Fix anon payment verification (#1235)
* Enforce hash & hmac for anons in serialize * Enforce logged in for idempotent zaps
parent
93713b33df
commit
967b5b74fb
|
@ -825,7 +825,7 @@ export default {
|
|||
|
||||
await serialize(
|
||||
models.$queryRawUnsafe(`${SELECT} FROM poll_vote($1::INTEGER, $2::INTEGER) AS "Item"`, Number(id), Number(me.id)),
|
||||
{ models, lnd, me, hash, hmac }
|
||||
{ models, lnd, me, hash, hmac, verifyPayment: !!hash || !me }
|
||||
)
|
||||
|
||||
return id
|
||||
|
@ -859,7 +859,7 @@ export default {
|
|||
}
|
||||
}
|
||||
|
||||
if (idempotent) {
|
||||
if (me && idempotent) {
|
||||
await serialize(
|
||||
models.$queryRaw`
|
||||
SELECT
|
||||
|
@ -869,7 +869,7 @@ export default {
|
|||
WHERE act IN ('TIP', 'FEE')
|
||||
AND "itemId" = ${Number(id)}::INTEGER
|
||||
AND "userId" = ${me.id}::INTEGER)::INTEGER)`,
|
||||
{ models, lnd, hash, hmac }
|
||||
{ models, lnd, hash, hmac, verifyPayment: !!hash }
|
||||
)
|
||||
} else {
|
||||
await serialize(
|
||||
|
@ -877,7 +877,7 @@ export default {
|
|||
SELECT
|
||||
item_act(${Number(id)}::INTEGER,
|
||||
${me?.id || USER_ID.anon}::INTEGER, ${act}::"ItemActType", ${Number(sats)}::INTEGER)`,
|
||||
{ models, lnd, me, hash, hmac, fee: sats }
|
||||
{ models, lnd, me, hash, hmac, fee: sats, verifyPayment: !!hash || !me }
|
||||
)
|
||||
}
|
||||
|
||||
|
@ -1348,7 +1348,7 @@ export const updateItem = async (parent, { sub: subName, forward, options, ...it
|
|||
([item] = await serialize(
|
||||
models.$queryRawUnsafe(`${SELECT} FROM update_item($1::JSONB, $2::JSONB, $3::JSONB, $4::INTEGER[]) AS "Item"`,
|
||||
JSON.stringify(item), JSON.stringify(fwdUsers), JSON.stringify(options), uploadIds),
|
||||
{ models, lnd, me, hash, hmac, fee: imgFees }
|
||||
{ models, lnd, me, hash, hmac, fee: imgFees, verifyPayment: !!hash || !me }
|
||||
))
|
||||
|
||||
await createMentions(item, models)
|
||||
|
@ -1405,7 +1405,7 @@ export const createItem = async (parent, { forward, options, ...item }, { me, mo
|
|||
models.$queryRawUnsafe(
|
||||
`${SELECT} FROM create_item($1::JSONB, $2::JSONB, $3::JSONB, '${spamInterval}'::INTERVAL, $4::INTEGER[]) AS "Item"`,
|
||||
JSON.stringify(item), JSON.stringify(fwdUsers), JSON.stringify(options), uploadIds),
|
||||
{ models, lnd, me, hash, hmac, fee }
|
||||
{ models, lnd, me, hash, hmac, fee, verifyPayment: !!hash || !me }
|
||||
))
|
||||
|
||||
await createMentions(item, models)
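Review bot: In the hunk at -859, `if (me && idempotent)` does not reject an anonymous caller who asks for an idempotent zap; it silently drops the flag and falls through to the `else` branch, which runs the full `item_act` for `USER_ID.anon`. The guard itself is needed because the idempotent query reads `me.id`, but the commit description says login is enforced, and a client that retries on the assumption of idempotency gets no signal that the guarantee was not applied. Either fail explicitly before the branch, e.g. `if (idempotent && !me) throw new Error('idempotent zaps require login')` (with whatever error type this resolver already throws), or document the fallback with `// anon has no per-user acts to dedupe against, so idempotent is ignored and the normal item_act path runs`. The enclosing resolver starts and ends outside the visible hunks.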
|
||||
|
|
|
@ -166,7 +166,7 @@ export default {
|
|||
|
||||
await serialize(
|
||||
models.$queryRaw`SELECT donate(${sats}::INTEGER, ${me?.id || USER_ID.anon}::INTEGER)`,
|
||||
{ models, lnd, me, hash, hmac, fee: sats }
|
||||
{ models, lnd, me, hash, hmac, fee: sats, verifyPayment: !!hash || !me }
|
||||
)
|
||||
|
||||
return sats
|
||||
|
|
|
@ -7,7 +7,7 @@ import { createHmac } from './wallet'
|
|||
import { msatsToSats, numWithUnits } from '@/lib/format'
|
||||
import { BALANCE_LIMIT_MSATS } from '@/lib/constants'
|
||||
|
||||
export default async function serialize (trx, { models, lnd, me, hash, hmac, fee }) {
|
||||
export default async function serialize (trx, { models, lnd, me, hash, hmac, fee, verifyPayment: verify }) {
|
||||
// wrap first argument in array if not array already
|
||||
const isArray = Array.isArray(trx)
|
||||
if (!isArray) trx = [trx]
|
||||
|
@ -17,7 +17,7 @@ export default async function serialize (trx, { models, lnd, me, hash, hmac, fee
|
|||
trx = trx.filter(q => !!q)
|
||||
|
||||
let invoice
|
||||
if (hash) {
|
||||
if (verify) {
|
||||
invoice = await verifyPayment(models, hash, hmac, fee)
|
||||
trx = [
|
||||
models.$executeRaw`SELECT confirm_invoice(${hash}, ${invoice.msatsReceived})`,
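Review bot: `serialize` now skips verification whenever a caller leaves `verifyPayment` out, because `verify` is then `undefined` at `if (verify) {`; before this change a supplied `hash` was always verified. The policy `!!hash || !me` is instead repeated at every call site in the other file sections, so a call site this commit missed, or one added later, would let an anonymous request run its queries with no invoice check. Since `me` and `hash` are already destructured here, the default can live in one place: `if (verify ?? (!!hash || !me)) {`, leaving the option as an explicit override only. It is also worth confirming that `verifyPayment(models, hash, hmac, fee)` rejects an undefined `hash` or `hmac` with a clear error, since its body is not shown and the anonymous path now reaches it without them. The function body continues past the end of the hunk.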
|
||||
|
|
|
@ -248,7 +248,7 @@ export default {
|
|||
|
||||
const results = await serialize(
|
||||
queries,
|
||||
{ models, lnd, me, hash, hmac, fee: sub.billingCost })
|
||||
{ models, lnd, me, hash, hmac, fee: sub.billingCost, verifyPayment: !!hash || !me })
|
||||
return results[1]
|
||||
},
|
||||
toggleMuteSub: async (parent, { name }, { me, models }) => {
|
||||
|
@ -368,7 +368,7 @@ export default {
|
|||
models.sub.update({ where: { name }, data: newSub }),
|
||||
isTransfer && models.territoryTransfer.create({ data: { subName: name, oldUserId: oldSub.userId, newUserId: me.id } })
|
||||
],
|
||||
{ models, lnd, hash, me, hmac, fee: billingCost })
|
||||
{ models, lnd, hash, me, hmac, fee: billingCost, verifyPayment: !!hash || !me })
|
||||
|
||||
if (isTransfer) notifyTerritoryTransfer({ models, sub: newSub, to: me })
|
||||
}
|
||||
|
@ -464,7 +464,7 @@ async function createSub (parent, data, { me, models, lnd, hash, hmac }) {
|
|||
subName: data.name
|
||||
}
|
||||
})
|
||||
], { models, lnd, me, hash, hmac, fee: billingCost })
|
||||
], { models, lnd, me, hash, hmac, fee: billingCost, verifyPayment: !!hash || !me })
|
||||
|
||||
return results[1]
|
||||
} catch (error) {
|
||||
|
@ -545,7 +545,7 @@ async function updateSub (parent, { oldName, ...data }, { me, models, lnd, hash,
|
|||
userId: me.id
|
||||
}
|
||||
})
|
||||
], { models, lnd, me, hash, hmac, fee: proratedCost })
|
||||
], { models, lnd, me, hash, hmac, fee: proratedCost, verifyPayment: !!hash || !me })
|
||||
return results[2]
|
||||
}
|
||||
}
|
||||
|
|