Skip to content

fix: validate x402 payment requirements #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ralyodio merged 1 commit into from
Jun 27, 2026
Merged

fix: validate x402 payment requirements #15

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 31 additions & 1 deletion packages/payments/src/index.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,41 @@ describe('x402 header codec', () => {
});

it('parses a 402 body and rejects malformed input', () => {
const body = { x402Version: 1, accepts: [{ network: 'base' }] };
const body = {
x402Version: 1,
accepts: [
{
scheme: 'exact',
network: 'base',
maxAmountRequired: '1000',
resource: 'https://x/y',
payTo: '0xdest',
asset: 'USDC',
},
],
};
expect(parsePaymentRequired(body).accepts).toHaveLength(1);
expect(() => parsePaymentRequired({})).toThrow(/accepts/);
expect(() => parsePaymentRequired(null)).toThrow();
});

it('rejects malformed accepts entries before payment processing', () => {
expect(() => parsePaymentRequired({ accepts: [null] })).toThrow(/accepts\[0\] is not an object/);
expect(() =>
parsePaymentRequired({
accepts: [
{
scheme: 'exact',
network: 'base',
maxAmountRequired: 'not-a-number',
resource: 'https://x/y',
payTo: '0xdest',
asset: 'USDC',
},
],
}),
).toThrow(/maxAmountRequired/);
});
});

describe('CoinPay address selection', () => {
Expand Down
31 changes: 30 additions & 1 deletion packages/payments/src/x402.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,35 @@ export interface PaymentPayload {
payload: Record<string, unknown>;
}

const REQUIRED_ACCEPT_FIELDS = [
'scheme',
'network',
'maxAmountRequired',
'resource',
'payTo',
'asset',
] as const satisfies readonly (keyof PaymentRequirements)[];

function validatePaymentRequirement(value: unknown, index: number): PaymentRequirements {
if (typeof value !== 'object' || value === null || Array.isArray(value)) {
throw new Error(`x402: accepts[${index}] is not an object`);
}

const req = value as Record<string, unknown>;
for (const field of REQUIRED_ACCEPT_FIELDS) {
if (typeof req[field] !== 'string' || !req[field].trim()) {
throw new Error(`x402: accepts[${index}].${field} must be a non-empty string`);
}
}

const maxAmountRequired = req['maxAmountRequired'] as string;
if (!/^\d+$/.test(maxAmountRequired)) {
throw new Error(`x402: accepts[${index}].maxAmountRequired must be an atomic-unit integer string`);
}

return req as unknown as PaymentRequirements;
}

/** Parses a 402 response body, throwing on malformed input. */
export function parsePaymentRequired(body: unknown): PaymentRequiredBody {
if (typeof body !== 'object' || body === null) {
Expand All @@ -58,7 +87,7 @@ export function parsePaymentRequired(body: unknown): PaymentRequiredBody {
}
return {
x402Version: typeof b['x402Version'] === 'number' ? b['x402Version'] : X402_VERSION,
accepts: b['accepts'] as PaymentRequirements[],
accepts: b['accepts'].map(validatePaymentRequirement),
...(typeof b['error'] === 'string' ? { error: b['error'] } : {}),
};
}
Expand Down
Loading