mppx 0.3.9 → 0.3.12

package/src/client/internal/Fetch.test.ts

@@ -268,6 +268,374 @@ describe('Fetch.from', () => {
   })
 })
 
+// Minimal mock method — createCredential is only invoked on the 402 retry path.
+const noopMethod = {
+  name: 'test',
+  intent: 'test',
+  context: undefined,
+  createCredential: async () => 'credential',
+} as any
+
+/** Builds a valid 402 response with a WWW-Authenticate header. */
+function make402(overrides?: { method?: string; intent?: string }) {
+  const method = overrides?.method ?? 'test'
+  const intent = overrides?.intent ?? 'test'
+  const request = btoa(JSON.stringify({ amount: '1' }))
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/, '')
+  const header = `Payment id="abc", realm="test", method="${method}", intent="${intent}", request="${request}"`
+  return new Response(null, {
+    status: 402,
+    headers: { 'WWW-Authenticate': header },
+  })
+}
+
+describe('Fetch.from: init passthrough (non-402)', () => {
+  test('passes unmodified init to underlying fetch for non-402 responses', async () => {
+    const receivedInits: (RequestInit | undefined)[] = []
+    const mockFetch: typeof globalThis.fetch = async (_input, init) => {
+      receivedInits.push(init)
+      return new Response('OK', { status: 200 })
+    }
+
+    const fetch = Fetch.from({
+      fetch: mockFetch,
+      methods: [noopMethod],
+    })
+
+    const customInit = {
+      method: 'POST',
+      headers: { 'X-Custom': 'value' },
+      body: JSON.stringify({ data: 'test' }),
+    }
+
+    await fetch('https://example.com/ws-upgrade', customInit)
+
+    expect(receivedInits[0]).toBe(customInit)
+  })
+
+  test('preserves extra properties on init for non-402 responses', async () => {
+    const receivedInits: (RequestInit | undefined)[] = []
+    const mockFetch: typeof globalThis.fetch = async (_input, init) => {
+      receivedInits.push(init)
+      return new Response('OK', { status: 200 })
+    }
+
+    const fetch = Fetch.from({
+      fetch: mockFetch,
+      methods: [noopMethod],
+    })
+
+    const customInit = {
+      method: 'GET',
+      headers: { Authorization: 'Bearer token123' },
+      signal: AbortSignal.timeout(5000),
+    }
+
+    await fetch('https://example.com/api', customInit)
+
+    const received = receivedInits[0]!
+    expect(received.method).toBe('GET')
+    expect((received.headers as Record<string, string>).Authorization).toBe('Bearer token123')
+    expect(received.signal).toBe(customInit.signal)
+  })
+
+  test('passes through undefined init', async () => {
+    const receivedInits: (RequestInit | undefined)[] = []
+    const mockFetch: typeof globalThis.fetch = async (_input, init) => {
+      receivedInits.push(init)
+      return new Response('OK', { status: 200 })
+    }
+
+    const fetch = Fetch.from({
+      fetch: mockFetch,
+      methods: [noopMethod],
+    })
+
+    await fetch('https://example.com/api')
+    expect(receivedInits[0]).toBeUndefined()
+  })
+
+  test('passes init with context through untouched', async () => {
+    const receivedInits: (RequestInit | undefined)[] = []
+    const mockFetch: typeof globalThis.fetch = async (_input, init) => {
+      receivedInits.push(init)
+      return new Response('OK', { status: 200 })
+    }
+
+    const fetch = Fetch.from({
+      fetch: mockFetch,
+      methods: [noopMethod],
+    })
+
+    const customInit = { method: 'POST', context: { account: '0xabc' } }
+    await fetch('https://example.com/api', customInit as any)
+
+    expect(receivedInits[0]).toBe(customInit)
+  })
+
+  test('preserves object identity across all non-402 status codes', async () => {
+    for (const status of [200, 201, 204, 301, 400, 401, 403, 404, 500, 503]) {
+      const receivedInits: (RequestInit | undefined)[] = []
+      const mockFetch: typeof globalThis.fetch = async (_input, init) => {
+        receivedInits.push(init)
+        return new Response(null, { status })
+      }
+
+      const fetch = Fetch.from({
+        fetch: mockFetch,
+        methods: [noopMethod],
+      })
+
+      const customInit = { method: 'GET' }
+      await fetch('https://example.com/api', customInit)
+      expect(receivedInits[0]).toBe(customInit)
+    }
+  })
+})
+
+describe('Fetch.from: 402 retry path', () => {
+  test('strips context from init on retry', async () => {
+    const calls: { init: RequestInit | undefined }[] = []
