR: [
+    8,
+    9,
+    9,
+    11,
+    13,
+    15,
+    15,
+    5,
+    7,
+    7,
+    8,
+    11,
+    14,
+    14,
+    12,
+    6,
+    9,
+    13,
+    15,
+    7,
+    12,
+    8,
+    9,
+    11,
+    7,
+    7,
+    12,
+    7,
+    6,
+    15,
+    13,
+    11,
+    9,
+    7,
+    15,
+    11,
+    8,
+    6,
+    6,
+    14,
+    12,
+    13,
+    5,
+    14,
+    13,
+    13,
+    7,
+    5,
+    15,
+    5,
+    8,
+    11,
+    14,
+    14,
+    6,
+    14,
+    6,
+    9,
+    12,
+    9,
+    12,
+    5,
+    15,
+    8,
+    8,
+    5,
+    12,
+    9,
+    12,
+    5,
+    14,
+    6,
+    8,
+    13,
+    6,
+    5,
+    15,
+    13,
+    11,
+    11
+  ]
+};
+function rotl32(x, n) {
+  return (x << n | x >>> 32 - n) >>> 0;
+}
+function f(j, x, y, z) {
+  if (j < 16) return (x ^ y ^ z) >>> 0;
+  if (j < 32) return (x & y | ~x & z) >>> 0;
+  if (j < 48) return ((x | ~y) ^ z) >>> 0;
+  if (j < 64) return (x & z | y & ~z) >>> 0;
+  return (x ^ (y | ~z)) >>> 0;
+}
+function ripemd160(message) {
+  const msgLen = message.length;
+  const bitLen = msgLen * 8;
+  const padLen = (55 - msgLen % 64 + 64) % 64 + 1;
+  const padded = new Uint8Array(msgLen + padLen + 8);
+  padded.set(message);
+  padded[msgLen] = 128;
+  const view = new DataView(padded.buffer);
+  view.setUint32(padded.length - 8, bitLen >>> 0, true);
+  view.setUint32(padded.length - 4, bitLen / 4294967296 >>> 0, true);
+  let h0 = 1732584193;
+  let h1 = 4023233417;
+  let h2 = 2562383102;
+  let h3 = 271733878;
+  let h4 = 3285377520;
+  const { KL, KR, RL, RR, SL, SR } = RIPEMD160_CONSTANTS;
+  for (let offset = 0; offset < padded.length; offset += 64) {
+    const w = new Uint32Array(16);
+    for (let i = 0; i < 16; i++) {
+      w[i] = view.getUint32(offset + i * 4, true);
+    }
+    let al = h0, bl = h1, cl = h2, dl = h3, el = h4;
+    let ar = h0, br = h1, cr = h2, dr = h3, er = h4;
+    for (let j = 0; j < 80; j++) {
+      const round = j >>> 4;
+      let t2 = al + f(j, bl, cl, dl) + w[RL[j]] + KL[round] >>> 0;
+      t2 = rotl32(t2, SL[j]) + el >>> 0;
+      al = el;
+      el = dl;
+      dl = rotl32(cl, 10);
+      cl = bl;
+      bl = t2;
+      t2 = ar + f(79 - j, br, cr, dr) + w[RR[j]] + KR[round] >>> 0;
+      t2 = rotl32(t2, SR[j]) + er >>> 0;
+      ar = er;
+      er = dr;
+      dr = rotl32(cr, 10);
+      cr = br;
+      br = t2;
+    }
+    const t = h1 + cl + dr >>> 0;
+    h1 = h2 + dl + er >>> 0;
+    h2 = h3 + el + ar >>> 0;
+    h3 = h4 + al + br >>> 0;
+    h4 = h0 + bl + cr >>> 0;
+    h0 = t;
+  }
+  const digest = new Uint8Array(20);
+  const dv = new DataView(digest.buffer);
+  dv.setUint32(0, h0, true);
+  dv.setUint32(4, h1, true);
+  dv.setUint32(8, h2, true);
+  dv.setUint32(12, h3, true);
+  dv.setUint32(16, h4, true);
+  return digest;
+}
+async function hash160(data) {
+  const sha256 = new Uint8Array(await crypto.subtle.digest("SHA-256", data));
+  return ripemd160(sha256);
+}
+async function pubkeyToP2PKHLockingScript(pubkeyHex) {
+  const pubkeyBytes = hexToBytes(pubkeyHex);
+  const pubkeyHash = await hash160(pubkeyBytes);
+  return `76a914${bytesToHex(pubkeyHash)}88ac`;
+}
+async function createDerivationSuffix(wallet) {
+  const randomBytes = new Uint8Array(16);
+  crypto.getRandomValues(randomBytes);
+  const firstHalf = Array.from(randomBytes);
+  const keyID = new TextDecoder().decode(randomBytes);
+  const { hmac } = await wallet.createHmac({
+    data: firstHalf,
+    protocolID: [2, "server hmac"],
+    keyID,
+    counterparty: "self"
+  });
+  const nonceBytes = [...firstHalf, ...hmac];
+  return numberArrayToBase64(nonceBytes);
+}
+async function constructBrc105Proof(challenge, wallet, origin) {
+  const { publicKey: clientIdentityKey } = await wallet.getPublicKey({ identityKey: true });
+  const derivationSuffix = await createDerivationSuffix(wallet);
+  const keyID = `${challenge.derivationPrefix} ${derivationSuffix}`;
+  const { publicKey: derivedPublicKey } = await wallet.getPublicKey({
