[codex] refactor gateway paid-request verification flow #235
Co-authored-by: codex <codex@users.noreply.github.com>
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6f7c12b062
| timestampValue, err := strconv.ParseUint(timestampHeader, 10, 64) | ||
| if err != nil || timestampValue == 0 { | ||
| respondError(c, 400, "invalid_timestamp", fmt.Errorf("invalid X-402-Timestamp header")) | ||
| payment, ok := verifyPaidRequest(c) |
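Review bot: at `payment, ok := verifyPaidRequest(c)`, the failure contract of the call is implicit. The inline branch above it answers a zero or non-numeric X-402-Timestamp with an explicit `400 invalid_timestamp`, and once that check sits behind the helper nothing at the call site shows who writes the error response when `ok` is false. Document on verifyPaidRequest that it has already responded on failure and that callers must return without writing again, and pin the `400 invalid_timestamp` case with a test so every caller keeps the same status and error code.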
Validate the body before verifying payment
When CACHE_ENABLED=false (the default path where registerAPIRoutes attaches handleSummarize directly), this now calls verifyPaidRequest before the request body is read and size-limited below. The verifier claims a nonce after any valid signature, so a signed request with an oversized or otherwise unreadable body now gets rejected with 413/500 only after burning the payment nonce and cannot retry that signed payment; before this refactor, the MaxBytesReader body read happened before verifyPayment. Keep the verifier call after the body read/size guard, or split timestamp/header validation from nonce-claiming verification.
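The ordering problem raised in the review comment above, as an added Go example that is not code from this pull request: it sends an oversized body and then retries the same signed payment, once with the nonce claimed before the size-limited body read and once after. `nonceStore`, `handle`, `retryAfterOversize`, the 16-byte limit and the 409 replay status are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const maxBody = 16 // constructed size limit, tiny for the demo

// nonceStore is a hypothetical stand-in for replay protection; claim burns a nonce.
type nonceStore map[string]bool

func (s nonceStore) claim(n string) bool {
	fresh := !s[n]
	s[n] = true
	return fresh
}

// handle returns the status for one signed request; bodyFirst picks the ordering.
func handle(s nonceStore, nonce, body string, bodyFirst bool) int {
	w := httptest.NewRecorder()
	readBody := func() bool {
		_, err := io.ReadAll(http.MaxBytesReader(w, io.NopCloser(strings.NewReader(body)), maxBody))
		return err == nil
	}
	if bodyFirst && !readBody() {
		return http.StatusRequestEntityTooLarge // rejected, nonce untouched
	}
	if !s.claim(nonce) {
		return http.StatusConflict // replay; status code chosen for the demo
	}
	if !bodyFirst && !readBody() {
		return http.StatusRequestEntityTooLarge // rejected, nonce already burned
	}
	return http.StatusOK
}

// retryAfterOversize sends an oversized body, then a valid retry on the same nonce.
func retryAfterOversize(bodyFirst bool) (int, int) {
	s, big := nonceStore{}, strings.Repeat("x", maxBody+1)
	return handle(s, "nonce-1", big, bodyFirst), handle(s, "nonce-1", "ok", bodyFirst)
}

func main() {
	fmt.Println(retryAfterOversize(false)) // verify first: 413 409
	fmt.Println(retryAfterOversize(true))  // body first:   413 200
}
```

With the nonce claimed first, the corrected retry is refused as a replay; with the body read first, the same retry succeeds.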
What changed
This refactor extracts the shared paid-request verification and paid-response receipt flow out of the gateway's summarize handler and cache-hit path.
It adds a small gateway seam in gateway/payment_flow.go and rewires both handleSummarize and CacheMiddleware to use it.
Why
Before this change, the gateway duplicated the same x402 paid-request steps in two places:
That duplication made the x402 flow harder to change safely and kept too much protocol behavior spread across gateway/main.go and gateway/cache.go.
Impact
402 Payment Required path remains unchanged.
Validation
- cd gateway && go test ./... -run 'TestVerifyPaidRequest'
- cd gateway && go test ./... -run 'TestHandleSummarize_NoHeaders|TestHandleSummarize|TestCacheHit|TestVerifyPaidRequest'
- cd gateway && go test ./...
- cd gateway && go vet ./...