einundzwanzig/einundzwanzig-app
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git synced 2026-01-24 12:03:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

🔒 Add manual hex validation for LNURL-Auth parameters k1 and key with improved test coverage

Browse Source
This commit is contained in:
HolgerHatGarKeineNode
2026-01-17 17:25:21 +01:00
parent da43bcf81f
commit 74263a4581
2 changed files with 38 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
app/Http/Controllers/LnurlAuthController.php
View File

@@ -24,11 +24,24 @@ final class LnurlAuthController extends Controller
{ {
try { try {
$validated = $request->validate([ $validated = $request->validate([
'k1' => ['required', 'string', 'hex', 'size:128'], 'k1' => ['required', 'string', 'size:64'],
'sig' => ['required', 'string'], 'sig' => ['required', 'string'],
'key' => ['required', 'string', 'hex', 'min:64', 'max:66'], 'key' => ['required', 'string', 'min:64', 'max:66'],
]); ]);
// Validate hex format manually
if (! ctype_xdigit($validated['k1'])) {
throw ValidationException::withMessages([
'k1' => ['The k1 field must be a valid hexadecimal string.'],
]);
}
if (! ctype_xdigit($validated['key'])) {
throw ValidationException::withMessages([
'key' => ['The key field must be a valid hexadecimal string.'],
]);
}
$isVerified = lnurl\auth($validated['k1'], $validated['sig'], $validated['key']); $isVerified = lnurl\auth($validated['k1'], $validated['sig'], $validated['key']);
if (! $isVerified) { if (! $isVerified) {

26
tests/Feature/LnurlAuthTest.php
View File

@@ -18,10 +18,30 @@ test('lnurl auth callback validates required parameters', function () {
]); ]);
}); });
test('lnurl auth callback validates hex format for k1 and key', function () {
// Invalid k1 (not hex)
$response = $this->get(route('auth.ln.callback').'?k1=ZZZZ'.str()->random(60).'&sig='.str()->random(128).'&key='.bin2hex(random_bytes(33)));
$response->assertStatus(400)
->assertJson([
'status' => 'ERROR',
'reason' => 'Invalid request parameters',
]);
// Invalid key (not hex)
$response = $this->get(route('auth.ln.callback').'?k1='.bin2hex(random_bytes(32)).'&sig='.str()->random(128).'&key=ZZZZ'.str()->random(60));
$response->assertStatus(400)
->assertJson([
'status' => 'ERROR',
'reason' => 'Invalid request parameters',
]);
});
test('lnurl auth callback handles signature verification failures', function () { test('lnurl auth callback handles signature verification failures', function () {
$k1 = str()->random(64); $k1 = bin2hex(random_bytes(32));
$sig = str()->random(128); $sig = bin2hex(random_bytes(64));
$key = str()->random(64); $key = bin2hex(random_bytes(33));
$response = $this->get(route('auth.ln.callback').'?k1='.$k1.'&sig='.$sig.'&key='.$key); $response = $this->get(route('auth.ln.callback').'?k1='.$k1.'&sig='.$sig.'&key='.$key);