fd8510d59f
Our invoice IDs can be enumerated, so there is a chance, even though a very rare one, that an attacker could find a paid invoice which has not been used yet and use it for himself. Random payment hashes prevent this. Also, since we delete invoices after use, database IDs are not suitable as proof of payment: if a user tells us an invoice ID after we deleted it, we can no longer tell whether the invoice was paid, since the LN node only knows about payment hashes and nothing about the database IDs.
import { gql } from '@apollo/client'
import { ITEM_FULL_FIELDS } from './items'
export const INVOICE = gql`
|
|
query Invoice($id: ID!) {
|
|
invoice(id: $id) {
|
|
id
|
|
hash
|
|
bolt11
|
|
satsReceived
|
|
cancelled
|
|
confirmedAt
|
|
expiresAt
|
|
}
|
|
}`
export const WITHDRAWL = gql`
|
|
query Withdrawl($id: ID!) {
|
|
withdrawl(id: $id) {
|
|
id
|
|
bolt11
|
|
satsPaid
|
|
satsFeePaying
|
|
satsFeePaid
|
|
status
|
|
}
|
|
}`
export const WALLET_HISTORY = gql`
|
|
${ITEM_FULL_FIELDS}
|
|
|
|
query WalletHistory($cursor: String, $inc: String) {
|
|
walletHistory(cursor: $cursor, inc: $inc) {
|
|
facts {
|
|
id
|
|
factId
|
|
type
|
|
createdAt
|
|
sats
|
|
satsFee
|
|
status
|
|
type
|
|
description
|
|
item {
|
|
...ItemFullFields
|
|
}
|
|
}
|
|
cursor
|
|
}
|
|
}
|
|
`
export const CREATE_WITHDRAWL = gql`
|
|
mutation createWithdrawl($invoice: String!, $maxFee: Int!) {
|
|
createWithdrawl(invoice: $invoice, maxFee: $maxFee) {
|
|
id
|
|
}
|
|
}`
export const SEND_TO_LNADDR = gql`
|
|
mutation sendToLnAddr($addr: String!, $amount: Int!, $maxFee: Int!) {
|
|
sendToLnAddr(addr: $addr, amount: $amount, maxFee: $maxFee) {
|
|
id
|
|
}
|
|
}`