From 036e45d77c9a1e633615830bbb10ac0c57d34a72 Mon Sep 17 00:00:00 2001
From: Pac
Date: Fri, 28 May 2021 03:11:42 -0300
Subject: [PATCH] Enforce https on Success URL for lnurlp
---
 lnbits/extensions/lnurlp/views_api.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lnbits/extensions/lnurlp/views_api.py b/lnbits/extensions/lnurlp/views_api.py
index de36345a5..cbe1bc4e2 100644
--- a/lnbits/extensions/lnurlp/views_api.py
+++ b/lnbits/extensions/lnurlp/views_api.py
@@ -87,6 +87,9 @@ async def api_link_create_or_update(link_id=None):
 round(g.data["min"]) != g.data["min"] or round(g.data["max"]) != g.data["max"]
 ):
 return jsonify({"message": "Must use full satoshis."}), HTTPStatus.BAD_REQUEST
+
+ if g.data["success_url"][:8] != "https://":
+ return jsonify({"message": "Success URL must be secure https://..."}), HTTPStatus.BAD_REQUEST
 if link_id:
 link = await get_pay_link(link_id)
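Review bot: The added check indexes `g.data["success_url"]` directly, so a request that omits the field would raise `KeyError` and surface as a server error instead of a 400; whether the request schema marks the field as required is not visible in this hunk. If it is optional, test for presence first, e.g. `url = g.data.get("success_url")` followed by `if url and not url.lower().startswith("https://"):`. The `[:8]` comparison is also case-sensitive and only inspects the prefix, so it does not confirm that the value parses as a URL with a host; parsing the value and checking its scheme would be stricter. `api_link_create_or_update` begins and ends outside the hunk.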