From 6c03c1c3d93ece33e81d56532f4c651723bbf9d8 Mon Sep 17 00:00:00 2001
From: Peter Rounce
Date: Thu, 20 Jul 2023 11:00:37 +0000
Subject: [PATCH] check pin in payment rules

---
 lnurlw/lnurlw_callback.go | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/lnurlw/lnurlw_callback.go b/lnurlw/lnurlw_callback.go
index b5d5a61..f07e1b0 100644
--- a/lnurlw/lnurlw_callback.go
+++ b/lnurlw/lnurlw_callback.go
@@ -225,17 +225,15 @@ func Callback(w http.ResponseWriter, req *http.Request) {
 url := req.URL.RequestURI()
 log.WithFields(log.Fields{"url": url}).Debug("cb request")
 
- // check k1 value
- params_k1, ok := req.URL.Query()["k1"]
+ // get k1 value
+ param_k1 := req.URL.Query().Get("k1")
 
- if !ok || len(params_k1[0]) < 1 {
+ if param_k1 == "" {
 log.WithFields(log.Fields{"url": url}).Debug("k1 not found")
 resp_err.Write(w)
 return
 }
 
- param_k1 := params_k1[0]
-
 p, err := db.Get_payment_k1(param_k1)
 if err != nil {
 log.WithFields(log.Fields{"url": url, "k1": param_k1}).Warn(err)
@@ -263,14 +261,14 @@ func Callback(w http.ResponseWriter, req *http.Request) {
 return
 }
 
- params_pr, ok := req.URL.Query()["pr"]
- if !ok || len(params_pr[0]) < 1 {
+ // get the payment request
+ param_pr := req.URL.Query().Get("pr")
+ if param_pr == "" {
 log.WithFields(log.Fields{"card_payment_id": p.Card_payment_id}).Warn("pr field not found")
 resp_err.Write(w)
 return
 }
 
- param_pr := params_pr[0]
 bolt11, _ := decodepay.Decodepay(param_pr)
 
 // record the lightning invoice
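Review bot: `url` on the first context line is `req.URL.RequestURI()`, which carries the full query string, so the `pin` query parameter that the third hunk reads is written to the log in clear by the `Debug("cb request")` call on the next line, and again by the "k1 not found" and `Get_payment_k1` log calls that also field `url`. Log the path instead, `url := req.URL.Path`, or build the logged value from a copy of the query with the `pin` key removed. `req.URL.Query()` is also re-parsed here for `k1`, in the next hunk for `pr` and in the third hunk for `pin`; a single `q := req.URL.Query()` near the top of the handler would serve all three `Get` calls. Callback starts and ends outside this hunk.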
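Review bot: The `bolt11, _ := decodepay.Decodepay(param_pr)` context line discards the decode error, and the new pin check in the third hunk compares `int(bolt11.MSatoshi/1000)` against `c.Pin_limit_sats`; on a malformed or unparseable `pr` the struct is presumably its zero value, so the amount compares as 0 and the PIN requirement is skipped rather than the request being rejected. Check the error before using any decoded field: `bolt11, err := decodepay.Decodepay(param_pr)` followed by the same `Warn(err)` / `resp_err.Write(w)` / `return` sequence used for the missing `pr` case just above. Whether a zero-amount invoice is refused later in the handler is not visible here. Callback continues outside this hunk.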
@@ -283,6 +281,23 @@ func Callback(w http.ResponseWriter, req *http.Request) {
 log.WithFields(log.Fields{"card_payment_id": p.Card_payment_id}).Debug("checking payment rules")
 
+ // get the pin if it has been passed in
+ param_pin := req.URL.Query().Get("pin")
+
+ c, err := db.Get_card_from_card_id(p.Card_id)
+ if err != nil {
+ log.WithFields(log.Fields{"card_payment_id": p.Card_payment_id}).Warn(err)
+ resp_err.Write(w)
+ return
+ }
+
+ // check the pin if needed
+ if c.Pin_enable == "Y" && int(bolt11.MSatoshi/1000) >= c.Pin_limit_sats && c.Pin_number != param_pin {
+ log.WithFields(log.Fields{"card_payment_id": p.Card_payment_id}).Warn("incorrect pin provided")
+ resp_err.Write(w)
+ return
+ }
+
 // check if we are only sending funds to a defined test node
 testnode := db.Get_setting("LN_TESTNODE")
 if testnode != "" && bolt11.Payee != testnode {