mppx 0.6.27 → 0.6.28

package/src/Store.ts

@@ -84,11 +84,55 @@ export type AtomicStore<itemMap extends StoreItemMap = StoreItemMap> = Store<
   AtomicActions<itemMap>
 >
 
+/** Options shared by store constructors. */
+export type Options = {
+  /** Prefix prepended to every backing store key. */
+  keyPrefix?: string | undefined
+}
+
+const keyPrefixCache = new WeakMap<Store, Map<string, Store | AtomicStore>>()
+
 /** Creates a {@link Store} from an existing implementation. */
-export function from<store extends Store>(store: store): store
-export function from<store extends AtomicStore>(store: store): store
-export function from(store: Store | AtomicStore) {
-  return store
+export function from<store extends AtomicStore<any>>(store: store, options?: Options): store
+export function from<store extends Store<any>>(store: store, options?: Options): store
+export function from(store: Store | AtomicStore, options?: Options) {
+  return withKeyPrefix(store, options?.keyPrefix)
+}
+
+function withKeyPrefix(store: Store | AtomicStore, keyPrefix = ''): Store | AtomicStore {
+  if (!keyPrefix) return store
+
+  const cached = keyPrefixCache.get(store)?.get(keyPrefix)
+  if (cached) return cached
+
+  const backing = store as Store
+  const prefixedKey = (key: string) => `${keyPrefix}${key}`
+  const prefixed = from({
+    async get(key: string) {
+      return backing.get(prefixedKey(key)) as Promise<unknown>
+    },
+    async put(key: string, value: unknown) {
+      await backing.put(prefixedKey(key), value)
+    },
+    async delete(key: string) {
+      await backing.delete(prefixedKey(key))
+    },
+    ...('update' in store
+      ? {
+          async update<result>(
+            key: string,
+            fn: (current: unknown | null) => Change<unknown, result>,
+          ) {
+            return (store as AtomicStore).update(prefixedKey(key), fn as never)
+          },
+        }
+      : {}),
+  } satisfies Store | AtomicStore)
+
+  const cachedByPrefix = keyPrefixCache.get(store) ?? new Map<string, Store | AtomicStore>()
+  cachedByPrefix.set(keyPrefix, prefixed)
+  keyPrefixCache.set(store, cachedByPrefix)
+  return prefixed
 }
 
 function wrapJsonUpdate(
@@ -113,26 +157,37 @@ function wrapJsonUpdate(
 }
 
 /** Wraps a Cloudflare KV namespace. */
-export function cloudflare(kv: cloudflare.AtomicParameters): AtomicStore
-export function cloudflare(kv: cloudflare.Parameters): Store
-export function cloudflare(kv: cloudflare.Parameters): Store {
-  return from({
-    async get(key) {
-      const raw = await kv.get(key)
-      if (raw == null) return null as any
-      return Json.parse(raw as string)
+export function cloudflare(
+  kv: cloudflare.AtomicParameters,
+  options?: cloudflare.Options,
+): AtomicStore
+export function cloudflare(kv: cloudflare.Parameters, options?: cloudflare.Options): Store
+export function cloudflare(kv: cloudflare.Parameters, options?: cloudflare.Options): Store {
+  return from(
+    {
+      async get(key: string) {
+        const raw = await kv.get(key)
+        if (raw == null) return null as any
+        return Json.parse(raw as string)
+      },
+      async put(key: string, value: unknown) {
+        await kv.put(key, Json.stringify(value))
+      },
+      async delete(key: string) {
+        await kv.delete(key)
+      },
+      ...wrapJsonUpdate(kv.update),
     },
-    async put(key, value) {
-      await kv.put(key, Json.stringify(value))
-    },
-    async delete(key) {
-      await kv.delete(key)
-    },
-    ...wrapJsonUpdate(kv.update),
-  })
+    options,
+  )
 }
 
 export declare namespace cloudflare {
+  export type Options = {
+    /** Prefix prepended to every backing store key. */
+    keyPrefix?: string | undefined
+  }
+
   export type Parameters = {
     get: (key: string) => Promise<unknown>
     put: (key: string, value: string) => Promise<void>
@@ -149,51 +204,69 @@ export declare namespace cloudflare {
 }
 
