wip

Author: JiahuiWho

internal/data/embedded_wallet.go

@@ -127,6 +127,40 @@ func (ew *EmbeddedWalletModel) GetByCredentialID(ctx context.Context, sqlExec db
 	return &wallet, nil
 }
 
+// GetPendingDisbursementAsset returns the asset associated with the pending disbursement for the
+// embedded wallet identified by the provided contract address. Pending disbursements are
+// determined by payments in an active (ready or pending) state for disbursement payments.
+func (ew *EmbeddedWalletModel) GetPendingDisbursementAsset(ctx context.Context, sqlExec db.SQLExecuter, contractAddress string) (*Asset, error) {
+	if strings.TrimSpace(contractAddress) == "" {
+		return nil, ErrMissingInput
+	}
+
+	query := fmt.Sprintf(`
+		SELECT
+			%s
+		FROM embedded_wallets ew
+		JOIN receiver_wallets rw ON rw.id = ew.receiver_wallet_id
+		JOIN payments p ON p.receiver_wallet_id = rw.id
+		JOIN disbursements d ON d.id = p.disbursement_id
+		JOIN assets a ON a.id = d.asset_id
+		WHERE ew.contract_address = $1
+			AND p.type = $2
+			AND p.status = ANY($3)
+		ORDER BY p.updated_at DESC
+		LIMIT 1
+	`, AssetColumnNames("a", "", false))
+
+	var asset Asset
+	if err := sqlExec.GetContext(ctx, &asset, query, contractAddress, PaymentTypeDisbursement, pq.Array(PaymentInProgressStatuses())); err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, ErrRecordNotFound
+		}
+		return nil, fmt.Errorf("querying pending disbursement asset for contract %s: %w", contractAddress, err)
+	}
+
+	return &asset, nil
+}
+
 type EmbeddedWalletInsert struct {
 	Token                string               `db:"token"`
 	WasmHash             string               `db:"wasm_hash"`

internal/serve/httphandler/passkey_handler.go

@@ -1,6 +1,7 @@
 package httphandler
 
 import (
+	"context"
 	"encoding/base64"
 	"errors"
 	"net/http"
@@ -198,7 +199,9 @@ func (r RefreshTokenRequest) Validate() *httperror.HTTPError {
 }
 
 type RefreshTokenResponse struct {
-	Token string `json:"token"`
+	Token                 string      `json:"token"`
+	IsVerificationPending bool        `json:"is_verification_pending"`
+	PendingAsset          *data.Asset `json:"pending_asset,omitempty"`
 }
 
 func (h PasskeyHandler) RefreshToken(rw http.ResponseWriter, req *http.Request) {
@@ -229,18 +232,35 @@ func (h PasskeyHandler) RefreshToken(rw http.ResponseWriter, req *http.Request)
 		return
 	}
 
-	if contractAddress == "" {
-		var embeddedWallet *data.EmbeddedWallet
-		embeddedWallet, err = h.EmbeddedWalletService.GetWalletByCredentialID(ctx, credentialID)
+	embeddedWallet, err := h.EmbeddedWalletService.GetWalletByCredentialID(ctx, credentialID)
+	if err != nil {
+		if errors.Is(err, services.ErrInvalidCredentialID) {
+			httperror.Unauthorized("Invalid credential ID", err, nil).Render(rw)
+		} else {
+			httperror.InternalError(ctx, "Failed to lookup wallet", err, nil).Render(rw)
+		}
+		return
+	}
+	if embeddedWallet.ContractAddress != "" {
+		contractAddress = embeddedWallet.ContractAddress
+	}
+	isVerificationPending, err := h.IsVerificationPending(ctx, embeddedWallet)
+	if err != nil {
+		if errors.Is(err, services.ErrInvalidReceiverWalletID) {
+			httperror.InternalError(ctx, "Receiver wallet not found", err, nil).Render(rw)
+		} else {
+			httperror.InternalError(ctx, "Failed to evaluate verification requirement", err, nil).Render(rw)
+		}
+		return
+	}
+
+	var asset *data.Asset
+	if contractAddress != "" {
+		asset, err = h.EmbeddedWalletService.GetPendingDisbursementAsset(ctx, contractAddress)
 		if err != nil {
-			if errors.Is(err, services.ErrInvalidCredentialID) {
-				httperror.Unauthorized("Invalid credential ID", err, nil).Render(rw)
-			} else {
-				httperror.InternalError(ctx, "Failed to lookup wallet", err, nil).Render(rw)
-			}
+			httperror.InternalError(ctx, "Failed to retrieve pending disbursement asset", err, nil).Render(rw)
 			return
 		}
-		contractAddress = embeddedWallet.ContractAddress
 	}
 
