fix(proxy): normalize public request URLs

- normalize public request URLs once at the app boundary
- prefer PUBLIC_BASE_URL over trusted forwarded headers
- restore the upstream x402 Hono middleware and cover the behavior with tests

Author: kimo-ice

.env.example

@@ -14,8 +14,11 @@ DATABASE_PATH=./data/tack.db
 DELEGATE_URL=http://localhost:8080/ipfs
 
 # Networking / security
+# Recommended in production so the AgentCard and x402 metadata always use your
+# canonical public HTTPS origin, even if proxy headers are missing or partial.
+PUBLIC_BASE_URL=
 # When false, rate limiting ignores forwarded headers and uses socket remote address.
-# Set true only when running behind a trusted reverse proxy that sets x-forwarded-for/x-real-ip.
+# Set true only when running behind a trusted reverse proxy that sets forwarded client IP/host/proto headers.
 TRUST_PROXY=false
 # Optional secret for signed wallet bearer tokens on owner pin endpoints.
 # Set this in production to enable `Authorization: Bearer <token>` auth for /pins owner operations.

docs/railway-deployment.md

@@ -41,6 +41,7 @@ Set these in Railway Variables.
 | `IPFS_API_URL` | `http://tack-ipfs.railway.internal:5001` | Use your internal service hostname from Railway networking. |
 | `DATABASE_PATH` | `/app/data/tack.db` | Must be on the mounted persistent volume. |
 | `DELEGATE_URL` | `https://<ipfs-gateway-domain>/ipfs` | Returned in pin delegates metadata. |
+| `PUBLIC_BASE_URL` | `https://<your-api-domain>` | Recommended. Used for AgentCard and x402 absolute resource URLs. |
 | `TRUST_PROXY` | `true` | Railway terminates edge traffic before your service. |
 | `WALLET_AUTH_TOKEN_SECRET` | long random secret | Required for owner `Authorization: Bearer` flows. |
 | `X402_ENABLED` | `true` | Required for production startup checks. |
@@ -101,11 +102,12 @@ When a release causes issues:
 3. `X402_ENABLED=true` and `X402_NETWORK=eip155:167000`.
 4. `X402_PAY_TO` and `X402_USDC_ASSET_ADDRESS` are real Taiko Alethia addresses.
 5. `WALLET_AUTH_TOKEN_SECRET` is set to a strong random value.
-6. `TRUST_PROXY=true` configured.
-7. `/health` stable at `200` over repeated checks.
-8. End-to-end smoke passes (`pnpm smoke:x402`) against Railway URL.
-9. Manual pin/list/get/delete flow works with paid wallet identity.
-10. Rollback owner and backup location documented before launch.
+6. `PUBLIC_BASE_URL` matches the public Railway HTTPS domain.
+7. `TRUST_PROXY=true` configured.
+8. `/health` stable at `200` over repeated checks.
+9. End-to-end smoke passes (`pnpm smoke:x402`) against Railway URL.
+10. Manual pin/list/get/delete flow works with paid wallet identity.
+11. Rollback owner and backup location documented before launch.
 
 ## 8) Production Limitations & Upgrade Path
 

src/app.ts

@@ -9,6 +9,7 @@ import {
   UpstreamServiceError,
   ValidationError
 } from './lib/errors';
+import { createExternalRequestUrlMiddleware } from './lib/request-url';
 import { toPinStatusResponse, type PinningService } from './services/pinning-service';
 import type { InMemoryRateLimiter } from './services/rate-limiter';
 import { logger } from './services/logger';
@@ -302,6 +303,7 @@ export interface AppServices {
   walletAuthTokenSecret?: string;
   gatewayCacheControlMaxAgeSeconds?: number;
   uploadMaxSizeBytes?: number;
+  publicBaseUrl?: string;
   trustProxy?: boolean;
   rateLimiter?: InMemoryRateLimiter;
   healthCheck?: () => Promise<void>;
@@ -328,8 +330,14 @@ export function createApp(services: AppServices): Hono<AppEnv> {
   const app = new Hono<AppEnv>();
   const cacheControlMaxAgeSeconds = services.gatewayCacheControlMaxAgeSeconds ?? DEFAULT_GATEWAY_CACHE_CONTROL_MAX_AGE_SECONDS;
   const uploadMaxSizeBytes = services.uploadMaxSizeBytes ?? DEFAULT_UPLOAD_MAX_SIZE_BYTES;
+  const publicBaseUrl = services.publicBaseUrl;
   const trustProxy = services.trustProxy ?? false;
 
+  app.use('*', createExternalRequestUrlMiddleware({
+    publicBaseUrl,
+    trustProxy
+  }));
+
   if (services.paymentMiddleware) {
     app.use(services.paymentMiddleware);
   }
@@ -408,8 +416,7 @@ export function createApp(services: AppServices): Hono<AppEnv> {
   });
 
   app.get('/.well-known/agent.json', (c) => {
-    const baseUrl = new URL(c.req.url);
-    const origin = `${baseUrl.protocol}//${baseUrl.host}`;
+    const origin = new URL(c.req.url).origin;
     const agent = services.agentCard;
 
     return c.json({

src/config.ts

@@ -6,6 +6,7 @@ export interface AppConfig {
   ipfsTimeoutMs: number;
   dbPath: string;
   delegateUrl: string;
+  publicBaseUrl?: string;
   trustProxy: boolean;
   walletAuthTokenSecret?: string;
   uploadMaxSizeBytes: number;
@@ -63,6 +64,41 @@ function parseList(value: string | undefined): string[] {
     .filter((item) => item.length > 0);
 }
 
+function parsePublicBaseUrl(value: string | undefined): string | undefined {
+  if (!value) {
+    return undefined;
+  }
+
+  const trimmed = value.trim();
+  if (trimmed.length === 0) {
+    return undefined;
+  }
+
+  let parsed: URL;
+
+  try {
+    parsed = new URL(trimmed);
+  } catch {
+    throw new Error('Invalid URL for PUBLIC_BASE_URL');
+  }
+
+  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+    throw new Error('PUBLIC_BASE_URL must use http or https');
+  }
+
+  if (
+    parsed.username.length > 0 ||
+    parsed.password.length > 0 ||
+    parsed.pathname !== '/' ||
+    parsed.search.length > 0 ||
+    parsed.hash.length > 0
+  ) {
+    throw new Error('PUBLIC_BASE_URL must be an origin without path, query, or hash');
+  }
+
+  return parsed.origin;
+}
+
 function isPlaceholderEvmAddress(value: string): boolean {
   return PLACEHOLDER_EVM_ADDRESSES.has(value.trim().toLowerCase());
 }
@@ -103,6 +139,7 @@ export function getConfig(): AppConfig {
     ipfsTimeoutMs: parseNumber(process.env.IPFS_TIMEOUT_MS, 30000, 'IPFS_TIMEOUT_MS'),
     dbPath: process.env.DATABASE_PATH ?? './data/tack.db',
     delegateUrl: process.env.DELEGATE_URL ?? 'http://localhost:8080/ipfs',
+    publicBaseUrl: parsePublicBaseUrl(process.env.PUBLIC_BASE_URL),
     trustProxy: parseBoolean(process.env.TRUST_PROXY, false),
     walletAuthTokenSecret: process.env.WALLET_AUTH_TOKEN_SECRET,
     uploadMaxSizeBytes: parseNumber(process.env.UPLOAD_MAX_SIZE_BYTES, 100 * 1024 * 1024, 'UPLOAD_MAX_SIZE_BYTES'),

src/index.ts

@@ -80,6 +80,7 @@ const app = createApp({
   walletAuthTokenSecret: config.walletAuthTokenSecret,
   gatewayCacheControlMaxAgeSeconds: config.gatewayCacheControlMaxAgeSeconds,
   uploadMaxSizeBytes: config.uploadMaxSizeBytes,
+  publicBaseUrl: config.publicBaseUrl,
   trustProxy: config.trustProxy,
   healthCheck: async () => {
     await ipfsClient.id();

src/lib/request-url.ts

@@ -0,0 +1,153 @@
+import type { MiddlewareHandler } from 'hono';
+
+export interface ExternalRequestUrlOptions {
+  publicBaseUrl?: string;
+  trustProxy?: boolean;
+}
+
+interface MutableRequestUrl {
+  raw: Request;
+  url: string;
+}
+
+function getFirstHeaderValue(value: string | null): string | null {
+  if (!value) {
+    return null;
+  }
+
+  const first = value.split(',')[0]?.trim();
+  return first && first.length > 0 ? first : null;
+}
+
+function stripQuotes(value: string): string {
+  if (value.startsWith('"') && value.endsWith('"') && value.length >= 2) {
+    return value.slice(1, -1);
+  }
+
+  return value;
+}
+
+function isTrustedProtocol(value: string | null): value is 'http' | 'https' {
+  return value === 'http' || value === 'https';
+}
+
+function parseForwardedHeader(value: string | null): { host: string | null; proto: 'http' | 'https' | null } {
+  const first = getFirstHeaderValue(value);
+  if (!first) {
+    return { host: null, proto: null };
+  }
+
+  let host: string | null = null;
+  let proto: 'http' | 'https' | null = null;
+
+  for (const part of first.split(';')) {
+    const [rawKey, rawValue] = part.split('=', 2);
+    if (!rawKey || !rawValue) {
+      continue;
+    }
+
+    const key = rawKey.trim().toLowerCase();
+    const parsedValue = stripQuotes(rawValue.trim());
+
+    if (key === 'host' && parsedValue.length > 0) {
+      host = parsedValue;
+    }
+
+    if (key === 'proto') {
+      const normalized = parsedValue.toLowerCase();
+      if (isTrustedProtocol(normalized)) {
+        proto = normalized;
+      }
+    }
+  }
+
+  return { host, proto };
+}
+
+function parseForwardedPort(value: string | null): string | null {
+  const port = getFirstHeaderValue(value);
+  return port && /^[0-9]+$/.test(port) ? port : null;
+}
+
+function applyOrigin(url: URL, origin: URL): URL {
+  url.protocol = origin.protocol;
+  url.host = origin.host;
+  return url;
+}
+
+function applyForwardedHost(url: URL, forwardedHost: string): boolean {
+  try {
+    const parsed = new URL(`${url.protocol}//${forwardedHost}`);
+    if (
+      parsed.username.length > 0 ||
+      parsed.password.length > 0 ||
+      parsed.pathname !== '/' ||
+      parsed.search.length > 0 ||
+      parsed.hash.length > 0
+    ) {
+      return false;
+    }
+
+    url.hostname = parsed.hostname;
+    url.port = parsed.port;
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+export function getExternalRequestUrl(requestUrl: string, headers: Headers, options?: ExternalRequestUrlOptions): URL {
+  const url = new URL(requestUrl);
+
+  if (options?.publicBaseUrl) {
+    return applyOrigin(url, new URL(options.publicBaseUrl));
+  }
+
+  if (!options?.trustProxy) {
+    return url;
+  }
+
+  const forwarded = parseForwardedHeader(headers.get('forwarded'));
+  const forwardedHost = forwarded.host ?? getFirstHeaderValue(headers.get('x-forwarded-host'));
+  const forwardedPort = parseForwardedPort(headers.get('x-forwarded-port'));
+  const forwardedProto = forwarded.proto ?? (() => {
+    const proto = getFirstHeaderValue(headers.get('x-forwarded-proto'))?.toLowerCase() ?? null;
+    return isTrustedProtocol(proto) ? proto : null;
+  })();
+
+  if (forwardedHost) {
+    const appliedHost = applyForwardedHost(url, forwardedHost);
+    if (appliedHost && forwardedPort && url.port.length === 0) {
+      url.port = forwardedPort;
+    }
+  } else if (forwardedPort) {
+    url.port = forwardedPort;
+  }
+
+  if (forwardedProto) {
+    url.protocol = `${forwardedProto}:`;
+  }
+
+  return url;
+}
+
+export function normalizeExternalRequestUrl(request: MutableRequestUrl, headers: Headers, options?: ExternalRequestUrlOptions): string {
+  const externalUrl = getExternalRequestUrl(request.url, headers, options).toString();
+
+  if (externalUrl !== request.url) {
+    Object.defineProperty(request.raw, 'url', {
+      value: externalUrl,
+      configurable: true,
+      writable: true
+    });
+  }
+
+  return externalUrl;
+}
+
+export function createExternalRequestUrlMiddleware(options?: ExternalRequestUrlOptions): MiddlewareHandler {
+  return async (c, next) => {
+    normalizeExternalRequestUrl(c.req, c.req.raw.headers, options);
+    await next();
+  };
+}

tests/integration/app.test.ts

@@ -334,16 +334,59 @@ describe('API integration', () => {
     expect(response.status).toBe(200);
 
     const agentCard = (await response.json()) as {
+      endpoint: string;
       protocol: string;
       capabilities: { pinningApi: { endpoints: string[] } };
       pricing: { retrieval: { metadataField: string } };
     };
 
     expect(agentCard.protocol).toBe('a2a');
+    expect(agentCard.endpoint).toBe('http://localhost');
     expect(agentCard.capabilities.pinningApi.endpoints).toContain('/pins');
     expect(agentCard.pricing.retrieval.metadataField).toBe('meta.retrievalPrice');
   });
 
+  it('uses forwarded host and proto in the AgentCard when trustProxy is enabled', async () => {
+    const trustedProxyApp = createApp({
+      pinningService: service,
+      trustProxy: true
+    });
+
+    const response = await trustedProxyApp.request(
+      new Request('http://localhost/.well-known/agent.json', {
+        headers: {
+          'x-forwarded-host': 'tack-api-production.up.railway.app',
+          'x-forwarded-proto': 'https'
+        }
+      })
+    );
+
+    expect(response.status).toBe(200);
+    const agentCard = (await response.json()) as { endpoint: string };
+    expect(agentCard.endpoint).toBe('https://tack-api-production.up.railway.app');
+  });
+
+  it('prefers PUBLIC_BASE_URL for the AgentCard over forwarded headers', async () => {
+    const publicBaseUrlApp = createApp({
+      pinningService: service,
+      publicBaseUrl: 'https://api.tack.example',
+      trustProxy: true
+    });
+
+    const response = await publicBaseUrlApp.request(
+      new Request('http://localhost/.well-known/agent.json', {
+        headers: {
+          'x-forwarded-host': 'internal-only.example',
+          'x-forwarded-proto': 'http'
+        }
+      })
+    );
+
+    expect(response.status).toBe(200);
+    const agentCard = (await response.json()) as { endpoint: string };
+    expect(agentCard.endpoint).toBe('https://api.tack.example');
+  });
+
   it('rejects uploads over configured upload size limit', async () => {
     const strictApp = createApp({ pinningService: service, uploadMaxSizeBytes: 4 });
     const form = new FormData();

tests/unit/config.test.ts

@@ -78,6 +78,15 @@ describe('config validation', () => {
     expect(config.pinReplicaDelegateUrls).toEqual(['https://gw-a.example/ipfs', 'https://gw-b.example/ipfs']);
   });
 
+  it('parses PUBLIC_BASE_URL as an origin', () => {
+    setTestEnv({
+      PUBLIC_BASE_URL: 'https://api.tack.example/'
+    });
+
+    const config = getConfig();
+    expect(config.publicBaseUrl).toBe('https://api.tack.example');
+  });
+
   it('fails when replica delegate URLs do not match replica API URL count', () => {
     setTestEnv({
       PIN_REPLICA_IPFS_API_URLS: 'http://ipfs-a:5001,http://ipfs-b:5001',
@@ -88,4 +97,12 @@ describe('config validation', () => {
       'PIN_REPLICA_DELEGATE_URLS must have the same number of entries as PIN_REPLICA_IPFS_API_URLS'
     );
   });
+
+  it('rejects PUBLIC_BASE_URL values with paths', () => {
+    setTestEnv({
+      PUBLIC_BASE_URL: 'https://api.tack.example/v1'
+    });
+
+    expect(() => getConfig()).toThrow('PUBLIC_BASE_URL must be an origin without path, query, or hash');
+  });
 });