fix: require admin_key + owner check on PUT /tickets/register

The legacy register endpoint had no auth decorator and no
event-ownership check — any caller who knew a ticket id could
mark it registered. Add require_admin_key (matches the rest of
the wallet-bound endpoints in this file) and verify the caller's
user owns the event the ticket belongs to.

Breaking change for any external integration that hit this
endpoint unauthed; the in-tree Quasar register page
(static/js/register.js) already sends the session admin_key via
LNbits.api.request so it keeps working.

The Nostr-transport flow at events_ticket_register (previous
commit) is the preferred call site for new callers; this HTTP
path stays for the legacy LNbits admin UI.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

__init__.py

@@ -46,6 +46,27 @@ def events_start():
     task1 = create_permanent_unique_task("ext_events", wait_for_paid_invoices)
     scheduled_tasks.append(task1)
 
+    # Register nostr-transport RPCs. Swallow ImportError on older LNbits
+    # versions that pre-date the transport (the events extension still
+    # works fine via HTTP without it).
+    try:
+        from lnbits.core.services.nostr_transport.dispatcher import (
+            AUTH_WALLET,
+            register_rpc,
+        )
+
+        from .transport_rpcs import handle_events_ticket_register
+
+        register_rpc(
+            "events_ticket_register", handle_events_ticket_register, AUTH_WALLET
+        )
+        logger.info("[EVENTS] Registered nostr-transport RPC: events_ticket_register")
+    except ImportError:
+        logger.info(
+            "[EVENTS] nostr_transport not available on this LNbits — "
+            "ticket scanner over Nostr disabled, HTTP endpoint still works"
+        )
+
     async def _start_nostr_client():
         global nostr_client
         await asyncio.sleep(10)  # Wait for nostrclient to be ready

transport_rpcs.py

@@ -0,0 +1,68 @@
+"""
+Nostr-transport RPC handlers for the aiolabs/events extension.
+
+Each handler is registered with `lnbits.core.services.nostr_transport.
+dispatcher.register_rpc` in `events_start()`. The dispatcher resolves
+the caller's Nostr pubkey to an LNbits Account → wallet (`AUTH_WALLET`)
+and passes a `WalletTypeInfo` as the first argument; handlers verify
+event-level ownership on top.
+
+Errors raise `PermissionError` / `ValueError` so the dispatcher maps
+them into `{status: "ERROR", error: <msg>}` responses; any other
+exception falls through to a generic "Internal error" reply.
+"""
+
+from __future__ import annotations
+
+from datetime import datetime, timezone
+
+from lnbits.core.crud import get_user
+from lnbits.core.models import WalletTypeInfo
+from lnbits.core.services.nostr_transport.models import NostrRpcRequest
+
+from .crud import get_event, get_ticket, update_ticket
+
+
+async def handle_events_ticket_register(
+    auth: WalletTypeInfo,
+    request: NostrRpcRequest,
+) -> dict:
+    """Mark a ticket as registered at the door (organizer flow).
+
+    The Nostr-transport dispatcher already verified the caller signed
+    the kind-21000 RPC event and bound them to `auth.wallet`. This
+    handler adds the event-level check: the ticket's event must be
+    owned by one of the caller's wallets.
+
+    Idempotence mirrors the HTTP endpoint: scanning the same ticket
+    twice fails with "Ticket already registered". The buyer-side flow
+    (notifications etc.) reuses whatever the legacy register endpoint
+    does — we just flip the flag + timestamp.
+    """
+    body = request.body or {}
+    event_id = body.get("event_id")
+    ticket_id = body.get("ticket_id")
+    if not event_id or not ticket_id:
+        raise ValueError("event_id and ticket_id are required")
+
+    ticket = await get_ticket(ticket_id)
+    if not ticket or ticket.event != event_id:
+        raise ValueError("Ticket does not exist on this event")
+    if not ticket.paid:
+        raise PermissionError("Ticket not paid for")
+    if ticket.registered:
+        raise PermissionError("Ticket already registered")
+
+    event = await get_event(event_id)
+    if not event:
+        raise ValueError("Event does not exist")
+
+    user = await get_user(auth.wallet.user)
+    owned_wallet_ids = user.wallet_ids if user else [auth.wallet.id]
+    if event.wallet not in owned_wallet_ids:
+        raise PermissionError("You do not own this event")
+
+    ticket.registered = True
+    ticket.reg_timestamp = datetime.now(timezone.utc)
+    await update_ticket(ticket)
+    return ticket.dict()

views_api.py

@@ -766,7 +766,24 @@ async def api_ticket_resend_email(
 
 
 @tickets_api_router.put("/register/{ticket_id}")
-async def api_event_register_ticket(ticket_id) -> Ticket:
+async def api_event_register_ticket(
+    ticket_id: str,
+    key_info: WalletTypeInfo = Depends(require_admin_key),
+) -> Ticket:
+    """Mark a ticket as registered at the door.
+
+    Auth: wallet admin_key. Caller must own the event the ticket
+    belongs to — we check `event.wallet` against the user's full
+    wallet set so an organizer with multiple wallets can scan
+    regardless of which wallet's key they're using.
+
+    Until v1.6.1-aio.3 this endpoint had no auth, which meant any
+    caller who knew a ticket id could register it. The
+    Nostr-transport flow at `events_ticket_register` is now the
+    preferred call site for the webapp; this HTTP path stays for
+    the legacy LNbits Quasar register page which already sends
+    the wallet admin_key through `LNbits.api.request`.
+    """
     ticket = await get_ticket(ticket_id)
 
     if not ticket:
@@ -774,6 +791,20 @@ async def api_event_register_ticket(ticket_id) -> Ticket:
             status_code=HTTPStatus.NOT_FOUND, detail="Ticket does not exist."
         )
 
+    event = await get_event(ticket.event)
+    if not event:
+        raise HTTPException(
+            status_code=HTTPStatus.NOT_FOUND, detail="Event does not exist."
+        )
+
+    user = await get_user(key_info.wallet.user)
+    owned_wallet_ids = user.wallet_ids if user else [key_info.wallet.id]
+    if event.wallet not in owned_wallet_ids:
+        raise HTTPException(
+            status_code=HTTPStatus.FORBIDDEN,
+            detail="You do not own this event.",
+        )
+
     if not ticket.paid:
         raise HTTPException(
             status_code=HTTPStatus.FORBIDDEN, detail="Ticket not paid for."