fix: forbid fetching 0 amount bolt12 invoices

BoltzExchange · Jan 28, 2025 · 02783ec · 02783ec
1 parent 985599e
commit 02783ec
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 5 deletions.
diff --git a/boltzr/src/api/lightning.rs b/boltzr/src/api/lightning.rs
@@ -1,4 +1,5 @@
 use crate::api::errors::{ApiError, AxumError};
+use crate::api::types::assert_not_zero;
 use crate::api::ws::status::SwapInfos;
 use crate::api::ServerState;
 use crate::service::InfoFetchError;
@@ -16,6 +17,7 @@ use std::sync::Arc;
 pub struct Bolt12FetchRequest {
     offer: String,
     // In satoshis
+    #[serde(deserialize_with = "assert_not_zero")]
     amount: u64,
 }
 
@@ -252,7 +254,7 @@ mod test {
                     .body(Body::from(
                         serde_json::to_vec(&Bolt12FetchRequest {
                             offer: "".to_string(),
-                            amount: 0,
+                            amount: 1,
                         })
                         .unwrap(),
                     ))
@@ -270,6 +272,38 @@ mod test {
         );
     }
 
+    #[tokio::test]
+    async fn test_bolt12_fetch_zero_amount() {
+        let mut manager = MockManager::new();
+        manager.expect_get_currency().return_const(None);
+
+        let res = setup_router(manager)
+            .oneshot(
+                Request::builder()
+                    .method(axum::http::Method::POST)
+                    .uri("/v2/lightning/BTC/bolt12/fetch")
+                    .header(axum::http::header::CONTENT_TYPE, "application/json")
+                    .body(Body::from(
+                        serde_json::to_vec(&Bolt12FetchRequest {
+                            offer: "".to_string(),
+                            amount: 0,
+                        })
+                        .unwrap(),
+                    ))
+                    .unwrap(),
+            )
+            .await
+            .unwrap();
+
+        assert_eq!(res.status(), StatusCode::UNPROCESSABLE_ENTITY);
+
+        let body = res.into_body().collect().await.unwrap().to_bytes();
+        assert_eq!(
+            serde_json::from_slice::<ApiError>(&body).unwrap().error,
+            "Failed to deserialize the JSON body into the target type: amount: invalid value: integer `0`, expected value greater than 0 at line 1 column 23"
+        );
+    }
+
     #[rstest]
     #[case("03a7ee82c3c7fc4c796d26e513676d445d49b9c62004a47f2e813695a439a8fd01")]
     #[case("02d39d33219daac2e5db99c07d4568485d2842e108ff7c1fb0ce13b0cc908e559b")]

diff --git a/boltzr/src/api/mod.rs b/boltzr/src/api/mod.rs
@@ -20,6 +20,7 @@ mod headers;
 mod lightning;
 mod sse;
 mod stats;
+mod types;
 pub mod ws;
 
 #[derive(Deserialize, Serialize, PartialEq, Clone, Debug)]
@@ -122,10 +123,6 @@ where
                 "/v2/swap/{swap_type}/stats/{from}/{to}",
                 get(get_stats::<S, M>),
             )
-            .route(
-                "/v2/lightning/{currency}/bolt12/fetch",
-                post(lightning::bolt12_fetch::<S, M>),
-            )
             .route(
                 "/v2/lightning/{currency}/node/{node}",
                 get(lightning::node_info::<S, M>),
@@ -134,6 +131,10 @@ where
                 "/v2/lightning/{currency}/channels/{node}",
                 get(lightning::channels::<S, M>),
             )
+            .route(
+                "/v2/lightning/{currency}/bolt12/fetch",
+                post(lightning::bolt12_fetch::<S, M>),
+            )
             .layer(axum::middleware::from_fn(error_middleware))
     }
 }

diff --git a/boltzr/src/api/types.rs b/boltzr/src/api/types.rs
@@ -0,0 +1,15 @@
+use serde::{Deserialize, Deserializer};
+
+pub fn assert_not_zero<'de, D>(deserializer: D) -> Result<u64, D::Error>
+where
+    D: Deserializer<'de>,
+{
+    let amount = u64::deserialize(deserializer)?;
+    if amount == 0 {
+        return Err(serde::de::Error::invalid_value(
+            serde::de::Unexpected::Unsigned(amount),
+            &"value greater than 0",
+        ));
+    }
+    Ok(amount)
+}