payment-kit 1.29.1 → 1.29.3

package/api/src/routes/{vendor.ts → hono/vendor.ts}

@@ -1,23 +1,30 @@
-import { middleware } from '@blocklet/payment-vendor';
+// Phase 3 (express→hono) — hono fork of routes/vendor.ts. Sub-app with
+// routes relative to /api/vendor (mounted via mountResourceGroup). The
+// business logic is unchanged; only the express plumbing becomes hono:
+//   req.body → c.get('sanitizedBody') ?? {}; res.status(n).json(x) → c.json(x, n);
+//   res.redirect(u) → return c.redirect(u).
+import { VendorAuth } from '@blocklet/payment-vendor';
+import { toBase58 } from '@ocap/util';
 import { getUrl } from '@blocklet/sdk/lib/component';
-import { Router } from 'express';
+import { Hono } from 'hono';
+import type { MiddlewareHandler } from 'hono';
 import Joi from 'joi';
 
 // eslint-disable-next-line import/no-extraneous-dependencies
 import { gte } from 'semver';
 import { Op } from 'sequelize';
-import { MetadataSchema } from '../libs/api';
-import { wallet } from '../libs/auth';
-import dayjs from '../libs/dayjs';
-import env from '../libs/env';
-import logger from '../libs/logger';
-import { authenticate } from '../libs/security';
-import { formatToShortUrl } from '../libs/url';
-import { getBlockletJson } from '../libs/util';
-import { VendorFulfillmentService } from '../libs/vendor-util/fulfillment';
-import { buildRefundInfoFromPayout } from '../libs/vendor-util/tool';
-import { CheckoutSession, Invoice, Payout, PaymentCurrency, Subscription } from '../store/models';
-import { ProductVendor } from '../store/models/product-vendor';
+import { MetadataSchema } from '../../libs/api';
+import { wallet } from '../../libs/auth';
+import dayjs from '../../libs/dayjs';
+import env, { isDevelopmentEnv } from '../../libs/env';
+import logger from '../../libs/logger';
+import { authenticate } from '../../middlewares/hono/security';
+import { formatToShortUrl } from '../../libs/url';
+import { getBlockletJson } from '../../libs/util';
+import { VendorFulfillmentService } from '../../libs/vendor-util/fulfillment';
+import { buildRefundInfoFromPayout } from '../../libs/vendor-util/tool';
+import { CheckoutSession, Invoice, Payout, PaymentCurrency, Subscription } from '../../store/models';
+import { ProductVendor } from '../../store/models/product-vendor';
 
 const VENDOR_DID = {
   launcher: 'z8iZkFBbrVQxZHvcWWB3Sa2TrfGmSeFz9MSU7',
@@ -67,45 +74,60 @@ const vendorRedirectQuerySchema = Joi.object({
   target: Joi.string().valid('home', 'dashboard').default('home').allow(''),
 });
 
-function validateParams(schema: Joi.ObjectSchema) {
-  return (req: any, res: any, next: any) => {
-    const { error } = schema.validate(req.params);
+function validateParams(schema: Joi.ObjectSchema): MiddlewareHandler {
+  // eslint-disable-next-line require-await -- MiddlewareHandler contract is async; body is sync
+  return async (c, next) => {
+    const params: Record<string, string> = {};
+    // Collect all named params from the matched route
+    try {
+      const raw = c.req.param();
+      Object.assign(params, raw);
+    } catch (_) {
+      // no params
+    }
+    const { error } = schema.validate(params);
     if (error) {
       logger.error('Invalid parameters', {
         error,
-        params: req.params,
-      });
-      return res.status(400).json({
-        error: 'Invalid parameters',
-        message: error.message,
+        params,
       });
+      return c.json(
+        {
+          error: 'Invalid parameters',
+          message: error.message,
+        },
+        400
+      );
     }
     return next();
   };
 }
 
-function validateQuery(schema: Joi.ObjectSchema) {
-  return (req: any, res: any, next: any) => {
-    const { error, value } = schema.validate(req.query);
+function validateQuery(schema: Joi.ObjectSchema): MiddlewareHandler {
+  // eslint-disable-next-line require-await -- MiddlewareHandler contract is async; body is sync
+  return async (c, next) => {
+    const query = c.req.query();
+    const { error, value } = schema.validate(query);
     if (error) {
       logger.error('Invalid query parameters', {
         error,
-        query: req.query,
+        query,
       });
-      return res.redirect('/404');
+      return c.redirect('/404');
     }
-    req.query = value;
+    // Store validated/defaulted query in context for downstream use
+    c.set('validatedQuery' as any, value);
     return next();
   };
 }
 
-async function getAllVendors(_req: any, res: any) {
+async function getAllVendors(c: any) {
   try {
     const vendors = await ProductVendor.findAll({
       order: [['created_at', 'DESC']],
     });
 
-    return res.json({
+    return c.json({
       data: vendors,
       pk: wallet.publicKey,
       total: vendors.length,
@@ -115,24 +137,24 @@ async function getAllVendors(_req: any, res: any) {
       error,
       stack: error.stack,
     });
-    return res.status(500).json({ error: 'Internal server error. Failed to get vendors' });
+    return c.json({ error: 'Internal server error. Failed to get vendors' }, 500);
   }
 }
 
-async function getVendorInfo(req: any, res: any) {
+async function getVendorInfo(c: any) {
   try {
-    const vendor = await ProductVendor.findByPk(req.params.id);
+    const vendor = await ProductVendor.findByPk(c.req.param('id'));
     if (!vendor) {
-      return res.status(404).json({ error: 'Vendor not found' });
+      return c.json({ error: 'Vendor not found' }, 404);
     }
 
-    return res.json({ data: vendor });
+    return c.json({ data: vendor });
   } catch (error: any) {
     logger.error('Failed to get vendor', {
       error,
-      id: req.params.id,
+      id: c.req.param('id'),
     });
-    return res.status(500).json({ error: 'Internal server error. Failed to get vendor' });
+    return c.json({ error: 'Internal server error. Failed to get vendor' }, 500);
   }
 }
 
@@ -181,14 +203,18 @@ async function prepareVendorData(appUrlInput: string, vendorType: 'launcher' | '
   };
 }
 
-async function createVendor(req: any, res: any) {
+async function createVendor(c: any) {
   try {
-    const { error, value } = createVendorSchema.validate(req.body);
+    const body = c.get('sanitizedBody') ?? {};
+    const { error, value } = createVendorSchema.validate(body);
     if (error) {
-      return res.status(400).json({
-        error: 'Validation failed',
-        message: error.message,
-      });
+      return c.json(
+        {
+          error: 'Validation failed',
+          message: error.message,
+        },
+        400
+      );
     }
 
     const { vendor_key: vendorKey, vendor_type: type, name, description, metadata, status } = value;
@@ -199,12 +225,12 @@ async function createVendor(req: any, res: any) {
       where: { vendor_key: vendorKey },
     });
     if (existingVendor) {
-      return res.status(400).json({ error: 'Vendor key already exists' });
+      return c.json({ error: 'Vendor key already exists' }, 400);
     }
 
     const preparedData = await prepareVendorData(value.app_url, vendorType, metadata);
     if ('error' in preparedData) {
-      return res.status(400).json({ error: preparedData.error });
+      return c.json({ error: preparedData.error }, 400);
     }
 
     const vendor = await ProductVendor.create({
@@ -214,32 +240,36 @@ async function createVendor(req: any, res: any) {
       name,
       description,
       status: status || 'active',
-      created_by: req.user?.did || 'admin',
+      created_by: c.get('user')?.did || 'admin',
     });
 
     logger.info('Vendor created', { vendorId: vendor.id, vendorKey: vendor.vendor_key });
-    return res.status(201).json({ data: vendor });
+    return c.json({ data: vendor }, 201);
   } catch (error: any) {
     logger.error('Failed to create vendor', {
       error,
     });
-    return res.status(500).json({ error: 'Internal server error' });
+    return c.json({ error: 'Internal server error' }, 500);
   }
 }
 
-async function updateVendor(req: any, res: any) {
+async function updateVendor(c: any) {
   try {
-    const vendor = await ProductVendor.findByPk(req.params.id);
+    const vendor = await ProductVendor.findByPk(c.req.param('id'));
     if (!vendor) {
-      return res.status(404).json({ error: 'Vendor not found' });
+      return c.json({ error: 'Vendor not found' }, 404);
     }
 
