mppx 0.6.8 → 0.6.9

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # mppx
 
+## 0.6.9
+
+### Patch Changes
+
+- Fixed Stripe proxy to strip caller-supplied `Stripe-Account` headers before forwarding requests upstream.
+
 ## 0.6.8
 
 ### Patch Changes

package/dist/proxy/services/stripe.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"stripe.d.ts","sourceRoot":"","sources":["../../../src/proxy/services/stripe.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,eAAe,CAAA;AAExC;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,mBAkB3C;AAED,MAAM,CAAC,OAAO,WAAW,MAAM,CAAC;IAC9B,KAAY,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;QAChC,mDAAmD;QACnD,MAAM,EAAE,MAAM,CAAA;QACd,iEAAiE;QACjE,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;QAC5B,MAAM,EACF,kBAAkB,GAClB,oBAAoB,GACpB,uBAAuB,GACvB,0BAA0B,GAC1B,6BAA6B,GAC7B,wBAAwB,GACxB,2BAA2B,GAC3B,mBAAmB,GACnB,sBAAsB,CAAA;KAC3B,CAAC,CAAA;CACH"}
+{"version":3,"file":"stripe.d.ts","sourceRoot":"","sources":["../../../src/proxy/services/stripe.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,eAAe,CAAA;AAExC;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,mBAmB3C;AAED,MAAM,CAAC,OAAO,WAAW,MAAM,CAAC;IAC9B,KAAY,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;QAChC,mDAAmD;QACnD,MAAM,EAAE,MAAM,CAAA;QACd,iEAAiE;QACjE,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;QAC5B,MAAM,EACF,kBAAkB,GAClB,oBAAoB,GACpB,uBAAuB,GACvB,0BAA0B,GAC1B,6BAA6B,GAC7B,wBAAwB,GACxB,2BAA2B,GAC3B,mBAAmB,GACnB,sBAAsB,CAAA;KAC3B,CAAC,CAAA;CACH"}

package/dist/proxy/services/stripe.js

@@ -28,6 +28,7 @@ export function stripe(config) {
         },
         rewriteRequest(request, ctx) {
             const apiKey = ctx.apiKey ?? config.apiKey;
+            request.headers.delete('Stripe-Account');
             request.headers.set('Authorization', `Basic ${btoa(`${apiKey}:`)}`);
             return request;
         },

package/dist/proxy/services/stripe.js.map

@@ -1 +1 @@
-{"version":3,"file":"stripe.js","sourceRoot":"","sources":["../../../src/proxy/services/stripe.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,eAAe,CAAA;AAExC;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,MAAM,CAAC,MAAqB;IAC1C,OAAO,OAAO,CAAC,IAAI,CAAgB,QAAQ,EAAE;QAC3C,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,wBAAwB;QACnD,UAAU,EAAE,CAAC,UAAU,CAAC;QACxB,WAAW,EAAE,6DAA6D;QAC1E,IAAI,EAAE;YACJ,YAAY,EAAE,6BAA6B;YAC3C,QAAQ,EAAE,yBAAyB;YACnC,IAAI,EAAE,kCAAkC;SACzC;QACD,cAAc,CAAC,OAAO,EAAE,GAAG;YACzB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAA;YAC1C,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,SAAS,IAAI,CAAC,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,CAAA;YACnE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,KAAK,EAAE,QAAQ;KAChB,CAAC,CAAA;AACJ,CAAC"}
+{"version":3,"file":"stripe.js","sourceRoot":"","sources":["../../../src/proxy/services/stripe.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,OAAO,MAAM,eAAe,CAAA;AAExC;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,MAAM,CAAC,MAAqB;IAC1C,OAAO,OAAO,CAAC,IAAI,CAAgB,QAAQ,EAAE;QAC3C,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,wBAAwB;QACnD,UAAU,EAAE,CAAC,UAAU,CAAC;QACxB,WAAW,EAAE,6DAA6D;QAC1E,IAAI,EAAE;YACJ,YAAY,EAAE,6BAA6B;YAC3C,QAAQ,EAAE,yBAAyB;YACnC,IAAI,EAAE,kCAAkC;SACzC;QACD,cAAc,CAAC,OAAO,EAAE,GAAG;YACzB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,CAAA;YAC1C,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAA;YACxC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,SAAS,IAAI,CAAC,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,CAAA;YACnE,OAAO,OAAO,CAAA;QAChB,CAAC;QACD,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,KAAK,EAAE,QAAQ;KAChB,CAAC,CAAA;AACJ,CAAC"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "mppx",
   "type": "module",
-  "version": "0.6.8",
+  "version": "0.6.9",
   "main": "./dist/index.js",
   "license": "MIT",
   "files": [

package/src/proxy/services/stripe.test.ts

@@ -81,6 +81,49 @@ describe('stripe', () => {
     expect(receipt.method).toBe('tempo')
   })
 
+  test('security: strips caller-supplied Stripe-Account header before proxying', async () => {
+    upstreamServer = await Http.createServer((req, res) => {
+      res.writeHead(200, { 'Content-Type': 'application/json' })
+      res.end(
+        JSON.stringify({
+          headers: {
+            authorization: req.headers.authorization,
+            stripeAccount: req.headers['stripe-account'],
+          },
+        }),
+      )
+    })
+
+    const proxy = ApiProxy.create({
+      services: [
+        stripe({
+          apiKey,
+          baseUrl: upstreamServer.url,
+          routes: {
+            'POST /v1/charges': true,
+          },
+        }),
+      ],
+    })
+    proxyServer = await Http.createServer(proxy.listener)
+
+    const res = await fetch(`${proxyServer.url}/stripe/v1/charges`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        'Stripe-Account': 'acct_123',
+      },
+      body: 'amount=100&currency=usd',
+    })
+    expect(res.status).toBe(200)
+
+    const body = (await res.json()) as {
+      headers: { authorization: string; stripeAccount?: string | string[] | undefined }
+    }
+    expect(body.headers.authorization).toBe(`Basic ${btoa(`${apiKey}:`)}`)
+    expect(body.headers.stripeAccount).toBeUndefined()
+  })
+
   test('behavior: returns 402 without credential', async () => {
     upstreamServer = await Http.createServer((_req, res) => {
       res.writeHead(200, { 'Content-Type': 'application/json' })

package/src/proxy/services/stripe.ts

@@ -29,6 +29,7 @@ export function stripe(config: stripe.Config) {
     },
     rewriteRequest(request, ctx) {
       const apiKey = ctx.apiKey ?? config.apiKey
+      request.headers.delete('Stripe-Account')
       request.headers.set('Authorization', `Basic ${btoa(`${apiKey}:`)}`)
       return request
     },