moltspay 0.9.1 → 0.9.3

package/.env.example

@@ -23,6 +23,15 @@ FACILITATOR_PRIMARY=cdp
 # Options: failover | cheapest | fastest | random | roundrobin
 FACILITATOR_STRATEGY=failover
 
+# ===========================================
+# Proxy Endpoint (v0.9.2+)
+# ===========================================
+# IP whitelist for /proxy endpoint (comma-separated)
+# Used by external services like moltspay-creators to delegate payment handling
+# If not set, /proxy endpoint is disabled (secure by default)
+# Example: 127.0.0.1,::1,203.0.113.50
+PROXY_ALLOWED_IPS=127.0.0.1,::1
+
 # ===========================================
 # CDP Facilitator (Coinbase)
 # ===========================================

package/dist/cli/index.js

@@ -985,6 +985,7 @@ var MoltsPayServer = class {
       console.log(`[MoltsPay] Endpoints:`);
       console.log(`  GET  /services     - List available services`);
       console.log(`  POST /execute      - Execute service (x402 payment)`);
+      console.log(`  POST /proxy        - Proxy payment for external services`);
       console.log(`  GET  /health       - Health check (incl. facilitators)`);
     });
   }
@@ -1014,6 +1015,15 @@ var MoltsPayServer = class {
         const paymentHeader = req.headers[PAYMENT_HEADER2];
         return await this.handleExecute(body, paymentHeader, res);
       }
+      if (url.pathname === "/proxy" && req.method === "POST") {
+        const clientIP = req.headers["x-real-ip"] || req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.socket.remoteAddress || "";
+        if (!this.isProxyAllowed(clientIP)) {
+          return this.sendJson(res, 403, { error: "Forbidden: IP not allowed" });
+        }
+        const body = await this.readBody(req);
+        const paymentHeader = req.headers[PAYMENT_HEADER2];
+        return await this.handleProxy(body, paymentHeader, res);
+      }
       this.sendJson(res, 404, { error: "Not found" });
     } catch (err) {
       console.error("[MoltsPay] Error:", err);
@@ -1223,6 +1233,217 @@ var MoltsPayServer = class {
     res.writeHead(status, headers);
     res.end(JSON.stringify(data, null, 2));
   }
+  /**
+   * Check if IP is allowed for /proxy endpoint
+   */
+  isProxyAllowed(clientIP) {
+    const allowedIPs = process.env.PROXY_ALLOWED_IPS?.split(",").map((ip) => ip.trim()) || [];
+    if (allowedIPs.length === 0) {
+      console.log(`[MoltsPay] /proxy denied: no PROXY_ALLOWED_IPS configured`);
+      return false;
+    }
+    const normalizedIP = clientIP === "::1" ? "127.0.0.1" : clientIP.replace("::ffff:", "");
+    const allowed = allowedIPs.includes(normalizedIP) || allowedIPs.includes(clientIP);
+    if (!allowed) {
+      console.log(`[MoltsPay] /proxy denied for IP: ${clientIP} (normalized: ${normalizedIP})`);
+    }
+    return allowed;
+  }
+  /**
+   * POST /proxy - Handle payment for external services (moltspay-creators)
+   * 
+   * This endpoint allows other services to delegate x402 payment handling.
+   * It does NOT execute any skill - just handles payment verification/settlement.
+   * 
+   * Request body:
+   *   { wallet, amount, currency, chain, memo, serviceId, description }
+   * 
+   * Without X-Payment header: returns 402 with payment requirements
+   * With X-Payment header: verifies payment and returns result
+   */
+  async handleProxy(body, paymentHeader, res) {
+    const { wallet, amount, currency, chain, memo, serviceId, description } = body;
+    if (!wallet || !amount) {
+      return this.sendJson(res, 400, { error: "Missing required fields: wallet, amount" });
+    }
+    if (!/^0x[a-fA-F0-9]{40}$/.test(wallet)) {
+      return this.sendJson(res, 400, { error: "Invalid wallet address format" });
+    }
+    const amountNum = parseFloat(amount);
+    if (isNaN(amountNum) || amountNum <= 0) {
+      return this.sendJson(res, 400, { error: "Invalid amount" });
+    }
+    const proxyConfig = {
+      id: serviceId || "proxy",
+      name: description || "Proxy Payment",
+      description: description || "",
+      price: amountNum,
+      currency: currency || "USDC",
+      function: "",
+      // Not used
+      input: {},
+      output: {}
+    };
+    const requirements = this.buildProxyPaymentRequirements(proxyConfig, wallet);
+    if (!paymentHeader) {
+      return this.sendProxyPaymentRequired(proxyConfig, wallet, memo, res);
+    }
+    let payment;
+    try {
+      const decoded = Buffer.from(paymentHeader, "base64").toString("utf-8");
+      payment = JSON.parse(decoded);
+    } catch {
+      return this.sendJson(res, 400, { error: "Invalid X-Payment header" });
+    }
+    if (payment.x402Version !== X402_VERSION3) {
+      return this.sendJson(res, 402, { error: `Unsupported x402 version: ${payment.x402Version}` });
+    }
+    const scheme = payment.accepted?.scheme || payment.scheme;
+    const network = payment.accepted?.network || payment.network;
+    if (scheme !== "exact") {
+      return this.sendJson(res, 402, { error: `Unsupported scheme: ${scheme}` });
+    }
+    if (network !== this.networkId) {
+      return this.sendJson(res, 402, { error: `Network mismatch: expected ${this.networkId}, got ${network}` });
