mppx 0.6.28 → 0.6.30

package/src/proxy/internal/Headers.ts

@@ -9,6 +9,17 @@ const hopByHopHeaders = new Set([
   'trailer',
 ])
 
+// Payment credentials are consumed by the proxy and must never reach upstream services.
+const paymentHeaders = new Set([
+  'accept-payment',
+  'authorization',
+  'payment-receipt',
+  'payment-required',
+  'payment-response',
+  'payment-signature',
+  'www-authenticate',
+])
+
 /** Strips hop-by-hop, auth, encoding, cookie, and forwarding headers from a request before proxying upstream. */
 export function scrub(headers: Headers): Headers {
   const scrubbed = new Headers()
@@ -16,7 +27,7 @@ export function scrub(headers: Headers): Headers {
   for (const [name, value] of headers) {
     const lower = name.toLowerCase()
 
-    if (lower === 'authorization') continue
+    if (paymentHeaders.has(lower)) continue
     if (lower === 'accept-encoding') continue
     if (lower === 'content-length') continue
     if (lower === 'cookie') continue

package/src/proxy/services/openai.test.ts

@@ -35,8 +35,64 @@ const mppx_client = Mppx_client.create({
 })
 
 let proxyServer: Awaited<ReturnType<typeof Http.createServer>> | undefined
+let upstreamServer: Awaited<ReturnType<typeof Http.createServer>> | undefined
 
-afterEach(() => proxyServer?.close())
+afterEach(() => {
+  proxyServer?.close()
+  upstreamServer?.close()
+})
+
+describe('openai', () => {
+  test('security: strips caller-supplied OpenAI tenant headers before proxying', async () => {
+    upstreamServer = await Http.createServer((req, res) => {
+      res.writeHead(200, { 'Content-Type': 'application/json' })
+      res.end(
+        JSON.stringify({
+          headers: {
+            authorization: req.headers.authorization,
+            organization: req.headers['openai-organization'],
+            project: req.headers['openai-project'],
+          },
+        }),
+      )
+    })
+
+    const proxy = ApiProxy.create({
+      services: [
+        openai({
+          apiKey: 'sk-test',
+          baseUrl: upstreamServer.url,
+          routes: {
+            'POST /v1/chat/completions': true,
+          },
+        }),
+      ],
+    })
+    proxyServer = await Http.createServer(proxy.listener)
+
+    const res = await fetch(`${proxyServer.url}/openai/v1/chat/completions`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'OpenAI-Organization': 'org_attacker',
+        'OpenAI-Project': 'proj_attacker',
+      },
+      body: '{}',
+    })
+    expect(res.status).toBe(200)
+
+    const body = (await res.json()) as {
+      headers: {
+        authorization: string
+        organization?: string | string[] | undefined
+        project?: string | string[] | undefined
+      }
+    }
+    expect(body.headers.authorization).toBe('Bearer sk-test')
+    expect(body.headers.organization).toBeUndefined()
+    expect(body.headers.project).toBeUndefined()
+  })
+})
 
 describe.skipIf(!apiKey)('openai', () => {
   test('behavior: proxies GET /v1/models with charge', async () => {

package/src/proxy/services/openai.ts

@@ -29,6 +29,8 @@ export function openai(config: openai.Config) {
     },
     rewriteRequest(request, ctx) {
       const apiKey = ctx.apiKey ?? config.apiKey
+      request.headers.delete('OpenAI-Organization')
+      request.headers.delete('OpenAI-Project')
       request.headers.set('Authorization', `Bearer ${apiKey}`)
       return request
     },

package/src/server/Methods.ts

@@ -1,2 +1,3 @@
+export { evm } from '../evm/server/index.js'
 export { stripe } from '../stripe/server/index.js'
 export { tempo } from '../tempo/server/index.js'

package/src/server/Mppx.test.ts

@@ -6,7 +6,9 @@ import {
   session as tempo_session_client,
   tempo as tempo_client,
 } from 'mppx/client'
-import { Mppx, stripe, Store, Transport, tempo } from 'mppx/server'
+import { Types as evm_Types } from 'mppx/evm'
+import { evm, Mppx, stripe, Store, Transport, tempo } from 'mppx/server'
+import { Header as x402_Header, Types as x402_Types, type PaymentPayload } from 'mppx/x402'
 import { getTransactionReceipt } from 'viem/actions'
 import { describe, expect, test } from 'vp/test'
 import * as Http from '~test/Http.js'
@@ -14,6 +16,7 @@ import { deployEscrow } from '~test/tempo/session.js'
 import { accounts, asset, client } from '~test/tempo/viem.js'
 
 import type { SessionReceipt } from '../tempo/session/Types.js'
+import * as x402_RouteBinding from '../x402/internal/RouteBinding.js'
 
 const realm = 'api.example.com'
 const secretKey = 'test-secret-key'
@@ -1855,6 +1858,29 @@ describe('compose', () => {
     },
   })
 
+  const x402Method = evm.charge({
+    currency: evm.assets.baseSepolia.USDC,
+    recipient: accounts[0].address,
+    x402: {
+      facilitator: {
+        async verify(paymentPayload: PaymentPayload) {
+          return {
+            isValid: true,
+            payer: payerOf(paymentPayload),
+          }
+        },
+        async settle(paymentPayload: PaymentPayload) {
+          return {
+            network: paymentPayload.accepted.network,
+            payer: payerOf(paymentPayload),
+            success: true,
+            transaction: `0x${'3'.repeat(64)}`,
+          }
+        },
+      },
+    },
+  })
+
   const challengeOpts = {
     amount: '1000',
     currency: '0x0000000000000000000000000000000000000001',
@@ -1879,6 +1905,142 @@ describe('compose', () => {
     expect(wwwAuth).toContain('method="beta"')
   })
 
+  test('returns composed x402 challenge headers when no credential', async () => {
+    const mppx = Mppx.create({ methods: [x402Method], realm, secretKey })
+
+    const result = await mppx.compose(['evm/charge', { amount: '0.01' }])(
+      new Request('https://example.com/resource'),
+    )
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    expect(result.challenge.headers.get('WWW-Authenticate')).toContain('method="evm"')
+    const header = result.challenge.headers.get(x402_Types.paymentRequiredHeader)
+    expect(header).toBeTruthy()
+    expect(result.challenge.headers.get('Content-Type')).toContain('application/problem+json')
+    expect(await result.challenge.json()).toMatchObject({ status: 402 })
+
+    const paymentRequired = x402_Header.decodePaymentRequired(header!)
+    expect(paymentRequired.accepts).toHaveLength(1)
+    expect(paymentRequired.accepts[0]).toMatchObject({
+      amount: '10000',
+      scheme: x402_Types.schemes[0],
+    })
+    expect(paymentRequired.resource.url).toBe('https://example.com/resource')
+  })
+
+  test('merges Payment auth and x402 challenge headers in compose()', async () => {
+    const mppx = Mppx.create({ methods: [alphaMethod, x402Method], realm, secretKey })
+
+    const result = await mppx.compose(
+      [alphaMethod, challengeOpts],
+      ['evm/charge', { amount: '0.01' }],
+    )(new Request('https://example.com/resource'))
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    const wwwAuth = result.challenge.headers.get('WWW-Authenticate')
+    expect(wwwAuth).toContain('method="alpha"')
+
+    const header = result.challenge.headers.get(x402_Types.paymentRequiredHeader)
+    expect(header).toBeTruthy()
+    const paymentRequired = x402_Header.decodePaymentRequired(header!)
+    expect(paymentRequired.accepts.map((accepted) => accepted.amount)).toEqual(['10000'])
+  })
+
+  test('keeps pure x402 challenge headers when Payment auth challenges are present', async () => {
+    const mppx = Mppx.create({ methods: [alphaMethod], realm, secretKey })
+    const pureX402 = async () =>
+      ({
+        status: 402,
+        challenge: new Response('{}', {
+          status: 402,
+          headers: {
+            [x402_Types.paymentRequiredHeader]: x402_Header.encodePaymentRequired({
+              accepts: [
+                {
+                  amount: '10000',
+                  asset: evm.assets.baseSepolia.USDC.address,
+                  extra: {
+                    assetTransferMethod: evm_Types.eip3009,
+                    name: 'USDC',
+                    version: '2',
+                  },
+                  maxTimeoutSeconds: 300,
+                  network: 'eip155:84532',
+                  payTo: accounts[0].address,
+                  scheme: 'exact',
+                },
+              ],
+              resource: { url: 'https://example.com/resource' },
+              x402Version: 2,
+            }),
+          },
+        }),
+      }) as const
+
+    const alpha = (mppx as unknown as Record<string, (options: unknown) => any>)['alpha/charge']!(
+      challengeOpts,
+    )
+
+    const result = await Mppx.compose(alpha, pureX402)(new Request('https://example.com/resource'))
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    expect(result.challenge.headers.get('WWW-Authenticate')).toContain('method="alpha"')
+    expect(result.challenge.headers.get(x402_Types.paymentRequiredHeader)).toBeTruthy()
+  })
+
+  test('merges multiple x402 exact offers in compose()', async () => {
+    const mppx = Mppx.create({ methods: [x402Method], realm, secretKey })
+
+    const result = await mppx.compose(
+      ['evm/charge', { amount: '0.01' }],
+      ['evm/charge', { amount: '0.02' }],
+    )(new Request('https://example.com/resource'))
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    const header = result.challenge.headers.get(x402_Types.paymentRequiredHeader)
+    expect(header).toBeTruthy()
+    const paymentRequired = x402_Header.decodePaymentRequired(header!)
+    expect(paymentRequired.accepts.map((accepted) => accepted.amount)).toEqual(['10000', '20000'])
+  })
+
+  test('dispatches x402 credentials through compose()', async () => {
+    const mppx = Mppx.create({ methods: [alphaMethod, x402Method], realm, secretKey })
+    const handle = mppx.compose([alphaMethod, challengeOpts], ['evm/charge', { amount: '0.01' }])
+
+    const firstResult = await handle(new Request('https://example.com/resource'))
+    expect(firstResult.status).toBe(402)
+    if (firstResult.status !== 402) throw new Error()
+
+    const paymentRequired = x402_Header.decodePaymentRequired(
+      firstResult.challenge.headers.get(x402_Types.paymentRequiredHeader)!,
+    )
+    const credential = await x402PaymentSignature(
+      paymentRequired.accepts[0]!,
+      paymentRequired.resource,
+      paymentRequired.extensions,
+    )
+
+    const result = await handle(
+      new Request('https://example.com/resource', {
+        headers: { [x402_Types.paymentSignatureHeader]: credential },
+      }),
+    )
+
+    expect(result.status).toBe(200)
+    if (result.status !== 200) throw new Error()
+    const response = result.withReceipt(new Response('paid'))
+    expect(response.headers.get(x402_Types.paymentResponseHeader)).toBeTruthy()
+    expect(await response.text()).toBe('paid')
+  })
+
   test('filters compose challenges using Accept-Payment', async () => {
     const mppx = Mppx.create({ methods: [alphaMethod, betaMethod], realm, secretKey })
 
@@ -1899,6 +2061,27 @@ describe('compose', () => {
     expect(challenges[0]?.method).toBe('beta')
   })
 
+  test('filters compose x402 challenge headers using Accept-Payment', async () => {
+    const mppx = Mppx.create({ methods: [alphaMethod, x402Method], realm, secretKey })
+
+    const result = await mppx.compose(
+      [alphaMethod, challengeOpts],
+      ['evm/charge', { amount: '0.01' }],
+    )(
+      new Request('https://example.com/resource', {
+        headers: { 'Accept-Payment': 'alpha/charge' },
+      }),
+    )
+
+    expect(result.status).toBe(402)
+    if (result.status !== 402) throw new Error()
+
+    const challenges = Challenge.fromResponseList(result.challenge)
+    expect(challenges).toHaveLength(1)
+    expect(challenges[0]?.method).toBe('alpha')
+    expect(result.challenge.headers.get(x402_Types.paymentRequiredHeader)).toBeNull()
+  })
+
   test('orders compose challenges by Accept-Payment q-value', async () => {
     const mppx = Mppx.create({ methods: [alphaMethod, betaMethod], realm, secretKey })
 
@@ -2522,6 +2705,66 @@ describe('compose', () => {
   })
 })
 
+async function x402PaymentSignature(
+  accepted: x402_Types.PaymentRequirements,
+  resource: x402_Types.ResourceInfo,
+  extensions: x402_Types.Extensions | undefined,
+): Promise<string> {
+  const authorization = {
+    from: accounts[0].address,
+    nonce: x402_RouteBinding.nonce({
+      accepted,
+      extensions: extensions!,
+      resource,
+    }),
+    to: accepted.payTo as `0x${string}`,
+    validAfter: '0',
+    validBefore: '9999999999',
+    value: accepted.amount,
+  }
+  const signature = await accounts[0].signTypedData({
+    domain: {
+      chainId: Number(accepted.network.slice(x402_Types.evmNetworkPrefix.length)),
+      name: accepted.extra?.name as string,
+      verifyingContract: accepted.asset as `0x${string}`,
+      version: accepted.extra?.version as string,
+    },
+    message: {
+      ...authorization,
+      validAfter: BigInt(authorization.validAfter),
+      validBefore: BigInt(authorization.validBefore),
+      value: BigInt(authorization.value),
+    },
+    primaryType: 'TransferWithAuthorization',
+    types: {
+      TransferWithAuthorization: [
+        { name: 'from', type: 'address' },
+        { name: 'to', type: 'address' },
+        { name: 'value', type: 'uint256' },
+        { name: 'validAfter', type: 'uint256' },
+        { name: 'validBefore', type: 'uint256' },
+        { name: 'nonce', type: 'bytes32' },
+      ],
+    },
+  })
+
+  return x402_Header.encodePaymentSignature({
+    accepted,
+    ...(extensions ? { extensions } : {}),
+    payload: {
+      authorization,
+      signature,
+    },
+    resource,
+    x402Version: 2,
+  })
+}
+
+function payerOf(paymentPayload: PaymentPayload): string {
+  if ('authorization' in paymentPayload.payload) return paymentPayload.payload.authorization.from
+  return paymentPayload.payload.permit2Authorization.from
+}
+
 describe('compose: pre-dispatch narrowing edge cases', () => {
   const mockCharge = Method.from({
     name: 'alpha',

package/src/server/Mppx.ts

@@ -11,6 +11,8 @@ import type { MaybePromise } from '../internal/types.js'
 import type * as Method from '../Method.js'
 import * as PaymentRequest from '../PaymentRequest.js'
 import type * as Receipt from '../Receipt.js'
+import * as x402_Header from '../x402/Header.js'
+import * as x402_Types from '../x402/Types.js'
 import * as z from '../zod.js'
 import * as Html from './internal/html/config.js'
 import { serviceWorker } from './internal/html/serviceWorker.gen.js'
@@ -790,7 +792,7 @@ function createMethodFn(parameters: createMethodFn.Parameters): createMethodFn.R
             : staticMeta
 
         // Extract credential once — getCredential may have side effects (e.g. SSE transports).
-        const [credential, credentialError] = (() => {
+        let [credential, credentialError] = (() => {
           try {
             const credential = transport.getCredential(input) as Credential.Credential | null
             return [credential ? hydrateCredentialMeta(credential) : null, undefined] as const
@@ -898,6 +900,21 @@ function createMethodFn(parameters: createMethodFn.Parameters): createMethodFn.R
         if ('response' in routeChallenge) return { challenge: routeChallenge.response, status: 402 }
         const { challenge, parsedRequest, request } = routeChallenge
 
+        if (credential && transport.bindCredential) {
+          try {
+            credential = hydrateCredentialMeta(
+              (await transport.bindCredential({
+                challenge,
+                credential,
+                input,
+              })) as Credential.Credential,
+            )
+          } catch (e) {
+            credential = null
+            credentialError = e as Error
+          }
+        }
+
         // Credential was provided but malformed
         if (credentialError) {
           const reason = getSafeCredentialReason(credentialError)
@@ -2004,6 +2021,29 @@ type ConfiguredHandler = ((input: Request) => Promise<MethodFn.Response<Transpor
   }
 }
 
+const paymentAuthChallengeHeader = 'WWW-Authenticate'
+
+const challengeHeaderMerges = [
+  {
+    name: paymentAuthChallengeHeader,
+    values: (context) =>
+      context.challengeEntries
+        .map((entry) =>
+          (entry.result.challenge as Response).headers.get(paymentAuthChallengeHeader),
+        )
+        .filter((value): value is string => value !== null),
+    merge: (values) => values,
+  },
+  {
+    name: x402_Types.paymentRequiredHeader,
+    values: (context) =>
+      context.negotiatedChallengeResponses
+        .map((response) => response.headers.get(x402_Types.paymentRequiredHeader))
+        .filter((value): value is string => value !== null),
+    merge: mergeX402PaymentRequiredHeaders,
+  },
+] satisfies readonly ChallengeHeaderMerge[]
+
 /** An entry for `compose()`: a method reference, handler function ref, or string key paired with its options. */
 type ComposeEntry<methods extends readonly Method.AnyServer[]> =
   | {
@@ -2172,7 +2212,7 @@ export function compose(
         if (result?.status !== 402) continue
 
         const response = result.challenge as Response
-        const wwwAuth = response.headers.get('WWW-Authenticate')
+        const wwwAuth = response.headers.get(paymentAuthChallengeHeader)
         if (!wwwAuth) continue
 
         entries.push({
@@ -2199,14 +2239,39 @@ export function compose(
       }
     })()
 
-    // Merge WWW-Authenticate headers from all 402 responses.
+    const challengeResponses = results.flatMap((result) =>
+      result.status === 402 ? [result.challenge as Response] : [],
+    )
+    const unnegotiatedX402Responses =
+      input.headers.has('Accept-Payment') || challengeEntries.length === 0
+        ? []
+        : challengeResponses.filter(
+            (response) =>
+              response.headers.has(x402_Types.paymentRequiredHeader) &&
+              !response.headers.has(paymentAuthChallengeHeader),
+          )
+    const negotiatedChallengeResponses =
+      challengeEntries.length > 0
+        ? [
+            ...challengeEntries.map((entry) => entry.result.challenge as Response),
+            ...unnegotiatedX402Responses,
+          ]
+        : challengeResponses
+
+    // Merge challenge headers from the negotiated 402 responses.
     const mergedHeaders = new Headers()
     mergedHeaders.set('Cache-Control', 'no-store')
 
-    for (const entry of challengeEntries) {
-      const response = entry.result.challenge as Response
-      const wwwAuth = response.headers.get('WWW-Authenticate')
-      if (wwwAuth) mergedHeaders.append('WWW-Authenticate', wwwAuth)
+    for (const header of challengeHeaderMerges) {
+      for (const value of header.merge(
+        header.values({
+          challengeEntries,
+          challengeResponses,
+          negotiatedChallengeResponses,
+        }),
+      )) {
+        mergedHeaders.append(header.name, value)
+      }
     }
 
     // Collect html-enabled handlers and their challenges
@@ -2257,11 +2322,15 @@ export function compose(
       }
     }
 
-    // Non-HTML fallback: use first handler's body
+    // Non-HTML fallback: prefer the first Payment-auth body, otherwise use
+    // the first transport-specific 402 body.
     let body: string | null = null
-    for (const entry of challengeEntries) {
+    const bodyResponses =
+      challengeEntries.length > 0
+        ? challengeEntries.map((entry) => entry.result.challenge as Response)
+        : challengeResponses
+    for (const response of bodyResponses) {
       if (!body) {
-        const response = entry.result.challenge as Response
         const contentType = response.headers.get('Content-Type')
         if (contentType) mergedHeaders.set('Content-Type', contentType)
         body = await response.text()
@@ -2276,6 +2345,50 @@ export function compose(
   }
 }
 
