Remove anonymous access to invoice data

BTCPayServer/Controllers/InvoiceController.API.cs

@@ -40,16 +40,18 @@ namespace BTCPayServer.Controllers
 
         [HttpGet]
         [Route("invoices/{id}")]
-        [AllowAnonymous]
+        public async Task<DataWrapper<InvoiceResponse>> GetInvoice(string id)
-        public async Task<DataWrapper<InvoiceResponse>> GetInvoice(string id, string token)
         {
-            var invoice = await _InvoiceRepository.GetInvoice(null, id);
+            var invoice = (await _InvoiceRepository.GetInvoices(new InvoiceQuery()
+            {
+                InvoiceId = id,
+                StoreId = new[] { HttpContext.GetStoreData().Id }
+            })).FirstOrDefault();
             if (invoice == null)
                 throw new BitpayHttpException(404, "Object not found");
             var resp = invoice.EntityToDTO(_NetworkProvider);
             return new DataWrapper<InvoiceResponse>(resp);
         }
-
         [HttpGet]
         [Route("invoices")]
         public async Task<DataWrapper<InvoiceResponse[]>> GetInvoices(

BTCPayServer/Controllers/InvoiceController.UI.cs

@@ -30,11 +30,13 @@ namespace BTCPayServer.Controllers
     {
         [HttpGet]
         [Route("invoices/{invoiceId}")]
+        [Authorize(AuthenticationSchemes = Policies.CookieAuthentication)]
         public async Task<IActionResult> Invoice(string invoiceId)
         {
             var invoice = (await _InvoiceRepository.GetInvoices(new InvoiceQuery()
             {
                 InvoiceId = invoiceId,
+                UserId = GetUserId(),
                 IncludeAddresses = true,
                 IncludeEvents = true
             })).FirstOrDefault();