fix(payment-middleware): fail closed when X402_SERVER_ADDRESS missing outside dev (#116)

whoabuddy · claude · web-flow · commit 43d12c7e161a · 2026-04-30T05:04:14.000-07:00
Closes #112. Two payment middleware sites silently skipped verification when X402_SERVER_ADDRESS was missing, intended as a local-dev convenience: - src/middleware/x402.ts:292 (per-route middleware) - src/index.ts:305 (global middleware) If X402_SERVER_ADDRESS were ever unset in staging or production (bad deploy, secret rotation glitch, env-var migration), all paid endpoints would silently become free with only a warn log. Restrict the skip to ENVIRONMENT === "development". In staging and production, missing config now returns HTTP 503 with code "NOT_CONFIGURED" instead of fail-opening to free. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/src/index.ts b/src/index.ts
@@ -302,10 +302,20 @@ app.use("*", async (c, next) => {
     return next();
   }
 
-  // Skip if no x402 config (local dev without payment setup)
+  // Skip is allowed only in local development — staging/production deploys must
+  // have X402_SERVER_ADDRESS or all paid routes silently become free.
   if (!c.env.X402_SERVER_ADDRESS) {
-    c.var.logger.warn("X402_SERVER_ADDRESS not configured, skipping payment verification");
-    return next();
+    if (c.env.ENVIRONMENT === "development") {
+      c.var.logger.warn("X402_SERVER_ADDRESS not configured (local dev), skipping payment verification");
+      return next();
+    }
+    c.var.logger.error("X402_SERVER_ADDRESS not configured outside local dev — refusing request", {
+      environment: c.env.ENVIRONMENT,
+    });
+    return c.json(
+      { error: "x402 misconfiguration", code: "NOT_CONFIGURED" },
+      503
+    );
   }
 
   // Get tier from endpoint config
diff --git a/src/middleware/x402.ts b/src/middleware/x402.ts
@@ -288,10 +288,21 @@ export function x402Middleware(
   return async (c, next) => {
     const log = c.var.logger;
 
-    // Check if x402 is configured
+    // Check if x402 is configured. Skip is allowed only in local development —
+    // staging/production deploys must have X402_SERVER_ADDRESS or all paid routes
+    // silently become free.
     if (!c.env.X402_SERVER_ADDRESS) {
-      log.warn("X402_SERVER_ADDRESS not configured, skipping payment verification");
-      return next();
+      if (c.env.ENVIRONMENT === "development") {
+        log.warn("X402_SERVER_ADDRESS not configured (local dev), skipping payment verification");
+        return next();
+      }
+      log.error("X402_SERVER_ADDRESS not configured outside local dev — refusing request", {
+        environment: c.env.ENVIRONMENT,
+      });
+      return c.json(
+        { error: "x402 misconfiguration", code: "NOT_CONFIGURED" },
+        503
+      );
     }
 
     // Get token type from header or query
