mirrors/lnbits-legend
1
0
Fork 0
mirror of https://github.com/lnbits/lnbits-legend.git synced 2024-11-19 01:43:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

[FEAT] Auth, Login, OAuth, create account with username and password #1653 (#2092)

Browse Source 
no more superuser url!
delete cookie on logout
add usr login feature
fix node management
* Cleaned up login form
* CreateUser
* information leak
* cleaner parsing usr from url
* rename decorators
* login secret
* fix: add back `superuser` command
* chore: remove `fastapi_login`
* fix: extract `token` from cookie
* chore: prepare to extract user
* feat: check user
* chore: code clean-up
* feat: happy flow working
* fix: usr only login
* fix: user already logged in
* feat: check user in URL
* fix: verify password at DB level
* fix: do not show `Login` controls if user already logged in
* fix: separate login endpoints
* fix: remove `usr` param
* chore: update error message
* refactor: register method
* feat: logout
* chore: move comments
* fix: remove user auth check from API
* fix: user check unnecessary
* fix: redirect after logout
* chore: remove garbage files
* refactor: simplify constructor call
* fix: hide user icon if not authorized
* refactor: rename auth env vars
* chore: code clean-up
* fix: add types for `python-jose`
* fix: add types for `passlib`
* fix: return type
* feat: set default value for `auth_secret_key` to hash of super user
* fix: default value
* feat: rework login page
* feat: ui polishing
* feat: google auth
* feat: add google auth
* chore: remove `authlib` dependency
* refactor: extract `_handle_sso_login` method
* refactor: convert methods to `properties`
* refactor: rename: `user_api` to `auth_api`
* feat: store user info from SSO
* chore: re-arange the buttons
* feat: conditional rendering of login options
* feat: correctly render buttons
* fix: re-add `Claim Bitcoin` from the main page
* fix: create wallet must send new user
* fix:  no `username-password` auth method
* refactor: rename auth method
* fix: do not force API level UUID4 validation
* feat: add validation for username
* feat: add account page
* feat: update account
* feat: add `has_password` for user
* fix: email not editable
* feat: validate email for existing account
* fix: register check
* feat: reset password
* chore: code clean-up
* feat: handle token expired
* fix: only redirect if `text/html`
* refactor: remove `OAuth2PasswordRequestForm`
* chore: remove `python-multipart` dependency
* fix: handle no headers for exception
* feat: add back button on error screen
* feat: show user profile image
* fix: check account creation permissions
* fix: auth for internal api call
* chore: add some docs
* chore: code clean-up
* fix: rebase stuff
* fix: default value types
* refactor: customize error messages
* fix: move types libs to dev dependencies
* doc: specify the `Authorization callback URL`
* fix: pass missing superuser id in node ui test
* fix: keep usr param on wallet redirect
removing usr param causes an issue if the browser doesnt yet have an access token.
* fix: do not redirect if `wal` query param not present
* fix: add nativeBuildInputs and buildInputs overrides to flake.nix
* bump fastapi-sso to 0.9.0 which fixes some security issues
* refactor: move the `lnbits_admin_extensions` to decorators
* chore: bring package config from `dev`
* chore: re-add dependencies
* chore: re-add cev dependencies
* chore: re-add mypy ignores
* feat: i18n
* refactor: move admin ext check to decorator (fix after rebase)
* fix: label mapping
* fix: re-fetch user after first wallet was created
* fix: unlikely case that `user` is not found
* refactor translations (move '*' to code)
* reorganize deps in pyproject.toml, add comment
* update flake.lock and simplify flake.nix after upstreaming
overrides for fastapi-sso, types-passlib, types-pyasn1, types-python-jose
were upstreamed in https://github.com/nix-community/poetry2nix/pull/1463
* fix: more relaxed email verification (by @prusnak)
* fix: remove `\b` (boundaries) since we re using `fullmatch`
* chore: `make bundle`

---------

Co-authored-by: dni  <office@dnilabs.com>
Co-authored-by: Arc <ben@arc.wales>
Co-authored-by: jackstar12 <jkranawetter05@gmail.com>
Co-authored-by: Pavol Rusnak <pavol@rusnak.io>
This commit is contained in:
Vlad Stan 2023-12-12 12:38:19 +02:00 committed by GitHub
parent e76ba62b46
commit c9093715b7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
39 changed files with 1926 additions and 289 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.env.example
View File

@ -99,6 +99,29 @@ LNBITS_THEME_OPTIONS="classic, bitcoin, flamingo, freedom, mint, autumn, monochr
HOST=127.0.0.1
PORT=5000
######################################
####### Auth Configurations ##########
######################################
# Secret Key: will default to the hash of the super user. It is strongly recommended that you set your own value.
AUTH_SECRET_KEY=""
AUTH_TOKEN_EXPIRE_MINUTES=525600
# Possible authorization methods: user-id-only, username-password, google-auth, github-auth
AUTH_ALLOWED_METHODS="user-id-only, username-password"
# Set this flag if HTTP is used for OAuth
# OAUTHLIB_INSECURE_TRANSPORT="1"
# Google OAuth Config
# Make sure thant the authorized redirect URIs contain https://{domain}/api/v1/auth/google/token
GOOGLE_CLIENT_ID=""
GOOGLE_CLIENT_SECRET=""
# GitHub OAuth Config
# Make sure thant the authorization callback URL is set to https://{domain}/api/v1/auth/github/token
GITHUB_CLIENT_ID=""
GITHUB_CLIENT_SECRET=""
######################################
# uvicorn variable, uncomment to allow https behind a proxy
# FORWARDED_ALLOW_IPS="*"

12
flake.lock
View File

@ -41,11 +41,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1701539137,
"narHash": "sha256-nVO/5QYpf1GwjvtpXhyxx5M3U/WN0MwBro4Lsk+9mL0=",
"lastModified": 1702233072,
"narHash": "sha256-H5G2wgbim2Ku6G6w+NSaQaauv6B6DlPhY9fMvArKqRo=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "933d7dc155096e7575d207be6fb7792bc9f34f6d",
"rev": "781e2a9797ecf0f146e81425c822dca69fe4a348",
"type": "github"
},
"original": {
@ -66,11 +66,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1701861752,
"narHash": "sha256-QfrE05P66856b1SMan69NPhjc9e82VtLxBKg3yiQGW8=",
"lastModified": 1702334837,
"narHash": "sha256-QZG6+zFshyY+L8m2tlOTm75U5m9y7z01g0josVK+8Os=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "9fc487b32a68473da4bf9573f85b388043c5ecda",
"rev": "1f4bcbf1be73abc232a972a77102a3e820485a99",
"type": "github"
},
"original": {

12
lnbits/app.py
View File

@ -15,10 +15,12 @@ from typing import Callable, List
from fastapi import FastAPI, HTTPException, Request
from fastapi.exceptions import RequestValidationError
from fastapi.middleware.cors import CORSMiddleware
from fastapi.responses import RedirectResponse
from fastapi.staticfiles import StaticFiles
from loguru import logger
from slowapi import Limiter
from slowapi.util import get_remote_address
from starlette.middleware.sessions import SessionMiddleware
from starlette.responses import JSONResponse
from lnbits.core.crud import get_installed_extensions
@ -96,6 +98,9 @@ def create_app() -> FastAPI:
CustomGZipMiddleware, minimum_size=1000, exclude_paths=["/api/v1/payments/sse"]
)
# required for SSO login
app.add_middleware(SessionMiddleware, secret_key=settings.auth_secret_key)
# order of these two middlewares is important
app.add_middleware(InstalledExtensionMiddleware)
app.add_middleware(ExtensionsRedirectMiddleware)
@ -515,6 +520,13 @@ def register_exception_handlers(app: FastAPI):
and "accept" in request.headers
and "text/html" in request.headers["accept"]
):
if exc.headers and "token-expired" in exc.headers:
response = RedirectResponse("/")
response.delete_cookie("cookie_access_token")
response.delete_cookie("is_lnbits_user_authorized")
response.set_cookie("is_access_token_expired", "true")
return response
return template_renderer().TemplateResponse(
"error.html",
{

2
lnbits/core/__init__.py
View File

@ -3,6 +3,7 @@ from fastapi import APIRouter
from .db import core_app_extra, db
from .views.admin_api import admin_router
from .views.api import api_router
from .views.auth_api import auth_router
# this compat is needed for usermanager extension
from .views.generic import generic_router, update_user_extension
@ -26,3 +27,4 @@ def init_core_routers(app):
app.include_router(admin_router)
app.include_router(tinyurl_router)
app.include_router(webpush_router)
app.include_router(auth_router)

167
lnbits/core/crud.py
View File

@ -5,6 +5,7 @@ from urllib.parse import urlparse
from uuid import UUID, uuid4
import shortuuid
from passlib.context import CryptContext
from lnbits.core.db import db
from lnbits.core.models import WalletType
@ -20,11 +21,14 @@ from lnbits.settings import (
from .models import (
BalanceCheck,
CreateUser,
Payment,
PaymentFilters,
PaymentHistoryPoint,
TinyURL,
UpdateUserPassword,
User,
UserConfig,
Wallet,
WebPushSubscription,
)
@ -33,8 +37,43 @@ from .models import (
# --------
async def create_user(
data: CreateUser, user_config: Optional[UserConfig] = None
) -> User:
if not settings.new_accounts_allowed:
raise ValueError("Account creation is disabled.")
if await get_account_by_username(data.username):
raise ValueError("Username already exists.")
if data.email and await get_account_by_email(data.email):
raise ValueError("Email already exists.")
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
user_id = uuid4().hex
await db.execute(
"""
INSERT INTO accounts (id, email, username, pass, extra)
VALUES (?, ?, ?, ?, ?)
""",
(
user_id,
data.email,
data.username,
pwd_context.hash(data.password),
json.dumps(dict(user_config)) if user_config else "{}",
),
)
new_account = await get_account(user_id=user_id)
assert new_account, "Newly created account couldn't be retrieved"
return new_account
async def create_account(
conn: Optional[Connection] = None, user_id: Optional[str] = None
conn: Optional[Connection] = None,
user_id: Optional[str] = None,
email: Optional[str] = None,
user_config: Optional[UserConfig] = None,
) -> User:
if user_id:
user_uuid4 = UUID(hex=user_id, version=4)
@ -42,7 +81,11 @@ async def create_account(
else:
user_id = uuid4().hex
await (conn or db).execute("INSERT INTO accounts (id) VALUES (?)", (user_id,))
extra = json.dumps(dict(user_config)) if user_config else "{}"
await (conn or db).execute(
"INSERT INTO accounts (id, email, extra) VALUES (?, ?, ?)",
(user_id, email, extra),
)
new_account = await get_account(user_id=user_id, conn=conn)
assert new_account, "Newly created account couldn't be retrieved"
@ -50,19 +93,132 @@ async def create_account(
return new_account
async def update_account(
user_id: str,
username: Optional[str] = None,
email: Optional[str] = None,
user_config: Optional[UserConfig] = None,
) -> Optional[User]:
user = await get_account(user_id)
assert user, "User not found"
if email:
assert not user.email or email == user.email, "Cannot change email."
account = await get_account_by_email(email)
assert not account or account.id == user_id, "Email already in use."
if username:
assert not user.username or username == user.username, "Cannot change username."
account = await get_account_by_username(username)
assert not account or account.id == user_id, "Username already in exists."
username = user.username or username
email = user.email or email
extra = user_config or user.config
await db.execute(
"""
UPDATE accounts SET (username, email, extra) = (?, ?, ?)
WHERE id = ?
""",
(username, email, json.dumps(dict(extra)) if extra else "{}", user_id),
)
user = await get_user(user_id)
assert user, "Updated account couldn't be retrieved"
return user
async def get_account(
user_id: str, conn: Optional[Connection] = None
) -> Optional[User]:
row = await (conn or db).fetchone(
"SELECT id, email, pass as password FROM accounts WHERE id = ?", (user_id,)
"SELECT id, email, username FROM accounts WHERE id = ?",
(user_id,),
)
return User(**row) if row else None
async def get_user_password(user_id: str) -> Optional[str]:
row = await db.fetchone(
"SELECT pass FROM accounts WHERE id = ?",
(user_id,),
)
if not row:
return None
return row[0]
async def verify_user_password(user_id: str, password: str) -> bool:
existing_password = await get_user_password(user_id)
if not existing_password:
return False
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
return pwd_context.verify(password, existing_password)
# todo: , conn: Optional[Connection] = None ??
async def update_user_password(data: UpdateUserPassword) -> Optional[User]:
assert data.password == data.password_repeat, "Passwords do not match."
# old accounts do not have a pasword
if await get_user_password(data.user_id):
assert data.password_old, "Missing old password"
old_pwd_ok = await verify_user_password(data.user_id, data.password_old)
assert old_pwd_ok, "Invalid credentials."
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
await db.execute(
"UPDATE accounts SET pass = ? WHERE id = ?",
(
pwd_context.hash(data.password),
data.user_id,
),
)
user = await get_user(data.user_id)
assert user, "Updated account couldn't be retrieved"
return user
async def get_account_by_username(
username: str, conn: Optional[Connection] = None
) -> Optional[User]:
row = await (conn or db).fetchone(
"SELECT id, username, email FROM accounts WHERE username = ?",
(username,),
)
return User(**row) if row else None
async def get_account_by_email(
email: str, conn: Optional[Connection] = None
) -> Optional[User]:
row = await (conn or db).fetchone(
"SELECT id, username, email FROM accounts WHERE email = ?",
(email,),
)
return User(**row) if row else None
async def get_account_by_username_or_email(
username_or_email: str, conn: Optional[Connection] = None
) -> Optional[User]:
user = await get_account_by_username(username_or_email, conn)
if not user:
user = await get_account_by_email(username_or_email, conn)
return user
async def get_user(user_id: str, conn: Optional[Connection] = None) -> Optional[User]:
user = await (conn or db).fetchone(
"SELECT id, email FROM accounts WHERE id = ?", (user_id,)
"SELECT id, email, username, pass, extra FROM accounts WHERE id = ?", (user_id,)
)
if user:
@ -86,6 +242,7 @@ async def get_user(user_id: str, conn: Optional[Connection] = None) -> Optional[
return User(
id=user["id"],
email=user["email"],
username=user["username"],
extensions=[
e[0] for e in extensions if User.is_extension_for_user(e[0], user["id"])
],
@ -93,6 +250,8 @@ async def get_user(user_id: str, conn: Optional[Connection] = None) -> Optional[
admin=user["id"] == settings.super_user
or user["id"] in settings.lnbits_admin_users,
super_user=user["id"] == settings.super_user,
has_password=True if user["pass"] else False,
config=UserConfig(**json.loads(user["extra"])) if user["extra"] else None,
)