 /** In-memory store backed by a `Map`. JSON-roundtrips values to match production behavior. */
-export function memory(): AtomicStore {
+export function memory(options?: memory.Options): AtomicStore {
   const store = new Map<string, string>()
-  return from({
-    async get(key) {
-      const raw = store.get(key)
-      if (raw === undefined) return null as any
-      return Json.parse(raw)
+  return from(
+    {
+      async get(key: string) {
+        const raw = store.get(key)
+        if (raw === undefined) return null as any
+        return Json.parse(raw)
+      },
+      async put(key: string, value: unknown) {
+        store.set(key, Json.stringify(value))
+      },
+      async delete(key: string) {
+        store.delete(key)
+      },
+      async update<result>(key: string, fn: (current: unknown | null) => Change<unknown, result>) {
+        const current = store.has(key) ? (Json.parse(store.get(key)!) as never) : null
+        const change = fn(current)
+        if (change.op === 'set') store.set(key, Json.stringify(change.value))
+        if (change.op === 'delete') store.delete(key)
+        return change.result
+      },
     },
-    async put(key, value) {
-      store.set(key, Json.stringify(value))
-    },
-    async delete(key) {
-      store.delete(key)
-    },
-    async update(key, fn) {
-      const current = store.has(key) ? (Json.parse(store.get(key)!) as never) : null
-      const change = fn(current)
-      if (change.op === 'set') store.set(key, Json.stringify(change.value))
-      if (change.op === 'delete') store.delete(key)
-      return change.result
-    },
-  })
+    options,
+  )
+}
+
+export declare namespace memory {
+  export type Options = {
+    /** Prefix prepended to every backing store key. */
+    keyPrefix?: string | undefined
+  }
 }
 
 /** Wraps a standard Redis client (ioredis, node-redis, Valkey). */
-export function redis(client: redis.AtomicParameters): AtomicStore
-export function redis(client: redis.Parameters): Store
-export function redis(client: redis.Parameters): Store {
-  return from({
-    async get(key) {
-      const raw = await client.get(key)
-      if (raw == null) return null as any
-      return Json.parse(raw)
-    },
-    async put(key, value) {
-      await client.set(key, Json.stringify(value))
-    },
-    async delete(key) {
-      await client.del(key)
+export function redis(client: redis.AtomicParameters, options?: redis.Options): AtomicStore
+export function redis(client: redis.Parameters, options?: redis.Options): Store
+export function redis(client: redis.Parameters, options?: redis.Options): Store {
+  return from(
+    {
+      async get(key: string) {
+        const raw = await client.get(key)
+        if (raw == null) return null as any
+        return Json.parse(raw)
+      },
+      async put(key: string, value: unknown) {
+        await client.set(key, Json.stringify(value))
+      },
+      async delete(key: string) {
+        await client.del(key)
+      },
+      ...wrapJsonUpdate(client.update),
     },
-    ...wrapJsonUpdate(client.update),
-  })
+    options,
+  )
 }
 
 export declare namespace redis {
+  export type Options = {
+    /** Prefix prepended to every backing store key. */
+    keyPrefix?: string | undefined
+  }
+
   export type Parameters = {
     get: (key: string) => Promise<string | null>
     set: (key: string, value: string) => Promise<unknown>
@@ -210,28 +283,36 @@ export declare namespace redis {
 }
 
 /** Wraps an Upstash Redis instance (e.g. Vercel KV). */
-export function upstash(redis: upstash.AtomicParameters): AtomicStore
-export function upstash(redis: upstash.Parameters): Store
-export function upstash(redis: upstash.Parameters): Store {
-  return from({
-    async get(key) {
-      return (await redis.get(key)) as any
-    },
-    async put(key, value) {
-      await redis.set(key, value)
+export function upstash(redis: upstash.AtomicParameters, options?: upstash.Options): AtomicStore
+export function upstash(redis: upstash.Parameters, options?: upstash.Options): Store
+export function upstash(redis: upstash.Parameters, options?: upstash.Options): Store {
+  return from(
+    {
+      async get(key: string) {
+        return (await redis.get(key)) as any
+      },
+      async put(key: string, value: unknown) {
+        await redis.set(key, value)
+      },
+      async delete(key: string) {
+        await redis.del(key)
+      },
+      ...(redis.update
+        ? {
+            update: redis.update as Update,
+          }
+        : {}),
     },
-    async delete(key) {
-      await redis.del(key)
-    },
-    ...(redis.update
-      ? {
-          update: redis.update as Update,
-        }
-      : {}),
-  })
+    options,
+  )
 }
 
 export declare namespace upstash {
+  export type Options = {
+    /** Prefix prepended to every backing store key. */
+    keyPrefix?: string | undefined
+  }
+
   export type Parameters = {
     get: (key: string) => Promise<unknown>
     set: (key: string, value: unknown) => Promise<unknown>

package/src/proxy/internal/Headers.test.ts

@@ -98,4 +98,22 @@ describe('scrubResponse', () => {
     expect(result.statusText).toBe('Created')
     expect(await result.text()).toBe('hello')
   })
+
+  // Regression: an upstream service must never be able to issue a cookie
+  // under the proxy's origin. Otherwise a compromised or attacker-influenced
+  // upstream can session-fixate (`Set-Cookie: session=evil; Domain=…`) every
+  // sibling subdomain of the proxy. See the docblock on `scrubResponse`.
+  test('behavior: strips set-cookie so upstream cannot set cookies on proxy origin', () => {
+    const response = new Response('body', {
+      headers: [
+        ['Set-Cookie', '__Secure-session=evil; Domain=.example.com; Secure; HttpOnly'],
+        ['Set-Cookie', 'tracking=1; Path=/'],
+        ['Content-Type', 'application/json'],
+      ],
+    })
+    const result = Headers.scrubResponse(response)
+    expect(result.headers.has('set-cookie')).toBe(false)
+    expect(result.headers.getSetCookie?.() ?? []).toEqual([])
+    expect(result.headers.get('content-type')).toBe('application/json')
+  })
 })

package/src/proxy/internal/Headers.ts

@@ -29,11 +29,24 @@ export function scrub(headers: Headers): Headers {
   return scrubbed
 }
 
-/** Strips `content-encoding` and `content-length` from an upstream response so the proxy can re-stream it. */
+/**
+ * Strips re-streaming headers (`content-encoding`, `content-length`) and
+ * security-sensitive headers (`set-cookie`) from an upstream response.
+ *
+ * `set-cookie` is dropped because a paid API proxy must never let an upstream
+ * service set cookies in the user's browser under the proxy's origin. If a
+ * compromised, misbehaving, or attacker-influenced upstream returned
+ * `Set-Cookie: session=evil; Domain=.example.com`, the browser would honor it
+ * for every sibling subdomain of the proxy — turning any future path-confusion
+ * or open-redirect bug in the surrounding deployment into a session-fixation
+ * primitive. Proxied services authenticate via bearer tokens / signed
+ * payloads, never cookies, so dropping `set-cookie` is purely defensive.
+ */
 export function scrubResponse(response: Response): Response {
   const headers = new Headers(response.headers)
   headers.delete('content-encoding')
   headers.delete('content-length')
+  headers.delete('set-cookie')
   return new Response(response.body, {
     status: response.status,
     statusText: response.statusText,

package/src/stripe/server/Charge.test.ts

@@ -4,13 +4,18 @@ import { afterEach, describe, expect, test, vi } from 'vp/test'
 import * as Http from '~test/Http.js'
 
 import type { StripeClient } from '../internal/types.js'
+import type { charge as StripeCharge } from './Charge.js'
 
 const realm = 'api.example.com'
 const secretKey = 'test-secret-key'
 
 let httpServer: Awaited<ReturnType<typeof Http.createServer>> | undefined
 
-afterEach(() => httpServer?.close())
+afterEach(() => {
+  httpServer?.close()
+  httpServer = undefined
+  vi.restoreAllMocks()
+})
 
 function createMockStripeClient(
   overrides?: Partial<{ status: string; id: string; throws: boolean }>,
@@ -126,6 +131,215 @@ describe('stripe.charge with client', () => {
     expect(params.metadata.mpp_is_mpp).toBe('true')
   })
 
+  test('behavior: applies Connect settlement parameters in client call', async () => {
+    const { client, create } = createMockStripeClient()
+
+    const server = Mppx.create({
+      methods: [
+        stripe.charge({
+          client,
+          connect({ request }) {
+            expect(request.amount).toBe('100')
+            return {
+              applicationFeeAmount: 12,
+              onBehalfOf: 'acct_merchant',
+              stripeAccount: 'acct_connected',
+              transferData: { amount: 88, destination: 'acct_destination' },
+              transferGroup: 'order_123',
+            }
+          },
+          networkId: 'internal',
+          paymentMethodTypes: ['card'],
+        }),
+      ],
+      realm,
+      secretKey,
+    })
+
+    const handle = server.charge({ amount: '1', currency: 'usd', decimals: 2 })
+    const firstResult = await handle(new Request('https://example.com'))
+    expect(firstResult.status).toBe(402)
+    if (firstResult.status !== 402) throw new Error()
+
+    const challenge = Challenge.fromResponse(firstResult.challenge)
+    expect(challenge.request).not.toHaveProperty('connect')
+    expect(challenge.request.methodDetails).not.toHaveProperty('applicationFeeAmount')
+    expect(challenge.request.methodDetails).not.toHaveProperty('stripeAccount')
+
+    const credential = Credential.from({
+      challenge,
+      payload: { spt: 'spt_test_token' },
+    })
+
+    const result = await handle(
+      new Request('https://example.com', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    expect(result.status).toBe(200)
+    const [params, options] = create.mock.calls[0]!
+    expect(params).toMatchObject({
+      application_fee_amount: 12,
+      on_behalf_of: 'acct_merchant',
+      transfer_data: { amount: 88, destination: 'acct_destination' },
+      transfer_group: 'order_123',
+    })
+    expect(options).toMatchObject({ stripeAccount: 'acct_connected' })
+  })
+
+  test('behavior: applies Connect settlement parameters in secretKey call', async () => {
+    const fetchMock = vi.spyOn(globalThis, 'fetch').mockResolvedValueOnce(
+      new Response(JSON.stringify({ id: 'pi_fetch_123', status: 'succeeded' }), {
+        status: 200,
+      }),
+    )
+
+    const server = Mppx.create({
+      methods: [
+        stripe.charge({
+          connect: {
+            applicationFeeAmount: 12,
+            onBehalfOf: 'acct_merchant',
+            stripeAccount: 'acct_connected',
+            transferData: { amount: 88, destination: 'acct_destination' },
+            transferGroup: 'order_123',
+          },
+          networkId: 'internal',
+          paymentMethodTypes: ['card'],
+          secretKey,
+        }),
+      ],
+      realm,
+      secretKey,
+    })
+
+    const handle = server.charge({ amount: '1', currency: 'usd', decimals: 2 })
+    const firstResult = await handle(new Request('https://example.com'))
+    expect(firstResult.status).toBe(402)
+    if (firstResult.status !== 402) throw new Error()
+
+    const credential = Credential.from({
+      challenge: Challenge.fromResponse(firstResult.challenge),
+      payload: { spt: 'spt_test_token' },
+    })
+    const result = await handle(
+      new Request('https://example.com', {
+        headers: { Authorization: Credential.serialize(credential) },
+      }),
+    )
+
+    expect(result.status).toBe(200)
