npm - mppx - Versions diffs - 0.5.10 → 0.5.12 - Mend

mppx 0.5.10 → 0.5.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (104) hide show

package/CHANGELOG.md +14 -0
package/dist/cli/cli.d.ts.map +1 -1
package/dist/cli/cli.js +41 -16
package/dist/cli/cli.js.map +1 -1
package/dist/cli/config.d.ts +6 -4
package/dist/cli/config.d.ts.map +1 -1
package/dist/cli/config.js.map +1 -1
package/dist/cli/internal.d.ts +8 -0
package/dist/cli/internal.d.ts.map +1 -1
package/dist/cli/internal.js +33 -3
package/dist/cli/internal.js.map +1 -1
package/dist/cli/plugins/plugin.d.ts +2 -0
package/dist/cli/plugins/plugin.d.ts.map +1 -1
package/dist/cli/plugins/stripe.d.ts.map +1 -1
package/dist/cli/plugins/stripe.js +3 -0
package/dist/cli/plugins/stripe.js.map +1 -1
package/dist/cli/plugins/tempo.d.ts.map +1 -1
package/dist/cli/plugins/tempo.js +3 -0
package/dist/cli/plugins/tempo.js.map +1 -1
package/dist/client/Mppx.d.ts +10 -1
package/dist/client/Mppx.d.ts.map +1 -1
package/dist/client/Mppx.js +17 -5
package/dist/client/Mppx.js.map +1 -1
package/dist/client/Transport.d.ts +2 -0
package/dist/client/Transport.d.ts.map +1 -1
package/dist/client/Transport.js +11 -0
package/dist/client/Transport.js.map +1 -1
package/dist/client/internal/Fetch.d.ts +3 -0
package/dist/client/internal/Fetch.d.ts.map +1 -1
package/dist/client/internal/Fetch.js +65 -19
package/dist/client/internal/Fetch.js.map +1 -1
package/dist/internal/AcceptPayment.d.ts +72 -0
package/dist/internal/AcceptPayment.d.ts.map +1 -0
package/dist/internal/AcceptPayment.js +185 -0
package/dist/internal/AcceptPayment.js.map +1 -0
package/dist/mcp-sdk/client/McpClient.d.ts.map +1 -1
package/dist/mcp-sdk/client/McpClient.js +8 -4
package/dist/mcp-sdk/client/McpClient.js.map +1 -1
package/dist/server/Mppx.d.ts +1 -1
package/dist/server/Mppx.d.ts.map +1 -1
package/dist/server/Mppx.js +33 -24
package/dist/server/Mppx.js.map +1 -1
package/dist/server/Request.js +1 -1
package/dist/server/Request.js.map +1 -1
package/dist/stripe/internal/constants.d.ts +8 -0
package/dist/stripe/internal/constants.d.ts.map +1 -0
package/dist/stripe/internal/constants.js +8 -0
package/dist/stripe/internal/constants.js.map +1 -0
package/dist/stripe/server/Charge.d.ts.map +1 -1
package/dist/stripe/server/Charge.js +23 -5
package/dist/stripe/server/Charge.js.map +1 -1
package/dist/tempo/Proof.d.ts +12 -0
package/dist/tempo/Proof.d.ts.map +1 -0
package/dist/tempo/Proof.js +10 -0
package/dist/tempo/Proof.js.map +1 -0
package/dist/tempo/index.d.ts +1 -0
package/dist/tempo/index.d.ts.map +1 -1
package/dist/tempo/index.js +1 -0
package/dist/tempo/index.js.map +1 -1
package/dist/tempo/internal/fee-payer.d.ts.map +1 -1
package/dist/tempo/internal/fee-payer.js +5 -1
package/dist/tempo/internal/fee-payer.js.map +1 -1
package/dist/tempo/server/Charge.d.ts.map +1 -1
package/dist/tempo/server/Charge.js +62 -3
package/dist/tempo/server/Charge.js.map +1 -1
package/dist/tempo/server/internal/html.gen.d.ts +1 -1
package/dist/tempo/server/internal/html.gen.d.ts.map +1 -1
package/dist/tempo/server/internal/html.gen.js +1 -1
package/dist/tempo/server/internal/html.gen.js.map +1 -1
package/package.json +3 -3
package/src/cli/cli.test.ts +278 -0
package/src/cli/cli.ts +47 -16
package/src/cli/config.ts +10 -4
package/src/cli/internal.ts +59 -3
package/src/cli/plugins/plugin.ts +3 -0
package/src/cli/plugins/stripe.ts +3 -0
package/src/cli/plugins/tempo.ts +3 -0
package/src/client/Mppx.test-d.ts +33 -0
package/src/client/Mppx.test.ts +130 -1
package/src/client/Mppx.ts +35 -5
package/src/client/Transport.test.ts +88 -55
package/src/client/Transport.ts +13 -0
package/src/client/internal/Fetch.browser.test.ts +16 -13
package/src/client/internal/Fetch.test.ts +307 -10
package/src/client/internal/Fetch.ts +85 -19
package/src/internal/AcceptPayment.test.ts +211 -0
package/src/internal/AcceptPayment.ts +304 -0
package/src/mcp-sdk/client/McpClient.ts +11 -5
package/src/server/Mppx.test.ts +141 -44
package/src/server/Mppx.ts +43 -23
package/src/server/NodeListener.test.ts +78 -0
package/src/server/Request.ts +1 -1
package/src/stripe/internal/constants.ts +7 -0
package/src/stripe/server/Charge.ts +22 -4
package/src/tempo/Proof.test-d.ts +13 -0
package/src/tempo/Proof.test.ts +31 -0
package/src/tempo/Proof.ts +13 -0
package/src/tempo/client/SessionManager.test.ts +4 -7
package/src/tempo/index.ts +1 -0
package/src/tempo/internal/fee-payer.test.ts +1 -1
package/src/tempo/internal/fee-payer.ts +5 -1
package/src/tempo/server/Charge.test.ts +123 -0
package/src/tempo/server/Charge.ts +74 -1
package/src/tempo/server/internal/html.gen.ts +1 -1

package/src/tempo/server/Charge.test.ts CHANGED Viewed

@@ -25,6 +25,11 @@ import { signVoucher } from '../session/Voucher.js'
 const realm = 'api.example.com'
 const secretKey = 'test-secret-key'
+type ProofAccessKeyContext = {
+  accessKey: ReturnType<typeof Account.fromSecp256k1>
+  rootAccount: (typeof accounts)[number]
+}
 const server = Mppx_server.create({
   methods: [
     tempo_server.charge({
@@ -2114,6 +2119,124 @@ describe('tempo', () => {
       httpServer.close()
     })
+    for (const testCase of [
+      {
+        name: 'accepts proof signed by an authorized access key for the root source',
+        expectedStatus: 200,
+        async prepare({ accessKey, rootAccount }: ProofAccessKeyContext) {
+          await Actions.accessKey.authorizeSync(client, {
+            account: rootAccount,
+            accessKey,
+            feeToken: asset,
+          })
+        },
+      },
+      {
+        name: 'rejects proof signed by an unauthorized access key for the root source',
+        expectedDetail: 'Proof signature does not match source.',
+        expectedStatus: 402,
+      },
+      {
+        name: 'rejects proof signed by a revoked access key for the root source',
+        expectedDetail: 'Proof signature does not match source.',
+        expectedStatus: 402,
+        async prepare({ accessKey, rootAccount }: ProofAccessKeyContext) {
+          await Actions.accessKey.authorizeSync(client, {
+            account: rootAccount,
+            accessKey,
+            feeToken: asset,
+          })
+          await fundAccount({ address: rootAccount.address, token: asset })
+          await Actions.accessKey.revokeSync(client, {
+            account: rootAccount,
+            accessKey,
+            feeToken: asset,
+          })
+        },
+      },
+      {
+        name: 'rejects proof signed by an expired access key for the root source',
+        expectedDetail: 'Proof signature does not match source.',
+        expectedStatus: 402,
+        async prepare({ accessKey, rootAccount }: ProofAccessKeyContext) {
+          await Actions.accessKey.authorizeSync(client, {
+            account: rootAccount,
+            accessKey,
+            expiry: Math.floor(Date.now() / 1000) + 10,
+            feeToken: asset,
+          })
+          const metadata = await Actions.accessKey.getMetadata(client, {
+            account: rootAccount.address,
+            accessKey,
+          })
+          const originalNow = Date.now
+          Date.now = () => (Number(metadata.expiry) + 5) * 1000
+          return () => {
+            Date.now = originalNow
+          }
+        },
+      },
+    ] as const) {
+      test(`behavior: ${testCase.name}`, async () => {
+        const rootAccount = accounts[1]
+        const accessKey = Account.fromSecp256k1(Secp256k1.randomPrivateKey(), {
+          access: rootAccount,
+        })
+        let cleanup: (() => void) | undefined
+        let httpServer: Awaited<ReturnType<typeof Http.createServer>> | undefined
+        try {
+          const maybeCleanup = await testCase.prepare?.({ accessKey, rootAccount })
+          cleanup = typeof maybeCleanup === 'function' ? maybeCleanup : undefined
+          httpServer = await Http.createServer(async (req, res) => {
+            const result = await Mppx_server.toNodeListener(
+              server.charge({ amount: '0', decimals: 6 }),
+            )(req, res)
+            if (result.status === 402) return
+            res.end('OK')
+          })
+          const response1 = await fetch(httpServer.url)
+          expect(response1.status).toBe(402)
+          const challenge = Challenge.fromResponse(response1, {
+            methods: [tempo_client.charge()],
+          })
+          const signature = await signTypedData(client, {
+            account: accessKey,
+            domain: Proof.domain(chain.id),
+            types: Proof.types,
+            primaryType: 'Proof',
+            message: Proof.message(challenge.id),
+          })
+          const credential = Credential.from({
+            challenge,
+            payload: { signature, type: 'proof' as const },
+            source: `did:pkh:eip155:${chain.id}:${rootAccount.address}`,
+          })
+          const response2 = await fetch(httpServer.url, {
+            headers: { Authorization: Credential.serialize(credential) },
+          })
+          expect(response2.status).toBe(testCase.expectedStatus)
+          if (testCase.expectedDetail) {
+            const body = (await response2.json()) as { detail: string }
+            expect(body.detail).toContain(testCase.expectedDetail)
+          }
+        } finally {
+          cleanup?.()
+          httpServer?.close()
+        }
+      })
+    }
     test('behavior: rejects replayed proof credential when store is configured', async () => {
       const replayStore = Store.memory()
       const server_ = Mppx_server.create({

