Issue:
The paymentMiddleware from @x402/express v2.6.0 does not intercept requests — all protected routes return 200 OK instead of 402 Payment Required, even without any X-PAYMENT or PAYMENT-SIGNATURE header.
I reproduced this using the exact code from the official quickstart example:
```javascript
import express from "express";
import { paymentMiddleware, x402ResourceServer } from "@x402/express";
import { ExactEvmScheme } from "@x402/evm/exact/server";
import { HTTPFacilitatorClient } from "@x402/core/server";

const app = express();
const payTo = "0xYourAddress";
const facilitatorClient = new HTTPFacilitatorClient({ url: "https://x402.org/facilitator" });

app.use(
  paymentMiddleware(
    {
      "GET /weather": {
        accepts: [{ scheme: "exact", price: "$0.001", network: "eip155:84532", payTo }],
        description: "Weather data",
        mimeType: "application/json",
      },
    },
    new x402ResourceServer(facilitatorClient).register("eip155:84532", new ExactEvmScheme()),
  ),
);

app.get("/weather", (req, res) => { res.send({ weather: "sunny" }); });
app.listen(4021);
```
Suspected root cause:
https://x402.org/facilitator/supported returns an HTTP 308 redirect before resolving to 200. The HTTPFacilitatorClient may not follow this redirect, causing syncFacilitatorOnStart to silently fail. When no supported payment kinds are loaded, the middleware passes all requests through instead of returning 402.
```
$ curl -s "https://x402.org/facilitator/supported" -w "\n%{http_code}" -o /dev/null
308
$ curl -sL "https://x402.org/facilitator/supported" -w "\n%{http_code}" -o /dev/null
200
```
Expected behavior: Middleware should return 402 Payment Required with a PAYMENT-REQUIRED header for requests without payment proof.
Workaround needed: Is there a known workaround? Would using a trailing slash (https://x402.org/facilitator/) or a different facilitator resolve this?
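
A defense-in-depth guard for the fail-open behavior reported above, as an added example that is not code from the issue author or from the x402 project. `failClosedGuard`, `routeKey` and the 503 response are assumptions; it is meant to be mounted after `paymentMiddleware` and before the route handlers, and it only catches the no-header case, it does not verify payments.

```javascript
// Added example (not part of @x402/express): refuse to serve a protected route
// when a request with no payment header slips past the payment middleware.
// Assumptions: Express-style (req, res, next); Node lower-cases header names.
const PAYMENT_HEADERS = ["x-payment", "payment-signature"]; // names from the issue text

// Build the same "METHOD /path" key format the middleware config in the issue uses.
function routeKey(method, path) {
  return `${String(method).toUpperCase()} ${path}`;
}

// routes: object keyed like the config above, e.g. { "GET /weather": {...} }.
// Only exact "METHOD /path" keys are matched (assumption: no wildcard patterns).
// onViolation: optional hook for logging or alerting (hypothetical).
function failClosedGuard(routes, onViolation = () => {}) {
  const protectedKeys = new Set(
    Object.keys(routes).map((k) => {
      const [method, path] = k.trim().split(/\s+/);
      return routeKey(method, path);
    }),
  );

  return function guard(req, res, next) {
    const key = routeKey(req.method, req.path);
    if (!protectedKeys.has(key)) return next(); // unprotected route

    // A header being present does not prove the payment was verified; that is
    // still the payment middleware's job. This guard only covers the symptom
    // reported here: a protected route served with no payment header at all.
    const hasProof = PAYMENT_HEADERS.some((h) => Boolean(req.headers[h]));
    if (hasProof) return next();

    // The upstream middleware should have answered 402 and never called next().
    // Reaching this point means enforcement is not active, so fail closed.
    onViolation(key);
    res.status(503).json({ error: "payment enforcement unavailable" });
  };
}

// Intended mounting order (sketch):
//   app.use(paymentMiddleware(routes, server));
//   app.use(failClosedGuard(routes, (key) => console.error("fail-open on", key)));
//   app.get("/weather", handler);
```

A 503 is used rather than 402 because the guard cannot construct the payment requirements the `PAYMENT-REQUIRED` header carries.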