+    let callCount = 0
+    const mockFetch: typeof globalThis.fetch = async (_input, init) => {
+      calls.push({ init })
+      callCount++
+      if (callCount === 1) return make402()
+      return new Response('OK', { status: 200 })
+    }
+
+    const fetch = Fetch.from({
+      fetch: mockFetch,
+      methods: [noopMethod],
+    })
+
+    await fetch('https://example.com/api', {
+      method: 'POST',
+      context: { account: '0xabc' },
+    } as any)
+
+    expect(calls).toHaveLength(2)
+    const retryInit = calls[1]!.init as Record<string, unknown>
+    expect(retryInit).not.toHaveProperty('context')
+  })
+
+  test('adds Authorization header on retry', async () => {
+    let callCount = 0
+    const calls: { init: RequestInit | undefined }[] = []
+    const mockFetch: typeof globalThis.fetch = async (_input, init) => {
+      calls.push({ init })
+      callCount++
+      if (callCount === 1) return make402()
+      return new Response('OK', { status: 200 })
+    }
+
+    const fetch = Fetch.from({
+      fetch: mockFetch,
+      methods: [noopMethod],
+    })
+
+    await fetch('https://example.com/api')
+
+    const retryInit = calls[1]!.init as Record<string, unknown>
+    const headers = retryInit.headers as Record<string, string>
+    expect(headers.Authorization).toBe('credential')
+  })
+
+  test('preserves existing headers on retry', async () => {
+    let callCount = 0
+    const calls: { init: RequestInit | undefined }[] = []
+    const mockFetch: typeof globalThis.fetch = async (_input, init) => {
+      calls.push({ init })
+      callCount++
+      if (callCount === 1) return make402()
+      return new Response('OK', { status: 200 })
+    }
+
+    const fetch = Fetch.from({
+      fetch: mockFetch,
+      methods: [noopMethod],
+    })
+
+    await fetch('https://example.com/api', {
+      headers: { 'X-Custom': 'value', 'Content-Type': 'application/json' },
+    })
+
+    const retryInit = calls[1]!.init as Record<string, unknown>
+    const headers = retryInit.headers as Record<string, string>
+    expect(headers['X-Custom']).toBe('value')
+    expect(headers['Content-Type']).toBe('application/json')
+    expect(headers.Authorization).toBe('credential')
+  })
+
+  test('preserves method and other init properties on retry', async () => {
+    let callCount = 0
+    const calls: { init: RequestInit | undefined }[] = []
+    const mockFetch: typeof globalThis.fetch = async (_input, init) => {
+      calls.push({ init })
+      callCount++
+      if (callCount === 1) return make402()
+      return new Response('OK', { status: 200 })
+    }
+
+    const fetch = Fetch.from({
+      fetch: mockFetch,
+      methods: [noopMethod],
+    })
+
+    await fetch('https://example.com/api', {
+      method: 'PUT',
+      body: JSON.stringify({ data: 'test' }),
+      credentials: 'include',
+      mode: 'cors',
+    })
+
+    const retryInit = calls[1]!.init as Record<string, unknown>
+    expect(retryInit.method).toBe('PUT')
+    expect(retryInit.body).toBe(JSON.stringify({ data: 'test' }))
+    expect(retryInit.credentials).toBe('include')
+    expect(retryInit.mode).toBe('cors')
+  })
+
+  test('handles undefined init on 402 retry', async () => {
+    let callCount = 0
+    const calls: { init: RequestInit | undefined }[] = []
+    const mockFetch: typeof globalThis.fetch = async (_input, init) => {
+      calls.push({ init })
+      callCount++
+      if (callCount === 1) return make402()
+      return new Response('OK', { status: 200 })
+    }
+
+    const fetch = Fetch.from({
+      fetch: mockFetch,
+      methods: [noopMethod],
+    })
+
+    await fetch('https://example.com/api')
+
+    expect(calls).toHaveLength(2)
+    const retryInit = calls[1]!.init as Record<string, unknown>
+    expect(retryInit.headers).toEqual({ Authorization: 'credential' })
+  })
+
+  test('throws when no matching method for 402 challenge', async () => {
+    const mockFetch: typeof globalThis.fetch = async () =>
+      make402({ method: 'stripe', intent: 'charge' })
+
+    const fetch = Fetch.from({
+      fetch: mockFetch,
+      methods: [noopMethod],
+    })
+
+    await expect(fetch('https://example.com/api')).rejects.toThrow(
+      'No method found for "stripe.charge"',
+    )
+  })
+
+  test('retries exactly once — does not loop on repeated 402', async () => {
+    let callCount = 0
+    const mockFetch: typeof globalThis.fetch = async () => {
+      callCount++
+      return make402()
+    }
+
+    const fetch = Fetch.from({
+      fetch: mockFetch,
+      methods: [noopMethod],
+    })
+
+    const response = await fetch('https://example.com/api')
+    expect(callCount).toBe(2)
+    expect(response.status).toBe(402)
+  })
+})
+
+describe('Fetch.from: 402 retry headers normalization', () => {
+  test('preserves headers when passed as a Headers instance', async () => {
+    let callCount = 0
+    const calls: { init: RequestInit | undefined }[] = []
+    const mockFetch: typeof globalThis.fetch = async (_input, init) => {
+      calls.push({ init })
+      callCount++
+      if (callCount === 1) return make402()
+      return new Response('OK', { status: 200 })
+    }
+
+    const fetch = Fetch.from({
+      fetch: mockFetch,
+      methods: [noopMethod],
+    })
+
+    const headers = new Headers({ 'X-Custom': 'value', 'Content-Type': 'application/json' })
+    await fetch('https://example.com/api', { headers })
+
+    const retryHeaders = (calls[1]!.init as Record<string, unknown>).headers as Record<
+      string,
+      string
+    >
+    expect(retryHeaders['x-custom']).toBe('value')
+    expect(retryHeaders['content-type']).toBe('application/json')
+    expect(retryHeaders.Authorization).toBe('credential')
+  })
+
+  test('preserves headers when passed as array of tuples', async () => {
+    let callCount = 0
+    const calls: { init: RequestInit | undefined }[] = []
+    const mockFetch: typeof globalThis.fetch = async (_input, init) => {
+      calls.push({ init })
+      callCount++
+      if (callCount === 1) return make402()
+      return new Response('OK', { status: 200 })
+    }
+
+    const fetch = Fetch.from({
+      fetch: mockFetch,
+      methods: [noopMethod],
+    })
+
+    await fetch('https://example.com/api', {
+      headers: [
+        ['X-Custom', 'value'],
+        ['Accept', 'application/json'],
+      ],
+    })
+
+    const retryHeaders = (calls[1]!.init as Record<string, unknown>).headers as Record<
+      string,
+      string
+    >
+    expect(retryHeaders['X-Custom']).toBe('value')
+    expect(retryHeaders.Accept).toBe('application/json')
+    expect(retryHeaders.Authorization).toBe('credential')
+  })
+})
+
+describe('Fetch.from: input passthrough', () => {
+  test('passes URL input through on both initial and retry calls', async () => {
+    let callCount = 0
+    const receivedInputs: (RequestInfo | URL)[] = []
+    const mockFetch: typeof globalThis.fetch = async (input, _init) => {
+      receivedInputs.push(input)
+      callCount++
+      if (callCount === 1) return make402()
+      return new Response('OK', { status: 200 })
+    }
+
+    const fetch = Fetch.from({
+      fetch: mockFetch,
+      methods: [noopMethod],
+    })
+
+    const url = new URL('https://example.com/resource')
+    await fetch(url)
+
+    expect(receivedInputs[0]).toBe(url)
+    expect(receivedInputs[1]).toBe(url)
+  })
+})
+
 describe('Fetch.polyfill', () => {
   test('default', async () => {
     Fetch.polyfill({
@@ -313,3 +681,45 @@ describe('Fetch.polyfill', () => {
     Fetch.restore()
   })
 })
+
+describe('Fetch.polyfill / restore', () => {
+  test('restore is a no-op when polyfill was never called', () => {
+    const before = globalThis.fetch
+    Fetch.restore()
+    expect(globalThis.fetch).toBe(before)
+  })
+
+  test('restore reverts to original fetch', () => {
+    const originalFetch = globalThis.fetch
+
+    Fetch.polyfill({ methods: [noopMethod] })
+    expect(globalThis.fetch).not.toBe(originalFetch)
+
+    Fetch.restore()
+    expect(globalThis.fetch).toBe(originalFetch)
+  })
+
+  test('stacked polyfill calls preserve the true original fetch', () => {
+    const originalFetch = globalThis.fetch
+
+    Fetch.polyfill({ methods: [noopMethod] })
+    const firstPolyfill = globalThis.fetch
+
+    Fetch.polyfill({ methods: [noopMethod] })
+    expect(globalThis.fetch).not.toBe(firstPolyfill)
+
+    Fetch.restore()
+    expect(globalThis.fetch).toBe(originalFetch)
+  })
+
+  test('double restore does not clobber fetch', () => {
+    const originalFetch = globalThis.fetch
+
+    Fetch.polyfill({ methods: [noopMethod] })
+    Fetch.restore()
+    expect(globalThis.fetch).toBe(originalFetch)
+
+    Fetch.restore()
+    expect(globalThis.fetch).toBe(originalFetch)
+  })
+})

