Merge pull request #18 from Z-M-Huang/feat/jwtHeader

feat: Implement static and dynamic authorization for FacilitatorClient.

Author: ezynda3

http/facilitator.go

@@ -16,13 +16,46 @@ import (
 	"github.com/mark3labs/x402-go/retry"
 )
 
+// AuthorizationProvider is a function that returns an Authorization header value.
+// This is useful for dynamic tokens (e.g., JWT refresh) where the value may change.
+//
+// Thread-safety: The provider function is called on each HTTP request, including
+// during retry attempts. If your provider accesses shared state or performs I/O
+// (e.g., token refresh), ensure it is safe for concurrent use. The FacilitatorClient
+// does not serialize calls to the provider.
+type AuthorizationProvider func() string
+
 // FacilitatorClient is a client for communicating with x402 facilitator services.
 type FacilitatorClient struct {
 	BaseURL    string
 	Client     *http.Client
 	Timeouts   x402.TimeoutConfig // Timeout configuration for payment operations
 	MaxRetries int                // Maximum number of retry attempts for failed requests (default: 0)
 	RetryDelay time.Duration      // Delay between retry attempts (default: 100ms)
+
+	// Authorization is a static Authorization header value (e.g., "Bearer token" or "Basic base64").
+	// If AuthorizationProvider is also set, the provider takes precedence.
+	Authorization string
+
+	// AuthorizationProvider is a function that returns an Authorization header value.
+	// This is useful for dynamic tokens that may need to be refreshed.
+	// If set, this takes precedence over the static Authorization field.
+	AuthorizationProvider AuthorizationProvider
+}
+
+// setAuthorizationHeader sets the Authorization header on the request if configured.
+// If AuthorizationProvider is set, it is called to get the current token value;
+// otherwise, the static Authorization string is used. This is called per-request.
+func (c *FacilitatorClient) setAuthorizationHeader(req *http.Request) {
+	var authValue string
+	if c.AuthorizationProvider != nil {
+		authValue = c.AuthorizationProvider()
+	} else if c.Authorization != "" {
+		authValue = c.Authorization
+	}
+	if authValue != "" {
+		req.Header.Set("Authorization", authValue)
+	}
 }
 
 // FacilitatorRequest is the request payload sent to the facilitator.
@@ -79,6 +112,7 @@ func (c *FacilitatorClient) Verify(ctx context.Context, payment x402.PaymentPayl
 			return nil, fmt.Errorf("failed to create request: %w", err)
 		}
 		httpReq.Header.Set("Content-Type", "application/json")
+		c.setAuthorizationHeader(httpReq)
 
 		// Send request
 		resp, err := c.Client.Do(httpReq)
@@ -135,6 +169,7 @@ func (c *FacilitatorClient) Supported(ctx context.Context) (*facilitator.Support
 	if err != nil {
 		return nil, fmt.Errorf("failed to create request: %w", err)
 	}
+	c.setAuthorizationHeader(httpReq)
 
 	// Send request
 	resp, err := c.Client.Do(httpReq)
@@ -203,6 +238,7 @@ func (c *FacilitatorClient) Settle(ctx context.Context, payment x402.PaymentPayl
 			return nil, fmt.Errorf("failed to create request: %w", err)
 		}
 		httpReq.Header.Set("Content-Type", "application/json")
+		c.setAuthorizationHeader(httpReq)
 
 		// Send request
 		resp, err := c.Client.Do(httpReq)

http/facilitator_test.go

@@ -67,6 +67,278 @@ func TestFacilitatorClient_Verify(t *testing.T) {
 	}
 }
 
+func TestFacilitatorClient_Verify_WithStaticAuthorization(t *testing.T) {
+	expectedAuth := "Bearer test-api-key"
+
+	// Create a mock facilitator server that validates the Authorization header
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Check that Authorization header is present
+		authHeader := r.Header.Get("Authorization")
+		if authHeader != expectedAuth {
+			t.Errorf("Expected Authorization header %q, got %q", expectedAuth, authHeader)
+			w.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+
+		response := facilitator.VerifyResponse{
+			IsValid: true,
+			Payer:   "0x857b06519E91e3A54538791bDbb0E22373e36b66",
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		if err := json.NewEncoder(w).Encode(response); err != nil {
+			t.Errorf("Failed to encode response: %v", err)
+		}
+	}))
+	defer mockServer.Close()
+
+	client := &FacilitatorClient{
+		BaseURL:       mockServer.URL,
+		Client:        &http.Client{},
+		Timeouts:      x402.DefaultTimeouts,
+		Authorization: expectedAuth,
+	}
+
+	payload := x402.PaymentPayload{
+		X402Version: 1,
+		Scheme:      "exact",
+		Network:     "base-sepolia",
+	}
+
+	requirement := x402.PaymentRequirement{
+		Scheme:            "exact",
+		Network:           "base-sepolia",
+		MaxAmountRequired: "10000",
+	}
+
+	resp, err := client.Verify(context.Background(), payload, requirement)
+	if err != nil {
+		t.Fatalf("Verify failed: %v", err)
+	}
+
+	if !resp.IsValid {
+		t.Error("Expected IsValid to be true")
+	}
+}
+
+func TestFacilitatorClient_Verify_WithAuthorizationProvider(t *testing.T) {
+	callCount := 0
+	provider := func() string {
+		callCount++
+		return "Bearer dynamic-token-" + string(rune('0'+callCount))
+	}
+
+	// Expected token for the first call
+	expectedAuth := "Bearer dynamic-token-1"
+
+	// Create a mock facilitator server that validates the Authorization header
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		authHeader := r.Header.Get("Authorization")
+		if authHeader == "" {
+			t.Error("Expected Authorization header to be present")
+			w.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+
+		// Verify the dynamic token value is used and static is ignored
+		if authHeader != expectedAuth {
+			t.Errorf("Expected Authorization header %q, got %q", expectedAuth, authHeader)
+			w.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+
+		response := facilitator.VerifyResponse{
+			IsValid: true,
+			Payer:   "0x857b06519E91e3A54538791bDbb0E22373e36b66",
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		if err := json.NewEncoder(w).Encode(response); err != nil {
+			t.Errorf("Failed to encode response: %v", err)
+		}
+	}))
+	defer mockServer.Close()
+
+	client := &FacilitatorClient{
+		BaseURL:               mockServer.URL,
+		Client:                &http.Client{},
+		Timeouts:              x402.DefaultTimeouts,
+		Authorization:         "Bearer static-should-be-ignored",
+		AuthorizationProvider: provider,
+	}
+
+	payload := x402.PaymentPayload{
+		X402Version: 1,
+		Scheme:      "exact",
+		Network:     "base-sepolia",
+	}
+
+	requirement := x402.PaymentRequirement{
+		Scheme:            "exact",
+		Network:           "base-sepolia",
+		MaxAmountRequired: "10000",
+	}
+
+	_, err := client.Verify(context.Background(), payload, requirement)
+	if err != nil {
+		t.Fatalf("Verify failed: %v", err)
+	}
+
+	if callCount != 1 {
+		t.Errorf("Expected AuthorizationProvider to be called exactly once, got %d calls", callCount)
+	}
+}
+
+func TestFacilitatorClient_Verify_WithoutAuthorization(t *testing.T) {
+	// Create a mock facilitator server that checks no Authorization header is sent
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		authHeader := r.Header.Get("Authorization")
+		if authHeader != "" {
+			t.Errorf("Expected no Authorization header, got %q", authHeader)
+		}
+
+		response := facilitator.VerifyResponse{
+			IsValid: true,
+			Payer:   "0x857b06519E91e3A54538791bDbb0E22373e36b66",
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		if err := json.NewEncoder(w).Encode(response); err != nil {
+			t.Errorf("Failed to encode response: %v", err)
+		}
+	}))
+	defer mockServer.Close()
+
+	client := &FacilitatorClient{
+		BaseURL:  mockServer.URL,
+		Client:   &http.Client{},
+		Timeouts: x402.DefaultTimeouts,
+		// No Authorization or AuthorizationProvider set
+	}
+
+	payload := x402.PaymentPayload{
+		X402Version: 1,
+		Scheme:      "exact",
+		Network:     "base-sepolia",
+	}
+
+	requirement := x402.PaymentRequirement{
+		Scheme:            "exact",
+		Network:           "base-sepolia",
+		MaxAmountRequired: "10000",
+	}
+
+	_, err := client.Verify(context.Background(), payload, requirement)
+	if err != nil {
+		t.Fatalf("Verify failed: %v", err)
+	}
+}
+
+func TestFacilitatorClient_Settle_WithStaticAuthorization(t *testing.T) {
+	expectedAuth := "Bearer settle-api-key"
+
+	// Create a mock facilitator server that validates the Authorization header
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		authHeader := r.Header.Get("Authorization")
+		if authHeader != expectedAuth {
+			t.Errorf("Expected Authorization header %q, got %q", expectedAuth, authHeader)
+			w.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+
+		response := x402.SettlementResponse{
+			Success:     true,
+			Transaction: "0x1234567890abcdef",
+			Network:     "base-sepolia",
+			Payer:       "0x857b06519E91e3A54538791bDbb0E22373e36b66",
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		if err := json.NewEncoder(w).Encode(response); err != nil {
+			t.Errorf("Failed to encode response: %v", err)
+		}
+	}))
+	defer mockServer.Close()
+
+	client := &FacilitatorClient{
+		BaseURL:       mockServer.URL,
+		Client:        &http.Client{},
+		Timeouts:      x402.DefaultTimeouts,
+		Authorization: expectedAuth,
+	}
+
+	payload := x402.PaymentPayload{
+		X402Version: 1,
+		Scheme:      "exact",
+		Network:     "base-sepolia",
+	}
+
+	requirement := x402.PaymentRequirement{
+		Scheme:            "exact",
+		Network:           "base-sepolia",
+		MaxAmountRequired: "10000",
+	}
+
+	resp, err := client.Settle(context.Background(), payload, requirement)
+	if err != nil {
+		t.Fatalf("Settle failed: %v", err)
+	}
+
+	if !resp.Success {
+		t.Error("Expected Success to be true")
+	}
+}
+
+func TestFacilitatorClient_Supported_WithStaticAuthorization(t *testing.T) {
+	expectedAuth := "Bearer supported-api-key"
+
+	// Create a mock facilitator server that validates the Authorization header
+	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/supported" {
+			t.Errorf("Expected path /supported, got %s", r.URL.Path)
+		}
+
+		authHeader := r.Header.Get("Authorization")
+		if authHeader != expectedAuth {
+			t.Errorf("Expected Authorization header %q, got %q", expectedAuth, authHeader)
+			w.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+
+		response := facilitator.SupportedResponse{
+			Kinds: []facilitator.SupportedKind{
+				{
+					X402Version: 1,
+					Scheme:      "exact",
+					Network:     "base-sepolia",
+				},
+			},
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		if err := json.NewEncoder(w).Encode(response); err != nil {
+			t.Errorf("Failed to encode response: %v", err)
+		}
+	}))
+	defer mockServer.Close()
+
+	client := &FacilitatorClient{
+		BaseURL:       mockServer.URL,
+		Client:        &http.Client{},
+		Timeouts:      x402.DefaultTimeouts,
+		Authorization: expectedAuth,
+	}
+
+	resp, err := client.Supported(context.Background())
+	if err != nil {
+		t.Fatalf("Supported failed: %v", err)
+	}
+
+	if len(resp.Kinds) != 1 {
+		t.Errorf("Expected 1 kind, got %d", len(resp.Kinds))
+	}
+}
+
 func TestFacilitatorClient_Settle(t *testing.T) {
 	// Create a mock facilitator server
 	mockServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

