From 8d52b1b359f57d6983963a372e8504e7b118f720 Mon Sep 17 00:00:00 2001
From: callebtc <93376500+callebtc@users.noreply.github.com>
Date: Tue, 19 Jul 2022 11:15:11 +0200
Subject: [PATCH 1/3] check description hash

---
 lnbits/core/views/api.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lnbits/core/views/api.py b/lnbits/core/views/api.py
index 290fd402b..f1a641a1f 100644
--- a/lnbits/core/views/api.py
+++ b/lnbits/core/views/api.py
@@ -317,11 +317,11 @@ async def api_payments_pay_lnurl(
 detail=f"{domain} returned an invalid invoice. Expected {data.amount} msat, got {invoice.amount_msat}.",
 )
- # if invoice.description_hash != data.description_hash:
- # raise HTTPException(
- # status_code=HTTPStatus.BAD_REQUEST,
- # detail=f"{domain} returned an invalid invoice. Expected description_hash == {data.description_hash}, got {invoice.description_hash}.",
- # )
+ if invoice.description_hash != data.description_hash:
+ raise HTTPException(
+ status_code=HTTPStatus.BAD_REQUEST,
+ detail=f"{domain} returned an invalid invoice. Expected description_hash == {data.description_hash}, got {invoice.description_hash}.",
+ )
 extra = {}

From b2a0faf9de0933b5c0aa08761d14681644145eca Mon Sep 17 00:00:00 2001
From: callebtc <93376500+callebtc@users.noreply.github.com>
Date: Tue, 19 Jul 2022 11:21:54 +0200
Subject: [PATCH 2/3] error check for pr

---
 lnbits/core/views/api.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lnbits/core/views/api.py b/lnbits/core/views/api.py
index f1a641a1f..64f34f91a 100644
--- a/lnbits/core/views/api.py
+++ b/lnbits/core/views/api.py
@@ -310,6 +310,12 @@ async def api_payments_pay_lnurl(
 detail=f"{domain} said: '{params.get('reason', '')}'",
 )
+ if not params.get("pr"):
+ raise HTTPException(
+ status_code=HTTPStatus.BAD_REQUEST,
+ detail=f"{domain} did not return a payment request.",
+ )
+
 invoice = bolt11.decode(params["pr"])
 if invoice.amount_msat != data.amount:
 raise HTTPException(
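Review bot: The re-enabled check in the first `+` lines compares the callback's invoice against `data.description_hash`, a value supplied by the API client in the request body rather than a hash the server recomputes, so it only catches a mismatch between what the caller expected and what `domain` returned. That is the LUD-06 check a wallet should make, but the route has no way to validate the caller's value here, so a comment should say so, e.g. `# LUD-06: the invoice must commit to the metadata hash the client fetched; data.description_hash is trusted as supplied by the caller.` If `description_hash` is optional on `CreateLNURLData` (not visible here), a caller that omits it is rejected by this comparison for every invoice that carries a hash — worth confirming, or making the check conditional on `data.description_hash` being set. The comparison also assumes both sides have the same type (e.g. hex strings); a `bytes`/`str` mismatch would fail closed on every request and the 400 detail would not make that obvious. `api_payments_pay_lnurl` starts and ends outside the hunk.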
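Review bot: The new guard rejects a missing or empty `pr`, but `params` is the JSON body returned by the external `domain`, so `pr` can also be present with a non-string value (a number, list or object); `bolt11.decode` on the next line would then fail with an exception that is not an HTTPException and surface as a 500 instead of a 400 naming the domain. The same applies to a syntactically bad payment-request string if `bolt11.decode` raises on malformed input, which I would expect but cannot see from here. I would tighten the guard to `pr = params.get("pr")` / `if not isinstance(pr, str) or not pr:` and wrap the decode so a decoder error becomes a BAD_REQUEST attributed to `domain`, as below. `api_payments_pay_lnurl` starts and ends outside the hunk.
```python
    pr = params.get("pr")
    if not isinstance(pr, str) or not pr:
        raise HTTPException(
            status_code=HTTPStatus.BAD_REQUEST,
            detail=f"{domain} did not return a payment request.",
        )

    try:
        invoice = bolt11.decode(pr)
    except Exception as exc:  # TODO: narrow to the decoder's exception type once confirmed
        raise HTTPException(
            status_code=HTTPStatus.BAD_REQUEST,
            detail=f"{domain} returned an invalid invoice.",
        ) from exc
    # … unchanged: amount_msat check …
```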
From 694124b5d6d9ef2341b88fd72d9facc2b8d99694 Mon Sep 17 00:00:00 2001
From: callebtc <93376500+callebtc@users.noreply.github.com>
Date: Tue, 19 Jul 2022 11:27:32 +0200
Subject: [PATCH 3/3] require admin

---
 lnbits/core/views/api.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lnbits/core/views/api.py b/lnbits/core/views/api.py
index 64f34f91a..3a34513d8 100644
--- a/lnbits/core/views/api.py
+++ b/lnbits/core/views/api.py
@@ -284,7 +284,7 @@ class CreateLNURLData(BaseModel):
 @core_app.post("/api/v1/payments/lnurl")
 async def api_payments_pay_lnurl(
- data: CreateLNURLData, wallet: WalletTypeInfo = Depends(get_key_type)
+ data: CreateLNURLData, wallet: WalletTypeInfo = Depends(require_admin_key)
 ):
 domain = urlparse(data.callback).netloc
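Review bot: Nothing in the route records why the key requirement on `api_payments_pay_lnurl` was raised to `require_admin_key`, although the `+` line locks out every key that `get_key_type` accepted before (the invoice key, going by the name). Since this endpoint pays out of the wallet, the tightening is the right default, and a comment on the signature should capture that so it is not loosened again, e.g. `# Paying an LNURL spends wallet funds: admin key required; the invoice key must not be able to call this.` It is also a breaking change for API clients that called this route with the invoice key, which the one-line commit message does not say; a sentence in the PR description or changelog would help. If `get_key_type` is no longer referenced elsewhere in `api.py` (not visible here), its import can go. `api_payments_pay_lnurl` continues outside the hunk.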