package/src/client/internal/Fetch.ts

@@ -31,11 +31,15 @@ export function from<const methods extends readonly Method.AnyClient[]>(
   const { fetch = globalThis.fetch, methods, onChallenge } = config
 
   return async (input, init) => {
-    const { context, ...fetchInit } = init ?? {}
-    const response = await fetch(input, fetchInit)
+    // Pass init through untouched to preserve object identity for non-402 responses.
+    const response = await fetch(input, init)
 
     if (response.status !== 402) return response
 
+    // Only extract context for payment handling after confirming 402.
+    const context = (init as Record<string, unknown> | undefined)?.context
+    const { context: _, ...fetchInit } = (init ?? {}) as Record<string, unknown>
+
     const challenge = Challenge.fromResponse(response)
 
     const mi = methods.find((m) => m.name === challenge.method && m.intent === challenge.intent)
@@ -55,7 +59,7 @@ export function from<const methods extends readonly Method.AnyClient[]>(
     return fetch(input, {
       ...fetchInit,
       headers: {
-        ...fetchInit.headers,
+        ...normalizeHeaders(fetchInit.headers),
         Authorization: credential,
       },
     })
@@ -64,9 +68,9 @@ export function from<const methods extends readonly Method.AnyClient[]>(
 
 /** Union of all context types from all methods that have context schemas. */
 type AnyContextFor<methods extends readonly Method.AnyClient[]> = {
-  [K in keyof methods]: methods[K] extends Method.Client<any, infer contextSchema>
-    ? contextSchema extends z.ZodMiniType
-      ? z.input<contextSchema>
+  [K in keyof methods]: NonNullable<methods[K]['context']> extends infer ctx
+    ? ctx extends z.ZodMiniType
+      ? z.input<ctx>
       : undefined
     : undefined
 }[number]
@@ -123,7 +127,7 @@ export declare namespace from {
 export function polyfill<const methods extends readonly Method.AnyClient[]>(
   config: polyfill.Config<methods>,
 ): void {
-  originalFetch = globalThis.fetch
+  if (!originalFetch) originalFetch = globalThis.fetch
   globalThis.fetch = from(config) as typeof globalThis.fetch
 }
 
@@ -153,6 +157,20 @@ export function restore(): void {
   }
 }
 
+/** @internal Normalizes headers to a plain object for spreading. */
+function normalizeHeaders(headers: unknown): Record<string, string> {
+  if (!headers) return {}
+  if (headers instanceof Headers) {
+    const result: Record<string, string> = {}
+    headers.forEach((value, key) => {
+      result[key] = value
+    })
+    return result
+  }
+  if (Array.isArray(headers)) return Object.fromEntries(headers)
+  return headers as Record<string, string>
+}
+
 /** @internal */
 async function resolveCredential(
   challenge: Challenge.Challenge,

package/src/internal/constantTimeEqual.ts

@@ -1,7 +1,8 @@
+import { createHash, timingSafeEqual } from 'node:crypto'
+
 /** Constant-time string comparison to prevent timing attacks. */
 export function constantTimeEqual(a: string, b: string): boolean {
-  if (a.length !== b.length) return false
-  let result = 0
-  for (let i = 0; i < a.length; i++) result |= a.charCodeAt(i) ^ b.charCodeAt(i)
-  return result === 0
+  const hashA = createHash('sha256').update(a).digest()
+  const hashB = createHash('sha256').update(b).digest()
+  return timingSafeEqual(hashA, hashB)
 }

package/src/internal/env.test.ts

@@ -9,8 +9,8 @@ describe('Env.get', () => {
     expect(Env.get('realm')).toBe('MPP Payment')
   })
 
-  test('returns default secretKey when MPP_SECRET_KEY is not set', () => {
-    expect(Env.get('secretKey')).toBe('tmp')
+  test('returns undefined when MPP_SECRET_KEY is not set', () => {
+    expect(Env.get('secretKey')).toBeUndefined()
   })
 
   test('returns MPP_SECRET_KEY when set', () => {

package/src/internal/env.ts

@@ -17,13 +17,12 @@ const variables = {
 /** Fallback values when no environment variable is set. */
 const defaults = {
   realm: 'MPP Payment',
-  secretKey: 'tmp',
-} as const satisfies Record<keyof typeof variables, string>
+} as const satisfies Partial<Record<keyof typeof variables, string>>
 
 /**
  * Resolves a configuration value from environment variables.
  *
- * Checks platform-specific env vars in order, falling back to a default.
+ * Checks platform-specific env vars in order, falling back to a default if one exists.
  *
  * @example
  * ```ts
@@ -31,12 +30,12 @@ const defaults = {
  * Env.get('secretKey') // e.g. value of MPP_SECRET_KEY
  * ```
  */
-export function get(key: keyof typeof variables): string {
+export function get(key: keyof typeof variables): string | undefined {
   for (const name of variables[key]) {
     const value = read(name)
     if (value) return value
   }
-  return defaults[key]
+  return (defaults as Record<string, string | undefined>)[key]
 }
 
 /** Reads a single environment variable, probing available runtime APIs. */

package/src/middlewares/express.test.ts

@@ -21,6 +21,8 @@ function createServer(app: express.Express) {
   })
 }
 
+const secretKey = 'test-secret-key'
+
 describe('charge', () => {
   const mppx = Mppx.create({
     methods: [
@@ -30,6 +32,7 @@ describe('charge', () => {
         recipient: accounts[0].address,
       }),
     ],
+    secretKey,
   })
 
   const { fetch } = Mppx_client.create({
@@ -99,6 +102,7 @@ describe('session', () => {
           escrowContract,
         }),
       ],
+      secretKey,
     })
 
