mppx 0.5.7 → 0.5.8

package/src/tempo/internal/fee-payer.test.ts

@@ -2,11 +2,17 @@ import { encodeFunctionData } from 'viem'
 import { Abis, Addresses } from 'viem/tempo'
 import { describe, expect, test } from 'vp/test'
 
-import { callScopes, FeePayerValidationError, validateCalls } from './fee-payer.js'
+import {
+  callScopes,
+  FeePayerValidationError,
+  prepareSponsoredTransaction,
+  validateCalls,
+} from './fee-payer.js'
 import * as Selectors from './selectors.js'
 
 const details = { amount: '1', currency: '0x01', recipient: '0x02' }
 const bogus = '0x0000000000000000000000000000000000000001' as const
+const sponsor = { address: bogus, type: 'local' } as any
 
 describe('callScopes', () => {
   test('has 4 allowed patterns', () => {
@@ -241,3 +247,111 @@ describe('validateCalls', () => {
     ).toThrow('disallowed call pattern')
   })
 })
+
+describe('prepareSponsoredTransaction', () => {
+  const baseTransaction = {
+    accessList: [],
+    calls: [
+      {
+        data: encodeFunctionData({
+          abi: Abis.tip20,
+          functionName: 'transfer',
+          args: [bogus, 100n],
+        }),
+        to: bogus,
+      },
+    ],
+    chainId: 42431,
+    feeToken: bogus,
+    from: bogus,
+    gas: 150_000n,
+    maxFeePerGas: 1_000_000_000n,
+    maxPriorityFeePerGas: 1_000_000_000n,
+    nonce: 1n,
+    nonceKey: 1n,
+    signature: { r: 1n, s: 1n, yParity: 0 } as any,
+    validBefore: Math.floor(Date.now() / 1_000) + 300,
+  } as const
+
+  test('accepts bounded sponsored transaction fields', () => {
+    expect(() =>
+      prepareSponsoredTransaction({
+        account: sponsor,
+        chainId: 42431,
+        details,
+        expectedFeeToken: bogus,
+        transaction: baseTransaction as any,
+      }),
+    ).not.toThrow()
+  })
+
+  test('drops unknown top-level fields from the sponsored transaction', () => {
+    const sponsored = prepareSponsoredTransaction({
+      account: sponsor,
+      chainId: 42431,
+      details,
+      expectedFeeToken: bogus,
+      transaction: { ...baseTransaction, unexpectedField: 'ignored' } as any,
+    }) as Record<string, unknown>
+
+    expect(sponsored.unexpectedField).toBeUndefined()
+  })
+
+  test('error: rejects excessive maxFeePerGas', () => {
+    expect(() =>
+      prepareSponsoredTransaction({
+        account: sponsor,
+        chainId: 42431,
+        details,
+        expectedFeeToken: bogus,
+        transaction: {
+          ...baseTransaction,
+          maxFeePerGas: 200_000_000_000n,
+        } as any,
+      }),
+    ).toThrow('maxFeePerGas exceeds sponsor policy')
+  })
+
+  test('error: rejects combined gas and fee budget outside policy', () => {
+    expect(() =>
+      prepareSponsoredTransaction({
+        account: sponsor,
+        chainId: 42431,
+        details,
+        expectedFeeToken: bogus,
+        transaction: {
+          ...baseTransaction,
+          gas: 1_500_000n,
+          maxFeePerGas: 10_000_000_000n,
+        } as any,
+      }),
+    ).toThrow('total fee budget exceeds sponsor policy')
+  })
+
+  test('error: rejects mismatched feeToken', () => {
+    expect(() =>
+      prepareSponsoredTransaction({
+        account: sponsor,
+        chainId: 42431,
+        details,
+        expectedFeeToken: '0x0000000000000000000000000000000000000002',
+        transaction: baseTransaction as any,
+      }),
+    ).toThrow('feeToken is not allowed')
+  })
+
+  test('error: rejects long-lived sponsored transactions', () => {
+    expect(() =>
+      prepareSponsoredTransaction({
+        account: sponsor,
+        chainId: 42431,
+        details,
+        expectedFeeToken: bogus,
+        transaction: {
+          ...baseTransaction,
+          validBefore: Math.floor(Date.now() / 1_000) + 3_600,
+        } as any,
+      }),
+    ).toThrow('validity window exceeds sponsor policy')
+  })
+})

