check pin in payment rules

lnurlw/lnurlw_callback.go

@@ -225,17 +225,15 @@ func Callback(w http.ResponseWriter, req *http.Request) {
 	url := req.URL.RequestURI()
 	log.WithFields(log.Fields{"url": url}).Debug("cb request")
 
-	// check k1 value
-	params_k1, ok := req.URL.Query()["k1"]
+	// get k1 value
+	param_k1 := req.URL.Query().Get("k1")
 
-	if !ok || len(params_k1[0]) < 1 {
+	if param_k1 == "" {
 		log.WithFields(log.Fields{"url": url}).Debug("k1 not found")
 		resp_err.Write(w)
 		return
 	}
 
-	param_k1 := params_k1[0]
-
 	p, err := db.Get_payment_k1(param_k1)
 	if err != nil {
 		log.WithFields(log.Fields{"url": url, "k1": param_k1}).Warn(err)
@@ -263,14 +261,14 @@ func Callback(w http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	params_pr, ok := req.URL.Query()["pr"]
-	if !ok || len(params_pr[0]) < 1 {
+	// get the payment request
+	param_pr := req.URL.Query().Get("pr")
+	if param_pr == "" {
 		log.WithFields(log.Fields{"card_payment_id": p.Card_payment_id}).Warn("pr field not found")
 		resp_err.Write(w)
 		return
 	}
 
-	param_pr := params_pr[0]
 	bolt11, _ := decodepay.Decodepay(param_pr)
 
 	// record the lightning invoice
@@ -283,6 +281,23 @@ func Callback(w http.ResponseWriter, req *http.Request) {
 
 	log.WithFields(log.Fields{"card_payment_id": p.Card_payment_id}).Debug("checking payment rules")
 
+	// get the pin if it has been passed in
+	param_pin := req.URL.Query().Get("pin")
+
+	c, err := db.Get_card_from_card_id(p.Card_id)
+	if err != nil {
+		log.WithFields(log.Fields{"card_payment_id": p.Card_payment_id}).Warn(err)
+		resp_err.Write(w)
+		return
+	}
+
+	// check the pin if needed
+	if c.Pin_enable == "Y" && int(bolt11.MSatoshi/1000) >= c.Pin_limit_sats && c.Pin_number != param_pin {
+		log.WithFields(log.Fields{"card_payment_id": p.Card_payment_id}).Warn("incorrect pin provided")
+		resp_err.Write(w)
+		return
+	}
+
 	// check if we are only sending funds to a defined test node
 	testnode := db.Get_setting("LN_TESTNODE")
 	if testnode != "" && bolt11.Payee != testnode {