payment-kit 1.29.1 → 1.29.3

package/api/src/middlewares/hono/session.ts

@@ -0,0 +1,114 @@
+// Phase 3 (express→hono) — hono fork of @blocklet/sdk/lib/middlewares/session.js
+// (sessionMiddleware). NOT in the Phase 1 fork set, but used by many resource
+// routes (customers, checkout-sessions, payment-currencies, auto-recharge-configs,
+// …) via `sessionMiddleware({ accessKey: true })`. Unlike authenticate(), this is
+// NOT a gate: it POPULATES c.set('user', …) when a login token OR access key is
+// present and otherwise just calls next() (the downstream handler decides). The
+// token verification (verifyLoginToken / verifyAccessKey / verifyComponentCall /
+// verifySignedToken) + the optional blacklist check are reused verbatim; only the
+// req plumbing becomes a thin hono shim for getTokenFromReq.
+import type { MiddlewareHandler } from 'hono';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import { getTokenFromReq } from '@abtnode/util/lib/get-token-from-req';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import {
+  verifyLoginToken,
+  verifyAccessKey,
+  verifyComponentCall,
+  verifySignedToken,
+} from '@blocklet/sdk/lib/util/verify-session';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import { isLoginToken, isAccessKey } from '@blocklet/sdk/lib/util/login';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import config from '@blocklet/sdk/lib/config';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import serviceApi from '@blocklet/sdk/lib/util/service-api';
+import { isTestEnv } from '../../libs/env';
+
+interface SessionOptions {
+  loginToken?: boolean;
+  componentCall?: boolean;
+  signedToken?: string;
+  strictMode?: boolean;
+  accessKey?: boolean;
+  signedTokenKey?: string;
+}
+
+export function sessionMiddleware(options: SessionOptions = {}): MiddlewareHandler {
+  const {
+    loginToken = true,
+    componentCall = false,
+    signedToken = '',
+    strictMode = false,
+    accessKey = false,
+    signedTokenKey = '__jwt',
+  } = options;
+
+  return async (c, next) => {
+    let result: any = null;
+    // a thin express-req shim covering exactly what getTokenFromReq /
+    // verifyComponentCall read (query / cookie+authorization headers / method / url / body).
+    const url = new URL(c.req.url);
+    const shimReq: any = {
+      query: c.req.query(),
+      headers: { cookie: c.req.header('cookie'), authorization: c.req.header('authorization') },
+      get: (h: string) => c.req.header(h),
+      method: c.req.method,
+      originalUrl: url.pathname + url.search,
+      body: c.get('sanitizedBody') ?? {},
+    };
+
+    try {
+      if (loginToken || accessKey) {
+        const { _duplicate: hasDuplicate, token: loginTokenValue } = await getTokenFromReq(shimReq, {
+          cookie: { key: 'login_token' },
+        });
+        if (hasDuplicate) {
+          return c.text('Access token found in multiple locations', 400);
+        }
+        if (loginTokenValue && typeof loginTokenValue === 'string') {
+          if (!isTestEnv()) {
+            const blockletSettings = config.getBlockletSettings();
+            if (blockletSettings.enableBlacklist) {
+              const { data: checkResult } = await serviceApi.post('/api/user/checkToken', { token: loginTokenValue });
+              if (!checkResult.valid) {
+                if (strictMode) {
+                  return c.text('Access token is blocked', 401);
+                }
+                // not strict → treat as unauthenticated and proceed. NOT awaited
+                // on purpose: awaiting would pull downstream route errors into this
+                // try/catch and wrongly report them as 401 (parity with the express
+                // `next(); return;`, which does not await downstream).
+                // eslint-disable-next-line @typescript-eslint/return-await
+                return next();
+              }
+            }
+          }
+          if (isLoginToken(loginTokenValue)) {
+            result = await verifyLoginToken({ token: loginTokenValue, strictMode });
+          } else if (isAccessKey(loginTokenValue) && accessKey) {
+            result = await verifyAccessKey({ token: loginTokenValue, strictMode });
+          }
+        }
+      }
+
+      if (!result && componentCall) {
+        result = await verifyComponentCall({ req: shimReq, strictMode });
+      }
+
+      if (!result && signedToken) {
+        const token = c.req.query(signedTokenKey) || '';
+        result = await verifySignedToken({ token, strictMode });
+      }
+    } catch (err: any) {
+      return c.json({ error: err.message }, 401);
+    }
+
+    if (result) {
+      c.set('user', result);
+    }
+    return next();
+  };
+}
+
+export default sessionMiddleware;

