mppx 0.4.8 → 0.4.10

package/src/server/Mppx.test.ts

@@ -1,6 +1,6 @@
 import { Challenge, Credential, Method, z } from 'mppx'
 import { Mppx, Transport, tempo } from 'mppx/server'
-import { describe, expect, test } from 'vitest'
+import { describe, expect, test } from 'vp/test'
 import * as Http from '~test/Http.js'
 import { accounts, asset, client } from '~test/tempo/viem.js'
 
@@ -9,6 +9,7 @@ const secretKey = 'test-secret-key'
 
 const method = tempo({
   getClient: () => client,
+  account: accounts[0],
 })
 
 describe('create', () => {
@@ -180,6 +181,198 @@ describe('request handler', () => {
     expect(body.detail).toContain('does not match')
   })
 
+  test('topUp credential bypasses cross-route amount validation', async () => {
+    // Use a session method whose schema defines action: 'topUp'
+    const sessionMethod = Method.from({
+      name: 'mock',
+      intent: 'session',
+      schema: {
+        credential: {
+          payload: z.discriminatedUnion('action', [
+            z.object({ action: z.literal('open'), token: z.string() }),
+            z.object({ action: z.literal('topUp'), token: z.string() }),
+          ]),
+        },
+        request: z.object({
+          amount: z.string(),
+          currency: z.string(),
+          recipient: z.string(),
+        }),
+      },
+    })
+    const sessionServerMethod = Method.toServer(sessionMethod, {
+      async verify() {
+        return {
+          status: 'settled',
+          method: 'mock',
+          timestamp: new Date().toISOString(),
+          reference: 'ref',
+        } as any
+      },
+    })
+    const handler = Mppx.create({ methods: [sessionServerMethod], realm, secretKey })
+
+    // Get a challenge from the "cheap" route (simulates HEAD-obtained challenge)
+    const cheapHandle = handler['mock/session']({
+      amount: '1',
+      currency: asset,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: accounts[0].address,
+    })
+    const cheapResult = await cheapHandle(new Request('https://example.com/cheap'))
+    expect(cheapResult.status).toBe(402)
+    if (cheapResult.status !== 402) throw new Error()
+
+    const cheapChallenge = Challenge.fromResponse(cheapResult.challenge)
+
+    // Build a topUp credential from the cheap challenge (echoed from HEAD)
+    const credential = Credential.from({
+      challenge: cheapChallenge,
+      payload: { action: 'topUp', token: 'valid' },
+    })
+
+    // Present it at the "expensive" route — topUp should bypass amount check
+    const expensiveHandle = handler['mock/session']({
+      amount: '1000000',
+      currency: asset,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: accounts[0].address,
+    })
+    const result = await expensiveHandle(
+      new Request('https://example.com/expensive', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    // Should NOT get 402 for amount mismatch — topUp bypasses the check.
+    // It will fail at a later stage (payload validation), but not with
+    // "does not match this route's requirements".
+    if (result.status === 402) {
+      const body = (await result.challenge.json()) as { detail?: string }
+      expect(body.detail).not.toContain('does not match')
+    }
+  })
+
+  test('voucher credential bypasses cross-route amount validation', async () => {
+    const sessionMethod = Method.from({
+      name: 'mock',
+      intent: 'session',
+      schema: {
+        credential: {
+          payload: z.discriminatedUnion('action', [
+            z.object({ action: z.literal('open'), token: z.string() }),
+            z.object({
+              action: z.literal('voucher'),
+              cumulativeAmount: z.string(),
+              signature: z.string(),
+            }),
+          ]),
+        },
+        request: z.object({
+          amount: z.string(),
+          currency: z.string(),
+          recipient: z.string(),
+        }),
+      },
+    })
+    const sessionServerMethod = Method.toServer(sessionMethod, {
+      async verify() {
+        return {
+          status: 'settled',
+          method: 'mock',
+          timestamp: new Date().toISOString(),
+          reference: 'ref',
+        } as any
+      },
+    })
+    const handler = Mppx.create({ methods: [sessionServerMethod], realm, secretKey })
+
+    // Get a challenge from the "cheap" route (simulates initial SSE request)
+    const cheapHandle = handler['mock/session']({
+      amount: '1',
+      currency: asset,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: accounts[0].address,
+    })
+    const cheapResult = await cheapHandle(new Request('https://example.com/chat'))
+    expect(cheapResult.status).toBe(402)
+    if (cheapResult.status !== 402) throw new Error()
+
+    const cheapChallenge = Challenge.fromResponse(cheapResult.challenge)
+
+    // Build a voucher credential echoing the original challenge — mid-stream
+    // the server may re-price (dynamic pricing), so the route's amount differs
+    const credential = Credential.from({
+      challenge: cheapChallenge,
+      payload: { action: 'voucher', cumulativeAmount: '500', signature: '0xabc' },
+    })
+
+    // Present it at the same route but with a higher price — voucher should
+    // bypass the cross-route amount check just like topUp does
+    const expensiveHandle = handler['mock/session']({
+      amount: '1000000',
+      currency: asset,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: accounts[0].address,
+    })
+    const result = await expensiveHandle(
+      new Request('https://example.com/chat', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    // Should NOT get 402 for amount mismatch — voucher bypasses the check.
+    if (result.status === 402) {
+      const body = (await result.challenge.json()) as { detail?: string }
+      expect(body.detail).not.toContain('does not match')
+    }
+  })
+
+  test('rejects charge credential with injected action: topUp (cross-route bypass attempt)', async () => {
+    const handler = Mppx.create({ methods: [method], realm, secretKey })
+
+    // Get a challenge from the "cheap" route
+    const cheapHandle = handler.charge({
+      amount: '1',
+      currency: asset,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: accounts[0].address,
+    })
+    const cheapResult = await cheapHandle(new Request('https://example.com/cheap'))
+    expect(cheapResult.status).toBe(402)
+    if (cheapResult.status !== 402) throw new Error()
+
+    const cheapChallenge = Challenge.fromResponse(cheapResult.challenge)
+
+    // Malicious client injects action: 'topUp' into a regular charge credential
+    // to try to bypass the cross-route amount check
+    const credential = Credential.from({
+      challenge: cheapChallenge,
+      payload: { action: 'topUp', signature: '0x123', type: 'transaction' },
+    })
+
+    // Present it at the "expensive" route — should still be rejected
+    const expensiveHandle = handler.charge({
+      amount: '1000000',
+      currency: asset,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: accounts[0].address,
+    })
+    const result = await expensiveHandle(
+      new Request('https://example.com/expensive', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    // Injecting action: 'topUp' on a charge credential must not bypass
+    // the cross-route amount check. The credential should be rejected
+    // with "does not match" just like a normal charge credential would be.
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+    const body = (await result.challenge.json()) as { detail: string }
+    expect(body.detail).toContain('does not match')
+  })
+
   test('returns 402 when credential challenge is expired', async () => {
     const pastExpires = new Date(Date.now() - 60_000).toISOString()
 

package/src/server/Mppx.ts

@@ -1,4 +1,5 @@
 import type { IncomingMessage, ServerResponse } from 'node:http'
+
 import * as Challenge from '../Challenge.js'
 import * as Credential from '../Credential.js'
 import * as Errors from '../Errors.js'
@@ -335,6 +336,13 @@ function createMethodFn(parameters: createMethodFn.Parameters): createMethodFn.R
         // Note: we compare specific payment parameters rather than the full
         // request because the `request` hook may produce credential-dependent
         // output (e.g. `feePayer` differs between 402 and credential calls).
+        //
+        // Skip this check for topUp and voucher actions: the route's
+        // `request` hook may produce a different amount because these
+        // requests carry no application body (e.g. no model field for
+        // dynamic pricing). The credential echoes a challenge obtained
+        // from the original request which had the correct amount; the
+        // on-chain voucher signature is the real validation.
         {
           for (const field of ['method', 'intent', 'realm'] as const) {
             if (credential.challenge[field] !== challenge[field]) {
@@ -350,25 +358,36 @@ function createMethodFn(parameters: createMethodFn.Parameters): createMethodFn.R
             }
           }
 
-          const routeReq = challenge.request as Record<string, unknown>
-          const echoedReq = credential.challenge.request as Record<string, unknown>
-          const routeDetails = (routeReq.methodDetails ?? {}) as Record<string, unknown>
-          const echoedDetails = (echoedReq.methodDetails ?? {}) as Record<string, unknown>
-          for (const field of ['amount', 'currency', 'recipient'] as const) {
-            const routeVal = routeReq[field] ?? routeDetails[field]
-            if (
-              routeVal !== undefined &&
-              String(routeVal) !== String(echoedReq[field] ?? echoedDetails[field])
-            ) {
-              const response = await transport.respondChallenge({
-                challenge,
-                input,
-                error: new Errors.InvalidChallengeError({
-                  id: credential.challenge.id,
-                  reason: `credential ${field} does not match this route's requirements`,
-                }),
-              })
-              return { challenge: response, status: 402 }
+          // Use safeParse (not raw payload) so only methods whose schema
+          // defines `action` can trigger the skip. Without this, a client
+          // could inject `action: 'topUp'` on a charge credential to bypass
+          // the amount check. Zod strips unknown keys, so charge payloads
+          // (which don't define `action`) will have it removed.
+          const parsed = method.schema.credential.payload.safeParse(credential.payload)
+          const action = parsed.success
+            ? (parsed.data as Record<string, unknown>)?.action
+            : undefined
+          if (action !== 'topUp' && action !== 'voucher') {
+            const routeReq = challenge.request as Record<string, unknown>
+            const echoedReq = credential.challenge.request as Record<string, unknown>
+            const routeDetails = (routeReq.methodDetails ?? {}) as Record<string, unknown>
+            const echoedDetails = (echoedReq.methodDetails ?? {}) as Record<string, unknown>
+            for (const field of ['amount', 'currency', 'recipient'] as const) {
+              const routeVal = routeReq[field] ?? routeDetails[field]
+              if (
+                routeVal !== undefined &&
+                String(routeVal) !== String(echoedReq[field] ?? echoedDetails[field])
+              ) {
+                const response = await transport.respondChallenge({
+                  challenge,
+                  input,
+                  error: new Errors.InvalidChallengeError({
+                    id: credential.challenge.id,
+                    reason: `credential ${field} does not match this route's requirements`,
+                  }),
+                })
+                return { challenge: response, status: 402 }
+              }
             }
           }
         }

package/src/server/NodeListener.test.ts

@@ -1,5 +1,5 @@
 import { NodeListener, Request } from 'mppx/server'
-import { afterEach, describe, expect, test } from 'vitest'
+import { afterEach, describe, expect, test } from 'vp/test'
 import * as Http from '~test/Http.js'
 
 let server: Awaited<ReturnType<typeof Http.createServer>> | undefined

package/src/server/Request.test.ts

@@ -1,7 +1,8 @@
 import { EventEmitter } from 'node:events'
 import type { IncomingMessage, ServerResponse } from 'node:http'
+
 import { Request } from 'mppx/server'
-import { describe, expect, test } from 'vitest'
+import { describe, expect, test } from 'vp/test'
 
 function createMockRequest(options: {
   method?: string

package/src/server/Request.ts

@@ -1,4 +1,5 @@
 import type { IncomingMessage, RequestListener, ServerResponse } from 'node:http'
+
 import * as FetchServer from '@remix-run/node-fetch-server'
 
 export type FetchHandler = (request: Request) => Promise<Response> | Response

package/src/server/Response.test.ts

@@ -1,6 +1,7 @@
 import { Challenge } from 'mppx'
 import { Response } from 'mppx/server'
-import { describe, expect, test } from 'vitest'
+import { describe, expect, test } from 'vp/test'
+
 import * as Errors from '../Errors.js'
 
 const challenge = Challenge.from({

package/src/server/Transport.test.ts

@@ -1,7 +1,8 @@
 import { Challenge, Credential, Mcp, Receipt } from 'mppx'
 import { Transport } from 'mppx/server'
 import { Methods } from 'mppx/tempo'
-import { describe, expect, test } from 'vitest'
+import { describe, expect, test } from 'vp/test'
+
 import { BadRequestError, ChannelClosedError } from '../Errors.js'
 
 const realm = 'api.example.com'

package/src/stripe/Charge.integration.test.ts

@@ -1,7 +1,7 @@
 import { Challenge, Credential, Receipt } from 'mppx'
 import { Mppx as Mppx_client, stripe as stripe_client } from 'mppx/client'
 import { Mppx as Mppx_server, stripe as stripe_server } from 'mppx/server'
-import { afterEach, describe, expect, test } from 'vitest'
+import { afterEach, describe, expect, test } from 'vp/test'
 import * as Http from '~test/Http.js'
 
 const stripeSecretKey = process.env.VITE_STRIPE_SECRET_KEY

package/src/stripe/Methods.test.ts

@@ -1,5 +1,5 @@
 import { Methods } from 'mppx/stripe'
-import { describe, expect, expectTypeOf, test } from 'vitest'
+import { describe, expect, expectTypeOf, test } from 'vp/test'
 
 describe('charge', () => {
   test('has correct name and intent', () => {

package/src/stripe/Methods.ts

@@ -1,4 +1,5 @@
 import { parseUnits } from 'viem'
+
 import * as Method from '../Method.js'
 import * as z from '../zod.js'
 

package/src/stripe/client/Charge.test.ts

@@ -1,7 +1,8 @@
 import { Challenge, Credential } from 'mppx'
 import { Mppx, stripe } from 'mppx/client'
 import { Mppx as Mppx_server, stripe as stripe_server } from 'mppx/server'
-import { describe, expect, test, vi } from 'vitest'
+import { describe, expect, test, vi } from 'vp/test'
+
 import type { StripeJs } from '../internal/types.js'
 import { charge as clientCharge_ } from './Charge.js'
 

package/src/stripe/server/Charge.test.ts

@@ -1,7 +1,8 @@
 import { Challenge, Credential } from 'mppx'
 import { Mppx, stripe } from 'mppx/server'
-import { afterEach, describe, expect, test, vi } from 'vitest'
+import { afterEach, describe, expect, test, vi } from 'vp/test'
 import * as Http from '~test/Http.js'
+
 import type { StripeClient } from '../internal/types.js'
 
 const realm = 'api.example.com'

package/src/tempo/Attribution.test.ts

@@ -1,5 +1,6 @@
 import { Bytes, Hash, Hex } from 'ox'
-import { describe, expect, test } from 'vitest'
+import { describe, expect, test } from 'vp/test'
+
 import * as Attribution from './Attribution.js'
 
 describe('Attribution', () => {

package/src/tempo/Methods.test.ts

@@ -1,5 +1,5 @@
 import { Methods } from 'mppx/tempo'
-import { describe, expect, expectTypeOf, test } from 'vitest'
+import { describe, expect, expectTypeOf, test } from 'vp/test'
 
 describe('charge', () => {
   test('has correct name and intent', () => {

package/src/tempo/Methods.ts

@@ -1,5 +1,6 @@
 import type { Account } from 'viem'
 import { parseUnits } from 'viem'
+
 import * as Method from '../Method.js'
 import * as z from '../zod.js'
 

package/src/tempo/client/ChannelOps.test.ts

@@ -2,9 +2,13 @@ import { Hex } from 'ox'
 import { type Address, createClient } from 'viem'
 import { privateKeyToAccount } from 'viem/accounts'
 import { Addresses } from 'viem/tempo'
-import { beforeAll, describe, expect, test } from 'vitest'
+import { beforeAll, describe, expect, test } from 'vp/test'
+import { nodeEnv } from '~test/config.js'
 import { deployEscrow, openChannel } from '~test/tempo/session.js'
 import { accounts, asset, chain, client, fundAccount, http } from '~test/tempo/viem.js'
+
+const isLocalnet = nodeEnv === 'localnet'
+
 import type { Challenge } from '../../Challenge.js'
 import * as Credential from '../../Credential.js'
 import {
@@ -165,7 +169,7 @@ describe('createClosePayload', () => {
   })
 })
 
-describe('createOpenPayload', () => {
+describe.runIf(isLocalnet)('createOpenPayload', () => {
   const payer = accounts[2]
   const payee = accounts[1].address
   const currency = asset
@@ -249,7 +253,7 @@ describe('createOpenPayload', () => {
   })
 })
 
-describe('tryRecoverChannel', () => {
+describe.runIf(isLocalnet)('tryRecoverChannel', () => {
   const payer = accounts[3]
   const payee = accounts[1].address
   const currency = asset

package/src/tempo/client/ChannelOps.ts

@@ -15,6 +15,7 @@ import {
 } from 'viem'
 import { prepareTransactionRequest, signTransaction } from 'viem/actions'
 import { Abis } from 'viem/tempo'
+
 import type { Challenge } from '../../Challenge.js'
 import * as Credential from '../../Credential.js'
 import * as defaults from '../internal/defaults.js'

package/src/tempo/client/Charge.ts

@@ -3,6 +3,7 @@ import type { Address } from 'viem'
 import { prepareTransactionRequest, sendCallsSync, signTransaction } from 'viem/actions'
 import { tempo as tempo_chain } from 'viem/chains'
 import { Actions } from 'viem/tempo'
+
 import * as Credential from '../../Credential.js'
 import * as Method from '../../Method.js'
 import * as Account from '../../viem/Account.js'

package/src/tempo/client/Session.test.ts

@@ -1,9 +1,13 @@
 import { type Address, createClient, type Hex, http } from 'viem'
 import { privateKeyToAccount } from 'viem/accounts'
 import { Addresses } from 'viem/tempo'
-import { beforeAll, describe, expect, test } from 'vitest'
+import { beforeAll, describe, expect, test } from 'vp/test'
+import { nodeEnv } from '~test/config.js'
 import { deployEscrow, openChannel } from '~test/tempo/session.js'
 import { accounts, asset, chain, client, fundAccount } from '~test/tempo/viem.js'
+
+const isLocalnet = nodeEnv === 'localnet'
+
 import * as Challenge from '../../Challenge.js'
 import * as Credential from '../../Credential.js'
 import { chainId, escrowContract as escrowContractDefaults } from '../internal/defaults.js'
@@ -200,7 +204,7 @@ describe('session (pure)', () => {
   })
 })
 
-describe('session (on-chain)', () => {
+describe.runIf(isLocalnet)('session (on-chain)', () => {
   const payer = accounts[2]
   const payee = accounts[1].address
   let escrowContract: Address

package/src/tempo/client/Session.ts

@@ -1,6 +1,7 @@
 import type { Hex } from 'ox'
 import { type Address, parseUnits, type Account as viem_Account } from 'viem'
 import { tempo as tempo_chain } from 'viem/chains'
+
 import type * as Challenge from '../../Challenge.js'
 import * as Method from '../../Method.js'
 import * as Account from '../../viem/Account.js'

package/src/tempo/client/SessionManager.test.ts

@@ -1,5 +1,6 @@
 import type { Hex } from 'viem'
-import { describe, expect, test, vi } from 'vitest'
+import { describe, expect, test, vi } from 'vp/test'
+
 import * as Challenge from '../../Challenge.js'
 import { formatNeedVoucherEvent, parseEvent } from '../session/Sse.js'
 import type { NeedVoucherEvent, SessionReceipt } from '../session/Types.js'
@@ -207,6 +208,33 @@ describe('Session', () => {
     })
   })
 
+  describe('.sse() headers normalization', () => {
+    test('preserves Headers instance properties when passed as headers', async () => {
+      const mockFetch = vi.fn().mockResolvedValue(makeSseResponse(['event: message\ndata: ok\n\n']))
+
+      const s = sessionManager({
+        account: '0x0000000000000000000000000000000000000001',
+        fetch: mockFetch as typeof globalThis.fetch,
+      })
+
+      const iterable = await s.sse('https://api.example.com/stream', {
+        headers: new Headers({ 'Content-Type': 'application/json', 'X-Custom': 'value' }),
+      })
+
+      for await (const _ of iterable) {
+        // drain
+      }
+
+      const calledHeaders = (mockFetch.mock.calls[0]![1] as RequestInit).headers as Record<
+        string,
+        string
+      >
+      expect(calledHeaders['content-type']).toBe('application/json')
+      expect(calledHeaders['x-custom']).toBe('value')
+      expect(calledHeaders.Accept).toBe('text/event-stream')
+    })
+  })
+
   describe('.close()', () => {
     test('is no-op when not opened', async () => {
       const mockFetch = vi.fn()

package/src/tempo/client/SessionManager.ts

@@ -1,5 +1,6 @@
 import type { Hex } from 'ox'
 import type { Address } from 'viem'
+
 import type * as Challenge from '../../Challenge.js'
 import * as Fetch from '../../client/internal/Fetch.js'
 import type * as Account from '../../viem/Account.js'
@@ -157,7 +158,7 @@ export function sessionManager(parameters: sessionManager.Parameters): SessionMa
       const sseInit = {
         ...fetchInit,
         headers: {
-          ...fetchInit.headers,
+          ...Fetch.normalizeHeaders(fetchInit.headers),
           Accept: 'text/event-stream',
         },
         ...(signal ? { signal } : {}),

package/src/tempo/internal/auto-swap.test.ts

@@ -1,5 +1,6 @@
 import type { Address } from 'viem'
-import { describe, expect, test } from 'vitest'
+import { describe, expect, test } from 'vp/test'
+
 import { defaultCurrencies, InsufficientFundsError, resolve } from './auto-swap.js'
 
 describe('defaultCurrencies', () => {

package/src/tempo/internal/auto-swap.ts

@@ -1,6 +1,7 @@
 import type { Address, Client } from 'viem'
 import { readContract } from 'viem/actions'
 import { Actions, Addresses } from 'viem/tempo'
+
 import * as TempoAddress from './address.js'
 import * as defaults from './defaults.js'
 

package/src/tempo/internal/defaults.test.ts

@@ -1,4 +1,5 @@
-import { describe, expect, test } from 'vitest'
+import { describe, expect, test } from 'vp/test'
+
 import {
   chainId,
   currency,

package/src/tempo/internal/fee-payer.test.ts

@@ -1,6 +1,7 @@
 import { encodeFunctionData } from 'viem'
 import { Abis, Addresses } from 'viem/tempo'
-import { describe, expect, test } from 'vitest'
+import { describe, expect, test } from 'vp/test'
+
 import { callScopes, FeePayerValidationError, validateCalls } from './fee-payer.js'
 import * as Selectors from './selectors.js'
 

package/src/tempo/internal/fee-payer.ts

@@ -2,6 +2,7 @@ import type { TempoAddress } from 'ox/tempo'
 import { TxEnvelopeTempo } from 'ox/tempo'
 import { decodeFunctionData } from 'viem'
 import { Abis, Addresses } from 'viem/tempo'
+
 import * as TempoAddress_internal from './address.js'
 import * as Selectors from './selectors.js'
 

package/src/tempo/server/Charge.test.ts

@@ -7,10 +7,11 @@ import { Handler } from 'tempo.ts/server'
 import { createClient, custom, encodeFunctionData, parseUnits } from 'viem'
 import { getTransactionReceipt, prepareTransactionRequest, signTransaction } from 'viem/actions'
 import { Abis, Account, Actions, Addresses, Secp256k1, Tick, Transaction } from 'viem/tempo'
-import { beforeAll, describe, expect, test } from 'vitest'
+import { beforeAll, describe, expect, test } from 'vp/test'
 import * as Http from '~test/Http.js'
 import { closeChannelOnChain, deployEscrow, openChannel } from '~test/tempo/session.js'
 import { accounts, asset, chain, client, fundAccount } from '~test/tempo/viem.js'
+
 import * as Store from '../../Store.js'
 import * as Attribution from '../Attribution.js'
 import { signVoucher } from '../session/Voucher.js'

package/src/tempo/server/Charge.ts

@@ -9,6 +9,7 @@ import {
 } from 'viem/actions'
 import { tempo as tempo_chain } from 'viem/chains'
 import { Abis, Transaction } from 'viem/tempo'
+
 import { PaymentExpiredError } from '../../Errors.js'
 import type { LooseOmit } from '../../internal/types.js'
 import * as Method from '../../Method.js'