moltspay 0.9.0 → 0.9.2

package/.env.example

@@ -1,10 +1,55 @@
 # MoltsPay Server Configuration
 # Copy to ~/.moltspay/.env or ./.env and fill in values
 
-# Network: true = Base mainnet, false = Base Sepolia testnet
+# ===========================================
+# Network Configuration
+# ===========================================
+# true = Base mainnet, false = Base Sepolia testnet
 USE_MAINNET=true
 
-# CDP API Credentials (required for mainnet)
-# Get from: https://portal.cdp.coinbase.com/
+# ===========================================
+# Facilitator Selection (v0.9.0+)
+# ===========================================
+# Primary facilitator to use
+# Available: cdp
+# Coming soon: chaoschain, questflow
+FACILITATOR_PRIMARY=cdp
+
+# Fallback facilitators (comma-separated, optional)
+# Example: chaoschain,questflow
+# FACILITATOR_FALLBACK=
+
+# Selection strategy when multiple facilitators available
+# Options: failover | cheapest | fastest | random | roundrobin
+FACILITATOR_STRATEGY=failover
+
+# ===========================================
+# Proxy Endpoint (v0.9.2+)
+# ===========================================
+# IP whitelist for /proxy endpoint (comma-separated)
+# Used by external services like moltspay-creators to delegate payment handling
+# If not set, /proxy endpoint is disabled (secure by default)
+# Example: 127.0.0.1,::1,203.0.113.50
+PROXY_ALLOWED_IPS=127.0.0.1,::1
+
+# ===========================================
+# CDP Facilitator (Coinbase)
+# ===========================================
+# Required for mainnet. Get credentials from:
+# https://portal.cdp.coinbase.com/
 CDP_API_KEY_ID=
 CDP_API_KEY_SECRET=
+
+# ===========================================
+# ChaosChain Facilitator (Coming Soon)
+# ===========================================
+# https://github.com/ChaosChain/chaoschain-x402
+# CHAOSCHAIN_ENDPOINT=https://x402.chaoschain.io
+# CHAOSCHAIN_API_KEY=
+
+# ===========================================
+# Questflow Facilitator (Coming Soon)
+# ===========================================
+# https://facilitator.questflow.ai/
+# QUESTFLOW_ENDPOINT=https://facilitator.questflow.ai
+# QUESTFLOW_API_KEY=

package/dist/cli/index.js

@@ -945,8 +945,9 @@ var MoltsPayServer = class {
     this.useMainnet = process.env.USE_MAINNET?.toLowerCase() === "true";
     this.networkId = this.useMainnet ? "eip155:8453" : "eip155:84532";
     const facilitatorConfig = options.facilitators || {
-      primary: "cdp",
-      strategy: "failover",
+      primary: process.env.FACILITATOR_PRIMARY || "cdp",
+      fallback: process.env.FACILITATOR_FALLBACK?.split(",").filter(Boolean),
+      strategy: process.env.FACILITATOR_STRATEGY || "failover",
       config: {
         cdp: { useMainnet: this.useMainnet }
       }
@@ -984,6 +985,7 @@ var MoltsPayServer = class {
       console.log(`[MoltsPay] Endpoints:`);
       console.log(`  GET  /services     - List available services`);
       console.log(`  POST /execute      - Execute service (x402 payment)`);
+      console.log(`  POST /proxy        - Proxy payment for external services`);
       console.log(`  GET  /health       - Health check (incl. facilitators)`);
     });
   }
@@ -1013,6 +1015,15 @@ var MoltsPayServer = class {
         const paymentHeader = req.headers[PAYMENT_HEADER2];
         return await this.handleExecute(body, paymentHeader, res);
       }
+      if (url.pathname === "/proxy" && req.method === "POST") {
+        const clientIP = req.headers["x-real-ip"] || req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.socket.remoteAddress || "";
+        if (!this.isProxyAllowed(clientIP)) {
+          return this.sendJson(res, 403, { error: "Forbidden: IP not allowed" });
+        }
+        const body = await this.readBody(req);
+        const paymentHeader = req.headers[PAYMENT_HEADER2];
+        return await this.handleProxy(body, paymentHeader, res);
+      }
       this.sendJson(res, 404, { error: "Not found" });
     } catch (err) {
       console.error("[MoltsPay] Error:", err);
@@ -1222,6 +1233,156 @@ var MoltsPayServer = class {
     res.writeHead(status, headers);
     res.end(JSON.stringify(data, null, 2));
   }
+  /**
+   * Check if IP is allowed for /proxy endpoint
+   */
+  isProxyAllowed(clientIP) {
+    const allowedIPs = process.env.PROXY_ALLOWED_IPS?.split(",").map((ip) => ip.trim()) || [];
+    if (allowedIPs.length === 0) {
+      console.log(`[MoltsPay] /proxy denied: no PROXY_ALLOWED_IPS configured`);
+      return false;
+    }
+    const normalizedIP = clientIP === "::1" ? "127.0.0.1" : clientIP.replace("::ffff:", "");
+    const allowed = allowedIPs.includes(normalizedIP) || allowedIPs.includes(clientIP);
+    if (!allowed) {
+      console.log(`[MoltsPay] /proxy denied for IP: ${clientIP} (normalized: ${normalizedIP})`);
+    }
+    return allowed;
+  }
+  /**
+   * POST /proxy - Handle payment for external services (moltspay-creators)
+   * 
+   * This endpoint allows other services to delegate x402 payment handling.
+   * It does NOT execute any skill - just handles payment verification/settlement.
+   * 
+   * Request body:
+   *   { wallet, amount, currency, chain, memo, serviceId, description }
+   * 
+   * Without X-Payment header: returns 402 with payment requirements
+   * With X-Payment header: verifies payment and returns result
+   */
+  async handleProxy(body, paymentHeader, res) {
+    const { wallet, amount, currency, chain, memo, serviceId, description } = body;
+    if (!wallet || !amount) {
+      return this.sendJson(res, 400, { error: "Missing required fields: wallet, amount" });
+    }
+    if (!/^0x[a-fA-F0-9]{40}$/.test(wallet)) {
+      return this.sendJson(res, 400, { error: "Invalid wallet address format" });
+    }
+    const amountNum = parseFloat(amount);
+    if (isNaN(amountNum) || amountNum <= 0) {
+      return this.sendJson(res, 400, { error: "Invalid amount" });
+    }
+    const proxyConfig = {
+      id: serviceId || "proxy",
+      name: description || "Proxy Payment",
+      description: description || "",
+      price: amountNum,
+      currency: currency || "USDC",
+      function: "",
+      // Not used
+      input: {},
+      output: {}
+    };
+    const requirements = this.buildProxyPaymentRequirements(proxyConfig, wallet);
+    if (!paymentHeader) {
+      return this.sendProxyPaymentRequired(proxyConfig, wallet, memo, res);
+    }
+    let payment;
+    try {
+      const decoded = Buffer.from(paymentHeader, "base64").toString("utf-8");
+      payment = JSON.parse(decoded);
+    } catch {
+      return this.sendJson(res, 400, { error: "Invalid X-Payment header" });
+    }
+    if (payment.x402Version !== X402_VERSION3) {
+      return this.sendJson(res, 402, { error: `Unsupported x402 version: ${payment.x402Version}` });
+    }
+    const scheme = payment.accepted?.scheme || payment.scheme;
+    const network = payment.accepted?.network || payment.network;
+    if (scheme !== "exact") {
+      return this.sendJson(res, 402, { error: `Unsupported scheme: ${scheme}` });
+    }
+    if (network !== this.networkId) {
+      return this.sendJson(res, 402, { error: `Network mismatch: expected ${this.networkId}, got ${network}` });
+    }
+    console.log(`[MoltsPay] /proxy: Verifying payment for ${wallet}...`);
+    const verifyResult = await this.registry.verify(payment, requirements);
+    if (!verifyResult.valid) {
+      return this.sendJson(res, 402, {
+        success: false,
+        error: `Payment verification failed: ${verifyResult.error}`,
+        facilitator: verifyResult.facilitator
+      });
+    }
+    console.log(`[MoltsPay] /proxy: Verified by ${verifyResult.facilitator}`);
+    console.log(`[MoltsPay] /proxy: Settling payment...`);
+    let settlement = null;
+    try {
+      settlement = await this.registry.settle(payment, requirements);
+      console.log(`[MoltsPay] /proxy: Payment settled by ${settlement.facilitator}: ${settlement.transaction || "pending"}`);
+    } catch (err) {
+      console.error("[MoltsPay] /proxy: Settlement failed:", err.message);
+      return this.sendJson(res, 500, {
+        success: false,
+        error: `Settlement failed: ${err.message}`
+      });
+    }
+    this.sendJson(res, 200, {
+      success: true,
+      verified: true,
+      settled: settlement?.success || false,
+      txHash: settlement?.transaction,
+      paidTo: wallet,
+      amount: amountNum,
+      currency: currency || "USDC",
+      facilitator: settlement?.facilitator,
+      memo
+    });
+  }
+  /**
+   * Build payment requirements for proxy endpoint (uses provided wallet)
+   */
+  buildProxyPaymentRequirements(config, wallet) {
+    const amountInUnits = Math.floor(config.price * 1e6).toString();
+    const usdcAddress = USDC_ADDRESSES[this.networkId];
+    return {
+      scheme: "exact",
+      network: this.networkId,
+      asset: usdcAddress,
+      amount: amountInUnits,
+      payTo: wallet,
+      // Use provided wallet, not manifest
+      maxTimeoutSeconds: 300,
+      extra: USDC_DOMAIN
+    };
+  }
+  /**
+   * Return 402 with x402 payment requirements for proxy endpoint
+   */
+  sendProxyPaymentRequired(config, wallet, memo, res) {
+    const requirements = this.buildProxyPaymentRequirements(config, wallet);
+    const paymentRequired = {
+      x402Version: X402_VERSION3,
+      accepts: [requirements],
+      resource: {
+        url: `/proxy`,
+        description: `${config.name} - $${config.price} ${config.currency}`,
+        mimeType: "application/json",
+        memo
+      }
+    };
+    const encoded = Buffer.from(JSON.stringify(paymentRequired)).toString("base64");
+    res.writeHead(402, {
+      "Content-Type": "application/json",
+      [PAYMENT_REQUIRED_HEADER2]: encoded
+    });
+    res.end(JSON.stringify({
+      error: "Payment required",
+      message: `Payment requires $${config.price} ${config.currency}`,
+      x402: paymentRequired
+    }, null, 2));
+  }
 };
 
 // src/cli/index.ts