fix(mpp): prevent key_authorization from being included when key is already provisioned

grandizzy · ampcode-com · grandizzy · commit 2de6d326e847 · 2026-04-01T20:34:57.000+03:00
Two fixes for the 'access key already exists' error on MPP charge payments: 1. pay_charge (session.rs): Strip key_authorization from the signing mode when key_provisioned is true. Previously the charge path passed self.signing_mode directly to TempoCharge::sign_with_options, which always included key_authorization from keys.toml. The session path (create_open_tx) already had this guard, but the charge path did not. 2. 402 retry (transport.rs): Only retry with key_authorization when the error specifically indicates the key is not provisioned ('access key does not exist'). Previously any 402 retry unconditionally called mark_key_not_provisioned(), causing the second attempt to include key_authorization even when the first failure was for a different reason (e.g. wrong currency, insufficient balance). Co-authored-by: Amp <amp@ampcode.com> Amp-Thread-ID: https://ampcode.com/threads/T-019d4989-0b60-72ef-99a0-2d0d9f0bc62c
diff --git a/crates/common/src/provider/mpp/session.rs b/crates/common/src/provider/mpp/session.rs
@@ -344,8 +344,24 @@ impl SessionProvider {
         use mpp::client::tempo::charge::{SignOptions, TempoCharge};
 
         let charge = TempoCharge::from_challenge(challenge)?;
-        let options =
-            SignOptions { signing_mode: Some(self.signing_mode.clone()), ..Default::default() };
+
+        // Strip key_authorization from the signing mode when the key is already
+        // provisioned on-chain. Otherwise the payment tx includes a redundant
+        // key provisioning call that fails with "access key already exists".
+        let signing_mode = if *self.key_provisioned.lock().unwrap() {
+            match &self.signing_mode {
+                TempoSigningMode::Keychain { wallet, version, .. } => TempoSigningMode::Keychain {
+                    wallet: *wallet,
+                    key_authorization: None,
+                    version: *version,
+                },
+                other => other.clone(),
+            }
+        } else {
+            self.signing_mode.clone()
+        };
+
+        let options = SignOptions { signing_mode: Some(signing_mode), ..Default::default() };
         let signed = charge.sign_with_options(&self.signer, options).await?;
         Ok(signed.into_credential())
     }
diff --git a/crates/common/src/provider/mpp/transport.rs b/crates/common/src/provider/mpp/transport.rs
@@ -271,38 +271,55 @@ where
             )));
         }
 
-        // Retry 402 → try with key_authorization
+        // Retry 402 → only retry with key_authorization if the error indicates
+        // the access key is not provisioned on-chain. Unconditionally retrying
+        // caused "access key already exists" when the 402 was for a different
+        // reason (e.g. wrong currency, insufficient balance).
         if retry_resp.status() == StatusCode::PAYMENT_REQUIRED {
-            self.provider.mark_key_not_provisioned();
-            let resolved = self.provider.resolve()?;
+            let retry_body = retry_resp.bytes().await.map_err(TransportErrorKind::custom)?;
+            let retry_text = String::from_utf8_lossy(&retry_body);
+
+            if retry_text.contains("access key does not exist")
+                || retry_text.contains("key is not provisioned")
+            {
+                self.provider.mark_key_not_provisioned();
+                let resolved = self.provider.resolve()?;
+
+                if resolved.supports(challenge.method.as_str(), challenge.intent.as_str()) {
+                    debug!(
+                        "MPP 402 indicates key not provisioned, retrying with key_authorization"
+                    );
 
-            if resolved.supports(challenge.method.as_str(), challenge.intent.as_str()) {
-                debug!("first MPP attempt returned 402, retrying with key_authorization");
-
-                let credential = resolved.pay(challenge).await.map_err(|e| {
-                    TransportErrorKind::custom(std::io::Error::other(format!(
-                        "MPP payment failed: {e}"
-                    )))
-                })?;
-                let auth_header = format_authorization(&credential).map_err(|e| {
-                    TransportErrorKind::custom(std::io::Error::other(format!(
-                        "failed to format MPP credential: {e}"
-                    )))
-                })?;
-
-                let final_resp = self
-                    .client
-                    .post(self.url.clone())
-                    .headers(headers)
-                    .header("content-type", "application/json")
-                    .header(AUTHORIZATION_HEADER, auth_header)
-                    .body(body)
-                    .send()
-                    .await
-                    .map_err(TransportErrorKind::custom)?;
-
-                return Self::handle_response(final_resp).await;
+                    let credential = resolved.pay(challenge).await.map_err(|e| {
+                        TransportErrorKind::custom(std::io::Error::other(format!(
+                            "MPP payment failed: {e}"
+                        )))
+                    })?;
+                    let auth_header = format_authorization(&credential).map_err(|e| {
+                        TransportErrorKind::custom(std::io::Error::other(format!(
+                            "failed to format MPP credential: {e}"
+                        )))
+                    })?;
+
+                    let final_resp = self
+                        .client
+                        .post(self.url.clone())
+                        .headers(headers)
+                        .header("content-type", "application/json")
+                        .header(AUTHORIZATION_HEADER, auth_header)
+                        .body(body)
+                        .send()
+                        .await
+                        .map_err(TransportErrorKind::custom)?;
+
+                    return Self::handle_response(final_resp).await;
+                }
             }
+
+            return Err(TransportErrorKind::http_error(
+                StatusCode::PAYMENT_REQUIRED.as_u16(),
+                retry_text.into_owned(),
+            ));
         }
 
         Self::handle_response(retry_resp).await
