fix(mpp): prevent key_authorization from being included when key is already provisioned

grandizzy · ampcode-com · grandizzy · commit d7522bc0023c · 2026-04-01T20:46:27.000+03:00
Two fixes for the 'access key already exists' error on MPP charge payments: 1. pay_charge (session.rs): Strip key_authorization from the signing mode when key_provisioned is true. Previously the charge path passed self.signing_mode directly to TempoCharge::sign_with_options, which always included key_authorization from keys.toml. The session path (create_open_tx) already had this guard, but the charge path did not. 2. 402 retry (transport.rs): Only retry with key_authorization when the error specifically indicates the key is not provisioned ('access key does not exist'). Previously any 402 retry unconditionally called mark_key_not_provisioned(), causing the second attempt to include key_authorization even when the first failure was for a different reason (e.g. wrong currency, insufficient balance). Co-authored-by: Amp <amp@ampcode.com> Amp-Thread-ID: https://ampcode.com/threads/T-019d4989-0b60-72ef-99a0-2d0d9f0bc62c
diff --git a/crates/common/src/provider/mpp/session.rs b/crates/common/src/provider/mpp/session.rs
@@ -344,8 +344,24 @@ impl SessionProvider {
         use mpp::client::tempo::charge::{SignOptions, TempoCharge};
 
         let charge = TempoCharge::from_challenge(challenge)?;
-        let options =
-            SignOptions { signing_mode: Some(self.signing_mode.clone()), ..Default::default() };
+
+        // Strip key_authorization from the signing mode when the key is already
+        // provisioned on-chain. Otherwise the payment tx includes a redundant
+        // key provisioning call that fails with "access key already exists".
+        let signing_mode = if *self.key_provisioned.lock().unwrap() {
+            match &self.signing_mode {
+                TempoSigningMode::Keychain { wallet, version, .. } => TempoSigningMode::Keychain {
+                    wallet: *wallet,
+                    key_authorization: None,
+                    version: *version,
+                },
+                other => other.clone(),
+            }
+        } else {
+            self.signing_mode.clone()
+        };
+
+        let options = SignOptions { signing_mode: Some(signing_mode), ..Default::default() };
         let signed = charge.sign_with_options(&self.signer, options).await?;
         Ok(signed.into_credential())
     }
@@ -471,3 +487,122 @@ impl PaymentProvider for SessionProvider {
         Ok(build_credential(challenge, payload, chain_id, payer))
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use mpp::client::tempo::signing::KeychainVersion;
+
+    #[test]
+    fn test_key_provisioned_default_is_true() {
+        let signer = mpp::PrivateKeySigner::random();
+        let provider = SessionProvider::new(signer, "https://rpc.example.com".into());
+        assert!(*provider.key_provisioned.lock().unwrap());
+    }
+
+    #[test]
+    fn test_set_key_provisioned() {
+        let signer = mpp::PrivateKeySigner::random();
+        let provider = SessionProvider::new(signer, "https://rpc.example.com".into());
+        provider.set_key_provisioned(false);
+        assert!(!*provider.key_provisioned.lock().unwrap());
+        provider.set_key_provisioned(true);
+        assert!(*provider.key_provisioned.lock().unwrap());
+    }
+
+    #[test]
+    fn test_pay_charge_strips_key_auth_when_provisioned() {
+        // When key_provisioned is true (default), pay_charge should produce a
+        // signing mode with key_authorization: None.
+        let signer = mpp::PrivateKeySigner::random();
+        let wallet = Address::repeat_byte(0xAA);
+        let signing_mode = TempoSigningMode::Keychain {
+            wallet,
+            key_authorization: Some(Box::new(
+                // Dummy value — never sent on-chain in this test.
+                unsafe { std::mem::zeroed() },
+            )),
+            version: KeychainVersion::V2,
+        };
+        let provider = SessionProvider::new(signer, "https://rpc.example.com".into())
+            .with_signing_mode(signing_mode);
+
+        // Simulate the stripping logic from pay_charge
+        let result_mode = if *provider.key_provisioned.lock().unwrap() {
+            match &provider.signing_mode {
+                TempoSigningMode::Keychain { wallet, version, .. } => TempoSigningMode::Keychain {
+                    wallet: *wallet,
+                    key_authorization: None,
+                    version: *version,
+                },
+                other => other.clone(),
+            }
+        } else {
+            provider.signing_mode.clone()
+        };
+
+        assert!(
+            result_mode.key_authorization().is_none(),
+            "key_authorization should be stripped when key is provisioned"
+        );
+    }
+
+    #[test]
+    fn test_pay_charge_keeps_key_auth_when_not_provisioned() {
+        let signer = mpp::PrivateKeySigner::random();
+        let wallet = Address::repeat_byte(0xAA);
+        let signing_mode = TempoSigningMode::Keychain {
+            wallet,
+            key_authorization: Some(Box::new(unsafe { std::mem::zeroed() })),
+            version: KeychainVersion::V2,
+        };
+        let provider = SessionProvider::new(signer, "https://rpc.example.com".into())
+            .with_signing_mode(signing_mode);
+
+        // Mark key as NOT provisioned
+        provider.set_key_provisioned(false);
+
+        let result_mode = if *provider.key_provisioned.lock().unwrap() {
+            match &provider.signing_mode {
+                TempoSigningMode::Keychain { wallet, version, .. } => TempoSigningMode::Keychain {
+                    wallet: *wallet,
+                    key_authorization: None,
+                    version: *version,
+                },
+                other => other.clone(),
+            }
+        } else {
+            provider.signing_mode.clone()
+        };
+
+        assert!(
+            result_mode.key_authorization().is_some(),
+            "key_authorization should be preserved when key is NOT provisioned"
+        );
+    }
+
+    #[test]
+    fn test_pay_charge_direct_mode_unaffected() {
+        let signer = mpp::PrivateKeySigner::random();
+        let provider = SessionProvider::new(signer, "https://rpc.example.com".into())
+            .with_signing_mode(TempoSigningMode::Direct);
+
+        let result_mode = if *provider.key_provisioned.lock().unwrap() {
+            match &provider.signing_mode {
+                TempoSigningMode::Keychain { wallet, version, .. } => TempoSigningMode::Keychain {
+                    wallet: *wallet,
+                    key_authorization: None,
+                    version: *version,
+                },
+                other => other.clone(),
+            }
+        } else {
+            provider.signing_mode.clone()
+        };
+
+        assert!(
+            matches!(result_mode, TempoSigningMode::Direct),
+            "Direct mode should pass through unchanged"
+        );
+    }
+}
diff --git a/crates/common/src/provider/mpp/transport.rs b/crates/common/src/provider/mpp/transport.rs
@@ -271,38 +271,55 @@ where
             )));
         }
 
