From 40f2697675ec02a46841bcbbca5aa094da8d8e3d Mon Sep 17 00:00:00 2001
From: ekzyis <ek@stacker.news>
Date: Sat, 13 Jan 2024 05:22:00 +0100
Subject: [PATCH] Disallow automated withdrawals to same node

---
 api/resolvers/wallet.js | 15 ++++++++++++++-
 lib/validate.js         |  6 ++----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/api/resolvers/wallet.js b/api/resolvers/wallet.js
index 32d6e981..3e427dc1 100644
--- a/api/resolvers/wallet.js
+++ b/api/resolvers/wallet.js
@@ -1,4 +1,4 @@
-import { createHodlInvoice, createInvoice, decodePaymentRequest, payViaPaymentRequest, cancelHodlInvoice, getInvoice as getInvoiceFromLnd, getNode } from 'ln-service'
+import { getIdentity, createHodlInvoice, createInvoice, decodePaymentRequest, payViaPaymentRequest, cancelHodlInvoice, getInvoice as getInvoiceFromLnd, getNode } from 'ln-service'
 import { GraphQLError } from 'graphql'
 import crypto from 'crypto'
 import serialize from './serial'
@@ -475,6 +475,19 @@ export async function sendToLnAddr (parent, { addr, amount, maxFee, comment, ...
   // decode invoice
   try {
     const decoded = await decodePaymentRequest({ lnd, request: res.pr })
+    const ourPubkey = (await getIdentity({ lnd })).public_key
+    if (autoWithdraw && decoded.destination === ourPubkey) {
+      // unset lnaddr so we don't trigger another withdrawal with same destination
+      await models.user.update({
+        where: { id: me.id },
+        data: {
+          lnAddr: null,
+          autoWithdrawThreshold: null,
+          autoWithdrawMaxFeePercent: null
+        }
+      })
+      throw new Error('automated withdrawals to other stackers are not allowed')
+    }
     if (decoded.description_hash !== lnurlPayDescriptionHash(`${options.metadata}${stringifiedPayerData}`)) {
       throw new Error('description hash does not match')
     }
diff --git a/lib/validate.js b/lib/validate.js
index 23768856..30d8dc0f 100644
--- a/lib/validate.js
+++ b/lib/validate.js
@@ -208,10 +208,8 @@ export function lnAddrAutowithdrawSchema ({ me } = {}) {
   return object({
     lnAddr: lightningAddressValidator.required('required').test({
       name: 'lnAddr',
-      test: async addr => {
-        return addr !== `${me.name}@stacker.news` && !addr.startsWith(`${me.name}@localhost`)
-      },
-      message: 'cannot send to yourself'
+      test: addr => !addr.endsWith('@stacker.news'),
+      message: 'automated withdrawals must be external'
     }),
     autoWithdrawThreshold: intValidator.required('required').min(0, 'must be at least 0').max(msatsToSats(BALANCE_LIMIT_MSATS), `must be at most ${abbrNum(msatsToSats(BALANCE_LIMIT_MSATS))}`),
     autoWithdrawMaxFeePercent: floatValidator.required('required').min(0, 'must be at least 0').max(50, 'must not exceed 50')