Harden x402 paid-action example responses

TateLyman · TateLyman · commit b394ad4bcec2 · 2026-05-22T17:14:53.000-05:00
diff --git a/examples/x402-paid-action-receipt/server.js b/examples/x402-paid-action-receipt/server.js
@@ -10,7 +10,10 @@ function dedupeKey(requestId, paymentId) {
 }
 
 function sendJson(res, statusCode, body) {
-  res.writeHead(statusCode, { 'Content-Type': 'application/json' });
+  res.writeHead(statusCode, {
+    'Content-Type': 'application/json',
+    'Cache-Control': 'no-store'
+  });
   res.end(JSON.stringify(body, null, 2));
 }
 
diff --git a/package-lock.json b/package-lock.json
diff --git a/tests/x402-paid-action-receipt.test.js b/tests/x402-paid-action-receipt.test.js
@@ -20,7 +20,7 @@ function postJson(port, path, body) {
           raw += chunk;
         });
         res.on('end', () => {
-          resolve({ statusCode: res.statusCode, body: JSON.parse(raw) });
+          resolve({ statusCode: res.statusCode, headers: res.headers, body: JSON.parse(raw) });
         });
       }
     );
@@ -55,6 +55,7 @@ test('paid-action emits receipt and enforces idempotency', async () => {
 
   const first = await postJson(port, '/paid-action', payload);
   assert.equal(first.statusCode, 200);
+  assert.equal(first.headers['cache-control'], 'no-store');
   assert.equal(first.body.duplicate, false);
   assert.equal(first.body.receipt.request_id, 'req_test_1');
   assert.equal(first.body.receipt.payment_id, 'pay_test_1');
@@ -63,8 +64,29 @@ test('paid-action emits receipt and enforces idempotency', async () => {
 
   const second = await postJson(port, '/paid-action', payload);
   assert.equal(second.statusCode, 200);
+  assert.equal(second.headers['cache-control'], 'no-store');
   assert.equal(second.body.duplicate, true);
   assert.equal(second.body.receipt.receipt_id, first.body.receipt.receipt_id);
 
   await new Promise((resolve, reject) => server.close((err) => (err ? reject(err) : resolve())));
 });
+
+test('paid-action payment errors are not cacheable', async () => {
+  const server = createServer();
+  await new Promise((resolve) => server.listen(0, resolve));
+  const port = server.address().port;
+
+  const res = await postJson(port, '/paid-action', {
+    paid_action_request: {
+      request_id: 'req_missing_payment',
+      action: 'summarize.text',
+      input: { text: 'Payment is intentionally missing.' },
+      payment: { required: true, plan: 'pro', max_amount: '0.05', currency: 'USD' }
+    }
+  });
+
+  assert.equal(res.statusCode, 402);
+  assert.equal(res.headers['cache-control'], 'no-store');
+
+  await new Promise((resolve, reject) => server.close((err) => (err ? reject(err) : resolve())));
+});

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,10 @@ function dedupeKey(requestId, paymentId) {`
`10`	`10`	`}`
`11`	`11`
`12`	`12`	`function sendJson(res, statusCode, body) {`
`13`		`- res.writeHead(statusCode, { 'Content-Type': 'application/json' });`
	`13`	`+ res.writeHead(statusCode, {`
	`14`	`+ 'Content-Type': 'application/json',`
	`15`	`+ 'Cache-Control': 'no-store'`
	`16`	`+ });`
`14`	`17`	`res.end(JSON.stringify(body, null, 2));`
`15`	`18`	`}`
`16`	`19`