+type ChallengeHeaderMerge = {
+  name: string
+  values(context: {
+    challengeEntries: readonly {
+      handler: ConfiguredHandler
+      challenge: Challenge.Challenge
+      result: Extract<MethodFn.Response<Transport.Http>, { status: 402 }>
+    }[]
+    challengeResponses: readonly Response[]
+    negotiatedChallengeResponses: readonly Response[]
+  }): readonly string[]
+  merge(values: readonly string[]): readonly string[]
+}
+
+function mergeX402PaymentRequiredHeaders(values: readonly string[]): readonly string[] {
+  if (values.length === 0) return []
+  const [first, ...rest] = values.map((value) => x402_Header.decodePaymentRequired(value))
+  if (!first) throw new Error('Expected at least one x402 payment-required header.')
+  const incompatible = rest.some(
+    (value) =>
+      !isDeepStrictEqual(value.resource, first.resource) ||
+      !isDeepStrictEqual(value.extensions, first.extensions),
+  )
+  if (incompatible)
+    return [
+      x402_Header.encodePaymentRequired({
+        ...first,
+        error: [first.error, 'Cannot merge x402 payment requirements with different resources.']
+          .filter((value): value is string => value !== undefined && value.length > 0)
+          .join('; '),
+      }),
+    ]
+  const error = [first.error, ...rest.map((value) => value.error)]
+    .filter((value): value is string => value !== undefined && value.length > 0)
+    .join('; ')
+  return [
+    x402_Header.encodePaymentRequired({
+      ...first,
+      accepts: [first.accepts, ...rest.map((value) => value.accepts)].flat(),
+      ...(error ? { error } : {}),
+    }),
+  ]
+}
+
 /**
  * Wraps a payment handler to create a Node.js HTTP listener.
  *
@@ -2316,7 +2429,7 @@ export function toNodeListener(
       }
 
       const wrapped = result.withReceipt(new globalThis.Response()) as globalThis.Response
-      res.setHeader('Payment-Receipt', wrapped.headers.get('Payment-Receipt')!)
+      for (const [name, value] of wrapped.headers) res.setHeader(name, value)
     }
 
     return result

package/src/server/NodeListener.test.ts

@@ -1,7 +1,7 @@
 import { EventEmitter } from 'node:events'
 import type { IncomingMessage, ServerResponse } from 'node:http'
 
-import { NodeListener, Request } from 'mppx/server'
+import { Mppx, NodeListener, Request } from 'mppx/server'
 import { afterEach, describe, expect, test } from 'vp/test'
 import * as Http from '~test/Http.js'
 
@@ -185,6 +185,33 @@ describe('toNodeListener', () => {
     expect(await response.json()).toEqual({ path: '/hello' })
   })
 
+  test('copies all receipt response headers for successful payment handlers', async () => {
+    const handler = Mppx.toNodeListener(async () => ({
+      status: 200,
+      withReceipt(response?: Response) {
+        if (!response) {
+          const error = new Error('withReceipt() requires a response argument')
+          error.name = 'MissingReceiptResponseError'
+          throw error
+        }
+        const headers = new Headers(response?.headers)
+        headers.set('Payment-Receipt', 'receipt')
+        headers.set('PAYMENT-RESPONSE', 'x402-response')
+        return new Response(response?.body, { headers })
+      },
+    }))
+
+    server = await Http.createServer(async (req, res) => {
+      await handler(req, res)
+      res.end('ok')
+    })
+
+    const response = await fetch(server.url)
+    expect(response.headers.get('Payment-Receipt')).toBe('receipt')
+    expect(response.headers.get('PAYMENT-RESPONSE')).toBe('x402-response')
+    expect(await response.text()).toBe('ok')
+  })
+
   test('forwards request method', async () => {
     const handler = Request.toNodeListener(async (request) => {
       return Response.json({ method: request.method })

package/src/server/Transport.test.ts

@@ -408,6 +408,7 @@ describe('http', () => {
       }).toMatchInlineSnapshot(`
         {
           "headers": {
+            "cache-control": "private",
             "content-type": "text/plain;charset=UTF-8",
             "payment-receipt": "eyJtZXRob2QiOiJ0ZW1wbyIsInJlZmVyZW5jZSI6IjB4dHhoYXNoIiwic3RhdHVzIjoic3VjY2VzcyIsInRpbWVzdGFtcCI6IjIwMjUtMDEtMDFUMDA6MDA6MDAuMDAwWiJ9",
           },
@@ -415,6 +416,24 @@ describe('http', () => {
         }
       `)
     })
+
+    test('preserves existing cache directives while marking receipts private', () => {
+      const transport = Transport.http()
+      const originalResponse = new Response('OK', {
+        status: 200,
+        headers: { 'Cache-Control': 'max-age=60' },
+      })
+
+      const response = transport.respondReceipt({
+        credential,
+        input: new Request('https://example.com'),
+        receipt,
+        response: originalResponse,
+        challengeId: challenge.id,
+      })
+
+      expect(response.headers.get('Cache-Control')).toBe('max-age=60, private')
+    })
   })
 })