moltspay 1.4.1 → 1.6.0

package/dist/server/index.js

@@ -263,6 +263,9 @@ var CDPFacilitator = class extends BaseFacilitator {
   }
 };
 
+// src/facilitators/tempo.ts
+var import_ethers = require("ethers");
+
 // src/chains/index.ts
 var CHAINS = {
   // ============ Mainnet ============
@@ -432,15 +435,38 @@ var CHAINS = {
 
 // src/facilitators/tempo.ts
 var TRANSFER_EVENT_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef";
+var TIP20_PERMIT_ABI = [
+  "function permit(address owner, address spender, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s)",
+  "function transferFrom(address from, address to, uint256 value) returns (bool)"
+];
 var TempoFacilitator = class extends BaseFacilitator {
   name = "tempo";
   displayName = "Tempo Testnet";
   supportedNetworks = ["eip155:42431"];
   // Tempo Moderato
   rpcUrl;
+  settlerWallet = null;
   constructor() {
     super();
     this.rpcUrl = CHAINS.tempo_moderato.rpc;
+    const settlerKey = process.env.TEMPO_SETTLER_KEY;
+    if (settlerKey) {
+      try {
+        const provider = new import_ethers.ethers.JsonRpcProvider(this.rpcUrl);
+        this.settlerWallet = new import_ethers.ethers.Wallet(settlerKey, provider);
+      } catch (err) {
+        console.warn("[TempoFacilitator] Invalid TEMPO_SETTLER_KEY, permit settlement disabled:", err);
+        this.settlerWallet = null;
+      }
+    }
+  }
+  /**
+   * Settler EOA address advertised to clients via `X-Payment-Required.extra.tempoSpender`.
+   * Web Client uses this as the `spender` field in the signed EIP-2612 Permit.
+   * Returns null if no TEMPO_SETTLER_KEY is configured — permit settlement unavailable.
+   */
+  getSpenderAddress() {
+    return this.settlerWallet?.address ?? null;
   }
   async healthCheck() {
     const start = Date.now();
@@ -466,6 +492,44 @@ var TempoFacilitator = class extends BaseFacilitator {
     }
   }
   async verify(paymentPayload, requirements) {
+    const inner = paymentPayload.payload;
+    if (inner && "permit" in inner && inner.permit) {
+      return this.verifyPermit(inner, requirements);
+    }
+    return this.verifyTxHash(paymentPayload, requirements);
+  }
+  /**
+   * Structural validation of an EIP-2612 permit payload. Does NOT submit
+   * anything on-chain — actual submission happens in settlePermit().
+   */
+  async verifyPermit(payload, requirements) {
+    if (!this.settlerWallet) {
+      return { valid: false, error: "Permit settlement not configured (TEMPO_SETTLER_KEY missing)" };
+    }
+    const p = payload.permit;
+    if (!p || !p.owner || !p.spender || !p.value || !p.deadline) {
+      return { valid: false, error: "Invalid permit payload: missing fields" };
+    }
+    if (p.spender.toLowerCase() !== this.settlerWallet.address.toLowerCase()) {
+      return {
+        valid: false,
+        error: `Permit spender ${p.spender} does not match configured settler ${this.settlerWallet.address}`
+      };
+    }
+    const deadline = BigInt(p.deadline);
+    const now = BigInt(Math.floor(Date.now() / 1e3));
+    if (deadline <= now) {
+      return { valid: false, error: "Permit deadline has expired" };
+    }
+    if (BigInt(p.value) < BigInt(requirements.amount || "0")) {
+      return {
+        valid: false,
+        error: `Permit value ${p.value} is less than required ${requirements.amount}`
+      };
+    }
+    return { valid: true, details: { scheme: "permit", owner: p.owner } };
+  }
+  async verifyTxHash(paymentPayload, requirements) {
     try {
       const tempoPayload = paymentPayload.payload;
       if (!tempoPayload?.txHash) {
@@ -523,7 +587,11 @@ var TempoFacilitator = class extends BaseFacilitator {
     }
   }
   async settle(paymentPayload, requirements) {
-    const verifyResult = await this.verify(paymentPayload, requirements);
+    const inner = paymentPayload.payload;
+    if (inner && "permit" in inner && inner.permit) {
+      return this.settlePermit(inner, requirements);
+    }
+    const verifyResult = await this.verifyTxHash(paymentPayload, requirements);
     if (!verifyResult.valid) {
       return { success: false, error: verifyResult.error };
     }
@@ -534,6 +602,52 @@ var TempoFacilitator = class extends BaseFacilitator {
       status: "settled"
     };
   }
+  /**
+   * EIP-2612 permit settlement path. Submits two transactions on Tempo:
+   *   1. pathUSD.permit(owner, spender=settler, value, deadline, v, r, s)
+   *   2. pathUSD.transferFrom(owner, payTo, value)
+   *
+   * The settler EOA pays Tempo gas (via the TIP-20 `feeToken` mechanism — no
+   * native tTEMPO required; any held TIP-20 token balance covers fees).
+   */
+  async settlePermit(payload, requirements) {
+    if (!this.settlerWallet) {
+      return { success: false, error: "Permit settlement not configured (TEMPO_SETTLER_KEY missing)" };
+    }
+    if (!requirements.asset || !requirements.payTo) {
+      return { success: false, error: "Missing asset or payTo in requirements" };
+    }
+    const verifyResult = await this.verifyPermit(payload, requirements);
+    if (!verifyResult.valid) {
+      return { success: false, error: verifyResult.error };
+    }
+    const token = new import_ethers.ethers.Contract(requirements.asset, TIP20_PERMIT_ABI, this.settlerWallet);
+    const p = payload.permit;
+    try {
+      const permitTx = await token.permit(
+        p.owner,
+        p.spender,
+        p.value,
+        p.deadline,
+        p.v,
+        p.r,
+        p.s
+      );
+      await permitTx.wait();
+      const transferTx = await token.transferFrom(p.owner, requirements.payTo, p.value);
+      await transferTx.wait();
+      return {
+        success: true,
+        transaction: transferTx.hash,
+        status: "settled"
+      };
+    } catch (err) {
+      return {
+        success: false,
+        error: `Tempo permit settlement failed: ${err.message}`
+      };
+    }
+  }
   async getTransactionReceipt(txHash) {
     const response = await fetch(this.rpcUrl, {
       method: "POST",
@@ -776,12 +890,12 @@ var BNBFacilitator = class extends BaseFacilitator {
     return this.spenderAddress;
   }
   async getServerAddress() {
-    const { ethers } = await import("ethers");
-    const wallet = new ethers.Wallet(this.serverPrivateKey);
+    const { ethers: ethers2 } = await import("ethers");
+    const wallet = new ethers2.Wallet(this.serverPrivateKey);
     return wallet.address;
   }
   async recoverIntentSigner(intent, chainId) {
-    const { ethers } = await import("ethers");
+    const { ethers: ethers2 } = await import("ethers");
     const domain = {
       ...EIP712_DOMAIN,
       chainId
@@ -795,7 +909,7 @@ var BNBFacilitator = class extends BaseFacilitator {
       nonce: intent.nonce,
       deadline: intent.deadline
     };
-    const recoveredAddress = ethers.verifyTypedData(
+    const recoveredAddress = ethers2.verifyTypedData(
       domain,
       INTENT_TYPES,
       message,
@@ -839,10 +953,10 @@ var BNBFacilitator = class extends BaseFacilitator {
     return result.result || "0x0";
   }
   async executeTransferFrom(from, to, amount, token, rpcUrl) {
-    const { ethers } = await import("ethers");
-    const provider = new ethers.JsonRpcProvider(rpcUrl);
-    const wallet = new ethers.Wallet(this.serverPrivateKey, provider);
-    const tokenContract = new ethers.Contract(token, [
+    const { ethers: ethers2 } = await import("ethers");
+    const provider = new ethers2.JsonRpcProvider(rpcUrl);
+    const wallet = new ethers2.Wallet(this.serverPrivateKey, provider);
+    const tokenContract = new ethers2.Contract(token, [
       "function transferFrom(address from, address to, uint256 amount) returns (bool)"
     ], wallet);
     const tx = await tokenContract.transferFrom(from, to, amount);
@@ -1389,9 +1503,13 @@ var TOKEN_DOMAINS = {
     USDT: { name: "(PoS) Tether USD", version: "2" }
   },
   // Tempo Moderato testnet - TIP-20 stablecoins
+  // Domain names verified against on-chain DOMAIN_SEPARATOR values on 2026-04-21.
+  // See docs/TEMPO-WEB-SUPPORT.md Section 2 and test/server/tempo-domain.test.ts.
+  // All 4 Tempo TIP-20 tokens (pathUSD / AlphaUSD / BetaUSD / ThetaUSD) use
+  // the token symbol with first letter capitalized + version "1".
   "eip155:42431": {
-    USDC: { name: "pathUSD", version: "1" },
-    USDT: { name: "alphaUSD", version: "1" }
+    USDC: { name: "PathUSD", version: "1" },
+    USDT: { name: "AlphaUSD", version: "1" }
   },
   // BNB Smart Chain mainnet
   "eip155:56": {
@@ -1560,13 +1678,62 @@ var MoltsPayServer = class {
     });
   }
   /**
-   * Handle incoming request
+   * Apply CORS response headers according to the `cors` option.
+   *
+   * Default (`cors` unset or `true`): `Access-Control-Allow-Origin: *`. Matches 1.5.x behavior
+   * and works for every browser client whose origin does not need to send cookies.
+   *
+   * `cors: false`: emit no CORS headers. Same-origin only.
+   * `cors: string[]`: origin allowlist — echo the origin back iff it matches.
+   * `cors: CorsOptions`: full control (allowlist + credentials + maxAge).
+   *
+   * The required-for-Web response headers are always exposed when CORS is active:
+   * `X-Payment-Required, X-Payment-Response, WWW-Authenticate, Payment-Receipt`.
    */
-  async handleRequest(req, res) {
-    res.setHeader("Access-Control-Allow-Origin", "*");
+  applyCorsHeaders(req, res) {
+    const cors = this.options.cors;
+    if (cors === false) {
+      return;
+    }
+    const requestOrigin = req.headers.origin ?? "*";
+    if (cors === void 0 || cors === true) {
+      this.writeCorsHeaders(res, "*");
+      return;
+    }
+    if (Array.isArray(cors)) {
+      if (cors.includes(requestOrigin)) {
+        this.writeCorsHeaders(res, requestOrigin);
+        res.setHeader("Vary", "Origin");
+      }
+      return;
+    }
+    const opt = cors;
+    const isAllowed = typeof opt.origins === "function" ? opt.origins(requestOrigin) : opt.origins.includes(requestOrigin);
+    if (!isAllowed) {
+      return;
+    }
+    this.writeCorsHeaders(res, requestOrigin);
+    res.setHeader("Vary", "Origin");
+    if (opt.credentials) {
+      res.setHeader("Access-Control-Allow-Credentials", "true");
+    }
+    const maxAge = opt.maxAge ?? 600;
+    res.setHeader("Access-Control-Max-Age", String(maxAge));
+  }
+  writeCorsHeaders(res, origin) {
+    res.setHeader("Access-Control-Allow-Origin", origin);
     res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
     res.setHeader("Access-Control-Allow-Headers", "Content-Type, X-Payment, Authorization");
-    res.setHeader("Access-Control-Expose-Headers", "X-Payment-Required, X-Payment-Response, WWW-Authenticate, Payment-Receipt");
+    res.setHeader(
+      "Access-Control-Expose-Headers",
+      "X-Payment-Required, X-Payment-Response, WWW-Authenticate, Payment-Receipt"
+    );
+  }
+  /**
+   * Handle incoming request
+   */
+  async handleRequest(req, res) {
+    this.applyCorsHeaders(req, res);
     if (req.method === "OPTIONS") {
       res.writeHead(204);
       res.end();
@@ -1789,6 +1956,14 @@ var MoltsPayServer = class {
         console.log(`[MoltsPay] Payment settled by ${settlement.facilitator}: ${settlement.transaction || "pending"}`);
       } catch (err) {
         console.error("[MoltsPay] Settlement failed:", err.message);
+        settlement = { success: false, error: err.message, facilitator: "none" };
+      }
+      if (!settlement?.success) {
+        return this.sendJson(res, 402, {
+          error: "Payment settlement failed",
+          message: settlement?.error || "Settlement returned no success state",
+          facilitator: settlement?.facilitator
+        });
       }
     }
     const responseHeaders = {};
@@ -2043,7 +2218,7 @@ var MoltsPayServer = class {
     }
     const scheme = payment.accepted?.scheme || payment.scheme;
     const network = payment.accepted?.network || payment.network || this.networkId;
-    if (scheme !== "exact") {
+    if (scheme !== "exact" && scheme !== "permit") {
       return { valid: false, error: `Unsupported scheme: ${scheme}` };
     }
     if (!this.isNetworkAccepted(network)) {
@@ -2065,8 +2240,10 @@ var MoltsPayServer = class {
     const tokenAddresses = TOKEN_ADDRESSES[selectedNetwork] || {};
     const tokenAddress = tokenAddresses[selectedToken];
     const tokenDomain = getTokenDomain(selectedNetwork, selectedToken);
+    const isTempo = selectedNetwork === "eip155:42431";
+    const scheme = isTempo ? "permit" : "exact";
     const requirements = {
-      scheme: "exact",
+      scheme,
       network: selectedNetwork,
       asset: tokenAddress,
       amount: amountInUnits,
@@ -2094,6 +2271,16 @@ var MoltsPayServer = class {
         };
       }
     }
+    if (isTempo) {
+      const tempoFacilitator = this.registry.get("tempo");
+      const tempoSpender = tempoFacilitator?.getSpenderAddress?.();
+      if (tempoSpender) {
+        requirements.extra = {
+          ...requirements.extra || {},
+          tempoSpender
+        };
+      }
+    }
     return requirements;
   }
   /**
@@ -2228,7 +2415,7 @@ var MoltsPayServer = class {
     }
     const scheme = payment.accepted?.scheme || payment.scheme;
     const network = payment.accepted?.network || payment.network;
-    if (scheme !== "exact") {
+    if (scheme !== "exact" && scheme !== "permit") {
       return this.sendJson(res, 402, { error: `Unsupported scheme: ${scheme}` });
     }
     const expectedNetwork = chain ? CHAIN_TO_NETWORK[chain] || this.networkId : this.networkId;