feat: merge a link's extra into the payout payment (v1.2.2-aio.2)

Adds an optional `extra` (JSON) field to a withdraw link. When the link
is claimed, that `extra` is merged onto the payout payment's `extra`, so
a caller can tag the resulting payment with metadata an external listener
keys on — the link is the only place to attach it (the customer-facing
LNURL-withdraw payout otherwise carries just `{tag, withdrawal_link_id}`).

Motivating use: bitSpire cash-in settlements. The operator's spirekeeper
listener fires a `cash_in` settlement (fee split to the platform) only on
an outbound payment stamped `source=bitspire`; before this there was no
way to stamp an LNURL-withdraw payout, so cash-ins never settled. bitSpire
now creates the cash-in link for the NET amount with
`extra={source, type:cash_in, principal_sats, fee_sats, ...}` and the
settlement fires on claim.

- models: `extra: dict | None` on CreateWithdrawData + WithdrawLink.
  LNbits' db layer (de)serializes dict columns to/from JSON natively
  (same as Payment.extra) — no per-field validator needed.
- migrations_fork.py: `withdraw_link.extra TEXT` under `withdraw_fork`,
  keeping the upstream-tracked migrations.py byte-identical for clean
  rebases (aiolabs/lnbits#8 pattern).
- views_lnurl: `extra={**(link.extra or {}), "tag": ..., "withdrawal_link_id": ...}`
  — the withdraw extension's own keys are written last so a caller cannot
  clobber them.

Verified end-to-end on the dev stack: a stamped link's payout carries the
merged extra and drives a spirekeeper cash_in settlement + super-fee payout.

.github/workflows/release.yml

@@ -7,7 +7,7 @@ jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Create github release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -19,7 +19,7 @@ jobs:
     needs: [release]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           token: ${{ secrets.EXT_GITHUB }}
           repository: lnbits/lnbits-extensions

Makefile

@@ -5,27 +5,27 @@ format: prettier black ruff
 check: mypy pyright checkblack checkruff checkprettier
 
 prettier:
-	poetry run ./node_modules/.bin/prettier --write .
+	uv run ./node_modules/.bin/prettier --write .
 pyright:
-	poetry run ./node_modules/.bin/pyright
+	uv run ./node_modules/.bin/pyright
 
 mypy:
-	poetry run mypy .
+	uv run mypy .
 
 black:
-	poetry run black .
+	uv run black .
 
 ruff:
-	poetry run ruff check . --fix
+	uv run ruff check . --fix
 
 checkruff:
-	poetry run ruff check .
+	uv run ruff check .
 
 checkprettier:
-	poetry run ./node_modules/.bin/prettier --check .
+	uv run ./node_modules/.bin/prettier --check .
 
 checkblack:
-	poetry run black --check .
+	uv run black --check .
 
 checkeditorconfig:
 	editorconfig-checker
@@ -33,14 +33,14 @@ checkeditorconfig:
 test:
 	PYTHONUNBUFFERED=1 \
 	DEBUG=true \
-	poetry run pytest
+	uv run pytest
 install-pre-commit-hook:
 	@echo "Installing pre-commit hook to git"
-	@echo "Uninstall the hook with poetry run pre-commit uninstall"
+	@echo "Uninstall the hook with uv run pre-commit uninstall"
-	poetry run pre-commit install
+	uv run pre-commit install
 
 pre-commit:
-	poetry run pre-commit run --all-files
+	uv run pre-commit run --all-files
 
 
 checkbundle:

__init__.py

@@ -17,4 +17,51 @@ withdraw_ext.include_router(withdraw_ext_generic)
 withdraw_ext.include_router(withdraw_ext_api)
 withdraw_ext.include_router(withdraw_ext_lnurl)
 
-__all__ = ["withdraw_ext", "withdraw_static_files", "db"]
+
+def withdraw_start() -> None:
+    """
+    Register this extension's RPCs with the LNbits nostr transport so an
+    HTTP-allergic client (e.g. lamassu-next ATM) can manage LNURL-withdraw
+    links without touching the HTTP API. Also wires the link-owner
+    resolver so subscribe_payments({tag:"withdraw", link_id:...}) can
+    verify ownership.
+
+    No-op if the core transport module isn't present in the LNbits build.
+    No runtime `if nostr_transport_enabled` guard is needed — when
+    disabled, the relay pool never publishes, so registered RPCs are
+    simply unreachable.
+    """
+    try:
+        from lnbits.core.services.nostr_transport.dispatcher import (
+            AUTH_ACCOUNT,
+            AUTH_WALLET,
+            register_rpc,
+        )
+        from lnbits.core.services.nostr_transport.subscriptions import (
+            register_link_owner_resolver,
+        )
+    except ImportError:
+        return
+
+    from .transport_rpcs import (
+        handle_lnurlw_create_link,
+        handle_lnurlw_delete_link,
+        handle_lnurlw_get_link,
+        handle_lnurlw_list_links,
+        handle_lnurlw_unique_hashes,
+        handle_lnurlw_update_link,
+        resolve_withdraw_owner,
+    )
+
+    register_rpc("lnurlw_create_link", handle_lnurlw_create_link, AUTH_WALLET)
+    register_rpc("lnurlw_get_link", handle_lnurlw_get_link, AUTH_WALLET)
+    register_rpc("lnurlw_list_links", handle_lnurlw_list_links, AUTH_ACCOUNT)
+    register_rpc("lnurlw_unique_hashes", handle_lnurlw_unique_hashes, AUTH_WALLET)
+    register_rpc("lnurlw_update_link", handle_lnurlw_update_link, AUTH_WALLET)
+    register_rpc("lnurlw_delete_link", handle_lnurlw_delete_link, AUTH_WALLET)
+    register_link_owner_resolver(
+        "withdraw", resolve_withdraw_owner, link_extra_key="withdrawal_link_id"
+    )
+
+
+__all__ = ["db", "withdraw_ext", "withdraw_start", "withdraw_static_files"]

config.json

@@ -2,7 +2,8 @@
   "name": "Withdraw Links",
   "short_description": "Make LNURL withdraw links",
   "tile": "/withdraw/static/image/lnurl-withdraw.png",
-  "min_lnbits_version": "0.12.11",
+  "version": "1.2.2-aio.2",
+  "min_lnbits_version": "1.3.0",
   "contributors": [
     {
       "name": "arcbtc",

crud.py

@@ -1,12 +1,10 @@
 from datetime import datetime
-from time import time
-from typing import List, Optional, Tuple
 
 import shortuuid
 from lnbits.db import Database
 from lnbits.helpers import urlsafe_short_hash
 
-from .models import CreateWithdrawData, HashCheck, WithdrawLink
+from .models import CreateWithdrawData, HashCheck, PaginatedWithdraws, WithdrawLink
 
 db = Database("ext_withdraw")
 
@@ -16,107 +14,87 @@ async def create_withdraw_link(
 ) -> WithdrawLink:
     link_id = urlsafe_short_hash()[:22]
     available_links = ",".join([str(i) for i in range(data.uses)])
-    await db.execute(
+    withdraw_link = WithdrawLink(
-        f"""
+        id=link_id,
-        INSERT INTO withdraw.withdraw_link (
+        wallet=wallet_id,
-            id,
+        unique_hash=urlsafe_short_hash(),
-            wallet,
+        k1=urlsafe_short_hash(),
-            title,
+        created_at=datetime.now(),
-            min_withdrawable,
+        open_time=int(datetime.now().timestamp()) + data.wait_time,
-            max_withdrawable,
+        title=data.title,
-            uses,
+        min_withdrawable=data.min_withdrawable,
-            wait_time,
+        max_withdrawable=data.max_withdrawable,
-            is_unique,
+        uses=data.uses,
-            unique_hash,
+        wait_time=data.wait_time,
-            k1,
+        is_unique=data.is_unique,
-            open_time,
+        usescsv=available_links,
-            usescsv,
+        webhook_url=data.webhook_url,
-            webhook_url,
+        webhook_headers=data.webhook_headers,
-            webhook_headers,
+        webhook_body=data.webhook_body,
-            webhook_body,
+        custom_url=data.custom_url,
-            custom_url,
+        extra=data.extra,
-            created_at
+        number=0,
-        )
-        VALUES
-        (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, {db.timestamp_placeholder})
-        """,
-        (
-            link_id,
-            wallet_id,
-            data.title,
-            data.min_withdrawable,
-            data.max_withdrawable,
-            data.uses,
-            data.wait_time,
-            int(data.is_unique),
-            urlsafe_short_hash(),
-            urlsafe_short_hash(),
-            int(datetime.now().timestamp()) + data.wait_time,
-            available_links,
-            data.webhook_url,
-            data.webhook_headers,
-            data.webhook_body,
-            data.custom_url,
-            int(time()),
-        ),
     )
-    link = await get_withdraw_link(link_id, 0)
+    await db.insert("withdraw.withdraw_link", withdraw_link)
-    assert link, "Newly created link couldn't be retrieved"
+    return withdraw_link
+
+
+async def get_withdraw_link(link_id: str, num=0) -> WithdrawLink | None:
+    link = await db.fetchone(
+        "SELECT * FROM withdraw.withdraw_link WHERE id = :id",
+        {"id": link_id},
+        WithdrawLink,
+    )
+    if not link:
+        return None
+
+    link.number = num
     return link
 
 
-async def get_withdraw_link(link_id: str, num=0) -> Optional[WithdrawLink]:
+async def get_withdraw_link_by_hash(unique_hash: str, num=0) -> WithdrawLink | None:
-    row = await db.fetchone(
+    link = await db.fetchone(
-        "SELECT * FROM withdraw.withdraw_link WHERE id = ?", (link_id,)
+        "SELECT * FROM withdraw.withdraw_link WHERE unique_hash = :hash",
+        {"hash": unique_hash},
+        WithdrawLink,
     )
-    if not row:
+    if not link:
         return None
 
-    link = dict(**row)
+    link.number = num
-    link["number"] = num
+    return link
-
-    return WithdrawLink.parse_obj(link)
-
-
-async def get_withdraw_link_by_hash(unique_hash: str, num=0) -> Optional[WithdrawLink]:
-    row = await db.fetchone(
-        "SELECT * FROM withdraw.withdraw_link WHERE unique_hash = ?", (unique_hash,)
-    )
-    if not row:
-        return None
-
-    link = dict(**row)
-    link["number"] = num
-
-    return WithdrawLink.parse_obj(link)
 
 
 async def get_withdraw_links(
-    wallet_ids: List[str], limit: int, offset: int
+    wallet_ids: list[str], limit: int, offset: int
-) -> Tuple[List[WithdrawLink], int]:
+) -> PaginatedWithdraws:
-    rows = await db.fetchall(
+    q = ",".join([f"'{w}'" for w in wallet_ids])
-        """
+
-        SELECT * FROM withdraw.withdraw_link
+    query_str = f"""
-        WHERE wallet IN ({})
+        SELECT * FROM withdraw.withdraw_link WHERE wallet IN ({q})
         ORDER BY open_time DESC
-        LIMIT ? OFFSET ?
-        """.format(
-            ",".join("?" * len(wallet_ids))
-        ),
-        (*wallet_ids, limit, offset),
-    )
-
-    total = await db.fetchone(
         """
-        SELECT COUNT(*) as total FROM withdraw.withdraw_link
-        WHERE wallet IN ({})
-        """.format(
-            ",".join("?" * len(wallet_ids))
-        ),
-        (*wallet_ids,),
-    )
 
-    return [WithdrawLink(**row) for row in rows], total["total"]
+    if limit > 0:
+        query_str += """ LIMIT :limit OFFSET :offset"""
+        query_params = {"limit": limit, "offset": offset}
+    else:
+        query_params = {}
+
+    links = await db.fetchall(
+        query_str,
+        query_params,
+        WithdrawLink,
+    )
+    result = await db.execute(
+        f"""
+        SELECT COUNT(*) as total FROM withdraw.withdraw_link
+        WHERE wallet IN ({q})
+        """
+    )
+    result2 = result.mappings().first()
+
+    return PaginatedWithdraws(data=links, total=int(result2.total))
 
 
 async def remove_unique_withdraw_link(link: WithdrawLink, unique_hash: str) -> None:
@@ -125,36 +103,25 @@ async def remove_unique_withdraw_link(link: WithdrawLink, unique_hash: str) -> N
         for x in link.usescsv.split(",")
         if unique_hash != shortuuid.uuid(name=link.id + link.unique_hash + x.strip())
     ]
-    await update_withdraw_link(
+    link.usescsv = ",".join(unique_links)
-        link.id,
+    await update_withdraw_link(link)
-        usescsv=",".join(unique_links),
-    )
 
 
 async def increment_withdraw_link(link: WithdrawLink) -> None:
-    await update_withdraw_link(
+    link.used = link.used + 1
-        link.id,
+    link.open_time = int(datetime.now().timestamp())
-        used=link.used + 1,
+    await update_withdraw_link(link)
-        open_time=link.wait_time + int(datetime.now().timestamp()),
-    )
 
 
-async def update_withdraw_link(link_id: str, **kwargs) -> Optional[WithdrawLink]:
+async def update_withdraw_link(link: WithdrawLink) -> WithdrawLink:
-    if "is_unique" in kwargs:
+    await db.update("withdraw.withdraw_link", link)
-        kwargs["is_unique"] = int(kwargs["is_unique"])
+    return link
-    q = ", ".join([f"{field[0]} = ?" for field in kwargs.items()])
-    await db.execute(
-        f"UPDATE withdraw.withdraw_link SET {q} WHERE id = ?",
-        (*kwargs.values(), link_id),
-    )
-    row = await db.fetchone(
-        "SELECT * FROM withdraw.withdraw_link WHERE id = ?", (link_id,)
-    )
-    return WithdrawLink(**row) if row else None
 
 
 async def delete_withdraw_link(link_id: str) -> None:
-    await db.execute("DELETE FROM withdraw.withdraw_link WHERE id = ?", (link_id,))
+    await db.execute(
+        "DELETE FROM withdraw.withdraw_link WHERE id = :id", {"id": link_id}
+    )
 
 
 def chunks(lst, n):
@@ -165,30 +132,38 @@ def chunks(lst, n):
 async def create_hash_check(the_hash: str, lnurl_id: str) -> HashCheck:
     await db.execute(
         """
-        INSERT INTO withdraw.hash_check (
+        INSERT INTO withdraw.hash_check (id, lnurl_id)
-            id,
+        VALUES (:id, :lnurl_id)
-            lnurl_id
-        )
-        VALUES (?, ?)
         """,
-        (the_hash, lnurl_id),
+        {"id": the_hash, "lnurl_id": lnurl_id},
     )
     hash_check = await get_hash_check(the_hash, lnurl_id)
     return hash_check
 
 
 async def get_hash_check(the_hash: str, lnurl_id: str) -> HashCheck:
-    rowid = await db.fetchone(
+
-        "SELECT * FROM withdraw.hash_check WHERE id = ?", (the_hash,)
+    hash_check = await db.fetchone(
+        """
+            SELECT id as hash, lnurl_id as lnurl
+            FROM withdraw.hash_check WHERE id = :id
+        """,
+        {"id": the_hash},
+        HashCheck,
     )
-    rowlnurl = await db.fetchone(
+    hash_check_lnurl = await db.fetchone(
-        "SELECT * FROM withdraw.hash_check WHERE lnurl_id = ?", (lnurl_id,)
+        """
+            SELECT id as hash, lnurl_id as lnurl
+            FROM withdraw.hash_check WHERE lnurl_id = :id
+        """,
+        {"id": lnurl_id},
+        HashCheck,
     )
-    if not rowlnurl:
+    if not hash_check_lnurl:
         await create_hash_check(the_hash, lnurl_id)
         return HashCheck(lnurl=True, hash=False)
     else:
-        if not rowid:
+        if not hash_check:
             await create_hash_check(the_hash, lnurl_id)
             return HashCheck(lnurl=True, hash=False)
         else:
@@ -196,4 +171,6 @@ async def get_hash_check(the_hash: str, lnurl_id: str) -> HashCheck:
 
 
 async def delete_hash_check(the_hash: str) -> None:
-    await db.execute("DELETE FROM withdraw.hash_check WHERE id = ?", (the_hash,))
+    await db.execute(
+        "DELETE FROM withdraw.hash_check WHERE id = :hash", {"hash": the_hash}
+    )

helpers.py

@@ -0,0 +1,54 @@
+from fastapi import Request
+from lnbits.settings import settings
+from lnurl import Lnurl
+from lnurl import encode as lnurl_encode
+from shortuuid import uuid
+
+from .models import WithdrawLink
+
+
+def create_lnurl(link: WithdrawLink, req: Request) -> Lnurl:
+    if link.is_unique:
+        usescssv = link.usescsv.split(",")
+        tohash = link.id + link.unique_hash + usescssv[link.number]
+        multihash = uuid(name=tohash)
+        url = req.url_for(
+            "withdraw.api_lnurl_multi_response",
+            unique_hash=link.unique_hash,
+            id_unique_hash=multihash,
+        )
+    else:
+        url = req.url_for("withdraw.api_lnurl_response", unique_hash=link.unique_hash)
+
+    try:
+        return lnurl_encode(str(url))
+    except Exception as e:
+        raise ValueError(
+            f"Error creating LNURL with url: `{url!s}`, "
+            "check your webserver proxy configuration."
+        ) from e
+
+
+def create_lnurl_from_baseurl(link: WithdrawLink) -> Lnurl:
+    """
+    Same shape as `create_lnurl`, but composes the callback URL from
+    `settings.lnbits_baseurl` instead of a FastAPI `Request`. Used by
+    the nostr-transport RPC handlers, which have no HTTP request to
+    derive a base URL from.
+    """
+    base = settings.lnbits_baseurl.rstrip("/")
+    if link.is_unique:
+        usescssv = link.usescsv.split(",")
+        tohash = link.id + link.unique_hash + usescssv[link.number]
+        multihash = uuid(name=tohash)
+        url = f"{base}/withdraw/api/v1/lnurl/{link.unique_hash}/{multihash}"
+    else:
+        url = f"{base}/withdraw/api/v1/lnurl/{link.unique_hash}"
+
+    try:
+        return lnurl_encode(url)
+    except Exception as e:
+        raise ValueError(
+            f"Error creating LNURL with url: `{url!s}`, "
+            "check your `LNBITS_BASEURL` configuration."
+        ) from e

migrations.py

@@ -1,6 +1,3 @@
-from time import time
-
-
 async def m001_initial(db):
     """
     Creates an improved withdraw table and migrates the existing data.
@@ -142,10 +139,9 @@ async def m007_add_created_at_timestamp(db):
         "ALTER TABLE withdraw.withdraw_link "
         f"ADD COLUMN created_at TIMESTAMP DEFAULT {db.timestamp_column_default}"
     )
-    # Set created_at to current time for all existing rows
+
+
+async def m008_add_enabled_column(db):
     await db.execute(
-        f"""
+        "ALTER TABLE withdraw.withdraw_link ADD COLUMN enabled BOOLEAN DEFAULT true;"
-        UPDATE withdraw.withdraw_link SET created_at = {db.timestamp_placeholder}
-        """,
-        (int(time()),),
     )

migrations_fork.py

@@ -0,0 +1,44 @@
+"""
+Fork-specific database migrations for the aiolabs withdraw extension.
+
+These migrations are tracked separately under `withdraw_fork` in the
+`dbversions` table (loaded by `lnbits/core/helpers.py:migrate_extension_database`),
+so they do not collide with upstream's `m{NNN}_*` numbering in
+`migrations.py`. Keeping the upstream-tracked file untouched means
+`git pull upstream` stays rebase-clean for schema changes.
+
+Conventions:
+  - Sequential numbering starting from m001.
+  - Each migration is `async def m{NNN}_<description>(db)`.
+  - DDL must be idempotent: a fresh install runs every migration; an
+    install that already carries the column must not crash. Use
+    `_alter_add_column_safe` so re-runs are no-ops.
+"""
+
+
+async def _alter_add_column_safe(db, sql: str) -> None:
+    """ALTER TABLE ADD COLUMN that swallows duplicate-column errors, so a
+    re-run on a DB that already has the column is a silent no-op."""
+    try:
+        await db.execute(sql)
+    except Exception as exc:
+        msg = str(exc).lower()
+        if "duplicate column" in msg or "already exists" in msg:
+            return
+        raise
+
+
+async def m001_aio_withdraw_schema(db):
+    """
+    Apply every aiolabs schema delta on top of upstream withdraw.
+
+    `withdraw_link.extra` — arbitrary JSON merged into the payout payment's
+    `extra` when the link is claimed (see views_lnurl). Lets a caller tag the
+    resulting payment with settlement/attribution metadata an external listener
+    can key on — e.g. bitSpire stamps {source, type, principal_sats, fee_sats,
+    ...} so the spirekeeper cash-in settlement fires off an LNURL-withdraw
+    payout. Stored as TEXT; (de)serialized to a dict by the WithdrawLink model.
+    """
+    await _alter_add_column_safe(
+        db, "ALTER TABLE withdraw.withdraw_link ADD COLUMN extra TEXT"
+    )

models.py

@@ -1,17 +1,7 @@
-import datetime
+from datetime import datetime
 
-import shortuuid
+from fastapi import Query
-from fastapi import Query, Request
+from pydantic import BaseModel, Field
-
-# TODO remove type: ignore when 0.12.11 is released
-from lnurl import (  # type: ignore
-    ClearnetUrl,  # type: ignore
-    Lnurl,
-    LnurlWithdrawResponse,
-    MilliSatoshi,  # type: ignore
-)
-from lnurl import encode as lnurl_encode
-from pydantic import BaseModel
 
 
 class CreateWithdrawData(BaseModel):
@@ -25,11 +15,17 @@ class CreateWithdrawData(BaseModel):
     webhook_headers: str = Query(None)
     webhook_body: str = Query(None)
     custom_url: str = Query(None)
+    enabled: bool = Query(True)
+    # Arbitrary JSON merged into the payout payment's `extra` when this link is
+    # claimed (see views_lnurl). Lets a caller tag the resulting payment with
+    # settlement/attribution metadata an external listener can key on — e.g.
+    # bitSpire stamps {source, type, principal_sats, fee_sats, ...} so the
+    # spirekeeper cash-in settlement fires off an LNURL-withdraw payout.
+    extra: dict | None = None
 
 
 class WithdrawLink(BaseModel):
     id: str
-    created_at: datetime.datetime
     wallet: str = Query(None)
     title: str = Query(None)
     min_withdrawable: int = Query(0)
@@ -42,46 +38,43 @@ class WithdrawLink(BaseModel):
     open_time: int = Query(0)
     used: int = Query(0)
     usescsv: str = Query(None)
-    number: int = Query(0)
+    number: int = Field(default=0, no_database=True)
     webhook_url: str = Query(None)
     webhook_headers: str = Query(None)
     webhook_body: str = Query(None)
     custom_url: str = Query(None)
+    # Persisted as TEXT (JSON); merged into the payout payment's `extra` on
+    # claim. LNbits' db layer (de)serializes dict-typed columns to/from JSON
+    # natively (same as Payment.extra) — no per-field validator needed.
+    extra: dict | None = None
+    created_at: datetime
+    enabled: bool = Query(True)
+    lnurl: str | None = Field(
+        default=None,
+        no_database=True,
+        deprecated=True,
+        description=(
+            "Deprecated: Instead of using this bech32 encoded string, dynamically "
+            "generate your own static link (lud17/bech32) on the client side. "
+            "Example: lnurlw://${window.location.hostname}/lnurlw/${id}"
+        ),
+    )
+    lnurl_url: str | None = Field(
+        default=None,
+        no_database=True,
+        description="The raw LNURL callback URL (use for QR code generation)",
+    )
 
     @property
     def is_spent(self) -> bool:
         return self.used >= self.uses
 
-    def lnurl(self, req: Request) -> Lnurl:
-        if self.is_unique:
-            usescssv = self.usescsv.split(",")
-            tohash = self.id + self.unique_hash + usescssv[self.number]
-            multihash = shortuuid.uuid(name=tohash)
-            url = str(
-                req.url_for(
-                    "withdraw.api_lnurl_multi_response",
-                    unique_hash=self.unique_hash,
-                    id_unique_hash=multihash,
-                )
-            )
-        else:
-            url = str(
-                req.url_for("withdraw.api_lnurl_response", unique_hash=self.unique_hash)
-            )
-
-        return lnurl_encode(url)
-
-    def lnurl_response(self, req: Request) -> LnurlWithdrawResponse:
-        url = req.url_for("withdraw.api_lnurl_callback", unique_hash=self.unique_hash)
-        return LnurlWithdrawResponse(
-            callback=ClearnetUrl(url, scheme="https"),  # type: ignore
-            k1=self.k1,
-            minWithdrawable=MilliSatoshi(self.min_withdrawable * 1000),
-            maxWithdrawable=MilliSatoshi(self.max_withdrawable * 1000),
-            defaultDescription=self.title,
-        )
-
 
 class HashCheck(BaseModel):
     hash: bool
     lnurl: bool
+
+
+class PaginatedWithdraws(BaseModel):
+    data: list[WithdrawLink]
+    total: int

pyproject.toml

@@ -1,37 +1,34 @@
-[tool.poetry]
+[project]
 name = "lnbits-withdraw"
 version = "0.0.0"
+requires-python = ">=3.10,<3.13"
 description = "LNbits, free and open-source Lightning wallet and accounts system."
-authors = ["Alan Bits <alan@lnbits.com>"]
+authors = [{ name = "Alan Bits", email = "alan@lnbits.com" }]
+urls = { Homepage = "https://lnbits.com", Repository = "https://github.com/lnbits/bitcoinswitch_extension" }
+dependencies = [ "lnbits>1" ]
 
-[tool.poetry.dependencies]
+[tool.poetry]
-python = "^3.10 | ^3.9"
+package-mode = false
-lnbits = "*"
 
-[tool.poetry.group.dev.dependencies]
+[tool.uv]
-black = "^24.3.0"
+dev-dependencies = [
-pytest-asyncio = "^0.21.0"
+    "black",
-pytest = "^7.3.2"
+    "pytest-asyncio",
-mypy = "^1.5.1"
+    "pytest",
-pre-commit = "^3.2.2"
+    "mypy",
-ruff = "^0.3.2"
+    "pre-commit",
-
+    "ruff",
-[build-system]
+    "pytest-md",
-requires = ["poetry-core>=1.0.0"]
-build-backend = "poetry.core.masonry.api"
-
-[[tool.mypy.overrides]]
-module = [
-  "lnbits.*",
-  "lnurl.*",
-  "loguru.*",
-  "fastapi.*",
-  "pydantic.*",
-  "pyqrcode.*",
-  "shortuuid.*",
-  "httpx.*",
 ]
-ignore_missing_imports = "True"
+
+[tool.mypy]
+plugins = ["pydantic.mypy"]
+
+[tool.pydantic-mypy]
+init_forbid_extra = true
+init_typed = true
+warn_required_dynamic_aliases = true
+warn_untyped_fields = true
 
 [tool.pytest.ini_options]
 log_cli = false

static/js/index.js

@@ -1,34 +1,20 @@
-/* global Vue, VueQrcode, _, Quasar, LOCALE, windowMixin, LNbits */
+const mapWithdrawLink = function (obj) {
-
-Vue.component(VueQrcode.name, VueQrcode)
-
-var locationPath = [
-  window.location.protocol,
-  '//',
-  window.location.host,
-  window.location.pathname
-].join('')
-
-var mapWithdrawLink = function (obj) {
   obj._data = _.clone(obj)
-  obj.min_fsat = new Intl.NumberFormat(LOCALE).format(obj.min_withdrawable)
-  obj.max_fsat = new Intl.NumberFormat(LOCALE).format(obj.max_withdrawable)
   obj.uses_left = obj.uses - obj.used
-  obj.print_url = [locationPath, 'print/', obj.id].join('')
-  obj.withdraw_url = [locationPath, obj.id].join('')
   obj._data.use_custom = Boolean(obj.custom_url)
   return obj
 }
 
 const CUSTOM_URL = '/static/images/default_voucher.png'
 
-new Vue({
+window.app = Vue.createApp({
   el: '#vue',
-  mixins: [windowMixin],
+  mixins: [window.windowMixin],
-  data: function () {
+  data() {
     return {
       checker: null,
       withdrawLinks: [],
+      lnurl: '',
       withdrawLinksTable: {
         columns: [
           {name: 'title', align: 'left', label: 'Title', field: 'title'},
@@ -38,7 +24,7 @@ new Vue({
             label: 'Created At',
             field: 'created_at',
             sortable: true,
-            format: function (val, row) {
+            format: function (val) {
               return new Date(val).toLocaleString()
             }
           },
@@ -51,7 +37,7 @@ new Vue({
           {
             name: 'uses',
             align: 'right',
-            label: 'Created',
+            label: 'Uses',
             field: 'uses'
           },
           {
@@ -60,8 +46,13 @@ new Vue({
             label: 'Uses left',
             field: 'uses_left'
           },
-          {name: 'min', align: 'right', label: 'Min (sat)', field: 'min_fsat'},
+          {
-          {name: 'max', align: 'right', label: 'Max (sat)', field: 'max_fsat'}
+            name: 'max_withdrawable',
+            align: 'right',
+            label: 'Max (sat)',
+            field: 'max_withdrawable',
+            format: LNbits.utils.formatSat
+          }
         ],
         pagination: {
           page: 1,
@@ -77,7 +68,8 @@ new Vue({
         data: {
           is_unique: false,
           use_custom: false,
-          has_webhook: false
+          has_webhook: false,
+          enabled: true
         }
       },
       simpleformDialog: {
@@ -87,7 +79,8 @@ new Vue({
           use_custom: false,
           title: 'Vouchers',
           min_withdrawable: 0,
-          wait_time: 1
+          wait_time: 1,
+          enabled: true
         }
       },
       qrCodeDialog: {
@@ -97,14 +90,14 @@ new Vue({
     }
   },
   computed: {
-    sortedWithdrawLinks: function () {
+    sortedWithdrawLinks() {
       return this.withdrawLinks.sort(function (a, b) {
         return b.uses_left - a.uses_left
       })
     }
   },
   methods: {
-    getWithdrawLinks: function (props) {
+    getWithdrawLinks(props) {
       if (props) {
         this.withdrawLinksTable.pagination = props.pagination
       }
@@ -115,8 +108,6 @@ new Vue({
         offset: (pagination.page - 1) * pagination.rowsPerPage
       }
 
-      var self = this
-
       LNbits.api
         .request(
           'GET',
@@ -124,48 +115,46 @@ new Vue({
           this.g.user.wallets[0].inkey
         )
         .then(response => {
-          this.withdrawLinks = response.data.data.map(function (obj) {
+          this.withdrawLinks = response.data.data.map(mapWithdrawLink)
-            return mapWithdrawLink(obj)
-          })
           this.withdrawLinksTable.pagination.rowsNumber = response.data.total
         })
         .catch(error => {
-          clearInterval(self.checker)
+          clearInterval(this.checker)
           LNbits.utils.notifyApiError(error)
         })
     },
-    closeFormDialog: function () {
+    closeFormDialog() {
       this.formDialog.data = {
         is_unique: false,
         use_custom: false,
-        has_webhook: false
+        has_webhook: false,
+        enabled: true
       }
     },
-    simplecloseFormDialog: function () {
+    simplecloseFormDialog() {
       this.simpleformDialog.data = {
         is_unique: false,
-        use_custom: false
+        use_custom: false,
+        enabled: true
       }
     },
-    openQrCodeDialog: function (linkId) {
+    openQrCodeDialog(linkId) {
-      var link = _.findWhere(this.withdrawLinks, {id: linkId})
+      const link = _.findWhere(this.withdrawLinks, {id: linkId})
-
       this.qrCodeDialog.data = _.clone(link)
-      this.qrCodeDialog.data.url =
-        window.location.protocol + '//' + window.location.host
       this.qrCodeDialog.show = true
+      this.activeUrl = link.lnurl_url
     },
-    openUpdateDialog: function (linkId) {
+    openUpdateDialog(linkId) {
-      var link = _.findWhere(this.withdrawLinks, {id: linkId})
+      let link = _.findWhere(this.withdrawLinks, {id: linkId})
       link._data.has_webhook = link._data.webhook_url ? true : false
       this.formDialog.data = _.clone(link._data)
       this.formDialog.show = true
     },
-    sendFormData: function () {
+    sendFormData() {
-      var wallet = _.findWhere(this.g.user.wallets, {
+      const wallet = _.findWhere(this.g.user.wallets, {
         id: this.formDialog.data.wallet
       })
-      var data = _.omit(this.formDialog.data, 'wallet')
+      const data = _.omit(this.formDialog.data, 'wallet')
 
       if (!data.use_custom) {
         data.custom_url = null
@@ -189,11 +178,11 @@ new Vue({
         this.createWithdrawLink(wallet, data)
       }
     },
-    simplesendFormData: function () {
+    simplesendFormData() {
-      var wallet = _.findWhere(this.g.user.wallets, {
+      const wallet = _.findWhere(this.g.user.wallets, {
         id: this.simpleformDialog.data.wallet
       })
-      var data = _.omit(this.simpleformDialog.data, 'wallet')
+      const data = _.omit(this.simpleformDialog.data, 'wallet')
 
       data.wait_time = 1
       data.min_withdrawable = data.max_withdrawable
@@ -214,7 +203,7 @@ new Vue({
         this.createWithdrawLink(wallet, data)
       }
     },
-    updateWithdrawLink: function (wallet, data) {
+    updateWithdrawLink(wallet, data) {
       // Remove webhook info if toggle is set to false
       if (!data.has_webhook) {
         data.webhook_url = null
@@ -241,7 +230,7 @@ new Vue({
           LNbits.utils.notifyApiError(error)
         })
     },
-    createWithdrawLink: function (wallet, data) {
+    createWithdrawLink(wallet, data) {
       LNbits.api
         .request('POST', '/withdraw/api/v1/links', wallet.adminkey, data)
         .then(response => {
@@ -254,21 +243,20 @@ new Vue({
           LNbits.utils.notifyApiError(error)
         })
     },
-    deleteWithdrawLink: function (linkId) {
+    deleteWithdrawLink(linkId) {
-      var self = this
+      const link = _.findWhere(this.withdrawLinks, {id: linkId})
-      var link = _.findWhere(this.withdrawLinks, {id: linkId})
 
       LNbits.utils
         .confirmDialog('Are you sure you want to delete this withdraw link?')
-        .onOk(function () {
+        .onOk(() => {
           LNbits.api
             .request(
               'DELETE',
               '/withdraw/api/v1/links/' + linkId,
-              _.findWhere(self.g.user.wallets, {id: link.wallet}).adminkey
+              _.findWhere(this.g.user.wallets, {id: link.wallet}).adminkey
             )
-            .then(function (response) {
+            .then(() => {
-              self.withdrawLinks = _.reject(self.withdrawLinks, function (obj) {
+              this.withdrawLinks = _.reject(this.withdrawLinks, function (obj) {
                 return obj.id === linkId
               })
             })
@@ -277,7 +265,7 @@ new Vue({
             })
         })
     },
-    writeNfcTag: async function (lnurl) {
+    async writeNfcTag(lnurl) {
       try {
         if (typeof NDEFReader == 'undefined') {
           throw {
@@ -321,7 +309,7 @@ new Vue({
       )
     }
   },
-  created: function () {
+  created() {
     if (this.g.user.wallets.length) {
       this.getWithdrawLinks()
       this.checker = setInterval(this.getWithdrawLinks, 300000)

templates/withdraw/_api_docs.html

@@ -24,7 +24,7 @@
         <h5 class="text-caption q-mt-sm q-mb-none">Curl example</h5>
         <code
           >curl -X GET {{ request.base_url }}withdraw/api/v1/links -H
-          "X-Api-Key: {{ user.wallets[0].inkey }}"
+          "X-Api-Key: <span v-text="g.user.wallets[0].inkey"></span>"
         </code>
       </q-card-section>
     </q-card>
@@ -51,8 +51,8 @@
         <h5 class="text-caption q-mt-sm q-mb-none">Curl example</h5>
         <code
           >curl -X GET {{ request.base_url
-          }}withdraw/api/v1/links/&lt;withdraw_id&gt; -H "X-Api-Key: {{
+          }}withdraw/api/v1/links/&lt;withdraw_id&gt; -H "X-Api-Key:
-          user.wallets[0].inkey }}"
+          <span v-text="g.user.wallets[0].inkey"></span>"
         </code>
       </q-card-section>
     </q-card>
@@ -86,7 +86,7 @@
           "max_withdrawable": &lt;integer&gt;, "uses": &lt;integer&gt;,
           "wait_time": &lt;integer&gt;, "is_unique": &lt;boolean&gt;,
           "webhook_url": &lt;string&gt;}' -H "Content-type: application/json" -H
-          "X-Api-Key: {{ user.wallets[0].adminkey }}"
+          "X-Api-Key: <span v-text="g.user.wallets[0].adminkey"></span>"
         </code>
       </q-card-section>
     </q-card>
@@ -122,8 +122,8 @@
           &lt;string&gt;, "min_withdrawable": &lt;integer&gt;,
           "max_withdrawable": &lt;integer&gt;, "uses": &lt;integer&gt;,
           "wait_time": &lt;integer&gt;, "is_unique": &lt;boolean&gt;}' -H
-          "Content-type: application/json" -H "X-Api-Key: {{
+          "Content-type: application/json" -H "X-Api-Key:
-          user.wallets[0].adminkey }}"
+          <span v-text="g.user.wallets[0].adminkey"></span>"
         </code>
       </q-card-section>
     </q-card>
@@ -147,8 +147,8 @@
         <h5 class="text-caption q-mt-sm q-mb-none">Curl example</h5>
         <code
           >curl -X DELETE {{ request.base_url
-          }}withdraw/api/v1/links/&lt;withdraw_id&gt; -H "X-Api-Key: {{
+          }}withdraw/api/v1/links/&lt;withdraw_id&gt; -H "X-Api-Key:
-          user.wallets[0].adminkey }}"
+          <span v-text="g.user.wallets[0].adminkey"></span>"
         </code>
       </q-card-section>
     </q-card>
@@ -176,7 +176,7 @@
         <code
           >curl -X GET {{ request.base_url
           }}withdraw/api/v1/links/&lt;the_hash&gt;/&lt;lnurl_id&gt; -H
-          "X-Api-Key: {{ user.wallets[0].inkey }}"
+          "X-Api-Key: <span v-text="g.user.wallets[0].inkey"></span>"
         </code>
       </q-card-section>
     </q-card>

templates/withdraw/csv.html

@@ -1,12 +0,0 @@
-{% extends "print.html" %} {% block page %} {% for page in link %} {% for threes
-in page %} {% for one in threes %} {{one}}, {% endfor %} {% endfor %} {% endfor
-%} {% endblock %} {% block scripts %}
-<script>
-  new Vue({
-    el: '#vue',
-    data: function () {
-      return {}
-    }
-  })
-</script>
-{% endblock %}

templates/withdraw/display.html

@@ -4,29 +4,32 @@
     <q-card class="q-pa-lg">
       <q-card-section class="q-pa-none">
         <div class="text-center">
-          {% if link.is_spent %}
+          <q-badge v-if="spent" color="red" class="q-mb-md"
-          <q-badge color="red" class="q-mb-md">Withdraw is spent.</q-badge>
+            >Withdraw is spent.</q-badge
-          {% endif %}
+          >
-          <a class="text-secondary" href="lightning:{{ lnurl }}">
+          <q-badge v-if="spent" color="red" class="q-mb-md"
-            <q-responsive :ratio="1" class="q-mx-md">
+            >Withdraw is spent.</q-badge
-              <qrcode
+          >
-                :value="this.here + '/?lightning={{lnurl }}'"
+          <q-badge v-else-if="!enabled" color="grey" class="q-mb-md"
-                :options="{width: 800}"
+            >Withdraw is disabled.</q-badge
-                class="rounded-borders"
+          >
-              >
+          <a v-else class="text-secondary" :href="link">
-              </qrcode>
+            <lnbits-qrcode-lnurl
-            </q-responsive>
+              prefix="lnurlw"
+              :url="url"
+              @update:lnurl="v => lnurl = v"
+            ></lnbits-qrcode-lnurl>
           </a>
         </div>
         <div class="row q-mt-lg q-gutter-sm">
-          <q-btn outline color="grey" @click="copyText('{{ lnurl }}')"
+          <q-btn outline color="grey" @click="copyText(lnurl)"
             >Copy LNURL</q-btn
           >
           <q-btn
             outline
             color="grey"
             icon="nfc"
-            @click="writeNfcTag(' {{ lnurl }} ')"
+            @click="writeNfcTag(lnurl)"
             :disable="nfcTagWriting"
           ></q-btn>
         </div>
@@ -52,15 +55,16 @@
 </div>
 {% endblock %} {% block scripts %}
 <script>
-  Vue.component(VueQrcode.name, VueQrcode)
+  window.app = Vue.createApp({
-
-  new Vue({
     el: '#vue',
-    mixins: [windowMixin],
+    mixins: [window.windowMixin],
-    data: function () {
+    data() {
       return {
-        here: location.protocol + '//' + location.host,
+        spent: {{ 'true' if spent else 'false' }},
-        nfcTagWriting: false
+        url: '{{ lnurl_url }}',
+        lnurl: '',
+        nfcTagWriting: false,
+        enabled: {{ 'true' if enabled else 'false' }}
       }
     }
   })

templates/withdraw/index.html

@@ -1,7 +1,5 @@
 {% extends "base.html" %} {% from "macros.jinja" import window_vars with context
-%} {% block scripts %} {{ window_vars(user) }}
+%} {% block page %}
-<script src="/withdraw/static/js/index.js"></script>
-{% endblock %} {% block page %}
 <div class="row q-col-gutter-md">
   <div class="col-12 col-md-7 q-gutter-y-md">
     <q-card>
@@ -9,7 +7,11 @@
         <q-btn unelevated color="primary" @click="simpleformDialog.show = true"
           >Quick vouchers</q-btn
         >
-        <q-btn unelevated color="primary" @click="formDialog.show = true"
+        <q-btn
+          unelevated
+          color="primary"
+          @click="formDialog.show = true"
+          class="q-ml-md"
           >Advanced withdraw link(s)</q-btn
         >
       </q-card-section>
@@ -28,68 +30,70 @@
         <q-table
           dense
           flat
-          :data="sortedWithdrawLinks"
+          :rows="sortedWithdrawLinks"
           row-key="id"
           :columns="withdrawLinksTable.columns"
-          :pagination.sync="withdrawLinksTable.pagination"
+          v-model:pagination="withdrawLinksTable.pagination"
           @request="getWithdrawLinks"
         >
-          {% raw %}
           <template v-slot:header="props">
             <q-tr :props="props">
               <q-th auto-width></q-th>
               <q-th auto-width></q-th>
-              <q-th v-for="col in props.cols" :key="col.name" :props="props">
+              <q-th auto-width></q-th>
-                {{ col.label }}
+              <q-th
-              </q-th>
+                v-for="col in props.cols"
+                :key="col.name"
+                :props="props"
+                v-text="col.label"
+              ></q-th>
               <q-th auto-width></q-th>
             </q-tr>
           </template>
           <template v-slot:body="props">
             <q-tr :props="props">
+              <q-td auto-width>
+                <q-icon
+                  name="power_settings_new"
+                  :color="props.row.enabled ? 'green' : 'red'"
+                  size="xs"
+                >
+                  <q-tooltip>
+                    <span
+                      v-text="props.row.enabled ? 'Withdraw link is enabled' : 'Withdraw link is disabled'"
+                    ></span>
+                  </q-tooltip>
+                </q-icon>
+              </q-td>
               <q-td auto-width>
                 <q-btn
                   unelevated
                   dense
                   size="xs"
                   icon="launch"
-                  :color="($q.dark.isActive) ? 'grey-7' : 'grey-5'"
                   type="a"
-                  :href="props.row.withdraw_url"
+                  :href="'/withdraw/' + props.row.id"
                   target="_blank"
                 >
-                  <q-tooltip> shareable link </q-tooltip></q-btn
+                  <q-tooltip>Shareable link</q-tooltip></q-btn
-                >
-                <q-btn
-                  unelevated
-                  dense
-                  size="xs"
-                  icon="web_asset"
-                  :color="($q.dark.isActive) ? 'grey-7' : 'grey-5'"
-                  type="a"
-                  :href="'/withdraw/img/' + props.row.id"
-                  target="_blank"
-                  ><q-tooltip> embeddable image </q-tooltip></q-btn
                 >
                 <q-btn
                   unelevated
                   dense
                   size="xs"
                   icon="reorder"
-                  :color="($q.dark.isActive) ? 'grey-7' : 'grey-5'"
                   type="a"
                   :href="'/withdraw/csv/' + props.row.id"
                   target="_blank"
-                  ><q-tooltip> csv list </q-tooltip></q-btn
+                  ><q-tooltip>CSV download</q-tooltip></q-btn
                 >
                 <q-btn
                   unelevated
                   dense
                   size="xs"
                   icon="visibility"
-                  :color="($q.dark.isActive) ? 'grey-7' : 'grey-5'"
                   @click="openQrCodeDialog(props.row.id)"
-                  ><q-tooltip> view LNURL </q-tooltip></q-btn
+                  ><q-tooltip>view LNURL</q-tooltip></q-btn
                 >
               </q-td>
               <q-td auto-width>
@@ -110,17 +114,22 @@
                   color="pink"
                 ></q-btn>
               </q-td>
-              <q-td v-for="col in props.cols" :key="col.name" :props="props">
+              <q-td
-                {{ col.value }}
+                v-for="col in props.cols"
+                :key="col.name"
+                :props="props"
+                v-text="col.value"
+              >
               </q-td>
               <q-td>
                 <q-icon v-if="props.row.webhook_url" size="14px" name="http">
-                  <q-tooltip>Webhook to {{ props.row.webhook_url}}</q-tooltip>
+                  <q-tooltip
+                    >Webhook to <span v-text="props.row.webhook_url"></span
+                  ></q-tooltip>
                 </q-icon>
               </q-td>
             </q-tr>
           </template>
-          {% endraw %}
         </q-table>
       </q-card-section>
     </q-card>
@@ -130,7 +139,7 @@
     <q-card>
       <q-card-section>
         <h6 class="text-subtitle1 q-my-none">
-          {{SITE_TITLE}} LNURL-withdraw extension
+          LNbits LNURL withdraw extension
         </h6>
       </q-card-section>
       <q-card-section class="q-pa-none">
@@ -243,6 +252,20 @@
           hint="Custom data as JSON string, will get posted along with webhook 'body' field."
         ></q-input>
         <q-list>
+          <q-item tag="label" class="rounded-borders">
+            <q-item-section avatar>
+              <q-checkbox
+                v-model="formDialog.data.enabled"
+                color="primary"
+              ></q-checkbox>
+            </q-item-section>
+            <q-item-section>
+              <q-item-label>Enable / Disable </q-item-label>
+              <q-item-label caption
+                >You can enable or disable these vouchers</q-item-label
+              >
+            </q-item-section>
+          </q-item>
           <q-item tag="label" class="rounded-borders">
             <q-item-section avatar>
               <q-checkbox
@@ -355,6 +378,20 @@
           label="Number of vouchers"
         ></q-input>
         <q-list>
+          <q-item tag="label" class="rounded-borders">
+            <q-item-section avatar>
+              <q-checkbox
+                v-model="simpleformDialog.data.enabled"
+                color="primary"
+              ></q-checkbox>
+            </q-item-section>
+            <q-item-section>
+              <q-item-label>Enable / Disable </q-item-label>
+              <q-item-label caption
+                >You can enable or disable these vouchers</q-item-label
+              >
+            </q-item-section>
+          </q-item>
           <q-item tag="label" class="rounded-borders">
             <q-item-section avatar>
               <q-checkbox
@@ -404,63 +441,61 @@
 
   <q-dialog v-model="qrCodeDialog.show" position="top">
     <q-card v-if="qrCodeDialog.data" class="q-pa-lg lnbits__dialog-card">
-      <q-responsive :ratio="1" class="q-mx-xl q-mb-md">
+      <lnbits-qrcode-lnurl
-        <qrcode
+        :url="activeUrl"
-          :value="qrCodeDialog.data.url + '/?lightning=' + qrCodeDialog.data.lnurl"
+        @update:lnurl="v => lnurl = v"
-          :options="{width: 800}"
+        prefix="lnurlw"
-          class="rounded-borders"
+      ></lnbits-qrcode-lnurl>
-        ></qrcode>
-        {% raw %}
-      </q-responsive>
       <p style="word-break: break-all">
-        <strong>ID:</strong> {{ qrCodeDialog.data.id }}<br />
+        <strong>ID:</strong> <span v-text="qrCodeDialog.data.id"></span><br />
-        <strong>Unique:</strong> {{ qrCodeDialog.data.is_unique }}<span
+        <strong>Unique:</strong>
-          v-if="qrCodeDialog.data.is_unique"
+        <span v-text="qrCodeDialog.data.is_unique"></span>
-          class="text-deep-purple"
+        <span v-if="qrCodeDialog.data.is_unique" class="text-deep-purple">
-        >
           (QR code will change after each withdrawal)</span
         ><br />
-        <strong>Max. withdrawable:</strong> {{
+        <strong>Max. withdrawable:</strong>
-        qrCodeDialog.data.max_withdrawable }} sat<br />
+        <span v-text="qrCodeDialog.data.max_withdrawable"></span> sat<br />
-        <strong>Wait time:</strong> {{ qrCodeDialog.data.wait_time }} seconds<br />
+        <strong>Wait time:</strong>
-        <strong>Withdraws:</strong> {{ qrCodeDialog.data.used }} / {{
+        <span v-text="qrCodeDialog.data.wait_time"></span> seconds<br />
-        qrCodeDialog.data.uses }}
+        <strong>Withdraws:</strong>
+        <span v-text="qrCodeDialog.data.used"></span>/
+        <span v-text="qrCodeDialog.data.uses"></span><br />
         <q-linear-progress
           :value="qrCodeDialog.data.used / qrCodeDialog.data.uses"
           color="primary"
           class="q-mt-sm"
         ></q-linear-progress>
       </p>
-      {% endraw %}
       <div class="row q-mt-lg q-gutter-sm">
         <q-btn
           outline
           color="grey"
-          @click="copyText(qrCodeDialog.data.lnurl, 'LNURL copied to clipboard!')"
+          @click="copyText(lnurl, 'LNURL copied to clipboard!')"
           class="q-ml-sm"
           >Copy LNURL</q-btn
         >
-        <q-btn
-          outline
-          color="grey"
-          icon="link"
-          @click="copyText(qrCodeDialog.data.withdraw_url, 'Link copied to clipboard!')"
-          ><q-tooltip>Copy sharable link</q-tooltip>
-        </q-btn>
         <q-btn
           outline
           color="grey"
           icon="nfc"
-          @click="writeNfcTag(qrCodeDialog.data.lnurl)"
+          @click="writeNfcTag(lnurl)"
           :disable="nfcTagWriting"
           ><q-tooltip>Write to NFC</q-tooltip></q-btn
         >
+        <q-btn
+          outline
+          color="grey"
+          icon="link"
+          :href="'/withdraw/' + qrCodeDialog.data.id"
+          target="_blank"
+          ><q-tooltip>Open sharable link</q-tooltip>
+        </q-btn>
         <q-btn
           outline
           color="grey"
           icon="print"
           type="a"
-          :href="qrCodeDialog.data.print_url"
+          :href="'/withdraw/print/' + qrCodeDialog.data.id"
           target="_blank"
           ><q-tooltip>Print</q-tooltip></q-btn
         >
@@ -469,4 +504,6 @@
     </q-card>
   </q-dialog>
 </div>
+{% endblock %}{% block scripts %} {{ window_vars(user) }}
+<script src="{{ static_url_for('withdraw/static', path='js/index.js') }}"></script>
 {% endblock %}

templates/withdraw/print_qr.html

@@ -4,22 +4,21 @@
   <div class="" id="vue">
     {% for page in link %}
     <page size="A4" id="pdfprint">
-      <table style="width: 100%">
+      <div class="full-height content-center">
-        {% for threes in page %}
+        {% for row in page %}
-        <tr style="height: 59.4mm">
+        <div class="row" style="max-height: 54mm">
-          {% for one in threes %}
+          {% for one in row %}
-          <td style="width: 105mm">
+          <div class="col-6">
-            <center>
+            <lnbits-qrcode
-              <qrcode
+              style="width: 50mm"
-                :value="theurl + '/?lightning={{one}}'"
+              :value="theurl + '/?lightning={{one}}'"
-                :options="{width: 150}"
+              :show-buttons="false"
-              ></qrcode>
+            ></lnbits-qrcode>
-            </center>
+          </div>
-          </td>
           {% endfor %}
-        </tr>
+        </div>
         {% endfor %}
-      </table>
+      </div>
     </page>
     {% endfor %}
   </div>
@@ -53,11 +52,9 @@
 </style>
 {% endblock %} {% block scripts %}
 <script>
-  Vue.component(VueQrcode.name, VueQrcode)
+  window.app = Vue.createApp({
-
-  new Vue({
     el: '#vue',
-    data: function () {
+    data() {
       return {
         theurl: location.protocol + '//' + location.host,
         printDialog: {

templates/withdraw/print_qr_custom.html

@@ -6,13 +6,14 @@
     <page size="A4" id="pdfprint">
       {% for one in page %}
       <div class="wrapper">
-        <img src="{{custom_url}}" alt="..." />
+        <img class="lnurlw_design" src="{{custom_url}}" alt="..." />
         <span>{{ amt }} sats</span>
         <div class="lnurlw">
-          <qrcode
+          <lnbits-qrcode
             :value="theurl + '/?lightning={{one}}'"
-            :options="{width: 95, margin: 1}"
+            :show-buttons="false"
-          ></qrcode>
+            :options="{width: 150}"
+          ></lnbits-qrcode>
         </div>
       </div>
       {% endfor %}
@@ -52,7 +53,7 @@
     top: calc(3.2mm + 1rem);
     right: calc(4mm + 1rem);
   }
-  .wrapper img {
+  .wrapper img.lnurlw_design {
     display: block;
     width: 187mm;
     height: auto;
@@ -61,9 +62,10 @@
   .wrapper .lnurlw {
     display: block;
     position: absolute;
-    top: calc(7.3mm + 1rem);
+    top: calc(3mm + 1rem);
-    left: calc(7.5mm + 1rem);
+    left: calc(6mm + 1rem);
     transform: rotate(45deg);
+    width: 27mm;
   }
 
   @media print {
@@ -83,17 +85,15 @@
     .wrapper .lnurlw {
       display: block;
       position: absolute;
-      top: 7.3mm;
+      top: 3mm;
-      left: 7.5mm;
+      left: 6mm;
       transform: rotate(45deg);
     }
   }
 </style>
 {% endblock %} {% block scripts %}
 <script>
-  Vue.component(VueQrcode.name, VueQrcode)
+  window.app = Vue.createApp({
-
-  new Vue({
     el: '#vue',
     data: function () {
       return {

transport_rpcs.py

@@ -0,0 +1,225 @@
+"""
+Nostr-transport RPC handlers for the withdraw (LNURL-withdraw) extension.
+
+Names mirror the Lightning.Pub `withdraw.*` contract that the lamassu-next
+ATM consumes (see ~/dev/shocknet/lamassu-next/packages/lightning/src/client.ts
+lines ~301–351). That keeps the lamassu-next-side adapter a pure name
+translation — no semantic reshaping.
+
+Auth model (set in `__init__.py:withdraw_start`):
+- create / get / update / delete  → AUTH_WALLET; the calling pubkey must
+  own the wallet the link is scoped to. *_get / *_update / *_delete also
+  verify the link's stored `wallet` matches the caller's wallet id.
+
+`resolve_withdraw_owner` is registered with the core subscription module
+under tag `"withdraw"` and extras-key `"withdrawal_link_id"` (matching
+where the extension stamps the link id on settlement — see
+`views_lnurl.py:144`). That lets `subscribe_payments({tag:"withdraw",
+link_id:...})` enforce ownership without core importing this module.
+"""
+
+from __future__ import annotations
+
+from lnbits.core.crud.wallets import get_wallets
+from lnbits.core.models import Account
+from lnbits.core.models.wallets import WalletTypeInfo
+from lnbits.core.services.nostr_transport.models import NostrRpcRequest
+from shortuuid import uuid
+
+from .crud import (
+    create_withdraw_link,
+    delete_withdraw_link,
+    get_withdraw_link,
+    get_withdraw_links,
+    update_withdraw_link,
+)
+from .helpers import create_lnurl_from_baseurl
+from .models import CreateWithdrawData, WithdrawLink
+
+
+async def handle_lnurlw_create_link(
+    auth: WalletTypeInfo, request: NostrRpcRequest
+) -> dict:
+    body = request.body or {}
+    data = CreateWithdrawData(**body)
+    link = await create_withdraw_link(data, auth.wallet.id)
+    return _to_dict(_populate_lnurl(link))
+
+
+async def handle_lnurlw_get_link(
+    auth: WalletTypeInfo, request: NostrRpcRequest
+) -> dict:
+    link_id = _require_id(request)
+    link = await _require_owned_link(link_id, auth.wallet.id)
+    return _to_dict(_populate_lnurl(link))
+
+
+async def handle_lnurlw_update_link(
+    auth: WalletTypeInfo, request: NostrRpcRequest
+) -> dict:
+    link_id = _require_id(request)
+    link = await _require_owned_link(link_id, auth.wallet.id)
+    body = request.body or {}
+    _MUTABLE = {
+        "title",
+        "min_withdrawable",
+        "max_withdrawable",
+        "uses",
+        "wait_time",
+        "is_unique",
+        "webhook_url",
+        "webhook_headers",
+        "webhook_body",
+        "custom_url",
+        "enabled",
+    }
+    for k, v in body.items():
+        if k in _MUTABLE:
+            setattr(link, k, v)
+    updated = await update_withdraw_link(link)
+    return _to_dict(_populate_lnurl(updated))
+
+
+async def handle_lnurlw_delete_link(
+    auth: WalletTypeInfo, request: NostrRpcRequest
+) -> dict:
+    link_id = _require_id(request)
+    await _require_owned_link(link_id, auth.wallet.id)
+    await delete_withdraw_link(link_id)
+    return {"ok": True}
+
+
+async def handle_lnurlw_list_links(auth: Account, request: NostrRpcRequest) -> dict:
+    """List withdraw links across all wallets owned by the calling account.
+    Useful for ATMs to re-discover their links after a reconnect.
+
+    Body fields:
+      - limit: int (0 means no limit; default 0)
+      - offset: int (default 0)
+    If `request.wallet_id` is set and is one of the caller's wallets,
+    narrow to just that wallet.
+    """
+    body = request.body or {}
+    limit = int(body.get("limit") or 0)
+    offset = int(body.get("offset") or 0)
+
+    wallets = await get_wallets(auth.id)
+    wallet_ids = [w.id for w in wallets]
+    if not wallet_ids:
+        return {"data": [], "total": 0}
+    if request.wallet_id and request.wallet_id in wallet_ids:
+        wallet_ids = [request.wallet_id]
+
+    page = await get_withdraw_links(wallet_ids, limit, offset)
+    return {
+        "data": [_to_dict(_populate_lnurl(link)) for link in page.data],
+        "total": page.total,
+    }
+
+
+async def handle_lnurlw_unique_hashes(
+    auth: WalletTypeInfo, request: NostrRpcRequest
+) -> dict:
+    """
+    For a `is_unique=True` link, return the per-use `id_unique_hash`
+    values that the ATM uses to generate distinct QR codes — one per
+    unredeemed slot. Mirrors the formula in `helpers.py:create_lnurl`
+    exactly so an ATM never has to re-implement the derivation:
+
+        id_unique_hash = shortuuid.uuid(name=link.id + link.unique_hash + index)
+
+    `link.usescsv` is the canonical list of *unredeemed* slot indexes;
+    after a customer claims a slot it gets removed there (see
+    `crud.remove_unique_withdraw_link`). The hashes returned here are
+    therefore exactly the ones still claimable.
+
+    Response:
+      {
+        "link_id": str,
+        "unique_hash": str,            # base hash
+        "is_unique": bool,
+        "unredeemed_hashes": [         # one entry per remaining slot
+          {"index": str, "id_unique_hash": str}, ...
+        ]
+      }
+
+    For `is_unique=False` links the list is empty and `unique_hash`
+    alone identifies the callback path
+    (`/withdraw/api/v1/lnurl/<unique_hash>`). For `is_unique=True`
+    each callback path is
+    `/withdraw/api/v1/lnurl/<unique_hash>/<id_unique_hash>`.
+    """
+    link_id = _require_id(request)
+    link = await _require_owned_link(link_id, auth.wallet.id)
+
+    unredeemed = []
+    if link.is_unique:
+        # usescsv is comma-separated; split and skip empties (after the
+        # last slot is consumed it becomes the empty string).
+        for index_str in [s for s in link.usescsv.split(",") if s.strip()]:
+            tohash = link.id + link.unique_hash + index_str
+            unredeemed.append(
+                {
+                    "index": index_str.strip(),
+                    "id_unique_hash": uuid(name=tohash),
+                }
+            )
+
+    return {
+        "link_id": link.id,
+        "unique_hash": link.unique_hash,
+        "is_unique": link.is_unique,
+        "unredeemed_hashes": unredeemed,
+    }
+
+
+async def resolve_withdraw_owner(link_id: str) -> str | None:
+    """For the core subscription module: link_id -> wallet_id (or None)."""
+    link = await get_withdraw_link(link_id)
+    return link.wallet if link else None
+
+
+# ---------------------------------------------------------------------------
+# helpers
+# ---------------------------------------------------------------------------
+
+
+def _require_id(request: NostrRpcRequest) -> str:
+    body = request.body or {}
+    link_id = body.get("id")
+    if not link_id:
+        raise ValueError("withdraw: body.id is required")
+    return str(link_id)
+
+
+async def _require_owned_link(link_id: str, wallet_id: str):
+    link = await get_withdraw_link(link_id)
+    if link is None:
+        raise ValueError(f"withdraw: link not found: {link_id}")
+    if link.wallet != wallet_id:
+        raise PermissionError("withdraw: link does not belong to caller's wallet")
+    return link
+
+
+def _populate_lnurl(link: WithdrawLink) -> WithdrawLink:
+    """
+    Compose `lnurl` / `lnurl_url` from `settings.lnbits_baseurl` so
+    nostr-transport responses match the HTTP `views_api` shape, where
+    these fields are populated from `request.url_for(...)`. Without
+    this, consumers (ATMs, etc.) would have to re-derive the callback
+    URL themselves from a separately-provisioned LNbits HTTPS URL —
+    duplicating state LNbits already knows. See aiolabs/withdraw#1.
+    """
+    try:
+        encoded = create_lnurl_from_baseurl(link)
+        link.lnurl = str(encoded.bech32)
+        link.lnurl_url = str(encoded.url)
+    except ValueError:
+        pass
+    return link
+
+
+def _to_dict(link) -> dict:
+    import json
+
+    return json.loads(link.json())

views.py

@@ -1,7 +1,6 @@
+import io
 from http import HTTPStatus
-from io import BytesIO
 
-import pyqrcode
 from fastapi import APIRouter, Depends, HTTPException, Request
 from fastapi.responses import HTMLResponse, StreamingResponse
 from lnbits.core.models import User
@@ -9,6 +8,7 @@ from lnbits.decorators import check_user_exists
 from lnbits.helpers import template_renderer
 
 from .crud import chunks, get_withdraw_link
+from .helpers import create_lnurl
 
 withdraw_ext_generic = APIRouter()
 
@@ -20,7 +20,7 @@ def withdraw_renderer():
 @withdraw_ext_generic.get("/", response_class=HTMLResponse)
 async def index(request: Request, user: User = Depends(check_user_exists)):
     return withdraw_renderer().TemplateResponse(
-        "withdraw/index.html", {"request": request, "user": user.dict()}
+        "withdraw/index.html", {"request": request, "user": user.json()}
     )
 
 
@@ -32,39 +32,22 @@ async def display(request: Request, link_id):
         raise HTTPException(
             status_code=HTTPStatus.NOT_FOUND, detail="Withdraw link does not exist."
         )
+
+    try:
+        lnurl = create_lnurl(link, request)
+    except ValueError as exc:
+        raise HTTPException(
+            status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
+            detail=str(exc),
+        ) from exc
+
     return withdraw_renderer().TemplateResponse(
         "withdraw/display.html",
         {
             "request": request,
-            "link": link.dict(),
+            "spent": link.is_spent,
-            "lnurl": link.lnurl(req=request),
+            "lnurl_url": str(lnurl.url),
-            "unique": True,
+            "enabled": link.enabled,
-        },
-    )
-
-
-@withdraw_ext_generic.get("/img/{link_id}", response_class=StreamingResponse)
-async def img(request: Request, link_id):
-    link = await get_withdraw_link(link_id, 0)
-    if not link:
-        raise HTTPException(
-            status_code=HTTPStatus.NOT_FOUND, detail="Withdraw link does not exist."
-        )
-    qr = pyqrcode.create(link.lnurl(request))
-    stream = BytesIO()
-    qr.svg(stream, scale=3)
-    stream.seek(0)
-
-    async def _generator(stream: BytesIO):
-        yield stream.getvalue()
-
-    return StreamingResponse(
-        _generator(stream),
-        headers={
-            "Content-Type": "image/svg+xml",
-            "Cache-Control": "no-cache, no-store, must-revalidate",
-            "Pragma": "no-cache",
-            "Expires": "0",
         },
     )
 
@@ -76,14 +59,11 @@ async def print_qr(request: Request, link_id):
         raise HTTPException(
             status_code=HTTPStatus.NOT_FOUND, detail="Withdraw link does not exist."
         )
-        # response.status_code = HTTPStatus.NOT_FOUND
-        # return "Withdraw link does not exist."
 
     if link.uses == 0:
-
         return withdraw_renderer().TemplateResponse(
             "withdraw/print_qr.html",
-            {"request": request, "link": link.dict(), "unique": False},
+            {"request": request, "link": link.json(), "unique": False},
         )
     links = []
     count = 0
@@ -94,7 +74,14 @@ async def print_qr(request: Request, link_id):
             raise HTTPException(
                 status_code=HTTPStatus.NOT_FOUND, detail="Withdraw link does not exist."
             )
-        links.append(str(linkk.lnurl(request)))
+        try:
+            lnurl = create_lnurl(linkk, request)
+        except ValueError as exc:
+            raise HTTPException(
+                status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
+                detail=str(exc),
+            ) from exc
+        links.append(str(lnurl.bech32))
         count = count + 1
     page_link = list(chunks(links, 2))
     linked = list(chunks(page_link, 5))
@@ -123,29 +110,37 @@ async def csv(request: Request, link_id):
         raise HTTPException(
             status_code=HTTPStatus.NOT_FOUND, detail="Withdraw link does not exist."
         )
-        # response.status_code = HTTPStatus.NOT_FOUND
-        # return "Withdraw link does not exist."
 
     if link.uses == 0:
-
+        raise HTTPException(
-        return withdraw_renderer().TemplateResponse(
+            status_code=HTTPStatus.BAD_REQUEST, detail="Withdraw is spent."
-            "withdraw/csv.html",
-            {"request": request, "link": link.dict(), "unique": False},
         )
-    links = []
-    count = 0
 
+    buffer = io.StringIO()
+    count = 0
     for _ in link.usescsv.split(","):
         linkk = await get_withdraw_link(link_id, count)
         if not linkk:
             raise HTTPException(
                 status_code=HTTPStatus.NOT_FOUND, detail="Withdraw link does not exist."
             )
-        links.append(str(linkk.lnurl(request)))
+        try:
-        count = count + 1
+            lnurl = create_lnurl(linkk, request)
-    page_link = list(chunks(links, 2))
+        except ValueError as exc:
-    linked = list(chunks(page_link, 5))
+            raise HTTPException(
+                status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
+                detail=str(exc),
+            ) from exc
+        buffer.write(f"{lnurl.bech32!s}\n")
+        count += 1
 
-    return withdraw_renderer().TemplateResponse(
+    # Move buffer cursor to the beginning
-        "withdraw/csv.html", {"request": request, "link": linked, "unique": True}
+    buffer.seek(0)
+
+    return StreamingResponse(
+        buffer,
+        media_type="text/csv",
+        headers={
+            "Content-Disposition": f"attachment; filename=withdraw-links-{link_id}.csv"
+        },
     )

views_api.py

@@ -1,11 +1,10 @@
 import json
 from http import HTTPStatus
-from typing import Optional
 
 from fastapi import APIRouter, Depends, HTTPException, Query, Request
 from lnbits.core.crud import get_user
-from lnbits.decorators import WalletTypeInfo, get_key_type, require_admin_key
+from lnbits.core.models import SimpleStatus, WalletTypeInfo
-from lnurl.exceptions import InvalidUrl as LnurlInvalidUrl
+from lnbits.decorators import require_admin_key, require_invoice_key
 
 from .crud import (
     create_withdraw_link,
@@ -15,46 +14,48 @@ from .crud import (
     get_withdraw_links,
     update_withdraw_link,
 )
-from .models import CreateWithdrawData
+from .helpers import create_lnurl
+from .models import CreateWithdrawData, HashCheck, PaginatedWithdraws, WithdrawLink
 
 withdraw_ext_api = APIRouter(prefix="/api/v1")
 
 
 @withdraw_ext_api.get("/links", status_code=HTTPStatus.OK)
 async def api_links(
-    req: Request,
+    request: Request,
-    wallet: WalletTypeInfo = Depends(get_key_type),
+    key_info: WalletTypeInfo = Depends(require_invoice_key),
     all_wallets: bool = Query(False),
     offset: int = Query(0),
     limit: int = Query(0),
-):
+) -> PaginatedWithdraws:
-    wallet_ids = [wallet.wallet.id]
+    wallet_ids = [key_info.wallet.id]
 
     if all_wallets:
-        user = await get_user(wallet.wallet.user)
+        user = await get_user(key_info.wallet.user)
         wallet_ids = user.wallet_ids if user else []
 
-    try:
+    links = await get_withdraw_links(wallet_ids, limit, offset)
-        links, total = await get_withdraw_links(wallet_ids, limit, offset)
-        return {
-            "data": [{**link.dict(), **{"lnurl": link.lnurl(req)}} for link in links],
-            "total": total,
-        }
 
-    except LnurlInvalidUrl as exc:
+    for linkk in links.data:
-        raise HTTPException(
+        try:
-            status_code=HTTPStatus.UPGRADE_REQUIRED,
+            lnurl = create_lnurl(linkk, request)
-            detail="""
+        except ValueError as exc:
-                LNURLs need to be delivered over a publically
+            raise HTTPException(
-                accessible `https` domain or Tor.
+                status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
-            """,
+                detail=str(exc),
-        ) from exc
+            ) from exc
+        linkk.lnurl = str(lnurl.bech32)
+        linkk.lnurl_url = str(lnurl.url)
+
+    return links
 
 
 @withdraw_ext_api.get("/links/{link_id}", status_code=HTTPStatus.OK)
 async def api_link_retrieve(
-    link_id: str, request: Request, wallet: WalletTypeInfo = Depends(get_key_type)
+    request: Request,
-):
+    link_id: str,
+    key_info: WalletTypeInfo = Depends(require_invoice_key),
+) -> WithdrawLink:
     link = await get_withdraw_link(link_id, 0)
 
     if not link:
@@ -62,21 +63,31 @@ async def api_link_retrieve(
             detail="Withdraw link does not exist.", status_code=HTTPStatus.NOT_FOUND
         )
 
-    if link.wallet != wallet.wallet.id:
+    if link.wallet != key_info.wallet.id:
         raise HTTPException(
             detail="Not your withdraw link.", status_code=HTTPStatus.FORBIDDEN
         )
-    return {**link.dict(), **{"lnurl": link.lnurl(request)}}
+
+    try:
+        lnurl = create_lnurl(link, request)
+    except ValueError as exc:
+        raise HTTPException(
+            status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
+            detail=str(exc),
+        ) from exc
+    link.lnurl = str(lnurl.bech32)
+    link.lnurl_url = str(lnurl.url)
+    return link
 
 
 @withdraw_ext_api.post("/links", status_code=HTTPStatus.CREATED)
-@withdraw_ext_api.put("/links/{link_id}", status_code=HTTPStatus.OK)
+@withdraw_ext_api.put("/links/{link_id}")
 async def api_link_create_or_update(
-    req: Request,
+    request: Request,
     data: CreateWithdrawData,
-    link_id: Optional[str] = None,
+    link_id: str | None = None,
-    wallet: WalletTypeInfo = Depends(require_admin_key),
+    key_info: WalletTypeInfo = Depends(require_admin_key),
-):
+) -> WithdrawLink:
     if data.uses > 250:
         raise HTTPException(detail="250 uses max.", status_code=HTTPStatus.BAD_REQUEST)
 
@@ -115,12 +126,11 @@ async def api_link_create_or_update(
             raise HTTPException(
                 detail="Withdraw link does not exist.", status_code=HTTPStatus.NOT_FOUND
             )
-        if link.wallet != wallet.wallet.id:
+        if link.wallet != key_info.wallet.id:
             raise HTTPException(
                 detail="Not your withdraw link.", status_code=HTTPStatus.FORBIDDEN
             )
 
-        data_dict = data.dict()
         if link.uses > data.uses:
             if data.uses - link.used <= 0:
                 raise HTTPException(
@@ -128,33 +138,45 @@ async def api_link_create_or_update(
                     status_code=HTTPStatus.BAD_REQUEST,
                 )
             numbers = link.usescsv.split(",")
-            usescsv = ",".join(numbers[: data.uses - link.used])
+            link.usescsv = ",".join(numbers[: data.uses - link.used])
-            data_dict["usescsv"] = usescsv
 
         if link.uses < data.uses:
             numbers = link.usescsv.split(",")
-
             if numbers[-1] == "":
                 current_number = int(link.uses)
                 numbers[-1] = str(link.uses)
             else:
                 current_number = int(numbers[-1])
-
             while len(numbers) < (data.uses - link.used):
                 current_number += 1
                 numbers.append(str(current_number))
-            usescsv = ",".join(numbers)
+            link.usescsv = ",".join(numbers)
-            data_dict["usescsv"] = usescsv
 
-        link = await update_withdraw_link(link_id, **data_dict)
+        for k, v in data.dict().items():
+            if v is not None:
+                setattr(link, k, v)
+
+        link = await update_withdraw_link(link)
     else:
-        link = await create_withdraw_link(wallet_id=wallet.wallet.id, data=data)
+        link = await create_withdraw_link(wallet_id=key_info.wallet.id, data=data)
-    assert link
+    try:
-    return {**link.dict(), **{"lnurl": link.lnurl(req)}}
+        lnurl = create_lnurl(link, request)
+    except ValueError as exc:
+        raise HTTPException(
+            status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
+            detail=str(exc),
+        ) from exc
+
+    link.lnurl = str(lnurl.bech32)
+    link.lnurl_url = str(lnurl.url)
+
+    return link
 
 
-@withdraw_ext_api.delete("/links/{link_id}", status_code=HTTPStatus.OK)
+@withdraw_ext_api.delete("/links/{link_id}")
-async def api_link_delete(link_id, wallet: WalletTypeInfo = Depends(require_admin_key)):
+async def api_link_delete(
+    link_id: str, key_info: WalletTypeInfo = Depends(require_admin_key)
+) -> SimpleStatus:
     link = await get_withdraw_link(link_id)
 
     if not link:
@@ -162,20 +184,20 @@ async def api_link_delete(link_id, wallet: WalletTypeInfo = Depends(require_admi
             detail="Withdraw link does not exist.", status_code=HTTPStatus.NOT_FOUND
         )
 
-    if link.wallet != wallet.wallet.id:
+    if link.wallet != key_info.wallet.id:
         raise HTTPException(
             detail="Not your withdraw link.", status_code=HTTPStatus.FORBIDDEN
         )
 
     await delete_withdraw_link(link_id)
-    return {"success": True}
+    return SimpleStatus(success=True, message="Withdraw link deleted.")
 
 
 @withdraw_ext_api.get(
     "/links/{the_hash}/{lnurl_id}",
     status_code=HTTPStatus.OK,
-    dependencies=[Depends(get_key_type)],
+    dependencies=[Depends(require_invoice_key)],
 )
-async def api_hash_retrieve(the_hash, lnurl_id):
+async def api_hash_retrieve(the_hash, lnurl_id) -> HashCheck:
     hash_check = await get_hash_check(the_hash, lnurl_id)
     return hash_check

views_lnurl.py

@@ -1,17 +1,23 @@
 import json
 from datetime import datetime
-from http import HTTPStatus
-from typing import Callable, Optional
-from urllib.parse import urlparse
 
 import httpx
 import shortuuid
-from fastapi import APIRouter, HTTPException, Request, Response
+from bolt11 import decode as decode_bolt11
+from fastapi import APIRouter, Request
 from fastapi.responses import JSONResponse
-from fastapi.routing import APIRoute
+from lnbits.core.crud import update_payment
-from lnbits.core.crud import update_payment_extra
+from lnbits.core.models import Payment
 from lnbits.core.services import pay_invoice
+from lnurl import (
+    CallbackUrl,
+    LnurlErrorResponse,
+    LnurlSuccessResponse,
+    LnurlWithdrawResponse,
+    MilliSatoshi,
+)
 from loguru import logger
+from pydantic import parse_obj_as
 
 from .crud import (
     create_hash_check,
@@ -22,28 +28,7 @@ from .crud import (
 )
 from .models import WithdrawLink
 
-
-class LNURLErrorResponseHandler(APIRoute):
-    def get_route_handler(self) -> Callable:
-        original_route_handler = super().get_route_handler()
-
-        async def custom_route_handler(request: Request) -> Response:
-            try:
-                response = await original_route_handler(request)
-                return response
-            except HTTPException as exc:
-                logger.debug(f"HTTPException: {exc}")
-                response = JSONResponse(
-                    status_code=200,
-                    content={"status": "ERROR", "reason": f"{exc.detail}"},
-                )
-                return response
-
-        return custom_route_handler
-
-
 withdraw_ext_lnurl = APIRouter(prefix="/api/v1/lnurl")
-withdraw_ext_lnurl.route_class = LNURLErrorResponseHandler
 
 
 @withdraw_ext_lnurl.get(
@@ -51,45 +36,35 @@ withdraw_ext_lnurl.route_class = LNURLErrorResponseHandler
     response_class=JSONResponse,
     name="withdraw.api_lnurl_response",
 )
-async def api_lnurl_response(request: Request, unique_hash: str):
+async def api_lnurl_response(
+    request: Request, unique_hash: str
+) -> LnurlWithdrawResponse | LnurlErrorResponse:
     link = await get_withdraw_link_by_hash(unique_hash)
 
     if not link:
-        raise HTTPException(
+        return LnurlErrorResponse(reason="Withdraw link does not exist.")
-            status_code=HTTPStatus.NOT_FOUND, detail="Withdraw link does not exist."
+
-        )
+    if not link.enabled:
+        return LnurlErrorResponse(reason="Withdraw link is disabled.")
 
     if link.is_spent:
-        raise HTTPException(
+        return LnurlErrorResponse(reason="Withdraw is spent.")
-            status_code=HTTPStatus.NOT_FOUND, detail="Withdraw is spent."
-        )
 
     if link.is_unique:
-        raise HTTPException(
+        return LnurlErrorResponse(reason="This link requires an id_unique_hash.")
-            status_code=HTTPStatus.NOT_FOUND,
-            detail="This link requires an id_unique_hash.",
-        )
 
     url = str(
         request.url_for("withdraw.api_lnurl_callback", unique_hash=link.unique_hash)
     )
 
-    # Check if url is .onion and change to http
+    callback_url = parse_obj_as(CallbackUrl, url)
-    if urlparse(url).netloc.endswith(".onion"):
+    return LnurlWithdrawResponse(
-        # change url string scheme to http
+        callback=callback_url,
-        url = url.replace("https://", "http://")
+        k1=link.k1,
-
+        minWithdrawable=MilliSatoshi(link.min_withdrawable * 1000),
-    return {
+        maxWithdrawable=MilliSatoshi(link.max_withdrawable * 1000),
-        "tag": "withdrawRequest",
+        defaultDescription=link.title,
-        "callback": url,
+    )
-        "k1": link.k1,
-        "minWithdrawable": link.min_withdrawable * 1000,
-        "maxWithdrawable": link.max_withdrawable * 1000,
-        "defaultDescription": link.title,
-        "webhook_url": link.webhook_url,
-        "webhook_headers": link.webhook_headers,
-        "webhook_body": link.webhook_body,
-    }
 
 
 @withdraw_ext_lnurl.get(
@@ -113,60 +88,69 @@ async def api_lnurl_callback(
     unique_hash: str,
     k1: str,
     pr: str,
-    id_unique_hash: Optional[str] = None,
+    id_unique_hash: str | None = None,
-):
+) -> LnurlErrorResponse | LnurlSuccessResponse:
-
     link = await get_withdraw_link_by_hash(unique_hash)
     if not link:
-        raise HTTPException(
+        return LnurlErrorResponse(reason="withdraw link not found.")
-            status_code=HTTPStatus.NOT_FOUND, detail="withdraw not found."
+
-        )
+    if not link.enabled:
+        return LnurlErrorResponse(reason="Withdraw link is disabled.")
+
+    bolt11 = decode_bolt11(pr)
+    if not bolt11.amount_msat:
+        return LnurlErrorResponse(reason="0 amount invoices are not supported.")
+
+    if (
+        link.min_withdrawable * 1000 > bolt11.amount_msat
+        or bolt11.amount_msat > link.max_withdrawable * 1000
+    ):
+        return LnurlErrorResponse(reason="Amount not within limits.")
 
     if link.is_spent:
-        raise HTTPException(
+        return LnurlErrorResponse(reason="withdraw is spent.")
-            status_code=HTTPStatus.METHOD_NOT_ALLOWED, detail="withdraw is spent."
-        )
 
     if link.k1 != k1:
-        raise HTTPException(status_code=HTTPStatus.BAD_REQUEST, detail="k1 is wrong.")
+        return LnurlErrorResponse(reason="k1 is wrong.")
 
     now = int(datetime.now().timestamp())
 
-    if now < link.open_time:
+    if now < link.open_time + link.wait_time:
-        raise HTTPException(
+        return LnurlErrorResponse(
-            status_code=HTTPStatus.BAD_REQUEST,
+            reason=f"Wait {link.open_time + link.wait_time - now} seconds."
-            detail=f"wait link open_time {link.open_time - now} seconds.",
         )
 
     if not id_unique_hash and link.is_unique:
-        raise HTTPException(
+        return LnurlErrorResponse(reason="id_unique_hash is required for this link.")
-            status_code=HTTPStatus.BAD_REQUEST,
-            detail="id_unique_hash is required for this link.",
-        )
 
     if id_unique_hash:
         if check_unique_link(link, id_unique_hash):
             await remove_unique_withdraw_link(link, id_unique_hash)
         else:
-            raise HTTPException(
+            return LnurlErrorResponse(reason="id_unique_hash not found.")
-                status_code=HTTPStatus.NOT_FOUND, detail="withdraw not found."
-            )
 
     # Create a record with the id_unique_hash or unique_hash, if it already exists,
     # raise an exception thus preventing the same LNURL from being processed twice.
     try:
         await create_hash_check(id_unique_hash or unique_hash, k1)
-    except Exception as exc:
+    except Exception:
-        raise HTTPException(
+        return LnurlErrorResponse(reason="LNURL already being processed.")
-            status_code=HTTPStatus.BAD_REQUEST, detail="LNURL already being processed."
-        ) from exc
 
     try:
-        payment_hash = await pay_invoice(
+        payment = await pay_invoice(
             wallet_id=link.wallet,
             payment_request=pr,
             max_sat=link.max_withdrawable,
-            extra={"tag": "withdraw", "withdrawal_link_id": link.id},
+            # Merge the link's caller-supplied `extra` onto the payout so an
+            # external listener can key on it (e.g. bitSpire cash-in
+            # settlements via spirekeeper). The withdraw extension's own
+            # `tag`/`withdrawal_link_id` are written last so a caller cannot
+            # clobber them.
+            extra={
+                **(link.extra or {}),
+                "tag": "withdraw",
+                "withdrawal_link_id": link.id,
+            },
         )
         await increment_withdraw_link(link)
         # If the payment succeeds, delete the record with the unique_hash.
@@ -175,14 +159,12 @@ async def api_lnurl_callback(
         await delete_hash_check(id_unique_hash or unique_hash)
 
         if link.webhook_url:
-            await dispatch_webhook(link, payment_hash, pr)
+            await dispatch_webhook(link, payment, pr)
-        return {"status": "OK"}
+        return LnurlSuccessResponse()
     except Exception as exc:
         # If payment fails, delete the hash stored so another attempt can be made.
         await delete_hash_check(id_unique_hash or unique_hash)
-        raise HTTPException(
+        return LnurlErrorResponse(reason=f"withdraw not working. {exc!s}")
-            status_code=HTTPStatus.BAD_REQUEST, detail=f"withdraw not working. {exc!s}"
-        ) from exc
 
 
 def check_unique_link(link: WithdrawLink, unique_hash: str) -> bool:
@@ -193,14 +175,14 @@ def check_unique_link(link: WithdrawLink, unique_hash: str) -> bool:
 
 
 async def dispatch_webhook(
-    link: WithdrawLink, payment_hash: str, payment_request: str
+    link: WithdrawLink, payment: Payment, payment_request: str
 ) -> None:
     async with httpx.AsyncClient() as client:
         try:
             r: httpx.Response = await client.post(
                 link.webhook_url,
                 json={
-                    "payment_hash": payment_hash,
+                    "payment_hash": payment.payment_hash,
                     "payment_request": payment_request,
                     "lnurlw": link.id,
                     "body": json.loads(link.webhook_body) if link.webhook_body else "",
@@ -210,24 +192,17 @@ async def dispatch_webhook(
                 ),
                 timeout=40,
             )
-            await update_payment_extra(
+            payment.extra["wh_success"] = r.is_success
-                payment_hash=payment_hash,
+            payment.extra["wh_message"] = r.reason_phrase
-                extra={
+            payment.extra["wh_response"] = r.text
-                    "wh_success": r.is_success,
+            await update_payment(payment)
-                    "wh_message": r.reason_phrase,
-                    "wh_response": r.text,
-                },
-                outgoing=True,
-            )
         except Exception as exc:
             # webhook fails shouldn't cause the lnurlw to fail
             # since invoice is already paid
             logger.error(f"Caught exception when dispatching webhook url: {exc!s}")
-            await update_payment_extra(
+            payment.extra["wh_success"] = False
-                payment_hash=payment_hash,
+            payment.extra["wh_message"] = str(exc)
-                extra={"wh_success": False, "wh_message": str(exc)},
+            await update_payment(payment)
-                outgoing=True,
-            )
 
 
 # FOR LNURLs WHICH ARE UNIQUE
@@ -238,38 +213,28 @@ async def dispatch_webhook(
 )
 async def api_lnurl_multi_response(
     request: Request, unique_hash: str, id_unique_hash: str
-):
+) -> LnurlWithdrawResponse | LnurlErrorResponse:
     link = await get_withdraw_link_by_hash(unique_hash)
 
     if not link:
-        raise HTTPException(
+        return LnurlErrorResponse(reason="Withdraw link does not exist.")
-            status_code=HTTPStatus.NOT_FOUND, detail="LNURL-withdraw not found."
+
-        )
+    if not link.enabled:
+        return LnurlErrorResponse(reason="Withdraw link is disabled.")
 
     if link.is_spent:
-        raise HTTPException(
+        return LnurlErrorResponse(reason="Withdraw is spent.")
-            status_code=HTTPStatus.NOT_FOUND, detail="Withdraw is spent."
-        )
 
     if not check_unique_link(link, id_unique_hash):
-        raise HTTPException(
+        return LnurlErrorResponse(reason="id_unique_hash not found for this link.")
-            status_code=HTTPStatus.NOT_FOUND, detail="LNURL-withdraw not found."
-        )
 
-    url = str(
+    url = request.url_for("withdraw.api_lnurl_callback", unique_hash=link.unique_hash)
-        request.url_for("withdraw.api_lnurl_callback", unique_hash=link.unique_hash)
+
+    callback_url = parse_obj_as(CallbackUrl, f"{url!s}?id_unique_hash={id_unique_hash}")
+    return LnurlWithdrawResponse(
+        callback=callback_url,
+        k1=link.k1,
+        minWithdrawable=MilliSatoshi(link.min_withdrawable * 1000),
+        maxWithdrawable=MilliSatoshi(link.max_withdrawable * 1000),
+        defaultDescription=link.title,
     )
-
-    # Check if url is .onion and change to http
-    if urlparse(url).netloc.endswith(".onion"):
-        # change url string scheme to http
-        url = url.replace("https://", "http://")
-
-    return {
-        "tag": "withdrawRequest",
-        "callback": f"{url}?id_unique_hash={id_unique_hash}",
-        "k1": link.k1,
-        "minWithdrawable": link.min_withdrawable * 1000,
-        "maxWithdrawable": link.max_withdrawable * 1000,
-        "defaultDescription": link.title,
-    }