aiolabs/events
8
0
Fork 0
Code Issues 19 Pull requests Projects Releases 2 Packages Wiki Activity Actions

feat: organizer ticket scanning over nostr-transport + secure legacy HTTP register endpoint #19

Merged
padreug merged 5 commits from ticket-scanner-nostr into main 2026-05-24 16:54:01 +00:00
Conversation 0 Commits 5 Files changed 6 +32 -1
1 changed files with 32 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 1d8dacbaa3 - Show all commits

fix: require admin_key + owner check on PUT /tickets/register
Some checks failed
lint.yml / fix: require admin_key + owner check on PUT /tickets/register (pull_request) Failing after 0s
Details

Prev Next 
The legacy register endpoint had no auth decorator and no
event-ownership check — any caller who knew a ticket id could
mark it registered. Add require_admin_key (matches the rest of
the wallet-bound endpoints in this file) and verify the caller's
user owns the event the ticket belongs to.

Breaking change for any external integration that hit this
endpoint unauthed; the in-tree Quasar register page
(static/js/register.js) already sends the session admin_key via
LNbits.api.request so it keeps working.

The Nostr-transport flow at events_ticket_register (previous
commit) is the preferred call site for new callers; this HTTP
path stays for the legacy LNbits admin UI.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Padreug 2026-05-24 16:32:29 +02:00
commit 1d8dacbaa3

33
views_api.py
View file

@ -766,7 +766,24 @@ async def api_ticket_resend_email(
@tickets_api_router.put("/register/{ticket_id}") @tickets_api_router.put("/register/{ticket_id}")
async def api_event_register_ticket(ticket_id) -> Ticket: async def api_event_register_ticket(
ticket_id: str,
key_info: WalletTypeInfo = Depends(require_admin_key),
) -> Ticket:
"""Mark a ticket as registered at the door.
Auth: wallet admin_key. Caller must own the event the ticket
belongs to we check `event.wallet` against the user's full
wallet set so an organizer with multiple wallets can scan
regardless of which wallet's key they're using.
Until v1.6.1-aio.3 this endpoint had no auth, which meant any
caller who knew a ticket id could register it. The
Nostr-transport flow at `events_ticket_register` is now the
preferred call site for the webapp; this HTTP path stays for
the legacy LNbits Quasar register page which already sends
the wallet admin_key through `LNbits.api.request`.
"""
ticket = await get_ticket(ticket_id) ticket = await get_ticket(ticket_id)
if not ticket: if not ticket:
@ -774,6 +791,20 @@ async def api_event_register_ticket(ticket_id) -> Ticket:
status_code=HTTPStatus.NOT_FOUND, detail="Ticket does not exist." status_code=HTTPStatus.NOT_FOUND, detail="Ticket does not exist."
) )
event = await get_event(ticket.event)
if not event:
raise HTTPException(
status_code=HTTPStatus.NOT_FOUND, detail="Event does not exist."
)
user = await get_user(key_info.wallet.user)
owned_wallet_ids = user.wallet_ids if user else [key_info.wallet.id]
if event.wallet not in owned_wallet_ids:
raise HTTPException(
status_code=HTTPStatus.FORBIDDEN,
detail="You do not own this event.",
)
if not ticket.paid: if not ticket.paid:
raise HTTPException( raise HTTPException(
status_code=HTTPStatus.FORBIDDEN, detail="Ticket not paid for." status_code=HTTPStatus.FORBIDDEN, detail="Ticket not paid for."