mppx 0.5.10 → 0.5.12

package/src/server/Mppx.test.ts

@@ -127,6 +127,50 @@ describe('request handler', () => {
     expect(body.detail).not.toContain('rpc.example.com')
   })
 
+  test('returns 402 when challenge ID mismatch', async () => {
+    const wrongChallenge = Challenge.from({
+      id: 'wrong-id',
+      intent: 'charge',
+      method: 'tempo',
+      realm,
+      request: { amount: '1000', currency: asset, recipient: accounts[0].address },
+    })
+    const credential = Credential.from({
+      challenge: wrongChallenge,
+      payload: { signature: '0x123', type: 'transaction' },
+    })
+
+    const request = new Request('https://example.com/resource', {
+      headers: { Authorization: Credential.serialize(credential) },
+    })
+
+    const result = await Mppx.create({ methods: [method], realm, secretKey }).charge({
+      amount: '1000',
+      currency: asset,
+      expires: new Date(Date.now() + 60_000).toISOString(),
+      recipient: accounts[0].address,
+    })(request)
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    const body = (await result.challenge.json()) as object
+    expect({
+      ...body,
+      challengeId: '[challengeId]',
+      instance: '[instance]',
+    }).toMatchInlineSnapshot(`
+      {
+        "challengeId": "[challengeId]",
+        "detail": "Challenge "wrong-id" is invalid: challenge was not issued by this server.",
+        "instance": "[instance]",
+        "status": 402,
+        "title": "Invalid Challenge",
+        "type": "https://paymentauth.org/problems/invalid-challenge",
+      }
+    `)
+  })
+
   test('captures each transport request once and threads the verified envelope additively', async () => {
     const requestMethod = Method.from({
       name: 'mock',
@@ -232,50 +276,6 @@ describe('request handler', () => {
     expect(receiptEnvelope?.challenge.id).toBe(credential.challenge.id)
   })
 
-  test('returns 402 when challenge ID mismatch', async () => {
-    const wrongChallenge = Challenge.from({
-      id: 'wrong-id',
-      intent: 'charge',
-      method: 'tempo',
-      realm,
-      request: { amount: '1000', currency: asset, recipient: accounts[0].address },
-    })
-    const credential = Credential.from({
-      challenge: wrongChallenge,
-      payload: { signature: '0x123', type: 'transaction' },
-    })
-
-    const request = new Request('https://example.com/resource', {
-      headers: { Authorization: Credential.serialize(credential) },
-    })
-
-    const result = await Mppx.create({ methods: [method], realm, secretKey }).charge({
-      amount: '1000',
-      currency: asset,
-      expires: new Date(Date.now() + 60_000).toISOString(),
-      recipient: accounts[0].address,
-    })(request)
-
-    expect(result.status).toBe(402)
-    if (result.status !== 402) throw new Error()
-
-    const body = (await result.challenge.json()) as object
-    expect({
-      ...body,
-      challengeId: '[challengeId]',
-      instance: '[instance]',
-    }).toMatchInlineSnapshot(`
-      {
-        "challengeId": "[challengeId]",
-        "detail": "Challenge "wrong-id" is invalid: challenge was not issued by this server.",
-        "instance": "[instance]",
-        "status": 402,
-        "title": "Invalid Challenge",
-        "type": "https://paymentauth.org/problems/invalid-challenge",
-      }
-    `)
-  })
-
   test('returns 402 when credential is from a different route (cross-route scope confusion)', async () => {
     const handler = Mppx.create({ methods: [method], realm, secretKey })
 
@@ -982,6 +982,103 @@ describe('compose', () => {
     expect(wwwAuth).toContain('method="beta"')
   })
 
+  test('filters compose challenges using Accept-Payment', async () => {
+    const mppx = Mppx.create({ methods: [alphaMethod, betaMethod], realm, secretKey })
+
+    const result = await mppx.compose(
+      [alphaMethod, challengeOpts],
+      [betaMethod, challengeOpts],
+    )(
+      new Request('https://example.com/resource', {
+        headers: { 'Accept-Payment': 'beta/charge' },
+      }),
+    )
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    const challenges = Challenge.fromResponseList(result.challenge)
+    expect(challenges).toHaveLength(1)
+    expect(challenges[0]?.method).toBe('beta')
+  })
+
+  test('orders compose challenges by Accept-Payment q-value', async () => {
+    const mppx = Mppx.create({ methods: [alphaMethod, betaMethod], realm, secretKey })
+
+    const result = await mppx.compose(
+      [alphaMethod, challengeOpts],
+      [betaMethod, challengeOpts],
+    )(
+      new Request('https://example.com/resource', {
+        headers: { 'Accept-Payment': 'beta/charge;q=0.9, alpha/charge;q=0.3' },
+      }),
+    )
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    const challenges = Challenge.fromResponseList(result.challenge)
+    expect(challenges.map((challenge) => challenge.method)).toEqual(['beta', 'alpha'])
+  })
+
+  test('applies a specific Accept-Payment opt-out before broader wildcards', async () => {
+    const mppx = Mppx.create({ methods: [alphaMethod, betaMethod], realm, secretKey })
+
+    const result = await mppx.compose(
+      [alphaMethod, challengeOpts],
+      [betaMethod, challengeOpts],
+    )(
+      new Request('https://example.com/resource', {
+        headers: { 'Accept-Payment': 'alpha/*;q=1, alpha/charge;q=0, beta/*;q=0.5' },
+      }),
+    )
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    const challenges = Challenge.fromResponseList(result.challenge)
+    expect(challenges).toHaveLength(1)
+    expect(challenges[0]?.method).toBe('beta')
+  })
+
+  test('falls back to all compose challenges when Accept-Payment has no matches', async () => {
+    const mppx = Mppx.create({ methods: [alphaMethod, betaMethod], realm, secretKey })
+
+    const result = await mppx.compose(
+      [alphaMethod, challengeOpts],
+      [betaMethod, challengeOpts],
+    )(
+      new Request('https://example.com/resource', {
+        headers: { 'Accept-Payment': 'gamma/charge' },
+      }),
+    )
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    const challenges = Challenge.fromResponseList(result.challenge)
+    expect(challenges.map((challenge) => challenge.method)).toEqual(['alpha', 'beta'])
+  })
+
+  test('falls back to all compose challenges when Accept-Payment is invalid', async () => {
+    const mppx = Mppx.create({ methods: [alphaMethod, betaMethod], realm, secretKey })
+
+    const result = await mppx.compose(
+      [alphaMethod, challengeOpts],
+      [betaMethod, challengeOpts],
+    )(
+      new Request('https://example.com/resource', {
+        headers: { 'Accept-Payment': 'not a valid header' },
+      }),
+    )
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    const challenges = Challenge.fromResponseList(result.challenge)
+    expect(challenges.map((challenge) => challenge.method)).toEqual(['alpha', 'beta'])
+  })
+
   test('dispatches to matching handler when credential matches alpha', async () => {
     const mppx = Mppx.create({ methods: [alphaMethod, betaMethod], realm, secretKey })
 

package/src/server/Mppx.ts

@@ -5,8 +5,9 @@ import * as Challenge from '../Challenge.js'
 import * as Credential from '../Credential.js'
 import * as Errors from '../Errors.js'
 import * as Expires from '../Expires.js'
+import * as AcceptPayment from '../internal/AcceptPayment.js'
 import * as Env from '../internal/env.js'
-import * as Method from '../Method.js'
+import type * as Method from '../Method.js'
 import * as PaymentRequest from '../PaymentRequest.js'
 import type * as Receipt from '../Receipt.js'
 import type * as z from '../zod.js'
@@ -447,22 +448,22 @@ function createMethodFn(parameters: createMethodFn.Parameters): createMethodFn.R
           withReceipt<response>(response?: response) {
             if (managementResponse) {
               return transport.respondReceipt({
+                challengeId: credential.challenge.id,
                 credential,
                 envelope,
                 input,
                 receipt: receiptData,
                 response: managementResponse as never,
-                challengeId: credential.challenge.id,
               }) as response
             }
             if (!response) throw new Error('withReceipt() requires a response argument')
             return transport.respondReceipt({
+              challengeId: credential.challenge.id,
               credential,
               envelope,
               input,
               receipt: receiptData,
               response: response as never,
-              challengeId: credential.challenge.id,
             }) as response
           },
         }
@@ -883,38 +884,58 @@ export function compose(
     // No credential — call all handlers and merge 402 challenges.
     const results = await Promise.all(handlers.map((h) => h(input)))
 
-    // Merge WWW-Authenticate headers from all 402 responses.
-    const mergedHeaders = new Headers()
-    mergedHeaders.set('Cache-Control', 'no-store')
-
-    for (const result of results) {
-      if (result.status !== 402) continue
-      const response = result.challenge as Response
-      const wwwAuth = response.headers.get('WWW-Authenticate')
-      if (wwwAuth) mergedHeaders.append('WWW-Authenticate', wwwAuth)
-    }
-
-    // Collect html-enabled handlers and their challenges
-    const htmlEntries = (() => {
+    const challengeEntries = (() => {
       const entries: {
         handler: ConfiguredHandler
         challenge: Challenge.Challenge
+        result: Extract<MethodFn.Response<Transport.Http>, { status: 402 }>
       }[] = []
+
       for (let i = 0; i < handlers.length; i++) {
-        const meta = (handlers[i] as ConfiguredHandler)._internal
-        if (!meta?.html) continue
         const result = results[i]
         if (result?.status !== 402) continue
-        const wwwAuth = result.challenge.headers.get('WWW-Authenticate')
+
+        const response = result.challenge as Response
+        const wwwAuth = response.headers.get('WWW-Authenticate')
         if (!wwwAuth) continue
+
         entries.push({
           handler: handlers[i] as ConfiguredHandler,
           challenge: Challenge.deserialize(wwwAuth),
+          result,
         })
       }
-      return entries
+
+      const acceptPayment = input.headers.get('Accept-Payment')
+      if (!acceptPayment) return entries
+
+      try {
+        const ranked = AcceptPayment.rank(
+          entries.map((entry) => entry.challenge),
+          AcceptPayment.parse(acceptPayment),
+        )
+        if (ranked.length === 0) return entries
+
+        const entriesById = new Map(entries.map((entry) => [entry.challenge.id, entry] as const))
+        return ranked.map((challenge) => entriesById.get(challenge.id)!)
+      } catch {
+        return entries
+      }
     })()
 
+    // Merge WWW-Authenticate headers from all 402 responses.
+    const mergedHeaders = new Headers()
+    mergedHeaders.set('Cache-Control', 'no-store')
+
+    for (const entry of challengeEntries) {
+      const response = entry.result.challenge as Response
+      const wwwAuth = response.headers.get('WWW-Authenticate')
+      if (wwwAuth) mergedHeaders.append('WWW-Authenticate', wwwAuth)
+    }
+
+    // Collect html-enabled handlers and their challenges
+    const htmlEntries = challengeEntries.filter((entry) => entry.handler._internal?.html)
+
     const wantsHtml = input.headers.get('Accept')?.includes('text/html')
     if (wantsHtml && htmlEntries.length > 0) {
       const { theme, text } = Html.resolveOptions(
@@ -962,10 +983,9 @@ export function compose(
 
     // Non-HTML fallback: use first handler's body
     let body: string | null = null
-    for (const result of results) {
-      if (result.status !== 402) continue
+    for (const entry of challengeEntries) {
       if (!body) {
-        const response = result.challenge as Response
+        const response = entry.result.challenge as Response
         const contentType = response.headers.get('Content-Type')
         if (contentType) mergedHeaders.set('Content-Type', contentType)
         body = await response.text()

package/src/server/NodeListener.test.ts

@@ -1,3 +1,6 @@
+import { EventEmitter } from 'node:events'
+import type { IncomingMessage, ServerResponse } from 'node:http'
+
 import { NodeListener, Request } from 'mppx/server'
 import { afterEach, describe, expect, test } from 'vp/test'
 import * as Http from '~test/Http.js'
@@ -6,6 +9,63 @@ let server: Awaited<ReturnType<typeof Http.createServer>> | undefined
 
 afterEach(() => server?.close())
 
+function createMockRequest(options: {
+  method?: string
+  url?: string
+  rawHeaders?: string[]
+}): [
+  IncomingMessage,
+  ServerResponse & { body: Buffer[]; headers?: Record<string, string | string[]> },
+] {
+  type MockResponse = ServerResponse & {
+    body: Buffer[]
+    headers?: Record<string, string | string[]>
+  }
+
+  const rawHeaders = options.rawHeaders ?? []
+  const headers = Object.fromEntries(
+    rawHeaders.reduce<[string, string][]>((acc, value, index, values) => {
+      if (index % 2 === 0 && values[index + 1]) acc.push([value.toLowerCase(), values[index + 1]!])
+      return acc
+    }, []),
+  )
+  const req = Object.assign(new EventEmitter(), {
+    method: options.method ?? 'GET',
+    url: options.url ?? '/',
+    headers,
+    rawHeaders,
+    socket: {},
+  }) as unknown as IncomingMessage
+
+  const res = Object.assign(new EventEmitter(), {
+    req,
+    body: [] as Buffer[],
+    writeHead(
+      this: MockResponse,
+      _statusCode: number,
+      statusMessageOrHeaders?: string | Record<string, string | string[]>,
+      headersMaybe?: Record<string, string | string[]>,
+    ) {
+      this.headers =
+        typeof statusMessageOrHeaders === 'string'
+          ? (headersMaybe ?? {})
+          : (statusMessageOrHeaders ?? {})
+      return this
+    },
+    write(this: MockResponse, chunk: Uint8Array | string) {
+      this.body.push(Buffer.from(chunk))
+      return true
+    },
+    end(this: MockResponse, chunk?: Uint8Array | string) {
+      if (chunk) this.body.push(Buffer.from(chunk))
+      this.emit('finish')
+      return this
+    },
+  }) as unknown as MockResponse
+
+  return [req, res]
+}
+
 describe('sendResponse', () => {
   test('writes status and headers', async () => {
     server = await Http.createServer(async (_, res) => {
@@ -185,4 +245,22 @@ describe('toNodeListener', () => {
     const response = await fetch(server.url)
     expect(await response.text()).toBe('abc')
   })
+
+  test('routes malformed host header URL parsing errors through onError', async () => {
+    const [req, res] = createMockRequest({
+      rawHeaders: ['Host', 'a, b'],
+    })
+    const onError = vi.fn((error: unknown) => {
+      return new Response(error instanceof TypeError ? 'bad host' : 'unexpected', {
+        status: 500,
+        headers: { 'Content-Type': 'text/plain' },
+      })
+    })
+    const handler = Request.toNodeListener(async () => new Response('ok'), { onError })
+
+    await expect(Promise.resolve(handler(req, res))).resolves.toBeUndefined()
+    expect(onError).toHaveBeenCalledTimes(1)
+    expect(onError.mock.calls[0]![0]).toBeInstanceOf(TypeError)
+    expect(Buffer.concat(res.body).toString()).toBe('bad host')
+  })
 })

package/src/server/Request.ts

@@ -32,9 +32,9 @@ export function toNodeListener(
     })
 
   return (async (req: IncomingMessage, res: ServerResponse) => {
-    const request = fromNodeListener(req, res, options)
     let response: Response
     try {
+      const request = fromNodeListener(req, res, options)
       response = await handler(request)
     } catch (error) {
       try {

package/src/stripe/internal/constants.ts

@@ -0,0 +1,7 @@
+/**
+ * Stripe API version with `.preview` suffix.
+ *
+ * Required for `shared_payment_granted_token` (SPTs are in private preview).
+ * Bump this when upgrading to a newer Stripe API version.
+ */
+export const stripePreviewVersion = '2026-02-25.preview'

package/src/stripe/server/Charge.ts

@@ -5,6 +5,7 @@ import type { LooseOmit, OneOf } from '../../internal/types.js'
 import * as Method from '../../Method.js'
 import type * as Html from '../../server/internal/html/config.ts'
 import type * as z from '../../zod.js'
+import { stripePreviewVersion } from '../internal/constants.js'
 import type {
   StripeClient,
   CreatePaymentMethodFromElements,
@@ -202,13 +203,16 @@ async function createWithClient(parameters: {
         // `shared_payment_granted_token` is not yet in the Stripe SDK types (SPTs are in private preview).
         shared_payment_granted_token: spt,
       } as any,
-      { idempotencyKey: `mppx_${challenge.id}_${spt}` },
+      { idempotencyKey: `mppx_${challenge.id}_${spt}`, apiVersion: stripePreviewVersion },
     )
     // https://docs.stripe.com/error-low-level#idempotency
     const replayed = result.lastResponse?.headers?.['idempotent-replayed'] === 'true'
     return { id: result.id, status: result.status, replayed }
-  } catch {
-    throw new VerificationFailedError({ reason: 'Stripe PaymentIntent failed' })
+  } catch (error) {
+    const detail = error instanceof Error ? error.message : String(error)
+    throw new VerificationFailedError({
+      reason: `Stripe PaymentIntent failed: ${detail}`,
+    })
   }
 }
 
@@ -240,11 +244,25 @@ async function createWithSecretKey(parameters: {
       Authorization: `Basic ${btoa(`${secretKey}:`)}`,
       'Content-Type': 'application/x-www-form-urlencoded',
       'Idempotency-Key': `mppx_${challenge.id}_${spt}`,
+      'Stripe-Version': stripePreviewVersion,
     },
     body,
   })
 
-  if (!response.ok) throw new VerificationFailedError({ reason: 'Stripe PaymentIntent failed' })
+  if (!response.ok) {
+    const body = await response.text().catch(() => '')
+    const detail = (() => {
+      try {
+        const parsed = JSON.parse(body) as { error?: { message?: string } }
+        return parsed.error?.message ?? body
+      } catch {
+        return body
+      }
+    })()
+    throw new VerificationFailedError({
+      reason: `Stripe PaymentIntent failed: ${detail}`,
+    })
+  }
   // https://docs.stripe.com/error-low-level#idempotency
   const replayed = response.headers.get('idempotent-replayed') === 'true'
   const result = (await response.json()) as { id: string; status: string }

package/src/tempo/Proof.test-d.ts

@@ -0,0 +1,13 @@
+import { expectTypeOf, test } from 'vp/test'
+
+import { Proof } from './index.js'
+
+test('Proof exports public proof source helpers', () => {
+  expectTypeOf(Proof.proofSource).toEqualTypeOf<
+    (parameters: { address: string; chainId: number }) => string
+  >()
+
+  expectTypeOf(Proof.parseProofSource).toEqualTypeOf<
+    (source: string) => { address: `0x${string}`; chainId: number } | null
+  >()
+})

