__init__.py

@@ -46,6 +46,38 @@ def events_start():
     task1 = create_permanent_unique_task("ext_events", wait_for_paid_invoices)
     scheduled_tasks.append(task1)
 
+    # Register nostr-transport RPCs. Swallow ImportError on older LNbits
+    # versions that pre-date the transport (the events extension still
+    # works fine via HTTP without it).
+    try:
+        from lnbits.core.services.nostr_transport.dispatcher import (
+            AUTH_WALLET,
+            register_rpc,
+        )
+
+        from .transport_rpcs import (
+            handle_events_list_event_tickets,
+            handle_events_ticket_register,
+        )
+
+        register_rpc(
+            "events_ticket_register", handle_events_ticket_register, AUTH_WALLET
+        )
+        register_rpc(
+            "events_list_event_tickets",
+            handle_events_list_event_tickets,
+            AUTH_WALLET,
+        )
+        logger.info(
+            "[EVENTS] Registered nostr-transport RPCs: "
+            "events_ticket_register, events_list_event_tickets"
+        )
+    except ImportError:
+        logger.info(
+            "[EVENTS] nostr_transport not available on this LNbits — "
+            "ticket scanner over Nostr disabled, HTTP endpoint still works"
+        )
+
     async def _start_nostr_client():
         global nostr_client
         await asyncio.sleep(10)  # Wait for nostrclient to be ready

crud.py

@@ -139,6 +139,15 @@ async def get_tickets(wallet_ids: str | list[str]) -> list[Ticket]:
     return [Ticket(**_parse_ticket_row(row)) for row in rows]
 
 
+async def get_tickets_by_event(event_id: str) -> list[Ticket]:
+    """All ticket rows for the given calendar event id."""
+    rows = await db.fetchall(
+        "SELECT * FROM events.ticket WHERE event = :event_id",
+        {"event_id": event_id},
+    )
+    return [Ticket(**_parse_ticket_row(row)) for row in rows]
+
+
 async def get_tickets_by_user_id(user_id: str) -> list[Ticket]:
     """All tickets owned by the given LNbits user_id."""
     rows = await db.fetchall(

static/js/index.js

@@ -14,6 +14,51 @@ window.PageEvents = {
       settings: {
         auto_approve: false
       },
+      allUsersEventsTable: {
+        // Shown on the admin All Users' Events card. Includes the
+        // wallet owner (`wallet_user_id` resolved server-side) so
+        // cross-tenant rows are attributable to a user.
+        columns: [
+          {
+            name: 'wallet_user_id',
+            align: 'left',
+            label: 'Owner',
+            field: 'wallet_user_id'
+          },
+          {name: 'id', align: 'left', label: 'ID', field: 'id'},
+          {name: 'name', align: 'left', label: 'Name', field: 'name'},
+          {
+            name: 'event_start_date',
+            align: 'left',
+            label: 'Start date',
+            field: 'event_start_date'
+          },
+          {
+            name: 'event_end_date',
+            align: 'left',
+            label: 'End date',
+            field: 'event_end_date'
+          },
+          {
+            name: 'closing_date',
+            align: 'left',
+            label: 'Ticket close',
+            field: 'closing_date'
+          },
+          {
+            name: 'canceled',
+            align: 'left',
+            label: 'Canceled',
+            field: row => {
+              if (row.extra && row.extra.conditional && row.canceled) {
+                return 'Yes'
+              }
+              return 'No'
+            }
+          },
+          {name: 'status', align: 'left', label: 'Status', field: 'status'}
+        ]
+      },
       eventsTable: {
         columns: [
           {name: 'id', align: 'left', label: 'ID', field: 'id'},

static/js/index.vue

@@ -286,51 +286,6 @@
         </q-card-section>
       </q-card>
 
-      <q-card v-if="isAdmin && allUserEvents.length > 0">
-        <q-card-section>
-          <div class="row items-center no-wrap q-mb-md">
-            <div class="col">
-              <h5 class="text-subtitle1 q-my-none">
-                All Users' Events
-                <q-badge
-                  color="blue"
-                  :label="allUserEvents.length"
-                  class="q-ml-sm"
-                ></q-badge>
-              </h5>
-            </div>
-          </div>
-          <q-table
-            dense
-            flat
-            :rows="allUserEvents"
-            row-key="id"
-            :columns="eventsTable.columns"
-            :pagination="{rowsPerPage: 10}"
-          >
-            <template v-slot:header="props">
-              <q-tr :props="props">
-                <q-th v-for="col in props.cols" :key="col.name" :props="props">
-                  <span v-text="col.label"></span>
-                </q-th>
-              </q-tr>
-            </template>
-            <template v-slot:body="props">
-              <q-tr :props="props">
-                <q-td v-for="col in props.cols" :key="col.name" :props="props">
-                  <q-badge
-                    v-if="col.name === 'status'"
-                    :color="col.value === 'approved' ? 'green' : col.value === 'proposed' ? 'orange' : 'red'"
-                    :label="col.value"
-                  ></q-badge>
-                  <span v-else v-text="col.value"></span>
-                </q-td>
-              </q-tr>
-            </template>
-          </q-table>
-        </q-card-section>
-      </q-card>
-
       <q-card>
         <q-card-section>
           <div class="row items-center no-wrap q-mb-md">
@@ -409,6 +364,51 @@
           </q-table>
         </q-card-section>
       </q-card>
+
+      <q-card v-if="isAdmin && allUserEvents.length > 0">
+        <q-card-section>
+          <div class="row items-center no-wrap q-mb-md">
+            <div class="col">
+              <h5 class="text-subtitle1 q-my-none">
+                All Users' Events
+                <q-badge
+                  color="blue"
+                  :label="allUserEvents.length"
+                  class="q-ml-sm"
+                ></q-badge>
+              </h5>
+            </div>
+          </div>
+          <q-table
+            dense
+            flat
+            :rows="allUserEvents"
+            row-key="id"
+            :columns="allUsersEventsTable.columns"
+            :pagination="{rowsPerPage: 10}"
+          >
+            <template v-slot:header="props">
+              <q-tr :props="props">
+                <q-th v-for="col in props.cols" :key="col.name" :props="props">
+                  <span v-text="col.label"></span>
+                </q-th>
+              </q-tr>
+            </template>
+            <template v-slot:body="props">
+              <q-tr :props="props">
+                <q-td v-for="col in props.cols" :key="col.name" :props="props">
+                  <q-badge
+                    v-if="col.name === 'status'"
+                    :color="col.value === 'approved' ? 'green' : col.value === 'proposed' ? 'orange' : 'red'"
+                    :label="col.value"
+                  ></q-badge>
+                  <span v-else v-text="col.value"></span>
+                </q-td>
+              </q-tr>
+            </template>
+          </q-table>
+        </q-card-section>
+      </q-card>
     </div>
     <div class="col-12 col-md-4 col-lg-5 q-gutter-y-md">
       <q-card>

transport_rpcs.py

@@ -0,0 +1,120 @@
+"""
+Nostr-transport RPC handlers for the aiolabs/events extension.
+
+Each handler is registered with `lnbits.core.services.nostr_transport.
+dispatcher.register_rpc` in `events_start()`. The dispatcher resolves
+the caller's Nostr pubkey to an LNbits Account → wallet (`AUTH_WALLET`)
+and passes a `WalletTypeInfo` as the first argument; handlers verify
+event-level ownership on top.
+
+Errors raise `PermissionError` / `ValueError` so the dispatcher maps
+them into `{status: "ERROR", error: <msg>}` responses; any other
+exception falls through to a generic "Internal error" reply.
+"""
+
+from __future__ import annotations
+
+from datetime import datetime, timezone
+
+from lnbits.core.crud import get_user
+from lnbits.core.models import WalletTypeInfo
+from lnbits.core.services.nostr_transport.models import NostrRpcRequest
+
+from .crud import get_event, get_ticket, get_tickets_by_event, update_ticket
+
+
+async def handle_events_ticket_register(
+    auth: WalletTypeInfo,
+    request: NostrRpcRequest,
+) -> dict:
+    """Mark a ticket as registered at the door (organizer flow).
+
+    The Nostr-transport dispatcher already verified the caller signed
+    the kind-21000 RPC event and bound them to `auth.wallet`. This
+    handler adds the event-level check: the ticket's event must be
+    owned by one of the caller's wallets.
+
+    Idempotence mirrors the HTTP endpoint: scanning the same ticket
+    twice fails with "Ticket already registered". The buyer-side flow
+    (notifications etc.) reuses whatever the legacy register endpoint
+    does — we just flip the flag + timestamp.
+    """
+    body = request.body or {}
+    event_id = body.get("event_id")
+    ticket_id = body.get("ticket_id")
+    if not event_id or not ticket_id:
+        raise ValueError("event_id and ticket_id are required")
+
+    ticket = await get_ticket(ticket_id)
+    if not ticket or ticket.event != event_id:
+        raise ValueError("Ticket does not exist on this event")
+    if not ticket.paid:
+        raise PermissionError("Ticket not paid for")
+    if ticket.registered:
+        raise PermissionError("Ticket already registered")
+
+    event = await get_event(event_id)
+    if not event:
+        raise ValueError("Event does not exist")
+
+    user = await get_user(auth.wallet.user)
+    owned_wallet_ids = user.wallet_ids if user else [auth.wallet.id]
+    if event.wallet not in owned_wallet_ids:
+        raise PermissionError("You do not own this event")
+
+    ticket.registered = True
+    ticket.reg_timestamp = datetime.now(timezone.utc)
+    await update_ticket(ticket)
+    return ticket.dict()
+
+
+async def handle_events_list_event_tickets(
+    auth: WalletTypeInfo,
+    request: NostrRpcRequest,
+) -> dict:
+    """Return paid + registered counts plus the per-ticket roster for
+    one calendar event, organizer-only.
+
+    Backs the door scanner's counts strip and "All scanned" tab so the
+    UI reads authoritative state from the backend instead of relying
+    on per-device localStorage (which diverges the moment a second
+    organizer scans, or the operator switches devices).
+
+    The roster only includes paid tickets — proposed/unpaid rows are
+    irrelevant at the door.
+    """
+    body = request.body or {}
+    event_id = body.get("event_id")
+    if not event_id:
+        raise ValueError("event_id is required")
+
+    event = await get_event(event_id)
+    if not event:
+        raise ValueError("Event does not exist")
+
+    user = await get_user(auth.wallet.user)
+    owned_wallet_ids = user.wallet_ids if user else [auth.wallet.id]
+    if event.wallet not in owned_wallet_ids:
+        raise PermissionError("You do not own this event")
+
+    tickets = await get_tickets_by_event(event_id)
+    paid_tickets = [t for t in tickets if t.paid]
+    registered_count = sum(1 for t in paid_tickets if t.registered)
+
+    return {
+        "event_id": event_id,
+        "sold": len(paid_tickets),
+        "registered": registered_count,
+        "remaining": len(paid_tickets) - registered_count,
+        "tickets": [
+            {
+                "id": t.id,
+                "name": t.name,
+                "registered": t.registered,
+                "registered_at": (
+                    t.reg_timestamp.isoformat() if t.reg_timestamp else None
+                ),
+            }
+            for t in paid_tickets
+        ],
+    }

views_api.py

@@ -101,9 +101,22 @@ async def api_events_public() -> list[Event]:
 @events_api_router.get("/all")
 async def api_events_all(
     admin: Account = Depends(check_admin),
-) -> list[Event]:
+) -> list[dict]:
-    """All events across all wallets. LNbits admin only."""
+    """All events across all wallets, with each row's wallet owner
-    return await get_all_events()
+    resolved to a user_id. LNbits admin only.
+
+    Returns dicts (not strict `Event` rows) so the response can carry
+    the synthetic `wallet_user_id` column the admin UI uses to attribute
+    each cross-tenant event to a user.
+    """
+    events = await get_all_events()
+    enriched: list[dict] = []
+    for event in events:
+        wallet = await get_wallet(event.wallet)
+        row = event.dict()
+        row["wallet_user_id"] = wallet.user if wallet else None
+        enriched.append(row)
+    return enriched
 
 
 @events_api_router.get("/pending")
@@ -766,7 +779,24 @@ async def api_ticket_resend_email(
 
 
 @tickets_api_router.put("/register/{ticket_id}")
-async def api_event_register_ticket(ticket_id) -> Ticket:
+async def api_event_register_ticket(
+    ticket_id: str,
+    key_info: WalletTypeInfo = Depends(require_admin_key),
+) -> Ticket:
+    """Mark a ticket as registered at the door.
+
+    Auth: wallet admin_key. Caller must own the event the ticket
+    belongs to — we check `event.wallet` against the user's full
+    wallet set so an organizer with multiple wallets can scan
+    regardless of which wallet's key they're using.
+
+    Until v1.6.1-aio.3 this endpoint had no auth, which meant any
+    caller who knew a ticket id could register it. The
+    Nostr-transport flow at `events_ticket_register` is now the
+    preferred call site for the webapp; this HTTP path stays for
+    the legacy LNbits Quasar register page which already sends
+    the wallet admin_key through `LNbits.api.request`.
+    """
     ticket = await get_ticket(ticket_id)
 
     if not ticket:
@@ -774,6 +804,20 @@ async def api_event_register_ticket(ticket_id) -> Ticket:
             status_code=HTTPStatus.NOT_FOUND, detail="Ticket does not exist."
         )
 
+    event = await get_event(ticket.event)
+    if not event:
+        raise HTTPException(
+            status_code=HTTPStatus.NOT_FOUND, detail="Event does not exist."
+        )
+
+    user = await get_user(key_info.wallet.user)
+    owned_wallet_ids = user.wallet_ids if user else [key_info.wallet.id]
+    if event.wallet not in owned_wallet_ids:
+        raise HTTPException(
+            status_code=HTTPStatus.FORBIDDEN,
+            detail="You do not own this event.",
+        )
+
     if not ticket.paid:
         raise HTTPException(
             status_code=HTTPStatus.FORBIDDEN, detail="Ticket not paid for."