package/src/tempo/server/Charge.ts CHANGED Viewed

@@ -1,6 +1,8 @@
+import * as SignatureEnvelope from 'ox/tempo/SignatureEnvelope'
 import {
   decodeFunctionData,
   formatUnits,
+  hashTypedData,
   keccak256,
   parseEventLogs,
   type TransactionReceipt,
@@ -227,7 +229,21 @@ export function charge<const parameters extends charge.Parameters>(
             message: Proof.message(challenge.id),
             signature: payload.signature as `0x${string}`,
           })
-          if (!valid) throw new MismatchError('Proof signature does not match source.', {})
+          if (!valid) {
+            const proofSigner = recoverAuthorizedProofSigner({
+              chainId: resolvedChainId,
+              challengeId: challenge.id,
+              signature: payload.signature as `0x${string}`,
+              sourceAddress: source.address,
+            })
+            const authorized = proofSigner
+              ? await isActiveAccessKey(client, {
+                  accessKey: proofSigner,
+                  account: source.address,
+                })
+              : false
+            if (!authorized) throw new MismatchError('Proof signature does not match source.', {})
+          }
           if (proofStore && !(await markProofUsed(proofStore, challenge.id))) {
             throw new VerificationFailedError({ reason: 'Proof credential has already been used' })
@@ -651,6 +667,63 @@ async function markProofUsed(
   })
 }
+function recoverAuthorizedProofSigner(parameters: {
+  chainId: number
+  challengeId: string
+  signature: `0x${string}`
+  sourceAddress: `0x${string}`
+}): `0x${string}` | null {
+  const { chainId, challengeId, signature, sourceAddress } = parameters
+  try {
+    const envelope = SignatureEnvelope.from(signature)
+    const proofHash = hashTypedData({
+      domain: Proof.domain(chainId),
+      types: Proof.types,
+      primaryType: 'Proof',
+      message: Proof.message(challengeId),
+    })
+    if (envelope.type === 'keychain') {
+      if (!TempoAddress.isEqual(envelope.userAddress, sourceAddress)) return null
+      const keychainPayload =
+        envelope.version === 'v2'
+          ? keccak256(`0x04${proofHash.slice(2)}${sourceAddress.slice(2)}` as `0x${string}`)
+          : proofHash
+      const signer = SignatureEnvelope.extractAddress({
+        payload: keychainPayload,
+        signature: envelope.inner,
+      })
+      const valid = SignatureEnvelope.verify(envelope.inner, {
+        address: signer,
+        payload: keychainPayload,
+      })
+      if (!valid) return null
+      return signer
+    }
+    return SignatureEnvelope.extractAddress({ payload: proofHash, signature: envelope })
+  } catch {
+    return null
+  }
+}
+async function isActiveAccessKey(
+  client: Awaited<ReturnType<ReturnType<typeof Client.getResolver>>>,
+  parameters: { account: `0x${string}`; accessKey: `0x${string}` },
+): Promise<boolean> {
+  try {
+    const metadata = await Actions.accessKey.getMetadata(client, parameters)
+    const nowSeconds = BigInt(Math.floor(Date.now() / 1000))
+    return !metadata.isRevoked && metadata.expiry > nowSeconds
+  } catch {
+    return false
+  }
+}
 /** @internal */
 function toReceipt(receipt: TransactionReceipt) {
   const { status, transactionHash } = receipt