http/gin/middleware.go

@@ -50,18 +50,22 @@ import (
 func NewGinX402Middleware(config *httpx402.Config) gin.HandlerFunc {
 	// Create facilitator client
 	facilitator := &httpx402.FacilitatorClient{
-		BaseURL:  config.FacilitatorURL,
-		Client:   &http.Client{},
-		Timeouts: x402.DefaultTimeouts,
+		BaseURL:               config.FacilitatorURL,
+		Client:                &http.Client{},
+		Timeouts:              x402.DefaultTimeouts,
+		Authorization:         config.FacilitatorAuthorization,
+		AuthorizationProvider: config.FacilitatorAuthorizationProvider,
 	}
 
 	// Create fallback facilitator client if configured
 	var fallbackFacilitator *httpx402.FacilitatorClient
 	if config.FallbackFacilitatorURL != "" {
 		fallbackFacilitator = &httpx402.FacilitatorClient{
-			BaseURL:  config.FallbackFacilitatorURL,
-			Client:   &http.Client{},
-			Timeouts: x402.DefaultTimeouts,
+			BaseURL:               config.FallbackFacilitatorURL,
+			Client:                &http.Client{},
+			Timeouts:              x402.DefaultTimeouts,
+			Authorization:         config.FallbackFacilitatorAuthorization,
+			AuthorizationProvider: config.FallbackFacilitatorAuthorizationProvider,
 		}
 	}