🔒 Add manual hex validation for LNURL-Auth parameters k1 and key with improved test coverage

2026-01-23 23:53:17 +00:00 · 2026-01-17 17:25:21 +01:00
parent da43bcf81f
commit 74263a4581
2 changed files with 38 additions and 5 deletions
--- a/app/Http/Controllers/LnurlAuthController.php
+++ b/app/Http/Controllers/LnurlAuthController.php
@@ -24,11 +24,24 @@ final class LnurlAuthController extends Controller
    {
        try {
            $validated = $request->validate([
-                'k1' => ['required', 'string', 'hex', 'size:128'],
+                'k1' => ['required', 'string', 'size:64'],
                'sig' => ['required', 'string'],
-                'key' => ['required', 'string', 'hex', 'min:64', 'max:66'],
+                'key' => ['required', 'string', 'min:64', 'max:66'],
            ]);

+            // Validate hex format manually
+            if (! ctype_xdigit($validated['k1'])) {
+                throw ValidationException::withMessages([
+                    'k1' => ['The k1 field must be a valid hexadecimal string.'],
+                ]);
+            }
+
+            if (! ctype_xdigit($validated['key'])) {
+                throw ValidationException::withMessages([
+                    'key' => ['The key field must be a valid hexadecimal string.'],
+                ]);
+            }
+
            $isVerified = lnurl\auth($validated['k1'], $validated['sig'], $validated['key']);

            if (! $isVerified) {
--- a/tests/Feature/LnurlAuthTest.php
+++ b/tests/Feature/LnurlAuthTest.php
@@ -18,10 +18,30 @@ test('lnurl auth callback validates required parameters', function () {
        ]);
 });

+test('lnurl auth callback validates hex format for k1 and key', function () {
+    // Invalid k1 (not hex)
+    $response = $this->get(route('auth.ln.callback').'?k1=ZZZZ'.str()->random(60).'&sig='.str()->random(128).'&key='.bin2hex(random_bytes(33)));
+
+    $response->assertStatus(400)
+        ->assertJson([
+            'status' => 'ERROR',
+            'reason' => 'Invalid request parameters',
+        ]);
+
+    // Invalid key (not hex)
+    $response = $this->get(route('auth.ln.callback').'?k1='.bin2hex(random_bytes(32)).'&sig='.str()->random(128).'&key=ZZZZ'.str()->random(60));
+
+    $response->assertStatus(400)
+        ->assertJson([
+            'status' => 'ERROR',
+            'reason' => 'Invalid request parameters',
+        ]);
+});
+
 test('lnurl auth callback handles signature verification failures', function () {
-    $k1 = str()->random(64);
-    $sig = str()->random(128);
-    $key = str()->random(64);
+    $k1 = bin2hex(random_bytes(32));
+    $sig = bin2hex(random_bytes(64));
+    $key = bin2hex(random_bytes(33));

    $response = $this->get(route('auth.ln.callback').'?k1='.$k1.'&sig='.$sig.'&key='.$key);