Skip to content

fix(x402): fail closed on zero/sub-atomic priced routes, preserve Origin on free routes#784

Merged
bussyjd merged 1 commit into
integration/v0.14.0-rc0from
fix/x402-zero-price
Jul 16, 2026
Merged

fix(x402): fail closed on zero/sub-atomic priced routes, preserve Origin on free routes#784
bussyjd merged 1 commit into
integration/v0.14.0-rc0from
fix/x402-zero-price

Conversation

@bussyjd

@bussyjd bussyjd commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Medium + low from the PR #756 review. decimalToAtomic now errors when the computed atomic amount is 0 (a 0 price or sub-atomic price rounding to 0), so a paid route can't advertise a $0 free requirement despite its fail-closed contract. Origin/Sec-Fetch-* are stripped only where the verifier is the auth boundary (paid + gate:auth), not on gate:free routes whose upstreams may run their own Origin-based CSRF defense.

https://claude.ai/code/session_014YjPMViNrZ7zBVgUQzwEKk

…gin on free routes

BuildV2RequirementWithAsset only rejected parse errors and negative
amounts in decimalToAtomic's result, so a "0" price — or a sub-atomic
price like "0.0000001" at 6 decimals, which rounds to 0 — produced a
payment requirement with Amount "0", contradicting its own doc comment
promising it never returns a $0 requirement. resolvePaidRoute now skips
(and, with no other options, fails the whole route closed at 403)
instead of advertising a free accepts[] entry for a nominally paid
route. Free/gate:auth routes never build a paid requirement, so they're
unaffected.

buildUpstreamProxy also unconditionally stripped Origin/Sec-Fetch-* on
every route class. That's correct on paid/gate:auth routes, where the
verifier is the browser-facing auth boundary and must not let raw
fetch-context headers leak upstream after it already re-issued the
request under its own authority. But gate:free routes have no verifier
auth to protect — stripping there instead broke an upstream's own
Origin-based CSRF defense. Only strip on !rule.IsFree() now.

Claude-Session: https://claude.ai/code/session_014YjPMViNrZ7zBVgUQzwEKk
@bussyjd
bussyjd merged commit 9785496 into integration/v0.14.0-rc0 Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant