DFXswiss · davidleomay · Jun 10, 2026 · Jun 10, 2026 · Jun 11, 2026
@@ -1,3 +1,4 @@
+import { BadRequestException } from '@nestjs/common';
 import { randomBytes } from 'crypto';
 import { Agent } from 'https';
 import { Config } from 'src/config/config';
@@ -26,10 +27,12 @@ import { CoinOnly } from 'src/integration/blockchain/shared/util/blockchain-clie
 import { LightningHelper } from './lightning-helper';
 
 export class LightningClient implements CoinOnly {
-  private readonly lndAgent: Agent;
+  // LND and LNbits both serve the self-signed LND certificate (reached via
+  // private IP on PRD), so requests must be verified against this CA, not the system CAs
+  private readonly tlsAgent: Agent;
 
   constructor(private readonly http: HttpService) {
-    this.lndAgent = new Agent({ ca: Config.blockchain.lightning.certificate });
+    this.tlsAgent = new Agent({ ca: Config.blockchain.lightning.certificate });
   }
 
   // --- LND --- //
@@ -197,11 +200,15 @@ export class LightningClient implements CoinOnly {
 
   // --- LNURLp REWRITE --- //
   async getLnurlpPaymentRequest(linkId: string): Promise<LnurlPayRequestDto> {
+    this.validateLinkId(linkId);
+
     const lnBitsUrl = `${Config.blockchain.lightning.lnbits.lnurlpUrl}/${linkId}`;
     return this.http.get(lnBitsUrl, this.httpLnBitsConfig());
   }
 
   async getLnurlpInvoice(linkId: string, params: any): Promise<LnurlpInvoiceDto> {
+    this.validateLinkId(linkId);
+
     const lnBitsCallbackUrl = `${Config.blockchain.lightning.lnbits.lnurlpApiUrl}/lnurl/cb/${linkId}`;
     return this.http.get<LnurlpInvoiceDto>(lnBitsCallbackUrl, this.httpLnBitsConfig(params));
   }
@@ -215,6 +222,8 @@ export class LightningClient implements CoinOnly {
   }
 
   async getLnurlpLink(linkId: string): Promise<LnurlpLinkDto> {
+    this.validateLinkId(linkId);
+
     return this.http.get<LnurlpLinkDto>(
       `${Config.blockchain.lightning.lnbits.lnurlpApiUrl}/links/${linkId}`,
       this.httpLnBitsConfig(),
@@ -245,7 +254,7 @@ export class LightningClient implements CoinOnly {
   }
 
   async updateLnurlpLink(linkId: string, data: LnurlpLinkUpdateDto): Promise<LnurlpLinkDto> {
-    if (!linkId) throw new Error('LinkId is undefined');
+    this.validateLinkId(linkId);
 
     return this.http.put<LnurlpLinkDto>(
       `${Config.blockchain.lightning.lnbits.lnurlpApiUrl}/links/${linkId}`,
@@ -289,6 +298,8 @@ export class LightningClient implements CoinOnly {
   }
 
   async getLnurlwLink(linkId: string): Promise<LnurlwLinkDto> {
+    this.validateLinkId(linkId);
+
     return this.http.get<LnurlwLinkDto>(
       `${Config.blockchain.lightning.lnbits.lnurlwApiUrl}/links/${linkId}`,
       this.httpLnBitsConfig(),
@@ -328,11 +339,16 @@ export class LightningClient implements CoinOnly {
   // --- LNURLd --- //
 
   async getLnurlDevice(id: string, params: any): Promise<LnurlWithdrawRequestDto> {
+    this.validateLinkId(id);
+
     const url = `${this.getDeviceUrl()}/${id}`;
     return this.http.get(url, this.httpLnBitsConfig(params));
   }
 
   async getLnurlDeviceCallback(id: string, variable: string, params: any): Promise<LnurlwInvoiceDto> {
+    this.validateLinkId(id);
+    this.validateLinkId(variable);
+
     const url = `${this.getDeviceUrl()}/cb/${id}/${variable}`;
     return this.http.get(url, this.httpLnBitsConfig(params));
   }
@@ -343,15 +359,20 @@ export class LightningClient implements CoinOnly {
   }
 
   // --- HELPER METHODS --- //
+  private validateLinkId(linkId: string): void {
+    if (!/^[\w-]+$/.test(linkId)) throw new BadRequestException('Invalid link id');
+  }
+
   private httpLnBitsConfig(params?: any): HttpRequestConfig {
     return {
+      httpsAgent: this.tlsAgent,
       params: { 'api-key': Config.blockchain.lightning.lnbits.apiKey, ...params },
     };
   }
 
   private httpLndConfig(): HttpRequestConfig {
     return {
-      httpsAgent: this.lndAgent,
+      httpsAgent: this.tlsAgent,
       headers: { 'Grpc-Metadata-macaroon': Config.blockchain.lightning.lnd.adminMacaroon },
     };
   }

@@ -5,6 +5,7 @@ import { LetterService } from 'src/integration/letter/letter.service';
 import { RoleGuard } from 'src/shared/auth/role.guard';
 import { UserActiveGuard } from 'src/shared/auth/user-active.guard';
 import { UserRole } from 'src/shared/auth/user-role.enum';
+import { DepositService } from 'src/subdomains/supporting/address-pool/deposit/deposit.service';
 import { MailContext, MailType } from 'src/subdomains/supporting/notification/enums';
 import { NotificationService } from 'src/subdomains/supporting/notification/services/notification.service';
 import { AdminService } from './admin.service';
@@ -18,6 +19,7 @@ export class AdminController {
     private readonly adminService: AdminService,
     private readonly notificationService: NotificationService,
     private readonly letterService: LetterService,
+    private readonly depositService: DepositService,
   ) {}
 
   @Post('mail')
@@ -46,4 +48,12 @@ export class AdminController {
   async payout(@Body() request: PayoutRequestDto): Promise<void> {
     return this.adminService.payout(request);
   }
+
+  @Post('lightning/rotate-webhook-secrets')
+  @ApiBearerAuth()
+  @ApiExcludeEndpoint()
+  @UseGuards(AuthGuard(), RoleGuard(UserRole.ADMIN), UserActiveGuard())
+  async rotateLightningWebhookSecrets(): Promise<void> {
+    return this.depositService.updateLightningDepositWebhook();
+  }
 }
@@ -4,6 +4,7 @@ import { SharedModule } from 'src/shared/shared.module';
 import { BuyCryptoModule } from 'src/subdomains/core/buy-crypto/buy-crypto.module';
 import { ReferralModule } from 'src/subdomains/core/referral/referral.module';
 import { SellCryptoModule } from 'src/subdomains/core/sell-crypto/sell-crypto.module';
+import { AddressPoolModule } from 'src/subdomains/supporting/address-pool/address-pool.module';
 import { BankModule } from 'src/subdomains/supporting/bank/bank.module';
 import { DexModule } from 'src/subdomains/supporting/dex/dex.module';
 import { NotificationModule } from 'src/subdomains/supporting/notification/notification.module';
@@ -26,6 +27,7 @@ import { AdminService } from './admin.service';
     PayInModule,
     DexModule,
     PayoutModule,
+    AddressPoolModule,
   ],
   controllers: [AdminController],
   providers: [AdminService],

@@ -1,3 +1,4 @@
+import { BadRequestException } from '@nestjs/common';
 import { Test, TestingModule } from '@nestjs/testing';
 import { mock } from 'jest-mock-extended';
 import { HttpService } from 'src/shared/services/http.service';
@@ -134,4 +135,21 @@ describe('LnurlForward', () => {
       expect(result).toEqual({ status: 'OK' });
     });
   });
+
+  describe('Path traversal prevention', () => {
+    it.each(['api%2fv1%2flinks', 'api%252fv1%252flinks', '../foo', 'foo/bar', '..%2fwallet'])(
+      'rejects malicious lnurlp id: %s',
+      async (id) => {
+        await expect(lnurlpForward.lnUrlPForward(id, undefined)).rejects.toThrow(BadRequestException);
+      },
+    );
+
+    it.each(['api%2fv1%2flinks', '../foo', 'foo/bar'])('rejects malicious lnurlp callback id: %s', async (id) => {
+      await expect(lnurlpForward.lnUrlPCallbackForward(id, {})).rejects.toThrow(BadRequestException);
+    });
+
+    it.each(['api%2fv1%2flinks', '../foo', 'foo/bar'])('rejects malicious lnurlw id: %s', async (id) => {
+      await expect(lnurlwForward.lnUrlWForward(id)).rejects.toThrow(BadRequestException);
+    });
+  });
 });