 	expiresAt := time.Now().Add(WalletTokenExpiration)
@@ -251,8 +271,27 @@ func (h PasskeyHandler) RefreshToken(rw http.ResponseWriter, req *http.Request)
 	}
 
 	resp := RefreshTokenResponse{
-		Token: refreshedToken,
+		Token:                 refreshedToken,
+		IsVerificationPending: isVerificationPending,
+		PendingAsset:          asset,
 	}
 
 	httpjson.Render(rw, resp, httpjson.JSON)
 }
+
+func (h PasskeyHandler) IsVerificationPending(ctx context.Context, embeddedWallet *data.EmbeddedWallet) (bool, error) {
+	if embeddedWallet == nil || !embeddedWallet.RequiresVerification {
+		return false, nil
+	}
+
+	if embeddedWallet.ReceiverWalletID == "" {
+		return false, nil
+	}
+
+	receiverWallet, err := h.EmbeddedWalletService.GetReceiverWalletByID(ctx, embeddedWallet.ReceiverWalletID)
+	if err != nil {
+		return false, err
+	}
+
+	return receiverWallet.Status == data.ReadyReceiversWalletStatus, nil
+}

internal/serve/httphandler/passkey_handler_test.go

@@ -680,6 +680,28 @@ func Test_PasskeyHandler_RefreshToken(t *testing.T) {
 		Return(credentialID, contractAddress, nil).
 		Once()
 
+	embeddedWallet := &data.EmbeddedWallet{
+		ContractAddress:      contractAddress,
+		CredentialID:         credentialID,
+		RequiresVerification: true,
+		ReceiverWalletID:     "rw-1",
+	}
+	mockEmbeddedWalletService.
+		On("GetWalletByCredentialID", mock.Anything, credentialID).
+		Return(embeddedWallet, nil).
+		Once()
+
+	mockEmbeddedWalletService.
+		On("GetReceiverWalletByID", mock.Anything, "rw-1").
+		Return(&data.ReceiverWallet{ID: "rw-1", Status: data.ReadyReceiversWalletStatus}, nil).
+		Once()
+
+	pendingAsset := &data.Asset{ID: "asset-1", Code: "USDC", Issuer: "GDUKMGUGDZQK6YH6Q7"}
+	mockEmbeddedWalletService.
+		On("GetPendingDisbursementAsset", mock.Anything, contractAddress).
+		Return(pendingAsset, nil).
+		Once()
+
 	var capturedExpiresAt time.Time
 	mockJWTManager.
 		On("GenerateToken", mock.Anything, credentialID, contractAddress, mock.AnythingOfType("time.Time")).
@@ -700,11 +722,131 @@ func Test_PasskeyHandler_RefreshToken(t *testing.T) {
 	err = json.Unmarshal(rr.Body.Bytes(), &respBody)
 	require.NoError(t, err)
 	assert.Equal(t, "refreshed-token", respBody.Token)
+	assert.True(t, respBody.IsVerificationPending)
+	require.NotNil(t, respBody.PendingAsset)
+	assert.Equal(t, pendingAsset.Code, respBody.PendingAsset.Code)
+	assert.Equal(t, pendingAsset.Issuer, respBody.PendingAsset.Issuer)
 
 	expectedExpiry := time.Now().Add(WalletTokenExpiration)
 	assert.WithinDuration(t, expectedExpiry, capturedExpiresAt, 5*time.Second)
 }
 
