Open
Description
Problem
When a client receives a Challenge with an expires timestamp that has already passed, the Mppx.createCredential() method still attempts to create a credential and make the payment.
This results in:
- Wasted user time - client does work that will be rejected
- Unnecessary network round-trips
- Potential user confusion (why did my payment fail?)
Current Behavior
The client does not check challenge expiration before creating credentials.
The server validates expiration (src/server/Mppx.ts:359-367):
    if (credential.challenge.expires && new Date(credential.challenge.expires) < new Date()) {
      return { challenge: response, status: 402 }
    }

But by then the client has already:
- Connected wallet
- Signed a transaction/message
- Submitted the credential
Suggested Fix
Add an expiration check in createCredential() before attempting to create the credential:
    async createCredential(response, context) {
      const challenge = transport.getChallenge(response)
      // Early rejection of expired challenges
      if (challenge.expires && new Date(challenge.expires) < new Date()) {
        throw new Errors.PaymentExpiredError({ expires: challenge.expires })
      }
      // ... rest of implementation
    }

Impact
- Type: UX improvement
- Risk: Low - just fails faster with clearer error
- Breaking: No - just changes when the error is thrown
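
An added example, not part of the original issue and not Mppx code: a standalone client-side expiry pre-check that also handles an unparsable `expires` value (for which `new Date(x) < new Date()` is false, so the comparison alone would proceed) and a challenge that expires before signing could finish. The names `checkChallengeExpiry`, `ExpiryCheck`, `ExpiryOptions` and `minRemainingMs` are hypothetical, and rejecting malformed timestamps is an assumption of this sketch. The server-side check remains the authoritative one, since the client clock may be skewed.

```typescript
// Hypothetical helper (not the Mppx API): decide whether a challenge is
// still worth signing before any wallet interaction starts.
type ExpiryCheck =
  | { ok: true; remainingMs: number | null }
  | { ok: false; reason: 'expired' | 'malformed' | 'too-close' }

interface ExpiryOptions {
  now?: Date // injectable clock, so the check can be tested deterministically
  minRemainingMs?: number // assumed time budget needed to sign and submit
}

function checkChallengeExpiry(
  expires: string | undefined,
  opts: ExpiryOptions = {},
): ExpiryCheck {
  const now = (opts.now ?? new Date()).getTime()
  const minRemainingMs = opts.minRemainingMs ?? 0

  // No expiry on the challenge: nothing to check, mirroring the
  // `challenge.expires &&` guard in the snippets above.
  if (expires === undefined || expires === '') {
    return { ok: true, remainingMs: null }
  }

  // An unparsable timestamp yields NaN. Comparing an invalid Date with
  // `<` is always false, so it would pass silently; reject it here
  // (assumption of this example: fail closed on malformed input).
  const deadline = Date.parse(expires)
  if (isNaN(deadline)) return { ok: false, reason: 'malformed' }

  const remainingMs = deadline - now
  // Slightly stricter than the server's `<`: a deadline equal to "now"
  // cannot be met after a network round-trip, so treat it as expired.
  if (remainingMs <= 0) return { ok: false, reason: 'expired' }

  // Still valid, but it would lapse before the credential reaches the server.
  if (remainingMs < minRemainingMs) return { ok: false, reason: 'too-close' }

  return { ok: true, remainingMs }
}
```

A caller would map `expired` and `too-close` to the issue's `PaymentExpiredError` and request a fresh challenge instead of prompting the wallet.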