fix(discovery): prefer the advisory whose method matches the declared OpenAPI method #933
Open
craigbidenbot[bot] wants to merge 1 commit into
… OpenAPI method

When the payment middleware fires before HTTP method routing, the probe yields a 402 for every method — but only one method is declared in the OpenAPI spec, and only that method's advisory carries the per-method `inputSchema` extracted from the spec.

`pickX402Advisory` was picking the most-preferred-by-method advisory (POST > GET > …), then rewriting `.method` to whatever the spec declared. That preserved the registered method but silently dropped the schema, surfacing as 'Missing input schema' on registration.

Now: when a declared method is supplied AND an advisory matches it exactly, return that advisory unchanged. Only fall back to the preferred-method-then-rewrite path when no advisory matches.

Repro: see x402scan#923 (GoldBean — 89 of 120 GET-only endpoints registered without their query-parameter schema).
Summary
`pickX402Advisory` was picking the most-preferred-by-method advisory (POST > GET > …), then rewriting `.method` to whatever the OpenAPI spec declared. When the payment middleware on a merchant API fires before method routing, the probe gets a 402 for every HTTP method — but only the declared method's advisory carries the per-method `inputSchema` extracted from the spec. The rewrite preserved the registered method but silently dropped the schema, surfacing as "Missing input schema" on registration.

Now: when a declared method is supplied AND an advisory matches it exactly, return that advisory unchanged. Only fall back to the preferred-method-then-rewrite path when no advisory matches.
Closes #923.
Changes
- `apps/scan/src/lib/discovery/probe.ts`: `pickX402Advisory` now short-circuits on direct method match before falling back to method preference. Case-insensitive match on `preferredMethod`.
- `apps/scan/src/lib/discovery/probe.test.ts` (new): 7 unit tests covering empty discovery, no x402 candidates, method-preference path, the GoldBean regression case (#923), case-insensitive match, and the no-matching-advisory fallback.

Repro (issue #923)

GoldBean API (https://goldbean-api.xyz) declares 120 `GET /paid/*` endpoints. Their payment middleware 402s on every HTTP method, so the probe yields advisories for both GET (with `inputSchema` from the spec's query parameters) and POST (no schema — no POST in the spec).

Before: `pickX402Advisory` picks POST (method preference), rewrites `.method` → "GET", and the GET advisory's schema is lost. Registration fails with `Missing input schema` on the 89 endpoints with no x402-bazaar input block.

After: matching advisory wins, schema survives, endpoints register cleanly.
Test Plan
- `pnpm --filter @x402scan/app test:run src/lib/discovery/probe.test.ts` — 7/7 pass
- `pnpm --filter @x402scan/app test:run` — 117/117 pass (no regressions)
- `pnpm format:check:dir apps/scan/src/lib/discovery/probe*.ts` — clean
- `pnpm --filter @x402scan/app lint:fix apps/scan/src/lib/discovery/probe*.ts` — clean
- `main` (route typing, missing `@signinwithethereum/siwe`) confirmed unrelated to this change

After merge, recommend re-running `batchTest` against `goldbean-api.xyz` to clear out the 89 stale failures.
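
An added TypeScript sketch of the selection rule described in this PR, showing the before and after behaviour side by side; it is not the project's `probe.ts`. The `Advisory` type, the `pickBefore`/`pickAfter` names, the two-entry preference list and the sample advisories are assumptions made for illustration.

```typescript
// Hypothetical shape: the PR only tells us advisories carry a method and an
// optional per-method inputSchema extracted from the OpenAPI spec.
type Advisory = { method: string; inputSchema?: Record<string, unknown> };

// Assumed order; the PR states only "POST > GET > …".
const METHOD_PREFERENCE = ["POST", "GET"];

function rank(method: string): number {
  const i = METHOD_PREFERENCE.indexOf(method.toUpperCase());
  return i === -1 ? METHOD_PREFERENCE.length : i;
}

// "Before": choose by method preference, then rewrite .method to the declared
// one. The chosen advisory's (possibly absent) schema is what gets registered.
function pickBefore(advisories: Advisory[], declared?: string): Advisory | undefined {
  if (advisories.length === 0) return undefined;
  const best = advisories.reduce((a, b) => (rank(b.method) < rank(a.method) ? b : a));
  return declared ? { ...best, method: declared } : best;
}

// "After": a case-insensitive exact match on the declared method is returned
// unchanged; the preference-then-rewrite path is only the fallback.
function pickAfter(advisories: Advisory[], declared?: string): Advisory | undefined {
  if (declared) {
    const wanted = declared.toUpperCase();
    const exact = advisories.find((a) => a.method.toUpperCase() === wanted);
    if (exact) return exact;
  }
  return pickBefore(advisories, declared);
}

// Constructed sample: middleware answers 402 on every method, but only GET is
// in the spec, so only the GET advisory has a schema.
const probed: Advisory[] = [
  { method: "POST" },
  { method: "GET", inputSchema: { query: { symbol: { type: "string" } } } },
];

console.log("before:", pickBefore(probed, "GET")); // method GET, schema lost
console.log("after: ", pickAfter(probed, "GET")); // GET advisory with schema
```
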