+    protocolID: [2, "3241645161d8"],
+    keyID,
+    counterparty: challenge.serverIdentityKey
+  });
+  const lockingScript = await pubkeyToP2PKHLockingScript(derivedPublicKey);
+  const description = origin ? `Payment for request to ${origin}` : "BRC-105 payment";
+  const result = await wallet.createAction({
+    description,
+    outputs: [{
+      satoshis: challenge.satoshisRequired,
+      lockingScript,
+      outputDescription: "HTTP request payment",
+      customInstructions: JSON.stringify({
+        derivationPrefix: challenge.derivationPrefix,
+        derivationSuffix,
+        payee: challenge.serverIdentityKey
+      })
+    }],
+    options: {
+      randomizeOutputs: false
+    }
+  });
+  let transactionBase64;
+  if (result.tx && Array.isArray(result.tx) && result.tx.length > 0) {
+    transactionBase64 = numberArrayToBase64(result.tx);
+  } else if (result.rawTx && typeof result.rawTx === "string" && result.rawTx.length > 0) {
+    transactionBase64 = bytesToBase64(hexToBytes(result.rawTx));
+  } else {
+    throw new Error("Wallet returned no transaction data (neither tx nor rawTx)");
+  }
+  return {
+    derivationPrefix: challenge.derivationPrefix,
+    derivationSuffix,
+    transaction: transactionBase64,
+    clientIdentityKey,
+    txid: result.txid
+  };
+}
 // src/challenge.ts
 function parseChallenge(header) {
   let parsed;
@@ -250,28 +780,29 @@ var RateLimiter = class {
     this.broken = state?.circuitBroken ?? false;
     this.now = now ?? Date.now;
   }
-  check(challenge, origin) {
+  check(request, origin) {
     if (this.broken) {
       return { action: "block", reason: "Circuit breaker tripped \u2014 call resetLimits() to clear", severity: "trip" };
     }
-    if (!Number.isFinite(challenge.amount) || !Number.isInteger(challenge.amount) || challenge.amount <= 0) {
+    const amount = request.amount;
+    if (!Number.isFinite(amount) || !Number.isInteger(amount) || amount <= 0) {
       return { action: "block", reason: "Invalid transaction amount rejected", severity: "reject" };
     }
-    if (challenge.amount > BFG_PER_TX_CEILING_SATOSHIS) {
+    if (amount > BFG_PER_TX_CEILING_SATOSHIS) {
       return { action: "block", reason: `Exceeds BFG per-tx ceiling (${BFG_PER_TX_CEILING_SATOSHIS} sats)`, severity: "reject" };
     }
     const dayAgo = this.now() - WINDOW_MS.day;
     const dailyTotal = this.sumSatoshis(dayAgo);
-    if (dailyTotal + challenge.amount > BFG_DAILY_CEILING_SATOSHIS) {
+    if (dailyTotal + amount > BFG_DAILY_CEILING_SATOSHIS) {
       return { action: "block", reason: `Exceeds BFG daily ceiling (${BFG_DAILY_CEILING_SATOSHIS} sats)`, severity: "trip" };
     }
-    if (challenge.amount > this.limits.perTxMaxSatoshis) {
+    if (amount > this.limits.perTxMaxSatoshis) {
       return { action: "block", reason: `Exceeds per-tx limit (${this.limits.perTxMaxSatoshis} sats)`, severity: "reject" };
     }
     const isCustomSite = this.hasCustomPolicy(origin);
     const effectiveLimits = this.effectiveWindows(origin);
     const effectivePerTx = this.effectivePerTxMax(origin);
-    if (effectivePerTx !== void 0 && challenge.amount > effectivePerTx) {
+    if (effectivePerTx !== void 0 && amount > effectivePerTx) {
       return { action: "block", reason: `Exceeds per-tx limit for ${origin} (${effectivePerTx} sats)`, severity: "reject" };
     }
     let yellowLight;
@@ -280,19 +811,19 @@ var RateLimiter = class {
       const windowEntries = this.entriesInWindow(cutoff, isCustomSite ? origin : void 0);
       const totalSats = windowEntries.reduce((sum, e) => sum + e.satoshis, 0);
       const totalTx = windowEntries.length;
-      if (totalSats + challenge.amount > wl.maxSatoshis) {
+      if (totalSats + amount > wl.maxSatoshis) {
         return { action: "block", reason: `Exceeds ${wl.window} sats limit (${wl.maxSatoshis})`, severity: "window" };
       }
       if (totalTx + 1 > wl.maxTransactions) {
         return { action: "block", reason: `Exceeds ${wl.window} tx count limit (${wl.maxTransactions})`, severity: "window" };
       }
-      if (this.limits.yellowLightThreshold < 1 && !yellowLight && totalSats + challenge.amount > wl.maxSatoshis * this.limits.yellowLightThreshold) {
+      if (this.limits.yellowLightThreshold < 1 && !yellowLight && totalSats + amount > wl.maxSatoshis * this.limits.yellowLightThreshold) {
         yellowLight = {
           origin,
           currentSpend: totalSats,
           limit: wl.maxSatoshis,
           window: wl.window,
-          challenge
+          challenge: request
         };
       }
     }
@@ -567,6 +1098,8 @@ function createX402Fetch(config = {}) {
   const storage = config.storage ?? new LocalStorageAdapter();
   const twoFactor = config.twoFactorProvider;
   const constructProof = config.proofConstructor ?? defaultConstructProof;
+  const brc105ProofConstructor = config.brc105ProofConstructor;
+  const brc105Wallet = config.brc105Wallet;
   const nowFn = config.now ?? Date.now;
   const mutex = createMutex();
   const needs2fa = limits.require2fa;
@@ -588,76 +1121,150 @@ function createX402Fetch(config = {}) {
     await storage.save(rl.getState());
     await storage.saveSitePolicies(limits.sitePolicies);
   }
-  const fetchFn = async function x402Fetch2(input, init) {
-    const response = await fetch(input, init);
-    if (response.status !== 402) return response;
-    const challengeHeader = response.headers.get("X402-Challenge");
-    if (!challengeHeader) return response;
-    let challenge;
-    try {
-      challenge = parseChallenge(challengeHeader);
-    } catch {
-      return response;
-    }
-    const origin = extractOrigin(input);
+  async function handlePaymentFlow(originalResponse, input, init, origin, amount, protocol, buildProof, retryWithProof, makeLedgerEntry) {
     return mutex(async () => {
       const rl = await ensureInitialised();
       const sitePolicy = await resolveSitePolicy(origin, limits, twoFactor);
-      if (sitePolicy.action === "block") return response;
+      if (sitePolicy.action === "block") return originalResponse;
       if (!limits.sitePolicies[origin]) {
         limits.sitePolicies[origin] = sitePolicy;
         await storage.saveSitePolicies(limits.sitePolicies);
       }
-      const result = rl.check(challenge, origin);
+      const spendCheckable = { amount, origin, protocol };
+      const result = rl.check(spendCheckable, origin);
       if (result.action === "block") {
         if (result.severity === "trip") {
           rl.trip();
           await persist(rl);
           config.onLimitReached?.(result.reason);
-          return response;
+          return originalResponse;
         }
         if (result.severity === "window" && twoFactor) {
           config.onLimitReached?.(result.reason);
           const override = await twoFactor.verify({
             type: "limit-override",
-            amount: challenge.amount,
+            amount,
             origin,
             reason: result.reason
           });
           if (override) {
           } else {
-            return response;
+            return originalResponse;
           }
         } else {
           config.onLimitReached?.(result.reason);
-          return response;
+          return originalResponse;
         }
       }
       if (result.action === "yellow-light") {
         const proceed = config.onYellowLight ? await config.onYellowLight(result.detail) : false;
-        if (!proceed) return response;
+        if (!proceed) return originalResponse;
       }
-      if (limits.require2fa.onHighValueTx && challenge.amount > limits.require2fa.highValueThreshold) {
-        if (!twoFactor) return response;
+      if (limits.require2fa.onHighValueTx && amount > limits.require2fa.highValueThreshold) {
+        if (!twoFactor) return originalResponse;
         const verified = await twoFactor.verify({
           type: "high-value-tx",
-          amount: challenge.amount,