-        // Retry 402 → try with key_authorization
+        // Retry 402 → only retry with key_authorization if the error indicates
+        // the access key is not provisioned on-chain. Unconditionally retrying
+        // caused "access key already exists" when the 402 was for a different
+        // reason (e.g. wrong currency, insufficient balance).
         if retry_resp.status() == StatusCode::PAYMENT_REQUIRED {
-            self.provider.mark_key_not_provisioned();
-            let resolved = self.provider.resolve()?;
+            let retry_body = retry_resp.bytes().await.map_err(TransportErrorKind::custom)?;
+            let retry_text = String::from_utf8_lossy(&retry_body);
+
+            if retry_text.contains("access key does not exist")
+                || retry_text.contains("key is not provisioned")
+            {
+                self.provider.mark_key_not_provisioned();
+                let resolved = self.provider.resolve()?;
+
+                if resolved.supports(challenge.method.as_str(), challenge.intent.as_str()) {
+                    debug!(
+                        "MPP 402 indicates key not provisioned, retrying with key_authorization"
+                    );
 
-            if resolved.supports(challenge.method.as_str(), challenge.intent.as_str()) {
-                debug!("first MPP attempt returned 402, retrying with key_authorization");
-
-                let credential = resolved.pay(challenge).await.map_err(|e| {
-                    TransportErrorKind::custom(std::io::Error::other(format!(
-                        "MPP payment failed: {e}"
-                    )))
-                })?;
-                let auth_header = format_authorization(&credential).map_err(|e| {
-                    TransportErrorKind::custom(std::io::Error::other(format!(
-                        "failed to format MPP credential: {e}"
-                    )))
-                })?;
-
-                let final_resp = self
-                    .client
-                    .post(self.url.clone())
-                    .headers(headers)
-                    .header("content-type", "application/json")
-                    .header(AUTHORIZATION_HEADER, auth_header)
-                    .body(body)
-                    .send()
-                    .await
-                    .map_err(TransportErrorKind::custom)?;
-
-                return Self::handle_response(final_resp).await;
+                    let credential = resolved.pay(challenge).await.map_err(|e| {
+                        TransportErrorKind::custom(std::io::Error::other(format!(
+                            "MPP payment failed: {e}"
+                        )))
+                    })?;
+                    let auth_header = format_authorization(&credential).map_err(|e| {
+                        TransportErrorKind::custom(std::io::Error::other(format!(
+                            "failed to format MPP credential: {e}"
+                        )))
+                    })?;
+
+                    let final_resp = self
+                        .client
+                        .post(self.url.clone())
+                        .headers(headers)
+                        .header("content-type", "application/json")
+                        .header(AUTHORIZATION_HEADER, auth_header)
+                        .body(body)
+                        .send()
+                        .await
+                        .map_err(TransportErrorKind::custom)?;
+
+                    return Self::handle_response(final_resp).await;
+                }
             }
+
+            return Err(TransportErrorKind::http_error(
+                StatusCode::PAYMENT_REQUIRED.as_u16(),
+                retry_text.into_owned(),
+            ));
         }
 
         Self::handle_response(retry_resp).await
