payment-kit 1.27.2 → 1.29.0

package/cloudflare/shims/blocklet-sdk/auth-service.ts

@@ -0,0 +1,33 @@
+export class BlockletService {
+  async getVault() {
+    return { address: (globalThis as any).__CF_ENV__?.VAULT_ADDRESS || '' };
+  }
+  async getBlocklet() {
+    return { id: '', site: { id: '' } };
+  }
+  async updateRoutingRule() {}
+  async addRoutingRule() {}
+  async getPermissionsByRole(_role: string) {
+    return [];
+  }
+  async getRoles() {
+    return [];
+  }
+  async getUsers(_params?: any) {
+    return [];
+  }
+  async getUser(did: string, _opts?: any) {
+    // In CF Workers, the DID from DID Connect IS the wallet DID.
+    // Return it as a connectedAccount so getWalletDid(user) works correctly.
+    return {
+      user: {
+        did,
+        fullName: did,
+        email: '',
+        phone: '',
+        remark: '',
+        connectedAccounts: [{ provider: 'wallet', did }],
+      },
+    };
+  }
+}

package/cloudflare/shims/blocklet-sdk/cdn.ts

@@ -0,0 +1,3 @@
+export function cdn() {
+  return (_req: any, _res: any, next: any) => next();
+}

package/cloudflare/shims/blocklet-sdk/component-api.ts

@@ -0,0 +1,35 @@
+// componentApi shim — HTTP client with signature headers
+// Mirrors the subset of axios API used by payment-kit (post, get, request)
+export const componentApi = {
+  post: async (url: string, data: any, _opts?: any) => {
+    const res = await fetch(url, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(data),
+    });
+    return { data: await res.json() };
+  },
+  get: async (url: string, _opts?: any) => {
+    const res = await fetch(url);
+    return { data: await res.json() };
+  },
+  // Used by queues/webhook.ts for webhook delivery
+  request: async (config: { url: string; method?: string; data?: any; headers?: Record<string, string>; timeout?: number }) => {
+    const controller = new AbortController();
+    const timeoutId = config.timeout ? setTimeout(() => controller.abort(), config.timeout) : null;
+    try {
+      const res = await fetch(config.url, {
+        method: config.method || 'POST',
+        headers: { 'Content-Type': 'application/json', ...config.headers },
+        body: config.data ? JSON.stringify(config.data) : undefined,
+        signal: controller.signal,
+      });
+      const data = await res.json().catch(() => null);
+      return { data, status: res.status, headers: Object.fromEntries(res.headers.entries()) };
+    } finally {
+      if (timeoutId) clearTimeout(timeoutId);
+    }
+  },
+};
+
+export default componentApi;

package/cloudflare/shims/blocklet-sdk/component.ts

@@ -0,0 +1,18 @@
+// @blocklet/sdk/lib/component shim
+function _getUrl(path?: string) {
+  const base = (globalThis as any).__CF_ENV__?.APP_URL || '';
+  if (!path) return base;
+  // In CF Workers there is no blocklet prefix — assets are served from root
+  return `${base}${path.startsWith('/') ? path : '/' + path}`;
+}
+
+const component = {
+  getUrl: _getUrl,
+};
+
+export default component;
+export function getUrl(path?: string) {
+  return _getUrl(path);
+}
+export function getResources() { return []; }
+export function getPackResources() { return []; }

package/cloudflare/shims/blocklet-sdk/config.ts

@@ -0,0 +1,8 @@
+import { env } from './env';
+
+export { env };
+export const Events = {};
+export const events = { on: () => {}, emit: () => {} };
+
+const config = { env, Events, events };
+export default config;

package/cloudflare/shims/blocklet-sdk/did.ts

@@ -0,0 +1,14 @@
+// In Blocklet Server, getWalletDid(user) extracts wallet DID from user.connectedAccounts.
+// In CF Workers, the user's DID from DID Connect IS the wallet DID (wallet signed directly).
+export function getWalletDid(user?: any) {
+  if (user) {
+    // If user has connectedAccounts (from enriched getUser), use it
+    if (user.connectedAccounts) {
+      const walletAccount = user.connectedAccounts.find((a: any) => a.provider === 'wallet');
+      if (walletAccount) return walletAccount.did;
+    }
+    // In CF Workers, user.did IS the wallet DID (signed via DID Connect)
+    if (user.did) return user.did;
+  }
+  return (globalThis as any).__CF_ENV__?.WALLET_DID || '';
+}

package/cloudflare/shims/blocklet-sdk/env.ts

@@ -0,0 +1,12 @@
+// @blocklet/sdk/lib/env shim
+const env = {
+  get appPid() { return (globalThis as any).__CF_ENV__?.APP_PID || ''; },
+  get appName() { return (globalThis as any).__CF_ENV__?.APP_NAME || 'Payment Kit'; },
+  get appUrl() { return (globalThis as any).__CF_ENV__?.APP_URL || ''; },
+  get componentDid() { return (globalThis as any).__CF_ENV__?.COMPONENT_DID || ''; },
+  get dataDir() { return '/tmp'; },
+  get appId() { return (globalThis as any).__CF_ENV__?.APP_ID || ''; },
+};
+
+export { env };
+export default env;

package/cloudflare/shims/blocklet-sdk/eventbus.ts

@@ -0,0 +1,3 @@
+export async function publish(_event: string, _data: any) {
+  // TODO: CF Queues or HTTP POST
+}

package/cloudflare/shims/blocklet-sdk/fallback.ts

@@ -0,0 +1,3 @@
+export function fallback(_file: string, _opts?: any) {
+  return (_req: any, _res: any, next: any) => next();
+}

package/cloudflare/shims/blocklet-sdk/index.ts

@@ -0,0 +1,11 @@
+// @blocklet/sdk main entry shim
+export { env } from './env';
+export { Notification } from './notification';
+
+export const component = {
+  getUrl: (..._args: any[]) => (globalThis as any).__CF_ENV__?.APP_URL || '',
+};
+
+export function getUrl(..._args: any[]) {
+  return (globalThis as any).__CF_ENV__?.APP_URL || '';
+}

package/cloudflare/shims/blocklet-sdk/logger.ts

@@ -0,0 +1,11 @@
+// @blocklet/logger shim
+function createLogger(_name) {
+  return {
+    info: function() { console.log.apply(console, ['[INFO]'].concat(Array.from(arguments))); },
+    warn: function() { console.warn.apply(console, ['[WARN]'].concat(Array.from(arguments))); },
+    error: function() { console.error.apply(console, ['[ERROR]'].concat(Array.from(arguments))); },
+    debug: function() {},
+  };
+}
+
+module.exports = createLogger;

package/cloudflare/shims/blocklet-sdk/middlewares.ts

@@ -0,0 +1,15 @@
+// @blocklet/sdk/lib/middlewares shim
+export function csrf() {
+  return (_req: any, _res: any, next: any) => next();
+}
+
+export function auth(options?: { roles?: string[] }) {
+  return (req: any, res: any, next: any) => {
+    if (!options?.roles) return next();
+    if (!req.user?.did) return res.status(401).json({ error: 'Login required' });
+    if (!options.roles.includes(req.user.role)) {
+      return res.status(403).json({ error: 'Insufficient permissions' });
+    }
+    next();
+  };
+}

package/cloudflare/shims/blocklet-sdk/notification.ts

@@ -0,0 +1,11 @@
+export async function sendToRelay(_channel: string, _event: string, _data: any) {
+  // TODO: HTTP POST to notification service
+}
+
+export class Notification {
+  static async sendToUser(_did: string, _notification: any, _opts?: any) {
+    // TODO: HTTP POST to notification service
+  }
+}
+
+export default Notification;

package/cloudflare/shims/blocklet-sdk/security.ts

@@ -0,0 +1,53 @@
+// @blocklet/sdk/lib/security shim for CF Workers
+//
+// Uses the same crypto chain as original Blocklet Server:
+//   password = PBKDF2(BLOCKLET_APP_EK, BLOCKLET_DID, 256, 32, sha512).hex()
+//   plaintext = CryptoJS.AES.decrypt(ciphertext, password)
+
+import crypto from 'crypto';
+import CryptoJS from 'crypto-js';
+
+let _password: string | null = null;
+
+/** Initialize with EK + DID. After this, encrypt/decrypt work identically to Blocklet Server. */
+export function initSecurity(appEk: string, blockletDid: string): void {
+  _password = crypto.pbkdf2Sync(appEk, blockletDid, 256, 32, 'sha512').toString('hex');
+}
+
+export function encrypt(data: string, password?: string, salt?: string): string {
+  const pw = password || _password;
+  if (!pw) return data;
+  return CryptoJS.AES.encrypt(data, pw).toString();
+}
+
+export function decrypt(data: string, password?: string, salt?: string): string {
+  const pw = password || _password;
+  if (!pw || !data) return data;
+  return CryptoJS.AES.decrypt(data, pw).toString(CryptoJS.enc.Utf8);
+}
+
+/**
+ * Fetch EK from AUTH_SERVICE and initialize. Call once at worker startup.
+ */
+export async function initFromAuthService(env: {
+  AUTH_SERVICE?: any;
+  APP_PID?: string;
+}): Promise<void> {
+  const { AUTH_SERVICE, APP_PID } = env;
+  if (!AUTH_SERVICE || !APP_PID) return;
+
+  try {
+    const appEk = await AUTH_SERVICE.getAppEk(APP_PID);
+    if (!appEk) {
+      console.warn('[Security] No APP_EK found for instance', APP_PID);
+      return;
+    }
+    // BLOCKLET_DID = APP_PID in Blocklet Server
+    initSecurity(appEk, APP_PID);
+    console.log('[Security] Initialized with EK from AUTH_SERVICE');
+  } catch (err: any) {
+    console.error('[Security] initFromAuthService failed:', err?.message);
+  }
+}
+
+export default { encrypt, decrypt, initSecurity, initFromAuthService };

package/cloudflare/shims/blocklet-sdk/session.ts

@@ -0,0 +1,8 @@
+// @blocklet/sdk/lib/middlewares/session shim
+// Auth is resolved in Hono middleware layer via AUTH_SERVICE RPC.
+// req.user is already populated by mountExpressRoutes().
+export default function sessionMiddleware(_options?: any) {
+  return (_req: any, _res: any, next: any) => next();
+}
+
+export { sessionMiddleware };

package/cloudflare/shims/blocklet-sdk/verify-session.ts

@@ -0,0 +1,44 @@
+// CF Workers no-op shim for @blocklet/sdk/lib/util/verify-session.
+//
+// In CF Workers, Bearer / cookie validation happens *before* Express routes
+// run — see worker.ts auth middleware at /api/*, which calls
+// `c.env.AUTH_SERVICE.resolveIdentity(...)` and injects x-user-did into the
+// request headers when the token is valid. By the time security.ts'
+// `authenticate` middleware sees the request, the x-user-did branch handles
+// it. The fallback Bearer-validation path that calls verifyLoginToken
+// directly is only needed in the Express dev server, where the tunnel
+// bypasses Blocklet Server's nginx and we can't rely on header injection.
+//
+// So in Workers we return null — security.ts treats null as "couldn't
+// validate locally, fall through" — and the x-user-did set by the worker
+// layer is the source of truth.
+
+export type SessionUser = {
+  did: string;
+  role?: string;
+  fullName?: string;
+  provider?: string;
+  walletOS?: string;
+  method?: string;
+  org?: string;
+};
+
+export async function verifyLoginToken(_opts: { token: string; strictMode?: boolean }): Promise<SessionUser | null> {
+  return null;
+}
+
+export async function verifyAccessKey(_opts: { token: string; strictMode?: boolean }): Promise<SessionUser | null> {
+  return null;
+}
+
+export async function verifyComponentCall(_opts: { req: any; strictMode?: boolean }): Promise<SessionUser | null> {
+  return null;
+}
+
+export async function verifySignedToken(_opts: { token: string; strictMode?: boolean }): Promise<SessionUser | null> {
+  return null;
+}
+
+export function getSessionSecret(): string {
+  return '';
+}

