mppx 0.6.13 → 0.6.15

package/src/tempo/internal/fee-payer.ts

@@ -1,5 +1,6 @@
 import type { TempoAddress } from 'ox/tempo'
 import { TxEnvelopeTempo } from 'ox/tempo'
+import type { Hex } from 'viem'
 import type { Account } from 'viem'
 import { decodeFunctionData } from 'viem'
 import { Abis, Addresses, Transaction } from 'viem/tempo'
@@ -42,6 +43,13 @@ export type Policy = {
 // Tempo transaction fields.
 type SponsoredTransaction = ReturnType<(typeof Transaction)['deserialize']>
 
+type ExpectedTransfer = {
+  amount: string
+  allowAnyMemo?: boolean | undefined
+  memo?: Hex | undefined
+  recipient: TempoAddress.Address
+}
+
 const preservedTransactionKeys = [
   'accessList',
   'calls',
@@ -122,6 +130,10 @@ function getPolicy(chainId: number, overrides: Partial<Policy> | undefined): Pol
 export function validateCalls(
   calls: readonly { data?: `0x${string}` | undefined; to?: TempoAddress.Address | undefined }[],
   details: Record<string, string>,
+  options?: {
+    currency?: TempoAddress.Address | undefined
+    expectedTransfers?: readonly ExpectedTransfer[] | undefined
+  },
 ) {
   if (calls.length === 0)
     throw new FeePayerValidationError('disallowed call pattern in fee-payer transaction', details)
@@ -137,15 +149,19 @@ export function validateCalls(
   }
 
   const transferSelectors = callSelectors.slice(hasSwapPrefix ? 2 : 0)
+  if (transferSelectors.length === 0)
+    throw new FeePayerValidationError('disallowed call pattern in fee-payer transaction', details)
+
+  const expectedTransfers = options?.expectedTransfers
+  const transferLimit = expectedTransfers?.length ?? 11
   if (
-    transferSelectors.length === 0 ||
-    transferSelectors.length > 11 ||
+    transferSelectors.length > transferLimit ||
     transferSelectors.some(
       (selector) => selector !== Selectors.transfer && selector !== Selectors.transferWithMemo,
-    )
-  ) {
+    ) ||
+    (expectedTransfers && transferSelectors.length !== expectedTransfers.length)
+  )
     throw new FeePayerValidationError('disallowed call pattern in fee-payer transaction', details)
-  }
 
   // Bind the swap approval to the token the DEX call will actually spend.
   const buyCall = calls.find((c) => c.data?.slice(0, 10) === Selectors.swapExactAmountOut)
@@ -161,16 +177,79 @@ export function validateCalls(
   const approveCall = calls.find((c) => c.data?.slice(0, 10) === Selectors.approve)
   if (approveCall) {
     const { args } = decodeFunctionData({ abi: Abis.tip20, data: approveCall.data! })
+    const [spender, amount] = args as [`0x${string}`, bigint]
     if (!approveCall.to || (buyArgs && !TempoAddress_internal.isEqual(approveCall.to, buyArgs[0])))
       throw new FeePayerValidationError('approve target does not match swap tokenIn', details)
-    if (!TempoAddress_internal.isEqual((args as [`0x${string}`])[0]!, Addresses.stablecoinDex))
+    if (!TempoAddress_internal.isEqual(spender, Addresses.stablecoinDex))
       throw new FeePayerValidationError('approve spender is not the DEX', details)
+    if (buyArgs && amount !== buyArgs[3])
+      throw new FeePayerValidationError('approve amount does not match swap max input', details)
   }
   if (
     buyCall &&
     (!buyCall.to || !TempoAddress_internal.isEqual(buyCall.to, Addresses.stablecoinDex))
   )
     throw new FeePayerValidationError('buy target is not the DEX', details)
+
+  if (!expectedTransfers) return
+
+  const currency = options?.currency ?? (details.currency as TempoAddress.Address | undefined)
+  if (!currency) throw new FeePayerValidationError('missing payment currency', details)
+
+  if (buyArgs) {
+    const [, tokenOut, amountOut] = buyArgs
+    const expectedAmountOut = expectedTransfers.reduce(
+      (sum, transfer) => sum + BigInt(transfer.amount),
+      0n,
+    )
+    if (!TempoAddress_internal.isEqual(tokenOut, currency))
+      throw new FeePayerValidationError('swap tokenOut does not match payment currency', details)
+    if (amountOut !== expectedAmountOut)
+      throw new FeePayerValidationError('swap output does not match payment amount', details)
+  }
+
+  const transferCalls = calls.slice(hasSwapPrefix ? 2 : 0)
+  const sorted = [...expectedTransfers].sort((a, b) => {
+    if (a.memo && !b.memo) return -1
+    if (!a.memo && b.memo) return 1
+    return 0
+  })
+
+  const used = new Set<number>()
+  for (const expected of sorted) {
+    const matchIndex = transferCalls.findIndex((call, index) => {
+      if (used.has(index)) return false
+      if (!call.to || !TempoAddress_internal.isEqual(call.to, currency) || !call.data) return false
+
+      try {
+        const selector = call.data.slice(0, 10)
+        const { args } = decodeFunctionData({ abi: Abis.tip20, data: call.data })
+        if (selector === Selectors.transfer) {
+          const [recipient, amount] = args as [`0x${string}`, bigint]
+          if (!TempoAddress_internal.isEqual(recipient, expected.recipient)) return false
+          if (amount.toString() !== expected.amount) return false
+          return expected.memo === undefined
+        }
+
+        if (selector === Selectors.transferWithMemo) {
+          const [recipient, amount, memo] = args as [`0x${string}`, bigint, Hex]
+          if (!TempoAddress_internal.isEqual(recipient, expected.recipient)) return false
+          if (amount.toString() !== expected.amount) return false
+          if (expected.memo) return memo.toLowerCase() === expected.memo.toLowerCase()
+          return expected.allowAnyMemo === true
+        }
+      } catch {
+        return false
+      }
+
+      return false
+    })
+
+    if (matchIndex === -1)
+      throw new FeePayerValidationError('payment transfer does not match challenge', details)
+
+    used.add(matchIndex)
+  }
 }
 
 export function prepareSponsoredTransaction(parameters: {

package/src/tempo/server/Charge.test.ts

@@ -1579,6 +1579,104 @@ describe('tempo', () => {
       httpServer.close()
     })
 
+    test('behavior: fee payer rejects concurrent in-flight transactions from one sender', async () => {
+      let releaseSimulation!: () => void
+      let resolveSimulationStarted!: () => void
+      const simulationStarted = new Promise<void>((resolve) => {
+        resolveSimulationStarted = resolve
+      })
+      const releaseSimulationPromise = new Promise<void>((resolve) => {
+        releaseSimulation = resolve
+      })
+      let heldFirstSimulation = false
+
+      const interceptingClient = createClient({
+        account: accounts[0],
+        chain: client.chain,
+        transport: custom({
+          async request(args: any) {
+            if (args.method === 'eth_call' && !heldFirstSimulation) {
+              heldFirstSimulation = true
+              resolveSimulationStarted()
+              await releaseSimulationPromise
+            }
+            return client.transport.request(args)
+          },
+        }),
+      })
+
+      const sponsoredStore = Store.memory()
+      const serverWithSlowSimulation = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return interceptingClient
+            },
+            currency: asset,
+            account: accounts[0],
+            store: sponsoredStore,
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+
+      const mppx = Mppx_client.create({
+        polyfill: false,
+        methods: [
+          tempo_client({
+            account: accounts[1],
+            getClient() {
+              return client
+            },
+          }),
+        ],
+      })
+
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          serverWithSlowSimulation.charge({
+            feePayer: accounts[0],
+            amount: '1',
+            currency: asset,
+            recipient: accounts[0].address,
+          }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const [challengeResponse1, challengeResponse2] = await Promise.all([
+        fetch(httpServer.url),
+        fetch(httpServer.url),
+      ])
+      expect(challengeResponse1.status).toBe(402)
+      expect(challengeResponse2.status).toBe(402)
+
+      const [credential1, credential2] = await Promise.all([
+        mppx.createCredential(challengeResponse1),
+        mppx.createCredential(challengeResponse2),
+      ])
+
+      const first = fetch(httpServer.url, { headers: { Authorization: credential1 } })
+      await simulationStarted
+      const second = fetch(httpServer.url, { headers: { Authorization: credential2 } })
+
+      try {
+        const secondResponse = await second
+        expect(secondResponse.status).toBe(402)
+        const body = (await secondResponse.json()) as { detail: string }
+        expect(body.detail).toContain('Sponsored transaction from this sender is already in flight')
+      } finally {
+        releaseSimulation()
+      }
+
+      const firstResponse = await first
+      expect(firstResponse.status).toBe(200)
+
+      httpServer.close()
+    })
+
     test('behavior: fee payer with splits', async () => {
       const mppx = Mppx_client.create({
         polyfill: false,
@@ -3338,6 +3436,27 @@ describe('tempo', () => {
       })
       expect(method.defaults?.recipient).toBe(accounts[0].address)
     })
+
+    test('request keeps explicit feePayer false disabled during verification', async () => {
+      const method = tempo_server.charge({
+        getClient: () => client,
+        account: accounts[0],
+        currency: asset,
+        feePayer: accounts[0],
+      })
+
+      const normalized = await method.request!({
+        credential: { challenge: {}, payload: {} } as never,
+        request: {
+          amount: '1',
+          currency: asset,
+          decimals: 6,
+          feePayer: false,
+        },
+      } as never)
+
+      expect(normalized.feePayer).toBe(false)
+    })
   })
 
   describe('default currency resolution', () => {

package/src/tempo/server/Charge.ts

@@ -138,9 +138,10 @@ export function charge<const parameters extends charge.Parameters>(
         throw new Error(`Client not configured with chainId ${chainId}.`)
 
       const resolvedFeePayer = (() => {
+        if (request.feePayer === false) return credential ? false : undefined
         const account = typeof request.feePayer === 'object' ? request.feePayer : feePayer
-        const requested = request.feePayer !== false && (account ?? feePayer ?? feePayerUrl)
-        if (credential) return account
+        const requested = account ?? feePayer ?? feePayerUrl
+        if (credential) return account ?? (feePayerUrl ? true : undefined)
         if (requested) return true
         return undefined
       })()
@@ -167,12 +168,17 @@ export function charge<const parameters extends charge.Parameters>(
       const client = await getClient({ chainId })
 
       const { amount, methodDetails } = resolvedRequest
+      const requestAllowsFeePayer =
+        request.feePayer !== false &&
+        (request.feePayer === undefined ||
+          request.feePayer === true ||
+          typeof request.feePayer === 'object')
       const feePayerAccount =
-        typeof request.feePayer === 'object'
-          ? request.feePayer
-          : methodDetails?.feePayer === true
-            ? feePayer
-            : undefined
+        methodDetails?.feePayer === true && requestAllowsFeePayer
+          ? typeof request.feePayer === 'object'
+            ? request.feePayer
+            : feePayer
+          : undefined
       const expires = challenge.expires
       const supportedModes = methodDetails?.supportedModes as
         | readonly Methods.ChargeMode[]
@@ -292,6 +298,7 @@ export function charge<const parameters extends charge.Parameters>(
           }
 
           let releaseReservation = true
+          let sponsoredSenderReservation: { chainId: number; sender: `0x${string}` } | undefined
 
           try {
             if (!FeePayer.isTempoTransaction(serializedTransaction))
@@ -309,7 +316,10 @@ export function charge<const parameters extends charge.Parameters>(
               to?: `0x${string}` | undefined
             }[]
             const transfers = getExpectedTransfers({ amount, memo, methodDetails, recipient })
-            const isFeePayerTx = !!(feePayer || feePayerUrl) && methodDetails?.feePayer !== false
+            const isFeePayerTx =
+              methodDetails?.feePayer === true &&
+              requestAllowsFeePayer &&
+              !!(feePayerAccount || feePayerUrl)
             const matchedCalls = assertTransferCalls(calls, {
               currency,
               exactCount: isFeePayerTx,
@@ -321,8 +331,28 @@ export function charge<const parameters extends charge.Parameters>(
                 realm: challenge.realm,
               })
 
-            if (isFeePayerTx)
-              FeePayer.validateCalls(transaction.calls, { amount, currency, recipient })
+            if (isFeePayerTx) {
+              const reservationChainId = chainId ?? client.chain!.id
+              if (
+                !(await markSponsoredSenderInFlight(store, {
+                  chainId: reservationChainId,
+                  sender: transaction.from as `0x${string}`,
+                }))
+              ) {
+                throw new VerificationFailedError({
+                  reason: 'Sponsored transaction from this sender is already in flight',
+                })
+              }
+              sponsoredSenderReservation = {
+                chainId: reservationChainId,
+                sender: transaction.from as `0x${string}`,
+              }
+              FeePayer.validateCalls(
+                transaction.calls,
+                { amount, currency, recipient },
+                { currency, expectedTransfers: transfers },
+              )
+            }
 
             const expectedFeeToken = defaults.currency[chainId as keyof typeof defaults.currency]
             const resolvedFeeToken = transaction.feeToken ?? expectedFeeToken
@@ -413,6 +443,9 @@ export function charge<const parameters extends charge.Parameters>(
           } catch (error) {
             if (releaseReservation) await releaseHashUse(store, hash)
             throw error
+          } finally {
+            if (sponsoredSenderReservation)
+              await releaseSponsoredSenderInFlight(store, sponsoredSenderReservation)
           }
         }
 
@@ -698,6 +731,14 @@ function getProofStoreKey(challengeId: string): `mppx:charge:${string}` {
   return `mppx:charge:proof:${challengeId}`
 }
 
+/** @internal */
+function getSponsoredSenderStoreKey(parameters: {
+  chainId: number
+  sender: `0x${string}`
+}): `mppx:charge:${string}` {
+  return `mppx:charge:sponsor:${parameters.chainId}:${parameters.sender.toLowerCase()}`
+}
+
 async function markHashUsed(
   store: Store.AtomicStore<charge.StoreItemMap>,
   hash: `0x${string}`,
@@ -716,6 +757,25 @@ async function releaseHashUse(
   await store.delete(getHashStoreKey(hash))
 }
 
+/** @internal */
+async function markSponsoredSenderInFlight(
+  store: Store.AtomicStore<charge.StoreItemMap>,
+  parameters: { chainId: number; sender: `0x${string}` },
+): Promise<boolean> {
+  return store.update(getSponsoredSenderStoreKey(parameters), (current) => {
+    if (current !== null) return { op: 'noop', result: false }
+    return { op: 'set', value: Date.now(), result: true }
+  })
+}
+
+/** @internal */
+async function releaseSponsoredSenderInFlight(
+  store: Store.AtomicStore<charge.StoreItemMap>,
+  parameters: { chainId: number; sender: `0x${string}` },
+): Promise<void> {
+  await store.delete(getSponsoredSenderStoreKey(parameters))
+}
+
 /** @internal */
 async function markProofUsed(
   store: Store.AtomicStore<charge.StoreItemMap>,