+func Test_PasskeyHandler_RefreshToken_ReceiverAlreadyRegistered(t *testing.T) {
+	mockWebAuthnService := walletMocks.NewMockWebAuthnService(t)
+	mockEmbeddedWalletService := servicesMocks.NewMockEmbeddedWalletService(t)
+	mockJWTManager := walletMocks.NewMockWalletJWTManager(t)
+	handler := PasskeyHandler{
+		WebAuthnService:       mockWebAuthnService,
+		WalletJWTManager:      mockJWTManager,
+		EmbeddedWalletService: mockEmbeddedWalletService,
+	}
+
+	rr := httptest.NewRecorder()
+	requestBody, err := json.Marshal(RefreshTokenRequest{
+		Token: "valid-token",
+	})
+	require.NoError(t, err)
+	ctx := context.Background()
+
+	contractAddress := "CBGTG3VGUMVDZE6O4CRZ2LBCFP7O5XY2VQQQU7AVXLVDQHZLVQFRMHKX"
+	credentialID := "test-credential-id"
+
+	mockJWTManager.
+		On("ValidateToken", mock.Anything, "valid-token").
+		Return(credentialID, contractAddress, nil).
+		Once()
+
+	embeddedWallet := &data.EmbeddedWallet{
+		ContractAddress:      contractAddress,
+		CredentialID:         credentialID,
+		RequiresVerification: true,
+		ReceiverWalletID:     "rw-registered",
+	}
+	mockEmbeddedWalletService.
+		On("GetWalletByCredentialID", mock.Anything, credentialID).
+		Return(embeddedWallet, nil).
+		Once()
+
+	mockEmbeddedWalletService.
+		On("GetReceiverWalletByID", mock.Anything, "rw-registered").
+		Return(&data.ReceiverWallet{ID: "rw-registered", Status: data.RegisteredReceiversWalletStatus}, nil).
+		Once()
+	mockEmbeddedWalletService.
+		On("GetPendingDisbursementAsset", mock.Anything, contractAddress).
+		Return((*data.Asset)(nil), nil).
+		Once()
+
+	mockJWTManager.
+		On("GenerateToken", mock.Anything, credentialID, contractAddress, mock.AnythingOfType("time.Time")).
+		Return("refreshed-token", nil).
+		Once()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, "/embedded-wallets/passkey/authentication/refresh", strings.NewReader(string(requestBody)))
+	require.NoError(t, err)
+	req.Header.Set("Content-Type", "application/json")
+	http.HandlerFunc(handler.RefreshToken).ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
+	var respBody RefreshTokenResponse
+	err = json.Unmarshal(rr.Body.Bytes(), &respBody)
+	require.NoError(t, err)
+	assert.Equal(t, "refreshed-token", respBody.Token)
+	assert.False(t, respBody.IsVerificationPending)
+	assert.Nil(t, respBody.PendingAsset)
+}
+
+func Test_PasskeyHandler_RefreshToken_AssetLookupError(t *testing.T) {
+	mockWebAuthnService := walletMocks.NewMockWebAuthnService(t)
+	mockEmbeddedWalletService := servicesMocks.NewMockEmbeddedWalletService(t)
+	mockJWTManager := walletMocks.NewMockWalletJWTManager(t)
+	handler := PasskeyHandler{
+		WebAuthnService:       mockWebAuthnService,
+		WalletJWTManager:      mockJWTManager,
+		EmbeddedWalletService: mockEmbeddedWalletService,
+	}
+
+	rr := httptest.NewRecorder()
+	requestBody, err := json.Marshal(RefreshTokenRequest{Token: "valid-token"})
+	require.NoError(t, err)
+	ctx := context.Background()
+
+	contractAddress := "CBGTG3VGUMVDZE6O4CRZ2LBCFP7O5XY2VQQQU7AVXLVDQHZLVQFRMHKX"
+	credentialID := "test-credential-id"
+	assetErr := errors.New("asset lookup failed")
+
+	mockJWTManager.
+		On("ValidateToken", mock.Anything, "valid-token").
+		Return(credentialID, contractAddress, nil).
+		Once()
+
+	embeddedWallet := &data.EmbeddedWallet{
+		ContractAddress:      contractAddress,
+		CredentialID:         credentialID,
+		RequiresVerification: true,
+		ReceiverWalletID:     "rw-asset",
+	}
+	mockEmbeddedWalletService.
+		On("GetWalletByCredentialID", mock.Anything, credentialID).
+		Return(embeddedWallet, nil).
+		Once()
+	mockEmbeddedWalletService.
+		On("GetReceiverWalletByID", mock.Anything, "rw-asset").
+		Return(&data.ReceiverWallet{ID: "rw-asset", Status: data.ReadyReceiversWalletStatus}, nil).
+		Once()
+	mockEmbeddedWalletService.
+		On("GetPendingDisbursementAsset", mock.Anything, contractAddress).
+		Return((*data.Asset)(nil), assetErr).
+		Once()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, "/embedded-wallets/passkey/authentication/refresh", strings.NewReader(string(requestBody)))
+	require.NoError(t, err)
+	req.Header.Set("Content-Type", "application/json")
+	http.HandlerFunc(handler.RefreshToken).ServeHTTP(rr, req)
+
+	assert.Equal(t, http.StatusInternalServerError, rr.Result().StatusCode)
+}
+
 func Test_PasskeyHandler_RefreshToken_InvalidRequestBody(t *testing.T) {
 	mockWebAuthnService := walletMocks.NewMockWebAuthnService(t)
 	mockEmbeddedWalletService := servicesMocks.NewMockEmbeddedWalletService(t)
@@ -851,6 +993,27 @@ func Test_PasskeyHandler_RefreshToken_GenerateTokenErrors(t *testing.T) {
 				Return(credentialID, contractAddress, nil).
 				Once()
 
+			embeddedWallet := &data.EmbeddedWallet{
+				ContractAddress:      contractAddress,
+				CredentialID:         credentialID,
+				RequiresVerification: true,
+				ReceiverWalletID:     "rw-2",
+			}
+			mockEmbeddedWalletService.
+				On("GetWalletByCredentialID", mock.Anything, credentialID).
+				Return(embeddedWallet, nil).
+				Once()
+
+			mockEmbeddedWalletService.
+				On("GetReceiverWalletByID", mock.Anything, "rw-2").
+				Return(&data.ReceiverWallet{ID: "rw-2", Status: data.ReadyReceiversWalletStatus}, nil).
+				Once()
+
+			mockEmbeddedWalletService.
+				On("GetPendingDisbursementAsset", mock.Anything, contractAddress).
+				Return((*data.Asset)(nil), nil).
+				Once()
+
 			mockJWTManager.
 				On("GenerateToken", mock.Anything, credentialID, contractAddress, mock.AnythingOfType("time.Time")).
 				Return("", tc.generateError).
@@ -892,12 +1055,23 @@ func Test_PasskeyHandler_RefreshToken_UpdatesContractAddress(t *testing.T) {
 		Return(credentialID, oldContractAddress, nil).
 		Once()
 
+	embeddedWallet := &data.EmbeddedWallet{
+		CredentialID:         credentialID,
+		ContractAddress:      newContractAddress,
+		RequiresVerification: true,
+		ReceiverWalletID:     "rw-3",
+	}
 	mockEmbeddedWalletService.
 		On("GetWalletByCredentialID", mock.Anything, credentialID).
-		Return(&data.EmbeddedWallet{
-			CredentialID:    credentialID,
-			ContractAddress: newContractAddress,
-		}, nil).
+		Return(embeddedWallet, nil).
+		Once()
+	mockEmbeddedWalletService.
+		On("GetReceiverWalletByID", mock.Anything, "rw-3").
+		Return(&data.ReceiverWallet{ID: "rw-3", Status: data.ReadyReceiversWalletStatus}, nil).
+		Once()
+	mockEmbeddedWalletService.
+		On("GetPendingDisbursementAsset", mock.Anything, newContractAddress).
+		Return((*data.Asset)(nil), nil).
 		Once()
 
 	mockJWTManager.
@@ -916,6 +1090,7 @@ func Test_PasskeyHandler_RefreshToken_UpdatesContractAddress(t *testing.T) {
 	err = json.Unmarshal(rr.Body.Bytes(), &respBody)
 	require.NoError(t, err)
 	assert.Equal(t, "refreshed-token-with-address", respBody.Token)
+	assert.True(t, respBody.IsVerificationPending)
 }
 
 func Test_PasskeyHandler_RefreshToken_WalletLookupError(t *testing.T) {

internal/serve/serve.go

@@ -198,7 +198,6 @@ func (opts *ServeOptions) SetupDependencies() error {
 			WebAuthVerifyContractID:   opts.Sep45ContractID,
 			ServerSigningKeypair:      signingKP,
 			BaseURL:                   opts.BaseURL,
-			ClientAttributionRequired: opts.Sep10ClientAttributionRequired,
 			AllowHTTPRetry:            allowHTTPRetry,
 		})
 		if sep45Err != nil {