Harden marketplace checkout with on-chain tx verification

2026-02-18 13:24:45 -08:00 · 2026-02-18 13:24:45 -08:00 · 86a57b2888
commit 86a57b2888
parent 5a857f5554
5 changed files with 165 additions and 1 deletions
--- a/backend/secretapi/README.md
+++ b/backend/secretapi/README.md
@ -33,6 +33,14 @@ Copy `.env.example` in this folder and set contract/runtime values before deploy
 - `POST /secret/membership/confirm`
 - `GET /secret/membership/status`

+### Marketplace
+
+- `GET /marketplace/offers`
+- `GET /marketplace/offers/{offer_id}`
+- `POST /marketplace/checkout/quote`
+- `POST /marketplace/checkout/confirm`
+- `GET /marketplace/entitlements`
+
 ### Governance install + availability

 - `POST /governance/install/token`
@ -77,7 +85,7 @@ Company-first sponsor path is also supported:
 - `SECRET_API_MEMBER_POLL_INTERVAL_SECONDS` (default `30`)
 - `SECRET_API_CHAIN_ID` (default `84532`)
 - `SECRET_API_CHAIN_RPC_URL` (optional, enables on-chain tx receipt verification)
- `SECRET_API_REQUIRE_ONCHAIN_TX_VERIFICATION` (default `false`; when `true`, membership confirm fails closed without chain receipt verification)
+- `SECRET_API_REQUIRE_ONCHAIN_TX_VERIFICATION` (default `false`; when `true`, membership confirm and marketplace checkout confirm fail closed without chain receipt verification)

 ### Membership

--- a/backend/secretapi/app_test.go
+++ b/backend/secretapi/app_test.go
@ -671,6 +671,76 @@ func TestMarketplaceDistinctPayerRequiresOwnershipProof(t *testing.T) {
 	}
 }

+func TestMarketplaceCheckoutConfirmRejectsPayerWalletMismatch(t *testing.T) {
+	a, cfg, cleanup := newTestApp(t)
+	defer cleanup()
+
+	ownerKey := mustKey(t)
+	ownerAddr := strings.ToLower(crypto.PubkeyToAddress(ownerKey.PublicKey).Hex())
+	payerKey := mustKey(t)
+	payerAddr := strings.ToLower(crypto.PubkeyToAddress(payerKey.PublicKey).Hex())
+	if err := seedActiveMembership(context.Background(), a.store, ownerAddr); err != nil {
+		t.Fatalf("seed active membership: %v", err)
+	}
+
+	quote := postJSONExpect[marketplaceCheckoutQuoteResponse](t, a, "/marketplace/checkout/quote", marketplaceCheckoutQuoteRequest{
+		Wallet:         ownerAddr,
+		PayerWallet:    payerAddr,
+		OfferID:        offerIDWorkspaceCore,
+		OwnershipProof: "0x" + strings.Repeat("a", 130),
+		OrgRootID:      "org.marketplace.payer",
+		PrincipalID:    "human.owner",
+		PrincipalRole:  "org_root_owner",
+	}, http.StatusOK)
+
+	errResp := postJSONExpect[map[string]string](t, a, "/marketplace/checkout/confirm", marketplaceCheckoutConfirmRequest{
+		QuoteID:       quote.QuoteID,
+		Wallet:        ownerAddr,
+		PayerWallet:   ownerAddr,
+		OfferID:       offerIDWorkspaceCore,
+		OrgRootID:     "org.marketplace.payer",
+		PrincipalID:   "human.owner",
+		PrincipalRole: "org_root_owner",
+		TxHash:        "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+		ChainID:       cfg.ChainID,
+	}, http.StatusBadRequest)
+	if code := errResp["code"]; code != "context_mismatch" {
+		t.Fatalf("expected context_mismatch, got %+v", errResp)
+	}
+}
+
+func TestMarketplaceConfirmRequiresChainRPCWhenStrictVerificationEnabled(t *testing.T) {
+	a, cfg, cleanup := newTestApp(t)
+	defer cleanup()
+	a.cfg.RequireOnchainTxVerify = true
+	a.cfg.ChainRPCURL = ""
+
+	ownerKey := mustKey(t)
+	ownerAddr := strings.ToLower(crypto.PubkeyToAddress(ownerKey.PublicKey).Hex())
+
+	quote := postJSONExpect[marketplaceCheckoutQuoteResponse](t, a, "/marketplace/checkout/quote", marketplaceCheckoutQuoteRequest{
+		Wallet:        ownerAddr,
+		OfferID:       offerIDWorkspaceCore,
+		OrgRootID:     "org.marketplace.strict",
+		PrincipalID:   "human.owner",
+		PrincipalRole: "org_root_owner",
+	}, http.StatusOK)
+
+	errResp := postJSONExpect[map[string]string](t, a, "/marketplace/checkout/confirm", marketplaceCheckoutConfirmRequest{
+		QuoteID:       quote.QuoteID,
+		Wallet:        ownerAddr,
+		OfferID:       offerIDWorkspaceCore,
+		OrgRootID:     "org.marketplace.strict",
+		PrincipalID:   "human.owner",
+		PrincipalRole: "org_root_owner",
+		TxHash:        "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+		ChainID:       cfg.ChainID,
+	}, http.StatusServiceUnavailable)
+	if code := errResp["code"]; code != "chain_verification_unavailable" {
+		t.Fatalf("expected chain_verification_unavailable, got %+v", errResp)
+	}
+}
+
 func TestMarketplaceWorkspaceAddOnRequiresCoreEntitlement(t *testing.T) {
 	a, _, cleanup := newTestApp(t)
 	defer cleanup()
--- a/backend/secretapi/chain.go
+++ b/backend/secretapi/chain.go
@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"fmt"
+	"math/big"
 	"strings"

 	"github.com/ethereum/go-ethereum/accounts/abi"
@ -73,3 +74,56 @@ func verifyMintedOnChain(ctx context.Context, cfg Config, txHash string, expecte
 	}
 	return fmt.Errorf("membership mint event not found for wallet")
 }
+
+func verifyTransactionSenderOnChain(ctx context.Context, cfg Config, txHash string, expectedSender string) error {
+	if strings.TrimSpace(cfg.ChainRPCURL) == "" {
+		return nil
+	}
+	expectedSender = strings.TrimSpace(expectedSender)
+	if expectedSender == "" {
+		return fmt.Errorf("expected sender missing")
+	}
+
+	client, err := ethclient.DialContext(ctx, cfg.ChainRPCURL)
+	if err != nil {
+		return fmt.Errorf("dial chain rpc: %w", err)
+	}
+	defer client.Close()
+
+	hash := common.HexToHash(txHash)
+	receipt, err := client.TransactionReceipt(ctx, hash)
+	if err != nil {
+		return fmt.Errorf("read tx receipt: %w", err)
+	}
+	if receipt == nil {
+		return fmt.Errorf("tx receipt not found")
+	}
+	if receipt.Status != types.ReceiptStatusSuccessful {
+		return fmt.Errorf("tx failed status=%d", receipt.Status)
+	}
+
+	tx, pending, err := client.TransactionByHash(ctx, hash)
+	if err != nil {
+		return fmt.Errorf("read tx body: %w", err)
+	}
+	if pending {
+		return fmt.Errorf("tx pending")
+	}
+
+	chainID := tx.ChainId()
+	if chainID == nil || chainID.Sign() <= 0 {
+		chainID = big.NewInt(cfg.ChainID)
+	}
+	signer := types.LatestSignerForChainID(chainID)
+	from, err := types.Sender(signer, tx)
+	if err != nil {
+		return fmt.Errorf("resolve tx sender: %w", err)
+	}
+
+	gotSender := strings.ToLower(from.Hex())
+	wantSender := strings.ToLower(common.HexToAddress(expectedSender).Hex())
+	if gotSender != wantSender {
+		return fmt.Errorf("tx sender mismatch got=%s want=%s", gotSender, wantSender)
+	}
+	return nil
+}
--- a/backend/secretapi/marketplace.go
+++ b/backend/secretapi/marketplace.go
@ -451,6 +451,14 @@ func (a *app) handleMarketplaceCheckoutConfirm(w http.ResponseWriter, r *http.Re
 		writeErrorCode(w, http.StatusBadRequest, "invalid_wallet", err.Error())
 		return
 	}
+	payerWallet := ""
+	if strings.TrimSpace(req.PayerWallet) != "" {
+		payerWallet, err = normalizeAddress(req.PayerWallet)
+		if err != nil {
+			writeErrorCode(w, http.StatusBadRequest, "invalid_payer_wallet", err.Error())
+			return
+		}
+	}
 	if req.ChainID != a.cfg.ChainID {
 		writeErrorCode(w, http.StatusBadRequest, "unsupported_chain_id", fmt.Sprintf("unsupported chain_id: %d", req.ChainID))
 		return
@ -493,6 +501,10 @@ func (a *app) handleMarketplaceCheckoutConfirm(w http.ResponseWriter, r *http.Re
 		writeErrorCode(w, http.StatusBadRequest, "context_mismatch", "workspace_id mismatch")
 		return
 	}
+	if payerWallet != "" && !strings.EqualFold(payerWallet, quote.PayerWallet) {
+		writeErrorCode(w, http.StatusBadRequest, "context_mismatch", "payer_wallet mismatch")
+		return
+	}
 	if quote.ConfirmedAt != nil {
 		if existing, existingErr := a.store.getMarketplaceEntitlementByQuote(r.Context(), quote.QuoteID); existingErr == nil {
 			writeJSON(w, http.StatusOK, marketplaceCheckoutConfirmResponse{
@ -514,6 +526,25 @@ func (a *app) handleMarketplaceCheckoutConfirm(w http.ResponseWriter, r *http.Re
 		writeErrorCode(w, http.StatusConflict, "quote_already_confirmed", "quote already confirmed")
 		return
 	}
+	if a.cfg.RequireOnchainTxVerify && strings.TrimSpace(a.cfg.ChainRPCURL) == "" {
+		writeErrorCode(w, http.StatusServiceUnavailable, "chain_verification_unavailable", "chain rpc required for checkout confirmation")
+		return
+	}
+
+	expectedPayer := strings.TrimSpace(quote.PayerWallet)
+	if expectedPayer == "" {
+		expectedPayer = wallet
+	}
+	if err := verifyTransactionSenderOnChain(r.Context(), a.cfg, req.TxHash, expectedPayer); err != nil {
+		writeErrorCode(w, http.StatusConflict, "tx_verification_failed", fmt.Sprintf("tx verification pending/failed: %v", err))
+		return
+	}
+	if quote.MembershipIncluded {
+		if err := verifyMintedOnChain(r.Context(), a.cfg, req.TxHash, wallet); err != nil {
+			writeErrorCode(w, http.StatusConflict, "membership_verification_failed", fmt.Sprintf("membership verification pending/failed: %v", err))
+			return
+		}
+	}

 	now := time.Now().UTC()
 	quote.ConfirmedAt = &now
--- a/docs/roadmap-status.md
+++ b/docs/roadmap-status.md
@ -57,6 +57,7 @@ Implemented now:
 28. Membership confirm now supports strict fail-closed mode (`SECRET_API_REQUIRE_ONCHAIN_TX_VERIFICATION`) that requires chain receipt verification when enabled.
 29. `secretapi` now validates critical config at startup and fails fast on invalid deploy combinations.
 30. `secretapi` now ships an explicit `.env.example` deployment template aligned to current endpoint/runtime requirements.
+31. Marketplace checkout confirm now validates on-chain tx sender/receipt and supports strict fail-closed verification mode.

 Remaining in this repo: