Val Town Code SearchReturn to Val Town

74    echo "🚀 Next steps:"
75    echo "  • Deploy to Val Town: ./scripts/deploy.sh"
76    echo "  • Test API manually: ./scripts/test-api.sh"
77    exit 0
78else

38fi
39
40# Deploy HTTP API
41echo "2/3 Deploying anchorAPI (HTTP function)..."
42if vt create http anchorAPI --file src/api/anchor-api.ts; then
43    echo "✅ anchorAPI deployed successfully"
44    API_URL=$(vt url anchorAPI)
45    echo "📍 API available at: $API_URL"
46else
47    echo "❌ Failed to deploy anchorAPI"
48    exit 1
49fi
63echo "📋 Deployment Summary:"
64echo "├── jetstreamPoller: Runs every 5 minutes to ingest check-ins"
65echo "├── anchorAPI: HTTP API for feeds and queries"
66echo "└── socialGraphSync: Runs daily at 2 AM UTC to sync social graph"
67echo ""
68echo "🔍 Next steps:"
69echo "1. Test the API: ./scripts/test-api.sh"
70echo "2. Monitor logs: vt logs <function-name>"
71echo "3. Check function status: vt list"
72echo ""
73echo "📍 API URL: $API_URL"

15  <script src="https://esm.town/v/std/catch"></script>
16  <style>
17        @import url('https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap');
18
19        * {
87        // Endpoints
88        const SERVER_URL = 'https://6cda888e-d01d-4bd6-8bc7-ab237d4223f3-00-sjg2kdsts2w2.spock.replit.dev';
89        const NONCE_PATH = '/api/create-payment-nonce';
90        const HASH_PATH = '/api/create-payment-hash';
91        const BOOKING_TOKEN_PATH = '/api/generate-booking-token';
92        const NONCE_ENDPOINT = SERVER_URL + NONCE_PATH;
93        const HASH_ENDPOINT = SERVER_URL + HASH_PATH;
353                customerReference: generateGUID(),
354                displayMode: '0',
355                apikey: '',
356                username: '',
357                password: '',
359                timestamp: getTimestamp(),
360                email_verify: '', // 🍯
361                backendApiKey: 'demo_api_key_12345', // Enhanced security: Backend API key for dual auth
362          });
363
377          useEffect(() => {
378                setFingerprintPayload({
379                        apikey: formData.apikey,
380                        username: formData.username,
381                        password: formData.password,
416
417          const areCredentialsComplete = () => {
418                  return formData.apikey && formData.username && formData.password && formData.backendApiKey;
419          };
420
494                  console.log('🔍 Fingerprint payload for hash:', fingerprintPayload);
495
496                  const apiResponse = await fetch(HASH_ENDPOINT, {
497                        method: 'POST',
498                        headers: {
499                          'Content-Type': 'application/json',
500                          'Authorization': 'Bearer ' + formData.backendApiKey, // Enhanced security: API key required
501                          'X-Payment-Nonce': nonce,
502                          'Origin': window.location.origin,
507                  });
508
509                  if (!apiResponse.ok) {
510                        const errorText = await apiResponse.text();
511                        let errorMsg;
512                        try {
513                          const errorData = JSON.parse(errorText);
514                          errorMsg = errorData.error || 'Hash API failed';
515                        } catch {
516                          errorMsg = 'Hash API returned ' + apiResponse.status;
517                        }
518                        throw new Error(errorMsg);
519                  }
520
521                  const hashData = await apiResponse.json();
522                  hash = hashData.hash;
523                  console.log('✅ Hash received successfully 👇');
526                } catch (err) {
527                  const msg = err instanceof Error ? err.message : String(err);
528                  setPayError('Hash API failed: ' + msg);
529                  console.error('❌ Hash API failed:', msg);
530                  setIsProcessing(false);
531                  prefetchNewNonce();
537                  const paymentPayload = {
538                        merchantCode: MERCHANT_CODE,
539                        apiKey: formData.apikey,
540                        fingerprint: hash,
541                        redirectUrl: window.location.href + '/redirect?',
639                          key: 'title',
640                          className: "text-xl font-semibold mb-4"
641                        }, '🔑 API Credentials'),
642                        React.createElement('div', {
643                          key: 'inputs',
645                        }, [
646                          React.createElement(Input, {
647                                key: 'apikey',
648                                label: "Payment Gateway API Key",
649                                name: "apikey",
650                                value: formData.apikey,
651                                onChange: handleInputChange,
652                                icon: "🔑"
653                          }),
654                          React.createElement(Input, {
655                                key: 'backendApiKey',
656                                label: "Backend API Key (Security)",
657                                name: "backendApiKey",
658                                value: formData.backendApiKey,
659                                onChange: handleInputChange,
660                                icon: "🛡️"
753                          variant: 'warning',
754                          className: "mb-4"
755                        }, 'Please enter both Payment Gateway and Backend API credentials to enable tour selection'),
756                        areCredentialsComplete() && React.createElement(Alert, {
757                          key: 'security-info',
758                          variant: 'info',
759                          className: "mb-4"
760                        }, '🛡️ Enhanced Security: This demo uses dual authentication (nonce + API key) to prevent payment fingerprint harvesting attacks'),
761                        React.createElement('div', {
762                          key: 'tours-grid',

23/**
24 * Dynamic schema validation service that validates requests/responses 
25 * against OpenAPI schemas for complete automation
26 */
27export class SchemaValidationService {
29
30  /**
31   * Load schemas from OpenAPI specification
32   */
33  static loadSchemas(openApiSpec: any): void {
34    if (openApiSpec.components?.schemas) {
35      this.schemas = openApiSpec.components.schemas;
36      logger.info("Schemas loaded for validation", { 
37        schemaCount: Object.keys(this.schemas).length 
47    method: string, 
48    body: any, 
49    openApiSpec: any
50  ): ValidationResult {
51    try {
52      const pathSpec = openApiSpec.paths?.[endpoint]?.[method.toLowerCase()];
53      if (!pathSpec?.requestBody?.content?.['application/json']?.schema) {
54        return { valid: true, errors: [] }; // No schema to validate against
71    statusCode: number,
72    response: any,
73    openApiSpec: any
74  ): ValidationResult {
75    try {
76      const pathSpec = openApiSpec.paths?.[endpoint]?.[method.toLowerCase()];
77      const responseSpec = pathSpec?.responses?.[statusCode.toString()]?.content?.['application/json']?.schema;
78      
89
90  /**
91   * Core validation logic against OpenAPI schema
92   */
93  private static validateAgainstSchema(
269
270  /**
271   * Get rate limit from OpenAPI path specification
272   */
273  static extractRateLimit(pathSpec: any): number | null {
281   */
282  static requiresAuthentication(pathSpec: any): {
283    requiresApiKey: boolean;
284    requiresNonce: boolean;
285  } {
286    const security = pathSpec?.security || [];
287    
288    let requiresApiKey = false;
289    let requiresNonce = false;
290
291    for (const securityReq of security) {
292      if (securityReq.ApiKeyAuth) {
293        requiresApiKey = true;
294      }
295      if (securityReq.NonceAuth) {
298    }
299
300    return { requiresApiKey, requiresNonce };
301  }
302}

91      const origin = request.headers.get("origin") || "";
92
93      // Validate API key first (critical security - payment credentials involved)
94      const apiValidation = AuthService.validateApiKey(request);
95      if (!apiValidation.valid) {
96        logger.warn("Unauthorized payment hash creation attempt", {
97          ip,
98          error: apiValidation.error,
99          userAgent: request.headers.get("user-agent") || "unknown"
100        });
101        
102        return addCorsHeaders(
103          new Response(JSON.stringify({ error: apiValidation.error }), {
104            status: 401,
105            headers: { "Content-Type": "application/json" }
195      // Generate payment hash
196      const paymentRequest: PaymentHashRequest = {
197        apikey: body.apikey,
198        mode: body.mode,
199        paymentAmount: body.paymentAmount,
325      // Parse request body
326      const body = await request.json();
327      const { apikey, username, password, mode, paymentAmount, merchantUniquePaymentId, timestamp } = body;
328
329      // Validate all required parameters
330      const requiredFields = ['apikey', 'username', 'password', 'mode', 'paymentAmount', 'merchantUniquePaymentId', 'timestamp'];
331      const missingFields = requiredFields.filter(field => !body[field]);
332
344      // Create payment request with custom credentials
345      const paymentRequest: PaymentHashRequest = {
346        apikey,
347        mode,
348        paymentAmount,

1openapi: 3.0.3
2info:
3  title: Secure Payment API
4  description: |
5    A secure payment API backend with token-based authentication, nonce-based security, 
6    and comprehensive security controls. Designed to prevent mass harvesting of payment 
7    fingerprints while maintaining secure shareable booking links.
9    ## Security Architecture
10    - **Booking Access**: 256-bit secure tokens (24-hour expiry)
11    - **Payment Security**: Nonce-based authentication with API key requirement
12    - **Webhook Security**: API key authentication (header or query string)
13    - **Rate Limiting**: Per-endpoint throttling (5-20 req/min)
14    - **CORS Protection**: Origin validation and security headers
15  version: 1.0.0
16  contact:
17    name: API Support
18    email: api-support@yourdomain.com
19  license:
20    name: MIT
22
23servers:
24  - url: https://api.yourdomain.com
25    description: Production server
26  - url: https://staging-api.yourdomain.com
27    description: Staging server
28  - url: http://localhost:5000
30
31security:
32  - ApiKeyAuth: []
33  - NonceAuth: []
34
36  /:
37    get:
38      summary: API documentation redirect
39      description: Redirects to the interactive API documentation
40      tags:
41        - Documentation
43      responses:
44        '302':
45          description: Redirect to API documentation
46          headers:
47            Location:
48              schema:
49                type: string
50                example: "/api/docs"
51
52  /api/docs:
53    get:
54      summary: Interactive API documentation
55      description: |
56        Modern Swagger UI interface with comprehensive documentation, 
61      responses:
62        '200':
63          description: API documentation page
64          content:
65            text/html:
70    get:
71      summary: Health check endpoint
72      description: Returns the health status of the API and all components
73      tags:
74        - System
76      responses:
77        '200':
78          description: API is healthy
79          content:
80            application/json:
108          $ref: '#/components/responses/NotFound'
109
110  /api/generate-booking-token:
111    post:
112      summary: Generate secure booking token (Admin)
113      description: |
114        Generate a new secure booking token for creating shareable links.
115        **Requires API key authentication**.
116      tags:
117        - Bookings
118        - Admin
119      security:
120        - ApiKeyAuth: []
121      requestBody:
122        required: true
141          $ref: '#/components/responses/TooManyRequests'
142
143  /api/create-payment-nonce:
144    post:
145      summary: Generate payment nonce
171          $ref: '#/components/responses/TooManyRequests'
172
173  /api/create-payment-hash:
174    post:
175      summary: Create payment fingerprint
176      description: |
177        Exchange valid nonce for payment gateway fingerprint.
178        **CRITICAL SECURITY**: Requires both nonce and API key authentication.
179        Server injects payment credentials securely.
180      tags:
181        - Payment
182      security:
183        - ApiKeyAuth: []
184        - NonceAuth: []
185      requestBody:
207          $ref: '#/components/responses/TooManyRequests'
208
209  /api/generate-payment-hash:
210    post:
211      summary: Generate payment hash with custom credentials (Public Service)
212      description: |
213        Public service endpoint for generating SHA3-512 payment hashes using custom credentials.
214        Users provide their own apikey, username, password, and payment details.
215        **No authentication required** - designed as a public hash generation service.
216        **Rate Limited**: 10 requests per minute per IP.
236          $ref: '#/components/responses/TooManyRequests'
237
238  /api/v1/payment/refresh:
239    post:
240      summary: Refresh payment session
265          $ref: '#/components/responses/TooManyRequests'
266
267  /api/v1/turnstile/verify:
268    post:
269      summary: Verify Cloudflare Turnstile token
297      description: |
298        Accepts any JSON payload for webhook processing.
299        **Requires API key authentication** (header or query string).
300        Returns processing confirmation with audit details.
301      tags:
302        - Webhooks
303      security:
304        - ApiKeyAuth: []
305      requestBody:
306        required: true
330      description: |
331        Identical to webhook endpoint for maximum flexibility.
332        **Requires API key authentication** (header or query string).
333      tags:
334        - Webhooks
335      security:
336        - ApiKeyAuth: []
337      requestBody:
338        required: true
357          $ref: '#/components/responses/TooManyRequests'
358
359  /openapi.yaml:
360    get:
361      summary: OpenAPI specification
362      description: Raw OpenAPI 3.0.3 specification in YAML format
363      tags:
364        - Documentation
366      responses:
367        '200':
368          description: OpenAPI specification
369          content:
370            application/yaml:
374components:
375  securitySchemes:
376    ApiKeyAuth:
377      type: apiKey
378      in: header
379      name: Authorization
380      description: |
381        API key authentication using Bearer token format.
382        
383        **Header**: `Authorization: Bearer {api_key}`
384        
385        **Query Parameter**: `?api_key={api_key}` (fallback)
386        
387        Required for payment hash creation and webhook endpoints.
388
389    NonceAuth:
390      type: apiKey
391      in: header
392      name: X-Payment-Nonce
550      type: object
551      properties:
552        apikey:
553          type: string
554          description: Payment gateway API key
555          example: 'LFc3-qneWUmL2bIWSSZZGA'
556        mode:
575          example: '2024-01-01T10:00:00'
576      required:
577        - apikey
578        - mode
579        - paymentAmount
584      type: object
585      properties:
586        apikey:
587          type: string
588          description: Payment gateway API key
589          example: 'LFc3-qneWUmL2bIWSSZZGA'
590        username:
617          example: '2024-01-01T10:00:00'
618      required:
619        - apikey
620        - username
621        - password
635          type: string
636          example: 'DEMO-MERCHANT'
637        apiKey:
638          type: string
639          example: 'LFc3-qneWUmL2bIWSSZZGA'
658        - fingerprint
659        - merchantCode
660        - apiKey
661        - redirectUrl
662        - mode
851tags:
852  - name: Documentation
853    description: API documentation and specification endpoints
854  - name: System
855    description: System health and status endpoints
863    description: Generic webhook and callback processing
864  - name: Admin
865    description: Administrative endpoints requiring API key authentication

1# Secure Payment API Documentation
2
3## Overview
4
5This secure payment API solves the critical problem of **payment fingerprint harvesting** while maintaining the business requirement of publicly shareable booking links. The system implements a multi-layered security architecture with token-based booking access and nonce-based payment protection.
6
7## The Core Problem
30    D --> E[Payment Button Click]
31    E --> F[Nonce Generation]
32    F --> G[API Key + Nonce Validation]
33    G --> H[Payment Fingerprint Creation]
34    H --> I[Single-Use Protection]
38
391. **Token-Based Booking Access** - 256-bit cryptographically secure tokens replace direct booking ID access
402. **Dual Authentication for Payments** - API key + nonce requirement for payment fingerprint creation
413. **Single-Use Nonces** - IP-bound, 15-minute expiry, marked as used immediately
424. **Environment Protection** - Server fails to start without required credentials
435. **Rate Limiting** - Per-endpoint throttling prevents abuse
446. **Input Validation** - Dynamic schema validation against OpenAPI specifications
45
46## File Structure & Purpose
54│   └── schema.ts               # Database schema with booking tokens & security tables
55├── gateway/
56│   └── apiGateway.ts           # Centralized entry point - all routing & security control
57├── handlers/
58│   ├── bookingHandler.ts       # Token-based booking access & token generation
65│   └── security.ts             # Pattern detection & suspicious activity monitoring
66├── services/
67│   ├── authService.ts          # Token generation & API key validation
68│   ├── nonceService.ts         # Cryptographically secure nonce management
69│   ├── paymentService.ts       # SHA3-512 fingerprint generation with server credentials
70│   ├── schemaValidationService.ts # Dynamic OpenAPI schema validation
71│   └── validationService.ts    # Input sanitization & format validation
72├── types/
74└── utils/
75    ├── logger.ts               # Structured security event logging
76    ├── openApiLoader.ts        # Dynamic OpenAPI specification loading
77    └── sanitizer.ts            # SQL injection prevention utilities
78```
84    participant S as Server Start
85    participant E as Environment
86    participant G as API Gateway
87    participant D as Database
88    participant O as OpenAPI Loader
89    participant L as Logger
90
91    S->>E: Validate Required Secrets
92    Note over E: PAYMENT_USERNAME, PAYMENT_PASSWORD,<br/>MERCHANT_CODE, API_KEY
93    E-->>S: ✅ Secrets Valid or ❌ Exit(1)
94    
95    S->>G: Initialize API Gateway
96    G->>D: Initialize Database
97    D->>D: Create Tables & Indexes
99    D-->>G: ✅ Database Ready
100    
101    G->>O: Load OpenAPI Spec
102    O->>O: Parse YAML & Validate
103    O->>O: Extract Endpoints & Security
145    G->>H: Route to Handler
146    H->>H: Authentication Check
147    Note over H: API Key / Token / Nonce
148    H->>DB: Database Operations
149    DB-->>H: Query Results
167
168    Note over A,DB: Token Generation (Admin)
169    A->>S: POST /api/generate-booking-token
170    Note over S: API Key Required
171    S->>S: Validate API Key
172    S->>S: Generate 256-bit Token
173    S->>DB: Store Token + Booking ID + Expiry
183
184**Client Requirements:**
185- **Admin**: Must provide API key in `Authorization: Bearer {key}` header
186- **Public Users**: No authentication required - just use the token URL
187
196
197    Note over C,PG: Phase 1: Nonce Generation
198    C->>S: POST /api/create-payment-nonce
199    Note over S: Rate Limited: 5 req/min
200    S->>S: Validate Booking ID
204
205    Note over C,PG: Phase 2: Payment Fingerprint Creation
206    C->>S: POST /api/create-payment-hash
207    Note over S: Dual Auth: API Key + Nonce
208    S->>S: Validate API Key
209    S->>S: Validate Nonce (exists, unused, not expired, IP match)
210    S->>DB: Mark Nonce as USED
221- **Nonce Request**: Provide valid `bookingId` in request body
222- **Payment Hash**: Must include both:
223  - `Authorization: Bearer {api_key}` header
224  - `X-Payment-Nonce: {nonce}` header
225  - Valid payment data (amount, merchantUniquePaymentId, timestamp)
234
235    Note over C,DB: Payment Failed - Need Fresh Session
236    C->>S: POST /api/v1/payment/refresh
237    S->>S: Validate Booking ID
238    S->>DB: Invalidate Existing Nonces for Booking
243```
244
245## API Reference
246
247### Booking Endpoints
258```
259
260#### POST /api/generate-booking-token
261**Purpose**: Generate secure shareable booking links (Admin only)
262**Authentication**: API Key required
263**Security**: Prevents unauthorized token generation
264
265```javascript
266// Admin Usage
267const response = await fetch('/api/generate-booking-token', {
268  method: 'POST',
269  headers: {
270    'Authorization': 'Bearer your_api_key',
271    'Content-Type': 'application/json'
272  },
278### Payment Endpoints
279
280#### POST /api/create-payment-nonce
281**Purpose**: Generate single-use nonce for payment attempts
282**Authentication**: None (rate limited)
285```javascript
286// Frontend Usage
287const response = await fetch('/api/create-payment-nonce', {
288  method: 'POST',
289  headers: { 'Content-Type': 'application/json' },
293```
294
295#### POST /api/create-payment-hash
296**Purpose**: Exchange nonce for payment fingerprint
297**Authentication**: API Key + Nonce required
298**Security**: Dual authentication prevents unauthorized access
299
300```javascript
301// Frontend Usage - CRITICAL SECURITY
302const response = await fetch('/api/create-payment-hash', {
303  method: 'POST',
304  headers: {
305    'Authorization': 'Bearer your_api_key',
306    'X-Payment-Nonce': nonce,
307    'Content-Type': 'application/json'
308  },
309  body: JSON.stringify({
310    apikey: 'payment_gateway_key',
311    mode: '0',
312    paymentAmount: '1200.00',
318```
319
320#### POST /api/v1/payment/refresh
321**Purpose**: Refresh payment session after failures
322**Authentication**: None (rate limited)
325```javascript
326// Frontend Usage - After Payment Failure
327const response = await fetch('/api/v1/payment/refresh', {
328  method: 'POST',
329  headers: { 'Content-Type': 'application/json' },
335### Security Endpoints
336
337#### POST /api/v1/turnstile/verify
338**Purpose**: Verify Cloudflare Turnstile CAPTCHA token
339**Authentication**: None (rate limited)
342```javascript
343// Frontend Usage
344const response = await fetch('/api/v1/turnstile/verify', {
345  method: 'POST',
346  headers: { 'Content-Type': 'application/json' },
381```javascript
382class SecurePaymentFlow {
383  constructor(apiKey) {
384    this.apiKey = apiKey;
385  }
386
388    try {
389      // Step 1: Generate nonce
390      const nonceResponse = await fetch('/api/create-payment-nonce', {
391        method: 'POST',
392        headers: { 'Content-Type': 'application/json' },
396
397      // Step 2: Create payment hash with dual authentication
398      const hashResponse = await fetch('/api/create-payment-hash', {
399        method: 'POST',
400        headers: {
401          'Authorization': `Bearer ${this.apiKey}`,
402          'X-Payment-Nonce': nonce,
403          'Content-Type': 'application/json'
404        },
405        body: JSON.stringify({
406          apikey: 'payment_gateway_key',
407          mode: '0',
408          paymentAmount: amount,
451### POST /webhook
452**Purpose**: Process any JSON payload from external systems
453**Authentication**: API Key required
454**Usage**: Third-party system notifications
455
456### POST /callback
457**Purpose**: Identical to webhook for maximum flexibility  
458**Authentication**: API Key required
459**Usage**: Payment gateway callbacks, external service notifications
460
468PAYMENT_PASSWORD=your_payment_gateway_password  
469MERCHANT_CODE=your_merchant_code
470API_KEY=your_secure_api_key_256_bit
471```
472

58  REDIRECT_URL: getEnvVar("REDIRECT_URL", "https://yourdomain.com/payment/results"),
59
60  // API authentication
61  WEBHOOK_SECRET: getEnvVarOptional("WEBHOOK_SECRET", "webhook_secret_2024"),
62  SESSION_SECRET: getEnvVarOptional("SESSION_SECRET", "session_secret_2024"),

5import { FlashControls } from './FlashControls.tsx';
6import { serialService } from '../services/serialService.ts';
7import { apiClient } from '../services/api.ts';
8import { FirmwareInfo, DeviceInfo, FlashProgress } from '../../shared/types.ts';
9
39      
40      // Load firmware list
41      const firmwareResult = await apiClient.getFirmwareList();
42      if (firmwareResult.success && firmwareResult.data) {
43        setState(prev => ({ 
115      
116      // Download firmware
117      const downloadResult = await apiClient.downloadFirmware(state.selectedFirmware.name);
118      if (!downloadResult.success || !downloadResult.data) {
119        throw new Error(downloadResult.error || 'Failed to download firmware');
147      setState(prev => ({ ...prev, error: null }));
148      
149      const result = await apiClient.convertElfToBin(file, chipType);
150      if (result.success) {
151        // In a real implementation, you'd handle the converted binary
280        </div>
281
282        {/* Web Serial API Support Check */}
283        {!serialService.constructor.isSupported() && (
284          <div className="mt-8 bg-yellow-50 border border-yellow-200 rounded-lg p-6">
289              <div className="ml-3">
290                <h3 className="text-sm font-medium text-yellow-800">
291                  Web Serial API Not Supported
292                </h3>
293                <div className="mt-2 text-sm text-yellow-700">
294                  <p>
295                    Your browser doesn't support the Web Serial API. Please use a supported browser:
296                  </p>
297                  <ul className="list-disc list-inside mt-2">

1import { serve } from "https://deno.land/std@0.208.0/http/server.ts";
2import { ApiGateway } from "./src/gateway/apiGateway.ts";
3import { environment } from "./src/config/environment.ts";
4
5// Initialize the centralized API Gateway
6const gateway = new ApiGateway();
7await gateway.initialize();
8
9// Centralized router function - delegates to API Gateway
10async function router(request: Request): Promise<Response> {
11  return await gateway.handleRequest(request);