package/src/tempo/internal/fee-payer.ts

@@ -1,7 +1,8 @@
 import type { TempoAddress } from 'ox/tempo'
 import { TxEnvelopeTempo } from 'ox/tempo'
+import type { Account } from 'viem'
 import { decodeFunctionData } from 'viem'
-import { Abis, Addresses } from 'viem/tempo'
+import { Abis, Addresses, Transaction } from 'viem/tempo'
 
 import * as TempoAddress_internal from './address.js'
 import * as Selectors from './selectors.js'
@@ -25,6 +26,14 @@ export const callScopes = [
   [Selectors.approve, Selectors.swapExactAmountOut, Selectors.transferWithMemo],
 ]
 
+const policy = {
+  maxGas: 2_000_000n,
+  maxFeePerGas: 100_000_000_000n,
+  maxPriorityFeePerGas: 10_000_000_000n,
+  maxTotalFee: 10_000_000_000_000_000n,
+  maxValidityWindowSeconds: 15 * 60,
+} as const
+
 /** Validates that a set of transaction calls matches an allowed fee-payer pattern. */
 export function validateCalls(
   calls: readonly { data?: `0x${string}` | undefined; to?: TempoAddress.Address | undefined }[],
@@ -69,6 +78,134 @@ export function validateCalls(
     throw new FeePayerValidationError('buy target is not the DEX', details)
 }
 
