fd8510d59f
Our invoice IDs can be enumerated. So there is a - even though very rare - chance that an attacker could find a paid invoice which is not used yet and use it for himself. Random payment hashes prevent this. Also, since we delete invoices after use, using database IDs as proof of payments are not suitable. If a user tells us an invoice ID after we deleted it, we can no longer tell if the invoice was paid or not since the LN node only knows about payment hashes but nothing about the database IDs. |
||
---|---|---|
.. | ||
comments.js | ||
invites.js | ||
items.js | ||
notifications.js | ||
price.js | ||
subs.js | ||
users.js | ||
wallet.js |