17
lnbits/core/helpers.py
View File

@ -1,6 +1,6 @@
import importlib
import re
from typing import Any
from typing import Any, Optional
from uuid import UUID
import httpx
@ -48,7 +48,9 @@ async def run_migration(
await update_migration_version(conn, db_name, version)
async def stop_extension_background_work(ext_id: str, user: str):
async def stop_extension_background_work(
ext_id: str, user: str, access_token: Optional[str] = None
):
"""
Stop background work for extension (like asyncio.Tasks, WebSockets, etc).
Extensions SHOULD expose a DELETE enpoint at the root level of their API.
@ -58,14 +60,13 @@ async def stop_extension_background_work(ext_id: str, user: str):
async with httpx.AsyncClient() as client:
try:
url = f"http://{settings.host}:{settings.port}/{ext_id}/api/v1?usr={user}"
await client.delete(url)
headers = (
{"Authorization": "Bearer " + access_token} if access_token else None
)
resp = await client.delete(url=url, headers=headers)
resp.raise_for_status()
except Exception as ex:
logger.warning(ex)
try:
# try https
url = f"https://{settings.host}:{settings.port}/{ext_id}/api/v1?usr={user}"
except Exception as ex:
logger.warning(ex)
def to_valid_user_id(user_id: str) -> UUID:

11
lnbits/core/migrations.py
View File

@ -393,3 +393,14 @@ async def m015_create_push_notification_subscriptions_table(db):
);
"""
)
async def m016_add_username_column_to_accounts(db):
"""
Adds username column to accounts.
"""
try:
await db.execute("ALTER TABLE accounts ADD COLUMN username TEXT")
await db.execute("ALTER TABLE accounts ADD COLUMN extra TEXT")
except OperationalError:
pass

43
lnbits/core/models.py
View File

@ -79,14 +79,25 @@ class WalletTypeInfo:
wallet: Wallet
class UserConfig(BaseModel):
email_verified: Optional[bool] = False
first_name: Optional[str] = None
last_name: Optional[str] = None
display_name: Optional[str] = None
picture: Optional[str] = None
provider: Optional[str] = "lnbits" # auth provider
class User(BaseModel):
id: str
email: Optional[str] = None
username: Optional[str] = None
extensions: List[str] = []
wallets: List[Wallet] = []
password: Optional[str] = None
admin: bool = False
super_user: bool = False
has_password: bool = False
config: Optional[UserConfig] = None
@property
def wallet_ids(self) -> List[str]:
@ -107,6 +118,36 @@ class User(BaseModel):
return False
class CreateUser(BaseModel):
email: Optional[str] = Query(default=None)
username: str = Query(default=..., min_length=2, max_length=20)
password: str = Query(default=..., min_length=8, max_length=50)
password_repeat: str = Query(default=..., min_length=8, max_length=50)
class UpdateUser(BaseModel):
user_id: str
email: Optional[str] = Query(default=None)
username: Optional[str] = Query(default=..., min_length=2, max_length=20)
config: Optional[UserConfig] = None
class UpdateUserPassword(BaseModel):
user_id: str
password: str = Query(default=..., min_length=8, max_length=50)
password_repeat: str = Query(default=..., min_length=8, max_length=50)
password_old: Optional[str] = Query(default=None, min_length=8, max_length=50)
class LoginUsr(BaseModel):
usr: str
class LoginUsernamePassword(BaseModel):
username: str
password: str
class Payment(FromRowModel):
checking_id: str
pending: bool

2
lnbits/core/tasks.py
View File

@ -188,6 +188,8 @@ async def send_payment_push_notification(payment: Payment):
body += f"\r\n{payment.memo}"
for subscription in subscriptions:
# todo: review permissions when user-id-only not allowed
# todo: replace all this logic with websockets?
url = (
f"https://{subscription.host}/wallet?usr={wallet.user}&wal={wallet.id}"
)

235
lnbits/core/templates/core/account.html Normal file
View File

@ -0,0 +1,235 @@
{% extends "base.html" %}
<!---->
{% from "macros.jinja" import window_vars with context %}
<!---->
{% block scripts %} {{ window_vars(user) }}
<script src="{{ static_url_for('static', 'js/account.js') }}"></script>
{% endblock %} {% block page %}
<div class="row q-col-gutter-md">
<div v-if="user" class="col-12 col-md-6 q-gutter-y-md">
<q-card v-if="passwordData.show">
<q-card-section>
<div class="row">
<div class="col">
<h4 class="q-my-none">Password Settings</h4>
</div>
<div class="col">
<q-img
v-if="user.config.picture"
style="max-width: 100px"
:src="user.config.picture"
class="float-right"
></q-img>
</div>
</div>
</q-card-section>
<q-separator></q-separator>
<q-card-section>
<q-input
v-if="user.has_password"
v-model="passwordData.oldPassword"
type="password"
autocomplete="off"
label="Old Password"
filled
dense
:rules="[(val) => !val || val.length >= 8 || 'Password must have at least 8 characters']"
></q-input>
<q-input
v-model="passwordData.newPassword"
type="password"
autocomplete="off"
label="New Password"
filled
dense
:rules="[(val) => !val || val.length >= 8 || 'Password must have at least 8 characters']"
></q-input>
<q-input
v-model="passwordData.newPasswordRepeat"
type="password"
autocomplete="off"
label="New Password Repeat"
filled
dense
class="q-mb-md"
:rules="[(val) => !val || val.length >= 8 || 'Password must have at least 8 characters']"
></q-input>
</q-card-section>
<q-separator></q-separator>
<q-card-section class="q-pb-lg">
<q-btn
@click="updatePassword"
:disable="(!passwordData.newPassword || !passwordData.newPasswordRepeat) || passwordData.newPassword !== passwordData.newPasswordRepeat"
unelevated
color="primary"
>Update Password</q-btn
>
<q-btn
@click="passwordData.show = false"
label="Back"
outline
unelevated
color="grey"
class="float-right"
></q-btn>
</q-card-section>
</q-card>
<q-card v-else>
<q-card-section>
<div class="row">
<div class="col">
<h4 class="q-my-none">Account Settings</h4>
</div>
<div class="col">
<q-img
v-if="user.config.picture"
style="max-width: 100px"
:src="user.config.picture"
class="float-right"
></q-img>
</div>
</div>
</q-card-section>
<q-separator></q-separator>
<q-card-section>
<q-input
v-model="user.id"
label="User ID"
filled
dense
readonly
class="q-mb-md"
>
</q-input>
<q-input
v-model="user.username"
label="Username"
filled
dense
:readonly="hasUsername"
class="q-mb-md"
>
</q-input>
<q-input
v-model="user.email"
label="Email"
filled
dense
readonly
class="q-mb-md"
>
</q-input>
<div v-if="!user.email" class="row"></div>
<div v-if="!user.email" class="row">
<div class="col q-pa-sm text-h6">Check email using:</div>
{% if "google-auth" in LNBITS_AUTH_METHODS %}
<div class="col q-pa-sm">
<q-btn
:href="`/api/v1/auth/google?user_id=${user.id}`"
type="a"
outline
no-caps
rounded
color="grey"
class="full-width"
>
<q-avatar size="32px" class="q-mr-md">
<q-img
:src="'{{ static_url_for('static', 'images/google-logo.png') }}'"
></q-img>
</q-avatar>
<div>Google</div>
</q-btn>
</div>
{%endif%} {% if "github-auth" in LNBITS_AUTH_METHODS %}
<div class="col q-pa-sm">
<q-btn
:href="`/api/v1/auth/github?user_id=${user.id}`"
type="a"
outline
no-caps
color="grey"
rounded
class="full-width"
>
<q-avatar size="32px" class="q-mr-md">
<q-img
:src="'{{ static_url_for('static', 'images/github-logo.png') }}'"
></q-img>
</q-avatar>
<div>GitHub</div>
</q-btn>
</div>
{%endif%}
</div>
</q-card-section>
<q-card-section v-if="user.config">
<q-input
v-model="user.config.display_name"
label="Display Name"
filled
dense
class="q-mb-md"
>
</q-input>
<q-input
v-model="user.config.first_name"
label="First Name"
filled
dense
class="q-mb-md"
>
</q-input>
<q-input
v-model="user.config.last_name"
label="Last Name"
filled
dense
class="q-mb-md"
>
</q-input>
<q-input
v-model="user.config.provider"
label="Auth Provider"
filled
dense
readonly
class="q-mb-md"
>
</q-input>
<q-input
v-model="user.config.picture"
label="Picture"
filled
dense
class="q-mb-md"
>
</q-input>
</q-card-section>
<q-separator></q-separator>
<q-card-section>
<q-btn @click="updateAccount" unelevated color="primary"
>Update Account</q-btn
>
<q-btn
@click="showChangePassword()"
:label="user.has_password ? 'Change Password': 'Set Password'"
outline
unelevated
color="grey"
class="float-right"
></q-btn>
</q-card-section>
</q-card>
</div>
<div v-else class="col-12 col-md-6 q-gutter-y-md">
<q-card>
<q-card-section>
<h4 class="q-my-none">Account</h4>
</q-card-section>
</q-card>
</div>
</div>
{% endblock %}

21
lnbits/core/templates/core/extensions.html
View File

@ -185,7 +185,7 @@
flat
color="primary"
type="a"
:href="[extension.id, '/?usr=', g.user.id].join('')"
:href="extension.id"
>{%raw%}{{ $t('open') }}{%endraw%}</q-btn
>
<q-btn
@ -195,7 +195,7 @@
type="a"
:href="['{{
url_for('install.extensions')
}}', '?usr=', g.user.id, '&disable=', extension.id].join('')"
}}', '?disable=', extension.id].join('')"
>
{%raw%}{{ $t('disable') }}{%endraw%}</q-btn
>
@ -209,7 +209,7 @@
type="a"
:href="['{{
url_for('install.extensions')
}}', '?usr=', g.user.id, '&enable=', extension.id].join('')"
}}', '?enable=', extension.id].join('')"
>
{%raw%}{{ $t('enable') }}{%endraw%}
<q-tooltip>
@ -511,7 +511,7 @@
LNbits.api
.request(
'POST',
`/api/v1/extension?usr=${this.g.user.id}`,
`/api/v1/extension`,
this.g.user.wallets[0].adminkey,
{
ext_id: extension.id,
@ -542,7 +542,7 @@
LNbits.api
.request(
'DELETE',
`/api/v1/extension/${extension.id}?usr=${this.g.user.id}`,
`/api/v1/extension/${extension.id}`,
this.g.user.wallets[0].adminkey
)
.then(response => {
@ -576,7 +576,7 @@
LNbits.api
.request(
'DELETE',
`/api/v1/extension/${extension.id}/db?usr=${this.g.user.id}`,
`/api/v1/extension/${extension.id}/db`,
this.g.user.wallets[0].adminkey
)
.then(response => {
@ -598,9 +598,8 @@
LNbits.api
.request(
'GET',
"{{ url_for('install.extensions') }}?usr=" +
this.g.user.id +
'&' +
"{{ url_for('install.extensions') }}" +
'?' +
action +
'=' +
extension.id
@ -629,7 +628,7 @@
try {
const {data} = await LNbits.api.request(
'GET',
`/api/v1/extension/${extension.id}/releases?usr=${this.g.user.id}`,
`/api/v1/extension/${extension.id}/releases`,
this.g.user.wallets[0].adminkey
)
@ -694,7 +693,7 @@
try {
const {data} = await LNbits.api.request(
'GET',
`/api/v1/extension/release/${org}/${repo}/${release.version}?usr=${this.g.user.id}`,
`/api/v1/extension/release/${org}/${repo}/${release.version}`,
this.g.user.wallets[0].adminkey
)
release.loaded = true

426
lnbits/core/templates/core/index.html
View File

@ -2,77 +2,309 @@
<script src="{{ static_url_for('static', 'js/index.js') }}"></script>
{% endblock %} {% block page %}
<div class="row q-col-gutter-md justify-center">
<div class="col-12 col-md-7 col-lg-6 q-gutter-y-md">
{% if lnurl or LNBITS_NEW_ACCOUNTS_ALLOWED %}
<q-card>
<q-card-section>
{% if lnurl %}
<q-btn
unelevated
color="primary"
@click="processing"
type="a"
href="{{ url_for('core.lnurlwallet') }}?lightning={{ lnurl }}"
v-text="$t('press_to_claim')"
></q-btn>
{% elif LNBITS_NEW_ACCOUNTS_ALLOWED %}
<q-form @submit="createWallet" class="q-gutter-md">
<q-input
filled
dense
v-model="walletName"
:label='$t("name_your_wallet", { name: "{{ SITE_TITLE }} *" })'
></q-input>
<q-btn
unelevated
color="primary"
:disable="walletName == ''"
type="submit"
:label="$t('add_wallet')"
></q-btn>
</q-form>
{% endif %}
</q-card-section>
</q-card>
{% endif %}
<div
v-if="isUserAuthorized"
class="col-12 col-md-7 col-lg-6 q-gutter-y-md"
></div>
<div v-else class="col-12 col-md-7 col-lg-6 q-gutter-y-md">
<div>
<h3 class="q-my-none">{{SITE_TITLE}}</h3>
<h5 class="q-my-md">{{SITE_TAGLINE}}</h5>
</div>
{% if lnurl and LNBITS_NEW_ACCOUNTS_ALLOWED and ("user-id-only" in
LNBITS_AUTH_METHODS)%}
<div class="row q-mt-xl">
<div class="col-12 col-md-8 col-lg-7 q-gutter-y-md">
<q-card>
<q-card-section>
<q-btn
unelevated
color="primary"
@click="processing"
type="a"
href="{{ url_for('core.lnurlwallet') }}?lightning={{ lnurl }}"
v-text="$t('press_to_claim')"
class="full-width"
></q-btn>
</q-card-section>
</q-card>
</div>
</div>
{%else%} {% endif %}
<q-card>
<q-card-section>
<h3 class="q-my-none">{{SITE_TITLE}}</h3>
<h5 class="q-my-md">{{SITE_TAGLINE}}</h5>
<div v-if="'{{SITE_TITLE}}' == 'LNbits'">
<p v-text="$t('lnbits_description')"></p>
<div class="row q-mt-md q-gutter-sm">
<q-btn
outline
color="grey"
type="a"
href="https://github.com/lnbits/lnbits"
target="_blank"
rel="noopener noreferrer"
:label="$t('view_github')"
></q-btn>
<q-btn
outline
color="grey"
type="a"
href="https://legend.lnbits.com/paywall/GAqKguK5S8f6w5VNjS9DfK"
target="_blank"
rel="noopener noreferrer"
:label="$t('donate')"
></q-btn>
<div class="row q-mt-xl">
<div class="col-12 col-md-8 col-lg-7 q-gutter-y-md">
<q-badge v-if="isAccessTokenExpired" color="primary" rounded>
<div class="text-h5">
<span v-text="$t('session_has_expired')"></span>
</div>
</div>
<div v-else>
<div v-html="formatDescription"></div>
</div>
</q-card-section>
</q-card>
</q-badge>
<q-card class="shadow-12">
{% if "user-id-only" in LNBITS_AUTH_METHODS %}
<q-card-section>
<div class="text-h6">
<span v-text="$t('instant_access_question')"></span>
<br />
<q-badge
@click="showLogin('user-id-only')"
color="primary"
class="cursor-pointer"
rounded
>
<strong>
<span v-text="$t('login_with_user_id')"></span> </strong
></q-badge>
{% if LNBITS_NEW_ACCOUNTS_ALLOWED %}
<span><span v-text="$t('or')"></span></span>
<q-badge
@click="showRegister('user-id-only')"
color="primary"
class="cursor-pointer"
rounded
>
<strong>
<span v-text="$t('create_new_wallet')"></span>
</strong>
</q-badge>
{%endif%}
</div>
</q-card-section>
<q-separator></q-separator>
<q-card-section
v-if="authAction === 'login' && authMethod === 'user-id-only'"
>
<b> <span v-text="$t('login_with_user_id')"></span> </b><br /><br />
<q-form @submit="loginUsr" class="q-gutter-md">
<q-input
filled
dense
v-model="usr"
label="usr"
type="password"
></q-input>
<div>
<q-btn
unelevated
color="primary"
:disable="usr == ''"
type="submit"
label="Login"
class="full-width"
></q-btn>
</div>
</q-form>
</q-card-section>
{%endif%} {% if "username-password" in LNBITS_AUTH_METHODS %}
<q-card-section
v-if="authAction === 'login' && authMethod === 'username-password'"
>
<div class="q-mb-lg">
<strong>
<span v-text="$t('login_to_account')"></span>
</strong>
</div>
<q-form @submit="login" class="q-gutter-md">
<q-input
filled
dense
v-model="username"
name="username"
:label="$t('username_or_email') + ' *'"
></q-input>
<q-input
filled
dense
v-model="password"
name="password"
:label="$t('password') + ' *'"
type="password"
></q-input>
<div>
<q-btn
:disable="!username || !password"
color="primary"
type="submit"
:label="$t('login')"
class="full-width"
></q-btn>
</div>
</q-form>
</q-card-section>
<q-card-section
v-if="authAction === 'register' && authMethod === 'username-password'"
>
<b> <span v-text="$t('create_account')"></span> </b><br /><br />
<q-form @submit="register" class="q-gutter-md">
<q-input
filled
dense
required
v-model="username"
:label="$t('username') + ' *'"
:rules="[(val) => validateUsername(val) || $t('invalid_username')]"
></q-input>
<q-input
filled
dense
v-model="password"
:label="$t('password') + ' *'"
type="password"
:rules="[(val) => !val || val.length >= 8 || $t('invalid_password')]"
></q-input>
<q-input
filled
dense
v-model="passwordRepeat"
:label="$t('password_repeat') + ' *'"
type="password"
:rules="[(val) => !val || val.length >= 8 || $t('invalid_password')]"
></q-input>
<div>
<q-btn
unelevated
color="primary"
:disable="!password || !passwordRepeat|| !username || (password !== passwordRepeat)"
type="submit"
class="full-width"
:label="$t('create_account')"
></q-btn>
</div>
</q-form>
</q-card-section>
{%endif%} {% if LNBITS_NEW_ACCOUNTS_ALLOWED %}
<q-card-section
v-if="authAction === 'register' && authMethod === 'user-id-only'"
>
<div>
<q-form @submit="createWallet" class="q-gutter-md">
<q-input
filled
dense
v-model="walletName"
:label='$t("name_your_wallet", { name: "{{ SITE_TITLE }} *" })'
></q-input>
<div>
<q-btn
color="primary"
:disable="walletName == ''"
type="submit"
:label="$t('add_wallet')"
class="full-width"
></q-btn>
</div>
</q-form>
</div>
</q-card-section>
{% if "username-password" in LNBITS_AUTH_METHODS %}
<q-card-section
v-if="authAction === 'login' && authMethod === 'username-password'"
>
<div>
<q-btn
color="grey"
outline
:label="$t('register')"
class="full-width"
@click="showRegister('username-password')"
></q-btn>
</div>
</q-card-section>
{%endif%}
<q-separator></q-separator>
{% endif %}
<q-card-section
v-if="authAction === 'login' && authMethod === 'username-password'"
>
<div class="row">
{% if "google-auth" in LNBITS_AUTH_METHODS %}
<div class="col q-pa-sm">
<q-btn
href="/api/v1/auth/google"
type="a"
outline
no-caps
rounded
color="grey"
class="full-width"
>
<q-avatar size="32px" class="q-mr-md">
<q-img
:src="'{{ static_url_for('static', 'images/google-logo.png') }}'"
></q-img>
</q-avatar>
<div>
<span v-text="$t('signin_with_google')"></span>
</div>
</q-btn>
</div>
{%endif%} {% if "github-auth" in LNBITS_AUTH_METHODS %}
<div class="col q-pa-sm">
<q-btn
href="/api/v1/auth/github"
type="a"
outline
no-caps
color="grey"
rounded
class="full-width"
>
<q-avatar size="32px" class="q-mr-md">
<q-img
:src="'{{ static_url_for('static', 'images/github-logo.png') }}'"
></q-img>
</q-avatar>
<div><span v-text="$t('signin_with_github')"></span></div>
</q-btn>
</div>
{%endif%}
</div>
</q-card-section>
<q-card-section v-else>
<div class="row">
<div class="col q-pa-sm">
<q-btn
@click="showLogin('username-password')"
:label="$t('back')"
outline
rounded
color="grey"
class="full-width"
>
</q-btn>
</div>
</div>
</q-card-section>
</q-card>
</div>
</div>
</div>
<!-- Ads -->
<div class="col-12 col-md-3 col-lg-3" v-if="'{{SITE_TITLE}}' == 'LNbits'">
<div class="row q-col-gutter-lg justify-center">
<div class="col-6 col-sm-4 col-md-8 q-gutter-y-sm">
<q-btn
outline
color="grey"
type="a"
href="https://github.com/lnbits/lnbits"
target="_blank"
rel="noopener noreferrer"
:label="$t('view_github')"
class="full-width"
></q-btn>
<q-btn
outline
color="grey"
type="a"
href="https://legend.lnbits.com/paywall/GAqKguK5S8f6w5VNjS9DfK"
target="_blank"
rel="noopener noreferrer"
:label="$t('donate')"
class="full-width q-mb-lg"
></q-btn>
</div>
<div class="col-6 col-sm-4 col-md-8 q-gutter-y-sm">
<q-btn
flat
@ -82,11 +314,7 @@
></q-btn>
<div class="row">
<div class="col">
<a
href="https://github.com/ElementsProject/lightning"
target="_blank"
rel="noopener noreferrer"
>
<a href="https://github.com/ElementsProject/lightning">
<q-img
contain
:src="($q.dark.isActive) ? '{{ static_url_for('static', 'images/cln.png') }}' : '{{ static_url_for('static', 'images/clnl.png') }}'"
@ -94,11 +322,7 @@
</a>
</div>
<div class="col q-pl-md">
<a
href="https://github.com/lightningnetwork/lnd"
target="_blank"
rel="noopener noreferrer"
>
<a href="https://github.com/lightningnetwork/lnd">
<q-img
contain
:src="($q.dark.isActive) ? '{{ static_url_for('static', 'images/lnd.png') }}' : '{{ static_url_for('static', 'images/lnd.png') }}'"
@ -109,11 +333,7 @@
<div class="row">
<div class="col">
<a
href="https://opennode.com"
target="_blank"
rel="noopener noreferrer"
>
<a href="https://opennode.com">
<q-img
contain
:src="($q.dark.isActive) ? '{{ static_url_for('static', 'images/opennode.png') }}' : '{{ static_url_for('static', 'images/opennodel.png') }}'"
@ -121,11 +341,7 @@
</a>
</div>
<div class="col q-pl-md">
<a
href="https://lnpay.co/"
target="_blank"
rel="noopener noreferrer"
>
<a href="https://lnpay.co/">
<q-img
contain
:src="($q.dark.isActive) ? '{{ static_url_for('static', 'images/lnpay.png') }}' : '{{ static_url_for('static', 'images/lnpayl.png') }}'"
@ -136,11 +352,7 @@
<div class="row">
<div class="col">
<a
href="https://github.com/rootzoll/raspiblitz"
target="_blank"
rel="noopener noreferrer"
>
<a href="https://github.com/rootzoll/raspiblitz">
<q-img
contain
:src="($q.dark.isActive) ? '{{ static_url_for('static', 'images/blitz.png') }}' : '{{ static_url_for('static', 'images/blitzl.png') }}'"
@ -148,11 +360,7 @@
</a>
</div>
<div class="col q-pl-md">
<a
href="https://start9.com/"
target="_blank"
rel="noopener noreferrer"
>
<a href="https://start9.com/">
<q-img
contain
:src="($q.dark.isActive) ? '{{ static_url_for('static', 'images/start9.png') }}' : '{{ static_url_for('static', 'images/start9l.png') }}'"
@ -162,11 +370,7 @@
</div>
<div class="row">
<div class="col">
<a
href="https://getumbrel.com/"
target="_blank"
rel="noopener noreferrer"
>
<a href="https://getumbrel.com/">
<q-img
contain
:src="($q.dark.isActive) ? '{{ static_url_for('static', 'images/umbrel.png') }}' : '{{ static_url_for('static', 'images/umbrell.png') }}'"
@ -174,11 +378,7 @@
</a>
</div>
<div class="col q-pl-md">
<a
href="https://mynodebtc.com"
target="_blank"
rel="noopener noreferrer"
>
<a href="https://mynodebtc.com">
<q-img
contain
:src="($q.dark.isActive) ? '{{ static_url_for('static', 'images/mynode.png') }}' : '{{ static_url_for('static', 'images/mynodel.png') }}'"
@ -188,11 +388,7 @@
</div>
<div class="row">
<div class="col">
<a
href="https://github.com/shesek/spark-wallet"
target="_blank"
rel="noopener noreferrer"
>
<a href="https://github.com/shesek/spark-wallet">
<q-img
contain
:src="($q.dark.isActive) ? '{{ static_url_for('static', 'images/spark.png') }}' : '{{ static_url_for('static', 'images/sparkl.png') }}'"
@ -200,11 +396,7 @@
</a>
</div>
<div class="col q-pl-md">
<a
href="https://voltage.cloud"
target="_blank"
rel="noopener noreferrer"
>
<a href="https://voltage.cloud">
<q-img
contain
:src="($q.dark.isActive) ? '{{ static_url_for('static', 'images/voltage.png') }}' : '{{ static_url_for('static', 'images/voltagel.png') }}'"
@ -214,11 +406,7 @@
</div>
<div class="row">
<div class="col">
<a
href="https://getalby.com"
target="_blank"
rel="noopener noreferrer"
>
<a href="https://getalby.com">
<q-img
contain
:src="($q.dark.isActive) ? '{{ static_url_for('static', 'images/alby.png') }}' : '{{ static_url_for('static', 'images/albyl.png') }}'"

8
lnbits/core/templates/core/wallet.html
View File

@ -191,10 +191,7 @@
color="yellow"
text-color="black"
>
<a
class="inherit"
:href="['/', props.row.tag, '/?usr=', user.id].join('')"
>
<a class="inherit" :href="['/', props.row.tag].join('')">
#{{ props.row.tag }}
</a>
</q-badge>
@ -355,7 +352,8 @@
<q-card-section class="text-center">
<p v-text="$t('export_to_phone_desc')"></p>
<qrcode
:value="'{{request.base_url}}' +'wallet?usr={{user.id}}&wal={{wallet.id}}'"
:value="'{{request.base_url}}' +'wallet?wal={{wallet.id}}'"
:options="{width:240}"
></qrcode>
</q-card-section>
</q-card>

1
lnbits/core/templates/node/index.html
View File

@ -249,7 +249,6 @@
},
api: function (method, url, options) {
const params = new URLSearchParams(options?.query)
params.set('usr', this.g.user.id)
return LNbits.api
.request(method, `/node/api/v1${url}?${params}`, {}, options?.data)
.catch(error => {

15
lnbits/core/views/api.py
View File

@ -48,6 +48,7 @@ from lnbits.core.models import (
from lnbits.db import Filters, Page
from lnbits.decorators import (
WalletTypeInfo,
check_access_token,
check_admin,
get_key_type,
parse_filters,
@ -780,7 +781,9 @@ async def websocket_update_get(item_id: str, data: str):
@api_router.post("/api/v1/extension")
async def api_install_extension(
data: CreateExtension, user: User = Depends(check_admin)
data: CreateExtension,
user: User = Depends(check_admin),
access_token: Optional[str] = Depends(check_access_token),
):
release = await InstallableExtension.get_extension_release(
data.ext_id, data.source_repo, data.archive
@ -812,7 +815,7 @@ async def api_install_extension(
await add_installed_extension(ext_info)
# call stop while the old routes are still active
await stop_extension_background_work(data.ext_id, user.id)
await stop_extension_background_work(data.ext_id, user.id, access_token)
if data.ext_id not in settings.lnbits_deactivated_extensions:
settings.lnbits_deactivated_extensions += [data.ext_id]
@ -838,7 +841,11 @@ async def api_install_extension(
@api_router.delete("/api/v1/extension/{ext_id}")
async def api_uninstall_extension(ext_id: str, user: User = Depends(check_admin)):
async def api_uninstall_extension(
ext_id: str,
user: User = Depends(check_admin),
access_token: Optional[str] = Depends(check_access_token),
):
installable_extensions = await InstallableExtension.get_installable_extensions()
extensions = [e for e in installable_extensions if e.id == ext_id]
@ -864,7 +871,7 @@ async def api_uninstall_extension(ext_id: str, user: User = Depends(check_admin)
try:
# call stop while the old routes are still active
await stop_extension_background_work(ext_id, user.id)
await stop_extension_background_work(ext_id, user.id, access_token)
if ext_id not in settings.lnbits_deactivated_extensions:
settings.lnbits_deactivated_extensions += [ext_id]

348
lnbits/core/views/auth_api.py Normal file
View File

@ -0,0 +1,348 @@
from typing import Optional
from fastapi import APIRouter, Depends, HTTPException, Request, status
from fastapi.responses import JSONResponse, RedirectResponse
from fastapi_sso.sso.base import OpenID
from fastapi_sso.sso.github import GithubSSO
from fastapi_sso.sso.google import GoogleSSO
from loguru import logger
from starlette.status import (
HTTP_400_BAD_REQUEST,
HTTP_401_UNAUTHORIZED,
HTTP_403_FORBIDDEN,
HTTP_500_INTERNAL_SERVER_ERROR,
)
from lnbits.decorators import check_user_exists
from lnbits.helpers import (
create_access_token,
is_valid_email_address,
is_valid_username,
)
from lnbits.settings import AuthMethods, settings
# todo: move this class to a `crypto.py` file
from lnbits.wallets.macaroon.macaroon import AESCipher
from ..crud import (
create_account,
create_user,
get_account,
get_account_by_email,
get_account_by_username_or_email,
get_user,
update_account,
update_user_password,
verify_user_password,
)
from ..models import (
CreateUser,
LoginUsernamePassword,
LoginUsr,
UpdateUser,
UpdateUserPassword,
User,
UserConfig,
)
auth_router = APIRouter()
def _init_google_sso() -> Optional[GoogleSSO]:
if not settings.is_auth_method_allowed(AuthMethods.google_auth):
return None
if not settings.is_google_auth_configured:
logger.warning("Google Auth allowed but not configured.")
return None
return GoogleSSO(
settings.google_client_id,
settings.google_client_secret,
None,
allow_insecure_http=True,
)
def _init_github_sso() -> Optional[GithubSSO]:
if not settings.is_auth_method_allowed(AuthMethods.github_auth):
return None
if not settings.is_github_auth_configured:
logger.warning("Github Auth allowed but not configured.")
return None
return GithubSSO(
settings.github_client_id,
settings.github_client_secret,
None,
allow_insecure_http=True,
)
google_sso = _init_google_sso()
github_sso = _init_github_sso()
@auth_router.get("/api/v1/auth", description="Get the authenticated user")
async def get_auth_user(user: User = Depends(check_user_exists)) -> User:
return user
@auth_router.post("/api/v1/auth", description="Login via the username and password")
async def login(data: LoginUsernamePassword) -> JSONResponse:
if not settings.is_auth_method_allowed(AuthMethods.username_and_password):
raise HTTPException(
HTTP_401_UNAUTHORIZED, "Login by 'Username and Password' not allowed."
)
try:
user = await get_account_by_username_or_email(data.username)
if not user:
raise HTTPException(HTTP_401_UNAUTHORIZED, "Invalid credentials.")
if not await verify_user_password(user.id, data.password):
raise HTTPException(HTTP_401_UNAUTHORIZED, "Invalid credentials.")
return _auth_success_response(user.username, user.id)
except HTTPException as e:
raise e
except Exception as e:
logger.debug(e)
raise HTTPException(HTTP_500_INTERNAL_SERVER_ERROR, "Cannot login.")
@auth_router.post("/api/v1/auth/usr", description="Login via the User ID")
async def login_usr(data: LoginUsr) -> JSONResponse:
if not settings.is_auth_method_allowed(AuthMethods.user_id_only):
raise HTTPException(HTTP_401_UNAUTHORIZED, "Login by 'User ID' not allowed.")
try:
user = await get_user(data.usr)
if not user:
raise HTTPException(HTTP_401_UNAUTHORIZED, "User ID does not exist.")
return _auth_success_response(user.username or "", user.id)
except HTTPException as e:
raise e
except Exception as e:
logger.debug(e)
raise HTTPException(HTTP_500_INTERNAL_SERVER_ERROR, "Cannot login.")
@auth_router.get("/api/v1/auth/google", description="Google SSO")
async def login_with_google(request: Request, user_id: Optional[str] = None):
if not google_sso:
raise HTTPException(HTTP_401_UNAUTHORIZED, "Login by 'Google' not allowed.")
google_sso.redirect_uri = str(request.base_url) + "api/v1/auth/google/token"
with google_sso:
state = _encrypt_message(user_id)
return await google_sso.get_login_redirect(state=state)
@auth_router.get("/api/v1/auth/github", description="Github SSO")
async def login_with_github(request: Request, user_id: Optional[str] = None):
if not github_sso:
raise HTTPException(HTTP_401_UNAUTHORIZED, "Login by 'GitHub' not allowed.")
github_sso.redirect_uri = str(request.base_url) + "api/v1/auth/github/token"
with github_sso:
state = _encrypt_message(user_id)
return await github_sso.get_login_redirect(state=state)
@auth_router.get(
"/api/v1/auth/google/token", description="Handle Google OAuth callback"
)
async def handle_google_token(request: Request) -> RedirectResponse:
if not google_sso:
raise HTTPException(HTTP_401_UNAUTHORIZED, "Login by 'Google' not allowed.")
try:
with google_sso:
userinfo = await google_sso.verify_and_process(request)
assert userinfo is not None
user_id = _decrypt_message(google_sso.state)
request.session.pop("user", None)
return await _handle_sso_login(userinfo, user_id)
except HTTPException as e:
raise e
except ValueError as e:
raise HTTPException(HTTP_403_FORBIDDEN, str(e))
except Exception as e:
logger.debug(e)
raise HTTPException(
HTTP_500_INTERNAL_SERVER_ERROR, "Cannot authenticate user with Google Auth."
)
@auth_router.get(
"/api/v1/auth/github/token", description="Handle Github OAuth callback"
)
async def handle_github_token(request: Request) -> RedirectResponse:
if not github_sso:
raise HTTPException(HTTP_401_UNAUTHORIZED, "Login by 'GitHub' not allowed.")
try:
with github_sso:
userinfo = await github_sso.verify_and_process(request)
assert userinfo is not None
user_id = _decrypt_message(github_sso.state)
request.session.pop("user", None)
return await _handle_sso_login(userinfo, user_id)
except HTTPException as e:
raise e
except ValueError as e:
raise HTTPException(HTTP_403_FORBIDDEN, str(e))
except Exception as e:
logger.debug(e)
raise HTTPException(
HTTP_500_INTERNAL_SERVER_ERROR, "Cannot authenticate user with GitHub Auth."
)
@auth_router.post("/api/v1/auth/logout")
async def logout() -> JSONResponse:
response = JSONResponse({"status": "success"}, status_code=status.HTTP_200_OK)
response.delete_cookie("cookie_access_token")
response.delete_cookie("is_lnbits_user_authorized")
response.delete_cookie("is_access_token_expired")
return response
@auth_router.post("/api/v1/auth/register")
async def register(data: CreateUser) -> JSONResponse:
if not settings.is_auth_method_allowed(AuthMethods.username_and_password):
raise HTTPException(
HTTP_401_UNAUTHORIZED, "Register by 'Username and Password' not allowed."
)
if data.password != data.password_repeat:
raise HTTPException(HTTP_400_BAD_REQUEST, "Passwords do not match.")
if not data.username:
raise HTTPException(HTTP_400_BAD_REQUEST, "Missing username.")
if not is_valid_username(data.username):
raise HTTPException(HTTP_400_BAD_REQUEST, "Invalid username.")
if data.email and not is_valid_email_address(data.email):
raise HTTPException(HTTP_400_BAD_REQUEST, "Invalid email.")
try:
user = await create_user(data)
return _auth_success_response(user.username)
except ValueError as e:
raise HTTPException(HTTP_403_FORBIDDEN, str(e))
except Exception as e:
logger.debug(e)
raise HTTPException(HTTP_500_INTERNAL_SERVER_ERROR, "Cannot create user.")
@auth_router.put("/api/v1/auth/password")
async def update_password(
data: UpdateUserPassword, user: User = Depends(check_user_exists)
) -> Optional[User]:
if not settings.is_auth_method_allowed(AuthMethods.username_and_password):
raise HTTPException(
HTTP_401_UNAUTHORIZED, "Auth by 'Username and Password' not allowed."
)
if data.user_id != user.id:
raise HTTPException(HTTP_400_BAD_REQUEST, "Invalid user ID.")
try:
return await update_user_password(data)
except AssertionError as e:
raise HTTPException(HTTP_403_FORBIDDEN, str(e))
except Exception as e:
logger.debug(e)
raise HTTPException(
HTTP_500_INTERNAL_SERVER_ERROR, "Cannot update user password."
)
@auth_router.put("/api/v1/auth/update")
async def update(
data: UpdateUser, user: User = Depends(check_user_exists)
) -> Optional[User]:
if data.user_id != user.id:
raise HTTPException(HTTP_400_BAD_REQUEST, "Invalid user ID.")
if data.username and not is_valid_username(data.username):
raise HTTPException(HTTP_400_BAD_REQUEST, "Invalid username.")
if data.email != user.email:
raise HTTPException(HTTP_400_BAD_REQUEST, "Email mismatch.")
try:
return await update_account(user.id, data.username, None, data.config)
except AssertionError as e:
raise HTTPException(HTTP_403_FORBIDDEN, str(e))
except Exception as e:
logger.debug(e)
raise HTTPException(HTTP_500_INTERNAL_SERVER_ERROR, "Cannot update user.")
async def _handle_sso_login(userinfo: OpenID, verified_user_id: Optional[str] = None):
email = userinfo.email
if not email or not is_valid_email_address(email):
raise HTTPException(HTTP_400_BAD_REQUEST, "Invalid email.")
redirect_path = "/wallet"
user_config = UserConfig(**dict(userinfo))
user_config.email_verified = True
account = await get_account_by_email(email)
if verified_user_id:
if account:
raise HTTPException(HTTP_401_UNAUTHORIZED, "Email already used.")
account = await get_account(verified_user_id)
if not account:
raise HTTPException(HTTP_401_UNAUTHORIZED, "Cannot verify user email.")
redirect_path = "/account"
if account:
user = await update_account(account.id, email=email, user_config=user_config)
else:
if not settings.new_accounts_allowed:
raise HTTPException(HTTP_400_BAD_REQUEST, "Account creation is disabled.")
user = await create_account(email=email, user_config=user_config)
if not user:
raise HTTPException(HTTP_401_UNAUTHORIZED, "User not found.")
return _auth_redirect_response(redirect_path, email)
def _auth_success_response(
username: Optional[str] = None,
user_id: Optional[str] = None,
email: Optional[str] = None,
) -> JSONResponse:
access_token = create_access_token(
data={"sub": username or "", "usr": user_id, "email": email}
)
response = JSONResponse({"access_token": access_token, "token_type": "bearer"})
response.set_cookie("cookie_access_token", access_token, httponly=True)
response.set_cookie("is_lnbits_user_authorized", "true")
response.delete_cookie("is_access_token_expired")
return response
def _auth_redirect_response(path: str, email: str) -> RedirectResponse:
access_token = create_access_token(data={"sub": "" or "", "email": email})
response = RedirectResponse(path)
response.set_cookie("cookie_access_token", access_token, httponly=True)
response.set_cookie("is_lnbits_user_authorized", "true")
response.delete_cookie("is_access_token_expired")
return response
def _encrypt_message(m: Optional[str] = None) -> Optional[str]:
if not m:
return None
return AESCipher(key=settings.auth_secret_key).encrypt(m.encode())
def _decrypt_message(m: Optional[str] = None) -> Optional[str]:
if not m:
return None
return AESCipher(key=settings.auth_secret_key).decrypt(m)