-    const { error, value } = updateVendorSchema.validate(req.body);
+    const body = c.get('sanitizedBody') ?? {};
+    const { error, value } = updateVendorSchema.validate(body);
     if (error) {
-      return res.status(400).json({
-        error: 'Validation failed',
-        message: error.message,
-      });
+      return c.json(
+        {
+          error: 'Validation failed',
+          message: error.message,
+        },
+        400
+      );
     }
 
     const { vendor_type: type, vendor_key: vendorKey, name, description, status, metadata } = value;
@@ -249,14 +279,14 @@ async function updateVendor(req: any, res: any) {
         where: { vendor_key: vendorKey },
       });
       if (existingVendor) {
-        return res.status(400).json({ error: 'Vendor key already exists' });
+        return c.json({ error: 'Vendor key already exists' }, 400);
       }
     }
 
     const vendorType = (type || 'launcher') as 'launcher' | 'didnames';
     const preparedData = await prepareVendorData(value.app_url, vendorType, metadata);
     if ('error' in preparedData) {
-      return res.status(400).json({ error: preparedData.error });
+      return c.json({ error: preparedData.error }, 400);
     }
 
     const updates = {
@@ -271,38 +301,41 @@ async function updateVendor(req: any, res: any) {
     await vendor.update(Object.fromEntries(Object.entries(updates).filter(([, v]) => v !== undefined)));
 
     logger.info('Vendor updated', { vendorId: vendor.id });
-    return res.json({ data: vendor });
+    return c.json({ data: vendor });
   } catch (error: any) {
-    logger.error('Failed to update vendor', { error, id: req.params.id });
-    return res.status(500).json({ error: 'Internal server error' });
+    logger.error('Failed to update vendor', { error, id: c.req.param('id') });
+    return c.json({ error: 'Internal server error' }, 500);
   }
 }
 
-async function deleteVendor(req: any, res: any) {
+async function deleteVendor(c: any) {
   try {
-    const vendor = await ProductVendor.findByPk(req.params.id);
+    const vendor = await ProductVendor.findByPk(c.req.param('id'));
     if (!vendor) {
-      return res.status(404).json({ error: 'Vendor not found' });
+      return c.json({ error: 'Vendor not found' }, 404);
     }
 
     await vendor.destroy();
 
     logger.info('Vendor deleted', { vendorId: vendor.id });
-    return res.json({ success: true });
+    return c.json({ success: true });
   } catch (error: any) {
-    logger.error('Failed to delete vendor', { error, id: req.params.id });
-    return res.status(500).json({ error: 'Internal server error' });
+    logger.error('Failed to delete vendor', { error, id: c.req.param('id') });
+    return c.json({ error: 'Internal server error' }, 500);
   }
 }
 
-async function testVendorConnection(req: any, res: any) {
+async function testVendorConnection(c: any) {
   try {
-    const vendor = await ProductVendor.findByPk(req.params.id);
+    const vendor = await ProductVendor.findByPk(c.req.param('id'));
     if (!vendor) {
-      return res.status(404).json({
-        code: 'VENDOR_NOT_FOUND',
-        error: 'Vendor not found',
-      });
+      return c.json(
+        {
+          code: 'VENDOR_NOT_FOUND',
+          error: 'Vendor not found',
+        },
+        404
+      );
     }
 
     const vendorAdapter = await VendorFulfillmentService.getVendorAdapter(vendor.vendor_key);
@@ -310,32 +343,41 @@ async function testVendorConnection(req: any, res: any) {
 
     if (result.connected) {
       if (env.appId !== result.did) {
-        return res.status(400).json({
-          code: 'VENDOR_CONNECT_TEST_FAILED',
-          error: 'Vendor connection test failed! Please check the DID in the vendor preferences config',
-        });
+        return c.json(
+          {
+            code: 'VENDOR_CONNECT_TEST_FAILED',
+            error: 'Vendor connection test failed! Please check the DID in the vendor preferences config',
+          },
+          400
+        );
       }
-      return res.status(200).json({ ...result });
+      return c.json({ ...result }, 200);
     }
 
     if (result.error) {
-      return res.status(400).json({
-        code: 'VENDOR_CONNECT_TEST_FAILED',
-        error: result.error,
-      });
+      return c.json(
+        {
+          code: 'VENDOR_CONNECT_TEST_FAILED',
+          error: result.error,
+        },
+        400
+      );
     }
 
     if (!result.sdkVersion) {
-      return res.status(400).json({
-        code: 'VENDOR_CONNECT_TEST_FAILED',
-        error: 'Vendor SDK version is too low. Please upgrade to the latest version (>=1.21.4)',
-      });
+      return c.json(
+        {
+          code: 'VENDOR_CONNECT_TEST_FAILED',
+          error: 'Vendor SDK version is too low. Please upgrade to the latest version (>=1.21.4)',
+        },
+        400
+      );
     }
 