package/api/src/middlewares/hono/xss.ts

@@ -0,0 +1,61 @@
+// Phase 1 (express→hono) — hono fork of @blocklet/xss (cjs/index.js:26).
+//
+// The express version sanitizes body/params/headers/query IN PLACE. hono's
+// Request is immutable and the query/params/headers are never reflected as HTML
+// (pure JSON API → Joi + parameterized Sequelize), so this fork DELIBERATELY
+// NARROWS to body-only sanitization (design §7, decided 2026-06-12). The
+// query/params/headers narrowing is locked by an explicit spec assertion.
+//
+// This middleware is the SINGLE body read-point: it consumes the request body
+// once, sanitizes it, and stores it on c.set('sanitizedBody'). Downstream routes
+// MUST read c.get('sanitizedBody') and NEVER call c.req.json() again — hono's
+// bodyCache holds the UN-sanitized original, so a re-read is a security hole
+// (design §7). The Stripe webhook (raw-body) is mounted so it never passes
+// through this middleware (Phase 3e).
+import type { MiddlewareHandler } from 'hono';
+// eslint-disable-next-line import/no-extraneous-dependencies
+import { initSanitize } from '@blocklet/xss';
+
+// allowedKeys: [] matches the express call site `xss({ allowedKeys: [] })`.
+const sanitize = initSanitize({ allowedKeys: [] });
+
+// Raw-body routes whose bytes must reach the handler unconsumed — the Stripe
+// webhook verifies its HMAC signature over the EXACT received bytes. Parity with
+// the express app shell, which routes this path around the json/body middleware
+// (service.ts buildNodeHandler). The route reads c.req.arrayBuffer() itself.
+const RAW_BODY_PREFIXES = ['/api/integrations/stripe/webhook'];
+
+export function xss(): MiddlewareHandler {
+  return async (c, next) => {
+    if (RAW_BODY_PREFIXES.some((p) => c.req.path.startsWith(p))) {
+      c.set('sanitizedBody', undefined);
+      return next();
+    }
+    // Parse the body by CONTENT-TYPE, not method — express's body-parser parses a
+    // json/form body on ANY method (including a GET with a body, which a few
+    // routes use, e.g. customers GET /:id reading body.create). A request with no
+    // parseable content-type yields no sanitizedBody (routes read `?? {}`, matching
+    // express.json()'s empty {} ).
+    const contentType = c.req.header('content-type') || '';
+    let body: unknown;
+    if (contentType.includes('application/json')) {
+      // single read; empty body → {} to match express.json() (which yields {}),
+      // malformed JSON throws (→ app.onError, parity with the express 400 path).
+      const raw = await c.req.text();
+      body = raw === '' ? {} : JSON.parse(raw);
+    } else if (
+      contentType.includes('application/x-www-form-urlencoded') ||
+      contentType.includes('multipart/form-data')
+    ) {
+      body = await c.req.parseBody();
+    } else {
+      // no parseable body content-type (or no body) — nothing to sanitize
+      body = undefined;
+    }
+
+    c.set('sanitizedBody', body === undefined ? undefined : sanitize(body));
+    return next();
+  };
+}
+
+export default xss;

package/api/src/queues/auto-recharge.ts

@@ -1,7 +1,8 @@
 import { BN } from '@ocap/util';
-
 import { Op } from 'sequelize';
-import createQueue from '../libs/queue';
+import { systemFindByPk, systemFindOne } from '../store/scoped';
+
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
 import {
   AutoRechargeConfig,
   ChainType,
@@ -48,13 +49,14 @@ export async function processAutoRecharge(job: AutoRechargeJobData) {
   logger.info('Processing auto recharge job', { job });
   const { customer_id: customerId, currency_id: currencyId } = job;
 
-  const customer = await Customer.findByPk(customerId);
+  const customer = await systemFindByPk(Customer, customerId);
   if (!customer) {
     logger.error('Customer not found', { customerId });
     return;
   }
+  assertJobObjectTenant(customer);
 
-  const currency = await PaymentCurrency.findByPk(currencyId);
+  const currency = await systemFindByPk(PaymentCurrency, currencyId);
   if (!currency) {
     logger.error('Currency not found', { currencyId });
     return;
@@ -63,7 +65,7 @@ export async function processAutoRecharge(job: AutoRechargeJobData) {
   // Check if the associated meter is inactive
   if (currency.type === 'credit') {
     // Find meter by currency_id (meter.currency_id -> PaymentCurrency) or by metadata.meter_id
-    const meter = await Meter.findOne({
+    const meter = await systemFindOne(Meter, {
       where: { currency_id: currencyId },
     });
     if (meter && meter.status === 'inactive') {
@@ -77,7 +79,7 @@ export async function processAutoRecharge(job: AutoRechargeJobData) {
   }
 
   // 1. find auto recharge config
-  const config = (await AutoRechargeConfig.findOne({
+  const config = (await systemFindOne(AutoRechargeConfig, {
     where: {
       customer_id: customerId,
       currency_id: currencyId,
@@ -378,7 +380,7 @@ async function createInvoiceForAutoRecharge({
   }
 
   // Check for existing invoice
-  const existInvoice = await Invoice.findOne({
+  const existInvoice = await systemFindOne(Invoice, {
     where: {
       customer_id: customer.id,
       currency_id: rechargeCurrency.id,
@@ -633,21 +635,21 @@ export async function checkAndTriggerAutoRecharge(
     }
 
     // T2b: Reuse caller-provided currency to avoid redundant DB query
-    const currency = options?.currency ?? (await PaymentCurrency.findByPk(currencyId));
+    const currency = options?.currency ?? (await systemFindByPk(PaymentCurrency, currencyId));
 
     // Reuse caller-provided meter when available to avoid redundant DB query
     let meterPromise: Promise<any>;
     if (options?.meter != null) {
       meterPromise = Promise.resolve(options.meter);
     } else if (currency?.type === 'credit') {
-      meterPromise = Meter.findOne({ where: { currency_id: currencyId } });
+      meterPromise = systemFindOne(Meter, { where: { currency_id: currencyId } });
     } else {
       meterPromise = Promise.resolve(null);
     }
 
     const [meter, config] = await Promise.all([
       meterPromise,
-      AutoRechargeConfig.findOne({
+      systemFindOne(AutoRechargeConfig, {
         where: {
           customer_id: customer.id,
           currency_id: currencyId,

package/api/src/queues/checkout-session.ts

@@ -1,13 +1,15 @@
 /* eslint-disable no-await-in-loop */
 import { Op } from 'sequelize';
+import { systemFindAll, systemFindByPk, systemFindOne } from '../store/scoped';
 
 import { mintNftForCheckoutSession } from '../integrations/arcblock/nft';
 import { ensurePassportIssued } from '../integrations/blocklet/passport';
 import { ensureInvoiceForCheckout } from '../routes/connect/shared';
+import { withTenant } from '../libs/context';
 import dayjs from '../libs/dayjs';
 import { events } from '../libs/event';
 import logger from '../libs/logger';
-import createQueue from '../libs/queue';
+import createQueue, { assertJobObjectTenant } from '../libs/queue';
 import {
   CheckoutSession,
   Customer,
@@ -40,11 +42,12 @@ export const checkoutSessionQueue = createQueue<CheckoutSessionJob>({
 });
 
 export async function handleCheckoutSessionJob(job: CheckoutSessionJob): Promise<void> {
-  const checkoutSession = await CheckoutSession.findByPk(job.id);
+  const checkoutSession = await systemFindByPk(CheckoutSession, job.id);
   if (!checkoutSession) {
     logger.warn('CheckoutSession not found', { id: job.id });
     return;
   }
+  assertJobObjectTenant(checkoutSession);
   if (job.action === 'expire') {
     if (checkoutSession.status !== 'open') {
       logger.info('Skip expire CheckoutSession since status is not open', {
@@ -80,23 +83,34 @@ export async function handleCheckoutSessionJob(job: CheckoutSessionJob): Promise
 export async function startCheckoutSessionQueue() {
   // Auto populate subscription queue
   const now = dayjs().unix();
-  const checkoutSessions = await CheckoutSession.findAll({
+  const checkoutSessions = await systemFindAll(CheckoutSession, {
     where: {
       status: 'open',
       expires_at: { [Op.lte]: now },
     },
   });
 
-  checkoutSessions.forEach(async (checkoutSession) => {
-    const exist = await checkoutSessionQueue.get(checkoutSession.id);
-    if (!exist) {
-      checkoutSessionQueue.push({
-        id: checkoutSession.id,
-        job: { id: checkoutSession.id, action: 'expire' },
-        runAt: checkoutSession.expires_at,
-      });
+  // Per-record tenant context: queue push stamps the job tenant via getInstanceDid,
+  // which fails closed in multi mode without it. for-of + await (not forEach(async),
+  // which leaks an unhandledRejection → FATAL on boot); per-record catch isolates.
+  for (const checkoutSession of checkoutSessions) {
+    const dispatch = async () => {
+      const exist = await checkoutSessionQueue.get(checkoutSession.id);
+      if (!exist) {
+        checkoutSessionQueue.push({
+          id: checkoutSession.id,
+          job: { id: checkoutSession.id, action: 'expire' },
+          runAt: checkoutSession.expires_at,
+        });
+      }
+    };
+    try {
+      // eslint-disable-next-line no-await-in-loop
+      await (checkoutSession.instance_did ? withTenant(checkoutSession.instance_did, dispatch) : dispatch());
+    } catch (error) {
+      logger.error('startCheckoutSessionQueue: re-queue failed', { id: checkoutSession.id, error });
     }
-  });
+  }
 }
 
