ekzyis fd8510d59f Use payment hash instead of invoice id as proof of payment
Our invoice IDs can be enumerated.
So there is a - even though very rare - chance that an attacker could find a paid invoice which is not used yet and use it for himself.
Random payment hashes prevent this.

Also, since we delete invoices after use, using database IDs as proof of payment is not suitable.
If a user tells us an invoice ID after we deleted it, we can no longer tell if the invoice was paid or not since the LN node only knows about payment hashes but nothing about the database IDs.
2023-07-30 23:45:07 +02:00
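
The two points of the commit message above, as an added example that is not code from the Stacker News repository: serial database IDs versus random payment hashes as proof of payment, and what each check can still answer after the invoice row is deleted. `makeNode`, `makeDb`, `verifyById`, `verifyByHash` and `demo` are hypothetical in-memory stand-ins, and all data is constructed.

```javascript
const crypto = require('node:crypto')
// Hypothetical, constructed stand-in for the LN node: it indexes invoices by payment hash only.
function makeNode () {
  const byHash = new Map()
  return {
    addInvoice () {
      const preimage = crypto.randomBytes(32) // random, so the hash is unguessable
      const hash = crypto.createHash('sha256').update(preimage).digest('hex')
      byHash.set(hash, { settled: false })
      return hash
    },
    settle (hash) { byHash.get(hash).settled = true },
    isSettled (hash) { return byHash.get(hash)?.settled === true }
  }
}

// Hypothetical, constructed stand-in for the app database: serial ids, rows deleted after use.
function makeDb () {
  const rows = new Map()
  let nextId = 1
  return {
    insert (hash) { rows.set(nextId, { hash }); return nextId++ },
    get (id) { return rows.get(id) },
    remove (id) { rows.delete(id) }
  }
}

// Before: the database id is the proof. Ids are serial, and the row must still exist.
function verifyById (db, node, id) {
  const row = db.get(Number(id))
  return row !== undefined && node.isSettled(row.hash)
}

// After: the payment hash is the proof, checked against the node itself.
function verifyByHash (node, hash) {
  return typeof hash === 'string' && /^[0-9a-f]{64}$/.test(hash) && node.isSettled(hash)
}

// Walk through both points of the commit message on constructed data.
function demo () {
  const node = makeNode(); const db = makeDb()
  const hashes = [1, 2, 3].map(() => { const h = node.addInvoice(); db.insert(h); return h })
  node.settle(hashes[1]) // only the second invoice is paid
  const guessedId = verifyById(db, node, 2) // a value anyone can count to is accepted
  const zeroHash = verifyByHash(node, '0'.repeat(64)) // a made-up hash is not
  db.remove(2) // invoice row deleted after use
  return { guessedId, zeroHash,
    idAfterDelete: verifyById(db, node, 2), hashAfterDelete: verifyByHash(node, hashes[1]) }
}
```
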
.ebextensions log tor to own file 2022-09-06 12:07:12 -05:00
.github Update issue templates 2023-06-23 10:39:37 -05:00
.platform Revert "Revert "prevent slashtags from accessing disk"" 2023-07-23 10:08:56 -05:00
.vscode remove vscode settings 2022-06-08 16:56:35 -05:00
api Use payment hash instead of invoice id as proof of payment 2023-07-30 23:45:07 +02:00
components Use payment hash instead of invoice id as proof of payment 2023-07-30 23:45:07 +02:00
docs Add docs for local LND setup 2023-05-19 18:28:46 -05:00
fragments Use payment hash instead of invoice id as proof of payment 2023-07-30 23:45:07 +02:00
lib Use payment hash instead of invoice id as proof of payment 2023-07-30 23:45:07 +02:00
pages Add anon zaps 2023-07-30 23:45:07 +02:00
prisma Add anon comments and posts (link, discussion, poll) 2023-07-30 23:45:07 +02:00
public upgrade to next-auth 4 (bonus: improve error pages) 2023-07-29 14:38:20 -05:00
spawn upgrade deps 2022-11-06 11:28:58 -06:00
styles upgrade to next-auth 4 (bonus: improve error pages) 2023-07-29 14:38:20 -05:00
svgs Revert "Revert "shield your eyes; massive, squashed refactor; nextjs/react/react-dom/apollo upgrades"" 2023-07-23 10:08:43 -05:00
sw service worker enhancements 2023-07-29 14:33:19 -05:00
worker upgrade to next-auth 4 (bonus: improve error pages) 2023-07-29 14:38:20 -05:00
.babelrc dark mode with css variables instead 2021-11-09 16:43:56 -06:00
.env.sample Render images without markdown and use image proxy (#245) 2023-07-12 19:10:01 -05:00
.gitignore Revert "Revert "try to store slashtags in cwd"" 2023-07-23 10:09:00 -05:00
.npmrc Revert "Revert "shield your eyes; massive, squashed refactor; nextjs/react/react-dom/apollo upgrades"" 2023-07-23 10:08:43 -05:00
.puppeteerrc.cjs puppeteer config 2022-11-16 10:57:03 -06:00
Dockerfile Use node:16.16.0-bullseye for docker images (#341) 2023-07-04 19:49:00 -05:00
LICENSE add license 2021-06-28 18:28:26 -05:00
Procfile remove check from procfile 2022-01-09 11:57:15 -06:00
README.md users? => stackers? 2023-07-09 12:53:50 -05:00
docker-compose.yml Render images without markdown and use image proxy (#245) 2023-07-12 19:10:01 -05:00
middleware.js referrals 2022-12-19 16:27:52 -06:00
next.config.js cache lightning font encodings forever 2023-07-29 15:15:58 -05:00
package-lock.json provide jwt migration 2023-07-30 14:03:24 -05:00
package.json provide jwt migration 2023-07-30 14:03:24 -05:00

README.md

contributing

We pay sats for PRs. Sats will be proportional to the impact of the PR. If there's something you'd like to work on, suggest how much you'd do it for on the issue. If there's something you'd like to work on that isn't already an issue, whether it's a bug fix or a new feature, create one.

responsible disclosure

If you found a vulnerability, we would greatly appreciate it if you contact us via kk@stacker.news or t.me/k00bideh.

stacker.news

Stacker News is like Hacker News but we pay you Bitcoin. We use Bitcoin and the Lightning Network to provide Sybil resistance and any karma earned is withdrawable as Bitcoin.

wen decentralization

We're experimenting with providing an SN-like service on nostr in Outer Space. It's our overarching goal to align SN with Bitcoin's ethos yet still make a product the average bitcoiner loves to use.

local development

  1. Install docker-compose and deps if you don't already have them installed
  2. git clone git@github.com:stackernews/stacker.news.git sn && cd sn
  3. docker-compose up --build

You should then be able to access the site at localhost:3000 and any changes you make will hot reload. If you want to log in locally or use lnd you'll need to modify .env.sample appropriately. More details here and here. If you have trouble please open an issue so I can help and update the README for everyone else.

stack

The site is written in javascript using Next.js, a React framework. The backend API is provided via graphql. The database is postgresql modelled with prisma. The job queue is also maintained in postgresql. We use lnd for our lightning node. A customized Bootstrap theme is used for styling.

processes

There are two: 1. the web app and 2. the worker, which dequeues jobs sent to it by the web app, e.g. polling lnd for invoice/payment status.

wallet transaction safety

To ensure stackers' balances are kept sane, all wallet updates are run in serializable transactions at the database level. Because prisma has relatively poor support for transactions, all wallet-touching code is written in plpgsql stored procedures and can be found in the prisma/migrations folder.

code

The code is linted with standardjs.

license

MIT