-    return res.status(400).json({ ...result });
+    return c.json({ ...result }, 400);
   } catch (error: any) {
-    logger.error('Failed to test vendor connection', { error, id: req.params.id });
-    return res.status(500).json({ error: 'Internal server error' });
+    logger.error('Failed to test vendor connection', { error, id: c.req.param('id') });
+    return c.json({ error: 'Internal server error' }, 500);
   }
 }
 
@@ -503,45 +545,50 @@ async function getVendorStatus(sessionId: string) {
   return result;
 }
 
-async function getVendorFulfillmentStatus(req: any, res: any) {
-  const { sessionId } = req.params;
+async function getVendorFulfillmentStatus(c: any) {
+  const { sessionId } = c.req.param();
 
   try {
     const status = await getVendorStatus(sessionId);
 
     if (status.code) {
-      return res.status(status.code).json({ error: status.error });
+      return c.json({ error: status.error }, status.code);
     }
-    return res.json(status);
+    return c.json(status);
   } catch (error: any) {
-    return res.status(500).json({ error: error.message });
+    return c.json({ error: error.message }, 500);
   }
 }
 
-async function getVendorFulfillmentDetail(req: any, res: any) {
-  const { sessionId } = req.params;
-  const { shortUrl, ownerDid, appDid } = req.query;
+async function getVendorFulfillmentDetail(c: any) {
+  const { sessionId } = c.req.param();
+  const shortUrl = c.req.query('shortUrl');
+  const ownerDid = c.req.query('ownerDid');
+  const appDid = c.req.query('appDid');
 
   try {
     const detail = await processVendorOrders(sessionId, 'getOrder', shortUrl === 'true', ownerDid, appDid);
     if (detail.code) {
-      return res.status(detail.code).json({ error: detail.error });
+      return c.json({ error: detail.error }, detail.code);
     }
-    return res.json(detail);
+    return c.json(detail);
   } catch (error: any) {
-    return res.status(500).json({ error: error.message });
+    return c.json({ error: error.message }, 500);
   }
 }
 
-async function redirectToVendor(req: any, res: any) {
-  const { subscriptionId } = req.params;
-  const { vendorId, target } = req.query;
+async function redirectToVendor(c: any) {
+  const { subscriptionId } = c.req.param();
+  // validated query values are stored by validateQuery middleware
+  const validatedQuery = c.get('validatedQuery' as any) ?? {};
+  const vendorId = validatedQuery.vendorId ?? c.req.query('vendorId');
+  const target = validatedQuery.target ?? c.req.query('target');
 
   try {
     const checkoutSession = await CheckoutSession.findBySubscriptionId(subscriptionId);
     if (!checkoutSession) {
       logger.warn('CheckoutSession not found for subscription[redirect to vendor]', { subscriptionId });
-      return res.redirect('/404');
+      return c.redirect('/404');
     }
 
     const order = checkoutSession?.vendor_info?.find((item) => item.vendor_id === vendorId);
@@ -551,16 +598,16 @@ async function redirectToVendor(req: any, res: any) {
         vendorId,
         availableVendors: checkoutSession.vendor_info?.map((v) => v.vendor_key) || [],
       });
-      return res.redirect('/404');
+      return c.redirect('/404');
     }
 
-    const isOwner = req.user.did === checkoutSession.customer_did;
+    const isOwner = c.get('user').did === checkoutSession.customer_did;
 
     if (!isOwner) {
       if (order.app_url) {
-        return res.redirect(order.app_url);
+        return c.redirect(order.app_url);
       }
-      return res.redirect('/404');
+      return c.redirect('/404');
     }
 
     const result = await executeVendorOperation({
@@ -578,11 +625,11 @@ async function redirectToVendor(req: any, res: any) {
         error: result.error,
         message: result.message,
       });
-      return res.redirect('/404');
+      return c.redirect('/404');
     }
 
     const redirectUrl = target === 'dashboard' ? result.data.dashboardUrl : result.data.homeUrl;
-    return res.redirect(redirectUrl);
+    return c.redirect(redirectUrl);
   } catch (error: any) {
     logger.error('Failed to redirect to vendor service', {
       error,
@@ -590,17 +637,18 @@ async function redirectToVendor(req: any, res: any) {
       vendorId,
       target,
     });
-    return res.redirect('/404');
+    return c.redirect('/404');
   }
 }
 
