Rewrite the CanUseHotWallet, check if the derivationscheme is actually a hotwallet, before retrieving the seed

BTCPayServer/Controllers/GreenField/StoreOnChainWalletsController.cs

@@ -388,7 +388,7 @@ namespace BTCPayServer.Controllers.GreenField
             var signingKeyStr = await explorerClient
                 .GetMetadataAsync<string>(derivationScheme.AccountDerivation,
                     WellknownMetadataKeys.MasterHDKey);
-            if (signingKeyStr is null)
+            if (!derivationScheme.IsHotWallet || signingKeyStr is null)
             {
                 return this.CreateAPIError("not-available",
                     $"{cryptoCode} sending services are not currently available");
@@ -403,7 +403,7 @@ namespace BTCPayServer.Controllers.GreenField
             var accountKey = signingKey.Derive(rootedKeyPath.KeyPath);
 
             var changed = psbt.PSBT.PSBTChanged(() => psbt.PSBT.SignAll(derivationScheme.AccountDerivation, accountKey,
-                rootedKeyPath, new SigningOptions() {EnforceLowR = !(signingContext?.EnforceLowR is false)}));
+                rootedKeyPath, new SigningOptions() {EnforceLowR = signingContext?.EnforceLowR is bool v ? v : psbt.Suggestions.ShouldEnforceLowR }));
 
             if (!changed)
             {
@@ -465,17 +465,6 @@ namespace BTCPayServer.Controllers.GreenField
             return await _authorizationService.CanUseHotWallet(_cssThemeManager.Policies, User);
         }
 
-        private async Task<ExtKey> GetWallet(DerivationSchemeSettings derivationScheme)
-        {
-            if (!derivationScheme.IsHotWallet)
-                return null;
-
-            var result = await _explorerClientProvider.GetExplorerClient(derivationScheme.Network.CryptoCode)
-                .GetMetadataAsync<string>(derivationScheme.AccountDerivation,
-                    WellknownMetadataKeys.MasterHDKey);
-            return string.IsNullOrEmpty(result) ? null : ExtKey.Parse(result, derivationScheme.Network.NBitcoinNetwork);
-        }
-
         private bool IsInvalidWalletRequest(string cryptoCode, out BTCPayNetwork network,
             out DerivationSchemeSettings derivationScheme, out IActionResult actionResult)
         {

BTCPayServer/Extensions/AuthorizationExtensions.cs

@@ -1,9 +1,11 @@
 using System.Security.Claims;
 using System.Threading.Tasks;
+using BTCPayServer.Abstractions.Constants;
 using BTCPayServer.Client;
 using BTCPayServer.Security.Bitpay;
 using BTCPayServer.Security.GreenField;
 using BTCPayServer.Services;
+using CsvHelper.Configuration.Attributes;
 using Microsoft.AspNetCore.Authorization;
 
 namespace BTCPayServer
@@ -15,8 +17,19 @@ namespace BTCPayServer
             PoliciesSettings policiesSettings,
             ClaimsPrincipal user)
         {
-            return (await authorizationService.AuthorizeAsync(user, Policies.CanModifyServerSettings))
+            if (!user.Identity.IsAuthenticated)
-                .Succeeded ? (true, true) : (policiesSettings?.AllowHotWalletForAll is true, policiesSettings?.AllowHotWalletRPCImportForAll is true);
+                return (false, false);
+            var claimUser = user.Identity as ClaimsIdentity;
+            if (claimUser is null)
+                return (false, false);
+
+            bool isAdmin = false;
+            if (claimUser.AuthenticationType == AuthenticationSchemes.Cookie)
+                isAdmin = user.IsInRole(Roles.ServerAdmin);
+            else if (claimUser.AuthenticationType == GreenFieldConstants.AuthenticationType)
+                isAdmin = (await authorizationService.AuthorizeAsync(user, Policies.CanModifyServerSettings)).Succeeded;
+            return isAdmin ? (true, true) : 
+                   (policiesSettings?.AllowHotWalletForAll is true, policiesSettings?.AllowHotWalletRPCImportForAll is true);
         }
     }
 }