Files
wehub-resource-sync e071084ebe
govulncheck / govulncheck (push) Waiting to run
Harness (E2E) / Harnesses (mock LLM) (push) Waiting to run
Harness (E2E) / Provider harnesses (live LLM conformance) (push) Waiting to run
Lint / golangci-lint (push) Waiting to run
Run Tests / Unit Tests (push) Waiting to run
Run Tests / Etcd Integration Tests (push) Waiting to run
chore: import upstream snapshot with attribution
2026-07-13 12:40:33 +08:00

110 lines
3.5 KiB
Go

package x402
import (
"crypto/ed25519"
"crypto/rand"
"encoding/base64"
"encoding/hex"
"encoding/json"
"fmt"
"net/http"
"strings"
"time"
)
// CDPFacilitatorURL is Coinbase Developer Platform's hosted x402 facilitator,
// which can settle real payments on Base mainnet (the open x402.org facilitator
// is testnet-only).
const CDPFacilitatorURL = "https://api.cdp.coinbase.com/platform/v2/x402"
// CDP returns a Facilitator (and Settler) backed by Coinbase's hosted
// facilitator, authenticating each verify/settle call with a short-lived
// Ed25519 Bearer JWT minted from a CDP Secret API Key. keyID and keySecret are
// the CDP API Key ID and base64 Ed25519 secret; the secret is used only to sign
// the JWT (stdlib crypto — no chain code, no external dependency).
//
// cfg.Facilitator = x402.CDP(os.Getenv("CDP_API_KEY_ID"), os.Getenv("CDP_API_KEY_SECRET"))
func CDP(keyID, keySecret string) *HTTPFacilitator {
return &HTTPFacilitator{
URL: CDPFacilitatorURL,
Authorize: cdpAuthorizer(keyID, keySecret),
}
}
// cdpAuthorizer returns an Authorize hook that attaches a CDP Bearer JWT bound
// to the request's method and URL.
func cdpAuthorizer(keyID, keySecret string) func(*http.Request) error {
return func(r *http.Request) error {
tok, err := cdpBearer(keyID, keySecret, r.Method, r.URL.Host, r.URL.Path)
if err != nil {
return err
}
r.Header.Set("Authorization", "Bearer "+tok)
return nil
}
}
// cdpBearer builds a CDP Bearer JWT (EdDSA / Ed25519) authorizing a single REST
// call, per CDP's authentication spec: the token binds to "METHOD host/path"
// and is valid for two minutes.
func cdpBearer(keyID, keySecret, method, host, path string) (string, error) {
if keyID == "" || keySecret == "" {
return "", fmt.Errorf("CDP API key id and secret are required")
}
key, err := ed25519KeyFromSecret(keySecret)
if err != nil {
return "", err
}
nonce := make([]byte, 16)
if _, err := rand.Read(nonce); err != nil {
return "", err
}
header := map[string]any{
"alg": "EdDSA",
"typ": "JWT",
"kid": keyID,
"nonce": hex.EncodeToString(nonce),
}
now := time.Now().Unix()
claims := map[string]any{
"sub": keyID,
"iss": "cdp",
"aud": []string{"cdp_service"},
"nbf": now,
"exp": now + 120,
"uri": method + " " + host + path,
}
hb, _ := json.Marshal(header)
cb, _ := json.Marshal(claims)
signing := b64url(hb) + "." + b64url(cb)
sig := ed25519.Sign(key, []byte(signing))
return signing + "." + b64url(sig), nil
}
// ed25519KeyFromSecret decodes a CDP Ed25519 secret. CDP secrets are base64 and
// decode to 64 bytes (32-byte seed + 32-byte public key) — Go's PrivateKey
// layout; a bare 32-byte seed is also accepted.
func ed25519KeyFromSecret(secret string) (ed25519.PrivateKey, error) {
secret = strings.TrimSpace(secret)
if strings.Contains(secret, "BEGIN") {
return nil, fmt.Errorf("CDP secret looks like a PEM/EC key; x402 bearer auth needs an Ed25519 Secret API Key")
}
raw, err := base64.StdEncoding.DecodeString(secret)
if err != nil {
if raw, err = base64.RawURLEncoding.DecodeString(secret); err != nil {
return nil, fmt.Errorf("CDP secret is not valid base64: %w", err)
}
}
switch len(raw) {
case ed25519.PrivateKeySize: // 64: seed + public key
return ed25519.PrivateKey(raw), nil
case ed25519.SeedSize: // 32: seed only
return ed25519.NewKeyFromSeed(raw), nil
default:
return nil, fmt.Errorf("CDP secret decoded to %d bytes; expected 32 or 64 (Ed25519)", len(raw))
}
}
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }