Merge pull request 'feat: issue free tickets without minting an invoice' (#31 ) from feat/free-tickets into main

Reviewed-on: #31
chore: bump config.json version to 1.6.1-aio.7
2026-06-20 09:51:18 +00:00 · 2026-06-20 09:04:02 +02:00 · 2026-06-20 09:03:44 +02:00 · 2026-06-18 12:18:55 +00:00 · 2026-06-18 14:13:11 +02:00 · 2026-06-18 14:13:10 +02:00
12 changed files with 549 additions and 78 deletions
--- a/init.py
+++ b/init.py
@ -46,6 +46,38 @@ def events_start():
    task1 = create_permanent_unique_task("ext_events", wait_for_paid_invoices)
    scheduled_tasks.append(task1)

+    # Register nostr-transport RPCs. Swallow ImportError on older LNbits
+    # versions that pre-date the transport (the events extension still
+    # works fine via HTTP without it).
+    try:
+        from lnbits.core.services.nostr_transport.dispatcher import (
+            AUTH_WALLET,
+            register_rpc,
+        )
+
+        from .transport_rpcs import (
+            handle_events_list_event_tickets,
+            handle_events_ticket_register,
+        )
+
+        register_rpc(
+            "events_ticket_register", handle_events_ticket_register, AUTH_WALLET
+        )
+        register_rpc(
+            "events_list_event_tickets",
+            handle_events_list_event_tickets,
+            AUTH_WALLET,
+        )
+        logger.info(
+            "[EVENTS] Registered nostr-transport RPCs: "
+            "events_ticket_register, events_list_event_tickets"
+        )
+    except ImportError:
+        logger.info(
+            "[EVENTS] nostr_transport not available on this LNbits — "
+            "ticket scanner over Nostr disabled, HTTP endpoint still works"
+        )
+
    async def _start_nostr_client():
        global nostr_client
        await asyncio.sleep(10)  # Wait for nostrclient to be ready
--- a/config.json
+++ b/config.json
@ -1,6 +1,6 @@
 {
  "id": "events",
-  "version": "1.6.1-aio.1",
+  "version": "1.6.1-aio.7",
  "name": "Events",
  "repo": "https://git.atitlan.io/aiolabs/events",
  "short_description": "Sell and register event tickets",
--- a/crud.py
+++ b/crud.py
@ -139,6 +139,15 @@ async def get_tickets(wallet_ids: str | list[str]) -> list[Ticket]:
    return [Ticket(**_parse_ticket_row(row)) for row in rows]


+async def get_tickets_by_event(event_id: str) -> list[Ticket]:
+    """All ticket rows for the given calendar event id."""
+    rows = await db.fetchall(
+        "SELECT * FROM events.ticket WHERE event = :event_id",
+        {"event_id": event_id},
+    )
+    return [Ticket(**_parse_ticket_row(row)) for row in rows]
+
+
 async def get_tickets_by_user_id(user_id: str) -> list[Ticket]:
    """All tickets owned by the given LNbits user_id."""
    rows = await db.fetchall(
--- a/models.py
+++ b/models.py
@ -183,6 +183,10 @@ class TicketPaymentRequest(BaseModel):
    fiat_payment_request: str | None = None
    fiat_provider: str | None = None
    is_fiat: bool = False
+    # True when the tickets are already issued + paid with no invoice to
+    # settle — free events (price 0) or a 100%-off promo. The client skips
+    # the QR / payment-poll step and goes straight to the ticket QRs.
+    paid: bool = False
    # Row ids created on this invoice — one for single-ticket
    # purchases, N for multi-ticket (each independently scannable at
    # the door). Buyers fetch these after payment to render N QRs in
--- a/nostr_hooks.py
+++ b/nostr_hooks.py
@ -15,25 +15,30 @@ from .nostr_publisher import publish_event_to_nostr
 async def publish_or_delete_nostr_event(event: Event, *, delete: bool = False) -> None:
    """Publish or delete the NIP-52 calendar event for `event`.

-    Pulls the wallet owner's pubkey/prvkey to sign with the user's identity.
-    Failures are logged and swallowed so a Nostr outage doesn't break the
-    HTTP flow that triggered the publish.
+    Resolves a `NostrSigner` for the wallet owner — backend-agnostic
+    (LocalSigner / RemoteBunkerSigner / ClientSideOnlySigner). The
+    signer abstraction handles the actual key material; this hook
+    only needs `signer.pubkey` for event construction and
+    `await signer.sign_event(...)` for signing. Failures are logged
+    and swallowed so a Nostr outage doesn't break the HTTP flow that
+    triggered the publish.
    """
    try:
-        from lnbits.core.crud.users import get_account
-        from lnbits.core.crud.wallets import get_wallet
+        from lnbits.core.signers import resolve_for_wallet

        from . import nostr_client

-        wallet_obj = await get_wallet(event.wallet)
-        if not wallet_obj:
-            return
-        account = await get_account(wallet_obj.user)
-        if not account or not account.pubkey or not account.prvkey:
+        signer = await resolve_for_wallet(event.wallet)
+        if signer is None:
+            # Wallet missing, account missing, unclassified row, or
+            # ClientSideOnlySigner account (server can't sign for them).
+            # Soft-fail: skip the publish silently. The user can still
+            # publish kind-31922/31923 events client-side once we have
+            # that path.
            return

        nostr_event = await publish_event_to_nostr(
-            nostr_client, event, account.pubkey, account.prvkey, delete=delete
+            nostr_client, event, signer, delete=delete
        )
        if nostr_event and not delete:
            event.nostr_event_id = nostr_event.id
--- a/nostr_publisher.py
+++ b/nostr_publisher.py
@ -1,8 +1,9 @@
 """
 NIP-52 calendar event publishing for the events extension.

-Builds NIP-52 calendar events from the Event model, signs them with the
-creator's Account keypair, and publishes via the NostrClient.
+Builds NIP-52 calendar events from the Event model, signs them via the
+core `NostrSigner` abstraction (backend-agnostic: LocalSigner,
+RemoteBunkerSigner, etc.), and publishes via the NostrClient.

 Kind 31922 is used for date-only events; kind 31923 (time-based) is used
 when event_start_date / event_end_date include a time component.
@ -13,11 +14,12 @@ Reference: https://github.com/nostr-protocol/nips/blob/master/52.md
 import time
 from datetime import datetime, timezone

-import coincurve
+from lnbits.core.signers import NostrSigner
 from loguru import logger

 from .models import Event
 from .nostr.event import NostrEvent
+from .nostr_timestamp import monotonic_created_at


 def _has_time(value: str | None) -> bool:
@ -109,9 +111,15 @@ def build_nip52_event(event: Event, pubkey: str) -> NostrEvent:
        if event.fiat_currency:
            tags.append(["tickets_fiat_currency", event.fiat_currency])

+    # NIP-52 calendar events are replaceable: this d-tag is republished
+    # whenever inventory changes (a ticket sells). Use a strictly-monotonic
+    # created_at anchored on the last published value so a same-second
+    # republish still outranks the prior version and relays push it to open
+    # subscriptions — a bare int(time.time()) can tie and be silently
+    # dropped, stalling clients' live "tickets remaining" badge.
    nostr_event = NostrEvent(
        pubkey=pubkey,
-        created_at=int(time.time()),
+        created_at=monotonic_created_at(event.nostr_event_created_at),
        kind=kind,
        tags=tags,
        content=event.info or "",
@ -142,23 +150,20 @@ def build_nip52_delete_event(event: Event, pubkey: str) -> NostrEvent:
    return nostr_event


-def sign_nostr_event(nostr_event: NostrEvent, private_key_hex: str) -> None:
-    """Sign a NostrEvent in-place using Schnorr signature."""
-    privkey = coincurve.PrivateKey(bytes.fromhex(private_key_hex))
-    sig = privkey.sign_schnorr(bytes.fromhex(nostr_event.id))
-    nostr_event.sig = sig.hex()
-
-
 async def publish_event_to_nostr(
    nostr_client,
    event: Event,
-    account_pubkey: str,
-    account_prvkey: str,
+    signer: NostrSigner,
    delete: bool = False,
 ) -> NostrEvent | None:
    """
    Build, sign, and publish a NIP-52 calendar event (or delete event).

+    Signing routes through the core `NostrSigner` abstraction —
+    `signer.pubkey` for the event identity, `await signer.sign_event(...)`
+    for the Schnorr signature. The signer backend (LocalSigner /
+    RemoteBunkerSigner) is transparent to this function.
+
    Returns the published NostrEvent for metadata storage, or None on failure.
    """
    if not nostr_client:
@ -167,11 +172,25 @@ async def publish_event_to_nostr(

    try:
        if delete:
-            nostr_event = build_nip52_delete_event(event, account_pubkey)
+            nostr_event = build_nip52_delete_event(event, signer.pubkey)
        else:
-            nostr_event = build_nip52_event(event, account_pubkey)
+            nostr_event = build_nip52_event(event, signer.pubkey)
+
+        # Hand the unsigned event to the signer — it fills in `id`,
+        # `pubkey`, and `sig`. The signer's serialization rules match
+        # NIP-01 (same as the local `event_id` property uses), so the
+        # returned id matches what we'd have computed locally.
+        unsigned = {
+            "kind": nostr_event.kind,
+            "created_at": nostr_event.created_at,
+            "tags": nostr_event.tags,
+            "content": nostr_event.content,
+        }
+        signed = await signer.sign_event(unsigned)
+        nostr_event.id = signed["id"]
+        nostr_event.pubkey = signed["pubkey"]
+        nostr_event.sig = signed["sig"]

-        sign_nostr_event(nostr_event, account_prvkey)
        await nostr_client.publish_nostr_event(nostr_event)

        logger.info(
--- a/nostr_timestamp.py
+++ b/nostr_timestamp.py
@ -0,0 +1,34 @@
+"""Monotonic ``created_at`` for replaceable / addressable Nostr events.
+
+Relays only push a replaceable update to OPEN subscriptions when its
+``created_at`` is strictly newer than the version they already hold.
+``created_at`` is integer seconds, so a publisher that stamps
+``int(time.time())`` can emit two versions within the same wall-clock
+second (e.g. two ticket sales republishing the NIP-52 calendar event) —
+the relay treats the second as not-newer and never propagates it to live
+subscribers (it only surfaces on a reload / fresh REQ).
+
+Returning ``max(now, last_created_at + 1)`` guarantees a strictly
+increasing timestamp across successive publishes of the same replaceable
+event. When enough real seconds have elapsed it tracks wall-clock; only
+same-second (or clock-skewed) republishes get nudged forward.
+
+Mirrors the webapp's ``monotonicCreatedAt`` (src/lib/nostr/timestamp.ts)
+and ``docs/nostr-patterns/replaceable-events.md``.
+"""
+
+import time
+
+
+def monotonic_created_at(last_created_at: int | None, now: int | None = None) -> int:
+    """Strictly-newer ``created_at`` for the next publish of a coord.
+
+    :param last_created_at: ``created_at`` of the previously published
+        version (seconds), or ``None`` if none has been published yet.
+    :param now: Current time in seconds — injectable for tests; defaults
+        to ``int(time.time())``.
+    """
+    base = int(time.time()) if now is None else now
+    if last_created_at is None:
+        return base
+    return max(base, last_created_at + 1)
--- a/static/js/index.js
+++ b/static/js/index.js
@ -14,6 +14,51 @@ window.PageEvents = {
      settings: {
        auto_approve: false
      },
+      allUsersEventsTable: {
+        // Shown on the admin All Users' Events card. Includes the
+        // wallet owner (`wallet_user_id` resolved server-side) so
+        // cross-tenant rows are attributable to a user.
+        columns: [
+          {
+            name: 'wallet_user_id',
+            align: 'left',
+            label: 'Owner',
+            field: 'wallet_user_id'
+          },
+          {name: 'id', align: 'left', label: 'ID', field: 'id'},
+          {name: 'name', align: 'left', label: 'Name', field: 'name'},
+          {
+            name: 'event_start_date',
+            align: 'left',
+            label: 'Start date',
+            field: 'event_start_date'
+          },
+          {
+            name: 'event_end_date',
+            align: 'left',
+            label: 'End date',
+            field: 'event_end_date'
+          },
+          {
+            name: 'closing_date',
+            align: 'left',
+            label: 'Ticket close',
+            field: 'closing_date'
+          },
+          {
+            name: 'canceled',
+            align: 'left',
+            label: 'Canceled',
+            field: row => {
+              if (row.extra && row.extra.conditional && row.canceled) {
+                return 'Yes'
+              }
+              return 'No'
+            }
+          },
+          {name: 'status', align: 'left', label: 'Status', field: 'status'}
+        ]
+      },
      eventsTable: {
        columns: [
          {name: 'id', align: 'left', label: 'ID', field: 'id'},
--- a/static/js/index.vue
+++ b/static/js/index.vue
@ -286,51 +286,6 @@
        </q-card-section>
      </q-card>

-      <q-card v-if="isAdmin && allUserEvents.length > 0">
-        <q-card-section>
-          <div class="row items-center no-wrap q-mb-md">
-            <div class="col">
-              <h5 class="text-subtitle1 q-my-none">
-                All Users' Events
-                <q-badge
-                  color="blue"
-                  :label="allUserEvents.length"
-                  class="q-ml-sm"
-                ></q-badge>
-              </h5>
-            </div>
-          </div>
-          <q-table
-            dense
-            flat
-            :rows="allUserEvents"
-            row-key="id"
-            :columns="eventsTable.columns"
-            :pagination="{rowsPerPage: 10}"
-          >
-            <template v-slot:header="props">
-              <q-tr :props="props">
-                <q-th v-for="col in props.cols" :key="col.name" :props="props">
-                  <span v-text="col.label"></span>
-                </q-th>
-              </q-tr>
-            </template>
-            <template v-slot:body="props">
-              <q-tr :props="props">
-                <q-td v-for="col in props.cols" :key="col.name" :props="props">
-                  <q-badge
-                    v-if="col.name === 'status'"
-                    :color="col.value === 'approved' ? 'green' : col.value === 'proposed' ? 'orange' : 'red'"
-                    :label="col.value"
-                  ></q-badge>
-                  <span v-else v-text="col.value"></span>
-                </q-td>
-              </q-tr>
-            </template>
-          </q-table>
-        </q-card-section>
-      </q-card>
-
      <q-card>
        <q-card-section>
          <div class="row items-center no-wrap q-mb-md">
@ -409,6 +364,51 @@
          </q-table>
        </q-card-section>
      </q-card>
+
+      <q-card v-if="isAdmin && allUserEvents.length > 0">
+        <q-card-section>
+          <div class="row items-center no-wrap q-mb-md">
+            <div class="col">
+              <h5 class="text-subtitle1 q-my-none">
+                All Users' Events
+                <q-badge
+                  color="blue"
+                  :label="allUserEvents.length"
+                  class="q-ml-sm"
+                ></q-badge>
+              </h5>
+            </div>
+          </div>
+          <q-table
+            dense
+            flat
+            :rows="allUserEvents"
+            row-key="id"
+            :columns="allUsersEventsTable.columns"
+            :pagination="{rowsPerPage: 10}"
+          >
+            <template v-slot:header="props">
+              <q-tr :props="props">
+                <q-th v-for="col in props.cols" :key="col.name" :props="props">
+                  <span v-text="col.label"></span>
+                </q-th>
+              </q-tr>
+            </template>
+            <template v-slot:body="props">
+              <q-tr :props="props">
+                <q-td v-for="col in props.cols" :key="col.name" :props="props">
+                  <q-badge
+                    v-if="col.name === 'status'"
+                    :color="col.value === 'approved' ? 'green' : col.value === 'proposed' ? 'orange' : 'red'"
+                    :label="col.value"
+                  ></q-badge>
+                  <span v-else v-text="col.value"></span>
+                </q-td>
+              </q-tr>
+            </template>
+          </q-table>
+        </q-card-section>
+      </q-card>
    </div>
    <div class="col-12 col-md-4 col-lg-5 q-gutter-y-md">
      <q-card>
--- a/tests/test_nostr_timestamp.py
+++ b/tests/test_nostr_timestamp.py
@ -0,0 +1,32 @@
+from itertools import pairwise
+
+from ..nostr_timestamp import monotonic_created_at
+
+
+def test_no_prior_uses_now():
+    assert monotonic_created_at(None, now=1000) == 1000
+
+
+def test_same_second_bumps_past_prior():
+    # now == last: a naive int(time.time()) would tie and the relay would
+    # drop the update; we must produce a strictly newer stamp.
+    assert monotonic_created_at(1000, now=1000) == 1001
+
+
+def test_tracks_wallclock_once_seconds_elapse():
+    assert monotonic_created_at(1000, now=1005) == 1005
+
+
+def test_steps_past_future_dated_prior():
+    # clock skew / rapid bursts left the stored value ahead of now
+    assert monotonic_created_at(2000, now=1000) == 2001
+
+
+def test_strictly_increasing_same_second_burst():
+    last = None
+    stamps = []
+    for _ in range(5):
+        last = monotonic_created_at(last, now=1000)  # clock frozen at 1000
+        stamps.append(last)
+    assert stamps == [1000, 1001, 1002, 1003, 1004]
+    assert all(b > a for a, b in pairwise(stamps))
--- a/transport_rpcs.py
+++ b/transport_rpcs.py
@ -0,0 +1,120 @@
+"""
+Nostr-transport RPC handlers for the aiolabs/events extension.
+
+Each handler is registered with `lnbits.core.services.nostr_transport.
+dispatcher.register_rpc` in `events_start()`. The dispatcher resolves
+the caller's Nostr pubkey to an LNbits Account → wallet (`AUTH_WALLET`)
+and passes a `WalletTypeInfo` as the first argument; handlers verify
+event-level ownership on top.
+
+Errors raise `PermissionError` / `ValueError` so the dispatcher maps
+them into `{status: "ERROR", error: <msg>}` responses; any other
+exception falls through to a generic "Internal error" reply.
+"""
+
+from __future__ import annotations
+
+from datetime import datetime, timezone
+
+from lnbits.core.crud import get_user
+from lnbits.core.models import WalletTypeInfo
+from lnbits.core.services.nostr_transport.models import NostrRpcRequest
+
+from .crud import get_event, get_ticket, get_tickets_by_event, update_ticket
+
+
+async def handle_events_ticket_register(
+    auth: WalletTypeInfo,
+    request: NostrRpcRequest,
+) -> dict:
+    """Mark a ticket as registered at the door (organizer flow).
+
+    The Nostr-transport dispatcher already verified the caller signed
+    the kind-21000 RPC event and bound them to `auth.wallet`. This
+    handler adds the event-level check: the ticket's event must be
+    owned by one of the caller's wallets.
+
+    Idempotence mirrors the HTTP endpoint: scanning the same ticket
+    twice fails with "Ticket already registered". The buyer-side flow
+    (notifications etc.) reuses whatever the legacy register endpoint
+    does — we just flip the flag + timestamp.
+    """
+    body = request.body or {}
+    event_id = body.get("event_id")
+    ticket_id = body.get("ticket_id")
+    if not event_id or not ticket_id:
+        raise ValueError("event_id and ticket_id are required")
+
+    ticket = await get_ticket(ticket_id)
+    if not ticket or ticket.event != event_id:
+        raise ValueError("Ticket does not exist on this event")
+    if not ticket.paid:
+        raise PermissionError("Ticket not paid for")
+    if ticket.registered:
+        raise PermissionError("Ticket already registered")
+
+    event = await get_event(event_id)
+    if not event:
+        raise ValueError("Event does not exist")
+
+    user = await get_user(auth.wallet.user)
+    owned_wallet_ids = user.wallet_ids if user else [auth.wallet.id]
+    if event.wallet not in owned_wallet_ids:
+        raise PermissionError("You do not own this event")
+
+    ticket.registered = True
+    ticket.reg_timestamp = datetime.now(timezone.utc)
+    await update_ticket(ticket)
+    return ticket.dict()
+
+
+async def handle_events_list_event_tickets(
+    auth: WalletTypeInfo,
+    request: NostrRpcRequest,
+) -> dict:
+    """Return paid + registered counts plus the per-ticket roster for
+    one calendar event, organizer-only.
+
+    Backs the door scanner's counts strip and "All scanned" tab so the
+    UI reads authoritative state from the backend instead of relying
+    on per-device localStorage (which diverges the moment a second
+    organizer scans, or the operator switches devices).
+
+    The roster only includes paid tickets — proposed/unpaid rows are
+    irrelevant at the door.
+    """
+    body = request.body or {}
+    event_id = body.get("event_id")
+    if not event_id:
+        raise ValueError("event_id is required")
+
+    event = await get_event(event_id)
+    if not event:
+        raise ValueError("Event does not exist")
+
+    user = await get_user(auth.wallet.user)
+    owned_wallet_ids = user.wallet_ids if user else [auth.wallet.id]
+    if event.wallet not in owned_wallet_ids:
+        raise PermissionError("You do not own this event")
+
+    tickets = await get_tickets_by_event(event_id)
+    paid_tickets = [t for t in tickets if t.paid]
+    registered_count = sum(1 for t in paid_tickets if t.registered)
+
+    return {
+        "event_id": event_id,
+        "sold": len(paid_tickets),
+        "registered": registered_count,
+        "remaining": len(paid_tickets) - registered_count,
+        "tickets": [
+            {
+                "id": t.id,
+                "name": t.name,
+                "registered": t.registered,
+                "registered_at": (
+                    t.reg_timestamp.isoformat() if t.reg_timestamp else None
+                ),
+            }
+            for t in paid_tickets
+        ],
+    }
--- a/views_api.py
+++ b/views_api.py
@ -47,6 +47,7 @@ from .crud import (
    get_settings,
    get_ticket,
    get_tickets,
+    get_tickets_by_event,
    get_tickets_by_payment_hash,
    get_tickets_by_user_id,
    purge_unpaid_tickets,
@ -65,7 +66,12 @@ from .models import (
    TicketPaymentRequest,
 )
 from .nostr_hooks import publish_or_delete_nostr_event
-from .services import refund_tickets, resend_ticket_email_notification
+from .services import (
+    refund_tickets,
+    resend_ticket_email_notification,
+    send_ticket_notification_in_background,
+    set_ticket_paid,
+)
 from .tasks import deregister_payment_listener, register_payment_listener

 events_api_router = APIRouter(prefix="/api/v1/events")
@ -101,9 +107,22 @@ async def api_events_public() -> list[Event]:
@events_api_router.get("/all")
 async def api_events_all(
    admin: Account = Depends(check_admin),
-) -> list[Event]:
-    """All events across all wallets. LNbits admin only."""
-    return await get_all_events()
+) -> list[dict]:
+    """All events across all wallets, with each row's wallet owner
+    resolved to a user_id. LNbits admin only.
+
+    Returns dicts (not strict `Event` rows) so the response can carry
+    the synthetic `wallet_user_id` column the admin UI uses to attribute
+    each cross-tenant event to a user.
+    """
+    events = await get_all_events()
+    enriched: list[dict] = []
+    for event in events:
+        wallet = await get_wallet(event.wallet)
+        row = event.dict()
+        row["wallet_user_id"] = wallet.user if wallet else None
+        enriched.append(row)
+    return enriched


@events_api_router.get("/pending")
@ -494,6 +513,62 @@ async def api_get_ticket(ticket_id: str) -> Ticket:
    return ticket


+async def _issue_free_tickets(
+    *,
+    event: Event,
+    quantity: int,
+    name: str | None,
+    email: str | None,
+    user_id: str | None,
+    promo_code: str | None,
+    nostr_identifier: str | None,
+    request: Request,
+) -> TicketPaymentRequest:
+    """Issue `quantity` free tickets without minting an invoice.
+
+    Each row is created then run through `set_ticket_paid` — the exact path
+    `on_invoice_paid` drives for a settled payment: it flips `paid`, bumps
+    the sold / available counters under the per-event lock, and republishes
+    the NIP-52 calendar event so connected clients see the new counts.
+    Notifications fire the same way. No invoice exists, so `sats_paid` is 0
+    and these tickets are naturally skipped by `refund_tickets`.
+
+    All rows in the batch share one synthetic `payment_hash` — the join key
+    the poll / WebSocket / My-Tickets lookups use — mirroring how the paid
+    multi-ticket path shares the real invoice hash.
+    """
+    payment_hash = urlsafe_short_hash()
+    ticket_ids: list[str] = []
+    for _ in range(quantity):
+        row_id = urlsafe_short_hash()
+        ticket = await create_ticket(
+            payment_hash=payment_hash,
+            wallet=event.wallet,
+            event=event.id,
+            name=name,
+            email=email,
+            user_id=user_id,
+            ticket_id=row_id,
+            extra={
+                "applied_promo_code": promo_code,
+                "nostr_identifier": nostr_identifier,
+                "ticket_base_url": str(request.base_url).rstrip("/"),
+                "sats_paid": 0,
+            },
+        )
+        await set_ticket_paid(ticket)
+        send_ticket_notification_in_background(ticket)
+        ticket_ids.append(row_id)
+
+    return TicketPaymentRequest(
+        payment_hash=payment_hash,
+        payment_request=None,
+        is_fiat=False,
+        paid=True,
+        ticket_ids=ticket_ids,
+    )
+
+
@tickets_api_router.post("/{event_id}")
 async def api_ticket_create(
    event_id: str, data: CreateTicket, request: Request
@ -557,6 +632,22 @@ async def api_ticket_create(
    # Scale by quantity AFTER the promo applies. One invoice, N tickets.
    price = unit_price * quantity

+    # Free tickets (final charge 0 — a free event or a 100%-off promo).
+    # Short-circuit before any invoice / fiat-provider logic: no Lightning
+    # invoice can settle for 0, so we issue the rows and mark them paid
+    # directly. payment_method is irrelevant here (nothing is charged).
+    if price <= 0:
+        return await _issue_free_tickets(
+            event=event,
+            quantity=quantity,
+            name=name,
+            email=email,
+            user_id=user_id,
+            promo_code=promo_code,
+            nostr_identifier=nostr_identifier,
+            request=request,
+        )
+
    if payment_method == "fiat" and not event.allow_fiat:
        raise HTTPException(
            status_code=HTTPStatus.BAD_REQUEST,
@ -766,7 +857,24 @@ async def api_ticket_resend_email(


@tickets_api_router.put("/register/{ticket_id}")
-async def api_event_register_ticket(ticket_id) -> Ticket:
+async def api_event_register_ticket(
+    ticket_id: str,
+    key_info: WalletTypeInfo = Depends(require_admin_key),
+) -> Ticket:
+    """Mark a ticket as registered at the door.
+
+    Auth: wallet admin_key. Caller must own the event the ticket
+    belongs to — we check `event.wallet` against the user's full
+    wallet set so an organizer with multiple wallets can scan
+    regardless of which wallet's key they're using.
+
+    Until v1.6.1-aio.3 this endpoint had no auth, which meant any
+    caller who knew a ticket id could register it. The
+    Nostr-transport flow at `events_ticket_register` is now the
+    preferred call site for the webapp; this HTTP path stays for
+    the legacy LNbits Quasar register page which already sends
+    the wallet admin_key through `LNbits.api.request`.
+    """
    ticket = await get_ticket(ticket_id)

    if not ticket:
@ -774,6 +882,20 @@ async def api_event_register_ticket(ticket_id) -> Ticket:
            status_code=HTTPStatus.NOT_FOUND, detail="Ticket does not exist."
        )

+    event = await get_event(ticket.event)
+    if not event:
+        raise HTTPException(
+            status_code=HTTPStatus.NOT_FOUND, detail="Event does not exist."
+        )
+
+    user = await get_user(key_info.wallet.user)
+    owned_wallet_ids = user.wallet_ids if user else [key_info.wallet.id]
+    if event.wallet not in owned_wallet_ids:
+        raise HTTPException(
+            status_code=HTTPStatus.FORBIDDEN,
+            detail="You do not own this event.",
+        )
+
    if not ticket.paid:
        raise HTTPException(
            status_code=HTTPStatus.FORBIDDEN, detail="Ticket not paid for."
@ -788,3 +910,52 @@ async def api_event_register_ticket(ticket_id) -> Ticket:
    ticket.reg_timestamp = datetime.now(timezone.utc)
    ticket = await update_ticket(ticket)
    return ticket
+
+
+@tickets_api_router.get("/event/{event_id}/stats")
+async def api_event_ticket_stats(
+    event_id: str,
+    key_info: WalletTypeInfo = Depends(require_admin_key),
+) -> dict:
+    """Door-scanner roster + counts for one event, organizer-only.
+
+    Mirrors the `events_list_event_tickets` nostr-transport RPC for
+    callers that don't hold a raw user prvkey (the webapp post-#9, in
+    particular). Auth: wallet admin_key + the event's wallet must be
+    in the caller's wallet set.
+    """
+    event = await get_event(event_id)
+    if not event:
+        raise HTTPException(
+            status_code=HTTPStatus.NOT_FOUND, detail="Event does not exist."
+        )
+
+    user = await get_user(key_info.wallet.user)
+    owned_wallet_ids = user.wallet_ids if user else [key_info.wallet.id]
+    if event.wallet not in owned_wallet_ids:
+        raise HTTPException(
+            status_code=HTTPStatus.FORBIDDEN,
+            detail="You do not own this event.",
+        )
+
+    tickets = await get_tickets_by_event(event_id)
+    paid_tickets = [t for t in tickets if t.paid]
+    registered_count = sum(1 for t in paid_tickets if t.registered)
+
+    return {
+        "event_id": event_id,
+        "sold": len(paid_tickets),
+        "registered": registered_count,
+        "remaining": len(paid_tickets) - registered_count,
+        "tickets": [
+            {
+                "id": t.id,
+                "name": t.name,
+                "registered": t.registered,
+                "registered_at": (
+                    t.reg_timestamp.isoformat() if t.reg_timestamp else None
+                ),
+            }
+            for t in paid_tickets
+        ],
+    }
Author	SHA1	Message	Date
padreug	fe9f005b53	Merge pull request 'feat: issue free tickets without minting an invoice' (#31 ) from feat/free-tickets into main Some checks failed lint.yml / Merge pull request 'feat: issue free tickets without minting an invoice' (#31) from feat/free-tickets into main (push) Failing after 0s Details Reviewed-on: #31	2026-06-20 09:51:18 +00:00
Padreug	2093e63020	chore: bump config.json version to 1.6.1-aio.7 Some checks failed lint.yml / chore: bump config.json version to 1.6.1-aio.7 (pull_request) Failing after 0s Details Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-20 09:04:02 +02:00
Padreug	9d7efd7662	feat: issue free tickets without minting an invoice Free events (price_per_ticket == 0) tried to mint a 0-amount Lightning invoice via create_payment_request — an invoice that can't settle, and which the invoice listener would never mark paid, so the ticket never became scannable. api_ticket_create now short-circuits when the final charge is 0 (a free event or a 100%-off promo, computed after promo + quantity) before any invoice / fiat-provider logic: _issue_free_tickets creates the N rows and runs each through the existing set_ticket_paid — the same path on_invoice_paid drives for a settled payment (flip paid, bump sold/available under the per-event lock, republish the NIP-52 event) — plus the ticket notification. The response carries a new TicketPaymentRequest.paid=True with no payment_request so the client skips the QR / payment-poll and goes straight to the ticket QRs. No invoice means sats_paid=0, so free tickets are naturally skipped by refund_tickets. All rows in a batch share one synthetic payment_hash — the join key the poll / WebSocket / My-Tickets lookups use — mirroring the paid multi-ticket path. Self-service forfeit (#28), abuse/identity limits (#29) and pay-what-you-want/donation tickets (#30) are tracked as follow-ups. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-20 09:03:44 +02:00
padreug	f8059516f8	Merge pull request 'fix: publish NIP-52 events with monotonic created_at (#26 )' (#27 ) from fix/monotonic-created-at into main Some checks failed lint.yml / Merge pull request 'fix: publish NIP-52 events with monotonic created_at (#26)' (#27) from fix/monotonic-created-at into main (push) Failing after 0s Details Reviewed-on: #27	2026-06-18 12:18:55 +00:00
Padreug	cfc2e38a5e	chore: bump config.json version to 1.6.1-aio.6 Some checks failed lint.yml / chore: bump config.json version to 1.6.1-aio.6 (pull_request) Failing after 0s Details Marks the monotonic created_at fix (#26). aio semver stays ahead of the upstream 1.6.1 tag per fork versioning rules. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-18 14:13:11 +02:00
Padreug	b5c87c60b4	fix: publish NIP-52 events with monotonic created_at (#26 ) NIP-52 calendar events (31922/31923) are replaceable and republished whenever inventory changes (a ticket sells). build_nip52_event stamped created_at=int(time.time()); relays only push a replacement to OPEN subscriptions when created_at is strictly newer, so two republishes in the same wall-clock second tie and the second is silently dropped for live subscribers — clients' "tickets remaining" badge stalls until a reload. Same root cause as the webapp fix (aiolabs/webapp#122). - Add monotonic_created_at() in nostr_timestamp.py = max(now, last+1), mirroring the webapp helper + docs/nostr-patterns/replaceable-events.md. - Anchor it on the already-persisted Event.nostr_event_created_at (set after each publish in nostr_hooks.py). The kind-5 delete event is not replaceable, so it keeps plain int(time.time()). - Unit tests mirror the webapp's timestamp suite. Concurrent same-second sales reading the same stored anchor can still collide; full hardening (row-level lock) is noted as follow-up in #26. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-18 14:13:10 +02:00
padreug	fd12476b90	Merge pull request 'feat(signer): nostr publish via resolve_for_wallet + door-scanner stats endpoint' (#24 ) from signer-abstraction into main Some checks failed lint.yml / Merge pull request 'feat(signer): nostr publish via resolve_for_wallet + door-scanner stats endpoint' (#24) from signer-abstraction into main (push) Failing after 0s Details Reviewed-on: #24	2026-06-07 17:11:43 +00:00
Padreug	1fb96bfe3c	chore: bump config.json version to 1.6.1-aio.5 Some checks failed lint.yml / chore: bump config.json version to 1.6.1-aio.5 (pull_request) Failing after 0s Details Releases the door-scanner stats endpoint. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-03 19:48:18 +02:00
Padreug	4238b41f10	feat: GET /tickets/event/{event_id}/stats for door-scanner roster Mirrors the events_list_event_tickets nostr-transport RPC for callers that don't hold a raw user prvkey (the webapp post-#9, in particular — useTicketScanner.refreshStats now has a working HTTP path). Auth: wallet admin_key + the event's wallet must be in the caller's wallet set, matching the register endpoint's owner check. Without this endpoint the activities scanner page loaded its initial counts (via no-op fallbacks) but every post-scan refreshStats returned 404, leaving the Scanned counter stuck at 0 even though registrations landed correctly. Surfaced by aio-demo manual test on 2026-06-03. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-03 19:47:49 +02:00
Padreug	66076d6ca7	feat(signer): migrate Nostr publishing off account.prvkey → resolve_for_wallet (#23 ) Closes aiolabs/events#23. Pre-cascade prerequisite for aiolabs/lnbits#17 (signer abstraction phase 1), which lands an m002 startup job that NULLs the legacy `accounts.prvkey` column. After this migration, the events extension reads no plaintext nsec and works with any NostrSigner backend (LocalSigner / RemoteBunkerSigner / ClientSideOnlySigner). ## What changed ### nostr_hooks.py — publish_or_delete_nostr_event Was: pulled `(account.pubkey, account.prvkey)` from the wallet owner, passed both to `publish_event_to_nostr`. Hard-skipped publish when `account.prvkey` was None. Now: calls `await resolve_for_wallet(event.wallet)` (the DRY helper from aiolabs/lnbits#23 — wallet → account → signer → can_sign-check in one call, returns None on any soft-fail). Passes the resolved `NostrSigner` to the publisher. Soft-skip on None (wallet missing, account unclassified, or ClientSideOnlySigner where the server has no signing authority) — matching previous "no prvkey" behavior. ### nostr_publisher.py — publish_event_to_nostr Was: accepted `(account_pubkey, account_prvkey)` and signed via a local `sign_nostr_event` helper that called `coincurve.PrivateKey .sign_schnorr` directly on the plaintext nsec. Now: accepts `signer: NostrSigner`. Builds the unsigned event dict (`kind`/`created_at`/`tags`/`content`), hands it to `await signer.sign_event(...)`, reconstructs the local `NostrEvent` model from the signed dict (`id`/`pubkey`/`sig` fields). The signer backend (LocalSigner / RemoteBunkerSigner) is transparent. Removed the `sign_nostr_event` helper entirely — the signer abstraction handles all signing now. Dropped the `coincurve` import; no direct crypto in this extension. ## Acceptance - [x] keypair helper replaced (nostr_hooks no longer touches account.prvkey) - [x] publish_event_to_nostr accepts NostrSigner instead of (pubkey, prvkey) - [x] extension-local Schnorr code removed (sign_nostr_event gone) - [x] re-grep `events/`: zero `account.prvkey` references - [x] version bumped: 1.6.1-aio.3 → 1.6.1-aio.4 Manual smoke testing + tag + catalog entry follow the migration landing; will run against the regtest stack with lnbits on `issue-18-phase-2.3` (which validates both LocalSigner and RemoteBunkerSigner signing paths end-to-end). ## Cross-references - aiolabs/events#23 — issue this commit closes - aiolabs/lnbits#17 — the cascading signer-abstraction PR - aiolabs/lnbits#23 — the resolve_for_wallet helper this uses - aiolabs/lnbits#26 — phase 2.3 (sign_event over bunker, validated against aiolabs/nsecbunkerd@fb1c239) - aiolabs/lnbits#21 — umbrella audit identifying 5 affected extensions Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-27 21:55:56 +02:00
Padreug	37fad05c1f	chore: bump config.json version to 1.6.1-aio.3 Some checks failed lint.yml / chore: bump config.json version to 1.6.1-aio.3 (push) Failing after 0s Details	2026-05-24 18:56:07 +02:00
padreug	26b1be8ff0	Merge pull request 'feat: organizer ticket scanning over nostr-transport + secure legacy HTTP register endpoint' (#19 ) from ticket-scanner-nostr into main Some checks failed lint.yml / Merge pull request 'feat: organizer ticket scanning over nostr-transport + secure legacy HTTP register endpoint' (#19) from ticket-scanner-nostr into main (push) Failing after 0s Details Reviewed-on: #19	2026-05-24 16:54:00 +00:00
Padreug	3606fd9a0a	feat(admin): Owner column on All Users' Events card Some checks failed lint.yml / feat(admin): Owner column on All Users' Events card (pull_request) Failing after 0s Details Adds the event's wallet owner (user_id) as the first column of the admin-only All Users' Events table so cross-tenant rows are attributable at a glance. Server-side join: GET /events/all now resolves each event.wallet -> wallet.user and stamps the result on the response as wallet_user_id. Frontend gets a dedicated allUsersEventsTable.columns definition so the user's own-events table stays unchanged. Follow-up #22 covers letting the admin actually edit those events once attributed.	2026-05-24 18:51:51 +02:00
Padreug	66d263ef14	ui(admin): Tickets card above All Users' Events on the admin index Some checks failed lint.yml / ui(admin): Tickets card above All Users' Events on the admin index (pull_request) Failing after 0s Details The Tickets table is what an organiser actually scans during day-of operations — it deserves the top slot. All Users' Events stays one section down for the cross-tenant audit view (admin-only anyway).	2026-05-24 18:46:18 +02:00
Padreug	02071e6541	feat: events_list_event_tickets RPC for organizer ticket roster Second nostr-transport handler on this branch. Returns paid + registered counts plus the per-ticket roster (id, name, registered status, timestamp) for one calendar event, organizer-only. Backs the door scanner's counts strip and "scanned" list with backend truth so a second organizer scanning on another device, an operator switching from mobile to laptop mid-event, or a refresh in incognito all see the same numbers instead of diverging from a per-device localStorage cache. Same authorisation posture as events_ticket_register: dispatcher binds caller pubkey to wallet via AUTH_WALLET, handler verifies the event's wallet is in the caller's wallet set. Only paid tickets land in the response — proposed/unpaid rows are irrelevant at the door. Webapp consumes this in aiolabs/webapp#73.	2026-05-24 18:45:48 +02:00
Padreug	1d8dacbaa3	fix: require admin_key + owner check on PUT /tickets/register Some checks failed lint.yml / fix: require admin_key + owner check on PUT /tickets/register (pull_request) Failing after 0s Details The legacy register endpoint had no auth decorator and no event-ownership check — any caller who knew a ticket id could mark it registered. Add require_admin_key (matches the rest of the wallet-bound endpoints in this file) and verify the caller's user owns the event the ticket belongs to. Breaking change for any external integration that hit this endpoint unauthed; the in-tree Quasar register page (static/js/register.js) already sends the session admin_key via LNbits.api.request so it keeps working. The Nostr-transport flow at events_ticket_register (previous commit) is the preferred call site for new callers; this HTTP path stays for the legacy LNbits admin UI. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 16:32:29 +02:00
Padreug	2b3d9df11d	feat: events_ticket_register RPC over nostr transport Organizer-side ticket scanning over LNbits's freshly-merged nostr-transport (kind 21000, NIP-44 v2). The organizer signs the RPC event with their Nostr key; the transport dispatcher resolves pubkey → Account → wallet (AUTH_WALLET) and the handler verifies event-level ownership (event.wallet ∈ caller_user.wallet_ids) before flipping `registered = True`. Idempotence + state transitions mirror the legacy HTTP endpoint: "Ticket not paid for" / "Ticket already registered" / "Ticket does not exist on this event" / "You do not own this event" come back as ERROR responses. Registration in events_start() is guarded with try/except ImportError so the extension still loads on older LNbits versions that pre-date the transport (HTTP path stays the fallback there). Webapp uses this as the new primary scan call site instead of the legacy HTTP endpoint — see companion webapp PR. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 16:32:18 +02:00