ekzyis/stacker.news
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Disallow automated withdrawals to same node

Browse Source
This commit is contained in:
ekzyis 2024-01-13 05:22:00 +01:00
parent 5dd4136c0b
commit 40f2697675
2 changed files with 16 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
api/resolvers/wallet.js
View File

@ -1,4 +1,4 @@
import { createHodlInvoice, createInvoice, decodePaymentRequest, payViaPaymentRequest, cancelHodlInvoice, getInvoice as getInvoiceFromLnd, getNode } from 'ln-service' import { getIdentity, createHodlInvoice, createInvoice, decodePaymentRequest, payViaPaymentRequest, cancelHodlInvoice, getInvoice as getInvoiceFromLnd, getNode } from 'ln-service'
import { GraphQLError } from 'graphql' import { GraphQLError } from 'graphql'
import crypto from 'crypto' import crypto from 'crypto'
import serialize from './serial' import serialize from './serial'
@ -475,6 +475,19 @@ export async function sendToLnAddr (parent, { addr, amount, maxFee, comment, ...
// decode invoice // decode invoice
try { try {
const decoded = await decodePaymentRequest({ lnd, request: res.pr }) const decoded = await decodePaymentRequest({ lnd, request: res.pr })
const ourPubkey = (await getIdentity({ lnd })).public_key
if (autoWithdraw && decoded.destination === ourPubkey) {
// unset lnaddr so we don't trigger another withdrawal with same destination
await models.user.update({
where: { id: me.id },
data: {
lnAddr: null,
autoWithdrawThreshold: null,
autoWithdrawMaxFeePercent: null
}
})
throw new Error('automated withdrawals to other stackers are not allowed')
}
if (decoded.description_hash !== lnurlPayDescriptionHash(`${options.metadata}${stringifiedPayerData}`)) { if (decoded.description_hash !== lnurlPayDescriptionHash(`${options.metadata}${stringifiedPayerData}`)) {
throw new Error('description hash does not match') throw new Error('description hash does not match')
} }

6
lib/validate.js
View File

@ -208,10 +208,8 @@ export function lnAddrAutowithdrawSchema ({ me } = {}) {
return object({ return object({
lnAddr: lightningAddressValidator.required('required').test({ lnAddr: lightningAddressValidator.required('required').test({
name: 'lnAddr', name: 'lnAddr',
test: async addr => { test: addr => !addr.endsWith('@stacker.news'),
return addr !== `${me.name}@stacker.news` && !addr.startsWith(`${me.name}@localhost`) message: 'automated withdrawals must be external'
},
message: 'cannot send to yourself'
}), }),
autoWithdrawThreshold: intValidator.required('required').min(0, 'must be at least 0').max(msatsToSats(BALANCE_LIMIT_MSATS), `must be at most ${abbrNum(msatsToSats(BALANCE_LIMIT_MSATS))}`), autoWithdrawThreshold: intValidator.required('required').min(0, 'must be at least 0').max(msatsToSats(BALANCE_LIMIT_MSATS), `must be at most ${abbrNum(msatsToSats(BALANCE_LIMIT_MSATS))}`),
autoWithdrawMaxFeePercent: floatValidator.required('required').min(0, 'must be at least 0').max(50, 'must not exceed 50') autoWithdrawMaxFeePercent: floatValidator.required('required').min(0, 'must be at least 0').max(50, 'must not exceed 50')