fix(x402): fail closed on zero/sub-atomic priced routes, preserve Origin on free routes#784
Merged
Merged
Conversation
…gin on free routes BuildV2RequirementWithAsset only rejected parse errors and negative amounts in decimalToAtomic's result, so a "0" price — or a sub-atomic price like "0.0000001" at 6 decimals, which rounds to 0 — produced a payment requirement with Amount "0", contradicting its own doc comment promising it never returns a $0 requirement. resolvePaidRoute now skips (and, with no other options, fails the whole route closed at 403) instead of advertising a free accepts[] entry for a nominally paid route. Free/gate:auth routes never build a paid requirement, so they're unaffected. buildUpstreamProxy also unconditionally stripped Origin/Sec-Fetch-* on every route class. That's correct on paid/gate:auth routes, where the verifier is the browser-facing auth boundary and must not let raw fetch-context headers leak upstream after it already re-issued the request under its own authority. But gate:free routes have no verifier auth to protect — stripping there instead broke an upstream's own Origin-based CSRF defense. Only strip on !rule.IsFree() now. Claude-Session: https://claude.ai/code/session_014YjPMViNrZ7zBVgUQzwEKk
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Medium + low from the PR #756 review. decimalToAtomic now errors when the computed atomic amount is 0 (a
0price or sub-atomic price rounding to 0), so a paid route can't advertise a $0 free requirement despite its fail-closed contract. Origin/Sec-Fetch-* are stripped only where the verifier is the auth boundary (paid + gate:auth), not on gate:free routes whose upstreams may run their own Origin-based CSRF defense.https://claude.ai/code/session_014YjPMViNrZ7zBVgUQzwEKk