+          amount,
           origin
         });
-        if (!verified) return response;
+        if (!verified) return originalResponse;
       }
-      const proof = await constructProof(challenge);
-      rl.record({
-        timestamp: nowFn(),
-        origin,
-        satoshis: challenge.amount,
-        txid: proof.txid
-      });
+      let proof;
+      try {
+        proof = await buildProof();
+      } catch (err) {
+        console.error(`[x402] Proof construction failed (${protocol}):`, err);
+        config.onProofError?.(err, protocol);
+        return originalResponse;
+      }
+      rl.record(makeLedgerEntry(proof));
       await persist(rl);
-      const headers = new Headers(init?.headers);
-      headers.set("X402-Proof", JSON.stringify(proof));
-      return fetch(input, { ...init, headers });
+      const maxAttempts = 3;
+      for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+        try {
+          return await retryWithProof(proof);
+        } catch (err) {
+          if (attempt >= maxAttempts) {
+            console.error(`[x402] Paid request failed after ${maxAttempts} attempts (${protocol}):`, err);
+            return originalResponse;
+          }
+          await new Promise((r) => setTimeout(r, 250 * Math.pow(2, attempt)));
+        }
+      }
+      return originalResponse;
     });
+  }
+  const fetchFn = async function x402Fetch2(input, init) {
+    const response = await fetch(input, init);
+    if (response.status !== 402) return response;
+    const origin = extractOrigin(input);
+    const challengeHeader = response.headers.get("X402-Challenge");
+    if (challengeHeader) {
+      let challenge;
+      try {
+        challenge = parseChallenge(challengeHeader);
+      } catch {
+        return response;
+      }
+      return handlePaymentFlow(
+        response,
+        input,
+        init,
+        origin,
+        challenge.amount,
+        "x402",
+        async () => constructProof(challenge),
+        (proof) => {
+          const headers = new Headers(init?.headers);
+          headers.set("X402-Proof", JSON.stringify(proof));
+          return fetch(input, { ...init, headers });
+        },
+        (proof) => ({
+          timestamp: nowFn(),
+          origin,
+          satoshis: challenge.amount,
+          txid: proof.txid
+        })
+      );
+    }
+    const brc105Version = response.headers.get("x-bsv-payment-version");
+    if (brc105Version) {
+      if (!brc105ProofConstructor && !brc105Wallet) return response;
+      let brc105Challenge;
+      try {
+        brc105Challenge = parseBrc105Challenge(response);
+      } catch {
+        return response;
+      }
+      return handlePaymentFlow(
+        response,
+        input,
+        init,
+        origin,
+        brc105Challenge.satoshisRequired,
+        "brc105",
+        async () => {
+          if (brc105ProofConstructor) {
+            return brc105ProofConstructor(brc105Challenge);
+          }
+          return constructBrc105Proof(brc105Challenge, brc105Wallet, origin);
+        },
+        (proof) => {
+          const headers = new Headers(init?.headers);
+          headers.set("x-bsv-payment", JSON.stringify(proof));
+          headers.set("x-bsv-auth-identity-key", proof.clientIdentityKey);
+          return fetch(input, { ...init, headers });
+        },
+        (proof) => ({
+          timestamp: nowFn(),
+          origin,
+          satoshis: brc105Challenge.satoshisRequired,
+          txid: proof.txid,
+          protocol: "brc105"
+        })
+      );
+    }
+    return response;
   };
   fetchFn.resetLimits = async () => {
     const rl = await ensureInitialised();
@@ -762,7 +1369,9 @@ Allow this payment of ${action.amount} sats to ${action.origin}?`;
   RateLimiter,
   TIER_PRESETS,
   WalletTwoFactorProvider,
+  constructBrc105Proof,
   createX402Fetch,
+  parseBrc105Challenge,
   parseChallenge,
   resolveSitePolicy,
   resolveSpendLimits,