core-lightning/plugins/fetchinvoice.c

#include "config.h"
#include <bitcoin/chainparams.h>
#include <ccan/array_size/array_size.h>
#include <ccan/cast/cast.h>
#include <ccan/json_out/json_out.h>
#include <ccan/mem/mem.h>
#include <ccan/str/hex/hex.h>
#include <ccan/tal/str/str.h>
#include <common/blindedpath.h>
#include <common/bolt12_merkle.h>
#include <common/dijkstra.h>
#include <common/gossmap.h>
#include <common/json_param.h>
#include <common/json_stream.h>
#include <common/memleak.h>
#include <common/overflows.h>
#include <common/route.h>
#include <common/type_to_string.h>
#include <errno.h>
#include <plugins/libplugin.h>
#include <secp256k1_schnorrsig.h>
#include <sodium.h>

static struct gossmap *global_gossmap;
static struct pubkey local_id;
static bool disable_connect = false;
static LIST_HEAD(sent_list);

struct sent {
	/* We're in sent_invreqs, awaiting reply. */
	struct list_node list;
	/* The secret used by reply */
	struct secret *reply_secret;
	/* The command which sent us. */
	struct command *cmd;
	/* The offer we are trying to get an invoice/payment for. */
	struct tlv_offer *offer;
	/* Path to use (including self) */
	struct pubkey *path;

	/* The invreq we sent, OR the invoice we sent */
	struct tlv_invoice_request *invreq;

	struct tlv_invoice *inv;
	struct preimage inv_preimage;
	struct json_escape *inv_label;
	/* How long to wait for response before giving up. */
	u32 wait_timeout;
};

static struct sent *find_sent_by_secret(const struct secret *pathsecret)
{
	struct sent *i;

	list_for_each(&sent_list, i, list) {
		if (i->reply_secret && secret_eq_consttime(i->reply_secret, pathsecret))
			return i;
	}
	return NULL;
}

/* Hack to suppress warnings when we finish a different command */
static void discard_result(struct command_result *ret)
{
}

/* Returns NULL if it wasn't an error. */
static struct command_result *handle_error(struct command *cmd,
					   struct sent *sent,
					   const char *buf,
					   const jsmntok_t *om)
{
	const u8 *data;
	size_t dlen;
	struct tlv_invoice_error *err;
	struct json_out *details;
	const jsmntok_t *errtok;

	errtok = json_get_member(buf, om, "invoice_error");
	if (!errtok)
		return NULL;

	data = json_tok_bin_from_hex(cmd, buf, errtok);
	dlen = tal_bytelen(data);
	details = json_out_new(cmd);

	plugin_log(cmd->plugin, LOG_DBG, "errtok = %.*s",
		   json_tok_full_len(errtok),
		   json_tok_full(buf, errtok));
	json_out_start(details, NULL, '{');
	err = fromwire_tlv_invoice_error(cmd, &data, &dlen);
	if (!err) {
		plugin_log(cmd->plugin, LOG_DBG,
			   "Invalid invoice_error %.*s",
			   json_tok_full_len(errtok),
			   json_tok_full(buf, errtok));
		json_out_addstr(details, "invoice_error_hex",
				tal_strndup(tmpctx,
					    buf + errtok->start,
					    errtok->end - errtok->start));
	} else {
		char *failstr;

		/* FIXME: with a bit more generate-wire.py support,
		 * we could have fieldnames and even types. */
		if (err->erroneous_field)
			json_out_add(details, "erroneous_field", false,
				     "%"PRIu64, *err->erroneous_field);
		if (err->suggested_value)
			json_out_addstr(details, "suggested_value",
					tal_hex(tmpctx,
						err->suggested_value));
		/* If they don't include this, it'll be empty */
		failstr = tal_strndup(tmpctx,
				      err->error,
				      tal_bytelen(err->error));
		json_out_addstr(details, "error", failstr);
	}
	json_out_end(details, '}');
	discard_result(command_done_err(sent->cmd,
					OFFER_BAD_INVREQ_REPLY,
					"Remote node sent failure message",
						details));
	return command_hook_success(cmd);
}

/* BOLT-offers #12:
 * - if the invoice is a response to an `invoice_request`:
 *   - MUST reject the invoice if all fields less than type 160 do not
 *     exactly match the `invoice_request`.
 */
static bool invoice_matches_request(struct command *cmd,
				    const u8 *invbin,
				    const struct tlv_invoice_request *invreq)
{
	size_t len1, len2;
	u8 *wire;

	/* We linearize then strip signature.  This is dumb! */
	wire = tal_arr(tmpctx, u8, 0);
	towire_tlv_invoice_request(&wire, invreq);
	len1 = tlv_span(wire, 0, 159, NULL);

	len2 = tlv_span(invbin, 0, 159, NULL);
	return memeq(wire, len1, invbin, len2);
}

static struct command_result *handle_invreq_response(struct command *cmd,
						     struct sent *sent,
						     const char *buf,
						     const jsmntok_t *om)
{
	const u8 *invbin, *cursor;
	const jsmntok_t *invtok;
	size_t len;
	struct tlv_invoice *inv;
	struct sha256 merkle, sighash;
	struct json_stream *out;
	const char *badfield;
	u64 *expected_amount;

	invtok = json_get_member(buf, om, "invoice");
	if (!invtok) {
		plugin_log(cmd->plugin, LOG_UNUSUAL,
			   "Neither invoice nor invoice_request_failed in reply %.*s",
			   json_tok_full_len(om),
			   json_tok_full(buf, om));
		discard_result(command_fail(sent->cmd,
					    OFFER_BAD_INVREQ_REPLY,
					    "Neither invoice nor invoice_request_failed in reply %.*s",
					    json_tok_full_len(om),
					    json_tok_full(buf, om)));
		return command_hook_success(cmd);
	}

	invbin = json_tok_bin_from_hex(cmd, buf, invtok);
	cursor = invbin;
	len = tal_bytelen(invbin);
 	inv = fromwire_tlv_invoice(cmd, &cursor, &len);
	if (!inv) {
		badfield = "invoice";
		goto badinv;
	}

#if DEVELOPER
	/* Raw send?  Just fwd reply. */
	if (!sent->offer) {
		out = jsonrpc_stream_success(sent->cmd);
		json_add_string(out, "invoice", invoice_encode(tmpctx, inv));
		discard_result(command_finished(sent->cmd, out));
		return command_hook_success(cmd);
	}
#endif /* DEVELOPER */

	/* BOLT-offers #12:
	 * - if the invoice is a response to an `invoice_request`:
	 *   - MUST reject the invoice if all fields less than type 160 do not
	 *     exactly match the `invoice_request`.
	 */
	if (!invoice_matches_request(cmd, invbin, sent->invreq)) {
		badfield = "invoice_request match";
		goto badinv;
	}

	/* BOLT-offers #12:
	 *     - if `offer_node_id` is present (invoice_request for an offer):
	 * 	  - MUST reject the invoice if `invoice_node_id` is not equal to `offer_node_id`.
	 */
	if (!inv->invoice_node_id || !pubkey_eq(inv->offer_node_id, inv->invoice_node_id)) {
		badfield = "invoice_node_id";
		goto badinv;
	}

	/* BOLT-offers #12:
	 *   - MUST reject the invoice if `signature` is not a valid signature
	 *      using `invoice_node_id` as described in [Signature Calculation]
	 */
	merkle_tlv(inv->fields, &merkle);
	sighash_from_merkle("invoice", "signature", &merkle, &sighash);

	if (!inv->signature
	    || !check_schnorr_sig(&sighash, &inv->invoice_node_id->pubkey, inv->signature)) {
		badfield = "signature";
		goto badinv;
	}

	/* BOLT-offers #12:
	 * A reader of an invoice:
	 *   - MUST reject the invoice if `invoice_amount` is not present.
	 */
	if (!inv->invoice_amount) {
		badfield = "invoice_amount";
		goto badinv;
	}

	/* Get the amount we expected: firstly, if that's what we sent,
	 * secondly, if specified in the invoice. */
	if (inv->invreq_amount) {
		expected_amount = tal_dup(tmpctx, u64, inv->invreq_amount);
	} else if (inv->offer_amount && !inv->offer_currency) {
		expected_amount = tal(tmpctx, u64);

		*expected_amount = *inv->offer_amount;
		if (inv->invreq_quantity) {
			/* We should never have sent this! */
			if (mul_overflows_u64(*expected_amount,
					      *inv->invreq_quantity)) {
				badfield = "quantity overflow";
				goto badinv;
			}
			*expected_amount *= *inv->invreq_quantity;
		}
	} else
		expected_amount = NULL;

	/* BOLT-offers-recurrence #12:
	 * - if the offer contained `recurrence`:
	 *   - MUST reject the invoice if `recurrence_basetime` is not set.
	 */
	if (inv->invreq_recurrence_counter && !inv->invoice_recurrence_basetime) {
		badfield = "recurrence_basetime";
		goto badinv;
	}

	out = jsonrpc_stream_success(sent->cmd);
	json_add_string(out, "invoice", invoice_encode(tmpctx, inv));
	json_object_start(out, "changes");
	/* BOLT-offers #12:
	 *   - SHOULD confirm authorization if `msat` is not within the amount
	 *     range authorized.
	 */
	/* We always tell them this unless it's trivial to calc and
	 * exactly as expected. */
	if (!expected_amount || *inv->invoice_amount != *expected_amount) {
		json_add_amount_msat_only(out, "amount_msat",
					  amount_msat(*inv->invoice_amount));
	}
	json_object_end(out);

	/* We tell them about next period at this point, if any. */
	if (inv->offer_recurrence) {
		u64 next_counter, next_period_idx;
		u64 paywindow_start, paywindow_end;

		next_counter = *inv->invreq_recurrence_counter + 1;
		if (inv->invreq_recurrence_start)
			next_period_idx = *inv->invreq_recurrence_start
				+ next_counter;
		else
			next_period_idx = next_counter;

		/* If this was the last, don't tell them about a next! */
		if (!inv->offer_recurrence_limit
		    || next_period_idx <= *inv->offer_recurrence_limit) {
			json_object_start(out, "next_period");
			json_add_u64(out, "counter", next_counter);
			json_add_u64(out, "starttime",
				     offer_period_start(*inv->invoice_recurrence_basetime,
							next_period_idx,
							inv->offer_recurrence));
			json_add_u64(out, "endtime",
				     offer_period_start(*inv->invoice_recurrence_basetime,
							next_period_idx + 1,
							inv->offer_recurrence) - 1);

			offer_period_paywindow(inv->offer_recurrence,
					       inv->offer_recurrence_paywindow,
					       inv->offer_recurrence_base,
					       *inv->invoice_recurrence_basetime,
					       next_period_idx,
					       &paywindow_start, &paywindow_end);
			json_add_u64(out, "paywindow_start", paywindow_start);
			json_add_u64(out, "paywindow_end", paywindow_end);
			json_object_end(out);
		}
	}

	discard_result(command_finished(sent->cmd, out));
	return command_hook_success(cmd);

badinv:
	plugin_log(cmd->plugin, LOG_DBG, "Failed invoice due to %s", badfield);
	discard_result(command_fail(sent->cmd,
				    OFFER_BAD_INVREQ_REPLY,
				    "Incorrect %s field in %.*s",
				    badfield,
				    json_tok_full_len(invtok),
				    json_tok_full(buf, invtok)));
	return command_hook_success(cmd);
}

static struct command_result *recv_modern_onion_message(struct command *cmd,
							const char *buf,
							const jsmntok_t *params)
{
	const jsmntok_t *om, *secrettok;
	struct sent *sent;
	struct secret pathsecret;
	struct command_result *err;

	om = json_get_member(buf, params, "onion_message");

	secrettok = json_get_member(buf, om, "pathsecret");
	json_to_secret(buf, secrettok, &pathsecret);
	sent = find_sent_by_secret(&pathsecret);
	if (!sent) {
		plugin_log(cmd->plugin, LOG_DBG,
			   "No match for modern onion %.*s",
			   json_tok_full_len(om),
			   json_tok_full(buf, om));
		return command_hook_success(cmd);
	}

	plugin_log(cmd->plugin, LOG_DBG, "Received modern onion message: %.*s",
		   json_tok_full_len(params),
		   json_tok_full(buf, params));

	err = handle_error(cmd, sent, buf, om);
	if (err)
		return err;

	if (sent->invreq)
		return handle_invreq_response(cmd, sent, buf, om);

	return command_hook_success(cmd);
}

static void destroy_sent(struct sent *sent)
{
	list_del(&sent->list);
}

/* We've received neither a reply nor a payment; return failure. */
static void timeout_sent_invreq(struct sent *sent)
{
	/* This will free sent! */
	discard_result(command_fail(sent->cmd, OFFER_TIMEOUT,
				    "Timeout waiting for response"));
}

static struct command_result *sendonionmsg_done(struct command *cmd,
						const char *buf UNUSED,
						const jsmntok_t *result UNUSED,
						struct sent *sent)
{
	tal_steal(cmd, plugin_timer(cmd->plugin,
				    time_from_sec(sent->wait_timeout),
				    timeout_sent_invreq, sent));
	sent->cmd = cmd;
	list_add_tail(&sent_list, &sent->list);
	tal_add_destructor(sent, destroy_sent);
	return command_still_pending(cmd);
}

static void init_gossmap(struct plugin *plugin)
{
	size_t num_cupdates_rejected;
	global_gossmap
		= notleak_with_children(gossmap_load(NULL,
						     GOSSIP_STORE_FILENAME,
						     &num_cupdates_rejected));
	if (!global_gossmap)
		plugin_err(plugin, "Could not load gossmap %s: %s",
			   GOSSIP_STORE_FILENAME, strerror(errno));
	if (num_cupdates_rejected)
		plugin_log(plugin, LOG_DBG,
			   "gossmap ignored %zu channel updates",
			   num_cupdates_rejected);
}

static struct gossmap *get_gossmap(struct plugin *plugin)
{
	if (!global_gossmap)
		init_gossmap(plugin);
	else
		gossmap_refresh(global_gossmap, NULL);
	return global_gossmap;
}

static struct command_result *param_offer(struct command *cmd,
					  const char *name,
					  const char *buffer,
					  const jsmntok_t *tok,
					  struct tlv_offer **offer)
{
	char *fail;
	int badf;

	*offer = offer_decode(cmd, buffer + tok->start, tok->end - tok->start,
			      plugin_feature_set(cmd->plugin), chainparams,
			      &fail);
	if (!*offer)
		return command_fail_badparam(cmd, name, buffer, tok,
					     tal_fmt(cmd,
						     "Unparsable offer: %s",
						     fail));
	/* BOLT-offers #12:
	 * A reader of an offer:
	 * - if the offer contains any unknown TLV fields greater or equal to 80:
	 *   - MUST NOT respond to the offer.
	 * - if `offer_features` contains unknown _odd_ bits that are non-zero:
	 *     - MUST ignore the bit.
	 * - if `offer_features` contains unknown _even_ bits that are non-zero:
	 *   - MUST NOT respond to the offer.
	 *   - SHOULD indicate the unknown bit to the user.
	 * - if `offer_description` is not set:
	 *   - MUST NOT respond to the offer.
	 * - if `offer_node_id` is not set:
	 *   - MUST NOT respond to the offer.
	 */
	for (size_t i = 0; i < tal_count((*offer)->fields); i++) {
		if ((*offer)->fields[i].numtype > 80) {
			return command_fail_badparam(cmd, name, buffer, tok,
						     tal_fmt(tmpctx,
							     "Offer %"PRIu64
							     " field >= 80",
							     (*offer)->fields[i].numtype));
		}
	}

	badf = features_unsupported(plugin_feature_set(cmd->plugin),
				    (*offer)->offer_features,
				    BOLT12_OFFER_FEATURE);
	if (badf != -1) {
		return command_fail_badparam(cmd, name, buffer, tok,
					     tal_fmt(tmpctx,
						     "unknown feature %i",
						     badf));
	}
	if (!(*offer)->offer_description)
		return command_fail_badparam(cmd, name, buffer, tok,
					     "Offer does not contain a description");
	if (!(*offer)->offer_node_id)
		return command_fail_badparam(cmd, name, buffer, tok,
					     "Offer does not contain a node_id");

	/* BOLT-offers #12:
	 * - if `offer_chains` is not set:
	 *    - if the node does not accept bitcoin invoices:
	 *      - MUST NOT respond to the offer
	 * - otherwise: (`offer_chains` is set):
	 *    - if the node does not accept invoices for any of the `chains`:
	 *      - MUST NOT respond to the offer
	 */
	if (!bolt12_chains_match((*offer)->offer_chains,
				 tal_count((*offer)->offer_chains),
				 chainparams)) {
		return command_fail_badparam(cmd, name, buffer, tok,
					     "Offer for wrong chains");
	}

	return NULL;
}

static bool can_carry_onionmsg(const struct gossmap *map,
			       const struct gossmap_chan *c,
			       int dir,
			       struct amount_msat amount UNUSED,
			       void *arg UNUSED)
{
	const struct gossmap_node *n;
	/* Don't use it if either side says it's disabled */
	if (!c->half[dir].enabled || !c->half[!dir].enabled)
		return false;

	/* Check features of recipient */
	n = gossmap_nth_node(map, c, !dir);
	/* 102/103 was the old EXPERIMENTAL feature bit: remove soon! */
	return gossmap_node_get_feature(map, n, OPT_ONION_MESSAGES) != -1
		|| gossmap_node_get_feature(map, n, 102) != -1;
}

static struct pubkey *path_to_node(const tal_t *ctx,
				   struct plugin *plugin,
				   const struct pubkey *node_id)
{
	struct route_hop *r;
	const struct dijkstra *dij;
	const struct gossmap_node *src;
	const struct gossmap_node *dst;
	struct node_id dstid, local_nodeid;
	struct pubkey *nodes;
	struct gossmap *gossmap = get_gossmap(plugin);

	node_id_from_pubkey(&dstid, node_id);
	dst = gossmap_find_node(gossmap, &dstid);
	if (!dst)
		return NULL;

	/* If we don't exist in gossip, routing can't happen. */
	node_id_from_pubkey(&local_nodeid, &local_id);
	src = gossmap_find_node(gossmap, &local_nodeid);
	if (!src)
		return NULL;

	dij = dijkstra(tmpctx, gossmap, dst, AMOUNT_MSAT(0), 0,
		       can_carry_onionmsg, route_score_shorter, NULL);

	r = route_from_dijkstra(tmpctx, gossmap, dij, src, AMOUNT_MSAT(0), 0);
	if (!r)
		return NULL;

	nodes = tal_arr(ctx, struct pubkey, tal_count(r) + 1);
	nodes[0] = local_id;
	for (size_t i = 0; i < tal_count(r); i++) {
		if (!pubkey_from_node_id(&nodes[i+1], &r[i].node_id)) {
			plugin_err(plugin, "Could not convert nodeid %s",
				   type_to_string(tmpctx, struct node_id,
						  &r[i].node_id));
		}
	}
	return nodes;
}

/* Marshal arguments for sending onion messages */
struct sending {
	struct sent *sent;
	struct tlv_onionmsg_tlv *payload;
	struct command_result *(*done)(struct command *cmd,
				       const char *buf UNUSED,
				       const jsmntok_t *result UNUSED,
				       struct sent *sent);
};

static struct command_result *
send_modern_message(struct command *cmd,
		    struct blinded_path *reply_path,
		    struct sending *sending)
{
	struct sent *sent = sending->sent;
	struct privkey blinding_iter;
	struct pubkey fwd_blinding, *node_alias;
	size_t nhops = tal_count(sent->path);
	struct tlv_onionmsg_tlv **payloads;
	struct out_req *req;
	struct tlv_encrypted_data_tlv *tlv;

	/* Now create enctlvs for *forward* path. */
	randombytes_buf(&blinding_iter, sizeof(blinding_iter));
	if (!pubkey_from_privkey(&blinding_iter, &fwd_blinding))
		return command_fail(cmd, LIGHTNINGD,
				    "Could not convert blinding %s to pubkey!",
				    type_to_string(tmpctx, struct privkey,
						   &blinding_iter));

	/* We overallocate: this node (0) doesn't have payload or alias */
	payloads = tal_arr(cmd, struct tlv_onionmsg_tlv *, nhops);
	node_alias = tal_arr(cmd, struct pubkey, nhops);

	for (size_t i = 1; i < nhops - 1; i++) {
		payloads[i] = tlv_onionmsg_tlv_new(payloads);

		tlv = tlv_encrypted_data_tlv_new(tmpctx);
		tlv->next_node_id = &sent->path[i+1];
		/* FIXME: Pad? */

		payloads[i]->encrypted_recipient_data
			= encrypt_tlv_encrypted_data(payloads[i],
						     &blinding_iter,
						     &sent->path[i],
						     tlv,
						     &blinding_iter,
						     &node_alias[i]);
	}
	/* Final payload contains the actual data. */
	payloads[nhops-1] = sending->payload;

	/* We don't include enctlv in final, but it gives us final alias */
	tlv = tlv_encrypted_data_tlv_new(tmpctx);
	if (!encrypt_tlv_encrypted_data(tmpctx,
					&blinding_iter,
					&sent->path[nhops-1],
					tlv,
					NULL,
					&node_alias[nhops-1])) {
		/* Should not happen! */
		return command_fail(cmd, LIGHTNINGD,
				    "Could create final enctlv");
	}

	payloads[nhops-1]->reply_path = reply_path;

	req = jsonrpc_request_start(cmd->plugin, cmd, "sendonionmessage",
				    sending->done,
				    forward_error,
				    sending->sent);
	json_add_pubkey(req->js, "first_id", &sent->path[1]);
	json_add_pubkey(req->js, "blinding", &fwd_blinding);
	json_array_start(req->js, "hops");
	for (size_t i = 1; i < nhops; i++) {
		u8 *tlvbin;
		json_object_start(req->js, NULL);
		json_add_pubkey(req->js, "id", &node_alias[i]);
		tlvbin = tal_arr(tmpctx, u8, 0);
		towire_tlv_onionmsg_tlv(&tlvbin, payloads[i]);
		json_add_hex_talarr(req->js, "tlv", tlvbin);
		json_object_end(req->js);
	}
	json_array_end(req->js);
	return send_outreq(cmd->plugin, req);
}

/* Lightningd gives us reply path, since we don't know secret to put
 * in final so it will recognize it. */
static struct command_result *use_reply_path(struct command *cmd,
					     const char *buf,
					     const jsmntok_t *result,
					     struct sending *sending)
{
	struct blinded_path *rpath;

	rpath = json_to_blinded_path(cmd, buf,
				     json_get_member(buf, result, "blindedpath"));
	if (!rpath)
		plugin_err(cmd->plugin,
			   "could not parse reply path %.*s?",
			   json_tok_full_len(result),
			   json_tok_full(buf, result));

	return send_modern_message(cmd, rpath, sending);
}

static struct command_result *make_reply_path(struct command *cmd,
					      struct sending *sending)
{
	struct out_req *req;
	size_t nhops = tal_count(sending->sent->path);