-async function getCancelledSessions(req: any, res: any) {
-  const { error } = sessionIdsParamSchema.validate(req.body);
+async function getCancelledSessions(c: any) {
+  const body = c.get('sanitizedBody') ?? {};
+  const { error } = sessionIdsParamSchema.validate(body);
   if (error) {
-    return res.status(400).json({ error: error.message });
+    return c.json({ error: error.message }, 400);
   }
 
-  const { sessionIds = [] } = req.body;
+  const { sessionIds = [] } = body;
 
   const allCheckoutSessions = await CheckoutSession.findAll({
     where: { id: { [Op.in]: sessionIds } },
@@ -621,22 +669,22 @@ async function getCancelledSessions(req: any, res: any) {
   const cancelledSessions = allCheckoutSessions.filter(
     (item) => item.subscription_id && cancelledSubIds.includes(item.subscription_id)
   );
-  return res.json({ cancelledSessions });
+  return c.json({ cancelledSessions });
 }
 
-async function getVendorSubscription(req: any, res: any) {
-  const { sessionId } = req.params;
+async function getVendorSubscription(c: any) {
+  const { sessionId } = c.req.param();
 
   const checkoutSession = await CheckoutSession.findByPk(sessionId);
 
   if (!checkoutSession) {
-    return res.status(404).json({ error: 'Checkout session not found' });
+    return c.json({ error: 'Checkout session not found' }, 404);
   }
 
   const subscription = await Subscription.findByPk(checkoutSession.subscription_id);
 
   if (!subscription) {
-    return res.status(404).json({ error: 'Subscription not found' });
+    return c.json({ error: 'Subscription not found' }, 404);
   }
 
   const invoices = await Invoice.findAll({
@@ -667,56 +715,57 @@ async function getVendorSubscription(req: any, res: any) {
     limit: 20,
   });
 
-  return res.json({
+  return c.json({
     subscription: subscription.toJSON(),
     billing_history: invoices,
   });
 }
 
-async function handleSubscriptionRedirect(req: any, res: any) {
-  const { sessionId } = req.params;
+async function handleSubscriptionRedirect(c: any) {
+  const { sessionId } = c.req.param();
 
   const checkoutSession = await CheckoutSession.findByPk(sessionId);
   if (!checkoutSession) {
-    return res.status(404).json({ error: 'Checkout session not found' });
+    return c.json({ error: 'Checkout session not found' }, 404);
   }
 
-  return res.redirect(getUrl(`/customer/subscription/${checkoutSession.subscription_id}`));
+  return c.redirect(getUrl(`/customer/subscription/${checkoutSession.subscription_id}`));
 }
 
-async function vendorRefund(req: any, res: any) {
-  const { id } = req.params;
-  const { reason } = req.body;
+async function vendorRefund(c: any) {
+  const id = c.req.param('id');
+  const body = c.get('sanitizedBody') ?? {};
+  const { reason } = body;
   try {
     const payout = await Payout.findByPk(id);
 
     if (!payout) {
-      return res.status(404).json({ error: 'Payout not found' });
+      return c.json({ error: 'Payout not found' }, 404);
     }
 
     if (payout.status !== 'paid') {
-      return res.status(400).json({ error: 'Only paid payouts can be refunded' });
+      return c.json({ error: 'Only paid payouts can be refunded' }, 400);
     }
 
     if (!payout.vendor_info?.vendor_id || !payout.vendor_info?.order_id) {
-      return res.status(400).json({ error: 'Payout has no vendor information' });
+      return c.json({ error: 'Payout has no vendor information' }, 400);
     }
 
     const vendor = await ProductVendor.findByPk(payout.vendor_info.vendor_id);
     if (!vendor) {
-      return res.status(404).json({ error: 'Vendor not found' });
+      return c.json({ error: 'Vendor not found' }, 404);
     }
 
     let refundInfo;
     try {
       refundInfo = await buildRefundInfoFromPayout(payout, reason);
     } catch (err: any) {
-      return res.status(400).json({ error: err.message });
+      return c.json({ error: err.message }, 400);
     }
 
     const vendorAdapter = await VendorFulfillmentService.getVendorAdapter(vendor.vendor_key);
     if (!vendorAdapter) {
-      return res.status(404).json({ error: `No adapter found for vendor: ${vendor.vendor_key}` });
+      return c.json({ error: `No adapter found for vendor: ${vendor.vendor_key}` }, 404);
     }
 
     logger.info('Requesting refund from vendor', {
@@ -724,7 +773,7 @@ async function vendorRefund(req: any, res: any) {
       vendorId: vendor.id,
       orderId: payout.vendor_info.order_id,
       refundInfo,
-      requestedBy: req.user?.did,
+      requestedBy: c.get('user')?.did,
     });
 
     const result = await vendorAdapter.requestRefund({
@@ -739,7 +788,7 @@ async function vendorRefund(req: any, res: any) {
         refundResult: result.data?.refundResult,
       });
       await payout.update({ status: 'reverted', description: reason || 'Refund requested by admin' });
-      return res.json({ data: result.data?.refundResult });
+      return c.json({ data: result.data?.refundResult });
     }
     logger.error('Vendor payout refund failed', {
       payoutId: payout.id,
@@ -747,49 +796,148 @@ async function vendorRefund(req: any, res: any) {
       refundInfo,
       refundResult: result.data?.refundResult,
     });
-    return res.status(400).json({
-      error: result.message || 'Vendor payout refund failed',
-      data: result.data?.refundResult,
-      requestedBy: req.user?.did,
-    });
+    return c.json(
+      {
+        error: result.message || 'Vendor payout refund failed',
+        data: result.data?.refundResult,
+        requestedBy: c.get('user')?.did,
+      },
+      400
+    );
   } catch (err: any) {
     logger.error('Request refund failed', {
       error: err,
-      payoutId: req.params.id,
-      requestedBy: req.user?.did,
+      payoutId: c.req.param('id'),
+      requestedBy: c.get('user')?.did,
     });
-    return res.status(500).json({ error: err.message || 'Failed to request refund' });
+    return c.json({ error: err.message || 'Failed to request refund' }, 500);
   }
 }
 
-function getVendorConnectTest(req: any, res: any) {
-  const sdkVersion = req.headers['x-broker-vendor-version'];
+function getVendorConnectTest(c: any) {
+  const sdkVersion = c.req.header('x-broker-vendor-version');
   if (sdkVersion && gte(sdkVersion, '1.21.4')) {
-    return res.json({ connected: true, sdkVersion });
+    return c.json({ connected: true, sdkVersion });
   }
-  return res.json({
+  return c.json({
     connected: false,
     sdkVersion,
     error: 'Vendor SDK version is too low, please upgrade to the latest version (>=1.21.4)',
   });
 }
 
-const router = Router();
+const app = new Hono();
 
-const ensureVendorAuth = middleware.ensureVendorAuth((vendorPk: string) =>
-  ProductVendor.findOne({ where: { 'extends.appPk': vendorPk } }).then((v) => v as any)
-);
+// Hono-native version of middleware.ensureVendorAuth — inlined because the
+// upstream middleware is express-specific (req.vendor, req.vendorRequest).
+const ensureVendorAuth: MiddlewareHandler = async (c, next) => {
+  try {
+    let vendorPk = c.req.header('x-broker-vendor-did') as string;
+    const sig = c.req.header('x-broker-vendor-sig') as string;
+
+    if (!vendorPk) {
+      logger.warn('Authentication failed: Missing vendor ID header', { url: c.req.url });
+      return c.json(
+        {
+          error: 'Vendor public key is required',
+          code: 'MISSING_VENDOR_PUBLIC_KEY',
+        },
+        400
+      );
+    }
+
+    if (!sig) {
+      logger.warn('Authentication failed: Missing signature header', { url: c.req.url });
+      return c.json(
+        {
+          error: 'Vendor signature is required',
+          code: 'MISSING_SIGNATURE',
+        },
+        400
+      );
+    }
+
+    vendorPk = vendorPk.startsWith('0x') ? toBase58(vendorPk) : vendorPk;
+    const isGetRequest = c.req.method === 'GET';
+    const requestBody = isGetRequest ? (c.req.query() as any) : ((c.get('sanitizedBody') ?? {}) as any);
+
+    if (!requestBody || typeof requestBody !== 'object') {
+      return c.json(
+        {
+          error: 'Valid request body is required',
+          code: 'INVALID_REQUEST_BODY',
+        },
+        400
+      );
+    }
+
+    const vendor = await ProductVendor.findOne({ where: { 'extends.appPk': vendorPk } }).then((v) => v as any);
+
+    if (!vendor) {
+      logger.warn('Authorization failed: Vendor not found or inactive', {
+        url: c.req.url,
+        vendorId: `${vendorPk.substring(0, 10)}...`,
+      });
+      return c.json(
+        {
+          error: 'Vendor not found or inactive',
+          code: 'VENDOR_NOT_ALLOWED',
+        },
+        403
+      );
+    }
+
+    const signedRequest = { ...requestBody, signature: sig };
+    const verified = await VendorAuth.verifyRequest(signedRequest, vendor.extends.appPk);
+
+    if (!verified) {
+      logger.warn('Authentication failed: Invalid request signature', {
+        url: c.req.url,
+        vendorId: vendor.id,
+        appId: vendor.extends.appId,
+      });
+      return c.json(
+        {
+          error: 'Invalid request signature',
+          code: 'INVALID_SIGNATURE',
+        },
+        401
+      );
+    }
+
+    c.set('vendor' as any, vendor);
+    c.set('vendorRequest' as any, signedRequest);
+
+    // eslint-disable-next-line @typescript-eslint/return-await -- do NOT await: downstream errors must not be caught by this auth catch
+    return next();
+  } catch (error: any) {
+    logger.error('Vendor authentication middleware error', {
+      url: c.req.url,
+      error: error.message,
+      stack: error.stack,
+    });
+
+    return c.json(
+      {
+        error: 'Authentication failed',
+        code: 'AUTHENTICATION_ERROR',
+        details: isDevelopmentEnv() ? error.message : undefined,
+      },
+      500
+    );
+  }
+};
 
-router.get('/order/:sessionId/status', loginAuth, validateParams(sessionIdParamSchema), getVendorFulfillmentStatus);
-router.get('/order/:sessionId/detail', loginAuth, validateParams(sessionIdParamSchema), getVendorFulfillmentDetail);
+app.get('/order/:sessionId/status', loginAuth, validateParams(sessionIdParamSchema), getVendorFulfillmentStatus);
+app.get('/order/:sessionId/detail', loginAuth, validateParams(sessionIdParamSchema), getVendorFulfillmentDetail);
 
 // Those for Vendor Call
-router.get('/connectTest', ensureVendorAuth, getVendorConnectTest);
-router.post('/subscription/cancelled', ensureVendorAuth, getCancelledSessions);
-router.get('/subscription/:sessionId/redirect', handleSubscriptionRedirect);
-router.get('/subscription/:sessionId', ensureVendorAuth, getVendorSubscription);
+app.get('/connectTest', ensureVendorAuth, getVendorConnectTest);
+app.post('/subscription/cancelled', ensureVendorAuth, getCancelledSessions);
+app.get('/subscription/:sessionId/redirect', handleSubscriptionRedirect);
+app.get('/subscription/:sessionId', ensureVendorAuth, getVendorSubscription);
 
-router.get(
+app.get(
   '/open/:subscriptionId',
   loginAuth,
   validateParams(subscriptionIdParamSchema),
@@ -797,14 +945,14 @@ router.get(
   redirectToVendor
 );
 
-router.post('/refund/:id', authAdmin, vendorRefund);
+app.post('/refund/:id', authAdmin, vendorRefund);
 
-router.get('/', getAllVendors);
-router.get('/:id', authAdmin, validateParams(vendorIdParamSchema), getVendorInfo);
-router.post('/', authAdmin, createVendor);
-router.put('/:id', authAdmin, validateParams(vendorIdParamSchema), updateVendor);
-router.delete('/:id', authAdmin, validateParams(vendorIdParamSchema), deleteVendor);
+app.get('/', getAllVendors);
+app.get('/:id', authAdmin, validateParams(vendorIdParamSchema), getVendorInfo);
+app.post('/', authAdmin, createVendor);
+app.put('/:id', authAdmin, validateParams(vendorIdParamSchema), updateVendor);
+app.delete('/:id', authAdmin, validateParams(vendorIdParamSchema), deleteVendor);
 
-router.post('/:id/test-connection', authAdmin, validateParams(vendorIdParamSchema), testVendorConnection);
+app.post('/:id/test-connection', authAdmin, validateParams(vendorIdParamSchema), testVendorConnection);
 
-export default router;
+export default app;