npm - mppx - Versions diffs - 0.6.12 → 0.6.14 - Mend

mppx 0.6.12 → 0.6.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (65) hide show

package/CHANGELOG.md +14 -0
package/dist/cli/plugins/tempo.d.ts.map +1 -1
package/dist/cli/plugins/tempo.js +24 -1
package/dist/cli/plugins/tempo.js.map +1 -1
package/dist/middlewares/express.d.ts.map +1 -1
package/dist/middlewares/express.js +22 -0
package/dist/middlewares/express.js.map +1 -1
package/dist/tempo/client/SessionManager.d.ts.map +1 -1
package/dist/tempo/client/SessionManager.js +26 -1
package/dist/tempo/client/SessionManager.js.map +1 -1
package/dist/tempo/internal/fee-payer.d.ts +11 -1
package/dist/tempo/internal/fee-payer.d.ts.map +1 -1
package/dist/tempo/internal/fee-payer.js +71 -6
package/dist/tempo/internal/fee-payer.js.map +1 -1
package/dist/tempo/server/Charge.d.ts.map +1 -1
package/dist/tempo/server/Charge.js +53 -10
package/dist/tempo/server/Charge.js.map +1 -1
package/dist/tempo/server/Session.d.ts.map +1 -1
package/dist/tempo/server/Session.js +80 -29
package/dist/tempo/server/Session.js.map +1 -1
package/dist/tempo/server/internal/html.gen.d.ts +1 -1
package/dist/tempo/server/internal/html.gen.d.ts.map +1 -1
package/dist/tempo/server/internal/html.gen.js +1 -1
package/dist/tempo/server/internal/html.gen.js.map +1 -1
package/dist/tempo/server/internal/request-body.d.ts +1 -1
package/dist/tempo/server/internal/request-body.d.ts.map +1 -1
package/dist/tempo/server/internal/request-body.js +3 -0
package/dist/tempo/server/internal/request-body.js.map +1 -1
package/dist/tempo/server/internal/transport.d.ts +7 -0
package/dist/tempo/server/internal/transport.d.ts.map +1 -1
package/dist/tempo/server/internal/transport.js +16 -0
package/dist/tempo/server/internal/transport.js.map +1 -1
package/dist/tempo/session/Chain.d.ts +1 -0
package/dist/tempo/session/Chain.d.ts.map +1 -1
package/dist/tempo/session/Chain.js +28 -11
package/dist/tempo/session/Chain.js.map +1 -1
package/dist/tempo/session/ChannelStore.d.ts.map +1 -1
package/dist/tempo/session/ChannelStore.js +6 -0
package/dist/tempo/session/ChannelStore.js.map +1 -1
package/dist/tempo/session/Sse.d.ts +1 -0
package/dist/tempo/session/Sse.d.ts.map +1 -1
package/dist/tempo/session/Sse.js +34 -12
package/dist/tempo/session/Sse.js.map +1 -1
package/package.json +1 -1
package/src/cli/plugins/tempo.ts +28 -1
package/src/middlewares/express.test.ts +27 -0
package/src/middlewares/express.ts +24 -0
package/src/tempo/client/SessionManager.ts +26 -1
package/src/tempo/internal/fee-payer.test.ts +139 -0
package/src/tempo/internal/fee-payer.ts +85 -6
package/src/tempo/server/Charge.test.ts +119 -0
package/src/tempo/server/Charge.ts +70 -10
package/src/tempo/server/Session.test.ts +327 -0
package/src/tempo/server/Session.ts +91 -39
package/src/tempo/server/internal/html.gen.ts +1 -1
package/src/tempo/server/internal/request-body.test.ts +26 -0
package/src/tempo/server/internal/request-body.ts +4 -1
package/src/tempo/server/internal/transport.test.ts +28 -2
package/src/tempo/server/internal/transport.ts +23 -0
package/src/tempo/session/Chain.test.ts +140 -1
package/src/tempo/session/Chain.ts +34 -10
package/src/tempo/session/ChannelStore.test.ts +21 -0
package/src/tempo/session/ChannelStore.ts +6 -0
package/src/tempo/session/Sse.test.ts +52 -0
package/src/tempo/session/Sse.ts +22 -2

package/src/tempo/server/Charge.ts CHANGED Viewed

@@ -138,9 +138,10 @@ export function charge<const parameters extends charge.Parameters>(
         throw new Error(`Client not configured with chainId ${chainId}.`)
       const resolvedFeePayer = (() => {
+        if (request.feePayer === false) return credential ? false : undefined
         const account = typeof request.feePayer === 'object' ? request.feePayer : feePayer
-        const requested = request.feePayer !== false && (account ?? feePayer ?? feePayerUrl)
-        if (credential) return account
+        const requested = account ?? feePayer ?? feePayerUrl
+        if (credential) return account ?? (feePayerUrl ? true : undefined)
         if (requested) return true
         return undefined
       })()
@@ -167,12 +168,17 @@ export function charge<const parameters extends charge.Parameters>(
       const client = await getClient({ chainId })
       const { amount, methodDetails } = resolvedRequest
+      const requestAllowsFeePayer =
+        request.feePayer !== false &&
+        (request.feePayer === undefined ||
+          request.feePayer === true ||
+          typeof request.feePayer === 'object')
       const feePayerAccount =
-        typeof request.feePayer === 'object'
-          ? request.feePayer
-          : methodDetails?.feePayer === true
-            ? feePayer
-            : undefined
+        methodDetails?.feePayer === true && requestAllowsFeePayer
+          ? typeof request.feePayer === 'object'
+            ? request.feePayer
+            : feePayer
+          : undefined
       const expires = challenge.expires
       const supportedModes = methodDetails?.supportedModes as
         | readonly Methods.ChargeMode[]
@@ -292,6 +298,7 @@ export function charge<const parameters extends charge.Parameters>(
           }
           let releaseReservation = true
+          let sponsoredSenderReservation: { chainId: number; sender: `0x${string}` } | undefined
           try {
             if (!FeePayer.isTempoTransaction(serializedTransaction))
@@ -309,7 +316,10 @@ export function charge<const parameters extends charge.Parameters>(
               to?: `0x${string}` | undefined
             }[]
             const transfers = getExpectedTransfers({ amount, memo, methodDetails, recipient })
-            const isFeePayerTx = !!(feePayer || feePayerUrl) && methodDetails?.feePayer !== false
+            const isFeePayerTx =
+              methodDetails?.feePayer === true &&
+              requestAllowsFeePayer &&
+              !!(feePayerAccount || feePayerUrl)
             const matchedCalls = assertTransferCalls(calls, {
               currency,
               exactCount: isFeePayerTx,
@@ -321,8 +331,28 @@ export function charge<const parameters extends charge.Parameters>(
                 realm: challenge.realm,
               })
-            if (isFeePayerTx)
-              FeePayer.validateCalls(transaction.calls, { amount, currency, recipient })
+            if (isFeePayerTx) {
+              const reservationChainId = chainId ?? client.chain!.id
+              if (
+                !(await markSponsoredSenderInFlight(store, {
+                  chainId: reservationChainId,
+                  sender: transaction.from as `0x${string}`,
+                }))
+              ) {
+                throw new VerificationFailedError({
+                  reason: 'Sponsored transaction from this sender is already in flight',
+                })
+              }
+              sponsoredSenderReservation = {
+                chainId: reservationChainId,
+                sender: transaction.from as `0x${string}`,
+              }
+              FeePayer.validateCalls(
+                transaction.calls,
+                { amount, currency, recipient },
+                { currency, expectedTransfers: transfers },
+              )
+            }
             const expectedFeeToken = defaults.currency[chainId as keyof typeof defaults.currency]
             const resolvedFeeToken = transaction.feeToken ?? expectedFeeToken
@@ -413,6 +443,9 @@ export function charge<const parameters extends charge.Parameters>(
           } catch (error) {
             if (releaseReservation) await releaseHashUse(store, hash)
             throw error
+          } finally {
+            if (sponsoredSenderReservation)
+              await releaseSponsoredSenderInFlight(store, sponsoredSenderReservation)
           }
         }
@@ -698,6 +731,14 @@ function getProofStoreKey(challengeId: string): `mppx:charge:${string}` {
   return `mppx:charge:proof:${challengeId}`
 }
+/** @internal */
+function getSponsoredSenderStoreKey(parameters: {
+  chainId: number
+  sender: `0x${string}`
+}): `mppx:charge:${string}` {
+  return `mppx:charge:sponsor:${parameters.chainId}:${parameters.sender.toLowerCase()}`
+}
 async function markHashUsed(
   store: Store.AtomicStore<charge.StoreItemMap>,
   hash: `0x${string}`,
@@ -716,6 +757,25 @@ async function releaseHashUse(
   await store.delete(getHashStoreKey(hash))
 }
+/** @internal */
+async function markSponsoredSenderInFlight(
+  store: Store.AtomicStore<charge.StoreItemMap>,
+  parameters: { chainId: number; sender: `0x${string}` },
+): Promise<boolean> {
+  return store.update(getSponsoredSenderStoreKey(parameters), (current) => {
+    if (current !== null) return { op: 'noop', result: false }
+    return { op: 'set', value: Date.now(), result: true }
+  })
+}
+/** @internal */
+async function releaseSponsoredSenderInFlight(
+  store: Store.AtomicStore<charge.StoreItemMap>,
+  parameters: { chainId: number; sender: `0x${string}` },
+): Promise<void> {
+  await store.delete(getSponsoredSenderStoreKey(parameters))
+}
 /** @internal */
 async function markProofUsed(
   store: Store.AtomicStore<charge.StoreItemMap>,

package/src/tempo/server/Session.test.ts CHANGED Viewed

@@ -11,6 +11,7 @@ import { Base64, Secp256k1 } from 'ox'
 import {
   type Address,
   createClient,
+  custom,
   type Hex,
   parseSignature,
   serializeCompactSignature,
@@ -258,6 +259,54 @@ describe.runIf(isLocalnet)('session', () => {
       ).rejects.toThrow('invalid voucher signature')
     })
+    test('rejects sponsored open with invalid voucher before broadcasting', async () => {
+      const rpcMethods: string[] = []
+      const interceptingClient = createClient({
+        account: recipientAccount,
+        chain,
+        transport: custom({
+          async request(args: any) {
+            rpcMethods.push(args.method)
+            return client.transport.request(args)
+          },
+        }),
+      })
+      const salt = nextSalt()
+      const { channelId, serializedTransaction } = await signOpenChannel({
+        escrow: escrowContract,
+        payer,
+        payee: recipient,
+        token: currency,
+        deposit: 10000000n,
+        salt,
+        feePayer: true,
+      })
+      const server = createServer({
+        feePayer: recipientAccount,
+        getClient: () => interceptingClient,
+      })
+      await expect(
+        server.verify({
+          credential: {
+            challenge: makeChallenge({ channelId }),
+            payload: {
+              action: 'open' as const,
+              type: 'transaction' as const,
+              channelId,
+              transaction: serializedTransaction,
+              cumulativeAmount: '1000000',
+              signature: `0x${'ab'.repeat(65)}` as Hex,
+            },
+          },
+          request: makeRequest({ feePayer: true }),
+        }),
+      ).rejects.toThrow('invalid voucher signature')
+      expect(rpcMethods).not.toContain('eth_sendRawTransactionSync')
+    })
     test('reopen existing channel with higher voucher updates state', async () => {
       const { channelId, serializedTransaction } = await createSignedOpenTransaction(10000000n)
       const server = createServer()
@@ -2083,6 +2132,10 @@ describe.runIf(isLocalnet)('session', () => {
       ).rejects.toThrow(
         `Cannot close channel ${channelId}: tx sender ${rawAccessKey.address} is not the channel payee ${recipientAccount.address}. If using an access key, pass a Tempo access-key account whose address is the payee wallet, not the raw delegated key address.`,
       )
+      const persisted = await store.getChannel(channelId)
+      expect(persisted?.closeRequestedAt).toBe(0n)
+      expect(persisted?.finalized).toBe(false)
     })
     test('sessionManager.close surfaces problem details from HTTP close failures', async () => {
@@ -2646,6 +2699,77 @@ describe.runIf(isLocalnet)('session', () => {
       expect(channel?.highestVoucherAmount).toBe(5000000n)
       expect(channel?.spent).toBe(0n)
     })
+    test('close marks the channel pending before on-chain close so concurrent charges fail', async () => {
+      const baseStore = Store.memory()
+      let pendingChargeError: unknown
+      let probedPendingClose = false
+      const probingStore = Store.from<Store.AtomicStore>({
+        get: (key) => baseStore.get(key),
+        put: (key, value) => baseStore.put(key, value),
+        delete: (key) => baseStore.delete(key),
+        async update(key, fn) {
+          const result = await baseStore.update(key, fn)
+          const current = await baseStore.get(key)
+          if (
+            current &&
+            typeof current === 'object' &&
+            'closeRequestedAt' in current &&
+            (current as ChannelStore.State).closeRequestedAt !== 0n &&
+            !(current as ChannelStore.State).finalized &&
+            !probedPendingClose
+          ) {
+            probedPendingClose = true
+            try {
+              await charge(ChannelStore.fromStore(probingStore), channelId, 1000000n)
+            } catch (error) {
+              pendingChargeError = error
+            }
+          }
+          return result
+        },
+      })
+      const probedStore = ChannelStore.fromStore(baseStore)
+      const server = createServerWithStore(probingStore)
+      const { channelId, serializedTransaction } = await createSignedOpenTransaction(10000000n)
+      await server.verify({
+        credential: {
+          challenge: makeChallenge({ id: 'open-before-pending-close', channelId }),
+          payload: {
+            action: 'open' as const,
+            type: 'transaction' as const,
+            channelId,
+            transaction: serializedTransaction,
+            cumulativeAmount: '3000000',
+            signature: await signTestVoucher(channelId, 3000000n),
+          },
+        },
+        request: makeRequest(),
+      })
+      await charge(probedStore, channelId, 1000000n)