64
lnbits/core/views/generic.py
View File

@ -165,54 +165,30 @@ async def extensions_install(
)
async def wallet(
request: Request,
usr: UUID4 = Query(...),
user: User = Depends(check_user_exists),
wal: Optional[UUID4] = Query(None),
):
user_id = usr.hex
user = await get_user(user_id)
if not user:
return template_renderer().TemplateResponse(
"error.html", {"request": request, "err": "User does not exist."}
)
if not wal:
if len(user.wallets) == 0:
wallet = await create_wallet(user_id=user.id)
return RedirectResponse(url=f"/wallet?usr={user_id}&wal={wallet.id}")
return RedirectResponse(url=f"/wallet?usr={user_id}&wal={user.wallets[0].id}")
else:
if wal:
wallet_id = wal.hex
elif len(user.wallets) == 0:
wallet = await create_wallet(user_id=user.id)
user = await get_user(user_id=user.id) or user
wallet_id = wallet.id
else:
wallet_id = user.wallets[0].id
userwallet = user.get_wallet(wallet_id)
if not userwallet or userwallet.deleted:
user_wallet = user.get_wallet(wallet_id)
if not user_wallet or user_wallet.deleted:
return template_renderer().TemplateResponse(
"error.html", {"request": request, "err": "Wallet not found"}
)
if (
len(settings.lnbits_allowed_users) > 0
and user_id not in settings.lnbits_allowed_users
and user_id not in settings.lnbits_admin_users
and user_id != settings.super_user
):
return template_renderer().TemplateResponse(
"error.html", {"request": request, "err": "User not authorized."}
)
if user_id == settings.super_user or user_id in settings.lnbits_admin_users:
user.admin = True
if user_id == settings.super_user:
user.super_user = True
logger.debug(f"Access user {user.id} wallet {userwallet.name}")
return template_renderer().TemplateResponse(
"core/wallet.html",
{
"request": request,
"user": user.dict(),
"wallet": userwallet.dict(),
"wallet": user_wallet.dict(),
"service_fee": settings.lnbits_service_fee,
"service_fee_max": settings.lnbits_service_fee_max,
"web_manifest": f"/manifest/{user.id}.webmanifest",
@ -220,6 +196,24 @@ async def wallet(
)
@generic_router.get(
"/account",
response_class=HTMLResponse,
description="show account page",
)
async def account(
request: Request,
user: User = Depends(check_user_exists),
):
return template_renderer().TemplateResponse(
"core/account.html",
{
"request": request,
"user": user.dict(),
},
)
@generic_router.get("/withdraw", response_class=JSONResponse)
async def lnurl_full_withdraw(request: Request):
usr_param = request.query_params.get("usr")

101
lnbits/decorators.py
View File

@ -1,18 +1,27 @@
from http import HTTPStatus
from typing import Literal, Optional, Type
from typing import Annotated, Literal, Optional, Type, Union
from fastapi import Query, Request, Security
from fastapi import Cookie, Depends, Query, Request, Security
from fastapi.exceptions import HTTPException
from fastapi.openapi.models import APIKey, APIKeyIn
from fastapi.security import APIKeyHeader, APIKeyQuery
from fastapi.security import APIKeyHeader, APIKeyQuery, OAuth2PasswordBearer
from fastapi.security.base import SecurityBase
from jose import ExpiredSignatureError, JWTError, jwt
from loguru import logger
from pydantic.types import UUID4
from lnbits.core.crud import get_user, get_wallet_for_key
from lnbits.core.crud import (
get_account,
get_account_by_email,
get_account_by_username,
get_user,
get_wallet_for_key,
)
from lnbits.core.models import User, WalletType, WalletTypeInfo
from lnbits.db import Filter, Filters, TFilterModel
from lnbits.requestvars import g
from lnbits.settings import settings
from lnbits.settings import AuthMethods, settings
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="api/v1/auth", auto_error=False)
# TODO: fix type ignores
@ -220,44 +229,50 @@ async def require_invoice_key(
return wallet
async def check_user_exists(usr: UUID4) -> User:
g().user = await get_user(usr.hex)
if not g().user:
raise HTTPException(
status_code=HTTPStatus.NOT_FOUND, detail="User does not exist."
)
if (
len(settings.lnbits_allowed_users) > 0
and g().user.id not in settings.lnbits_allowed_users
and g().user.id not in settings.lnbits_admin_users
and g().user.id != settings.super_user
):
raise HTTPException(
status_code=HTTPStatus.UNAUTHORIZED, detail="User not authorized."
)
return g().user
async def check_access_token(
header_access_token: Annotated[Union[str, None], Depends(oauth2_scheme)],
cookie_access_token: Annotated[Union[str, None], Cookie()] = None,
) -> Optional[str]:
return header_access_token or cookie_access_token
async def check_admin(usr: UUID4) -> User:
user = await check_user_exists(usr)
async def check_user_exists(
r: Request,
access_token: Annotated[Optional[str], Depends(check_access_token)],
usr: Optional[UUID4] = None,
) -> User:
if access_token:
account = await _get_account_from_token(access_token)
elif usr and settings.is_auth_method_allowed(AuthMethods.user_id_only):
account = await get_account(usr.hex)
else:
raise HTTPException(HTTPStatus.UNAUTHORIZED, "Missing user ID or access token.")
if not account or not settings.is_user_allowed(account.id):
raise HTTPException(HTTPStatus.UNAUTHORIZED, "User not allowed.")
user = await get_user(account.id)
assert user, "User not found for account."
if not user.admin and r["path"].split("/")[1] in settings.lnbits_admin_extensions:
raise HTTPException(HTTPStatus.FORBIDDEN, "User not authorized for extension.")
return user
async def check_admin(user: Annotated[User, Depends(check_user_exists)]) -> User:
if user.id != settings.super_user and user.id not in settings.lnbits_admin_users:
raise HTTPException(
status_code=HTTPStatus.UNAUTHORIZED,
detail="User not authorized. No admin privileges.",
HTTPStatus.UNAUTHORIZED, "User not authorized. No admin privileges."
)
return user
async def check_super_user(usr: UUID4) -> User:
user = await check_admin(usr)
async def check_super_user(user: Annotated[User, Depends(check_user_exists)]) -> User:
if user.id != settings.super_user:
raise HTTPException(
status_code=HTTPStatus.UNAUTHORIZED,
detail="User not authorized. No super user privileges.",
HTTPStatus.UNAUTHORIZED, "User not authorized. No super user privileges."
)
return user
@ -295,3 +310,23 @@ def parse_filters(model: Type[TFilterModel]):
)
return dependency
async def _get_account_from_token(access_token):
try:
payload = jwt.decode(access_token, settings.auth_secret_key, "HS256")
if "sub" in payload and payload.get("sub"):
return await get_account_by_username(str(payload.get("sub")))
if "usr" in payload and payload.get("usr"):
return await get_account(str(payload.get("usr")))
if "email" in payload and payload.get("email"):
return await get_account_by_email(str(payload.get("email")))
raise HTTPException(HTTPStatus.UNAUTHORIZED, "Data missing for access token.")
except ExpiredSignatureError:
raise HTTPException(
HTTPStatus.UNAUTHORIZED, "Session expired.", {"token-expired": "true"}
)
except JWTError as e:
logger.debug(e)
raise HTTPException(HTTPStatus.UNAUTHORIZED, "Invalid access token.")

21
lnbits/helpers.py
View File

@ -1,9 +1,12 @@
import json
import re
from datetime import datetime, timedelta
from pathlib import Path
from typing import Any, List, Optional, Type
import jinja2
import shortuuid
from jose import jwt
from pydantic import BaseModel
from pydantic.schema import field_schema
@ -58,6 +61,7 @@ def template_renderer(additional_folders: Optional[List] = None) -> Jinja2Templa
t.env.globals["LNBITS_QR_LOGO"] = settings.lnbits_qr_logo
t.env.globals["LNBITS_VERSION"] = settings.version
t.env.globals["LNBITS_NEW_ACCOUNTS_ALLOWED"] = settings.new_accounts_allowed
t.env.globals["LNBITS_AUTH_METHODS"] = settings.auth_allowed_methods
t.env.globals["LNBITS_ADMIN_UI"] = settings.lnbits_admin_ui
t.env.globals["LNBITS_SERVICE_FEE"] = settings.lnbits_service_fee
t.env.globals["LNBITS_SERVICE_FEE_MAX"] = settings.lnbits_service_fee_max
@ -166,3 +170,20 @@ def update_query(table_name: str, model: BaseModel, where: str = "WHERE id = ?")
"""
query = ", ".join([f"{field} = ?" for field in model.dict().keys()])
return f"UPDATE {table_name} SET {query} {where}"
def is_valid_email_address(email: str) -> bool:
email_regex = r"[A-Za-z0-9\._%+-]+@[A-Za-z0-9\.-]+\.[A-Za-z]{2,63}"
return re.fullmatch(email_regex, email) is not None
def is_valid_username(username: str) -> bool:
username_regex = r"(?=[a-zA-Z0-9._]{2,20}$)(?!.*[_.]{2})[^_.].*[^_.]"
return re.fullmatch(username_regex, username) is not None
def create_access_token(data: dict):
expire = datetime.utcnow() + timedelta(minutes=settings.auth_token_expire_minutes)
to_encode = data.copy()
to_encode.update({"exp": expire})
return jwt.encode(to_encode, settings.auth_secret_key, "HS256")

25
lnbits/middleware.py
View File

@ -1,6 +1,5 @@
from http import HTTPStatus
from typing import Any, List, Tuple, Union
from urllib.parse import parse_qs
from fastapi import FastAPI, Request
from fastapi.responses import HTMLResponse, JSONResponse
@ -41,13 +40,6 @@ class InstalledExtensionMiddleware:
await response(scope, receive, send)
return
if not self._user_allowed_to_extension(top_path, scope):
response = self._response_by_accepted_type(
headers, "User not authorized.", HTTPStatus.FORBIDDEN
)
await response(scope, receive, send)
return
# static resources do not require redirect
if rest[0:1] == ["static"]:
await self.app(scope, receive, send)
@ -68,23 +60,6 @@ class InstalledExtensionMiddleware:
await self.app(scope, receive, send)
def _user_allowed_to_extension(self, ext_name: str, scope) -> bool:
if ext_name not in settings.lnbits_admin_extensions:
return True
if "query_string" not in scope:
return True
# parse the URL query string into a `dict`
q = parse_qs(scope["query_string"].decode("UTF-8"))
user = q.get("usr", [""])[0]
if not user:
return True
if user == settings.super_user or user in settings.lnbits_admin_users:
return True
return False
def _response_by_accepted_type(
self, headers: List[Any], msg: str, status_code: HTTPStatus
) -> Union[HTMLResponse, JSONResponse]:

55
lnbits/settings.py
View File

@ -4,6 +4,8 @@ import importlib
import importlib.metadata
import inspect
import json
from enum import Enum
from hashlib import sha256
from os import path
from sqlite3 import Row
from time import time
@ -308,6 +310,45 @@ class EnvSettings(LNbitsSettings):
return self.lnbits_extensions_path == "lnbits"
class AuthMethods(Enum):
user_id_only = "user-id-only"
username_and_password = "username-password"
google_auth = "google-auth"
github_auth = "github-auth"
class AuthSettings(LNbitsSettings):
auth_secret_key: str = Field(default="")
auth_token_expire_minutes: int = Field(default=30)
auth_allowed_methods: List[str] = Field(
default=[
AuthMethods.user_id_only.value,
AuthMethods.username_and_password.value,
]
)
def is_auth_method_allowed(self, method: AuthMethods):
return method.value in self.auth_allowed_methods
class GoogleAuthSettings(LNbitsSettings):
google_client_id: str = Field(default="")
google_client_secret: str = Field(default="")
@property
def is_google_auth_configured(self):
return self.google_client_id != "" and self.google_client_secret != ""
class GitHubAuthSettings(LNbitsSettings):
github_client_id: str = Field(default="")
github_client_secret: str = Field(default="")
@property
def is_github_auth_configured(self):
return self.github_client_id != "" and self.github_client_secret != ""
class SaaSSettings(LNbitsSettings):
lnbits_saas_callback: Optional[str] = Field(default=None)
lnbits_saas_secret: Optional[str] = Field(default=None)
@ -356,6 +397,9 @@ class ReadOnlySettings(
SaaSSettings,
PersistenceSettings,
SuperUserSettings,
AuthSettings,
GoogleAuthSettings,
GitHubAuthSettings,
):
lnbits_admin_ui: bool = Field(default=False)
@ -384,6 +428,14 @@ class Settings(EditableSettings, ReadOnlySettings, TransientSettings, BaseSettin
case_sensitive = False
json_loads = list_parse_fallback
def is_user_allowed(self, user_id: str):
return (
len(self.lnbits_allowed_users) == 0
or user_id in self.lnbits_allowed_users
or user_id in self.lnbits_admin_users
or user_id == self.super_user
)
class SuperSettings(EditableSettings):
super_user: str
@ -432,6 +484,9 @@ settings = Settings()
settings.lnbits_path = str(path.dirname(path.realpath(__file__)))
settings.version = importlib.metadata.version("lnbits")
settings.auth_secret_key = (
settings.auth_secret_key or sha256(settings.super_user.encode("utf-8")).hexdigest()
)
if not settings.user_agent:
settings.user_agent = f"LNbits/{settings.version}"

20
lnbits/static/bundle.min.js vendored
View File

File diff suppressed because one or more lines are too long

20
lnbits/static/i18n/en.js
View File

@ -189,5 +189,23 @@ window.localisation.en = {
hour: 'hour',
disable_server_log: 'Disable Server Log',
enable_server_log: 'Enable Server Log',
coming_soon: 'Feature coming soon'
coming_soon: 'Feature coming soon',
session_has_expired: 'Your session has expired. Please login again.',
instant_access_question: 'Want instant access?',
login_with_user_id: 'Login with user ID',
or: 'or',
create_new_wallet: 'Create New Wallet',
login_to_account: 'Login to your account',
create_account: 'Create account',
signin_with_google: 'Sign in with Google',
signin_with_github: 'Sign in with GitHub',
username_or_email: 'Username or Email',
password: 'Password',
password_repeat: 'Password repeat',
invalid_password: 'Password must have at least 8 characters',
login: 'Login',
register: 'Register',
username: 'Username',
invalid_username: 'Invalid Username',
back: 'Back'
}

BIN
lnbits/static/images/github-logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.7 KiB

BIN
lnbits/static/images/google-logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 982 B

80
lnbits/static/js/account.js Normal file
View File

@ -0,0 +1,80 @@
new Vue({
el: '#vue',
mixins: [windowMixin],
data: function () {
return {
user: null,
hasUsername: false,
passwordData: {
show: false,
oldPassword: null,
newPassword: null,
newPasswordRepeat: null
}
}
},
methods: {
updateAccount: async function () {
try {
const {data} = await LNbits.api.request(
'PUT',
'/api/v1/auth/update',
null,
{
user_id: this.user.id,
username: this.user.username,
email: this.user.email,
config: this.user.config
}
)
this.user = data
this.$q.notify({
type: 'positive',
message: 'Account updated.'
})
} catch (e) {
LNbits.utils.notifyApiError(e)
}
},
updatePassword: async function () {
try {
const {data} = await LNbits.api.request(
'PUT',
'/api/v1/auth/password',
null,
{
user_id: this.user.id,
password_old: this.passwordData.oldPassword,
password: this.passwordData.newPassword,
password_repeat: this.passwordData.newPasswordRepeat
}
)
this.user = data
this.passwordData.show = false
this.$q.notify({
type: 'positive',
message: 'Password updated.'
})
} catch (e) {
LNbits.utils.notifyApiError(e)
}
},
showChangePassword: function () {
this.passwordData = {
show: true,
oldPassword: null,
newPassword: null,
newPasswordRepeat: null
}
}
},
created: async function () {
try {
const {data} = await LNbits.api.getAuthenticatedUser()
this.user = data
this.hasUsername = !!data.username
} catch (e) {
LNbits.utils.notifyApiError(e)
}
}
})

18
lnbits/static/js/admin.js
View File

@ -175,7 +175,7 @@ new Vue({
},
restartServer() {
LNbits.api
.request('GET', '/admin/api/v1/restart/?usr=' + this.g.user.id)
.request('GET', '/admin/api/v1/restart/')
.then(response => {
this.$q.notify({
type: 'positive',
@ -192,7 +192,7 @@ new Vue({
LNbits.api
.request(
'PUT',
'/admin/api/v1/topup/?usr=' + this.g.user.id,
'/admin/api/v1/topup/',
this.g.user.wallets[0].adminkey,
this.wallet
)
@ -229,11 +229,7 @@ new Vue({
},
getAudit() {
LNbits.api
.request(
'GET',
'/admin/api/v1/audit/?usr=' + this.g.user.id,
this.g.user.wallets[0].adminkey
)
.request('GET', '/admin/api/v1/audit/', this.g.user.wallets[0].adminkey)
.then(response => {
this.auditData = response.data
})
@ -245,7 +241,7 @@ new Vue({
LNbits.api
.request(
'GET',
'/admin/api/v1/settings/?usr=' + this.g.user.id,
'/admin/api/v1/settings/',
this.g.user.wallets[0].adminkey
)
.then(response => {
@ -266,7 +262,7 @@ new Vue({
LNbits.api
.request(
'PUT',
'/admin/api/v1/settings/?usr=' + this.g.user.id,
'/admin/api/v1/settings/',
this.g.user.wallets[0].adminkey,
data
)
@ -294,7 +290,7 @@ new Vue({
.confirmDialog('Are you sure you want to restore settings to default?')
.onOk(() => {
LNbits.api
.request('DELETE', '/admin/api/v1/settings/?usr=' + this.g.user.id)
.request('DELETE', '/admin/api/v1/settings/')
.then(response => {
this.$q.notify({
type: 'positive',
@ -310,7 +306,7 @@ new Vue({
})
},
downloadBackup() {
window.open('/admin/api/v1/backup/?usr=' + this.g.user.id, '_blank')
window.open('/admin/api/v1/backup/', '_blank')
}
}
})

76
lnbits/static/js/base.js
View File

@ -69,6 +69,41 @@ window.LNbits = {
name: name
})
},
register: function (username, email, password, password_repeat) {
return axios({
method: 'POST',
url: '/api/v1/auth/register',
data: {
username,
email,
password,
password_repeat
}
})
},
login: function (username, password) {
return axios({
method: 'POST',
url: '/api/v1/auth',
data: {username, password}
})
},
loginUsr: function (usr) {
return axios({
method: 'POST',
url: '/api/v1/auth/usr',
data: {usr}
})
},
logout: function () {
return axios({
method: 'POST',
url: '/api/v1/auth/logout'
})
},
getAuthenticatedUser: function () {
return this.request('get', '/api/v1/auth')
},
getWallet: function (wallet) {
return this.request('get', '/api/v1/wallet', wallet.inkey)
},
@ -76,7 +111,7 @@ window.LNbits = {
return this.request('post', '/api/v1/wallet', wallet.adminkey, {
name: name
}).then(res => {
window.location = '/wallet?usr=' + res.data.user + '&wal=' + res.data.id
window.location = '/wallet?wal=' + res.data.id
})
},
updateWallet: function (name, wallet) {
@ -200,7 +235,7 @@ window.LNbits = {
newWallet.fsat = new Intl.NumberFormat(window.LOCALE).format(
newWallet.sat
)
newWallet.url = ['/wallet?usr=', data.user, '&wal=', data.id].join('')
newWallet.url = `/wallet?&wal=${data.id}`
return newWallet
},
payment: function (data) {
@ -385,6 +420,12 @@ window.windowMixin = {
}
},
computed: {
isUserAuthorized() {
return this.$q.cookies.get('is_lnbits_user_authorized')
}
},
methods: {
activeLanguage: function (lang) {
return window.i18n.locale === lang
@ -409,9 +450,36 @@ window.windowMixin = {
position: position || 'bottom'
})
})
},
checkUsrInUrl: async function () {
const params = new URLSearchParams(window.location.search)
const usr = params.get('usr')
if (!usr) {
return
}
if (!this.isUserAuthorized) {
await LNbits.api.loginUsr(usr)
}
params.delete('usr')
const cleanQueryPrams = params.size ? `?${params.toString()}` : ''
window.history.replaceState(
{},
document.title,
window.location.pathname + cleanQueryPrams
)
},
logout: async function () {
try {
await LNbits.api.logout()
window.location = '/'
} catch (e) {
LNbits.utils.notifyApiError(e)
}
}
},
created: function () {
created: async function () {
if (
this.$q.localStorage.getItem('lnbits.darkMode') == true ||
this.$q.localStorage.getItem('lnbits.darkMode') == false
@ -494,6 +562,8 @@ window.windowMixin = {
)
this.g.extensions = extensions
await this.checkUsrInUrl()
}
}
}

8
lnbits/static/js/components.js
View File

@ -116,7 +116,7 @@ Vue.component('lnbits-extension-list', {
<q-item v-for="extension in userExtensions" :key="extension.code"
clickable
:active="extension.isActive"
tag="a" :href="[extension.url, '?usr=', user.id].join('')">
tag="a" :href="extension.url">
<q-item-section side>
<q-avatar size="md">
<q-img
@ -181,7 +181,7 @@ Vue.component('lnbits-manage', {
<q-list v-if="user" dense class="lnbits-drawer__q-list">
<q-item-label header v-text="$t('manage')"></q-item-label>
<div v-if="user.admin">
<q-item v-if='showAdmin' clickable tag="a" :href="['/admin?usr=', user.id].join('')">
<q-item v-if='showAdmin' clickable tag="a" href="/admin">
<q-item-section side>
<q-icon name="admin_panel_settings" color="grey-5" size="md"></q-icon>
</q-item-section>
@ -189,7 +189,7 @@ Vue.component('lnbits-manage', {
<q-item-label lines="1" class="text-caption" v-text="$t('server')"></q-item-label>
</q-item-section>
</q-item>
<q-item v-if='showNode' clickable tag="a" :href="['/node?usr=', user.id].join('')">
<q-item v-if='showNode' clickable tag="a" href="/node">
<q-item-section side>
<q-icon name="developer_board" color="grey-5" size="md"></q-icon>
</q-item-section>
@ -198,7 +198,7 @@ Vue.component('lnbits-manage', {
</q-item-section>
</q-item>
</div>
<q-item clickable tag="a" :href="['/extensions?usr=', user.id].join('')">
<q-item clickable tag="a" href="/extensions">
<q-item-section side>
<q-icon name="extension" color="grey-5" size="md"></q-icon>
</q-item-section>

69
lnbits/static/js/index.js
View File

@ -8,15 +8,72 @@ new Vue({
data: {},
description: ''
},
walletName: ''
authAction: 'login',
authMethod: 'username-password',
usr: '',
username: '',
email: '',
password: '',
passwordRepeat: '',
walletName: '',
signup: false
}
},
computed: {
formatDescription() {
return LNbits.utils.convertMarkdown(this.description)
},
isUserAuthorized() {
return this.$q.cookies.get('is_lnbits_user_authorized')
},
isAccessTokenExpired() {
return this.$q.cookies.get('is_access_token_expired')
}
},
methods: {
showLogin: function (authMethod) {
this.authAction = 'login'
this.authMethod = authMethod
},
showRegister: function (authMethod) {
this.user = ''
this.username = null
this.password = null
this.passwordRepeat = null
this.authAction = 'register'
this.authMethod = authMethod
},
register: async function () {
try {
await LNbits.api.register(
this.username,
this.email,
this.password,
this.passwordRepeat
)
window.location.href = '/wallet'
} catch (e) {
LNbits.utils.notifyApiError(e)
}
},
login: async function () {
try {
await LNbits.api.login(this.username, this.password)
window.location.href = '/wallet'
} catch (e) {
LNbits.utils.notifyApiError(e)
}
},
loginUsr: async function () {
try {
await LNbits.api.loginUsr(this.usr)
this.usr = ''
window.location.href = '/wallet'
} catch (e) {
LNbits.utils.notifyApiError(e)
}
},
createWallet: function () {
LNbits.api.createAccount(this.walletName).then(res => {
window.location = '/wallet?usr=' + res.data.user + '&wal=' + res.data.id
@ -28,9 +85,19 @@ new Vue({
message: 'Processing...',
icon: null
})
},
validateUsername: function (val) {
const usernameRegex = new RegExp(
'^(?=[a-zA-Z0-9._]{2,20}$)(?!.*[_.]{2})[^_.].*[^_.]$'
)
return usernameRegex.test(val)
}
},
created() {
this.description = SITE_DESCRIPTION
if (this.isUserAuthorized) {
window.location.href = '/wallet'
}
}
})

2
lnbits/static/js/service-worker.js
View File

@ -1,6 +1,6 @@
// update cache version every time there is a new deployment
// so the service worker reinitializes the cache
const CACHE_VERSION = 86
const CACHE_VERSION = 88
const CURRENT_CACHE = `lnbits-${CACHE_VERSION}-`
const getApiKey = request => {

2
lnbits/static/js/wallet.js
View File

@ -350,7 +350,7 @@ new Vue({
LNbits.api
.request(
'PUT',
'/admin/api/v1/topup/?usr=' + this.g.user.id,
'/admin/api/v1/topup/',
this.g.user.wallets[0].adminkey,
{
amount: credit,

50
lnbits/templates/base.html
View File

@ -248,6 +248,56 @@
>
<q-tooltip><span v-text="$t('toggle_darkmode')"></span></q-tooltip>
</q-btn>
<q-btn-dropdown
v-if="isUserAuthorized"
dense
flat
round
size="sm"
class="q-pl-sm"
>
<template v-slot:label>
<div>
{%if user and user.config and user.config.picture%}
<img src="{{user.config.picture}}" style="max-width: 32px" />
{%else%}
<q-icon name="account_circle" />
{%endif%}
</div>
</template>
<q-list>
<q-item clickable v-close-popup
><q-item-section>
<q-icon name="person" />
</q-item-section>
<q-item-section>
<!-- todo: no word break -->
<q-item-label>
<a
style="text-decoration: none; color: inherit"
href="/account"
><span> My Account</span></a
>
</q-item-label>
</q-item-section>
<q-item-section>
<q-item-label> </q-item-label>
</q-item-section>
</q-item>
<q-separator></q-separator>
<q-item clickable v-close-popup @click="logout"
><q-item-section>
<q-icon name="logout" />
</q-item-section>
<q-item-section>
<q-item-label> Logout </q-item-label>
</q-item-section>
<q-item-section>
<q-item-label> </q-item-label>
</q-item-section>
</q-item>
</q-list>
</q-btn-dropdown>
</q-toolbar>
</q-header>