+    expect(fetchMock).toHaveBeenCalledOnce()
+    const [input, init] = fetchMock.mock.calls[0]!
+    expect(input).toBe('https://api.stripe.com/v1/payment_intents')
+    const headers = new Headers(init?.headers)
+    expect(headers.get('Stripe-Account')).toBe('acct_connected')
+    const body = init?.body as URLSearchParams
+    expect(body.get('application_fee_amount')).toBe('12')
+    expect(body.get('on_behalf_of')).toBe('acct_merchant')
+    expect(body.get('transfer_data[amount]')).toBe('88')
+    expect(body.get('transfer_data[destination]')).toBe('acct_destination')
+    expect(body.get('transfer_group')).toBe('order_123')
+  })
+
+  test('error: surfaces Connect PaymentIntent creation failures', async () => {
+    const { client } = createMockStripeClient({ throws: true })
+
+    const server = Mppx.create({
+      methods: [
+        stripe.charge({
+          client,
+          connect: { stripeAccount: 'acct_connected' },
+          networkId: 'internal',
+          paymentMethodTypes: ['card'],
+        }),
+      ],
+      realm,
+      secretKey,
+    })
+
+    httpServer = await Http.createServer(async (req, res) => {
+      const result = await Mppx.toNodeListener(
+        server.charge({ amount: '1', currency: 'usd', decimals: 2 }),
+      )(req, res)
+      if (result.status === 402) return
+      res.end('OK')
+    })
+
+    const response = await fetch(httpServer.url)
+    const challenge = Challenge.fromResponse(response)
+    const credential = Credential.from({
+      challenge,
+      payload: { spt: 'spt_test_token' },
+    })
+
+    const paidResponse = await fetch(httpServer.url, {
+      headers: { Authorization: Credential.serialize(credential) },
+    })
+    expect(paidResponse.status).toBe(402)
+    const body = (await paidResponse.json()) as { detail: string }
+    expect(body.detail).toContain('Stripe PaymentIntent failed')
+  })
+
+  const invalidConnectCases: readonly {
+    name: string
+    connect: StripeCharge.ConnectSettlement
+  }[] = [
+    { name: 'empty stripeAccount', connect: { stripeAccount: '' } },
+    { name: 'fee exceeds amount', connect: { applicationFeeAmount: 101 } },
+    { name: 'negative fee', connect: { applicationFeeAmount: -1 } },
+    {
+      name: 'empty transfer destination',
+      connect: { transferData: { destination: '' } },
+    },
+    {
+      name: 'missing transfer destination',
+      connect: { transferData: {} } as StripeCharge.ConnectSettlement,
+    },
+    {
+      name: 'transfer amount exceeds amount',
+      connect: { transferData: { amount: 101, destination: 'acct_destination' } },
+    },
+  ]
+
+  for (const { connect, name } of invalidConnectCases) {
+    test(`error: rejects invalid Connect settlement parameters (${name})`, async () => {
+      const { client, create } = createMockStripeClient()
+
+      const server = Mppx.create({
+        methods: [
+          stripe.charge({
+            client,
+            connect,
+            networkId: 'internal',
+            paymentMethodTypes: ['card'],
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+
+      const handle = server.charge({ amount: '1', currency: 'usd', decimals: 2 })
+      const firstResult = await handle(new Request('https://example.com'))
+      expect(firstResult.status).toBe(402)
+      if (firstResult.status !== 402) throw new Error()
+
+      const credential = Credential.from({
+        challenge: Challenge.fromResponse(firstResult.challenge),
+        payload: { spt: 'spt_test_token' },
+      })
+      const result = await handle(
+        new Request('https://example.com', {
+          headers: { Authorization: Credential.serialize(credential) },
+        }),
+      )
+
+      expect(result.status).toBe(402)
+      expect(create).not.toHaveBeenCalled()
+    })
+  }
+
   test('behavior: rejects when client throws', async () => {
     const { client } = createMockStripeClient({ throws: true })