 checkoutSessionQueue.on('failed', ({ id, job, error }) => {
@@ -146,7 +160,7 @@ events.on('checkout.session.expired', async (checkoutSession: CheckoutSession) =
     });
   } else {
     // Do some reverse lookup if invoice is not related to checkout session
-    const invoice = await Invoice.findOne({ where: { checkout_session_id: checkoutSession.id } });
+    const invoice = await systemFindOne(Invoice, { where: { checkout_session_id: checkoutSession.id } });
     if (invoice) {
       await destroyExistingInvoice(invoice);
       logger.info('Invoice and InvoiceItem for checkout session deleted on expire', {
@@ -165,10 +179,10 @@ events.on('checkout.session.expired', async (checkoutSession: CheckoutSession) =
   }
 
   if (checkoutSession.payment_intent_id && checkoutSession.payment_status !== 'paid') {
-    const paymentIntent = await PaymentIntent.findByPk(checkoutSession.payment_intent_id);
+    const paymentIntent = await systemFindByPk(PaymentIntent, checkoutSession.payment_intent_id);
     const stripePaymentId = paymentIntent?.payment_details?.stripe?.payment_intent_id;
     if (paymentIntent && stripePaymentId) {
-      const method = await PaymentMethod.findByPk(paymentIntent.payment_method_id);
+      const method = await systemFindByPk(PaymentMethod, paymentIntent.payment_method_id);
       if (method?.type === 'stripe') {
         const client = method.getStripeClient();
         try {
@@ -198,12 +212,12 @@ events.on('checkout.session.expired', async (checkoutSession: CheckoutSession) =
 
   const subscriptionIds = getCheckoutSessionSubscriptionIds(checkoutSession);
   if (subscriptionIds.length > 0) {
-    const subscriptions = await Subscription.findAll({ where: { id: { [Op.in]: subscriptionIds } } });
+    const subscriptions = await systemFindAll(Subscription, { where: { id: { [Op.in]: subscriptionIds } } });
     await Promise.all(
       subscriptions.map(async (subscription) => {
         const stripeSubscriptionId = subscription?.payment_details?.stripe?.subscription_id;
         if (subscription && stripeSubscriptionId) {
-          const method = await PaymentMethod.findByPk(subscription.default_payment_method_id);
+          const method = await systemFindByPk(PaymentMethod, subscription.default_payment_method_id);
           if (method?.type === 'stripe') {
             const client = method.getStripeClient();
             try {
@@ -245,7 +259,7 @@ events.on('checkout.session.expired', async (checkoutSession: CheckoutSession) =
 
   // update price lock status
   for (const item of checkoutSession.line_items) {
-    const price = await Price.findByPk(item.price_id);
+    const price = await systemFindByPk(Price, item.price_id);
     if (price?.locked) {
       const used = await price.isUsed(false);
       logger.info('Price used status recheck on expire', {
@@ -269,11 +283,12 @@ events.on('checkout.session.expired', async (checkoutSession: CheckoutSession) =
 events.on(
   'checkout.session.pending_invoice',
   async ({ checkoutSessionId, paymentIntentId }: { checkoutSessionId: string; paymentIntentId: string }) => {
-    const checkoutSession = await CheckoutSession.findByPk(checkoutSessionId);
+    const checkoutSession = await systemFindByPk(CheckoutSession, checkoutSessionId);
     if (!checkoutSession) {
       logger.warn('CheckoutSession not found for pending invoice', { checkoutSessionId });
       return;
     }
+    assertJobObjectTenant(checkoutSession);
     if (checkoutSession.invoice_id) {
       logger.info('Invoice already exists for checkout session', {
         checkoutSessionId,
@@ -293,15 +308,17 @@ events.on(
       return;
     }
 
-    const paymentIntent = await PaymentIntent.findByPk(paymentIntentId);
+    const paymentIntent = await systemFindByPk(PaymentIntent, paymentIntentId);
     if (!paymentIntent) {
       return;
     }
+    assertJobObjectTenant(paymentIntent);
 
-    const customer = await Customer.findByPk(checkoutSession.customer_id);
+    const customer = await systemFindByPk(Customer, checkoutSession.customer_id);
     if (!customer) {
       return;
     }
+    assertJobObjectTenant(customer);
 
     await ensureInvoiceForCheckout({
       checkoutSession,