Disallow automated withdrawals to same node

2024-01-13 05:22:00 +01:00 · 2024-01-13 05:22:00 +01:00 · 40f2697675
commit 40f2697675
parent 5dd4136c0b
2 changed files with 16 additions and 5 deletions
--- a/api/resolvers/wallet.js
+++ b/api/resolvers/wallet.js
@ -1,4 +1,4 @@
-import { createHodlInvoice, createInvoice, decodePaymentRequest, payViaPaymentRequest, cancelHodlInvoice, getInvoice as getInvoiceFromLnd, getNode } from 'ln-service'
+import { getIdentity, createHodlInvoice, createInvoice, decodePaymentRequest, payViaPaymentRequest, cancelHodlInvoice, getInvoice as getInvoiceFromLnd, getNode } from 'ln-service'
 import { GraphQLError } from 'graphql'
 import crypto from 'crypto'
 import serialize from './serial'
@ -475,6 +475,19 @@ export async function sendToLnAddr (parent, { addr, amount, maxFee, comment, ...
  // decode invoice
  try {
    const decoded = await decodePaymentRequest({ lnd, request: res.pr })
+    const ourPubkey = (await getIdentity({ lnd })).public_key
+    if (autoWithdraw && decoded.destination === ourPubkey) {
+      // unset lnaddr so we don't trigger another withdrawal with same destination
+      await models.user.update({
+        where: { id: me.id },
+        data: {
+          lnAddr: null,
+          autoWithdrawThreshold: null,
+          autoWithdrawMaxFeePercent: null
+        }
+      })
+      throw new Error('automated withdrawals to other stackers are not allowed')
+    }
    if (decoded.description_hash !== lnurlPayDescriptionHash(`${options.metadata}${stringifiedPayerData}`)) {
      throw new Error('description hash does not match')
    }
--- a/lib/validate.js
+++ b/lib/validate.js
@ -208,10 +208,8 @@ export function lnAddrAutowithdrawSchema ({ me } = {}) {
  return object({
    lnAddr: lightningAddressValidator.required('required').test({
      name: 'lnAddr',
-      test: async addr => {
-        return addr !== `${me.name}@stacker.news` && !addr.startsWith(`${me.name}@localhost`)
-      },
-      message: 'cannot send to yourself'
+      test: addr => !addr.endsWith('@stacker.news'),
+      message: 'automated withdrawals must be external'
    }),
    autoWithdrawThreshold: intValidator.required('required').min(0, 'must be at least 0').max(msatsToSats(BALANCE_LIMIT_MSATS), `must be at most ${abbrNum(msatsToSats(BALANCE_LIMIT_MSATS))}`),
    autoWithdrawMaxFeePercent: floatValidator.required('required').min(0, 'must be at least 0').max(50, 'must not exceed 50')