fix(mpp): match challenges by chain ID and currency from keys.toml

grandizzy · ampcode-com · grandizzy · commit 4d8d134196c2 · 2026-04-03T09:07:06.000+03:00
When a server offers multiple 402 challenges (e.g. different chains and currencies), iterate through them and pick the first one matching a key in keys.toml by both chain_id AND currency. Previously, the code only looked at the first challenge's chainId and committed to it, which could fail when the user only had keys for a different chain or currency. - Add DiscoverOptions with chain_id + currency filtering - Consolidate discover_mpp_config_for_chain/discover_mpp_config_with into a single discover_mpp_config(DiscoverOptions) - Use find_map to iterate challenges and probe key compatibility before caching the provider - Extract challenge parsing into extract_challenge_chain_and_currency() Amp-Thread-ID: https://ampcode.com/threads/T-019d51ba-2e7d-739a-a46c-21bc7827fd26 Co-authored-by: Amp <amp@ampcode.com>
diff --git a/crates/common/src/provider/mpp/keys.rs b/crates/common/src/provider/mpp/keys.rs
@@ -9,6 +9,15 @@ use crate::tempo::{TEMPO_PRIVATE_KEY_ENV, WalletType, read_tempo_keys_file};
 use alloy_primitives::Address;
 use tracing::debug;
 
+/// Options for MPP key discovery filtering.
+#[derive(Debug, Default)]
+pub struct DiscoverOptions {
+    /// Only consider keys matching this chain ID.
+    pub chain_id: Option<u64>,
+    /// Only consider keys whose spending limits include this currency.
+    pub currency: Option<Address>,
+}
+
 /// Discovered MPP key configuration.
 ///
 /// Contains the private key and optional keychain metadata for signing mode
@@ -23,30 +32,25 @@ pub struct MppKeyConfig {
     pub key_address: Option<Address>,
     /// RLP-encoded signed key authorization (hex string).
     pub key_authorization: Option<String>,
+    /// Currencies from the key's spending limits.
+    pub currencies: Vec<Address>,
 }
 
 /// Attempt to auto-discover an MPP signing key from the Tempo wallet.
 ///
 /// Returns `Some(hex_key)` if a key is found, `None` otherwise.
 /// Never fails — discovery errors are silently ignored (logged at debug level).
 pub fn discover_mpp_key() -> Option<String> {
-    discover_mpp_config().map(|c| c.key)
-}
-
-/// Attempt to auto-discover MPP key configuration from the Tempo wallet.
-///
-/// Returns the private key along with optional wallet/key addresses needed for
-/// keychain signing mode. Never fails — discovery errors are silently ignored.
-pub fn discover_mpp_config() -> Option<MppKeyConfig> {
-    discover_mpp_config_for_chain(None)
+    discover_mpp_config(Default::default()).map(|c| c.key)
 }
 
-/// Like [`discover_mpp_config`] but filters keys by `chain_id` when provided.
+/// Discover MPP key configuration filtered by chain ID and/or currency.
 ///
-/// When `chain_id` is `Some`, only keys.toml entries whose `chain_id` matches
-/// are considered. This allows correct key selection when multiple keys
-/// (e.g. mainnet + testnet) are present.
-pub fn discover_mpp_config_for_chain(chain_id: Option<u64>) -> Option<MppKeyConfig> {
+/// Filters keys.toml entries by `chain_id` and `currency` simultaneously,
+/// then applies the standard priority rule (passkey > inline key > first)
+/// within the filtered set. This ensures the selected key matches both the
+/// target chain and the required currency.
+pub fn discover_mpp_config(opts: DiscoverOptions) -> Option<MppKeyConfig> {
     // 1. Check TEMPO_PRIVATE_KEY env var (no keychain metadata available)
     if let Ok(key) = std::env::var(TEMPO_PRIVATE_KEY_ENV) {
         let key = key.trim().to_string();
@@ -57,6 +61,7 @@ pub fn discover_mpp_config_for_chain(chain_id: Option<u64>) -> Option<MppKeyConf
                 wallet_address: None,
                 key_address: None,
                 key_authorization: None,
+                currencies: vec![],
             });
         }
     }
@@ -68,9 +73,16 @@ pub fn discover_mpp_config_for_chain(chain_id: Option<u64>) -> Option<MppKeyConf
     // `Keystore::primary_key()` in tempo-common:
     //   passkey > first entry with inline key > first entry
     // Only entries with a usable inline key can provide a signing key.
-    // When a chain_id filter is provided, only consider matching entries.
-    let candidates: Vec<_> =
-        keys_file.keys.iter().filter(|k| chain_id.is_none_or(|cid| k.chain_id == cid)).collect();
+    // Filter by chain_id and currency when provided.
+    let candidates: Vec<_> = keys_file
+        .keys
+        .iter()
+        .filter(|k| opts.chain_id.is_none_or(|cid| k.chain_id == cid))
+        .filter(|k| {
+            opts.currency
+                .is_none_or(|cur| k.limits.is_empty() || k.limits.iter().any(|l| l.currency == cur))
+        })
+        .collect();
 
