b9461b7eb3
* Add anon zaps
* Add anon comments and posts (link, discussion, poll)
* Use payment hash instead of invoice id as proof of payment
Our invoice IDs can be enumerated.
So there is a - even though very rare - chance that an attacker could find a paid invoice which is not used yet and use it for himself.
Random payment hashes prevent this.
Also, since we delete invoices after use, using database IDs as proof of payments are not suitable.
If a user tells us an invoice ID after we deleted it, we can no longer tell if the invoice was paid or not since the LN node only knows about payment hashes but nothing about the database IDs.
* Allow pay per invoice for stackers
The modal which pops up if the stacker does not have enough sats now has two options: "fund wallet" and "pay invoice"
* Fix onSuccess called twice
For some reason, when calling `showModal`, `useMemo` in modal.js and the code for the modal component (here: <Invoice>) is called twice.
This leads to the `onSuccess` callback being called twice and one failing since the first one deletes the invoice.
* Keep invoice modal open if focus is lost
* Skip anon user during trust calculation
* Add error handling
* Skip 'invoice not found' errors
* Remove duplicate insufficient funds handling
* Fix insufficient funds error detection
* Fix invoice amount for comments
* Allow pay per invoice for bounty and job posts
* Also strike on payment after short press
* Fix unexpected token 'export'
* Fix eslint
* Remove unused id param
* Fix comment copy-paste error
* Rename to useInvoiceable
* Fix unexpected token 'export'
* Fix onConfirmation called at every render
* Add invoice HMAC
This prevents entities which know the invoice hash (like all LN nodes on the payment path) from using the invoice hash on SN.
Only the user which created the invoice knows the HMAC and thus can use the invoice hash.
* make anon posting less hidden, add anon info button explainer
* Fix anon users can't zap other anon users
* Always show repeat and contacts on action error
* Keep track of modal stack
* give anon an icon
* add generic date pivot helper
* make anon user's invoices expire in 5 minutes
* fix forgotten find and replace
* use datePivot more places
* add sat amounts to invoices
* reduce anon invoice expiration to 3 minutes
* don't abbreviate
* Fix [object Object] as error message
Any errors thrown here are already objects of shape { message: string }
* Fix empty invoice creation attempts
I stumbled across this while checking if anons can edit their items.
I monkey patched the code to make it possible (so they can see the 'edit' button) and tried to edit an item but I got this error:
Variable "$amount" of required type "Int!" was not provided.
I fixed this even though this function should never be called without an amount anyway. It will return a sane error in that case now.
* anon func mods, e.g. inv limits
* anon tips should be denormalized
* remove redundant meTotalSats
* correct overlay zap text for anon
* exclude anon from trust graph before algo runs
* remove balance limit on anon
* give anon a bio and remove cowboy hat/top stackers;
* make anon hat appear on profile
* concat hash and hmac and call it a token
* Fix localStorage cleared because error were swallowed
* fix qr layout shift
* restyle fund error modal
* Catch invoice errors in fund error modal
* invoice check backoff
* anon info typo
* make invoice expiration times have saner defaults
* add comma to anon info
* use builtin copy input label
---------
Co-authored-by: ekzyis <ek@stacker.news>
Co-authored-by: keyan <keyan.kousha+huumn@gmail.com>
|
||
|---|---|---|
| .ebextensions | ||
| .github | ||
| .platform | ||
| .vscode | ||
| api | ||
| components | ||
| docs | ||
| fragments | ||
| lib | ||
| pages | ||
| prisma | ||
| public | ||
| spawn | ||
| styles | ||
| svgs | ||
| sw | ||
| worker | ||
| .babelrc | ||
| .env.sample | ||
| .gitignore | ||
| .npmrc | ||
| .puppeteerrc.cjs | ||
| Dockerfile | ||
| LICENSE | ||
| Procfile | ||
| README.md | ||
| docker-compose.yml | ||
| middleware.js | ||
| next.config.js | ||
| package-lock.json | ||
| package.json | ||
README.md
contributing
We pay sats for PRs. Sats will be proportional to the impact of the PR. If there's something you'd like to work on, suggest how much you'd do it for on the issue. If there's something you'd like to work on that isn't already an issue, whether its a bug fix or a new feature, create one.
responsible disclosure
If you found a vulnerability, we would greatly appreciate it if you contact us via kk@stacker.news or t.me/k00bideh.
stacker.news
Stacker News is like Hacker News but we pay you Bitcoin. We use Bitcoin and the Lightning Network to provide Sybil resistance and any karma earned is withdrawable as Bitcoin.
wen decentralization
We're experimenting with providing an SN-like service on nostr in Outer Space. It's our overarching goal to align SN with Bitcoin's ethos yet still make a product the average bitcoiner loves to use.
local development
- Install docker-compose and deps if you don't already have it installed
git clone git@github.com:stackernews/stacker.news.git sn && cd sndocker-compose up --build
You should then be able to access the site at localhost:3000 and any changes you make will hot reload. If you want to login locally or use lnd you'll need to modify .env.sample appropriately. More details here and here. If you have trouble please open an issue so I can help and update the README for everyone else.
web push
To enable Web Push locally, you will need to set the VAPID_* env vars. VAPID_MAILTO needs to be a email address using the mailto: scheme. For NEXT_PUBLIC_VAPID_KEY and VAPID_PRIVKEY, you can run npx web-push generate-vapid-keys.
imgproxy
To configure the image proxy, you will need to set the IMGPROXY_ env vars. NEXT_PUBLIC_IMGPROXY_URL needs to point to the image proxy service. IMGPROXY_KEY and IMGPROXY_SALT can be set using openssl rand -hex 64.
stack
The site is written in javascript using Next.js, a React framework. The backend API is provided via graphql. The database is postgresql modelled with prisma. The job queue is also maintained in postgresql. We use lnd for our lightning node. A customized Bootstrap theme is used for styling.
processes
There are two. 1. the web app and 2. the worker, which dequeues jobs sent to it by the web app, e.g. polling lnd for invoice/payment status
wallet transaction safety
To ensure stackers balances are kept sane, all wallet updates are run in serializable transactions at the database level. Because prisma has relatively poor support for transactions all wallet touching code is written in plpgsql stored procedures and can be found in the prisma/migrations folder.
code
The code is linted with standardjs.