	/* FIXME: Maybe we should allow this? */
	if (tal_count(sending->sent->path) == 1)
		return command_fail(cmd, PAY_ROUTE_NOT_FOUND,
				    "Refusing to talk to ourselves");

	/* Create transient secret so we can validate reply! */
	sending->sent->reply_secret = tal(sending->sent, struct secret);
	randombytes_buf(sending->sent->reply_secret, sizeof(struct secret));

	req = jsonrpc_request_start(cmd->plugin, cmd, "blindedpath",
				    use_reply_path,
				    forward_error,
				    sending);

	/* FIXME: Could create an independent reply path, not just
	 * reverse existing. */
	json_array_start(req->js, "ids");
	for (int i = nhops - 2; i >= 0; i--)
		json_add_pubkey(req->js, NULL, &sending->sent->path[i]);
	json_array_end(req->js);
	json_add_secret(req->js, "pathsecret", sending->sent->reply_secret);
	return send_outreq(cmd->plugin, req);
}

static struct command_result *send_message(struct command *cmd,
					   struct sent *sent,
					   struct tlv_onionmsg_tlv *payload STEALS,
					   struct command_result *(*done)
					   (struct command *cmd,
					    const char *buf UNUSED,
					    const jsmntok_t *result UNUSED,
					    struct sent *sent))
{
	struct sending *sending = tal(cmd, struct sending);
	sending->sent = sent;
	sending->payload = tal_steal(sending, payload);
	sending->done = done;

	return make_reply_path(cmd, sending);
}

/* We've connected (if we tried), so send the invreq. */
static struct command_result *
sendinvreq_after_connect(struct command *cmd,
			 const char *buf UNUSED,
			 const jsmntok_t *result UNUSED,
			 struct sent *sent)
{
	struct tlv_onionmsg_tlv *payload = tlv_onionmsg_tlv_new(sent);

	payload->invoice_request = tal_arr(payload, u8, 0);
	towire_tlv_invoice_request(&payload->invoice_request, sent->invreq);

	return send_message(cmd, sent, payload, sendonionmsg_done);
}

struct connect_attempt {
	struct node_id node_id;
	struct command_result *(*cb)(struct command *command,
				     const char *buf,
				     const jsmntok_t *result,
				     struct sent *sent);
	struct sent *sent;
};

static struct command_result *connected(struct command *command,
					const char *buf,
					const jsmntok_t *result,
					struct connect_attempt *ca)
{
	return ca->cb(command, buf, result, ca->sent);
}

static struct command_result *connect_failed(struct command *command,
					     const char *buf,
					     const jsmntok_t *result,
					     struct connect_attempt *ca)
{
	return command_done_err(command, OFFER_ROUTE_NOT_FOUND,
				"Failed: could not route, could not connect",
				NULL);
}

/* We can't find a route, so we're going to try to connect, then just blast it
 * to them. */
static struct command_result *
connect_direct(struct command *cmd,
	       const struct pubkey *dst,
	       struct command_result *(*cb)(struct command *command,
					    const char *buf,
					    const jsmntok_t *result,
					    struct sent *sent),
	       struct sent *sent)
{
	struct out_req *req;
	struct connect_attempt *ca = tal(cmd, struct connect_attempt);

	ca->cb = cb;
	ca->sent = sent;
	node_id_from_pubkey(&ca->node_id, dst);

	/* Make a direct path -> dst. */
	sent->path = tal_arr(sent, struct pubkey, 2);
	sent->path[0] = local_id;
	if (!pubkey_from_node_id(&sent->path[1], &ca->node_id)) {
		/* Should not happen! */
		return command_done_err(cmd, LIGHTNINGD,
					"Failed: could not convert to pubkey?",
					NULL);
	}

	if (disable_connect) {
		/* FIXME: This means we will fail if parity is wrong! */
		plugin_notify_message(cmd, LOG_UNUSUAL,
				      "Cannot find route, but"
				      " fetchplugin-noconnect set:"
				      " trying direct anyway to %s",
				      type_to_string(tmpctx, struct pubkey,
						     dst));
		return cb(cmd, NULL, NULL, sent);
	}

	req = jsonrpc_request_start(cmd->plugin, cmd, "connect", connected,
				    connect_failed, ca);
	json_add_node_id(req->js, "id", &ca->node_id);
	return send_outreq(cmd->plugin, req);
}

static struct command_result *invreq_done(struct command *cmd,
					  const char *buf,
					  const jsmntok_t *result,
					  struct sent *sent)
{
	const jsmntok_t *t;
	char *fail;

	/* Get invoice request */
	t = json_get_member(buf, result, "bolt12");
	if (!t)
		return command_fail(cmd, LIGHTNINGD,
				    "Missing bolt12 %.*s",
				    json_tok_full_len(result),
				    json_tok_full(buf, result));

	plugin_log(cmd->plugin, LOG_DBG,
		   "invoice_request: %.*s",
		   json_tok_full_len(t),
		   json_tok_full(buf, t));

	sent->inv = NULL;
	sent->invreq = invrequest_decode(sent,
					 buf + t->start,
					 t->end - t->start,
					 plugin_feature_set(cmd->plugin),
					 chainparams,
					 &fail);
	if (!sent->invreq)
		return command_fail(cmd, LIGHTNINGD,
				    "Invalid invoice_request %.*s: %s",
				    json_tok_full_len(t),
				    json_tok_full(buf, t),
				    fail);

	/* Now that's given us the previous base, check this is an OK time
	 * to request an invoice. */
	if (sent->invreq->invreq_recurrence_counter) {
		u64 *base;
		const jsmntok_t *pbtok;
		u64 period_idx = *sent->invreq->invreq_recurrence_counter;

		if (sent->invreq->invreq_recurrence_start)
			period_idx += *sent->invreq->invreq_recurrence_start;

		/* BOLT-offers-recurrence #12:
		 * - if the offer contained `recurrence_limit`:
		 *   - MUST NOT send an `invoice_request` for a period greater
		 *     than `max_period`
		 */
		if (sent->invreq->offer_recurrence_limit
		    && period_idx > *sent->invreq->offer_recurrence_limit)
			return command_fail(cmd, LIGHTNINGD,
					    "Can't send invreq for period %"
					    PRIu64" (limit %u)",
					    period_idx,
					    *sent->invreq->offer_recurrence_limit);

		/* BOLT-offers-recurrence #12:
		 * - SHOULD NOT send an `invoice_request` for a period which has
		 *   already passed.
		 */
		/* If there's no recurrence_base, we need a previous payment
		 * for this: fortunately createinvoicerequest does that
		 * lookup. */
		pbtok = json_get_member(buf, result, "previous_basetime");
		if (pbtok) {
			base = tal(tmpctx, u64);
			json_to_u64(buf, pbtok, base);
		} else if (sent->invreq->offer_recurrence_base)
			base = &sent->invreq->offer_recurrence_base->basetime;
		else {
			/* happens with *recurrence_base == 0 */
			assert(*sent->invreq->invreq_recurrence_counter == 0);
			base = NULL;
		}

		if (base) {
			u64 period_start, period_end, now = time_now().ts.tv_sec;
			offer_period_paywindow(sent->invreq->offer_recurrence,
					       sent->invreq->offer_recurrence_paywindow,
					       sent->invreq->offer_recurrence_base,
					       *base, period_idx,
					       &period_start, &period_end);
			if (now < period_start)
				return command_fail(cmd, LIGHTNINGD,
						    "Too early: can't send until time %"
						    PRIu64" (in %"PRIu64" secs)",
						    period_start,
						    period_start - now);
			if (now > period_end)
				return command_fail(cmd, LIGHTNINGD,
						    "Too late: expired time %"
						    PRIu64" (%"PRIu64" secs ago)",
						    period_end,
						    now - period_end);
		}
	}

	sent->path = path_to_node(sent, cmd->plugin,
				  sent->invreq->offer_node_id);
	if (!sent->path)
		return connect_direct(cmd, sent->invreq->offer_node_id,
				      sendinvreq_after_connect, sent);

	return sendinvreq_after_connect(cmd, NULL, NULL, sent);
}

/* If they hand us the payer secret, we sign it directly, bypassing checks
 * about periods etc. */
static struct command_result *
force_payer_secret(struct command *cmd,
		   struct sent *sent,
		   struct tlv_invoice_request *invreq STEALS,
		   const struct secret *payer_secret)
{
	struct sha256 merkle, sha;
	secp256k1_keypair kp;

	if (secp256k1_keypair_create(secp256k1_ctx, &kp, payer_secret->data) != 1)
		return command_fail(cmd, LIGHTNINGD, "Bad payer_secret");

	invreq->invreq_payer_id = tal(invreq, struct pubkey);
	/* Docs say this only happens if arguments are invalid! */
	if (secp256k1_keypair_pub(secp256k1_ctx,
				  &invreq->invreq_payer_id->pubkey,
				  &kp) != 1)
		plugin_err(cmd->plugin,
			   "secp256k1_keypair_pub failed on %s?",
			   type_to_string(tmpctx, struct secret, payer_secret));

	/* Re-calculate ->fields */
	tal_free(invreq->fields);
	invreq->fields = tlv_make_fields(invreq, tlv_invoice_request);

	sent->invreq = tal_steal(sent, invreq);
	merkle_tlv(sent->invreq->fields, &merkle);
	sighash_from_merkle("invoice_request", "signature", &merkle, &sha);

	sent->invreq->signature = tal(invreq, struct bip340sig);
	if (!secp256k1_schnorrsig_sign32(secp256k1_ctx,
				       sent->invreq->signature->u8,
				       sha.u.u8,
				       &kp,
				       NULL)) {
		return command_fail(cmd, LIGHTNINGD,
				    "Failed to sign with payer_secret");
	}

	sent->path = path_to_node(sent, cmd->plugin,
				  sent->invreq->offer_node_id);
	if (!sent->path)
		return connect_direct(cmd, sent->invreq->offer_node_id,
				      sendinvreq_after_connect, sent);

	return sendinvreq_after_connect(cmd, NULL, NULL, sent);
}

/* Fetches an invoice for this offer, and makes sure it corresponds. */
static struct command_result *json_fetchinvoice(struct command *cmd,
						const char *buffer,
						const jsmntok_t *params)
{
	struct amount_msat *msat;
	const char *rec_label, *payer_note;
	struct out_req *req;
	struct tlv_invoice_request *invreq;
	struct sent *sent = tal(cmd, struct sent);
	struct secret *payer_secret = NULL;
	u32 *timeout;
	u64 *quantity;
	u32 *recurrence_counter, *recurrence_start;

	if (!param(cmd, buffer, params,
		   p_req("offer", param_offer, &sent->offer),
		   p_opt("amount_msat|msatoshi", param_msat, &msat),
		   p_opt("quantity", param_u64, &quantity),
		   p_opt("recurrence_counter", param_number, &recurrence_counter),
		   p_opt("recurrence_start", param_number, &recurrence_start),
		   p_opt("recurrence_label", param_string, &rec_label),
		   p_opt_def("timeout", param_number, &timeout, 60),
		   p_opt("payer_note", param_string, &payer_note),
#if DEVELOPER
		   p_opt("payer_secret", param_secret, &payer_secret),
#endif
		   NULL))
		return command_param_failed();

	sent->wait_timeout = *timeout;

	/* BOLT-offers #12:
	 * - SHOULD not respond to an offer if the current time is after
	 *   `absolute_expiry`.
	 */
	if (sent->offer->offer_absolute_expiry
	    && time_now().ts.tv_sec > *sent->offer->offer_absolute_expiry)
		return command_fail(cmd, OFFER_EXPIRED, "Offer expired");

	/* BOLT-offers #12:
	 * The writer:
	 *  - if it is responding to an offer:
	 *    - MUST copy all fields from the offer (including unknown fields).
	 */
	invreq = invoice_request_for_offer(sent, sent->offer);
	invreq->invreq_recurrence_counter = tal_steal(invreq, recurrence_counter);
	invreq->invreq_recurrence_start = tal_steal(invreq, recurrence_start);

	/* BOLT-offers-recurrence #12:
	 * - if `offer_amount` is not present:
	 *       - MUST specify `invreq_amount`.
	 *     - otherwise:
	 *       - MAY omit `invreq_amount`.
	 *       - if it sets `invreq_amount`:
	 *         - MUST specify `invreq_amount`.`msat` as greater or equal to
	 *           amount expected by `offer_amount` (and, if present,
	 *          `offer_currency` and `invreq_quantity`).
	 */
	if (invreq->offer_amount) {
		/* FIXME: Check after quantity? */
		if (msat) {
			invreq->invreq_amount = tal_dup(invreq, u64,
							&msat->millisatoshis); /* Raw: tu64 */
		}
	} else {
		if (!msat)
			return command_fail(cmd, JSONRPC2_INVALID_PARAMS,
					    "msatoshi parameter required");
		invreq->invreq_amount = tal_dup(invreq, u64,
						&msat->millisatoshis); /* Raw: tu64 */
	}

	/* BOLT-offers #12:
	 * - if `offer_quantity_max` is present:
	 *    - MUST set `invreq_quantity`
	 *    - if `offer_quantity_max` is non-zero:
	 *      - MUST set `invreq_quantity` less than or equal to
	 *       `offer_quantity_max`.
	 */
	if (invreq->offer_quantity_max) {
		if (!invreq->invreq_quantity)
			return command_fail(cmd, JSONRPC2_INVALID_PARAMS,
					    "quantity parameter required");
		if (*invreq->offer_quantity_max
		    && *invreq->invreq_quantity > *invreq->offer_quantity_max)
			return command_fail(cmd, JSONRPC2_INVALID_PARAMS,
					    "quantity must be <= %"PRIu64,
					    *invreq->offer_quantity_max);
	} else {
		if (invreq->invreq_quantity)
			return command_fail(cmd, JSONRPC2_INVALID_PARAMS,
					    "quantity parameter unnecessary");
	}

	/* BOLT-offers-recurrence #12:
	 * - if the offer contained `recurrence`:
	 */
	if (invreq->offer_recurrence) {
		/* BOLT-offers-recurrence #12:
		 *    - for the initial request:
		 *...
		 *      - MUST set `recurrence_counter` `counter` to 0.
		 */
		/* BOLT-offers-recurrence #12:
		 *    - for any successive requests:
		 *...
		 *      - MUST set `recurrence_counter` `counter` to one greater
		 *        than the highest-paid invoice.
		 */
		if (!invreq->invreq_recurrence_counter)
			return command_fail(cmd, JSONRPC2_INVALID_PARAMS,
					    "needs recurrence_counter");

		/* BOLT-offers-recurrence #12:
		 *    - if the offer contained `recurrence_base` with
		 *      `start_any_period` non-zero:
		 *      - MUST include `recurrence_start`
		 *...
		 *    - otherwise:
		 *      - MUST NOT include `recurrence_start`
		 */
		if (invreq->offer_recurrence_base
		    && invreq->offer_recurrence_base->start_any_period) {
			if (!invreq->invreq_recurrence_start)
				return command_fail(cmd, JSONRPC2_INVALID_PARAMS,
						    "needs recurrence_start");
		} else {
			if (invreq->invreq_recurrence_start)
				return command_fail(cmd, JSONRPC2_INVALID_PARAMS,
						    "unnecessary recurrence_start");
		}

		/* recurrence_label uniquely identifies this series of
		 * payments (unless they supply secret themselves)! */
		if (!rec_label && !payer_secret)
			return command_fail(cmd, JSONRPC2_INVALID_PARAMS,
					    "needs recurrence_label");
	} else {
		/* BOLT-offers-recurrence #12:
		 * - otherwise:
		 *   - MUST NOT set `recurrence_counter`.
		 *   - MUST NOT set `recurrence_start`
		 */
		if (invreq->invreq_recurrence_counter)
			return command_fail(cmd, JSONRPC2_INVALID_PARAMS,
					    "unnecessary recurrence_counter");
		if (invreq->invreq_recurrence_start)
			return command_fail(cmd, JSONRPC2_INVALID_PARAMS,
					    "unnecessary recurrence_start");
	}

	/* BOLT-offers #12:
	 *
	 * - if `offer_chains` is set:
	 *   - MUST set `invreq_chain` to one of `offer_chains` unless that
	 *     chain is bitcoin, in which case it MAY omit `invreq_chain`.
	 * - otherwise:
	 *   - if it sets `invreq_chain` it MUST set it to bitcoin.
	 */
	/* We already checked that we're compatible chain, in param_offer */
	if (!streq(chainparams->network_name, "bitcoin")) {
		invreq->invreq_chain = tal_dup(invreq, struct bitcoin_blkid,
					       &chainparams->genesis_blockhash);
	}

	/* BOLT-offers #12:
	 *   - if it supports bolt12 invoice request features:
	 *     - MUST set `invreq_features`.`features` to the bitmap of features.
	 */
	invreq->invreq_features
		= plugin_feature_set(cmd->plugin)->bits[BOLT12_OFFER_FEATURE];

	/* invreq->invreq_payer_note is not a nul-terminated string! */
	if (payer_note)
		invreq->invreq_payer_note = tal_dup_arr(invreq, utf8,
							payer_note,
							strlen(payer_note),
							0);

	/* They can provide a secret, and we don't assume it's our job
	 * to pay. */
	if (payer_secret)
		return force_payer_secret(cmd, sent, invreq, payer_secret);

	/* Make the invoice request (fills in payer_key and payer_info) */
	req = jsonrpc_request_start(cmd->plugin, cmd, "createinvoicerequest",
				    &invreq_done,
				    &forward_error,
				    sent);

	/* We don't want this is the database: that's only for ones we publish */
	json_add_string(req->js, "bolt12", invrequest_encode(tmpctx, invreq));
	json_add_bool(req->js, "savetodb", false);
	if (rec_label)
		json_add_string(req->js, "recurrence_label", rec_label);
	return send_outreq(cmd->plugin, req);
}

/* FIXME: Using a hook here is not ideal: technically it doesn't mean
 * it's actually hit the db!  But using waitinvoice is also suboptimal
 * because we don't have libplugin infra to cancel a pending req (and I
 * want to rewrite our wait* API anyway) */
static struct command_result *invoice_payment(struct command *cmd,
					      const char *buf,
					      const jsmntok_t *params)
{
	struct sent *i;
	const jsmntok_t *ptok, *preimagetok, *msattok;
	struct preimage preimage;
	struct amount_msat msat;

	ptok = json_get_member(buf, params, "payment");
	preimagetok = json_get_member(buf, ptok, "preimage");
	msattok = json_get_member(buf, ptok, "msat");
	if (!preimagetok || !msattok)
		plugin_err(cmd->plugin,
			   "Invalid invoice_payment %.*s",
			   json_tok_full_len(params),
			   json_tok_full(buf, params));

	hex_decode(buf + preimagetok->start,
		   preimagetok->end - preimagetok->start,
		   &preimage, sizeof(preimage));
	json_to_msat(buf, msattok, &msat);

	list_for_each(&sent_list, i, list) {
		struct out_req *req;

		if (!i->inv)
			continue;
		if (!preimage_eq(&preimage, &i->inv_preimage))
			continue;

		/* It was paid!  Success.  Return as per waitinvoice. */
		req = jsonrpc_request_start(cmd->plugin, i->cmd, "waitinvoice",
					    &forward_result,
					    &forward_error,
					    i);
		json_add_escaped_string(req->js, "label", i->inv_label);
		discard_result(send_outreq(cmd->plugin, req));
		break;
	}
	return command_hook_success(cmd);
}

#if DEVELOPER
static struct command_result *param_invreq(struct command *cmd,
					   const char *name,
					   const char *buffer,
					   const jsmntok_t *tok,
					   struct tlv_invoice_request **invreq)
{
	char *fail;

	*invreq = invrequest_decode(cmd, buffer + tok->start, tok->end - tok->start,
				    plugin_feature_set(cmd->plugin), chainparams,
				    &fail);
	if (!*invreq)
		return command_fail_badparam(cmd, name, buffer, tok,
					     tal_fmt(cmd,
						     "Unparsable invreq: %s",
						     fail));
	return NULL;
}

static struct command_result *json_rawrequest(struct command *cmd,
					      const char *buffer,
					      const jsmntok_t *params)
{
	struct sent *sent = tal(cmd, struct sent);
	u32 *timeout;
	struct pubkey *node_id;

	if (!param(cmd, buffer, params,
		   p_req("invreq", param_invreq, &sent->invreq),
		   p_req("nodeid", param_pubkey, &node_id),
		   p_opt_def("timeout", param_number, &timeout, 60),
		   NULL))
		return command_param_failed();

	/* This is how long we'll wait for a reply for. */
	sent->wait_timeout = *timeout;
	sent->cmd = cmd;
	sent->offer = NULL;

	sent->path = path_to_node(sent, cmd->plugin, node_id);
	if (!sent->path) {
		return connect_direct(cmd, node_id,
				      sendinvreq_after_connect, sent);
	}

	return sendinvreq_after_connect(cmd, NULL, NULL, sent);
}
#endif /* DEVELOPER */

static const struct plugin_command commands[] = {
	{
		"fetchinvoice",
		"payment",
		"Request remote node for an invoice for this {offer}, with {amount}, {quanitity}, {recurrence_counter}, {recurrence_start} and {recurrence_label} iff required.",
		NULL,
		json_fetchinvoice,
	},
#if DEVELOPER
	{
		"dev-rawrequest",
		"util",
		"Send {invreq} to {nodeid}, wait {timeout} (60 seconds by default)",
		NULL,
		json_rawrequest,
	},
#endif /* DEVELOPER */
};

static const char *init(struct plugin *p, const char *buf UNUSED,
			const jsmntok_t *config UNUSED)
{
	bool exp_offers;

	rpc_scan(p, "getinfo",
		 take(json_out_obj(NULL, NULL, NULL)),
		 "{id:%}", JSON_SCAN(json_to_pubkey, &local_id));

	rpc_scan(p, "listconfigs",
		 take(json_out_obj(NULL, "config", "experimental-offers")),
		 "{experimental-offers:%}",
		 JSON_SCAN(json_to_bool, &exp_offers));

	if (!exp_offers)
		return "offers not enabled in config";
	return NULL;
}

static const struct plugin_hook hooks[] = {
	{
		"onion_message_recv_secret",
		recv_modern_onion_message
	},
	{
		"invoice_payment",
		invoice_payment,
	},
};

int main(int argc, char *argv[])
{
	setup_locale();
	plugin_main(argv, init, PLUGIN_RESTARTABLE, true, NULL,
		    commands, ARRAY_SIZE(commands),
		    /* No notifications */
	            NULL, 0,
		    hooks, ARRAY_SIZE(hooks),
		    NULL, 0,
		    plugin_option("fetchinvoice-noconnect", "flag",
				  "Don't try to connect directly to fetch an invoice.",
				  flag_option, &disable_connect),
		    NULL);
}