fix: createx402DelegationProvider should resolve redeemer addresses as interesection of facilitatorAddresses and redeemer.addresses#256
Conversation
…section of specified redeemer addresses, and facilitatorAddresses - if only one of the two is specified, that value is used
|
|
||
| if (redeemerAddresses.length === 0) { | ||
| if (!redeemerAddresses || redeemerAddresses.length === 0) { | ||
| if (!requireRedeemers) { |
There was a problem hiding this comment.
Could you clarify what this means exactly?
From my understanding, setting requireRedeemers: false just lets us omit the redeemer caveat when no redeemer source is given. If both facilitatorAddresses and redeemerAddresses are specified but have no overlapping addresses, should the process fail, or create a delegation with no redeemer restrictions on purpose?
I’m checking this because the current code handles an empty intersection the same as when no redeemer sources exist.
| }; | ||
|
|
||
| /** | ||
| * Resolves the allowed redeemer addresses from the union of facilitator specified and caller specified redeemer addresses. |
There was a problem hiding this comment.
I think it's intersection, not union
| facilitatorAddresses, | ||
| redeemerAddresses, | ||
| }: ResolveRedeemerAddressesParams): Address[] | undefined => { | ||
| if (!facilitatorAddresses) { |
There was a problem hiding this comment.
If a payment server sends extra: { facilitatorAddresses: [] }, the code enters intersection logic, produces [], and throws a confusing error — even though the user's redeemerAddresses alone would have been sufficient.
There was a problem hiding this comment.
I think the behaviour is correct. I've refactored slightly, added some comments, and clarified the error message to "No valid redeemer addresses were resolved. If both redeemers.addresses and extra.facilitatorAddresses are provided, they must overlap. If only one is provided, it must include at least one address.".
If either extra.facilitatorAddresses or redeemers.addresses is specified it implies a constraint (if undefined, it implies no constraint). If the value is either [] or the intersection of the two values is [] it implies a constraint that cannot be satisfied, hence the error.
If we treat [] as no constraint, it's error prone - ["0xaddress1","0xaddress2"] means either address can redeem, ["oxaddress1"] means only that address can redeem, [] means anyone can
There was a problem hiding this comment.
@throws only describes the old scenario, misses the new empty-intersection throw
…ts to error messages.
675f4f8 to
9c3a2a0
Compare
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 9c3a2a0. Configure here.

📝 Description
Fixes #254
When
createx402DelegationProvider, a redeemer caveat is added that contains the union offacilitatorAddressesandredeemeraddresses specified in the params.🔄 What Changed?
With this change, the intersection of
facilitatorAddressesandredeemeraddresses is used instead. If only one of the two is specified, that value is used.Note: if both the facilitator specifies
facilitatorAddressesand the configuration specifiesredeemer.addresses, they should be the same value (as the intersection will be used as theredeemercaveat terms.🚀 Why?
If a caller specifies
redeemeraddresses, it would be reasonable to expect that only those addresses can redeem the delegation, whereas if the facilitator specifiesfacilitatorAddresses, the addresses that can redeem could be expanded to include other addresses.🧪 How to Test?
Given the following snippet:
And a facilitator that specifies
facilitatorAddresses:['0xb4827a2a066cd2ef88560efdf063dd05c6c41cc7']Previously:
Now:
List any breaking changes:
📋 Checklist
Check off completed items:
🔗 Related Issues
Link to related issues:
Closes #
Related to #
📚 Additional Notes
Any additional information, concerns, or context:
Note
High Risk
Breaking change to who can redeem x402 delegations when both facilitator and config redeemer lists are supplied; incorrect overlap assumptions could block redemption or widen trust if callers relied on the old union.
Overview
Experimental
createx402DelegationProvidernow builds redeemer caveats from the intersection ofPaymentRequirements.extra.facilitatorAddressesand configuredredeemers.addresses, instead of their union. When only one side is set, that list is used; when both are set, only overlapping addresses are allowed.ensureRedeemerSufficientlyConstrainedtakes separatefacilitatorAddressesandredeemerAddressesand uses newresolveRedeemerAddresses(normalized comparison). An empty resolved list (e.g. explicit[]or non-overlapping inputs) throwsNo valid redeemer addresses were resolvedrather than skipping constraints. Changelog and unit tests were updated for intersection behavior and the new error path.Breaking: delegations that previously allowed any address in either list will only allow addresses present in both when both inputs are provided.
Reviewed by Cursor Bugbot for commit a1e3c41. Bugbot is set up for automated code reviews on this repo. Configure here.