fix(v2)(security): wallet IDOR + settlement-processing concurrency
Closes the HIGH-severity security finding from the v2 branch review:
operator A could register a machine pointing at operator B's wallet_id
(or update their machine to do so), then drain B's wallet via the
settlement processor's pay_invoice call. LNbits' pay_invoice doesn't
enforce caller identity at the backend layer — wallet_id is trusted as
the source-of-truth for the source wallet.
Two-layer defence:
1. **API layer.** New _assert_wallet_owned_by helper in views_api.py
refuses any wallet_id from the request body that doesn't resolve to a
wallet owned by the authenticated operator. Applied on
api_create_machine and api_update_machine. Pattern lifted from the
existing api_settle_client_balance which already did this for
funding_wallet_id (260-265 in the original file).
2. **DB layer.** m007 adds a UNIQUE index on dca_machines.wallet_id —
even if a future endpoint forgets the API check, the DB rejects two
rows claiming the same wallet. CREATE UNIQUE INDEX is portable across
SQLite and PostgreSQL (ALTER TABLE ADD CONSTRAINT is not on SQLite).
Same commit also addresses concurrency findings H1+H2+H3 from the
architectural review (race conditions on process_settlement +
no retry path for errored settlements):
- m007 also adds processing_claim TEXT to dca_settlements.
- crud.claim_settlement_for_processing does optimistic-lock via
UPDATE ... SET status='processing', processing_claim=:token
WHERE id=:id AND status='pending' (portable; no UPDATE...RETURNING).
Read-back compares the token; only one concurrent caller wins.
- crud.reset_settlement_for_retry voids failed legs and flips
'errored' → 'pending' so process_settlement re-runs them. Completed
legs are LEFT IN PLACE — we never re-pay sats that already moved.
- crud.mark_settlement_status clears processing_claim on terminal
states so a fresh claim attempt won't see a stale token.
- distribution.process_settlement now uses the claim instead of the
status-read-and-check pattern. Concurrent listener re-fires +
partial-dispense recomputes can't double-pay legs.
- New endpoint:
POST /api/v1/dca/settlements/{id}/retry (operator-scoped)
Refuses if status != 'errored' (400). Resets, then re-runs
process_settlement via the claim path.
DcaSettlement gains a processing_claim: Optional[str] field. Visible to
operators in settlement detail; stale claims (status='processing' for
many minutes) are a "processor crashed mid-flight" signal — operator
can manually mark errored + retry.
32 routes registered. 72/72 tests pass.
Refs: aiolabs/satmachineadmin#9 — closes the v2-branch security finding
and HIGH-priority concurrency findings from the internal review.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
d0a947b7e6
commit
3ede66ff92
5 changed files with 169 additions and 7 deletions
53
views_api.py
53
views_api.py
|
|
@ -37,6 +37,7 @@ from .crud import (
|
|||
get_settlements_for_operator,
|
||||
get_super_config,
|
||||
replace_commission_splits,
|
||||
reset_settlement_for_retry,
|
||||
update_dca_client,
|
||||
update_deposit,
|
||||
update_deposit_status,
|
||||
|
|
@ -45,6 +46,7 @@ from .crud import (
|
|||
)
|
||||
from .distribution import (
|
||||
apply_partial_dispense_and_redistribute,
|
||||
process_settlement,
|
||||
settle_lp_balance,
|
||||
)
|
||||
from .models import (
|
||||
|
|
@ -73,6 +75,19 @@ from .models import (
|
|||
satmachineadmin_api_router = APIRouter()
|
||||
|
||||
|
||||
async def _assert_wallet_owned_by(wallet_id: str, user_id: str) -> None:
|
||||
"""Defence-in-depth: refuse to bind any DB row to a wallet the caller
|
||||
doesn't own. Used on every endpoint that accepts a wallet_id from the
|
||||
request body. The DB-side UNIQUE on dca_machines.wallet_id (m007) is a
|
||||
second line of defence; this check is the primary gate."""
|
||||
wallet = await get_wallet(wallet_id)
|
||||
if wallet is None or wallet.user != user_id:
|
||||
raise HTTPException(
|
||||
HTTPStatus.BAD_REQUEST,
|
||||
"wallet_id is not owned by the authenticated operator",
|
||||
)
|
||||
|
||||
|
||||
# =============================================================================
|
||||
# Machines
|
||||
# =============================================================================
|
||||
|
|
@ -82,6 +97,7 @@ satmachineadmin_api_router = APIRouter()
|
|||
async def api_create_machine(
|
||||
data: CreateMachineData, user: User = Depends(check_user_exists)
|
||||
) -> Machine:
|
||||
await _assert_wallet_owned_by(data.wallet_id, user.id)
|
||||
return await create_machine(user.id, data)
|
||||
|
||||
|
||||
|
|
@ -117,6 +133,8 @@ async def api_update_machine(
|
|||
machine = await get_machine(machine_id)
|
||||
if machine is None or machine.operator_user_id != user.id:
|
||||
raise HTTPException(HTTPStatus.NOT_FOUND, "Machine not found")
|
||||
if data.wallet_id is not None:
|
||||
await _assert_wallet_owned_by(data.wallet_id, user.id)
|
||||
updated = await update_machine(machine_id, data)
|
||||
if updated is None:
|
||||
raise HTTPException(HTTPStatus.NOT_FOUND, "Machine not found")
|
||||
|
|
@ -451,6 +469,41 @@ async def api_partial_dispense(
|
|||
raise HTTPException(HTTPStatus.BAD_REQUEST, str(exc)) from exc
|
||||
|
||||
|
||||
@satmachineadmin_api_router.post(
|
||||
"/api/v1/dca/settlements/{settlement_id}/retry",
|
||||
response_model=DcaSettlement,
|
||||
)
|
||||
async def api_retry_settlement(
|
||||
settlement_id: str, user: User = Depends(check_user_exists)
|
||||
) -> DcaSettlement:
|
||||
"""Operator retry path for an errored settlement.
|
||||
|
||||
Voids any failed legs (completed legs are NEVER re-paid — Lightning
|
||||
sats already moved) and flips status 'errored' → 'pending', then
|
||||
re-invokes process_settlement. The optimistic-lock claim guards
|
||||
against a concurrent listener re-fire racing this retry."""
|
||||
settlement = await get_settlement(settlement_id)
|
||||
if settlement is None:
|
||||
raise HTTPException(HTTPStatus.NOT_FOUND, "Settlement not found")
|
||||
machine = await get_machine(settlement.machine_id)
|
||||
if machine is None or machine.operator_user_id != user.id:
|
||||
raise HTTPException(HTTPStatus.NOT_FOUND, "Settlement not found")
|
||||
if settlement.status != "errored":
|
||||
raise HTTPException(
|
||||
HTTPStatus.BAD_REQUEST,
|
||||
f"settlement status must be 'errored' to retry "
|
||||
f"(currently '{settlement.status}')",
|
||||
)
|
||||
updated = await reset_settlement_for_retry(settlement_id)
|
||||
if updated is None or updated.status != "pending":
|
||||
raise HTTPException(
|
||||
HTTPStatus.INTERNAL_SERVER_ERROR, "failed to reset settlement"
|
||||
)
|
||||
await process_settlement(settlement_id)
|
||||
after = await get_settlement(settlement_id)
|
||||
return after if after is not None else updated
|
||||
|
||||
|
||||
@satmachineadmin_api_router.post(
|
||||
"/api/v1/dca/settlements/{settlement_id}/notes",
|
||||
response_model=DcaSettlement,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue