mppx 0.3.12 → 0.3.14

package/src/client/internal/Fetch.test.ts

@@ -552,66 +552,6 @@ describe('Fetch.from: 402 retry path', () => {
   })
 })
 
-describe('Fetch.from: 402 retry headers normalization', () => {
-  test('preserves headers when passed as a Headers instance', async () => {
-    let callCount = 0
-    const calls: { init: RequestInit | undefined }[] = []
-    const mockFetch: typeof globalThis.fetch = async (_input, init) => {
-      calls.push({ init })
-      callCount++
-      if (callCount === 1) return make402()
-      return new Response('OK', { status: 200 })
-    }
-
-    const fetch = Fetch.from({
-      fetch: mockFetch,
-      methods: [noopMethod],
-    })
-
-    const headers = new Headers({ 'X-Custom': 'value', 'Content-Type': 'application/json' })
-    await fetch('https://example.com/api', { headers })
-
-    const retryHeaders = (calls[1]!.init as Record<string, unknown>).headers as Record<
-      string,
-      string
-    >
-    expect(retryHeaders['x-custom']).toBe('value')
-    expect(retryHeaders['content-type']).toBe('application/json')
-    expect(retryHeaders.Authorization).toBe('credential')
-  })
-
-  test('preserves headers when passed as array of tuples', async () => {
-    let callCount = 0
-    const calls: { init: RequestInit | undefined }[] = []
-    const mockFetch: typeof globalThis.fetch = async (_input, init) => {
-      calls.push({ init })
-      callCount++
-      if (callCount === 1) return make402()
-      return new Response('OK', { status: 200 })
-    }
-
-    const fetch = Fetch.from({
-      fetch: mockFetch,
-      methods: [noopMethod],
-    })
-
-    await fetch('https://example.com/api', {
-      headers: [
-        ['X-Custom', 'value'],
-        ['Accept', 'application/json'],
-      ],
-    })
-
-    const retryHeaders = (calls[1]!.init as Record<string, unknown>).headers as Record<
-      string,
-      string
-    >
-    expect(retryHeaders['X-Custom']).toBe('value')
-    expect(retryHeaders.Accept).toBe('application/json')
-    expect(retryHeaders.Authorization).toBe('credential')
-  })
-})
-
 describe('Fetch.from: input passthrough', () => {
   test('passes URL input through on both initial and retry calls', async () => {
     let callCount = 0
@@ -722,4 +662,20 @@ describe('Fetch.polyfill / restore', () => {
     Fetch.restore()
     expect(globalThis.fetch).toBe(originalFetch)
   })
+
+  test('restore is a no-op when fetch was replaced externally after polyfill', () => {
+    const originalFetch = globalThis.fetch
+    const externalFetch = vi.fn(
+      async (_input: RequestInfo | URL, _init?: RequestInit) =>
+        new Response('external', { status: 200 }),
+    ) as unknown as typeof globalThis.fetch
+
+    Fetch.polyfill({ methods: [noopMethod] })
+    globalThis.fetch = externalFetch
+
+    Fetch.restore()
+    expect(globalThis.fetch).toBe(externalFetch)
+
+    globalThis.fetch = originalFetch
+  })
 })

package/src/client/internal/Fetch.ts

@@ -2,6 +2,15 @@ import * as Challenge from '../../Challenge.js'
 import type * as Method from '../../Method.js'
 import type * as z from '../../zod.js'
 
+// We tag wrappers with a global symbol so we can recognize wrappers created by mppx,
+// even across multiple module instances/bundles. This lets restore() avoid clobbering
+// an unrelated fetch installed by user code or another library.
+const MPPX_FETCH_WRAPPER = Symbol.for('mppx.fetch.wrapper')
+
+type WrappedFetch = typeof globalThis.fetch & {
+  [MPPX_FETCH_WRAPPER]?: typeof globalThis.fetch
+}
+
 let originalFetch: typeof globalThis.fetch | undefined
 
 /**
@@ -29,10 +38,13 @@ export function from<const methods extends readonly Method.AnyClient[]>(
   config: from.Config<methods>,
 ): from.Fetch<methods> {
   const { fetch = globalThis.fetch, methods, onChallenge } = config
+  // Always operate on the true underlying fetch to avoid wrapper-on-wrapper stacking,
+  // which can duplicate retries and make restore semantics fragile.
+  const baseFetch = unwrapFetch(fetch)
 
-  return async (input, init) => {
+  const wrappedFetch = async (input: RequestInfo | URL, init?: from.RequestInit<methods>) => {
     // Pass init through untouched to preserve object identity for non-402 responses.
-    const response = await fetch(input, init)
+    const response = await baseFetch(input, init)
 
     if (response.status !== 402) return response
 
@@ -55,15 +67,18 @@ export function from<const methods extends readonly Method.AnyClient[]>(
         })
       : undefined
     const credential = onChallengeCredential ?? (await resolveCredential(challenge, mi, context))
+    validateCredentialHeaderValue(credential)
 
-    return fetch(input, {
+    return baseFetch(input, {
       ...fetchInit,
-      headers: {
-        ...normalizeHeaders(fetchInit.headers),
-        Authorization: credential,
-      },
+      headers: withAuthorizationHeader(fetchInit.headers, credential),
     })
   }
+
+  // Record the wrapped target so future polyfill() / restore() calls can detect origin
+  // and safely unwrap only mppx-installed wrappers.
+  ;(wrappedFetch as WrappedFetch)[MPPX_FETCH_WRAPPER] = baseFetch
+  return wrappedFetch as from.Fetch<methods>
 }
 
 /** Union of all context types from all methods that have context schemas. */
@@ -127,8 +142,14 @@ export declare namespace from {
 export function polyfill<const methods extends readonly Method.AnyClient[]>(
   config: polyfill.Config<methods>,
 ): void {
+  // Defensive guard for runtimes/tests where fetch might be non-configurable.
+  const descriptor = Object.getOwnPropertyDescriptor(globalThis, 'fetch')
+  if (!descriptor || (!descriptor.writable && !descriptor.set)) {
+    throw new Error('globalThis.fetch is not writable')
+  }
+
   if (!originalFetch) originalFetch = globalThis.fetch
-  globalThis.fetch = from(config) as typeof globalThis.fetch
+  globalThis.fetch = from({ ...config, fetch: globalThis.fetch }) as typeof globalThis.fetch
 }
 
 export declare namespace polyfill {
@@ -151,7 +172,9 @@ export declare namespace polyfill {
  * ```
  */
 export function restore(): void {
-  if (originalFetch) {
+  // Only restore if the current fetch is still an mppx wrapper.
+  // If app code replaced fetch after polyfill(), we must not overwrite it.
+  if (originalFetch && isWrappedFetch(globalThis.fetch)) {
     globalThis.fetch = originalFetch
     originalFetch = undefined
   }
@@ -171,6 +194,40 @@ function normalizeHeaders(headers: unknown): Record<string, string> {
   return headers as Record<string, string>
 }
 
+/** @internal */
+function withAuthorizationHeader(headers: unknown, credential: string): Record<string, string> {
+  const normalized = normalizeHeaders(headers)
+  // Remove any existing Authorization header regardless of casing to avoid
+  // duplicate/conflicting credentials on retry.
+  for (const key of Object.keys(normalized)) {
+    if (key.toLowerCase() === 'authorization') delete normalized[key]
+  }
+  normalized.Authorization = credential
+  return normalized
+}
+
+/** @internal */
+function unwrapFetch(fetch: typeof globalThis.fetch): typeof globalThis.fetch {
+  let current = fetch as WrappedFetch
+  while (current[MPPX_FETCH_WRAPPER]) {
+    current = current[MPPX_FETCH_WRAPPER] as WrappedFetch
+  }
+  return current as typeof globalThis.fetch
+}
+
+/** @internal */
+function isWrappedFetch(fetch: typeof globalThis.fetch): fetch is WrappedFetch {
+  return Boolean((fetch as WrappedFetch)[MPPX_FETCH_WRAPPER])
+}
+
+/** @internal */
+function validateCredentialHeaderValue(credential: string): void {
+  if (!credential.trim()) throw new Error('Credential header value must be non-empty')
+  if (credential.includes('\r') || credential.includes('\n')) {
+    throw new Error('Credential header value contains illegal newline characters')
+  }
+}
+
 /** @internal */
 async function resolveCredential(
   challenge: Challenge.Challenge,

package/src/internal/constantTimeEqual.ts

@@ -1,8 +1,10 @@
-import { createHash, timingSafeEqual } from 'node:crypto'
+import { Hash, Hex } from 'ox'
 
 /** Constant-time string comparison to prevent timing attacks. */
 export function constantTimeEqual(a: string, b: string): boolean {
-  const hashA = createHash('sha256').update(a).digest()
-  const hashB = createHash('sha256').update(b).digest()
-  return timingSafeEqual(hashA, hashB)
+  const hashA = Hash.sha256(Hex.fromString(a))
+  const hashB = Hash.sha256(Hex.fromString(b))
+  let result = 0
+  for (let i = 0; i < hashA.length; i++) result |= hashA.charCodeAt(i) ^ hashB.charCodeAt(i)
+  return result === 0
 }

package/src/mcp-sdk/client/McpClient.test.ts

@@ -157,11 +157,11 @@ describe('McpClient.wrap', () => {
     const challenge = Challenge.fromMethod(tempo_server.charge({ getClient: () => testClient }), {
       realm,
       secretKey,
+      expires: new Date(Date.now() + 60_000).toISOString(),
       request: {
         amount: '1',
         currency: asset,
         decimals: 6,
-        expires: new Date(Date.now() + 60_000).toISOString(),
         recipient: accounts[0].address,
       },
     })

package/src/server/Mppx.ts

@@ -2,6 +2,7 @@ import type { IncomingMessage, ServerResponse } from 'node:http'
 import * as Challenge from '../Challenge.js'
 import type * as Credential from '../Credential.js'
 import * as Errors from '../Errors.js'
+import * as Expires from '../Expires.js'
 import * as Env from '../internal/env.js'
 import type * as Method from '../Method.js'
 import type * as Receipt from '../Receipt.js'
@@ -173,7 +174,8 @@ function createMethodFn(parameters: createMethodFn.Parameters): createMethodFn.R
     return Object.assign(
       async (input: Transport.InputOf): Promise<MethodFn.Response> => {
         const { description, meta, ...rest } = options
-        const expires = 'expires' in options ? (options.expires as string | undefined) : undefined
+        const expires =
+          'expires' in options ? (options.expires as string | undefined) : Expires.minutes(5)
 
         // Merge defaults with per-request options
         const merged = { ...defaults, ...rest }

package/src/server/Transport.test.ts

@@ -10,12 +10,12 @@ const secretKey = 'test-secret-key'
 const challenge = Challenge.fromMethod(Methods.charge, {
   realm,
   secretKey,
+  expires: '2025-01-01T00:00:00.000Z',
   request: {
     amount: '1000',
     currency: '0x20c0000000000000000000000000000000000001',
     decimals: 6,
     recipient: '0x742d35Cc6634C0532925a3b844Bc9e7595f8fE00',
-    expires: '2025-01-01T00:00:00.000Z',
   },
 })
 
@@ -43,14 +43,13 @@ describe('http', () => {
         {
           "challenge": {
             "expires": "2025-01-01T00:00:00.000Z",
-            "id": "4XKyFaMO73Ypu-wOofzu3F8pRIt8vb7zxmWB2GgHAsE",
+            "id": "QNLtjAvrKKR0VlEGSIowhULqcGlCDU4fjrP-O7js8XE",
             "intent": "charge",
             "method": "tempo",
             "realm": "api.example.com",
             "request": {
               "amount": "1000000000",
               "currency": "0x20c0000000000000000000000000000000000001",
-              "expires": "2025-01-01T00:00:00.000Z",
               "recipient": "0x742d35Cc6634C0532925a3b844Bc9e7595f8fE00",
             },
           },
@@ -93,7 +92,7 @@ describe('http', () => {
         {
           "headers": {
             "cache-control": "no-store",
-            "www-authenticate": "Payment id="4XKyFaMO73Ypu-wOofzu3F8pRIt8vb7zxmWB2GgHAsE", realm="api.example.com", method="tempo", intent="charge", request="eyJhbW91bnQiOiIxMDAwMDAwMDAwIiwiY3VycmVuY3kiOiIweDIwYzAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDEiLCJleHBpcmVzIjoiMjAyNS0wMS0wMVQwMDowMDowMC4wMDBaIiwicmVjaXBpZW50IjoiMHg3NDJkMzVDYzY2MzRDMDUzMjkyNWEzYjg0NEJjOWU3NTk1ZjhmRTAwIn0", expires="2025-01-01T00:00:00.000Z"",
+            "www-authenticate": "Payment id="QNLtjAvrKKR0VlEGSIowhULqcGlCDU4fjrP-O7js8XE", realm="api.example.com", method="tempo", intent="charge", request="eyJhbW91bnQiOiIxMDAwMDAwMDAwIiwiY3VycmVuY3kiOiIweDIwYzAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDEiLCJyZWNpcGllbnQiOiIweDc0MmQzNUNjNjYzNEMwNTMyOTI1YTNiODQ0QmM5ZTc1OTVmOGZFMDAifQ", expires="2025-01-01T00:00:00.000Z"",
           },
           "status": 402,
         }
@@ -183,14 +182,13 @@ describe('mcp', () => {
         {
           "challenge": {
             "expires": "2025-01-01T00:00:00.000Z",
-            "id": "4XKyFaMO73Ypu-wOofzu3F8pRIt8vb7zxmWB2GgHAsE",
+            "id": "QNLtjAvrKKR0VlEGSIowhULqcGlCDU4fjrP-O7js8XE",
             "intent": "charge",
             "method": "tempo",
             "realm": "api.example.com",
             "request": {
               "amount": "1000000000",
               "currency": "0x20c0000000000000000000000000000000000001",
-              "expires": "2025-01-01T00:00:00.000Z",
               "recipient": "0x742d35Cc6634C0532925a3b844Bc9e7595f8fE00",
             },
           },
@@ -221,14 +219,13 @@ describe('mcp', () => {
               "challenges": [
                 {
                   "expires": "2025-01-01T00:00:00.000Z",
-                  "id": "4XKyFaMO73Ypu-wOofzu3F8pRIt8vb7zxmWB2GgHAsE",
+                  "id": "QNLtjAvrKKR0VlEGSIowhULqcGlCDU4fjrP-O7js8XE",
                   "intent": "charge",
                   "method": "tempo",
                   "realm": "api.example.com",
                   "request": {
                     "amount": "1000000000",
                     "currency": "0x20c0000000000000000000000000000000000001",
-                    "expires": "2025-01-01T00:00:00.000Z",
                     "recipient": "0x742d35Cc6634C0532925a3b844Bc9e7595f8fE00",
                   },
                 },
@@ -262,7 +259,7 @@ describe('mcp', () => {
           "result": {
             "_meta": {
               "org.paymentauth/receipt": {
-                "challengeId": "4XKyFaMO73Ypu-wOofzu3F8pRIt8vb7zxmWB2GgHAsE",
+                "challengeId": "QNLtjAvrKKR0VlEGSIowhULqcGlCDU4fjrP-O7js8XE",
                 "method": "tempo",
                 "reference": "0xtxhash",
                 "status": "success",

package/src/stripe/Methods.ts

@@ -1,5 +1,4 @@
 import { parseUnits } from 'viem'
-import * as Expires from '../Expires.js'
 import * as Method from '../Method.js'
 import * as z from '../zod.js'
 
@@ -24,7 +23,6 @@ export const charge = Method.from({
         currency: z.string(),
         decimals: z.number(),
         description: z.optional(z.string()),
-        expires: z._default(z.datetime(), () => Expires.minutes(5)),
         externalId: z.optional(z.string()),
         metadata: z.optional(z.record(z.string(), z.string())),
         networkId: z.string(),

package/src/stripe/client/Charge.ts

@@ -66,8 +66,8 @@ export function charge(parameters: charge.Parameters) {
         )
       }
 
-      const expiresAt = challenge.request.expires
-        ? Math.floor(new Date(challenge.request.expires as string).getTime() / 1000)
+      const expiresAt = challenge.expires
+        ? Math.floor(new Date(challenge.expires).getTime() / 1000)
         : Math.floor(Date.now() / 1000) + 3600
 
       const spt = await createToken({

package/src/stripe/server/Charge.ts

@@ -66,8 +66,8 @@ export function charge<const parameters extends charge.Parameters>(parameters: p
       const { challenge } = credential
       const { request } = challenge
 
-      if (request.expires && new Date(request.expires) < new Date())
-        throw new PaymentExpiredError({ expires: request.expires })
+      if (challenge.expires && new Date(challenge.expires) < new Date())
+        throw new PaymentExpiredError({ expires: challenge.expires })
 
       const parsed = Methods.charge.schema.credential.payload.safeParse(credential.payload)
       if (!parsed.success) throw new Error('Invalid credential payload: missing or malformed spt')

package/src/tempo/Methods.test.ts

@@ -82,3 +82,25 @@ describe('charge', () => {
     expect(result.success).toBe(false)
   })
 })
+
+describe('session', () => {
+  test('has correct name and intent', () => {
+    expect(Methods.session.intent).toBe('session')
+    expect(Methods.session.name).toBe('tempo')
+  })
+
+  test('schema: encodes minVoucherDelta in base units', () => {
+    const request = Methods.session.schema.request.parse({
+      amount: '1',
+      currency: '0x20c0000000000000000000000000000000000001',
+      decimals: 6,
+      escrowContract: '0x1234567890abcdef1234567890abcdef12345678',
+      minVoucherDelta: '0.1',
+      recipient: '0x1234567890abcdef1234567890abcdef12345678',
+      unitType: 'token',
+    })
+
+    expect(request.amount).toBe('1000000')
+    expect(request.methodDetails?.minVoucherDelta).toBe('100000')
+  })
+})

package/src/tempo/Methods.ts

@@ -1,6 +1,5 @@
 import type { Account } from 'viem'
 import { parseUnits } from 'viem'
-import * as Expires from '../Expires.js'
 import * as Method from '../Method.js'
 import * as z from '../zod.js'
 
@@ -26,7 +25,6 @@ export const charge = Method.from({
         currency: z.string(),
         decimals: z.number(),
         description: z.optional(z.string()),
-        expires: z._default(z.datetime(), () => Expires.minutes(5)),
         externalId: z.optional(z.string()),
         feePayer: z.optional(
           z.pipe(
@@ -137,7 +135,9 @@ export const session = Method.from({
           methodDetails: {
             escrowContract,
             ...(channelId !== undefined && { channelId }),
-            ...(minVoucherDelta !== undefined && { minVoucherDelta }),
+            ...(minVoucherDelta !== undefined && {
+              minVoucherDelta: parseUnits(minVoucherDelta, decimals).toString(),
+            }),
             ...(chainId !== undefined && { chainId }),
             ...(feePayer !== undefined && { feePayer }),
           },

package/src/tempo/client/Charge.ts

@@ -1,6 +1,6 @@
 import type * as Hex from 'ox/Hex'
 import type { Address } from 'viem'
-import { prepareTransactionRequest, signTransaction } from 'viem/actions'
+import { prepareTransactionRequest, sendCallsSync, signTransaction } from 'viem/actions'
 import { tempo as tempo_chain } from 'viem/chains'
 import { Actions } from 'viem/tempo'
 import * as Credential from '../../Credential.js'
@@ -39,6 +39,7 @@ export function charge(parameters: charge.Parameters = {}) {
     context: z.object({
       account: z.optional(z.custom<Account.getResolver.Parameters['account']>()),
       autoSwap: z.optional(z.custom<charge.AutoSwap>()),
+      mode: z.optional(z.enum(['push', 'pull'])),
     }),
 
     async createCredential({ challenge, context }) {
@@ -46,6 +47,9 @@ export function charge(parameters: charge.Parameters = {}) {
       const client = await getClient({ chainId })
       const account = getAccount(client, context)
 
+      const mode =
+        context?.mode ?? parameters.mode ?? (account.type === 'json-rpc' ? 'push' : 'pull')
+
       const { request } = challenge
       const { amount, methodDetails } = request
       const currency = request.currency as Address
@@ -79,6 +83,21 @@ export function charge(parameters: charge.Parameters = {}) {
 
       const calls = [...(swapCalls ?? []), transferCall]
 
+      if (mode === 'push') {
+        const { receipts } = await sendCallsSync(client, {
+          account,
+          calls: calls as never,
+          experimental_fallback: true,
+        })
+        const hash = receipts?.[0]?.transactionHash
+        if (!hash) throw new Error('No transaction receipt returned.')
+        return Credential.serialize({
+          challenge,
+          payload: { hash, type: 'hash' },
+          source: `did:pkh:eip155:${chainId}:${account.address}`,
+        })
+      }
+
       const prepared = await prepareTransactionRequest(client, {
         account,
         calls,
@@ -111,6 +130,15 @@ export declare namespace charge {
     autoSwap?: AutoSwap | undefined
     /** Client identifier used to derive the client fingerprint in attribution memos. */
     clientId?: string | undefined
+    /**
+     * Controls how the charge transaction is submitted.
+     *
+     * - `'push'`: Client broadcasts the transaction and sends the tx hash to the server.
+     * - `'pull'`: Client signs the transaction and sends the serialized tx to the server for broadcast.
+     *
+     * @default `'push'` for JSON-RPC accounts, `'pull'` for local accounts.
+     */
+    mode?: 'push' | 'pull' | undefined
   } & Account.getResolver.Parameters &
     Client.getResolver.Parameters
 }

package/src/tempo/server/Charge.test.ts

@@ -30,6 +30,17 @@ const server = Mppx_server.create({
 describe('tempo', () => {
   describe('intent: charge; type: hash', () => {
     test('default', async () => {
+      const mppx = Mppx_client.create({
+        polyfill: false,
+        methods: [
+          tempo_client({
+            account: accounts[1],
+            mode: 'push',
+            getClient: () => client,
+          }),
+        ],
+      })
+
       const httpServer = await Http.createServer(async (req, res) => {
         const result = await Mppx_server.toNodeListener(
           server.charge({ amount: '1', decimals: 6 }),
@@ -38,43 +49,15 @@ describe('tempo', () => {
         res.end('OK')
       })
 
-      const response = await fetch(httpServer.url)
-      expect(response.status).toBe(402)
-
-      const challenge = Challenge.fromResponse(response, {
-        methods: [tempo_client.charge()],
-      })
-      const request = challenge.request
-      expect(request.methodDetails?.chainId).toBe(chain.id)
-
-      const memo = Attribution.encode({ serverId: challenge.realm })
-
-      const { receipt } = await Actions.token.transferSync(client, {
-        account: accounts[1],
-        amount: BigInt(request.amount),
-        memo,
-        to: request.recipient as Hex.Hex,
-        token: request.currency as Hex.Hex,
-      })
-      const hash = receipt.transactionHash
-
-      const credential = Credential.from({
-        challenge,
-        payload: { hash, type: 'hash' as const },
-      })
-
-      {
-        const response = await fetch(httpServer.url, {
-          headers: { Authorization: Credential.serialize(credential) },
-        })
-        expect(response.status).toBe(200)
+      const response = await mppx.fetch(httpServer.url)
+      expect(response.status).toBe(200)
 
-        const receipt = Receipt.fromResponse(response)
-        expect({
-          ...receipt,
-          reference: '[reference]',
-          timestamp: '[timestamp]',
-        }).toMatchInlineSnapshot(`
+      const receipt = Receipt.fromResponse(response)
+      expect({
+        ...receipt,
+        reference: '[reference]',
+        timestamp: '[timestamp]',
+      }).toMatchInlineSnapshot(`
             {
               "method": "tempo",
               "reference": "[reference]",
@@ -82,7 +65,6 @@ describe('tempo', () => {
               "timestamp": "[timestamp]",
             }
           `)
-      }
 
       httpServer.close()
     })
@@ -92,6 +74,17 @@ describe('tempo', () => {
       const overrideCurrency = asset
       const overrideExpires = new Date(Date.now() + 60_000).toISOString()
 
+      const mppx = Mppx_client.create({
+        polyfill: false,
+        methods: [
+          tempo_client({
+            account: accounts[1],
+            mode: 'push',
+            getClient: () => client,
+          }),
+        ],
+      })
+
       const httpServer = await Http.createServer(async (req, res) => {
         const result = await Mppx_server.toNodeListener(
           server.charge({
@@ -105,42 +98,11 @@ describe('tempo', () => {
         res.end('OK')
       })
 
-      const response = await fetch(httpServer.url)
-      expect(response.status).toBe(402)
-
-      const challenge = Challenge.fromResponse(response, {
-        methods: [tempo_client.charge()],
-      })
-      const request = challenge.request
-      expect(request.recipient).toBe(overrideRecipient)
-      expect(request.currency).toBe(overrideCurrency)
-      expect(request.expires).toBe(overrideExpires)
-
-      const memo = Attribution.encode({ serverId: challenge.realm })
-
-      const { receipt } = await Actions.token.transferSync(client, {
-        account: accounts[1],
-        amount: BigInt(request.amount),
-        memo,
-        to: request.recipient as Hex.Hex,
-        token: request.currency as Hex.Hex,
-      })
-      const hash = receipt.transactionHash
-
-      const credential = Credential.from({
-        challenge,
-        payload: { hash, type: 'hash' as const },
-      })
-
-      {
-        const response = await fetch(httpServer.url, {
-          headers: { Authorization: Credential.serialize(credential) },
-        })
-        expect(response.status).toBe(200)
+      const response = await mppx.fetch(httpServer.url)
+      expect(response.status).toBe(200)
 
-        const receipt = Receipt.fromResponse(response)
-        expect(receipt.status).toBe('success')
-      }
+      const receipt = Receipt.fromResponse(response)
+      expect(receipt.status).toBe('success')
 
       httpServer.close()
     })

package/src/tempo/server/Charge.ts

@@ -103,7 +103,8 @@ export function charge<const parameters extends charge.Parameters>(
       const client = await getClient({ chainId })
 
       const { request: challengeRequest } = challenge
-      const { amount, expires, methodDetails } = challengeRequest
+      const { amount, methodDetails } = challengeRequest
+      const expires = challenge.expires
 
       const currency = challengeRequest.currency as `0x${string}`
       const recipient = challengeRequest.recipient as `0x${string}`