package/cloudflare/shims/blocklet-sdk/verify-sign.ts

@@ -0,0 +1,38 @@
+// @blocklet/sdk/lib/util/verify-sign shim for CF Workers
+//
+// In Blocklet Server, component.call uses ED25519 signatures (x-component-sig)
+// to authenticate inter-component calls.
+//
+// In CF Workers, all authentication is delegated to AUTH_SERVICE (blocklet-service)
+// via the Hono caller middleware. By the time security.ts runs, the caller identity
+// is already resolved and injected into req.headers['x-user-did'] / req.user.
+//
+// This shim delegates to AUTH_SERVICE.resolveIdentity() using the request's
+// existing credentials (Cookie JWT or Authorization header), instead of
+// doing local ED25519 signature verification.
+
+export function getVerifyData(req: any, type = 'component') {
+  const sig = req.get?.(`x-${type}-sig`) || req.headers?.[`x-${type}-sig`] || '';
+  return { sig, data: {}, sigVersion: '', sigPk: '' };
+}
+
+export async function verify(_data: any, _sig: any): Promise<boolean> {
+  // AUTH_SERVICE handles all authentication in CF Workers.
+  // The Hono caller middleware (worker.ts) already called AUTH_SERVICE.resolveIdentity()
+  // and injected the result into x-user-did / x-user-role headers before Express runs.
+  //
+  // If AUTH_SERVICE verified the caller → x-user-did is set → security.ts x-user-did path handles it.
+  // If AUTH_SERVICE couldn't verify → caller is null → this path should reject.
+  //
+  // We return false here so the component.call path in security.ts falls through
+  // to the x-user-did path, which uses the AUTH_SERVICE-resolved identity.
+  const env = (globalThis as any).__CF_ENV__;
+  if (env?.AUTH_SERVICE) {
+    // AUTH_SERVICE is available — don't trust local signature, let the x-user-did path handle auth
+    return false;
+  }
+  // No AUTH_SERVICE — cannot verify
+  return false;
+}
+
+export default { verify, getVerifyData };

package/cloudflare/shims/blocklet-sdk/wallet-authenticator.ts

@@ -0,0 +1,3 @@
+export class WalletAuthenticator {
+  constructor(_opts?: any) {}
+}

package/cloudflare/shims/blocklet-sdk/wallet-handler.ts

@@ -0,0 +1,6 @@
+export class WalletHandlers {
+  constructor(_opts?: any) {}
+  attach(_opts: any) {
+    // TODO: implement DID Connect for CF
+  }
+}

