feat: multi-ticket purchases as N rows sharing one payment_hash

Replaces the previous "one row, N seats via extra.quantity" model
with proper one-row-per-attendee semantics. Each attendee gets a
unique scannable id; the door PUT /register/{ticket_id} marks
them registered independently — so a buyer can purchase 3 tickets,
hand 2 QRs to friends arriving separately, and each attendee can
enter on their own schedule.

Schema (migrations_fork.py m002):
- ticket.payment_hash: new TEXT column shared across all rows of
  a multi-ticket purchase. Backfilled `payment_hash = id` for
  pre-migration rows (id WAS the payment_hash by invariant).

Wire:
- TicketPaymentRequest grows `ticket_ids: list[str]` so the
  webapp gets every scannable id back in the create response.
- POST /tickets/{event_id}/{payment_hash} polling endpoint now
  reports `ticket_ids` (every row) + keeps `ticket_id` for
  back-compat.
- api_ticket_create loops quantity times; the first row reuses
  payment_hash as id (preserves legacy `id == payment_hash`
  invariant for single-ticket purchases), the rest get
  urlsafe_short_hash() uuids.

Payment flow:
- on_invoice_paid fetches all rows by payment_hash and marks each
  paid via set_ticket_paid, which now increments event.sold by 1
  per row (was N per row via extra.quantity — simpler now). The
  per-event asyncio lock still serializes counter + republish so
  concurrent multi-ticket purchases for the same event don't
  reorder the published Nostr state.
- Each paid row triggers its own send_ticket_notification_in_
  background call — no-op for buyers without nostr_identifier /
  email, useful when the buyer set those on the row.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

crud.py

@@ -41,8 +41,19 @@ async def create_ticket(
     email: str | None = None,
     user_id: str | None = None,
     extra: dict | None = None,
+    ticket_id: str | None = None,
 ) -> Ticket:
+    """Persist one ticket row.
+
+    `payment_hash` is the LNbits invoice hash shared across all rows
+    of a multi-ticket purchase. `ticket_id` is the row primary key /
+    scannable id; defaults to `payment_hash` for single-ticket
+    purchases so the legacy id == payment_hash invariant holds.
+    Multi-ticket callers pass a unique uuid here so each attendee
+    gets a distinct scannable QR.
+    """
     now = datetime.now(timezone.utc)
+    row_id = ticket_id or payment_hash
 
     # name/email columns are NOT NULL in the schema, so we store "" when only
     # user_id is supplied. _parse_ticket_row reverses this on read.
@@ -54,7 +65,7 @@ async def create_ticket(
         db_email = email or ""
 
     db_ticket = Ticket(
-        id=payment_hash,
+        id=row_id,
         wallet=wallet,
         event=event,
         name=db_name,
@@ -65,11 +76,12 @@ async def create_ticket(
         reg_timestamp=now,
         time=now,
         extra=TicketExtra(**extra) if extra else TicketExtra(),
+        payment_hash=payment_hash,
     )
     await db.insert("events.ticket", db_ticket)
 
     return Ticket(
-        id=payment_hash,
+        id=row_id,
         wallet=wallet,
         event=event,
         name=name,
@@ -80,6 +92,7 @@ async def create_ticket(
         reg_timestamp=now,
         time=now,
         extra=TicketExtra(**extra) if extra else TicketExtra(),
+        payment_hash=payment_hash,
     )
 
 
@@ -93,6 +106,21 @@ async def update_ticket(ticket: Ticket) -> Ticket:
     return ticket
 
 
+async def get_tickets_by_payment_hash(payment_hash: str) -> list[Ticket]:
+    """All ticket rows sharing the given LNbits invoice payment_hash.
+
+    For a single-ticket purchase returns one row (legacy invariant
+    `id == payment_hash` still holds). For a multi-ticket purchase
+    returns the N rows created with shared `payment_hash` but
+    distinct `id`s — each attendee's scannable QR.
+    """
+    rows = await db.fetchall(
+        "SELECT * FROM events.ticket WHERE payment_hash = :ph",
+        {"ph": payment_hash},
+    )
+    return [Ticket(**_parse_ticket_row(row)) for row in rows]
+
+
 async def get_ticket(payment_hash: str) -> Ticket | None:
     row = await db.fetchone(
         "SELECT * FROM events.ticket WHERE id = :id",

migrations_fork.py

@@ -103,3 +103,28 @@ async def m001_aio_event_schema(db):
     await _alter_add_column_safe(
         db, "ALTER TABLE events.events ADD COLUMN categories TEXT"
     )
+
+
+async def m002_ticket_payment_hash(db):
+    """
+    Add `ticket.payment_hash` for multi-ticket purchases.
+
+    Multi-ticket purchases land as N rows sharing one LNbits invoice
+    (so each attendee gets a distinct scannable QR but the buyer
+    pays once). `ticket.id` stays the row primary key — for legacy
+    single-purchase rows it equals payment_hash; for multi-purchase
+    children it's a uuid generated at create-time. `payment_hash`
+    is the new join key for invoice lookup.
+
+    Backfill existing rows from id so the
+    GET-tickets-by-payment-hash path keeps working for pre-migration
+    data (id was the payment_hash by invariant before this column).
+    """
+    await _alter_add_column_safe(
+        db, "ALTER TABLE events.ticket ADD COLUMN payment_hash TEXT"
+    )
+    await db.execute(
+        "UPDATE events.ticket SET payment_hash = id "
+        "WHERE payment_hash IS NULL OR payment_hash = ''"
+    )
+

models.py

@@ -133,6 +133,9 @@ class CreateTicket(BaseModel):
     nostr_identifier: str | None = None
     payment_method: str | None = None
     fiat_provider: str | None = None
+    # Number of tickets to buy on this single invoice. Bounded so a
+    # bad client can't run away with the organizer's capacity.
+    quantity: int = Field(default=1, ge=1, le=10)
 
     @root_validator
     def validate_identifiers(cls, values):
@@ -158,6 +161,11 @@ class Ticket(BaseModel):
     time: datetime
     reg_timestamp: datetime
     extra: TicketExtra = Field(default_factory=TicketExtra)
+    # Shared LNbits invoice payment_hash. Equals `id` for single-ticket
+    # purchases (legacy + post-migration default). Multi-ticket
+    # purchases create N rows sharing one payment_hash so each attendee
+    # gets a distinct scannable id while the buyer pays once.
+    payment_hash: str | None = None
 
 
 class PublicTicket(BaseModel):
@@ -175,3 +183,8 @@ class TicketPaymentRequest(BaseModel):
     fiat_payment_request: str | None = None
     fiat_provider: str | None = None
     is_fiat: bool = False
+    # Row ids created on this invoice — one for single-ticket
+    # purchases, N for multi-ticket (each independently scannable at
+    # the door). Buyers fetch these after payment to render N QRs in
+    # My Tickets.
+    ticket_ids: list[str] = Field(default_factory=list)

tasks.py

@@ -4,7 +4,7 @@ from lnbits.core.models import Payment
 from lnbits.tasks import register_invoice_listener
 from loguru import logger
 
-from .crud import get_ticket
+from .crud import get_ticket, get_tickets_by_payment_hash
 from .models import Ticket
 from .services import send_ticket_notification_in_background, set_ticket_paid
 
@@ -37,13 +37,32 @@ async def on_invoice_paid(payment: Payment) -> None:
     if not payment.extra or "events" != payment.extra.get("tag"):
         return
 
-    ticket = await get_ticket(payment.payment_hash)
-    if not ticket:
-        logger.warning(f"Ticket for payment {payment.payment_hash} not found.")
+    # Multi-ticket purchases land as N rows sharing this payment_hash;
+    # each one needs to be marked paid + counted against capacity, and
+    # each gets its own buyer notification (mostly a no-op when all
+    # rows are owned by the same buyer, but cheap and consistent).
+    tickets = await get_tickets_by_payment_hash(payment.payment_hash)
+    if not tickets:
+        # Backstop for any legacy row created before the payment_hash
+        # column was populated by the migration backfill.
+        legacy = await get_ticket(payment.payment_hash)
+        if legacy:
+            tickets = [legacy]
+
+    if not tickets:
+        logger.warning(f"No tickets for payment {payment.payment_hash}.")
         return
 
-    ticket = await set_ticket_paid(ticket)
-    send_ticket_notification_in_background(ticket)
+    paid_tickets: list[Ticket] = []
+    for ticket in tickets:
+        paid_tickets.append(await set_ticket_paid(ticket))
+
+    for paid_ticket in paid_tickets:
+        send_ticket_notification_in_background(paid_ticket)
+
+    # Wake up the WebSocket / poll listeners. Forward the first paid
+    # ticket so the existing single-ticket subscribers still work; the
+    # webapp re-fetches all ids via the polling endpoint anyway.
     if payment_listeners.get(payment.payment_hash):
         for paid_ticket_queue in payment_listeners[payment.payment_hash]:
-            paid_ticket_queue.put_nowait(ticket)
+            paid_ticket_queue.put_nowait(paid_tickets[0])

views_api.py

@@ -17,6 +17,7 @@ from lnbits.core.crud.wallets import get_wallet
 from lnbits.core.models import Account, User, WalletTypeInfo
 from lnbits.core.models.payments import CreateInvoice
 from lnbits.core.services import create_payment_request
+from lnbits.helpers import urlsafe_short_hash
 from lnbits.decorators import (
     check_admin,
     check_user_exists,
@@ -46,6 +47,7 @@ from .crud import (
     get_settings,
     get_ticket,
     get_tickets,
+    get_tickets_by_payment_hash,
     get_tickets_by_user_id,
     purge_unpaid_tickets,
     update_event,
@@ -508,8 +510,16 @@ async def api_ticket_create(
         )
     if event.canceled:
         raise HTTPException(status_code=HTTPStatus.GONE, detail="Event is canceled.")
-    if event.amount_tickets > 0 and event.sold >= event.amount_tickets:
+    quantity = data.quantity
+    if event.amount_tickets > 0:
+        if event.sold >= event.amount_tickets:
             raise HTTPException(status_code=HTTPStatus.GONE, detail="Event is sold out.")
+        remaining = event.amount_tickets - event.sold
+        if quantity > remaining:
+            raise HTTPException(
+                status_code=HTTPStatus.BAD_REQUEST,
+                detail=f"Only {remaining} ticket(s) remaining for this event.",
+            )
 
