fix: prevent tempo charge hash replay across push/pull

Author: brendanjryan

src/tempo/server/Charge.test.ts

@@ -9,6 +9,7 @@ import { Abis, Actions, Addresses, Tick } from 'viem/tempo'
 import { beforeAll, describe, expect, test } from 'vitest'
 import * as Http from '~test/Http.js'
 import { accounts, asset, chain, client, fundAccount } from '~test/tempo/viem.js'
+import * as Store from '../../Store.js'
 import * as Attribution from '../Attribution.js'
 
 const realm = 'api.example.com'
@@ -149,6 +150,220 @@ describe('tempo', () => {
       httpServer.close()
     })
 
+    test('behavior: rejects replayed transaction hash', async () => {
+      const dedupServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: Store.memory(),
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(dedupServer.charge({ amount: '1' }))(
+          req,
+          res,
+        )
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response1 = await fetch(httpServer.url)
+      expect(response1.status).toBe(402)
+
+      const challenge1 = Challenge.fromResponse(response1, {
+        methods: [tempo_client.charge()],
+      })
+
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge1.request.amount),
+        to: challenge1.request.recipient as Hex.Hex,
+        token: challenge1.request.currency as Hex.Hex,
+      })
+
+      const credential1 = Credential.from({
+        challenge: challenge1,
+        payload: { hash: receipt.transactionHash, type: 'hash' as const },
+      })
+
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential1) },
+        })
+        expect(response.status).toBe(200)
+      }
+
+      const response2 = await fetch(httpServer.url)
+      expect(response2.status).toBe(402)
+
+      const challenge2 = Challenge.fromResponse(response2, {
+        methods: [tempo_client.charge()],
+      })
+
+      const mixedCaseHash = `0x${receipt.transactionHash.slice(2).toUpperCase()}` as Hex.Hex
+
+      const credential2 = Credential.from({
+        challenge: challenge2,
+        payload: { hash: mixedCaseHash, type: 'hash' as const },
+      })
+
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential2) },
+        })
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain('Transaction hash has already been used.')
+      }
+
+      httpServer.close()
+    })
+
+    test('behavior: rejects replayed hash with alternating case', async () => {
+      const dedupServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: Store.memory(),
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(dedupServer.charge({ amount: '1' }))(
+          req,
+          res,
+        )
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response1 = await fetch(httpServer.url)
+      expect(response1.status).toBe(402)
+
+      const challenge1 = Challenge.fromResponse(response1, {
+        methods: [tempo_client.charge()],
+      })
+
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge1.request.amount),
+        to: challenge1.request.recipient as Hex.Hex,
+        token: challenge1.request.currency as Hex.Hex,
+      })
+
+      const hex = receipt.transactionHash.slice(2)
+      const alternating = `0x${hex
+        .split('')
+        .map((c, i) => (i % 2 === 0 ? c.toUpperCase() : c.toLowerCase()))
+        .join('')}` as Hex.Hex
+
+      const credential1 = Credential.from({
+        challenge: challenge1,
+        payload: { hash: alternating, type: 'hash' as const },
+      })
+
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential1) },
+        })
+        expect(response.status).toBe(200)
+      }
+
+      const response2 = await fetch(httpServer.url)
+      expect(response2.status).toBe(402)
+
+      const challenge2 = Challenge.fromResponse(response2, {
+        methods: [tempo_client.charge()],
+      })
+
+      const credential2 = Credential.from({
+        challenge: challenge2,
+        payload: { hash: receipt.transactionHash.toLowerCase() as Hex.Hex, type: 'hash' as const },
+      })
+
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential2) },
+        })
+        expect(response.status).toBe(402)
+        const body = (await response.json()) as { detail: string }
+        expect(body.detail).toContain('Transaction hash has already been used.')
+      }
+
+      httpServer.close()
+    })
+
+    test('behavior: accepts uppercase hash on first use', async () => {
+      const dedupServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: Store.memory(),
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(dedupServer.charge({ amount: '1' }))(
+          req,
+          res,
+        )
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const response = await fetch(httpServer.url)
+      expect(response.status).toBe(402)
+
+      const challenge = Challenge.fromResponse(response, {
+        methods: [tempo_client.charge()],
+      })
+
+      const { receipt } = await Actions.token.transferSync(client, {
+        account: accounts[1],
+        amount: BigInt(challenge.request.amount),
+        to: challenge.request.recipient as Hex.Hex,
+        token: challenge.request.currency as Hex.Hex,
+      })
+
+      const upperHash = `0x${receipt.transactionHash.slice(2).toUpperCase()}` as Hex.Hex
+
+      const credential = Credential.from({
+        challenge,
+        payload: { hash: upperHash, type: 'hash' as const },
+      })
+
+      {
+        const response = await fetch(httpServer.url, {
+          headers: { Authorization: Credential.serialize(credential) },
+        })
+        expect(response.status).toBe(200)
+      }
+
+      httpServer.close()
+    })
+
     test('behavior: rejects expired request', async () => {
       const httpServer = await Http.createServer(async (req, res) => {
         const result = await Mppx_server.toNodeListener(
@@ -262,6 +477,77 @@ describe('tempo', () => {
   })
 
   describe('intent: charge; type: transaction; via Mppx', () => {
+    test('behavior: rejects pull then push replay of the same transaction hash', async () => {
+      const dedupServer = Mppx_server.create({
+        methods: [
+          tempo_server.charge({
+            getClient() {
+              return client
+            },
+            currency: asset,
+            account: accounts[0],
+            store: Store.memory(),
+          }),
+        ],
+        realm,
+        secretKey,
+      })
+
+      const pullClient = Mppx_client.create({
+        polyfill: false,
+        methods: [
+          tempo_client({
+            account: accounts[1],
+            mode: 'pull',
+            getClient() {
+              return client
+            },
+          }),
+        ],
+      })
+
+      const httpServer = await Http.createServer(async (req, res) => {
+        const result = await Mppx_server.toNodeListener(
+          dedupServer.charge({ amount: '1', currency: asset, recipient: accounts[0].address }),
+        )(req, res)
+        if (result.status === 402) return
+        res.end('OK')
+      })
+
+      const challengeResponse = await fetch(httpServer.url)
+      expect(challengeResponse.status).toBe(402)
+
+      const pullCredentialSerialized = await pullClient.createCredential(challengeResponse)
+
+      const pullAuthResponse = await fetch(httpServer.url, {
+        headers: { Authorization: pullCredentialSerialized },
+      })
+      expect(pullAuthResponse.status).toBe(200)
+
+      const pullReceipt = Receipt.fromResponse(pullAuthResponse)
+
+      const replayChallengeResponse = await fetch(httpServer.url)
+      expect(replayChallengeResponse.status).toBe(402)
+
+      const replayChallenge = Challenge.fromResponse(replayChallengeResponse, {
+        methods: [tempo_client.charge()],
+      })
+
+      const replayCredential = Credential.from({
+        challenge: replayChallenge,
+        payload: { hash: pullReceipt.reference as Hex.Hex, type: 'hash' as const },
+      })
+
+      const replayResponse = await fetch(httpServer.url, {
+        headers: { Authorization: Credential.serialize(replayCredential) },
+      })
+      expect(replayResponse.status).toBe(402)
+      const replayBody = (await replayResponse.json()) as { detail: string }
+      expect(replayBody.detail).toContain('Transaction hash has already been used.')
+
+      httpServer.close()
+    })
+
     test('default', async () => {
       const mppx = Mppx_client.create({
         polyfill: false,