feat(v2): collision guard — refuse machines whose npub matches an operator account (#32)
Some checks failed
ci.yml / feat(v2): collision guard — refuse machines whose npub matches an operator account (#32) (pull_request) Failing after 0s
Some checks failed
ci.yml / feat(v2): collision guard — refuse machines whose npub matches an operator account (#32) (pull_request) Failing after 0s
Adds `_assert_no_pubkey_collision` to `views_api`, wired into `api_create_machine` between the wallet-ownership guard and the `create_machine` CRUD call. Refuses with HTTP 400 + operator-actionable error message if the supplied `machine_npub` matches any existing LNbits operator account's `accounts.pubkey`. ## Why this matters Reproducer 2026-05-30T21:33Z (coord-log archive `2026-05-31-pre-rotation.md`): Greg's operator account `accounts.pubkey` had been seeded as the same value as Sintra's `dca_machines.machine_npub` (`522a4538…`) during manual setup. The collision masked the routing bug for days — lnbits' nostr-transport `auth.py:resolve_nostr_auth` was routing inbound kind-21000 RPCs from the ATM directly to Greg's wallet *by coincidence* of the matching pubkey. When Greg's account migrated to `RemoteBunkerSigner` and got a fresh pubkey, the coincidence broke + `auto-account-from-npub` fired for the orphaned ATM npub. A real $20 test cash-out silently landed on a fresh auto-account wallet (`a94b564f…`); satmachineadmin lost the settlement entirely — no `dca_settlements` row, no DCA distribution, no commission split. The proper architectural fix is path B / `aiolabs/satmachineadmin#20` (S6, in-progress with lnbits — coord-log `2026-05-31T15:25Z`). This guard is the complementary preventive layer: stops a future operator from re-entering the broken state by registering a machine whose npub collides with an existing account. ## What's in this commit - **`views_api._assert_no_pubkey_collision`** — canonicalises the input npub (accepts hex or `npub1…` bech32) via `normalize_public_key`, queries `lnbits.core.crud.users.get_account_by_pubkey` (which itself lowercases internally), raises HTTPException(400) on hit. Error message names the canonical pubkey prefix, explains the pubkey-collision dependency that breaks on operator pubkey rotation, + points to the `lamassu-next provision-atm` remediation path + this issue for context. - **Wired into `api_create_machine`** after `_assert_wallet_owned_by` + before `create_machine`. `api_update_machine` is unaffected because `UpdateMachineData` doesn't allow npub changes on existing rows. - **`tests/test_collision_guard.py`** — 7 unit tests covering hex / bech32 / uppercase-hex inputs all canonicalise to the same lookup, the no-collision case returns silently, error message asserts (truncated pubkey + remediation hint). Uses pytest monkeypatch to isolate the assertion logic from a live `get_account_by_pubkey` DB call — matches the assertion-style pattern of `tests/test_nostr_attribution.py`. - **`CLAUDE.md`** — new "No-collision invariant" subsection under Security Considerations: documents the rule + the SQL check operators can run on existing installs + the `ATM_PRIVATE_KEY`-unset remediation + cross-refs to `#20` and `#32`. ## Regtest SQL check result Ran the diagnostic SQL against the regtest LNbits + satmachineadmin DBs: - 1 active `dca_machines.machine_npub`: `522a4538…` (Greg's Sintra) - 1 collision found: the auto-account orphan `a94b564f…` (username = None — auto-account signature) created during yesterday's silent-drop failure mode. NOT a legitimate operator account. Greg's actual operator account `ac35c9fc…` carries pubkey `197a4cf4…` post-bunker migration, no collision there. The orphan is operational cleanup (sweep + delete), separate from this code fix. No real-operator collisions remain on the regtest instance. ## Test status 162 passed, 1 pre-existing async-plugin failure unchanged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
44f6c0b1bd
commit
05c1105897
3 changed files with 199 additions and 0 deletions
43
views_api.py
43
views_api.py
|
|
@ -9,8 +9,10 @@ from http import HTTPStatus
|
|||
|
||||
from fastapi import APIRouter, Depends, HTTPException
|
||||
from lnbits.core.crud import get_wallet
|
||||
from lnbits.core.crud.users import get_account_by_pubkey
|
||||
from lnbits.core.models import User
|
||||
from lnbits.decorators import check_super_user, check_user_exists
|
||||
from lnbits.utils.nostr import normalize_public_key
|
||||
|
||||
from .cassette_transport import (
|
||||
CassetteTransportError,
|
||||
|
|
@ -105,6 +107,46 @@ async def _assert_wallet_owned_by(wallet_id: str, user_id: str) -> None:
|
|||
)
|
||||
|
||||
|
||||
async def _assert_no_pubkey_collision(machine_npub: str) -> None:
|
||||
"""Defence-in-depth: refuse to register a machine whose npub matches
|
||||
any LNbits operator account's pubkey.
|
||||
|
||||
Such a collision causes lnbits' nostr-transport `auth.py:resolve_
|
||||
nostr_auth` to route inbound kind-21000 RPCs from the ATM directly
|
||||
to that operator's wallet — works by coincidence, but breaks silently
|
||||
the moment the operator's pubkey rotates (because the auto-account-
|
||||
from-npub flow then fires for the ATM's now-orphaned npub, and the
|
||||
invoice lands on a fresh auto-account wallet instead). Reproducer:
|
||||
Greg's Sintra silent-drop on 2026-05-30T21:33Z. See
|
||||
aiolabs/satmachineadmin#32 for the failure mode + this guard's
|
||||
design rationale.
|
||||
|
||||
Path B (`#20` roster-lookup) is the architectural fix at the
|
||||
routing layer; this guard prevents new operators from inadvertently
|
||||
setting up the collision in the first place. Two layers of defence.
|
||||
|
||||
Idempotent on the same caller re-attempting machine creation with
|
||||
the same npub (the second attempt hits the dca_machines.machine_npub
|
||||
UNIQUE on m001, not this guard — they only collide with operator-
|
||||
account pubkeys, not other machine npubs).
|
||||
"""
|
||||
canonical = normalize_public_key(machine_npub).lower()
|
||||
matching = await get_account_by_pubkey(canonical)
|
||||
if matching is not None:
|
||||
raise HTTPException(
|
||||
HTTPStatus.BAD_REQUEST,
|
||||
(
|
||||
f"machine_npub {canonical[:12]}... collides with an "
|
||||
f"existing LNbits operator account's pubkey. Registering "
|
||||
"an ATM under this npub would silently route invoices via "
|
||||
"a pubkey-collision dependency that breaks on operator "
|
||||
"pubkey rotation. Use a fresh ATM keypair: lamassu-next "
|
||||
"`provision-atm` regenerates one with `ATM_PRIVATE_KEY` "
|
||||
"unset. See aiolabs/satmachineadmin#32."
|
||||
),
|
||||
)
|
||||
|
||||
|
||||
# =============================================================================
|
||||
# Machines
|
||||
# =============================================================================
|
||||
|
|
@ -115,6 +157,7 @@ async def api_create_machine(
|
|||
data: CreateMachineData, user: User = Depends(check_user_exists)
|
||||
) -> Machine:
|
||||
await _assert_wallet_owned_by(data.wallet_id, user.id)
|
||||
await _assert_no_pubkey_collision(data.machine_npub)
|
||||
machine = await create_machine(user.id, data)
|
||||
return machine
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue