lnbits-exts/satmachineadmin
1
0
Fork 0
Code Issues Pull requests Projects Releases 2 Packages Wiki Activity Actions 2

Refactor DCA API endpoints to use superuser authentication: Updated all relevant DCA-related API endpoints to require check_super_user instead of require_admin_key, enhancing security. Adjusted client-side API calls to remove wallet admin key usage, ensuring session-based superuser authentication is utilized. Updated documentation in CLAUDE.md to reflect these changes.

Browse source
This commit is contained in:
padreug 2025-06-26 13:18:01 +02:00
parent dfc2dd695c
commit 8871f24cec
4 changed files with 87 additions and 84 deletions
Download patch file Download diff file Expand all files Collapse all files

15
CLAUDE.md
View file

@ -68,7 +68,8 @@ The Satoshi Machine Admin extension follows LNBits architecture patterns:
- Use `:attribute='value'` for binding, `v-html='value'` for HTML content
2. **API Patterns**:
- Always include wallet key (inkey/adminkey) as third parameter in API calls
- Admin extension uses session-based superuser authentication (no API keys)
- Client extension uses wallet admin keys for user-specific operations
- Use `LNbits.api.request()` for all API calls
- Destructure responses: `const {data} = await LNbits.api.request(...)`
@ -79,10 +80,12 @@ The Satoshi Machine Admin extension follows LNBits architecture patterns:
### The Magical G Object
The global `this.g` object provides access to:
- `this.g.user` - Complete user data including wallets array
- `this.g.user.wallets[0].inkey` - Invoice key for API calls
- `this.g.user.wallets[0].adminkey` - Admin key for privileged operations
- `this.g.user.wallets[0].inkey` - Invoice key (client extension only)
- `this.g.user.wallets[0].adminkey` - Admin key (client extension only)
- `this.g.wallet` - Currently selected wallet
**Note**: Admin extension uses superuser session authentication, not wallet keys.
### Built-in Utilities
- Currency conversion: `/api/v1/currencies`, `/api/v1/conversion`
- QR code generation: `/api/v1/qrcode/{data}` or Quasar VueQrcode component
@ -208,9 +211,11 @@ commission_amount = 266800 - 258835 = 7,965 sats (to commission wallet)
- **Error Handling**: Graceful failure with detailed logging
### Security Considerations
- **Superuser Authentication**: Admin extension requires LNBits superuser login
- **Wallet Admin Keys**: Client extension uses wallet admin keys for user operations
- **Database Access**: Only superusers can write to satoshimachine database
- SSH tunnel encryption for database connectivity
- Read-only database permissions
- Wallet key validation for all financial operations
- Read-only database permissions for Lamassu access
- Input sanitization and type validation
- Audit logging for all administrative actions

42
static/js/index.js
View file

@ -163,10 +163,10 @@ window.app = Vue.createApp({
// Configuration Methods
async getLamassuConfig() {
try {
const {data} = await LNbits.api.request(
const { data } = await LNbits.api.request(
'GET',
'/satmachineadmin/api/v1/dca/config',
this.g.user.wallets[0].adminkey
null
)
this.lamassuConfig = data
@ -208,10 +208,10 @@ window.app = Vue.createApp({
ssh_private_key: this.configDialog.data.ssh_private_key
}
const {data: config} = await LNbits.api.request(
const { data: config } = await LNbits.api.request(
'POST',
'/satmachineadmin/api/v1/dca/config',
this.g.user.wallets[0].adminkey,
null,
data
)
@ -254,7 +254,7 @@ window.app = Vue.createApp({
const { data } = await LNbits.api.request(
'GET',
'/satmachineadmin/api/v1/dca/clients',
this.g.user.wallets[0].adminkey
null
)
// Fetch balance data for each client
@ -264,7 +264,7 @@ window.app = Vue.createApp({
const { data: balance } = await LNbits.api.request(
'GET',
`/satmachineadmin/api/v1/dca/clients/${client.id}/balance`,
this.g.user.wallets[0].adminkey
null
)
return {
...client,
@ -300,7 +300,7 @@ window.app = Vue.createApp({
const { data: newDeposit } = await LNbits.api.request(
'POST',
'/satmachineadmin/api/v1/dca/deposits',
this.g.user.wallets[0].adminkey,
null,
data
)
@ -328,7 +328,7 @@ window.app = Vue.createApp({
const { data: balance } = await LNbits.api.request(
'GET',
`/satmachineadmin/api/v1/dca/clients/${client.id}/balance`,
this.g.user.wallets[0].adminkey
null
)
this.clientDetailsDialog.data = client
this.clientDetailsDialog.balance = balance
@ -344,7 +344,7 @@ window.app = Vue.createApp({
const { data } = await LNbits.api.request(
'GET',
'/satmachineadmin/api/v1/dca/deposits',
this.g.user.wallets[0].adminkey
null
)
this.deposits = data
} catch (error) {
@ -375,7 +375,7 @@ window.app = Vue.createApp({
const { data: updatedDeposit } = await LNbits.api.request(
'PUT',
`/satmachineadmin/api/v1/dca/deposits/${this.depositFormDialog.data.id}`,
this.g.user.wallets[0].adminkey,
null,
{ status: this.depositFormDialog.data.status, notes: data.notes }
)
const index = this.deposits.findIndex(d => d.id === updatedDeposit.id)
@ -387,7 +387,7 @@ window.app = Vue.createApp({
const { data: newDeposit } = await LNbits.api.request(
'POST',
'/satmachineadmin/api/v1/dca/deposits',
this.g.user.wallets[0].adminkey,
null,
data
)
this.deposits.unshift(newDeposit)
@ -419,7 +419,7 @@ window.app = Vue.createApp({
const { data: updatedDeposit } = await LNbits.api.request(
'PUT',
`/satmachineadmin/api/v1/dca/deposits/${deposit.id}/status`,
this.g.user.wallets[0].adminkey,
null,
{ status: 'confirmed', notes: 'Confirmed by admin - money placed in machine' }
)
const index = this.deposits.findIndex(d => d.id === deposit.id)
@ -459,10 +459,10 @@ window.app = Vue.createApp({
async testDatabaseConnection() {
this.testingConnection = true
try {
const {data} = await LNbits.api.request(
const { data } = await LNbits.api.request(
'POST',
'/satmachineadmin/api/v1/dca/test-connection',
this.g.user.wallets[0].adminkey
null
)
// Show detailed results in a dialog
@ -505,10 +505,10 @@ window.app = Vue.createApp({
async manualPoll() {
this.runningManualPoll = true
try {
const {data} = await LNbits.api.request(
const { data } = await LNbits.api.request(
'POST',
'/satmachineadmin/api/v1/dca/manual-poll',
this.g.user.wallets[0].adminkey
null
)
this.lastPollTime = new Date().toLocaleString()
@ -533,10 +533,10 @@ window.app = Vue.createApp({
async testTransaction() {
this.runningTestTransaction = true
try {
const {data} = await LNbits.api.request(
const { data } = await LNbits.api.request(
'POST',
'/satmachineadmin/api/v1/dca/test-transaction',
this.g.user.wallets[0].adminkey
null
)
// Show detailed results in a dialog
@ -589,7 +589,7 @@ window.app = Vue.createApp({
const { data } = await LNbits.api.request(
'GET',
'/satmachineadmin/api/v1/dca/transactions',
this.g.user.wallets[0].adminkey
null
)
this.lamassuTransactions = data
} catch (error) {
@ -602,7 +602,7 @@ window.app = Vue.createApp({
const { data: distributions } = await LNbits.api.request(
'GET',
`/satmachineadmin/api/v1/dca/transactions/${transaction.id}/distributions`,
this.g.user.wallets[0].adminkey
null
)
this.distributionDialog.transaction = transaction
@ -637,7 +637,7 @@ window.app = Vue.createApp({
// If SSH tunnel is enabled, validate SSH fields
if (data.use_ssh_tunnel) {
const sshValid = data.ssh_host && data.ssh_username &&
(data.ssh_password || data.ssh_private_key)
(data.ssh_password || data.ssh_private_key)
return basicValid && sshValid
}

6
views.py
View file

@ -3,7 +3,7 @@
from fastapi import APIRouter, Depends, Request
from fastapi.responses import HTMLResponse
from lnbits.core.models import User
from lnbits.decorators import check_user_exists
from lnbits.decorators import check_super_user
from lnbits.helpers import template_renderer
satmachineadmin_generic_router = APIRouter()
@ -13,9 +13,9 @@ def satmachineadmin_renderer():
return template_renderer(["satmachineadmin/templates"])
# DCA Admin page
# DCA Admin page - Requires superuser access
@satmachineadmin_generic_router.get("/", response_class=HTMLResponse)
async def index(req: Request, user: User = Depends(check_user_exists)):
async def index(req: Request, user: User = Depends(check_super_user)):
return satmachineadmin_renderer().TemplateResponse(
"satmachineadmin/index.html", {"request": req, "user": user.json()}
)

40
views_api.py
View file

@ -5,9 +5,9 @@ from typing import Optional
from fastapi import APIRouter, Depends, Request
from lnbits.core.crud import get_user
from lnbits.core.models import WalletTypeInfo
from lnbits.core.models import User, WalletTypeInfo
from lnbits.core.services import create_invoice
from lnbits.decorators import require_admin_key
from lnbits.decorators import check_super_user
from starlette.exceptions import HTTPException
from .crud import (
@ -59,7 +59,7 @@ satmachineadmin_api_router = APIRouter()
@satmachineadmin_api_router.get("/api/v1/dca/clients")
async def api_get_dca_clients(
wallet: WalletTypeInfo = Depends(require_admin_key),
wallet: WalletTypeInfo = Depends(check_super_user),
) -> list[DcaClient]:
"""Get all DCA clients"""
return await get_dca_clients()
@ -68,7 +68,7 @@ async def api_get_dca_clients(
@satmachineadmin_api_router.get("/api/v1/dca/clients/{client_id}")
async def api_get_dca_client(
client_id: str,
wallet: WalletTypeInfo = Depends(require_admin_key),
wallet: WalletTypeInfo = Depends(check_super_user),
) -> DcaClient:
"""Get a specific DCA client"""
client = await get_dca_client(client_id)
@ -83,12 +83,10 @@ async def api_get_dca_client(
# Admin extension only reads existing clients and manages their deposits
@satmachineadmin_api_router.get("/api/v1/dca/clients/{client_id}/balance")
async def api_get_client_balance(
client_id: str,
wallet: WalletTypeInfo = Depends(require_admin_key),
wallet: WalletTypeInfo = Depends(check_super_user),
) -> ClientBalanceSummary:
"""Get client balance summary"""
client = await get_dca_client(client_id)
@ -105,7 +103,7 @@ async def api_get_client_balance(
@satmachineadmin_api_router.get("/api/v1/dca/deposits")
async def api_get_deposits(
wallet: WalletTypeInfo = Depends(require_admin_key),
wallet: WalletTypeInfo = Depends(check_super_user),
) -> list[DcaDeposit]:
"""Get all deposits"""
return await get_all_deposits()
@ -114,7 +112,7 @@ async def api_get_deposits(
@satmachineadmin_api_router.get("/api/v1/dca/deposits/{deposit_id}")
async def api_get_deposit(
deposit_id: str,
wallet: WalletTypeInfo = Depends(require_admin_key),
wallet: WalletTypeInfo = Depends(check_super_user),
) -> DcaDeposit:
"""Get a specific deposit"""
deposit = await get_deposit(deposit_id)
@ -128,7 +126,7 @@ async def api_get_deposit(
@satmachineadmin_api_router.post("/api/v1/dca/deposits", status_code=HTTPStatus.CREATED)
async def api_create_deposit(
data: CreateDepositData,
wallet: WalletTypeInfo = Depends(require_admin_key),
user: User = Depends(check_super_user),
) -> DcaDeposit:
"""Create a new deposit"""
# Verify client exists
@ -145,7 +143,7 @@ async def api_create_deposit(
async def api_update_deposit_status(
deposit_id: str,
data: UpdateDepositStatusData,
wallet: WalletTypeInfo = Depends(require_admin_key),
user: User = Depends(check_super_user),
) -> DcaDeposit:
"""Update deposit status (e.g., confirm deposit)"""
deposit = await get_deposit(deposit_id)
@ -168,7 +166,7 @@ async def api_update_deposit_status(
@satmachineadmin_api_router.post("/api/v1/dca/test-connection")
async def api_test_database_connection(
wallet: WalletTypeInfo = Depends(require_admin_key),
user: User = Depends(check_super_user),
):
"""Test connection to Lamassu database with detailed reporting"""
try:
@ -191,7 +189,7 @@ async def api_test_database_connection(
@satmachineadmin_api_router.post("/api/v1/dca/manual-poll")
async def api_manual_poll(
wallet: WalletTypeInfo = Depends(require_admin_key),
user: User = Depends(check_super_user),
):
"""Manually trigger a poll of the Lamassu database"""
try:
@ -237,7 +235,7 @@ async def api_manual_poll(
@satmachineadmin_api_router.post("/api/v1/dca/test-transaction")
async def api_test_transaction(
wallet: WalletTypeInfo = Depends(require_admin_key),
user: User = Depends(check_super_user),
crypto_atoms: int = 103,
commission_percentage: float = 0.03,
discount: float = 0.0,
@ -303,7 +301,7 @@ async def api_test_transaction(
@satmachineadmin_api_router.get("/api/v1/dca/transactions")
async def api_get_lamassu_transactions(
wallet: WalletTypeInfo = Depends(require_admin_key),
wallet: WalletTypeInfo = Depends(check_super_user),
) -> list[StoredLamassuTransaction]:
"""Get all processed Lamassu transactions"""
return await get_all_lamassu_transactions()
@ -312,7 +310,7 @@ async def api_get_lamassu_transactions(
@satmachineadmin_api_router.get("/api/v1/dca/transactions/{transaction_id}")
async def api_get_lamassu_transaction(
transaction_id: str,
wallet: WalletTypeInfo = Depends(require_admin_key),
wallet: WalletTypeInfo = Depends(check_super_user),
) -> StoredLamassuTransaction:
"""Get a specific Lamassu transaction with details"""
transaction = await get_lamassu_transaction(transaction_id)
@ -328,7 +326,7 @@ async def api_get_lamassu_transaction(
)
async def api_get_transaction_distributions(
transaction_id: str,
wallet: WalletTypeInfo = Depends(require_admin_key),
wallet: WalletTypeInfo = Depends(check_super_user),
) -> list[dict]:
"""Get distribution details for a specific Lamassu transaction"""
# Get the stored transaction
@ -371,7 +369,7 @@ async def api_get_transaction_distributions(
@satmachineadmin_api_router.get("/api/v1/dca/config")
async def api_get_lamassu_config(
wallet: WalletTypeInfo = Depends(require_admin_key),
wallet: WalletTypeInfo = Depends(check_super_user),
) -> Optional[LamassuConfig]:
"""Get active Lamassu database configuration"""
return await get_active_lamassu_config()
@ -380,7 +378,7 @@ async def api_get_lamassu_config(
@satmachineadmin_api_router.post("/api/v1/dca/config", status_code=HTTPStatus.CREATED)
async def api_create_lamassu_config(
data: CreateLamassuConfigData,
wallet: WalletTypeInfo = Depends(require_admin_key),
user: User = Depends(check_super_user),
) -> LamassuConfig:
"""Create/update Lamassu database configuration"""
return await create_lamassu_config(data)
@ -390,7 +388,7 @@ async def api_create_lamassu_config(
async def api_update_lamassu_config(
config_id: str,
data: UpdateLamassuConfigData,
wallet: WalletTypeInfo = Depends(require_admin_key),
user: User = Depends(check_super_user),
) -> LamassuConfig:
"""Update Lamassu database configuration"""
config = await get_lamassu_config(config_id)
@ -411,7 +409,7 @@ async def api_update_lamassu_config(
@satmachineadmin_api_router.delete("/api/v1/dca/config/{config_id}")
async def api_delete_lamassu_config(
config_id: str,
wallet: WalletTypeInfo = Depends(require_admin_key),
user: User = Depends(check_super_user),
):
"""Delete Lamassu database configuration"""
config = await get_lamassu_config(config_id)