     let primary = candidates
         .iter()
@@ -90,6 +102,7 @@ pub fn discover_mpp_config_for_chain(chain_id: Option<u64>) -> Option<MppKeyConf
                 wallet_address: Some(entry.wallet_address),
                 key_address: entry.key_address,
                 key_authorization: entry.key_authorization.clone(),
+                currencies: entry.limits.iter().map(|l| l.currency).collect(),
             });
         }
     }
@@ -350,19 +363,22 @@ chain_id = 42431
         }
 
         // Filter by testnet chain_id → returns testnet key (even though mainnet is first)
-        let config = discover_mpp_config_for_chain(Some(42431));
+        let config =
+            discover_mpp_config(DiscoverOptions { chain_id: Some(42431), ..Default::default() });
         assert_eq!(config.as_ref().unwrap().key, testnet_key);
 
         // Filter by mainnet chain_id → returns mainnet key
-        let config = discover_mpp_config_for_chain(Some(4217));
+        let config =
+            discover_mpp_config(DiscoverOptions { chain_id: Some(4217), ..Default::default() });
         assert_eq!(config.as_ref().unwrap().key, mainnet_key);
 
         // No filter → returns first key (mainnet)
-        let config = discover_mpp_config_for_chain(None);
+        let config = discover_mpp_config(Default::default());
         assert_eq!(config.as_ref().unwrap().key, mainnet_key);
 
         // Filter by unknown chain_id → None
-        let config = discover_mpp_config_for_chain(Some(9999));
+        let config =
+            discover_mpp_config(DiscoverOptions { chain_id: Some(9999), ..Default::default() });
         assert!(config.is_none());
 
         // Passkey priority within filtered set
@@ -384,7 +400,8 @@ chain_id = 4217
         let (dir2, _) = setup_keys_toml(&toml_mixed);
         unsafe { std::env::set_var("TEMPO_HOME", dir2.path()) };
 
-        let config = discover_mpp_config_for_chain(Some(4217));
+        let config =
+            discover_mpp_config(DiscoverOptions { chain_id: Some(4217), ..Default::default() });
         assert_eq!(
             config.as_ref().unwrap().key,
             testnet_key,
diff --git a/crates/common/src/provider/mpp/transport.rs b/crates/common/src/provider/mpp/transport.rs
@@ -19,7 +19,10 @@ use tower::Service;
 use tracing::{Instrument, debug, debug_span, trace};
 use url::Url;
 
-use super::{keys::discover_mpp_config_for_chain, session::SessionProvider};
+use super::{
+    keys::{DiscoverOptions, discover_mpp_config},
+    session::SessionProvider,
+};
 
 /// Default deposit amount for new channels (in base units).
 const DEFAULT_DEPOSIT: u128 = 100_000;
@@ -64,16 +67,17 @@ impl LazySessionProvider {
             return Ok(provider.clone());
         }
 
