Skip to content

fix: only advertise protocols with actual challenge data#162

Merged
badjer merged 4 commits intomainfrom
fix/authorize-protocols-from-challenge-data
Apr 14, 2026
Merged

fix: only advertise protocols with actual challenge data#162
badjer merged 4 commits intomainfrom
fix/authorize-protocols-from-challenge-data

Conversation

@badjer
Copy link
Copy Markdown
Contributor

@badjer badjer commented Apr 14, 2026

Summary

  • ATXPAccountHandler was hardcoding protocols: ['atxp', 'x402', 'mpp'] when calling /authorize/auto, regardless of what the MCP server's challenge actually contained
  • When the server only sent a paymentRequestUrl (no inline x402/mpp data), /authorize/auto would select x402 via feature flag and fabricate paymentRequirements from the generic receiver field — an ATXP account ID — causing 403 "Destination not allowed for IOU conversion"
  • Now the protocols list is derived from what buildAuthorizeParams actually extracted: always atxp, plus x402 only if paymentRequirements exist, plus mpp only if challenges exist

Companion PR

  • circuitandchisel/accounts#674 — removes the fabrication code from /authorize/auto and whitelists the Music ATXP account ID

Test plan

  • Reproduced the 403 locally against a local music MCP server with the old code
  • Verified the fix sends protocols=[atxp] when only ATXP challenge data is present
  • End-to-end test with accounts whitelist change deployed

🤖 Generated with Claude Code

badjer and others added 4 commits April 14, 2026 15:22
@badjer @claude
fix: only advertise protocols with actual challenge data in authorize
647d6e4 
ATXPAccountHandler was hardcoding protocols: ['atxp', 'x402', 'mpp']
regardless of what the MCP server's challenge actually contained. When
the server only sent a paymentRequestUrl (no x402 accepts or mpp
challenges), /authorize/auto would select x402 via feature flag and
fabricate paymentRequirements from the generic receiver field — an ATXP
account ID — causing 403 "Destination not allowed for IOU conversion".

Now the protocols list is built from what's actually available:
- Always 'atxp' (needs only amount + destination)
- 'x402' only if paymentRequirements were extracted from the challenge
- 'mpp' only if challenges were extracted from the challenge

This lets resolveProtocol() fall back to a protocol the client actually
has data for, instead of selecting one it can't fulfill.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@badjer @claude
chore: remove unused eslint-disable directive in x402Wrapper
7679dce 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@badjer @claude
chore: fix pre-existing lint errors across packages
e24b1d4 
- atxp-server: prefix unused logger param with underscore
- atxp-base: remove unused eslint-disable directive

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@badjer @claude
fix: update test and fix pre-existing lint errors
cf97f8c 
- Update atxpAccountHandler test to expect protocols=['atxp'] when
  challenge data has no x402/mpp data
- atxp-server: prefix unused logger param with underscore
- atxp-base: remove unused eslint-disable directive

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@badjer badjer merged commit 4f2f799 into main Apr 14, 2026
1 check passed
@badjer badjer deleted the fix/authorize-protocols-from-challenge-data branch April 14, 2026 23:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@badjer