Remove anonymous access to invoice data

2025-12-17 22:14:26 +01:00 · 2018-12-06 16:58:04 +09:00
parent ab670080c7
commit 1477630c78
2 changed files with 8 additions and 4 deletions
--- a/BTCPayServer/Controllers/InvoiceController.API.cs
+++ b/BTCPayServer/Controllers/InvoiceController.API.cs
@@ -40,16 +40,18 @@ namespace BTCPayServer.Controllers

        [HttpGet]
        [Route("invoices/{id}")]
-        [AllowAnonymous]
-        public async Task<DataWrapper<InvoiceResponse>> GetInvoice(string id, string token)
+        public async Task<DataWrapper<InvoiceResponse>> GetInvoice(string id)
        {
-            var invoice = await _InvoiceRepository.GetInvoice(null, id);
+            var invoice = (await _InvoiceRepository.GetInvoices(new InvoiceQuery()
+            {
+                InvoiceId = id,
+                StoreId = new[] { HttpContext.GetStoreData().Id }
+            })).FirstOrDefault();
            if (invoice == null)
                throw new BitpayHttpException(404, "Object not found");
            var resp = invoice.EntityToDTO(_NetworkProvider);
            return new DataWrapper<InvoiceResponse>(resp);
        }
-
        [HttpGet]
        [Route("invoices")]
        public async Task<DataWrapper<InvoiceResponse[]>> GetInvoices(
--- a/BTCPayServer/Controllers/InvoiceController.UI.cs
+++ b/BTCPayServer/Controllers/InvoiceController.UI.cs
@@ -30,11 +30,13 @@ namespace BTCPayServer.Controllers
    {
        [HttpGet]
        [Route("invoices/{invoiceId}")]
+        [Authorize(AuthenticationSchemes = Policies.CookieAuthentication)]
        public async Task<IActionResult> Invoice(string invoiceId)
        {
            var invoice = (await _InvoiceRepository.GetInvoices(new InvoiceQuery()
            {
                InvoiceId = invoiceId,
+                UserId = GetUserId(),
                IncludeAddresses = true,
                IncludeEvents = true
            })).FirstOrDefault();