Skip to content

fix(x402): default 402 challenge resource.url to https on public hosts#751

Open
bussyjd wants to merge 1 commit into
mainfrom
fix/x402-challenge-url-scheme
Open

fix(x402): default 402 challenge resource.url to https on public hosts#751
bussyjd wants to merge 1 commit into
mainfrom
fix/x402-challenge-url-scheme

Conversation

@bussyjd

@bussyjd bussyjd commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

What changed: buildResourceURL (the 402 challenge resource.url builder in the verifier's ForwardAuth path) now uses the same scheme resolution as resolveSiteURL: default https, downgrade to http only for hosts the stack serves locally over plain HTTP (obol.stack, loopback, *.localhost/*.local); an explicit https signal (direct TLS or X-Forwarded-Proto: https) still wins for any host. The resolution is extracted into a shared resolveScheme so challenge URLs and 402-page links can never disagree again.

Why it matters: behind a TLS-terminating tunnel the ForwardAuth hop sees plaintext, so the scheme keyed off X-Forwarded-Proto alone renders http:// resource URLs whenever a route lacks the X-Forwarded-Proto: https RequestHeaderModifier. The controller's host-bound so-<name>-host routes carry that filter, but the shared-origin so-<name> routes do not — and being more path-specific for /services/<name>, they win the match even on dedicated-hostname origins. Observed live: 5 of 8 host-bound offers advertised http:// resources in their 402 challenges on https endpoints — a scheme mismatch visible to strict x402 v2 clients and discovery crawlers.

This is the verifier-side half of the correctness gap discussed in #679. It deliberately does NOT force X-Forwarded-Proto: https on shared-origin routes: those also serve genuine local plaintext traffic on obol.stack, where claiming https would be wrong in the other direction.

Risk level: low

Base branch: main

Scope

  • Code

Validation

Unit tests:

go build ./... && go test ./internal/x402/ -count=1 — ok
New TestBuildResourceURL_Scheme: public host no-XFP -> https; public host
XFP=http (tunnel case) -> https; forwarded host honored; obol.stack/localhost
stay http; explicit XFP=https on local host honored; X-Forwarded-Uri preserved.

Live evidence (v0.13.0 deployment behind a Cloudflare tunnel): all 8 host-bound offers' /services/<name> challenges advertised http:// or https:// depending solely on whether a hand-authored route with the header filter happened to match; with trusted forwarded headers (the operator-side workaround) all emit https and a real x402 payment settled end-to-end ($0.01 USDC on Base, exact ledger delta). This patch makes the correct scheme the default with no per-route filters or Traefik trust configuration required.

Refs #679

https://claude.ai/code/session_014YjPMViNrZ7zBVgUQzwEKk

buildResourceURL keyed the scheme off X-Forwarded-Proto alone, so behind
a TLS-terminating tunnel (edge https -> plaintext to Traefik -> verifier)
any route without an explicit X-Forwarded-Proto:https RequestHeaderModifier
produced http:// resource URLs in 402 challenges. The controller's
host-bound so-<name>-host routes carry that filter but the shared-origin
so-<name> routes do not — and being more path-specific for
/services/<name>, they win the match even on dedicated-hostname origins,
so challenges on those origins advertised http:// resources on an https
endpoint (strict v2 payment clients and discovery crawlers see a
scheme mismatch; observed live on 5 of 8 host-bound offers, #679).

resolveSiteURL already solved exactly this for 402-page links: default
https, downgrade only for hosts the stack serves locally over plain HTTP
(obol.stack, loopback, *.localhost/*.local), explicit signals always win.
Extract that resolution into resolveScheme and use it in both places, so
challenge resource URLs and page links can never disagree again.

Refs #679

Claude-Session: https://claude.ai/code/session_014YjPMViNrZ7zBVgUQzwEKk
@bussyjd bussyjd requested a review from OisinKyne July 15, 2026 13:28
@bussyjd bussyjd mentioned this pull request Jul 15, 2026
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant