From a3f910acf4002695ef251229af8acd2ee3d72cc2 Mon Sep 17 00:00:00 2001
From: Lee Salminen <leesalminen@gmail.com>
Date: Sun, 21 Aug 2022 13:17:44 -0600
Subject: [PATCH] additional validation

---
 lnbits/extensions/boltcards/views_api.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lnbits/extensions/boltcards/views_api.py b/lnbits/extensions/boltcards/views_api.py
index 960ce43e1..37a796262 100644
--- a/lnbits/extensions/boltcards/views_api.py
+++ b/lnbits/extensions/boltcards/views_api.py
@@ -159,6 +159,9 @@ async def api_scan(p, c, request: Request, card_uid: str = None):
         try:
             card = await get_card_by_uid(card_uid)
             card_uid, counter = decryptSUN(bytes.fromhex(p), bytes.fromhex(card.k1))
+
+            if card.uid.upper() != card_uid.hex().upper():
+                return {"status": "ERROR", "reason": "Card UID mis-match."}
         except:
             return {"status": "ERROR", "reason": "Error decrypting card."}