+      const receipt = await server.verify({
+        credential: {
+          challenge: makeChallenge({ id: 'pending-close', channelId }),
+          payload: {
+            action: 'close' as const,
+            channelId,
+            cumulativeAmount: '3000000',
+            signature: await signTestVoucher(channelId, 3000000n),
+          },
+        },
+        request: makeRequest(),
+      })
+      expect(receipt.status).toBe('success')
+      expect(probedPendingClose).toBe(true)
+      expect(pendingChargeError).toBeInstanceOf(ChannelClosedError)
+      expect((pendingChargeError as Error).message).toContain('pending close request')
+    })
   })
   describe('fault tolerance', () => {
@@ -3220,6 +3344,47 @@ describe.runIf(isLocalnet)('session', () => {
       expect(persisted?.finalized).toBe(true)
     })
+    test('sessionManager rejects receipts that exceed the locally signed voucher', async () => {
+      const handler = createHandler()
+      const route = handler.session({
+        amount: '1',
+        decimals: 6,
+        unitType: 'token',
+      })
+      const fetch = async (input: RequestInfo | URL, init?: RequestInit) => {
+        const request = new Request(input, init)
+        const result = await route(request)
+        if (result.status === 402) return result.challenge
+        const response = result.withReceipt(new Response('ok'))
+        const receipt = deserializeSessionReceipt(response.headers.get('Payment-Receipt')!)
+        return new Response(response.body, {
+          status: response.status,
+          statusText: response.statusText,
+          headers: {
+            'Payment-Receipt': serializeSessionReceipt({
+              ...receipt,
+              acceptedCumulative: '3000000',
+              spent: '3000000',
+            }),
+          },
+        })
+      }
+      const manager = sessionManager({
+        account: payer,
+        client,
+        escrowContract,
+        fetch,
+        maxDeposit: '3',
+      })
+      await expect(manager.fetch('https://api.example.com/resource')).rejects.toThrow(
+        'receipt accepted cumulative exceeds local voucher state',
+      )
+    })
     test('does not return Payment-Receipt on verification errors', async () => {
       const { channelId, serializedTransaction } = await createSignedOpenTransaction(10000000n)
       const handler = createHandler()
@@ -3469,6 +3634,79 @@ describe.runIf(isLocalnet)('session', () => {
       expect(replay.headers.get('Payment-Receipt')).toBeNull()
     })
+    test('default HTTP bodyless POST query flow charges instead of treating voucher as management', async () => {
+      const { channelId, serializedTransaction } = await createSignedOpenTransaction(10000000n)
+      const signature = await signTestVoucher(channelId, 1000000n)
+      const handler = createHandler()
+      const route = handler.session({
+        amount: '1',
+        decimals: 6,
+        unitType: 'token',
+      })
+      const first = await route(
+        new Request('https://api.example.com/search?q=paid', {
+          method: 'POST',
+        }),
+      )
+      expect(first.status).toBe(402)
+      if (first.status !== 402) throw new Error('expected challenge')
+      const open = await route(
+        new Request('https://api.example.com/search?q=paid', {
+          method: 'POST',
+          headers: {
+            Authorization: Credential.serialize({
+              challenge: Challenge.fromResponse(first.challenge),
+              payload: {
+                action: 'open',
+                type: 'transaction',
+                channelId,
+                transaction: serializedTransaction,
+                cumulativeAmount: '1000000',
+                signature,
+              },
+            }),
+          },
+        }),
+      )
+      expect(open.status).toBe(200)
+      if (open.status !== 200) throw new Error('expected paid response')
+      const paid = open.withReceipt(new Response('query-result'))
+      expect(await paid.text()).toBe('query-result')
+      const receipt = deserializeSessionReceipt(paid.headers.get('Payment-Receipt') as string)
+      expect(receipt.spent).toBe('1000000')
+      expect(receipt.units).toBe(1)
+      const replayChallenge = await route(
+        new Request('https://api.example.com/search?q=paid', {
+          method: 'POST',
+        }),
+      )
+      expect(replayChallenge.status).toBe(402)
+      if (replayChallenge.status !== 402) throw new Error('expected challenge')
+      const replay = await route(
+        new Request('https://api.example.com/search?q=paid', {
+          method: 'POST',
+          headers: {
+            Authorization: Credential.serialize({
+              challenge: Challenge.fromResponse(replayChallenge.challenge),
+              payload: {
+                action: 'voucher',
+                channelId,
+                cumulativeAmount: '1000000',
+                signature,
+              },
+            }),
+          },
+        }),
+      )
+      expect(replay.status).toBe(402)
+      if (replay.status !== 402) throw new Error('expected challenge')
+      expect(replay.challenge.headers.get('Payment-Receipt')).toBeNull()
+    })
     test('converts amount/suggestedDeposit/minVoucherDelta with decimals=18', async () => {
       const handler = createHandler()
       const route = handler.session({
@@ -4245,6 +4483,89 @@ describe.runIf(isLocalnet)('session', () => {
       expect(persisted?.finalized).toBe(true)
     })
+    test('plain-response SSE fallback precharges before running concurrent paid handlers', async () => {
+      const backingStore = Store.memory()
+      const route = Mppx_server.create({
+        methods: [
+          tempo_server.session({
+            store: backingStore,
+            getClient: () => client,
+            account: recipientAccount,
+            currency,
+            escrowContract,
+            chainId: chain.id,
+            sse: true,
+          }),
+        ],
+        realm: 'api.example.com',
+        secretKey: 'secret',
+      }).session({ amount: '1', decimals: 6, unitType: 'token' })
+      const { channelId, serializedTransaction } = await createSignedOpenTransaction(10000000n)
+      const openChallenge = await route(new Request('https://api.example.com/fallback'))
+      expect(openChallenge.status).toBe(402)
+      if (openChallenge.status !== 402) throw new Error('expected challenge')
+      const openResult = await route(
+        new Request('https://api.example.com/fallback', {
+          method: 'POST',
+          headers: {
+            Authorization: Credential.serialize({
+              challenge: Challenge.fromResponse(openChallenge.challenge),
+              payload: {
+                action: 'open',
+                type: 'transaction',
+                channelId,
+                transaction: serializedTransaction,
+                cumulativeAmount: '1000000',
+                signature: await signTestVoucher(channelId, 1000000n),
+              },
+            }),
+          },
+        }),
+      )
+      expect(openResult.status).toBe(200)
+      if (openResult.status !== 200) throw new Error('expected open response')
+      expect(openResult.withReceipt().status).toBe(204)
+      const replayChallenge = await route(new Request('https://api.example.com/fallback'))
+      expect(replayChallenge.status).toBe(402)
+      if (replayChallenge.status !== 402) throw new Error('expected challenge')
+      const authorization = Credential.serialize({
+        challenge: Challenge.fromResponse(replayChallenge.challenge),
+        payload: {
+          action: 'voucher',
+          channelId,
+          cumulativeAmount: '1000000',
+          signature: await signTestVoucher(channelId, 1000000n),
+        },
+      })
+      let handlerRuns = 0
+      const serve = async () => {
+        const result = await route(
+          new Request('https://api.example.com/fallback', {
+            headers: { Authorization: authorization },
+          }),
+        )
+        if (result.status === 402) return result.challenge
+        handlerRuns++
+        return result.withReceipt(new Response('paid-fallback'))
+      }
+      const [first, second] = await Promise.all([serve(), serve()])
+      const statuses = [first.status, second.status].sort()
+      expect(statuses).toEqual([200, 402])
+      expect(handlerRuns).toBe(1)
+      const persisted = await ChannelStore.fromStore(backingStore).getChannel(channelId)
+      expect(persisted?.spent).toBe(1000000n)
+      expect(persisted?.units).toBe(1)
+    })
     test('handles repeated exhaustion/resume cycles within one stream', async () => {
       const backingStore = Store.memory()
       const routeHandler = Mppx_server.create({
@@ -5437,6 +5758,12 @@ describe('session request and verify guardrails', () => {
       request: makeRequest({ feePayer: false }),
     } as never)
     expect(normalized.feePayer).toBeUndefined()
+    const verificationRequest = await server.request!({
+      credential: { challenge: {}, payload: {} } as never,
+      request: makeRequest({ feePayer: false }),
+    } as never)
+    expect(verificationRequest.feePayer).toBe(false)
   })
   test('request leaves escrowContract undefined when chain has no configured default', async () => {