     const app = express()
@@ -125,6 +129,7 @@ describe('session', () => {
           feePayer: accounts[0],
         }),
       ],
+      secretKey,
     })
 
     const { fetch } = Mppx_client.create({

package/src/middlewares/hono.test.ts

@@ -21,6 +21,8 @@ function createServer(app: Hono) {
   })
 }
 
+const secretKey = 'test-secret-key'
+
 describe('charge', () => {
   const mppx = Mppx.create({
     methods: [
@@ -30,6 +32,7 @@ describe('charge', () => {
         recipient: accounts[0].address,
       }),
     ],
+    secretKey,
   })
 
   const { fetch } = Mppx_client.create({
@@ -92,6 +95,7 @@ describe('session', () => {
           escrowContract,
         }),
       ],
+      secretKey,
     })
 
     const app = new Hono()
@@ -118,6 +122,7 @@ describe('session', () => {
           feePayer: accounts[0],
         }),
       ],
+      secretKey,
     })
 
     const { fetch } = Mppx_client.create({

package/src/middlewares/internal/mppx.ts

@@ -23,8 +23,11 @@ export function wrap<mppx extends Mppx.Mppx<any, any>, handler>(
 ): Wrap<mppx, handler> {
   const result: Record<string, unknown> = { ...mppx }
   for (const mi of mppx.methods as readonly Method.AnyServer[]) {
-    const methodFn = (mppx as any)[mi.intent]
-    result[mi.intent] = (options: any) => wrapper(methodFn, options)
+    const key = `${mi.name}/${mi.intent}`
+    const methodFn = (mppx as any)[key]
+    result[key] = (options: any) => wrapper(methodFn, options)
+    // Also set shorthand intent key if Mppx registered it (no collision)
+    if ((mppx as any)[mi.intent]) result[mi.intent] = (options: any) => wrapper(methodFn, options)
   }
   return result as never
 }

package/src/middlewares/nextjs.test.ts

@@ -33,6 +33,8 @@ function createServer(handler: (request: Request) => Promise<Response> | Respons
   })
 }
 
+const secretKey = 'test-secret-key'
+
 describe('charge', () => {
   const mppx = Mppx.create({
     methods: [
@@ -42,6 +44,7 @@ describe('charge', () => {
         recipient: accounts[0].address,
       }),
     ],
+    secretKey,
   })
 
   const { fetch } = Mppx_client.create({
@@ -106,6 +109,7 @@ describe('session', () => {
           escrowContract,
         }),
       ],
+      secretKey,
     })
 
     const handler = mppx.session({ amount: '1', unitType: 'token' })(() =>
@@ -131,6 +135,7 @@ describe('session', () => {
           feePayer: accounts[0],
         }),
       ],
+      secretKey,
     })
 
     const { fetch } = Mppx_client.create({

package/src/proxy/Proxy.test.ts

@@ -9,6 +9,8 @@ import * as Service from './Service.js'
 import { anthropic } from './services/anthropic.js'
 import { openai } from './services/openai.js'
 
+const secretKey = 'test-secret-key'
+
 const mppx_server = Mppx_server.create({
   methods: [
     tempo_server({
@@ -18,6 +20,7 @@ const mppx_server = Mppx_server.create({
       feePayer: true,
     }),
   ],
+  secretKey,
 })
 
 const mppx_client = Mppx_client.create({

package/src/proxy/services/openai.test.ts

@@ -10,6 +10,8 @@ import { openai } from './openai.js'
 const apiKey = process.env.VITE_OPENAI_API_KEY
 if (!apiKey) console.warn('OPENAI_API_KEY not set — openai proxy tests will be skipped')
 
+const secretKey = 'test-secret-key'
+
 const mppx_server = Mppx_server.create({
   methods: [
     tempo_server({
@@ -18,6 +20,7 @@ const mppx_server = Mppx_server.create({
       getClient: () => client,
     }),
   ],
+  secretKey,
 })
 
 const mppx_client = Mppx_client.create({