+export function prepareSponsoredTransaction(parameters: {
+  account: Account
+  challengeExpires?: string | undefined
+  chainId: number
+  details: Record<string, string>
+  expectedFeeToken?: TempoAddress.Address | undefined
+  now?: Date | undefined
+  transaction: ReturnType<(typeof Transaction)['deserialize']>
+}) {
+  const {
+    account,
+    challengeExpires,
+    chainId,
+    details,
+    expectedFeeToken,
+    now = new Date(),
+    transaction,
+  } = parameters
+
+  const {
+    accessList,
+    calls,
+    chainId: transactionChainId,
+    feeToken,
+    from,
+    gas,
+    maxFeePerGas,
+    maxPriorityFeePerGas,
+    nonce,
+    nonceKey,
+    signature,
+    validAfter,
+    validBefore,
+  } = transaction
+
+  const fail = (reason: string, extra: Record<string, string> = {}) => {
+    throw new FeePayerValidationError(reason, { ...details, ...extra })
+  }
+
+  if (transactionChainId !== chainId)
+    fail('fee-sponsored transaction chainId does not match challenge', {
+      chainId: String(transactionChainId),
+    })
+
+  if (gas === undefined || gas <= 0n) fail('fee-sponsored transaction must declare gas')
+  if (gas > policy.maxGas)
+    fail('fee-sponsored transaction gas exceeds sponsor policy', {
+      gas: gas.toString(),
+    })
+
+  if (maxFeePerGas === undefined || maxFeePerGas <= 0n)
+    fail('fee-sponsored transaction must declare maxFeePerGas')
+  if (maxFeePerGas > policy.maxFeePerGas)
+    fail('fee-sponsored transaction maxFeePerGas exceeds sponsor policy', {
+      maxFeePerGas: maxFeePerGas.toString(),
+    })
+
+  const maxTotalFee = gas * maxFeePerGas
+  if (maxTotalFee > policy.maxTotalFee)
+    fail('fee-sponsored transaction total fee budget exceeds sponsor policy', {
+      gas: gas.toString(),
+      maxFeePerGas: maxFeePerGas.toString(),
+      totalFee: maxTotalFee.toString(),
+    })
+
+  if (maxPriorityFeePerGas !== undefined && maxPriorityFeePerGas > maxFeePerGas)
+    fail('fee-sponsored transaction maxPriorityFeePerGas exceeds maxFeePerGas', {
+      maxFeePerGas: maxFeePerGas.toString(),
+      maxPriorityFeePerGas: maxPriorityFeePerGas.toString(),
+    })
+  if (maxPriorityFeePerGas !== undefined && maxPriorityFeePerGas > policy.maxPriorityFeePerGas)
+    fail('fee-sponsored transaction maxPriorityFeePerGas exceeds sponsor policy', {
+      maxPriorityFeePerGas: maxPriorityFeePerGas.toString(),
+    })
+
+  if (nonceKey === undefined) fail('fee-sponsored transaction must use an expiring nonce')
+  if (validBefore === undefined)
+    fail('fee-sponsored transaction must declare validBefore for the expiring nonce')
+
+  const nowSeconds = Math.floor(now.getTime() / 1_000)
+  if (validBefore <= nowSeconds)
+    fail('fee-sponsored transaction has already expired', {
+      validBefore: String(validBefore),
+    })
+
+  const challengeExpirySeconds = challengeExpires
+    ? Math.floor(new Date(challengeExpires).getTime() / 1_000)
+    : undefined
+  const maxValidBefore = Math.min(
+    nowSeconds + policy.maxValidityWindowSeconds,
+    challengeExpirySeconds ? challengeExpirySeconds + 60 : Number.MAX_SAFE_INTEGER,
+  )
+  if (validBefore > maxValidBefore)
+    fail('fee-sponsored transaction validity window exceeds sponsor policy', {
+      validBefore: String(validBefore),
+    })
+
+  if (feeToken !== undefined) {
+    if (typeof feeToken !== 'string') fail('fee-sponsored transaction feeToken is invalid')
+    if (expectedFeeToken && !TempoAddress_internal.isEqual(feeToken, expectedFeeToken))
+      fail('fee-sponsored transaction feeToken is not allowed', {
+        feeToken,
+      })
+  }
+
+  return {
+    accessList,
+    account,
+    calls,
+    chainId: transactionChainId,
+    feePayer: account,
+    ...(feeToken ? { feeToken } : {}),
+    ...(from ? { from } : {}),
+    gas,
+    ...(nonce !== undefined ? { nonce } : {}),
+    maxFeePerGas,
+    ...(maxPriorityFeePerGas !== undefined ? { maxPriorityFeePerGas } : {}),
+    nonceKey,
+    ...(signature ? { signature } : {}),
+    type: 'tempo' as const,
+    ...(validAfter !== undefined ? { validAfter } : {}),
+    validBefore,
+  } satisfies ReturnType<(typeof Transaction)['deserialize']> & {
+    account: Account
+    feePayer: Account
+  }
+}
+
 export class FeePayerValidationError extends Error {
   override readonly name = 'FeePayerValidationError'
 

package/src/tempo/server/AtomicStore.test-d.ts

@@ -0,0 +1,34 @@
+import { expectTypeOf, test } from 'vp/test'
+
+import { tempo } from '../../server/index.js'
+import * as Store from '../../Store.js'
+
+test('tempo.charge store parameter requires AtomicStore', () => {
+  type ChargeParameters = NonNullable<Parameters<typeof tempo.charge>[0]>
+  expectTypeOf<ChargeParameters['store']>().toEqualTypeOf<Store.AtomicStore | undefined>()
+
+  const nonAtomic = Store.from({
+    get: async () => null,
+    put: async () => {},
+    delete: async () => {},
+  })
+
+  // @ts-expect-error — charge replay protection requires AtomicStore
+  tempo.charge({ store: nonAtomic })
+  tempo.charge({ store: Store.memory() })
+})
+
+test('tempo.session store parameter requires AtomicStore', () => {
+  type SessionParameters = NonNullable<Parameters<typeof tempo.session>[0]>
+  expectTypeOf<SessionParameters['store']>().toEqualTypeOf<Store.AtomicStore | undefined>()
+
+  const nonAtomic = Store.from({
+    get: async () => null,
+    put: async () => {},
+    delete: async () => {},
+  })
+
+  // @ts-expect-error — session state updates require AtomicStore
+  tempo.session({ store: nonAtomic })
+  tempo.session({ store: Store.memory() })
+})

