From 8d52b1b359f57d6983963a372e8504e7b118f720 Mon Sep 17 00:00:00 2001
From: callebtc <93376500+callebtc@users.noreply.github.com>
Date: Tue, 19 Jul 2022 11:15:11 +0200
Subject: [PATCH 1/6] check description hash
---
 lnbits/core/views/api.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/lnbits/core/views/api.py b/lnbits/core/views/api.py
index 290fd402b..f1a641a1f 100644
--- a/lnbits/core/views/api.py
+++ b/lnbits/core/views/api.py
@@ -317,11 +317,11 @@ async def api_payments_pay_lnurl(
 detail=f"{domain} returned an invalid invoice. Expected {data.amount} msat, got {invoice.amount_msat}.",
 )
- # if invoice.description_hash != data.description_hash:
- # raise HTTPException(
- # status_code=HTTPStatus.BAD_REQUEST,
- # detail=f"{domain} returned an invalid invoice. Expected description_hash == {data.description_hash}, got {invoice.description_hash}.",
- # )
+ if invoice.description_hash != data.description_hash:
+ raise HTTPException(
+ status_code=HTTPStatus.BAD_REQUEST,
+ detail=f"{domain} returned an invalid invoice. Expected description_hash == {data.description_hash}, got {invoice.description_hash}.",
+ )
 extra = {}
From b2a0faf9de0933b5c0aa08761d14681644145eca Mon Sep 17 00:00:00 2001
From: callebtc <93376500+callebtc@users.noreply.github.com>
Date: Tue, 19 Jul 2022 11:21:54 +0200
Subject: [PATCH 2/6] error check for pr
---
 lnbits/core/views/api.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lnbits/core/views/api.py b/lnbits/core/views/api.py
index f1a641a1f..64f34f91a 100644
--- a/lnbits/core/views/api.py
+++ b/lnbits/core/views/api.py
@@ -310,6 +310,12 @@ async def api_payments_pay_lnurl(
 detail=f"{domain} said: '{params.get('reason', '')}'",
 )
+ if not params.get("pr"):
+ raise HTTPException(
+ status_code=HTTPStatus.BAD_REQUEST,
+ detail=f"{domain} did not return a payment request.",
+ )
+
 invoice = bolt11.decode(params["pr"])
 if invoice.amount_msat != data.amount:
 raise HTTPException(
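Review bot: The expected value in the re-enabled comparison (`@@ -317,11 +317,11 @@` hunk of patch 1/6) is `data.description_hash`, which comes from the request body, so the check ties the invoice to whatever the caller sent rather than to metadata the server fetched itself. That deserves a comment above the `if`, for example `# description_hash is caller-supplied: the client must derive it from the LNURL metadata it showed the user.` The same hunk is re-applied in patch 6/6. The body of api_payments_pay_lnurl starts and ends outside the hunk, so how `data` is validated beforehand is not visible here.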
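Review bot: A non-empty but malformed `pr` still reaches `bolt11.decode(params["pr"])` directly after the new guard (`@@ -310,6 +310,12 @@` hunk of patch 2/6), and nothing visible in the hunk catches a decode failure. A bad response from the remote service would therefore presumably surface as an unhandled exception instead of the 400 used for the other error cases. Wrapping the decode and mapping a failure to `HTTPStatus.BAD_REQUEST` keeps the handling consistent; the exception type `bolt11.decode` raises is not visible here, so narrow the `except` to it. The same hunk is re-applied in patch 6/6, and api_payments_pay_lnurl starts and ends outside it.

```python
    # … unchanged: the added `if not params.get("pr")` guard …

    try:
        invoice = bolt11.decode(params["pr"])
    except Exception as exc:  # narrow to the error type bolt11.decode raises
        raise HTTPException(
            status_code=HTTPStatus.BAD_REQUEST,
            detail=f"{domain} returned a payment request that could not be decoded.",
        ) from exc
```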
From 694124b5d6d9ef2341b88fd72d9facc2b8d99694 Mon Sep 17 00:00:00 2001
From: callebtc <93376500+callebtc@users.noreply.github.com>
Date: Tue, 19 Jul 2022 11:27:32 +0200
Subject: [PATCH 3/6] require admin
---
 lnbits/core/views/api.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lnbits/core/views/api.py b/lnbits/core/views/api.py
index 64f34f91a..3a34513d8 100644
--- a/lnbits/core/views/api.py
+++ b/lnbits/core/views/api.py
@@ -284,7 +284,7 @@ class CreateLNURLData(BaseModel):
 @core_app.post("/api/v1/payments/lnurl")
 async def api_payments_pay_lnurl(
- data: CreateLNURLData, wallet: WalletTypeInfo = Depends(get_key_type)
+ data: CreateLNURLData, wallet: WalletTypeInfo = Depends(require_admin_key)
 ):
 domain = urlparse(data.callback).netloc
From 462fffbeaad2d668f3426c3862fc7900da08a834 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?dni=20=E2=9A=A1?=
Date: Mon, 25 Jul 2022 15:08:30 +0200
Subject: [PATCH 4/6] .gitignore coverage.xml + do not delete mock_data.zip (#779)
* add coverage.xml to gitignore
* fix deleting mock_data.zip
Co-authored-by: dni
---
 .gitignore | 1 +
 Makefile | 7 ++-----
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/.gitignore b/.gitignore
index 5b6199125..855e8737a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,6 +31,7 @@ venv
 __bundle__
+coverage.xml
 node_modules
 lnbits/static/bundle.*
 docker
diff --git a/Makefile b/Makefile
index 5cc3f0509..2873ae774 100644
--- a/Makefile
+++ b/Makefile
@@ -17,7 +17,7 @@ mypy: $(shell find lnbits -name "*.py")
 ./venv/bin/mypy lnbits/core
 ./venv/bin/mypy lnbits/extensions/*
-isort: $(shell find lnbits -name "*.py")
+isort: $(shell find lnbits -name "*.py")
 ./venv/bin/isort --profile black lnbits
 checkprettier: $(shell find lnbits -name "*.js" -name ".html")
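Review bot: The switch to `Depends(require_admin_key)` in patch 3/6 carries no comment saying why this endpoint needs the admin key, and patch 5/6 of this series flips it back to `get_key_type` as a side effect of an unrelated revert. A one-line comment above the signature, for example `# Spends from the wallet: admin key required, an invoice key must be rejected.`, would make the intent visible to the next editor. The function body lies outside the hunk, so how `wallet` is used afterwards is not visible here. The same line is re-applied in patch 6/6.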
@@ -36,7 +36,6 @@ requirements.txt: Pipfile.lock
 cat Pipfile.lock | jq -r '.default | map_values(.version) | to_entries | map("\(.key)\(.value)") | join("\n")' > requirements.txt
 test:
- rm -rf ./tests/data
 mkdir -p ./tests/data
 LNBITS_BACKEND_WALLET_CLASS="FakeWallet" \
 FAKE_WALLET_SECRET="ToTheMoon1" \
@@ -45,14 +44,12 @@ test:
 ./venv/bin/pytest --durations=1 -s --cov=lnbits --cov-report=xml tests
 test-real-wallet:
- rm -rf ./tests/data
 mkdir -p ./tests/data
 LNBITS_DATA_FOLDER="./tests/data" \
 PYTHONUNBUFFERED=1 \
- ./venv/bin/pytest --durations=1 -s --cov=lnbits --cov-report=xml tests
+ ./venv/bin/pytest --durations=1 -s --cov=lnbits --cov-report=xml tests
 test-pipenv:
- rm -rf ./tests/data
 mkdir -p ./tests/data
 LNBITS_BACKEND_WALLET_CLASS="FakeWallet" \
 FAKE_WALLET_SECRET="ToTheMoon1" \
From b708950b93cd126f1b8c34898ac0507de1f151fc Mon Sep 17 00:00:00 2001
From: Arc <33088785+arcbtc@users.noreply.github.com>
Date: Mon, 25 Jul 2022 15:32:59 +0100
Subject: [PATCH 5/6] Revert "LNURLp: check description hash"
---
 lnbits/core/views/api.py | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)
diff --git a/lnbits/core/views/api.py b/lnbits/core/views/api.py
index bc3e759fa..9fee6063d 100644
--- a/lnbits/core/views/api.py
+++ b/lnbits/core/views/api.py
@@ -279,7 +279,7 @@ class CreateLNURLData(BaseModel):
 @core_app.post("/api/v1/payments/lnurl")
 async def api_payments_pay_lnurl(
- data: CreateLNURLData, wallet: WalletTypeInfo = Depends(require_admin_key)
+ data: CreateLNURLData, wallet: WalletTypeInfo = Depends(get_key_type)
 ):
 domain = urlparse(data.callback).netloc
@@ -305,12 +305,6 @@ async def api_payments_pay_lnurl(
 detail=f"{domain} said: '{params.get('reason', '')}'",
 )
- if not params.get("pr"):
- raise HTTPException(
- status_code=HTTPStatus.BAD_REQUEST,
- detail=f"{domain} did not return a payment request.",
- )
-
 invoice = bolt11.decode(params["pr"])
 if invoice.amount_msat != data.amount:
 raise HTTPException(
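Review bot: Dropping `rm -rf ./tests/data` from `test` (and from `test-real-wallet` and `test-pipenv` in the `@@ -45,14 +44,12 @@` hunk) keeps mock_data.zip but also keeps every other file an earlier run left in ./tests/data, so a run can start from stale state. If that directory holds per-run data such as a database, a selective cleanup after `mkdir -p ./tests/data`, for example `find ./tests/data -type f ! -name mock_data.zip -delete`, preserves the archive and still resets the rest. What else lives in ./tests/data is not visible in this patch.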
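Review bot: The revert in patch 5/6 removes more than the description-hash check named in its subject. Its first hunk (`@@ -279,7 +279,7 @@`) puts `Depends(get_key_type)` back on the endpoint that pays an LNURL, and its second (`@@ -305,12 +305,6 @@`) drops the `pr` presence check, so `params["pr"]` would presumably raise `KeyError` again when the service omits the field. If only the hash comparison has to be disabled (third hunk, `@@ -318,11 +312,11 @@`), keep `wallet: WalletTypeInfo = Depends(require_admin_key)` and the `if not params.get("pr"):` block. Patch 6/6 restores all three, but any build taken at this commit has the weaker key requirement.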
@@ -318,11 +312,11 @@ async def api_payments_pay_lnurl(
 detail=f"{domain} returned an invalid invoice. Expected {data.amount} msat, got {invoice.amount_msat}.",
 )
- if invoice.description_hash != data.description_hash:
- raise HTTPException(
- status_code=HTTPStatus.BAD_REQUEST,
- detail=f"{domain} returned an invalid invoice. Expected description_hash == {data.description_hash}, got {invoice.description_hash}.",
- )
+ # if invoice.description_hash != data.description_hash:
+ # raise HTTPException(
+ # status_code=HTTPStatus.BAD_REQUEST,
+ # detail=f"{domain} returned an invalid invoice. Expected description_hash == {data.description_hash}, got {invoice.description_hash}.",
+ # )
 extra = {}
From 2d46eda5f55515dfa9e3682f1848b7d7d9f3227c Mon Sep 17 00:00:00 2001
From: Arc <33088785+arcbtc@users.noreply.github.com>
Date: Mon, 25 Jul 2022 15:54:49 +0100
Subject: [PATCH 6/6] Revert "Revert "LNURLp: check description hash""
---
 lnbits/core/views/api.py | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/lnbits/core/views/api.py b/lnbits/core/views/api.py
index 9fee6063d..bc3e759fa 100644
--- a/lnbits/core/views/api.py
+++ b/lnbits/core/views/api.py
@@ -279,7 +279,7 @@ class CreateLNURLData(BaseModel):
 @core_app.post("/api/v1/payments/lnurl")
 async def api_payments_pay_lnurl(
- data: CreateLNURLData, wallet: WalletTypeInfo = Depends(get_key_type)
+ data: CreateLNURLData, wallet: WalletTypeInfo = Depends(require_admin_key)
 ):
 domain = urlparse(data.callback).netloc
@@ -305,6 +305,12 @@ async def api_payments_pay_lnurl(
 detail=f"{domain} said: '{params.get('reason', '')}'",
 )
+ if not params.get("pr"):
+ raise HTTPException(
+ status_code=HTTPStatus.BAD_REQUEST,
+ detail=f"{domain} did not return a payment request.",
+ )
+
 invoice = bolt11.decode(params["pr"])
 if invoice.amount_msat != data.amount:
 raise HTTPException(
@@ -312,11 +318,11 @@ async def api_payments_pay_lnurl(
 detail=f"{domain} returned an invalid invoice. Expected {data.amount} msat, got {invoice.amount_msat}.",
 )
- # if invoice.description_hash != data.description_hash:
- # raise HTTPException(
- # status_code=HTTPStatus.BAD_REQUEST,
- # detail=f"{domain} returned an invalid invoice. Expected description_hash == {data.description_hash}, got {invoice.description_hash}.",
- # )
+ if invoice.description_hash != data.description_hash:
+ raise HTTPException(
+ status_code=HTTPStatus.BAD_REQUEST,
+ detail=f"{domain} returned an invalid invoice. Expected description_hash == {data.description_hash}, got {invoice.description_hash}.",
+ )
 extra = {}