12
lnbits/templates/error.html
View File

@ -18,6 +18,13 @@
https://t.me/lnbits
</h4>
<br />
<q-btn
@click="goBack"
color="grey"
outline
label="Back"
class="full-width"
></q-btn>
</center>
</q-card-section>
</q-card>
@ -31,6 +38,11 @@
mixins: [windowMixin],
data: function () {
return {}
},
methods: {
goBack: function () {
window.history.back()
}
}
})
</script>

1
lnbits/wallets/macaroon/macaroon.py
View File

@ -39,6 +39,7 @@ def load_macaroon(macaroon: str) -> str:
return macaroon
# todo: move to its own (crypto.py) file
class AESCipher:
"""This class is compatible with crypto-js/aes.js

232
poetry.lock generated
View File

@ -1,4 +1,4 @@
# This file is automatically @generated by Poetry 1.7.0 and should not be changed by hand.
# This file is automatically @generated by Poetry 1.7.1 and should not be changed by hand.
[[package]]
name = "anyio"
@ -64,6 +64,36 @@ files = [
[package.extras]
tests = ["PyHamcrest (>=2.0.2)", "mypy", "pytest (>=4.6)", "pytest-benchmark", "pytest-cov", "pytest-flake8"]
[[package]]
name = "bcrypt"
version = "4.1.1"
description = "Modern password hashing for your software and your servers"
optional = false
python-versions = ">=3.7"
files = [
{file = "bcrypt-4.1.1-cp37-abi3-macosx_10_12_universal2.whl", hash = "sha256:196008d91201bbb1aa4e666fee5e610face25d532e433a560cabb33bfdff958b"},
{file = "bcrypt-4.1.1-cp37-abi3-macosx_13_0_universal2.whl", hash = "sha256:2e197534c884336f9020c1f3a8efbaab0aa96fc798068cb2da9c671818b7fbb0"},
{file = "bcrypt-4.1.1-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d573885b637815a7f3a3cd5f87724d7d0822da64b0ab0aa7f7c78bae534e86dc"},
{file = "bcrypt-4.1.1-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bab33473f973e8058d1b2df8d6e095d237c49fbf7a02b527541a86a5d1dc4444"},
{file = "bcrypt-4.1.1-cp37-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:fb931cd004a7ad36a89789caf18a54c20287ec1cd62161265344b9c4554fdb2e"},
{file = "bcrypt-4.1.1-cp37-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:12f40f78dcba4aa7d1354d35acf45fae9488862a4fb695c7eeda5ace6aae273f"},
{file = "bcrypt-4.1.1-cp37-abi3-musllinux_1_1_aarch64.whl", hash = "sha256:2ade10e8613a3b8446214846d3ddbd56cfe9205a7d64742f0b75458c868f7492"},
{file = "bcrypt-4.1.1-cp37-abi3-musllinux_1_1_x86_64.whl", hash = "sha256:f33b385c3e80b5a26b3a5e148e6165f873c1c202423570fdf45fe34e00e5f3e5"},
{file = "bcrypt-4.1.1-cp37-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:755b9d27abcab678e0b8fb4d0abdebeea1f68dd1183b3f518bad8d31fa77d8be"},
{file = "bcrypt-4.1.1-cp37-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:a7a7b8a87e51e5e8ca85b9fdaf3a5dc7aaf123365a09be7a27883d54b9a0c403"},
{file = "bcrypt-4.1.1-cp37-abi3-win32.whl", hash = "sha256:3d6c4e0d6963c52f8142cdea428e875042e7ce8c84812d8e5507bd1e42534e07"},
{file = "bcrypt-4.1.1-cp37-abi3-win_amd64.whl", hash = "sha256:14d41933510717f98aac63378b7956bbe548986e435df173c841d7f2bd0b2de7"},
{file = "bcrypt-4.1.1-pp310-pypy310_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:24c2ebd287b5b11016f31d506ca1052d068c3f9dc817160628504690376ff050"},
{file = "bcrypt-4.1.1-pp310-pypy310_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:476aa8e8aca554260159d4c7a97d6be529c8e177dbc1d443cb6b471e24e82c74"},
{file = "bcrypt-4.1.1-pp39-pypy39_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:12611c4b0a8b1c461646228344784a1089bc0c49975680a2f54f516e71e9b79e"},
{file = "bcrypt-4.1.1-pp39-pypy39_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:c6450538a0fc32fb7ce4c6d511448c54c4ff7640b2ed81badf9898dcb9e5b737"},
{file = "bcrypt-4.1.1.tar.gz", hash = "sha256:df37f5418d4f1cdcff845f60e747a015389fa4e63703c918330865e06ad80007"},
]
[package.extras]
tests = ["pytest (>=3.2.1,!=3.3.0)"]
typecheck = ["mypy"]
[[package]]
name = "bech32"
version = "1.2.0"
@ -686,6 +716,25 @@ files = [
{file = "distlib-0.3.7.tar.gz", hash = "sha256:9dafe54b34a028eafd95039d5e5d4851a13734540f1331060d31c9916e7147a8"},
]
[[package]]
name = "dnspython"
version = "2.4.2"
description = "DNS toolkit"
optional = false
python-versions = ">=3.8,<4.0"
files = [
{file = "dnspython-2.4.2-py3-none-any.whl", hash = "sha256:57c6fbaaeaaf39c891292012060beb141791735dbb4004798328fc2c467402d8"},
{file = "dnspython-2.4.2.tar.gz", hash = "sha256:8dcfae8c7460a2f84b4072e26f1c9f4101ca20c071649cb7c34e8b6a93d58984"},
]
[package.extras]
dnssec = ["cryptography (>=2.6,<42.0)"]
doh = ["h2 (>=4.1.0)", "httpcore (>=0.17.3)", "httpx (>=0.24.1)"]
doq = ["aioquic (>=0.9.20)"]
idna = ["idna (>=2.1,<4.0)"]
trio = ["trio (>=0.14,<0.23)"]
wmi = ["wmi (>=1.5.1,<2.0.0)"]
[[package]]
name = "ecdsa"
version = "0.18.0"
@ -704,6 +753,21 @@ six = ">=1.9.0"
gmpy = ["gmpy"]
gmpy2 = ["gmpy2"]
[[package]]
name = "email-validator"
version = "2.1.0.post1"
description = "A robust email address syntax and deliverability validation library."
optional = false
python-versions = ">=3.8"
files = [
{file = "email_validator-2.1.0.post1-py3-none-any.whl", hash = "sha256:c973053efbeddfef924dc0bd93f6e77a1ea7ee0fce935aea7103c7a3d6d2d637"},
{file = "email_validator-2.1.0.post1.tar.gz", hash = "sha256:a4b0bd1cf55f073b924258d19321b1f3aa74b4b5a71a42c305575dba920e1a44"},
]
[package.dependencies]
dnspython = ">=2.0.0"
idna = ">=2.0.0"
[[package]]
name = "embit"
version = "0.7.0"
@ -769,6 +833,23 @@ typing-extensions = ">=4.5.0"
[package.extras]
all = ["email-validator (>=2.0.0)", "httpx (>=0.23.0)", "itsdangerous (>=1.1.0)", "jinja2 (>=2.11.2)", "orjson (>=3.2.1)", "pydantic-extra-types (>=2.0.0)", "pydantic-settings (>=2.0.0)", "python-multipart (>=0.0.5)", "pyyaml (>=5.3.1)", "ujson (>=4.0.1,!=4.0.2,!=4.1.0,!=4.2.0,!=4.3.0,!=5.0.0,!=5.1.0)", "uvicorn[standard] (>=0.12.0)"]
[[package]]
name = "fastapi-sso"
version = "0.9.1"
description = "FastAPI plugin to enable SSO to most common providers (such as Facebook login, Google login and login via Microsoft Office 365 Account)"
optional = false
python-versions = ">=3.8,<4.0"
files = [
{file = "fastapi_sso-0.9.1-py3-none-any.whl", hash = "sha256:94ad5a3e5710bef423c829224358740aa349d8934ce58cf943364d9bb18e6aeb"},
{file = "fastapi_sso-0.9.1.tar.gz", hash = "sha256:0a9a3abdbb5ed20787ff47b749cd23e25a48e8a42230767a1f897f585223337f"},
]
[package.dependencies]
fastapi = ">=0.80"
httpx = ">=0.23.0"
oauthlib = ">=3.1.0"
pydantic = {version = ">=1.8.0", extras = ["email"]}
[[package]]
name = "filelock"
version = "3.13.1"
@ -964,6 +1045,17 @@ files = [
{file = "iniconfig-2.0.0.tar.gz", hash = "sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3"},
]
[[package]]
name = "itsdangerous"
version = "2.1.2"
description = "Safely pass data to untrusted environments and back."
optional = false
python-versions = ">=3.7"
files = [
{file = "itsdangerous-2.1.2-py3-none-any.whl", hash = "sha256:2c2349112351b88699d8d4b6b075022c0808887cb7ad10069318a8b0bc88db44"},
{file = "itsdangerous-2.1.2.tar.gz", hash = "sha256:5dbbc68b317e5e42f327f9021763545dc3fc3bfe22e6deb96aaf1fc38874156a"},
]
[[package]]
name = "jinja2"
version = "3.0.1"
@ -1168,6 +1260,16 @@ files = [
{file = "MarkupSafe-2.1.3-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:5bbe06f8eeafd38e5d0a4894ffec89378b6c6a625ff57e3028921f8ff59318ac"},
{file = "MarkupSafe-2.1.3-cp311-cp311-win32.whl", hash = "sha256:dd15ff04ffd7e05ffcb7fe79f1b98041b8ea30ae9234aed2a9168b5797c3effb"},
{file = "MarkupSafe-2.1.3-cp311-cp311-win_amd64.whl", hash = "sha256:134da1eca9ec0ae528110ccc9e48041e0828d79f24121a1a146161103c76e686"},
{file = "MarkupSafe-2.1.3-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:f698de3fd0c4e6972b92290a45bd9b1536bffe8c6759c62471efaa8acb4c37bc"},
{file = "MarkupSafe-2.1.3-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:aa57bd9cf8ae831a362185ee444e15a93ecb2e344c8e52e4d721ea3ab6ef1823"},
{file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ffcc3f7c66b5f5b7931a5aa68fc9cecc51e685ef90282f4a82f0f5e9b704ad11"},
{file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:47d4f1c5f80fc62fdd7777d0d40a2e9dda0a05883ab11374334f6c4de38adffd"},
{file = "MarkupSafe-2.1.3-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1f67c7038d560d92149c060157d623c542173016c4babc0c1913cca0564b9939"},
{file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:9aad3c1755095ce347e26488214ef77e0485a3c34a50c5a5e2471dff60b9dd9c"},
{file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:14ff806850827afd6b07a5f32bd917fb7f45b046ba40c57abdb636674a8b559c"},
{file = "MarkupSafe-2.1.3-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8f9293864fe09b8149f0cc42ce56e3f0e54de883a9de90cd427f191c346eb2e1"},
{file = "MarkupSafe-2.1.3-cp312-cp312-win32.whl", hash = "sha256:715d3562f79d540f251b99ebd6d8baa547118974341db04f5ad06d5ea3eb8007"},
{file = "MarkupSafe-2.1.3-cp312-cp312-win_amd64.whl", hash = "sha256:1b8dd8c3fd14349433c79fa8abeb573a55fc0fdd769133baac1f5e07abf54aeb"},
{file = "MarkupSafe-2.1.3-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:8e254ae696c88d98da6555f5ace2279cf7cd5b3f52be2b5cf97feafe883b58d2"},
{file = "MarkupSafe-2.1.3-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cb0932dc158471523c9637e807d9bfb93e06a95cbf010f1a38b98623b929ef2b"},
{file = "MarkupSafe-2.1.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9402b03f1a1b4dc4c19845e5c749e3ab82d5078d16a2a4c2cd2df62d57bb0707"},
@ -1292,6 +1394,22 @@ files = [
[package.dependencies]
setuptools = "*"
[[package]]
name = "oauthlib"
version = "3.2.2"
description = "A generic, spec-compliant, thorough implementation of the OAuth request-signing logic"
optional = false
python-versions = ">=3.6"
files = [
{file = "oauthlib-3.2.2-py3-none-any.whl", hash = "sha256:8139f29aac13e25d502680e9e19963e83f16838d48a0d71c287fe40e7067fbca"},
{file = "oauthlib-3.2.2.tar.gz", hash = "sha256:9859c40929662bec5d64f34d01c99e093149682a3f38915dc0655d5a633dd918"},
]
[package.extras]
rsa = ["cryptography (>=3.0.0)"]
signals = ["blinker (>=1.4.0)"]
signedtoken = ["cryptography (>=3.0.0)", "pyjwt (>=2.0.0,<3)"]
[[package]]
name = "openapi-schema-validator"
version = "0.6.2"
@ -1350,6 +1468,23 @@ files = [
{file = "packaging-23.1.tar.gz", hash = "sha256:a392980d2b6cffa644431898be54b0045151319d1e7ec34f0cfed48767dd334f"},
]
[[package]]
name = "passlib"
version = "1.7.4"
description = "comprehensive password hashing framework supporting over 30 schemes"
optional = false
python-versions = "*"
files = [
{file = "passlib-1.7.4-py2.py3-none-any.whl", hash = "sha256:aa6bca462b8d8bda89c70b382f0c298a20b5560af6cbfa2dce410c0a2fb669f1"},
{file = "passlib-1.7.4.tar.gz", hash = "sha256:defd50f72b65c5402ab2c573830a6978e5f202ad0d984793c8dde2c4152ebe04"},
]
[package.extras]
argon2 = ["argon2-cffi (>=18.2.0)"]
bcrypt = ["bcrypt (>=3.1.0)"]
build-docs = ["cloud-sptheme (>=1.10.1)", "sphinx (>=1.6)", "sphinxcontrib-fulltoc (>=1.2.0)"]
totp = ["cryptography"]
[[package]]
name = "pathable"
version = "0.4.3"
@ -1524,6 +1659,17 @@ files = [
[package.dependencies]
cryptography = ">=2.5"
[[package]]
name = "pyasn1"
version = "0.5.1"
description = "Pure-Python implementation of ASN.1 types and DER/BER/CER codecs (X.208)"
optional = false
python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,>=2.7"
files = [
{file = "pyasn1-0.5.1-py2.py3-none-any.whl", hash = "sha256:4439847c58d40b1d0a573d07e3856e95333f1976294494c325775aeca506eb58"},
{file = "pyasn1-0.5.1.tar.gz", hash = "sha256:6d391a96e59b23130a5cfa74d6fd7f388dbbe26cc8f1edf39fdddf08d9d6676c"},
]
[[package]]
name = "pycparser"
version = "2.21"
@ -1622,6 +1768,7 @@ files = [
]
[package.dependencies]
email-validator = {version = ">=1.0.3", optional = true, markers = "extra == \"email\""}
typing-extensions = ">=4.2.0"
[package.extras]
@ -1802,6 +1949,27 @@ files = [
[package.extras]
cli = ["click (>=5.0)"]
[[package]]
name = "python-jose"
version = "3.3.0"
description = "JOSE implementation in Python"
optional = false
python-versions = "*"
files = [
{file = "python-jose-3.3.0.tar.gz", hash = "sha256:55779b5e6ad599c6336191246e95eb2293a9ddebd555f796a65f838f07e5d78a"},
{file = "python_jose-3.3.0-py2.py3-none-any.whl", hash = "sha256:9b1376b023f8b298536eedd47ae1089bcdb848f1535ab30555cd92002d78923a"},
]
[package.dependencies]
ecdsa = "!=0.15"
pyasn1 = "*"
rsa = "*"
[package.extras]
cryptography = ["cryptography (>=3.4.0)"]
pycrypto = ["pyasn1", "pycrypto (>=2.6.0,<2.7.0)"]
pycryptodome = ["pyasn1", "pycryptodome (>=3.3.1,<4.0.0)"]
[[package]]
name = "pywebpush"
version = "1.14.0"
@ -1831,6 +1999,7 @@ files = [
{file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:69b023b2b4daa7548bcfbd4aa3da05b3a74b772db9e23b982788168117739938"},
{file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:81e0b275a9ecc9c0c0c07b4b90ba548307583c125f54d5b6946cfee6360c733d"},
{file = "PyYAML-6.0.1-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ba336e390cd8e4d1739f42dfe9bb83a3cc2e80f567d8805e11b46f4a943f5515"},
{file = "PyYAML-6.0.1-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:326c013efe8048858a6d312ddd31d56e468118ad4cdeda36c719bf5bb6192290"},
{file = "PyYAML-6.0.1-cp310-cp310-win32.whl", hash = "sha256:bd4af7373a854424dabd882decdc5579653d7868b8fb26dc7d0e99f823aa5924"},
{file = "PyYAML-6.0.1-cp310-cp310-win_amd64.whl", hash = "sha256:fd1592b3fdf65fff2ad0004b5e363300ef59ced41c2e6b3a99d4089fa8c5435d"},
{file = "PyYAML-6.0.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:6965a7bc3cf88e5a1c3bd2e0b5c22f8d677dc88a455344035f03399034eb3007"},
@ -1838,8 +2007,15 @@ files = [
{file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:42f8152b8dbc4fe7d96729ec2b99c7097d656dc1213a3229ca5383f973a5ed6d"},
{file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:062582fca9fabdd2c8b54a3ef1c978d786e0f6b3a1510e0ac93ef59e0ddae2bc"},
{file = "PyYAML-6.0.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d2b04aac4d386b172d5b9692e2d2da8de7bfb6c387fa4f801fbf6fb2e6ba4673"},
{file = "PyYAML-6.0.1-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:e7d73685e87afe9f3b36c799222440d6cf362062f78be1013661b00c5c6f678b"},
{file = "PyYAML-6.0.1-cp311-cp311-win32.whl", hash = "sha256:1635fd110e8d85d55237ab316b5b011de701ea0f29d07611174a1b42f1444741"},
{file = "PyYAML-6.0.1-cp311-cp311-win_amd64.whl", hash = "sha256:bf07ee2fef7014951eeb99f56f39c9bb4af143d8aa3c21b1677805985307da34"},
{file = "PyYAML-6.0.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:855fb52b0dc35af121542a76b9a84f8d1cd886ea97c84703eaa6d88e37a2ad28"},
{file = "PyYAML-6.0.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:40df9b996c2b73138957fe23a16a4f0ba614f4c0efce1e9406a184b6d07fa3a9"},
{file = "PyYAML-6.0.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6c22bec3fbe2524cde73d7ada88f6566758a8f7227bfbf93a408a9d86bcc12a0"},
{file = "PyYAML-6.0.1-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:8d4e9c88387b0f5c7d5f281e55304de64cf7f9c0021a3525bd3b1c542da3b0e4"},
{file = "PyYAML-6.0.1-cp312-cp312-win32.whl", hash = "sha256:d483d2cdf104e7c9fa60c544d92981f12ad66a457afae824d146093b8c294c54"},
{file = "PyYAML-6.0.1-cp312-cp312-win_amd64.whl", hash = "sha256:0d3304d8c0adc42be59c5f8a4d9e3d7379e6955ad754aa9d6ab7a398b59dd1df"},
{file = "PyYAML-6.0.1-cp36-cp36m-macosx_10_9_x86_64.whl", hash = "sha256:50550eb667afee136e9a77d6dc71ae76a44df8b3e51e41b77f6de2932bfe0f47"},
{file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1fe35611261b29bd1de0070f0b2f47cb6ff71fa6595c077e42bd0c419fa27b98"},
{file = "PyYAML-6.0.1-cp36-cp36m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:704219a11b772aea0d8ecd7058d0082713c3562b4e271b849ad7dc4a5c90c13c"},
@ -1856,6 +2032,7 @@ files = [
{file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a0cd17c15d3bb3fa06978b4e8958dcdc6e0174ccea823003a106c7d4d7899ac5"},
{file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:28c119d996beec18c05208a8bd78cbe4007878c6dd15091efb73a30e90539696"},
{file = "PyYAML-6.0.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7e07cbde391ba96ab58e532ff4803f79c4129397514e1413a7dc761ccd755735"},
{file = "PyYAML-6.0.1-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:49a183be227561de579b4a36efbb21b3eab9651dd81b1858589f796549873dd6"},
{file = "PyYAML-6.0.1-cp38-cp38-win32.whl", hash = "sha256:184c5108a2aca3c5b3d3bf9395d50893a7ab82a38004c8f61c258d4428e80206"},
{file = "PyYAML-6.0.1-cp38-cp38-win_amd64.whl", hash = "sha256:1e2722cc9fbb45d9b87631ac70924c11d3a401b2d7f410cc0e3bbf249f2dca62"},
{file = "PyYAML-6.0.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:9eb6caa9a297fc2c2fb8862bc5370d0303ddba53ba97e71f08023b6cd73d16a8"},
@ -1863,6 +2040,7 @@ files = [
{file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5773183b6446b2c99bb77e77595dd486303b4faab2b086e7b17bc6bef28865f6"},
{file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b786eecbdf8499b9ca1d697215862083bd6d2a99965554781d0d8d1ad31e13a0"},
{file = "PyYAML-6.0.1-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:bc1bf2925a1ecd43da378f4db9e4f799775d6367bdb94671027b73b393a7c42c"},
{file = "PyYAML-6.0.1-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:04ac92ad1925b2cff1db0cfebffb6ffc43457495c9b3c39d3fcae417d7125dc5"},
{file = "PyYAML-6.0.1-cp39-cp39-win32.whl", hash = "sha256:faca3bdcf85b2fc05d06ff3fbc1f83e1391b3e724afa3feba7d13eeab355484c"},
{file = "PyYAML-6.0.1-cp39-cp39-win_amd64.whl", hash = "sha256:510c9deebc5c0225e8c96813043e62b680ba2f9c50a08d3724c7f28a747d1486"},
{file = "PyYAML-6.0.1.tar.gz", hash = "sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43"},
@ -2041,6 +2219,20 @@ files = [
{file = "rpds_py-0.10.3.tar.gz", hash = "sha256:fcc1ebb7561a3e24a6588f7c6ded15d80aec22c66a070c757559b57b17ffd1cb"},
]
[[package]]
name = "rsa"
version = "4.9"
description = "Pure-Python RSA implementation"
optional = false
python-versions = ">=3.6,<4"
files = [
{file = "rsa-4.9-py3-none-any.whl", hash = "sha256:90260d9058e514786967344d0ef75fa8727eed8a7d2e43ce9f4bcf1b536174f7"},
{file = "rsa-4.9.tar.gz", hash = "sha256:e38464a49c6c85d7f1351b0126661487a7e0a14a50f1675ec50eb34d4f20ef21"},
]
[package.dependencies]
pyasn1 = ">=0.1.3"
[[package]]
name = "ruff"
version = "0.0.291"
@ -2287,6 +2479,17 @@ files = [
{file = "tomli-2.0.1.tar.gz", hash = "sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f"},
]
[[package]]
name = "types-passlib"
version = "1.7.7.13"
description = "Typing stubs for passlib"
optional = false
python-versions = "*"
files = [
{file = "types-passlib-1.7.7.13.tar.gz", hash = "sha256:f152639f1f2103d7f59a56e2aec5f9398a75a80830991d0d68aac5c2b9c32a77"},
{file = "types_passlib-1.7.7.13-py3-none-any.whl", hash = "sha256:414b5ee9c88313357c9261cfcf816509b1e8e4673f0796bd61e9ef249f6fe076"},
]
[[package]]
name = "types-protobuf"
version = "4.24.0.4"
@ -2298,6 +2501,31 @@ files = [
{file = "types_protobuf-4.24.0.4-py3-none-any.whl", hash = "sha256:131ab7d0cbc9e444bc89c994141327dcce7bcaeded72b1acb72a94827eb9c7af"},
]
[[package]]
name = "types-pyasn1"
version = "0.5.0.1"
description = "Typing stubs for pyasn1"
optional = false
python-versions = ">=3.7"
files = [
{file = "types-pyasn1-0.5.0.1.tar.gz", hash = "sha256:023e903f5920ec9585555235f95bb2d2756b7b58023d3f94890ee8d1d4d9d1ff"},
{file = "types_pyasn1-0.5.0.1-py3-none-any.whl", hash = "sha256:1bbbe3fcf16a65064e4a5bd7f1be43c375ba241054f8f361b5e6c61c8deb3935"},
]
[[package]]
name = "types-python-jose"
version = "3.3.4.8"
description = "Typing stubs for python-jose"
optional = false
python-versions = "*"
files = [
{file = "types-python-jose-3.3.4.8.tar.gz", hash = "sha256:3c316675c3cee059ccb9aff87358254344915239fa7f19cee2787155a7db14ac"},
{file = "types_python_jose-3.3.4.8-py3-none-any.whl", hash = "sha256:95592273443b45dc5cc88f7c56aa5a97725428753fb738b794e63ccb4904954e"},
]
[package.dependencies]
types-pyasn1 = "*"
[[package]]
name = "typing-extensions"
version = "4.8.0"
@ -2655,4 +2883,4 @@ liquid = ["wallycore"]
[metadata]
lock-version = "2.0"
python-versions = "^3.10 | ^3.9"
content-hash = "6b44b6f3fc338be751d3c647964ae2138e928dbe479670dd04a2f274a5b03cc0"
content-hash = "4a78121f7d578c2896ba3fd63d9a14878692c72c1d421914b859bfc32d896bc7"

9
pyproject.toml
View File

@ -34,6 +34,12 @@ websocket-client = "1.6.3"
pycryptodomex = "3.19.0"
packaging = "23.1"
bolt11 = "2.0.5"
# needed for new login methods: username-password, google-auth, github-auth
bcrypt = "^4.1.1"
python-jose = "^3.3.0"
passlib = "^1.7.4"
itsdangerous = "^2.1.2"
fastapi-sso = "^0.9.1"
# needed for boltz, lnurldevice, watchonly extensions
embit = "0.7.0"
# needed for cashu, lnurlp, nostrclient, nostrmarket, nostrrelay extensions
@ -61,6 +67,8 @@ ruff = "^0.0.291"
# not our dependency but needed indirectly by openapi-spec-validator
# we want to use 0.10.3 because newer versions are broken on nix
rpds-py = "0.10.3"
types-passlib = "^1.7.7.13"
types-python-jose = "^3.3.4.8"
[build-system]
requires = ["poetry-core>=1.0.0"]
@ -109,6 +117,7 @@ module = [
"pyln.client.*",
"py_vapid.*",
"pywebpush.*",
"fastapi_sso.sso.*",
]
ignore_missing_imports = "True"

2
tests/core/views/test_generic.py
View File

@ -49,7 +49,7 @@ async def test_get_extensions_wrong_user(client):
async def test_get_extensions_no_user(client):
response = await client.get("extensions")
# bad request
assert response.status_code == 400, f"{response.url} {response.status_code}"
assert response.status_code == 401, f"{response.url} {response.status_code}"
# check GET /extensions: enable extension

5
tests/core/views/test_node_api.py
View File

@ -41,8 +41,9 @@ async def public_node_client(node_client):
@pytest.mark.asyncio
async def test_node_info_not_found(client):
response = await client.get("/node/api/v1/info")
async def test_node_info_not_found(client, from_super_user):
settings.lnbits_node_ui = False
response = await client.get("/node/api/v1/info", params={"usr": from_super_user.id})
assert response.status_code == HTTPStatus.SERVICE_UNAVAILABLE