package/src/tempo/server/Charge.test.ts

@@ -1019,6 +1019,76 @@ describe('tempo', () => {
       httpServer.close()
     })
 
+    test('behavior: rejects concurrent replay of the same transaction hash', async () => {
+      const dedupServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: Store.memory(),
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(dedupServer.charge({ amount: '1' }))(
+          req,
+          res,
+        )
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const [challengeResponse1, challengeResponse2] = await Promise.all([
+        fetch(httpServer.url),
+        fetch(httpServer.url),
+      ])
+      expect(challengeResponse1.status).toBe(402)
+      expect(challengeResponse2.status).toBe(402)
+
+      const challenge1 = Challenge.fromResponse(challengeResponse1, {
+        methods: [tempo_client.charge()],
+      })
+      const challenge2 = Challenge.fromResponse(challengeResponse2, {
+        methods: [tempo_client.charge()],
+      })
+
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge1.request.amount),
+        memo: Attribution.encode({ challengeId: challenge1.id, serverId: realm }) as Hex.Hex,
+        to: challenge1.request.recipient as Hex.Hex,
+        token: challenge1.request.currency as Hex.Hex,
+      })
+
+      const credential1 = Credential.serialize(
+        Credential.from({
+          challenge: challenge1,
+          payload: { hash: receipt.transactionHash, type: 'hash' as const },
+        }),
+      )
+      const credential2 = Credential.serialize(
+        Credential.from({
+          challenge: challenge2,
+          payload: { hash: receipt.transactionHash, type: 'hash' as const },
+        }),
+      )
+
+      const [resA, resB] = await Promise.all([
+        fetch(httpServer.url, { headers: { Authorization: credential1 } }),
+        fetch(httpServer.url, { headers: { Authorization: credential2 } }),
+      ])
+
+      expect([resA.status, resB.status].sort()).toEqual([200, 402])
+
+      httpServer.close()
+    })
+
     test('behavior: rejects malleable variants with different feePayerSignature', async () => {
       const dedupStore = Store.memory()
       const dedupServer = Mppx_server.create({
@@ -2105,6 +2175,64 @@ describe('tempo', () => {
       httpServer.close()
     })
 
+    test('behavior: rejects concurrent replay of the same proof credential', async () => {
+      const replayStore = Store.memory()
+      const server_ = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: replayStore,
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          server_.charge({ amount: '0', decimals: 6 }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+
+      const signature = await signTypedData(client, {
+        account: accounts[1],
+        domain: Proof.domain(chain.id),
+        types: Proof.types,
+        primaryType: 'Proof',
+        message: Proof.message(challenge.id),
+      })
+
+      const credential = Credential.serialize(
+        Credential.from({
+          challenge,
+          payload: { signature, type: 'proof' as const },
+          source: `did:pkh:eip155:${chain.id}:${accounts[1].address}`,
+        }),
+      )
+
+      const [resA, resB] = await Promise.all([
+        fetch(httpServer.url, { headers: { Authorization: credential } }),
+        fetch(httpServer.url, { headers: { Authorization: credential } }),
+      ])
+
+      expect([resA.status, resB.status].sort()).toEqual([200, 402])
+
+      httpServer.close()
+    })
+
     test('behavior: shared store rejects proof replay across server instances', async () => {
       const replayStore = Store.memory()
       const serverA = Mppx_server.create({