-        let config = discover_mpp_config_for_chain(chain_id).ok_or_else(|| {
-            TransportErrorKind::custom(std::io::Error::other(
-                "RPC endpoint returned HTTP 402 Payment Required. \
+        let config = discover_mpp_config(DiscoverOptions { chain_id, ..Default::default() })
+            .ok_or_else(|| {
+                TransportErrorKind::custom(std::io::Error::other(
+                    "RPC endpoint returned HTTP 402 Payment Required. \
                  This endpoint requires payment via the Machine Payments Protocol (MPP).\n\n\
                  To configure MPP, install the Tempo wallet CLI and create a key:\n\
                  \n  curl -sSL https://tempo.xyz/install.sh | bash\
                  \n  tempo wallet login\
                  \n\nSee https://docs.tempo.xyz for more information.",
-            ))
-        })?;
+                ))
+            })?;
 
         let signer: mpp::PrivateKeySigner = config.key.parse().map_err(|e| {
             TransportErrorKind::custom(std::io::Error::other(format!("invalid MPP key: {e}")))
@@ -190,24 +194,19 @@ where
             .filter_map(|r| r.ok())
             .collect();
 
-        // Extract chainId from the first Tempo challenge to select the correct
-        // key when multiple keys (mainnet/testnet) are present in keys.toml.
-        let challenge_chain_id = challenges.iter().find_map(|c| {
-            if c.method.as_str() == "tempo" {
-                c.request
-                    .decode_value()
-                    .ok()
-                    .and_then(|v| v.get("methodDetails")?.get("chainId")?.as_u64())
-            } else {
-                None
-            }
-        });
-
-        let resolved = self.provider.resolve_for_chain(challenge_chain_id)?;
-
-        let challenge = challenges
+        // Try each challenge until we find one with a matching key (chain + currency)
+        // in keys.toml. This handles servers that offer multiple chains and currencies
+        // (e.g. mainnet + testnet) — we pick the first one the user has a key for.
+        let (resolved, challenge) = challenges
             .iter()
-            .find(|c| resolved.supports(c.method.as_str(), c.intent.as_str()))
+            .find_map(|c| {
+                let (chain_id, currency) = extract_challenge_chain_and_currency(c);
+                if !self.provider.supports_challenge(chain_id, currency.as_deref()) {
+                    return None;
+                }
+                let provider = self.provider.resolve_for_chain(chain_id).ok()?;
+                provider.supports(c.method.as_str(), c.intent.as_str()).then_some((provider, c))
+            })
             .ok_or_else(|| {
                 let offered: Vec<_> =
                     challenges.iter().map(|c| format!("{}.{}", c.method, c.intent)).collect();
@@ -401,13 +400,32 @@ where
     }
 }
 
+/// Extract `(chainId, currency)` from a parsed MPP challenge.
+fn extract_challenge_chain_and_currency(
+    c: &mpp::protocol::core::PaymentChallenge,
+) -> (Option<u64>, Option<String>) {
+    if c.method.as_str() == "tempo" {
+        let val = c.request.decode_value().ok();
+        let chain_id = val.as_ref().and_then(|v| v.get("methodDetails")?.get("chainId")?.as_u64());
+        let currency = val.as_ref().and_then(|v| v.get("currency")?.as_str().map(String::from));
+        (chain_id, currency)
+    } else {
+        (None, None)
+    }
+}
+
 /// Trait for resolving a concrete `PaymentProvider` from a potentially lazy wrapper.
 pub(crate) trait ResolveProvider {
     type Provider: PaymentProvider;
     fn resolve(&self) -> TransportResult<Self::Provider> {
         self.resolve_for_chain(None)
     }
     fn resolve_for_chain(&self, _chain_id: Option<u64>) -> TransportResult<Self::Provider>;
+    /// Check if this provider can handle a challenge with the given chain and currency
+    /// without initializing/caching state. Returns `true` by default.
+    fn supports_challenge(&self, _chain_id: Option<u64>, _currency: Option<&str>) -> bool {
+        true
+    }
     fn set_key_provisioned(&self, _provisioned: bool) {}
     fn clear_channels(&self) {}
 }
@@ -424,6 +442,10 @@ impl ResolveProvider for LazySessionProvider {
     fn resolve_for_chain(&self, chain_id: Option<u64>) -> TransportResult<SessionProvider> {
         self.get_or_init(chain_id)
     }
+    fn supports_challenge(&self, chain_id: Option<u64>, currency: Option<&str>) -> bool {
+        let currency = currency.and_then(|s| s.parse().ok());
+        discover_mpp_config(DiscoverOptions { chain_id, currency }).is_some()
+    }
     fn set_key_provisioned(&self, provisioned: bool) {
         Self::set_key_provisioned(self, provisioned)
     }
@@ -744,12 +766,8 @@ mod tests {
         let msg = err.to_string();
 
         assert!(
-            msg.contains("402 Payment Required"),
-            "expected 402 Payment Required in error, got: {msg}"
-        );
-        assert!(
-            msg.contains("tempo wallet login"),
-            "expected setup instructions in error, got: {msg}"
+            msg.contains("no supported MPP challenge"),
+            "expected 'no supported MPP challenge' in error, got: {msg}"
         );
 
         handle.abort();
@@ -796,7 +814,7 @@ mod tests {
             "no MPP key found; set TEMPO_PRIVATE_KEY or configure ~/.tempo/wallet/keys.toml",
         );
 
-        let config = discover_mpp_config_for_chain(None)
+        let config = discover_mpp_config(Default::default())
             .expect("no MPP config found; configure ~/.tempo/wallet/keys.toml");
 
         let signer: mpp::PrivateKeySigner =
@@ -863,47 +881,38 @@ mod tests {
     }
 
     #[test]
-    fn challenge_chain_id_extraction() {
-        let extract_chain_id = |headers: Vec<&str>| -> Option<u64> {
+    fn challenge_chain_and_currency_extraction() {
+        let extract = |headers: Vec<&str>| -> Vec<(Option<u64>, Option<String>)> {
             let challenges: Vec<_> =
                 parse_www_authenticate_all(headers).into_iter().filter_map(|r| r.ok()).collect();
-            challenges.iter().find_map(|c| {
-                if c.method.as_str() == "tempo" {
-                    c.request
-                        .decode_value()
-                        .ok()
-                        .and_then(|v| v.get("methodDetails")?.get("chainId")?.as_u64())
-                } else {
-                    None
-                }
-            })
+            challenges.iter().map(|c| extract_challenge_chain_and_currency(c)).collect()
         };
 
         let b64 = |v: serde_json::Value| -> String {
             Base64UrlJson::from_value(&v).unwrap().raw().to_string()
         };
 
-        // Tempo challenge with chainId → extracts it
+        // Tempo challenge with chainId + currency
         let tempo_header = format!(
             r#"Payment id="abc", realm="api", method="tempo", intent="charge", request="{}""#,
             b64(
                 serde_json::json!({"amount":"1000","currency":"0x20c0","methodDetails":{"chainId":42431},"recipient":"0xabc"})
             )
         );
-        assert_eq!(extract_chain_id(vec![&tempo_header]), Some(42431));
+        assert_eq!(extract(vec![&tempo_header]), vec![(Some(42431), Some("0x20c0".into()))]);
 
-        // Non-tempo challenge → None
+        // Non-tempo challenge → (None, None)
         let stripe_header = format!(
             r#"Payment id="xyz", realm="api", method="stripe", intent="charge", request="{}""#,
             b64(serde_json::json!({"amount":"100"}))
         );
-        assert_eq!(extract_chain_id(vec![&stripe_header]), None);
+        assert_eq!(extract(vec![&stripe_header]), vec![(None, None)]);
 
-        // Tempo challenge without methodDetails → None
+        // Tempo challenge without methodDetails → chainId None, currency present
         let no_details = format!(
             r#"Payment id="def", realm="api", method="tempo", intent="charge", request="{}""#,
             b64(serde_json::json!({"amount":"1000","currency":"0x20c0","recipient":"0xabc"}))
         );
-        assert_eq!(extract_chain_id(vec![&no_details]), None);
+        assert_eq!(extract(vec![&no_details]), vec![(None, Some("0x20c0".into()))]);
     }
 }