     name = data.name
     email = data.email
@@ -531,7 +541,7 @@ async def api_ticket_create(
                 status_code=HTTPStatus.BAD_REQUEST,
                 detail="Invalid Nostr identifier.",
             ) from exc
-    price = event.price_per_ticket
+    unit_price = event.price_per_ticket
     extra: dict[str, Any] = {"tag": "events", "name": name, "email": email}
 
     if promo_code:
@@ -543,7 +553,9 @@ async def api_ticket_create(
         # get the promocode
         promo = next(pc for pc in event.extra.promo_codes if pc.code == promo_code)
         extra["promo_code"] = promo.code
-        price = event.price_per_ticket * (1 - promo.discount_percent / 100)
+        unit_price = event.price_per_ticket * (1 - promo.discount_percent / 100)
+    # Scale by quantity AFTER the promo applies. One invoice, N tickets.
+    price = unit_price * quantity
 
     if payment_method == "fiat" and not event.allow_fiat:
         raise HTTPException(
@@ -600,6 +612,15 @@ async def api_ticket_create(
             extra=extra,
         ),
     )
+    # Multi-ticket purchases land as N rows sharing the LNbits invoice
+    # payment_hash but with distinct `id`s — one independently
+    # scannable QR per attendee. The first row reuses payment_hash as
+    # its id so the legacy single-purchase invariant
+    # (`id == payment_hash`) still holds for quantity == 1 callers.
+    ticket_ids: list[str] = []
+    sats_per_ticket = payment.sat // quantity if quantity else payment.sat
+    for index in range(quantity):
+        row_id = payment.payment_hash if index == 0 else urlsafe_short_hash()
         await create_ticket(
             payment_hash=payment.payment_hash,
             wallet=event.wallet,
@@ -607,14 +628,16 @@ async def api_ticket_create(
             name=name,
             email=email,
             user_id=user_id,
+            ticket_id=row_id,
             extra={
                 "applied_promo_code": promo_code,
                 "refund_address": refund_address,
                 "nostr_identifier": nostr_identifier,
                 "ticket_base_url": str(request.base_url).rstrip("/"),
-            "sats_paid": payment.sat,
+                "sats_paid": sats_per_ticket,
             },
         )
+        ticket_ids.append(row_id)
 
     return TicketPaymentRequest(
         payment_hash=payment.payment_hash,
@@ -622,30 +645,34 @@ async def api_ticket_create(
         fiat_payment_request=getattr(payment, "extra", {}).get("fiat_payment_request"),
         fiat_provider=getattr(payment, "fiat_provider", None) or fiat_provider,
         is_fiat=bool(getattr(payment, "fiat_provider", None) or fiat_provider),
+        ticket_ids=ticket_ids,
     )
 
 
 @tickets_api_router.post("/{event_id}/{payment_hash}")
 async def api_ticket_payment_status(event_id: str, payment_hash: str) -> dict:
-    """Poll-style payment confirmation for a pending ticket.
+    """Poll-style payment confirmation for a pending ticket purchase.
 
-    The webapp's `useTicketPurchase` polls this every 2s after firing
-    `Pay with Wallet` (or after presenting the QR for an external
-    wallet) until `paid: true` comes back, then advances to the
-    ticket-QR success state. The companion WebSocket at
-    `/tickets/ws/{payment_hash}` is more efficient for pushes — this
-    endpoint is the fallback for clients that can't open a relay-side
-    socket.
+    The webapp polls this every 2s after presenting the invoice until
+    `paid: true` comes back, then advances to the success state. The
+    companion WebSocket at `/tickets/ws/{payment_hash}` is more
+    efficient for pushes — this endpoint is the fallback.
 
-    Returns `{paid: bool, ticket_id?: str}` so the client can hand off
-    to the ticket-detail flow without an extra GET. A missing /
-    cross-event ticket returns `paid: false` rather than 404 so the
-    poll loop doesn't have to special-case the not-yet-created race.
+    Returns `{paid, ticket_ids: [...]}` so multi-ticket buyers get
+    every scannable id back in one response (one for single-ticket
+    purchases). A missing / cross-event purchase returns
+    `paid: false` rather than 404 so the poll doesn't have to
+    special-case the not-yet-created race.
     """
-    ticket = await get_ticket(payment_hash)
-    if not ticket or ticket.event != event_id:
+    tickets = await get_tickets_by_payment_hash(payment_hash)
+    relevant = [t for t in tickets if t.event == event_id]
+    if not relevant:
         return {"paid": False}
-    return {"paid": ticket.paid, "ticket_id": ticket.id}
+    return {
+        "paid": all(t.paid for t in relevant),
+        "ticket_id": relevant[0].id,  # back-compat with single-ticket clients
+        "ticket_ids": [t.id for t in relevant],
+    }
 
 
 @tickets_api_router.websocket("/ws/{payment_hash}")