mppx 0.4.7 → 0.4.8

package/src/server/Mppx.test.ts

@@ -1130,6 +1130,252 @@ describe('nested accessors', () => {
   })
 })
 
+describe('cross-route credential replay via scope binding flaw', () => {
+  // Method whose schema transform moves `amount`, `currency`, and `recipient`
+  // into `methodDetails`, removing them from the top-level request. This mirrors
+  // real-world methods (e.g. Tempo) that restructure fields via z.transform.
+  const transformingMethod = Method.from({
+    name: 'mock',
+    intent: 'charge',
+    schema: {
+      credential: {
+        payload: z.object({ token: z.string() }),
+      },
+      request: z.pipe(
+        z.object({
+          amount: z.string(),
+          currency: z.string(),
+          decimals: z.number(),
+          recipient: z.string(),
+        }),
+        z.transform(({ amount, currency, decimals, recipient }) => ({
+          methodDetails: { amount: String(Number(amount) * 10 ** decimals), currency, recipient },
+        })),
+      ),
+    },
+  })
+
+  function mockReceipt() {
+    return {
+      method: 'mock',
+      reference: 'tx-ref',
+      status: 'success' as const,
+      timestamp: new Date().toISOString(),
+    }
+  }
+
+  const serverMethod = Method.toServer(transformingMethod, {
+    async verify() {
+      return mockReceipt()
+    },
+  })
+
+  test('rejects cheap credential replayed at expensive route when schema transform moves scope fields', async () => {
+    const handler = Mppx.create({ methods: [serverMethod], realm, secretKey })
+
+    // Get a challenge from the "cheap" route ($0.01)
+    const cheapHandle = handler.charge({
+      amount: '0.01',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+    })
+    const cheapResult = await cheapHandle(new Request('https://example.com/cheap'))
+    expect(cheapResult.status).toBe(402)
+    if (cheapResult.status !== 402) throw new Error()
+
+    const cheapChallenge = Challenge.fromResponse(cheapResult.challenge)
+
+    // Build a credential from the cheap challenge
+    const credential = Credential.from({
+      challenge: cheapChallenge,
+      payload: { token: 'valid' },
+    })
+
+    // Present the cheap credential at the "expensive" route ($100)
+    const expensiveHandle = handler.charge({
+      amount: '100',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+    })
+    const result = await expensiveHandle(
+      new Request('https://example.com/expensive', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    // Should be 402 (credential was for $0.01, not $100)
+    expect(result.status).toBe(402)
+  })
+
+  test('rejects credential with mismatched method field', async () => {
+    const otherMethod = Method.from({
+      name: 'other',
+      intent: 'charge',
+      schema: {
+        credential: { payload: z.object({ token: z.string() }) },
+        request: z.object({
+          amount: z.string(),
+          currency: z.string(),
+          decimals: z.number(),
+          recipient: z.string(),
+        }),
+      },
+    })
+
+    const otherServerMethod = Method.toServer(otherMethod, {
+      async verify() {
+        return mockReceipt()
+      },
+    })
+
+    const handler = Mppx.create({ methods: [serverMethod, otherServerMethod], realm, secretKey })
+
+    // Get challenge from mock/charge
+    const mockHandle = handler['mock/charge']({
+      amount: '1',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+    })
+    const mockResult = await mockHandle(new Request('https://example.com/mock'))
+    expect(mockResult.status).toBe(402)
+    if (mockResult.status !== 402) throw new Error()
+
+    const mockChallenge = Challenge.fromResponse(mockResult.challenge)
+    const credential = Credential.from({
+      challenge: mockChallenge,
+      payload: { token: 'valid' },
+    })
+
+    // Present mock/charge credential at other/charge route
+    const otherHandle = handler['other/charge']({
+      amount: '1',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+    })
+    const result = await otherHandle(
+      new Request('https://example.com/other', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    // Should reject (credential was for method "mock", not "other")
+    expect(result.status).toBe(402)
+  })
+
+  test('rejects credential with mismatched intent field', async () => {
+    const sessionMethod = Method.from({
+      name: 'mock',
+      intent: 'session',
+      schema: {
+        credential: { payload: z.object({ token: z.string() }) },
+        request: z.object({
+          amount: z.string(),
+          currency: z.string(),
+          decimals: z.number(),
+          recipient: z.string(),
+        }),
+      },
+    })
+
+    const sessionServerMethod = Method.toServer(sessionMethod, {
+      async verify() {
+        return mockReceipt()
+      },
+    })
+
+    const handler = Mppx.create({ methods: [serverMethod, sessionServerMethod], realm, secretKey })
+
+    // Get challenge from mock/charge
+    const chargeHandle = handler['mock/charge']({
+      amount: '1',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+    })
+    const chargeResult = await chargeHandle(new Request('https://example.com/charge'))
+    expect(chargeResult.status).toBe(402)
+    if (chargeResult.status !== 402) throw new Error()
+
+    const chargeChallenge = Challenge.fromResponse(chargeResult.challenge)
+    const credential = Credential.from({
+      challenge: chargeChallenge,
+      payload: { token: 'valid' },
+    })
+
+    // Present charge credential at session route
+    const sessionHandle = handler['mock/session']({
+      amount: '1',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+    })
+    const result = await sessionHandle(
+      new Request('https://example.com/session', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    // Should reject (credential was for intent "charge", not "session")
+    expect(result.status).toBe(402)
+  })
+
+  test('compose: rejects cheap credential replayed at expensive route when schema transform moves scope fields', async () => {
+    const handler = Mppx.create({ methods: [serverMethod], realm, secretKey })
+
+    const cheapHandle = handler.charge({
+      amount: '0.01',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+    })
+    const expensiveHandle = handler.charge({
+      amount: '100',
+      currency: '0x0000000000000000000000000000000000000001',
+      decimals: 6,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: '0x0000000000000000000000000000000000000002',
+    })
+
+    const composed = Mppx.compose(cheapHandle, expensiveHandle)
+
+    // Get challenge (pick the cheap one)
+    const firstResult = await composed(new Request('https://example.com/resource'))
+    expect(firstResult.status).toBe(402)
+    if (firstResult.status !== 402) throw new Error()
+
+    const challenges = Challenge.fromResponseList(firstResult.challenge)
+    const cheapChallenge = challenges[0]!
+
+    const credential = Credential.from({
+      challenge: cheapChallenge,
+      payload: { token: 'valid' },
+    })
+
+    // The composed handler should NOT route the cheap credential to the expensive handler
+    const result = await composed(
+      new Request('https://example.com/resource', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    // If scope binding works, the credential should route to the cheap handler only.
+    // It should NOT match the expensive handler's canonical request.
+    // The result should be 200 (matched to cheap), not routed to expensive.
+    expect(result.status).toBe(200)
+  })
+})
+
 describe('withReceipt', () => {
   const mockCharge = Method.from({
     name: 'mock',

package/src/server/Mppx.ts

@@ -329,19 +329,36 @@ function createMethodFn(parameters: createMethodFn.Parameters): createMethodFn.R
         }
 
         // Verify the credential's challenge matches this route's configured
-        // request. Prevents cross-route scope confusion where a credential
-        // issued for a cheap route is presented at an expensive route.
+        // method, intent, realm, and request. Prevents cross-route scope
+        // confusion where a credential issued for a cheap route (or different
+        // method/intent) is presented at an expensive route.
         // Note: we compare specific payment parameters rather than the full
         // request because the `request` hook may produce credential-dependent
         // output (e.g. `feePayer` differs between 402 and credential calls).
         {
+          for (const field of ['method', 'intent', 'realm'] as const) {
+            if (credential.challenge[field] !== challenge[field]) {
+              const response = await transport.respondChallenge({
+                challenge,
+                input,
+                error: new Errors.InvalidChallengeError({
+                  id: credential.challenge.id,
+                  reason: `credential ${field} does not match this route's requirements`,
+                }),
+              })
+              return { challenge: response, status: 402 }
+            }
+          }
+
           const routeReq = challenge.request as Record<string, unknown>
           const echoedReq = credential.challenge.request as Record<string, unknown>
+          const routeDetails = (routeReq.methodDetails ?? {}) as Record<string, unknown>
+          const echoedDetails = (echoedReq.methodDetails ?? {}) as Record<string, unknown>
           for (const field of ['amount', 'currency', 'recipient'] as const) {
+            const routeVal = routeReq[field] ?? routeDetails[field]
             if (
-              routeReq[field] !== undefined &&
-              echoedReq[field] !== undefined &&
-              String(routeReq[field]) !== String(echoedReq[field])
+              routeVal !== undefined &&
+              String(routeVal) !== String(echoedReq[field] ?? echoedDetails[field])
             ) {
               const response = await transport.respondChallenge({
                 challenge,
@@ -578,22 +595,24 @@ export function compose(
       if (credential) {
         const { method: credMethod, intent: credIntent } = credential.challenge
         const credReq = credential.challenge.request as Record<string, unknown>
+        const credDetails = (credReq.methodDetails ?? {}) as Record<string, unknown>
 
         // Filter by name+intent, then narrow by comparing stable request fields
         // from the echoed challenge against each handler's canonical request.
         // Uses the schema-parsed canonical form (not raw options) so that
         // transformed fields (e.g. amount with decimals) match correctly.
+        // Also checks inside methodDetails for fields moved there by transforms.
         const candidates = handlers.filter((h) => {
           const meta = (h as ConfiguredHandler)._internal
           if (!meta || meta.name !== credMethod || meta.intent !== credIntent) return false
           const canonical = meta._canonicalRequest
           if (!canonical) return true
+          const canonicalDetails = (canonical.methodDetails ?? {}) as Record<string, unknown>
           for (const field of ['amount', 'currency', 'recipient', 'chainId'] as const) {
-            const canonicalVal = canonical[field]
+            const canonicalVal = canonical[field] ?? canonicalDetails[field]
             if (
               canonicalVal !== undefined &&
-              credReq[field] !== undefined &&
-              String(canonicalVal) !== String(credReq[field])
+              String(canonicalVal) !== String(credReq[field] ?? credDetails[field])
             )
               return false
           }

package/src/tempo/internal/address.ts

@@ -0,0 +1,6 @@
+// TODO: Add `isEqual` to `TempoAddress`.
+import type { TempoAddress } from 'ox/tempo'
+
+export function isEqual(a: TempoAddress.Address, b: TempoAddress.Address) {
+  return a.toLowerCase() === b.toLowerCase()
+}

package/src/tempo/internal/auto-swap.ts

@@ -1,7 +1,7 @@
 import type { Address, Client } from 'viem'
-import { isAddressEqual } from 'viem'
 import { readContract } from 'viem/actions'
 import { Actions, Addresses } from 'viem/tempo'
+import * as TempoAddress from './address.js'
 import * as defaults from './defaults.js'
 
 /** Basis-point denominator (100% = 10 000 bps). */
@@ -26,7 +26,7 @@ export async function findCalls(
 ): Promise<findCalls.ReturnType> {
   const { account, amountOut, tokenOut, tokenIn, slippage } = parameters
 
-  const candidates = tokenIn.filter((t) => !isAddressEqual(t, tokenOut))
+  const candidates = tokenIn.filter((t) => !TempoAddress.isEqual(t, tokenOut))
 
   const balanceResults = await Promise.allSettled([
     readContract(client, Actions.token.getBalance.call({ account, token: tokenOut }) as never),
@@ -108,7 +108,7 @@ export function resolve(
   const tokenIn = value.tokenIn
     ? [
         ...value.tokenIn,
-        ...defaultCurrencies.filter((d) => !value.tokenIn!.some((c) => isAddressEqual(c, d))),
+        ...defaultCurrencies.filter((d) => !value.tokenIn!.some((c) => TempoAddress.isEqual(c, d))),
       ]
     : defaultCurrencies
   return {

package/src/tempo/internal/fee-payer.ts

@@ -1,7 +1,18 @@
-import { decodeFunctionData, isAddressEqual } from 'viem'
+import type { TempoAddress } from 'ox/tempo'
+import { TxEnvelopeTempo } from 'ox/tempo'
+import { decodeFunctionData } from 'viem'
 import { Abis, Addresses } from 'viem/tempo'
+import * as TempoAddress_internal from './address.js'
 import * as Selectors from './selectors.js'
 
+/** Returns true if the serialized transaction has a Tempo envelope prefix. */
+export function isTempoTransaction(serialized: string | undefined): boolean {
+  return (
+    serialized?.startsWith(TxEnvelopeTempo.serializedType) === true ||
+    serialized?.startsWith(TxEnvelopeTempo.feePayerMagic) === true
+  )
+}
+
 /**
  * Allowed call patterns for fee-payer sponsored transactions.
  * Each inner array is an ordered list of function selectors.
@@ -15,7 +26,7 @@ export const callScopes = [
 
 /** Validates that a set of transaction calls matches an allowed fee-payer pattern. */
 export function validateCalls(
-  calls: readonly { data?: `0x${string}` | undefined; to?: `0x${string}` | undefined }[],
+  calls: readonly { data?: `0x${string}` | undefined; to?: TempoAddress.Address | undefined }[],
   details: Record<string, string>,
 ) {
   const callSelectors = calls.map((c) => c.data?.slice(0, 10))
@@ -31,11 +42,14 @@ export function validateCalls(
   const approveCall = calls.find((c) => c.data?.slice(0, 10) === Selectors.approve)
   if (approveCall) {
     const { args } = decodeFunctionData({ abi: Abis.tip20, data: approveCall.data! })
-    if (!isAddressEqual((args as [`0x${string}`])[0]!, Addresses.stablecoinDex))
+    if (!TempoAddress_internal.isEqual((args as [`0x${string}`])[0]!, Addresses.stablecoinDex))
       throw new FeePayerValidationError('approve spender is not the DEX', details)
   }
   const buyCall = calls.find((c) => c.data?.slice(0, 10) === Selectors.swapExactAmountOut)
-  if (buyCall && (!buyCall.to || !isAddressEqual(buyCall.to, Addresses.stablecoinDex)))
+  if (
+    buyCall &&
+    (!buyCall.to || !TempoAddress_internal.isEqual(buyCall.to, Addresses.stablecoinDex))
+  )
     throw new FeePayerValidationError('buy target is not the DEX', details)
 }