package/cloudflare/shims/blocklet-sdk/wallet.ts

@@ -0,0 +1,103 @@
+// @blocklet/sdk/lib/wallet shim
+// Uses @ocap/wallet to create real wallets from APP_SK for on-chain operations
+import * as Mcrypto from '@ocap/mcrypto';
+import { fromSecretKey } from '@ocap/wallet';
+
+const walletTypeArcblock = {
+  role: Mcrypto.types.RoleType.ROLE_APPLICATION,
+  pk: Mcrypto.types.KeyType.ED25519,
+  hash: Mcrypto.types.HashType.SHA3,
+};
+
+const walletTypeEthereum = {
+  role: Mcrypto.types.RoleType.ROLE_APPLICATION,
+  pk: Mcrypto.types.KeyType.SECP256K1,
+  hash: Mcrypto.types.HashType.KECCAK,
+};
+
+// Cache wallets per type so they are not re-created on every call
+let _arcblockWallet: any = null;
+let _ethereumWallet: any = null;
+let _lastSK: string = '';
+
+function getAppSK(): string {
+  return (globalThis as any).__CF_ENV__?.APP_SK || process.env.APP_SK || '';
+}
+
+function ensureWallet(type?: string): any {
+  const sk = getAppSK();
+  if (!sk) {
+    return null;
+  }
+
+  // If SK changed, invalidate cached wallets
+  if (sk !== _lastSK) {
+    _arcblockWallet = null;
+    _ethereumWallet = null;
+    _lastSK = sk;
+  }
+
+  try {
+    if (type === 'ethereum') {
+      if (!_ethereumWallet) {
+        // Ethereum wallet uses first 66 chars of SK (0x + 32 bytes hex)
+        // matching @blocklet/sdk behavior: appSk.slice(0, 66)
+        const ethSk = sk.slice(0, 66);
+        _ethereumWallet = fromSecretKey(ethSk, walletTypeEthereum);
+      }
+      return _ethereumWallet;
+    }
+
+    if (!_arcblockWallet) {
+      _arcblockWallet = fromSecretKey(sk, walletTypeArcblock);
+    }
+    return _arcblockWallet;
+  } catch (e: any) {
+    console.error(`[CF Worker] ensureWallet(${type}) failed:`, e?.message);
+    return null;
+  }
+}
+
+/**
+ * Returns a wallet proxy that lazily initializes the real wallet on first property access.
+ * This is needed because auth.ts calls getWallet() at module init time, before __CF_ENV__
+ * is available. The proxy defers the real wallet creation to request time.
+ */
+export function getWallet(type?: string, _appSk?: string, _keyType?: string): any {
+  return new Proxy(
+    {},
+    {
+      get(_target, prop) {
+        const realWallet = ensureWallet(type);
+        if (!realWallet) {
+          if (prop === 'address') return '';
+          if (prop === 'publicKey') return '';
+          if (prop === 'toJSON') return () => ({});
+          if (prop === 'sign') return async () => '';
+          if (prop === 'verify') return async () => true;
+          if (prop === 'signJWT') return async () => '';
+          if (prop === 'then') return undefined;
+          return undefined;
+        }
+        const value = realWallet[prop];
+        if (typeof value === 'function') {
+          return value.bind(realWallet);
+        }
+        return value;
+      },
+      has(_target, prop) {
+        const realWallet = ensureWallet(type);
+        if (!realWallet) return false;
+        return prop in realWallet;
+      },
+    }
+  );
+}
+
+// CF shim re-exports: on CF the runtime/permanent/access wallets all derive
+// from the single APP_SK, so these just alias getWallet. Needed because
+// payment-kit's api/src/libs/auth.ts imports { getAccessWallet } and the
+// patch in that file calls getWallet(undefined, '', 'sk').
+export const getAccessWallet = () => getWallet('arcblock');
+export const getPermanentWallet = () => getWallet('arcblock');
+export const getEthereumWallet = () => getWallet('ethereum');

package/cloudflare/shims/cookie-parser.ts

@@ -0,0 +1,3 @@
+export default function cookieParser() {
+  return (_req: any, _res: any, next: any) => next();
+}

package/cloudflare/shims/cors.ts

@@ -0,0 +1,21 @@
+// Minimal cors shim for CF Workers
+// Uses Object.assign pattern so both ESM and CJS interop work:
+// - ESM: import cors from 'cors' -> cors is the function
+// - CJS: const cors = require('cors') -> cors is the function (via __toCommonJS default)
+function cors(_opts?: any) {
+  return (_req: any, res: any, next: any) => {
+    res?.set?.('Access-Control-Allow-Origin', '*');
+    res?.set?.('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE,PATCH,OPTIONS');
+    res?.set?.('Access-Control-Allow-Headers', 'Content-Type,Authorization,x-user-did,x-csrf-token');
+    if (_req?.method === 'OPTIONS') {
+      res?.status?.(204)?.end?.();
+      return;
+    }
+    next();
+  };
+}
+
+// @ts-ignore - module.exports for CJS compat
+module.exports = cors;
+// @ts-ignore
+module.exports.default = cors;