ekzyis
/
stacker.news
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix anon payment verification (#1235) 

* Enforce hash & hmac for anons in serialize

* Enforce logged in for idempotent zaps
This commit is contained in:
ekzyis 2024-06-12 18:15:00 +02:00 committed by GitHub
parent 93713b33df
commit 967b5b74fb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 13 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
api/resolvers/item.js
View File

@ -825,7 +825,7 @@ export default {
await serialize( await serialize(
models.$queryRawUnsafe(`${SELECT} FROM poll_vote($1::INTEGER, $2::INTEGER) AS "Item"`, Number(id), Number(me.id)), models.$queryRawUnsafe(`${SELECT} FROM poll_vote($1::INTEGER, $2::INTEGER) AS "Item"`, Number(id), Number(me.id)),
{ models, lnd, me, hash, hmac } { models, lnd, me, hash, hmac, verifyPayment: !!hash || !me }
) )
return id return id
@ -859,7 +859,7 @@ export default {
} }
} }
if (idempotent) { if (me && idempotent) {
await serialize( await serialize(
models.$queryRaw` models.$queryRaw`
SELECT SELECT
@ -869,7 +869,7 @@ export default {
WHERE act IN ('TIP', 'FEE') WHERE act IN ('TIP', 'FEE')
AND "itemId" = ${Number(id)}::INTEGER AND "itemId" = ${Number(id)}::INTEGER
AND "userId" = ${me.id}::INTEGER)::INTEGER)`, AND "userId" = ${me.id}::INTEGER)::INTEGER)`,
{ models, lnd, hash, hmac } { models, lnd, hash, hmac, verifyPayment: !!hash }
) )
} else { } else {
await serialize( await serialize(
@ -877,7 +877,7 @@ export default {
SELECT SELECT
item_act(${Number(id)}::INTEGER, item_act(${Number(id)}::INTEGER,
${me?.id || USER_ID.anon}::INTEGER, ${act}::"ItemActType", ${Number(sats)}::INTEGER)`, ${me?.id || USER_ID.anon}::INTEGER, ${act}::"ItemActType", ${Number(sats)}::INTEGER)`,
{ models, lnd, me, hash, hmac, fee: sats } { models, lnd, me, hash, hmac, fee: sats, verifyPayment: !!hash || !me }
) )
} }
@ -1348,7 +1348,7 @@ export const updateItem = async (parent, { sub: subName, forward, options, ...it
([item] = await serialize( ([item] = await serialize(
models.$queryRawUnsafe(`${SELECT} FROM update_item($1::JSONB, $2::JSONB, $3::JSONB, $4::INTEGER[]) AS "Item"`, models.$queryRawUnsafe(`${SELECT} FROM update_item($1::JSONB, $2::JSONB, $3::JSONB, $4::INTEGER[]) AS "Item"`,
JSON.stringify(item), JSON.stringify(fwdUsers), JSON.stringify(options), uploadIds), JSON.stringify(item), JSON.stringify(fwdUsers), JSON.stringify(options), uploadIds),
{ models, lnd, me, hash, hmac, fee: imgFees } { models, lnd, me, hash, hmac, fee: imgFees, verifyPayment: !!hash || !me }
)) ))
await createMentions(item, models) await createMentions(item, models)
@ -1405,7 +1405,7 @@ export const createItem = async (parent, { forward, options, ...item }, { me, mo
models.$queryRawUnsafe( models.$queryRawUnsafe(
`${SELECT} FROM create_item($1::JSONB, $2::JSONB, $3::JSONB, '${spamInterval}'::INTERVAL, $4::INTEGER[]) AS "Item"`, `${SELECT} FROM create_item($1::JSONB, $2::JSONB, $3::JSONB, '${spamInterval}'::INTERVAL, $4::INTEGER[]) AS "Item"`,
JSON.stringify(item), JSON.stringify(fwdUsers), JSON.stringify(options), uploadIds), JSON.stringify(item), JSON.stringify(fwdUsers), JSON.stringify(options), uploadIds),
{ models, lnd, me, hash, hmac, fee } { models, lnd, me, hash, hmac, fee, verifyPayment: !!hash || !me }
)) ))
await createMentions(item, models) await createMentions(item, models)

2
api/resolvers/rewards.js
View File

@ -166,7 +166,7 @@ export default {
await serialize( await serialize(
models.$queryRaw`SELECT donate(${sats}::INTEGER, ${me?.id || USER_ID.anon}::INTEGER)`, models.$queryRaw`SELECT donate(${sats}::INTEGER, ${me?.id || USER_ID.anon}::INTEGER)`,
{ models, lnd, me, hash, hmac, fee: sats } { models, lnd, me, hash, hmac, fee: sats, verifyPayment: !!hash || !me }
) )
return sats return sats

4
api/resolvers/serial.js
View File

@ -7,7 +7,7 @@ import { createHmac } from './wallet'
import { msatsToSats, numWithUnits } from '@/lib/format' import { msatsToSats, numWithUnits } from '@/lib/format'
import { BALANCE_LIMIT_MSATS } from '@/lib/constants' import { BALANCE_LIMIT_MSATS } from '@/lib/constants'
export default async function serialize (trx, { models, lnd, me, hash, hmac, fee }) { export default async function serialize (trx, { models, lnd, me, hash, hmac, fee, verifyPayment: verify }) {
// wrap first argument in array if not array already // wrap first argument in array if not array already
const isArray = Array.isArray(trx) const isArray = Array.isArray(trx)
if (!isArray) trx = [trx] if (!isArray) trx = [trx]
@ -17,7 +17,7 @@ export default async function serialize (trx, { models, lnd, me, hash, hmac, fee
trx = trx.filter(q => !!q) trx = trx.filter(q => !!q)
let invoice let invoice
if (hash) { if (verify) {
invoice = await verifyPayment(models, hash, hmac, fee) invoice = await verifyPayment(models, hash, hmac, fee)
trx = [ trx = [
models.$executeRaw`SELECT confirm_invoice(${hash}, ${invoice.msatsReceived})`, models.$executeRaw`SELECT confirm_invoice(${hash}, ${invoice.msatsReceived})`,

8
api/resolvers/sub.js
View File

@ -248,7 +248,7 @@ export default {
const results = await serialize( const results = await serialize(
queries, queries,
{ models, lnd, me, hash, hmac, fee: sub.billingCost }) { models, lnd, me, hash, hmac, fee: sub.billingCost, verifyPayment: !!hash || !me })
return results[1] return results[1]
}, },
toggleMuteSub: async (parent, { name }, { me, models }) => { toggleMuteSub: async (parent, { name }, { me, models }) => {
@ -368,7 +368,7 @@ export default {
models.sub.update({ where: { name }, data: newSub }), models.sub.update({ where: { name }, data: newSub }),
isTransfer && models.territoryTransfer.create({ data: { subName: name, oldUserId: oldSub.userId, newUserId: me.id } }) isTransfer && models.territoryTransfer.create({ data: { subName: name, oldUserId: oldSub.userId, newUserId: me.id } })
], ],
{ models, lnd, hash, me, hmac, fee: billingCost }) { models, lnd, hash, me, hmac, fee: billingCost, verifyPayment: !!hash || !me })
if (isTransfer) notifyTerritoryTransfer({ models, sub: newSub, to: me }) if (isTransfer) notifyTerritoryTransfer({ models, sub: newSub, to: me })
} }
@ -464,7 +464,7 @@ async function createSub (parent, data, { me, models, lnd, hash, hmac }) {
subName: data.name subName: data.name
} }
}) })
], { models, lnd, me, hash, hmac, fee: billingCost }) ], { models, lnd, me, hash, hmac, fee: billingCost, verifyPayment: !!hash || !me })
return results[1] return results[1]
} catch (error) { } catch (error) {
@ -545,7 +545,7 @@ async function updateSub (parent, { oldName, ...data }, { me, models, lnd, hash,
userId: me.id userId: me.id
} }
}) })
], { models, lnd, me, hash, hmac, fee: proratedCost }) ], { models, lnd, me, hash, hmac, fee: proratedCost, verifyPayment: !!hash || !me })
return results[2] return results[2]
} }
} }