npm - moltspay - Versions diffs - 0.9.1 → 0.9.3 - Mend

moltspay 0.9.1 → 0.9.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/dist/cli/index.mjs CHANGED Viewed

@@ -962,6 +962,7 @@ var MoltsPayServer = class {
       console.log(`[MoltsPay] Endpoints:`);
       console.log(`  GET  /services     - List available services`);
       console.log(`  POST /execute      - Execute service (x402 payment)`);
+      console.log(`  POST /proxy        - Proxy payment for external services`);
       console.log(`  GET  /health       - Health check (incl. facilitators)`);
     });
   }
@@ -991,6 +992,15 @@ var MoltsPayServer = class {
         const paymentHeader = req.headers[PAYMENT_HEADER2];
         return await this.handleExecute(body, paymentHeader, res);
       }
+      if (url.pathname === "/proxy" && req.method === "POST") {
+        const clientIP = req.headers["x-real-ip"] || req.headers["x-forwarded-for"]?.split(",")[0]?.trim() || req.socket.remoteAddress || "";
+        if (!this.isProxyAllowed(clientIP)) {
+          return this.sendJson(res, 403, { error: "Forbidden: IP not allowed" });
+        }
+        const body = await this.readBody(req);
+        const paymentHeader = req.headers[PAYMENT_HEADER2];
+        return await this.handleProxy(body, paymentHeader, res);
+      }
       this.sendJson(res, 404, { error: "Not found" });
     } catch (err) {
       console.error("[MoltsPay] Error:", err);
@@ -1200,6 +1210,217 @@ var MoltsPayServer = class {
     res.writeHead(status, headers);
     res.end(JSON.stringify(data, null, 2));
   }
+  /**
+   * Check if IP is allowed for /proxy endpoint
+   */
+  isProxyAllowed(clientIP) {
+    const allowedIPs = process.env.PROXY_ALLOWED_IPS?.split(",").map((ip) => ip.trim()) || [];
+    if (allowedIPs.length === 0) {
+      console.log(`[MoltsPay] /proxy denied: no PROXY_ALLOWED_IPS configured`);
+      return false;
+    }
+    const normalizedIP = clientIP === "::1" ? "127.0.0.1" : clientIP.replace("::ffff:", "");
+    const allowed = allowedIPs.includes(normalizedIP) || allowedIPs.includes(clientIP);
+    if (!allowed) {
+      console.log(`[MoltsPay] /proxy denied for IP: ${clientIP} (normalized: ${normalizedIP})`);
+    }
+    return allowed;
+  }
+  /**
+   * POST /proxy - Handle payment for external services (moltspay-creators)
+   *
+   * This endpoint allows other services to delegate x402 payment handling.
+   * It does NOT execute any skill - just handles payment verification/settlement.
+   *
+   * Request body:
+   *   { wallet, amount, currency, chain, memo, serviceId, description }
+   *
+   * Without X-Payment header: returns 402 with payment requirements
+   * With X-Payment header: verifies payment and returns result
+   */
+  async handleProxy(body, paymentHeader, res) {
+    const { wallet, amount, currency, chain, memo, serviceId, description } = body;
+    if (!wallet || !amount) {
+      return this.sendJson(res, 400, { error: "Missing required fields: wallet, amount" });
+    }
+    if (!/^0x[a-fA-F0-9]{40}$/.test(wallet)) {
+      return this.sendJson(res, 400, { error: "Invalid wallet address format" });
+    }
+    const amountNum = parseFloat(amount);
+    if (isNaN(amountNum) || amountNum <= 0) {
+      return this.sendJson(res, 400, { error: "Invalid amount" });
+    }
+    const proxyConfig = {
+      id: serviceId || "proxy",
+      name: description || "Proxy Payment",
+      description: description || "",
+      price: amountNum,
+      currency: currency || "USDC",
+      function: "",
+      // Not used
+      input: {},
+      output: {}
+    };
+    const requirements = this.buildProxyPaymentRequirements(proxyConfig, wallet);
+    if (!paymentHeader) {
+      return this.sendProxyPaymentRequired(proxyConfig, wallet, memo, res);
+    }
+    let payment;
+    try {
+      const decoded = Buffer.from(paymentHeader, "base64").toString("utf-8");
+      payment = JSON.parse(decoded);
+    } catch {
+      return this.sendJson(res, 400, { error: "Invalid X-Payment header" });
+    }
+    if (payment.x402Version !== X402_VERSION3) {
+      return this.sendJson(res, 402, { error: `Unsupported x402 version: ${payment.x402Version}` });
+    }
+    const scheme = payment.accepted?.scheme || payment.scheme;
+    const network = payment.accepted?.network || payment.network;
+    if (scheme !== "exact") {
+      return this.sendJson(res, 402, { error: `Unsupported scheme: ${scheme}` });
+    }
+    if (network !== this.networkId) {
+      return this.sendJson(res, 402, { error: `Network mismatch: expected ${this.networkId}, got ${network}` });
+    }
+    console.log(`[MoltsPay] /proxy: Verifying payment for ${wallet}...`);
+    const verifyResult = await this.registry.verify(payment, requirements);
+    if (!verifyResult.valid) {
+      return this.sendJson(res, 402, {
+        success: false,
+        error: `Payment verification failed: ${verifyResult.error}`,
+        facilitator: verifyResult.facilitator
+      });
+    }
+    console.log(`[MoltsPay] /proxy: Verified by ${verifyResult.facilitator}`);
+    const { execute, service, params } = body;
+    if (execute && service) {
+      console.log(`[MoltsPay] /proxy: Executing skill first (pay on success): ${service}`);
+      const skill = this.skills.get(service);
+      if (!skill) {
+        console.log(`[MoltsPay] /proxy: Service not found: ${service} - NOT settling`);
+        return this.sendJson(res, 404, {
+          success: false,
+          paymentSettled: false,
+          error: `Service not found: ${service}`
+        });
+      }
+      let result;
+      try {
+        result = await skill.handler(params || {});
+        console.log(`[MoltsPay] /proxy: Skill succeeded, now settling payment...`);
+      } catch (err) {
+        console.error(`[MoltsPay] /proxy: Skill failed: ${err.message} - NOT settling`);
+        return this.sendJson(res, 500, {
+          success: false,
+          paymentSettled: false,
+          error: `Service execution failed: ${err.message}`
+        });
+      }
+      let settlement2 = null;
+      try {
+        settlement2 = await this.registry.settle(payment, requirements);
+        console.log(`[MoltsPay] /proxy: Payment settled by ${settlement2.facilitator}: ${settlement2.transaction || "pending"}`);
+      } catch (err) {
+        console.error("[MoltsPay] /proxy: Settlement failed:", err.message);
+        return this.sendJson(res, 200, {
+          success: true,
+          verified: true,
+          settled: false,
+          settlementError: err.message,
+          from: payment.payload?.authorization?.from,
+          // Buyer's wallet address
+          paidTo: wallet,
+          amount: amountNum,
+          currency: currency || "USDC",
+          memo,
+          result
+        });
+      }
+      return this.sendJson(res, 200, {
+        success: true,
+        verified: true,
+        settled: settlement2?.success || false,
+        txHash: settlement2?.transaction,
+        from: payment.payload?.authorization?.from,
+        // Buyer's wallet address
+        paidTo: wallet,
+        amount: amountNum,
+        currency: currency || "USDC",
+        facilitator: settlement2?.facilitator,
+        memo,
+        result
+      });
+    }
+    console.log(`[MoltsPay] /proxy: Settling payment (no execution)...`);
+    let settlement = null;
+    try {
+      settlement = await this.registry.settle(payment, requirements);
+      console.log(`[MoltsPay] /proxy: Payment settled by ${settlement.facilitator}: ${settlement.transaction || "pending"}`);
+    } catch (err) {
+      console.error("[MoltsPay] /proxy: Settlement failed:", err.message);
+      return this.sendJson(res, 500, {
+        success: false,
+        error: `Settlement failed: ${err.message}`
+      });
+    }
+    this.sendJson(res, 200, {
+      success: true,
+      verified: true,
+      settled: settlement?.success || false,
+      txHash: settlement?.transaction,
+      from: payment.payload?.authorization?.from,
+      // Buyer's wallet address
+      paidTo: wallet,
+      amount: amountNum,
+      currency: currency || "USDC",
+      facilitator: settlement?.facilitator,
+      memo
+    });
+  }
+  /**
+   * Build payment requirements for proxy endpoint (uses provided wallet)
+   */
+  buildProxyPaymentRequirements(config, wallet) {
+    const amountInUnits = Math.floor(config.price * 1e6).toString();
+    const usdcAddress = USDC_ADDRESSES[this.networkId];
+    return {
+      scheme: "exact",
+      network: this.networkId,
+      asset: usdcAddress,
+      amount: amountInUnits,
+      payTo: wallet,
+      // Use provided wallet, not manifest
+      maxTimeoutSeconds: 300,
+      extra: USDC_DOMAIN
+    };
+  }
+  /**
+   * Return 402 with x402 payment requirements for proxy endpoint
+   */
+  sendProxyPaymentRequired(config, wallet, memo, res) {
+    const requirements = this.buildProxyPaymentRequirements(config, wallet);
+    const paymentRequired = {
+      x402Version: X402_VERSION3,
+      accepts: [requirements],
+      resource: {
+        url: `/proxy`,
+        description: `${config.name} - $${config.price} ${config.currency}`,
+        mimeType: "application/json",
+        memo
+      }
+    };
+    const encoded = Buffer.from(JSON.stringify(paymentRequired)).toString("base64");
+    res.writeHead(402, {
+      "Content-Type": "application/json",
+      [PAYMENT_REQUIRED_HEADER2]: encoded
+    });
+    res.end(JSON.stringify({
+      error: "Payment required",
+      message: `Payment requires $${config.price} ${config.currency}`,
+      x402: paymentRequired
+    }, null, 2));
+  }
 };
 // src/cli/index.ts