Merge pull request #1 from jeanpunt/fix-chainid-svm

Fix ChainIdToNetwork mapping for Solana

Author: HyperdustLab

FUTURE_CONTRIBUTION_IDEAS.md

@@ -0,0 +1,18 @@
+# Future Contribution Ideas
+
+## Honor Proxy Headers in TypeScript Middleware
+- **Context:** The Python Flask middleware already respects `X-Original-URI` when reconstructing the protected resource URL, but the TypeScript middlewares for Express, Hono, and Next fall back to the raw request path. Reverse proxies that rewrite URLs (e.g., Nginx, Cloudflare, API gateways) therefore produce paywall links that point at the proxy rather than the original route.
+- **Why it matters:** Incorrect resource URLs cascade into malformed payment requirements and broken paywall redirects for downstream integrators hosting behind a proxy.
+- **Suggested scope:**
+  1. Extend the Express, Hono, and Next middleware implementations to read `X-Original-URI` (and `X-Forwarded-Proto` / `X-Forwarded-Host` where available) before falling back to the local request path.
+  2. Normalize and validate the reconstructed URL to avoid header spoofing.
+  3. Add focused unit tests in each package to cover the new header-aware branch.
+  4. Update README snippets or inline docs to mention proxy compatibility.
+
+## Harden Paywall HTML Escaping
+- **Context:** `getPaywallHtml` only escapes quotes, backslashes, and whitespace before embedding dynamic values inside `<script>` tags. Strings containing `<`, `>` or `</script>` can therefore smuggle executable markup, enabling content injection when paywall settings come from user-controlled sources.
+- **Why it matters:** The facilitator may operate in multi-tenant environments; robust escaping reduces the risk of in-browser script injection.
+- **Suggested scope:**
+  1. Expand `escapeString` to escape `<`, `>`, and `/`, or switch to a whitelist encoder that converts every non-alphanumeric character to `\uXXXX`.
+  2. Back the change with unit tests that feed representative payloads (`</script><img ...>`, Unicode separators, etc.) and assert the output remains a single JavaScript string literal.
+  3. Consider documenting the escaping guarantees in the paywall README for developers embedding custom content.

typescript/packages/x402/src/types/shared/network.test.ts

@@ -0,0 +1,27 @@
+import { describe, expect, it } from "vitest";
+
+import {
+  ChainIdToNetwork,
+  EvmNetworkToChainId,
+  SupportedEVMNetworks,
+  SupportedSVMNetworks,
+  SvmNetworkToChainId,
+} from "./network";
+
+describe("ChainIdToNetwork", () => {
+  it("maps every supported EVM chain id to its network", () => {
+    SupportedEVMNetworks.forEach(network => {
+      const chainId = EvmNetworkToChainId.get(network);
+      expect(chainId).toBeDefined();
+      expect(ChainIdToNetwork[chainId!]).toBe(network);
+    });
+  });
+
+  it("maps every supported SVM chain id to its network", () => {
+    SupportedSVMNetworks.forEach(network => {
+      const chainId = SvmNetworkToChainId.get(network);
+      expect(chainId).toBeDefined();
+      expect(ChainIdToNetwork[chainId!]).toBe(network);
+    });
+  });
+});

typescript/packages/x402/src/types/shared/network.ts

@@ -49,9 +49,22 @@ export const SvmNetworkToChainId = new Map<Network, number>([
   ["solana", 101],
 ]);
 
-export const ChainIdToNetwork = Object.fromEntries(
-  [...SupportedEVMNetworks, ...SupportedSVMNetworks].map(network => [
-    EvmNetworkToChainId.get(network),
-    network,
-  ]),
-) as Record<number, Network>;
+const chainIdEntries: Array<[number, Network]> = [];
+
+for (const network of SupportedEVMNetworks) {
+  const chainId = EvmNetworkToChainId.get(network);
+  if (chainId === undefined) {
+    throw new Error(`Missing chain id mapping for EVM network: ${network}`);
+  }
+  chainIdEntries.push([chainId, network]);
+}
+
+for (const network of SupportedSVMNetworks) {
+  const chainId = SvmNetworkToChainId.get(network);
+  if (chainId === undefined) {
+    throw new Error(`Missing chain id mapping for SVM network: ${network}`);
+  }
+  chainIdEntries.push([chainId, network]);
+}
+
+export const ChainIdToNetwork = Object.fromEntries(chainIdEntries) as Record<number, Network>;