Skip to content

feat: add lud21 verify base spec. #108

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dni wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: add lud21 verify base spec. #108

dni wants to merge 2 commits into from

Conversation

@dni
Copy link
Member

@dni dni commented Oct 15, 2025
edited
Loading

closes #79

  • added as optional in advanced settings
  • api endpoint returning the success response
    screenshot-1760523700
    screenshot-1760523965

screenshot-1760523538

dni added 2 commits October 15, 2025 12:11
@dni
feat: add lud21 verify base spec.
b357410 
- added as optional in advanced settings
- api endpoint returning the success response
@dni
remove todo
eafb8ab
motorina0
motorina0 reviewed Nov 4, 2025
View reviewed changes
views_lnurl.py

if link.verify:
verify_url = request.url_for(
"lnurlp.api_lnurl_verify", payment_hash=payment.payment_hash
Copy link
Collaborator

@motorina0 motorina0 Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The LUD does not specify that the check value must be the payment hash.
Can't this in fact be a vulnerability? Anyone that sees the QR code can check the payment status (and obtain the pre-image).

Suggestion:

  • use verify_secret random value
  • introduce extra column (not to have such a large number of migrations)

Copy link
Collaborator

@motorina0 motorina0 Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nack

Copy link
Member Author

@dni dni Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the payment_hash is actually inside the bolt11 invoice

Copy link
Member Author

@dni dni Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no reason for adding anything extra, the verify link is sent with the bolt11 invoice which contains the payment_hash already, so there is no additional information leaked.

Copy link
Member Author

@dni dni Dec 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@motorina0 can you re-evaluate the NACK?

talvasconcelos
talvasconcelos approved these changes Nov 4, 2025
View reviewed changes
Copy link
Collaborator

@talvasconcelos talvasconcelos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tested

@dni dni mentioned this pull request Nov 20, 2025
Merged
@dni dni requested a review from motorina0 December 16, 2025 12:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@talvasconcelos talvasconcelos talvasconcelos approved these changes

@arcbtc arcbtc Awaiting requested review from arcbtc

@blackcoffeexbt blackcoffeexbt Awaiting requested review from blackcoffeexbt

@motorina0 motorina0 Awaiting requested review from motorina0

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feature request: add LUD-21 support

4 participants

@dni @motorina0 @talvasconcelos