package/src/tempo/Proof.test.ts

@@ -0,0 +1,31 @@
+import { describe, expect, test } from 'vp/test'
+
+import * as tempo from './index.js'
+
+describe('tempo.Proof', () => {
+  test('proofSource constructs a did:pkh:eip155 source', () => {
+    expect(
+      tempo.Proof.proofSource({
+        address: '0xAbCdEf1234567890AbCdEf1234567890AbCdEf12',
+        chainId: 42431,
+      }),
+    ).toBe('did:pkh:eip155:42431:0xAbCdEf1234567890AbCdEf1234567890AbCdEf12')
+  })
+
+  test('parseProofSource parses a valid did:pkh:eip155 source', () => {
+    expect(
+      tempo.Proof.parseProofSource(
+        'did:pkh:eip155:42431:0xa5cc3c03994db5b0d9ba5e4f6d2efbd9f213b141',
+      ),
+    ).toEqual({
+      address: '0xa5cc3c03994db5b0d9ba5e4f6d2efbd9f213b141',
+      chainId: 42431,
+    })
+  })
+
+  test('parseProofSource rejects invalid source values', () => {
+    expect(
+      tempo.Proof.parseProofSource('did:pkh:eip155:01:0xa5cc3c03994db5b0d9ba5e4f6d2efbd9f213b141'),
+    ).toBe(null)
+  })
+})

package/src/tempo/Proof.ts

@@ -0,0 +1,13 @@
+import type { Address } from 'viem'
+
+import * as Proof_internal from './internal/proof.js'
+
+/** Constructs the canonical `did:pkh:eip155` source DID for Tempo proof credentials. */
+export function proofSource(parameters: { address: string; chainId: number }): string {
+  return Proof_internal.proofSource(parameters)
+}
+
+/** Parses a Tempo proof credential source DID into its chain ID and wallet address. */
+export function parseProofSource(source: string): { address: Address; chainId: number } | null {
+  return Proof_internal.parseProofSource(source)
+}

package/src/tempo/client/SessionManager.test.ts

@@ -225,13 +225,10 @@ describe('Session', () => {
         // drain
       }
 
-      const calledHeaders = (mockFetch.mock.calls[0]![1] as RequestInit).headers as Record<
-        string,
-        string
-      >
-      expect(calledHeaders['content-type']).toBe('application/json')
-      expect(calledHeaders['x-custom']).toBe('value')
-      expect(calledHeaders.Accept).toBe('text/event-stream')
+      const calledHeaders = new Headers((mockFetch.mock.calls[0]![1] as RequestInit).headers)
+      expect(calledHeaders.get('content-type')).toBe('application/json')
+      expect(calledHeaders.get('x-custom')).toBe('value')
+      expect(calledHeaders.get('accept')).toBe('text/event-stream')
     })
   })
 

package/src/tempo/index.ts

@@ -1,2 +1,3 @@
+export * as Proof from './Proof.js'
 export * as Methods from './Methods.js'
 export * as Session from './session/index.js'

package/src/tempo/internal/fee-payer.test.ts

@@ -322,7 +322,7 @@ describe('prepareSponsoredTransaction', () => {
         transaction: {
           ...baseTransaction,
           gas: 1_500_000n,
-          maxFeePerGas: 10_000_000_000n,
+          maxFeePerGas: 50_000_000_000n,
         } as any,
       }),
     ).toThrow('total fee budget exceeds sponsor policy')

package/src/tempo/internal/fee-payer.ts

@@ -26,11 +26,15 @@ export const callScopes = [
   [Selectors.approve, Selectors.swapExactAmountOut, Selectors.transferWithMemo],
 ]
 
+/**
+ * maxTotalFee must be high enough to cover `transferWithMemo` and
+ * swap transactions at peak gas prices. Bumped from 0.01 ETH in #327.
+ */
 const policy = {
   maxGas: 2_000_000n,
   maxFeePerGas: 100_000_000_000n,
   maxPriorityFeePerGas: 10_000_000_000n,
-  maxTotalFee: 10_000_000_000_000_000n,
+  maxTotalFee: 50_000_000_000_000_000n,
   maxValidityWindowSeconds: 15 * 60,
 } as const