+    }
+    console.log(`[MoltsPay] /proxy: Verifying payment for ${wallet}...`);
+    const verifyResult = await this.registry.verify(payment, requirements);
+    if (!verifyResult.valid) {
+      return this.sendJson(res, 402, {
+        success: false,
+        error: `Payment verification failed: ${verifyResult.error}`,
+        facilitator: verifyResult.facilitator
+      });
+    }
+    console.log(`[MoltsPay] /proxy: Verified by ${verifyResult.facilitator}`);
+    const { execute, service, params } = body;
+    if (execute && service) {
+      console.log(`[MoltsPay] /proxy: Executing skill first (pay on success): ${service}`);
+      const skill = this.skills.get(service);
+      if (!skill) {
+        console.log(`[MoltsPay] /proxy: Service not found: ${service} - NOT settling`);
+        return this.sendJson(res, 404, {
+          success: false,
+          paymentSettled: false,
+          error: `Service not found: ${service}`
+        });
+      }
+      let result;
+      try {
+        result = await skill.handler(params || {});
+        console.log(`[MoltsPay] /proxy: Skill succeeded, now settling payment...`);
+      } catch (err) {
+        console.error(`[MoltsPay] /proxy: Skill failed: ${err.message} - NOT settling`);
+        return this.sendJson(res, 500, {
+          success: false,
+          paymentSettled: false,
+          error: `Service execution failed: ${err.message}`
+        });
+      }
+      let settlement2 = null;
+      try {
+        settlement2 = await this.registry.settle(payment, requirements);
+        console.log(`[MoltsPay] /proxy: Payment settled by ${settlement2.facilitator}: ${settlement2.transaction || "pending"}`);
+      } catch (err) {
+        console.error("[MoltsPay] /proxy: Settlement failed:", err.message);
+        return this.sendJson(res, 200, {
+          success: true,
+          verified: true,
+          settled: false,
+          settlementError: err.message,
+          from: payment.payload?.authorization?.from,
+          // Buyer's wallet address
+          paidTo: wallet,
+          amount: amountNum,
+          currency: currency || "USDC",
+          memo,
+          result
+        });
+      }
+      return this.sendJson(res, 200, {
+        success: true,
+        verified: true,
+        settled: settlement2?.success || false,
+        txHash: settlement2?.transaction,
+        from: payment.payload?.authorization?.from,
+        // Buyer's wallet address
+        paidTo: wallet,
+        amount: amountNum,
+        currency: currency || "USDC",
+        facilitator: settlement2?.facilitator,
+        memo,
+        result
+      });
+    }
+    console.log(`[MoltsPay] /proxy: Settling payment (no execution)...`);
+    let settlement = null;
+    try {
+      settlement = await this.registry.settle(payment, requirements);
+      console.log(`[MoltsPay] /proxy: Payment settled by ${settlement.facilitator}: ${settlement.transaction || "pending"}`);
+    } catch (err) {
+      console.error("[MoltsPay] /proxy: Settlement failed:", err.message);
+      return this.sendJson(res, 500, {
+        success: false,
+        error: `Settlement failed: ${err.message}`
+      });
+    }
+    this.sendJson(res, 200, {
+      success: true,
+      verified: true,
+      settled: settlement?.success || false,
+      txHash: settlement?.transaction,
+      from: payment.payload?.authorization?.from,
+      // Buyer's wallet address
+      paidTo: wallet,
+      amount: amountNum,
+      currency: currency || "USDC",
+      facilitator: settlement?.facilitator,
+      memo
+    });
+  }
+  /**
+   * Build payment requirements for proxy endpoint (uses provided wallet)
+   */
+  buildProxyPaymentRequirements(config, wallet) {
+    const amountInUnits = Math.floor(config.price * 1e6).toString();
+    const usdcAddress = USDC_ADDRESSES[this.networkId];
+    return {
+      scheme: "exact",
+      network: this.networkId,
+      asset: usdcAddress,
+      amount: amountInUnits,
+      payTo: wallet,
+      // Use provided wallet, not manifest
+      maxTimeoutSeconds: 300,
+      extra: USDC_DOMAIN
+    };
+  }
+  /**
+   * Return 402 with x402 payment requirements for proxy endpoint
+   */
+  sendProxyPaymentRequired(config, wallet, memo, res) {
+    const requirements = this.buildProxyPaymentRequirements(config, wallet);
+    const paymentRequired = {
+      x402Version: X402_VERSION3,
+      accepts: [requirements],
+      resource: {
+        url: `/proxy`,
+        description: `${config.name} - $${config.price} ${config.currency}`,
+        mimeType: "application/json",
+        memo
+      }
+    };
+    const encoded = Buffer.from(JSON.stringify(paymentRequired)).toString("base64");
+    res.writeHead(402, {
+      "Content-Type": "application/json",
+      [PAYMENT_REQUIRED_HEADER2]: encoded
+    });
+    res.end(JSON.stringify({
+      error: "Payment required",
+      message: `Payment requires $${config.price} ${config.currency}`,
+      x402: paymentRequired
+    }, null, 2));
+  }
 };
 
 // src/cli/index.ts