Add warning about the tradeoff the paybutton (#3340)

* Add warning about the security tradeoff of the paybutton

* Update BTCPayServer/Views/UIStores/PayButtonEnable.cshtml

Co-authored-by: d11n <mail@dennisreimann.de>

* Move message in column

Co-authored-by: d11n <mail@dennisreimann.de>
Nicolas Dorier
2022-01-24 20:00:42 +09:00
committed by GitHub
parent 11d6588249
commit e23ddf118e
4 changed files with 55 additions and 15 deletions


@@ -505,9 +505,21 @@ namespace BTCPayServer.Tests
s.GoToUrl(invoiceUrl); s.GoToUrl(invoiceUrl);
s.Driver.AssertNoError(); s.Driver.AssertNoError();
// Alice should be able to delete the store
s.Logout(); s.Logout();
s.LogIn(alice); s.LogIn(alice);
// Check if we can enable the payment button
s.GoToStore(StoreNavPages.PayButton);
s.Driver.FindElement(By.Id("enable-pay-button")).Click();
s.Driver.FindElement(By.Id("disable-pay-button")).Click();
s.FindAlertMessage();
Assert.False(s.Driver.FindElement(By.Id("AnyoneCanCreateInvoice")).Selected);
s.Driver.SetCheckbox(By.Id("AnyoneCanCreateInvoice"), true);
s.Driver.FindElement(By.Id("Save")).Click();
s.FindAlertMessage();
Assert.True(s.Driver.FindElement(By.Id("AnyoneCanCreateInvoice")).Selected);
// Alice should be able to delete the store
s.GoToStore(StoreNavPages.General); s.GoToStore(StoreNavPages.General);
s.Driver.FindElement(By.Id("DeleteStore")).Click(); s.Driver.FindElement(By.Id("DeleteStore")).Click();
s.Driver.WaitForElement(By.Id("ConfirmInput")).SendKeys("DELETE"); s.Driver.WaitForElement(By.Id("ConfirmInput")).SendKeys("DELETE");
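Review bot: The enable click at `s.Driver.FindElement(By.Id("enable-pay-button")).Click();` is not followed by a `s.FindAlertMessage();`, unlike the disable click on the next line, so the test never asserts that enabling produced the success message and only relies on the following FindElement failing if the redirect did not happen. Adding `s.FindAlertMessage();` directly after the enable click makes that step's success explicit and synchronizes on the redirected page before the disable button is looked up. The enclosing test method starts and ends outside the hunk.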


@@ -992,6 +992,17 @@ namespace BTCPayServer.Controllers
return _UserManager.GetUserId(User); return _UserManager.GetUserId(User);
} }
[HttpPost("{storeId}/disable-anyone-can-pay")]
public async Task<IActionResult> DisableAnyoneCanCreateInvoice(string storeId)
{
var blob = CurrentStore.GetStoreBlob();
blob.AnyoneCanInvoice = false;
CurrentStore.SetStoreBlob(blob);
TempData[WellKnownTempData.SuccessMessage] = "Feature disabled";
await _Repo.UpdateStore(CurrentStore);
return RedirectToAction(nameof(Payment), new { storeId = storeId });
}
[Route("{storeId}/paybutton")] [Route("{storeId}/paybutton")]
public async Task<IActionResult> PayButton() public async Task<IActionResult> PayButton()
{ {
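Review bot: `DisableAnyoneCanCreateInvoice` is a state-changing POST, and nothing in the hunk shows an `[Authorize]` policy or antiforgery validation on it; presumably both come from attributes on the controller class, which is outside the hunk, but that is worth confirming since the endpoint flips a store-wide setting. The `storeId` parameter is only used for the redirect (the store itself comes from `CurrentStore`), and `new { storeId = storeId }` can be written `new { storeId }`. A one-line summary would also help a reader who lands here from the view: `// Turns off the "anyone can create an invoice" store setting that the Pay Button feature requires.`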


@@ -127,7 +127,17 @@
<partial name="_StatusMessage" /> <partial name="_StatusMessage" />
<h2 class="mt-1 mb-4">@ViewData["Title"]</h2> <h2 class="mt-1 mb-4">@ViewData["Title"]</h2>
<div class="alert alert-warning alert-dismissible mb-5" role="alert">
<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close">
<vc:icon symbol="close" />
</button>
<p><strong>Warning:</strong> This feature should not be activated on a BTCPay Server store processing commercial transactions.</p>
<p>By activating this feature, a malicious user can trick you into thinking an order has been processed by creating a new invoice, reusing the same Order Id of another valid order but different amount or currency.</p>
<form asp-action="DisableAnyoneCanCreateInvoice" asp-route-storeId="@Context.GetRouteValue("storeId")" method="post">
<button name="command" id="disable-pay-button" type="submit" class="btn btn-danger px-4 mt-3" value="Save">Disable payment button</button>
</form>
</div>
<div id="payButtonCtrl"> <div id="payButtonCtrl">
<div class="row"> <div class="row">
<div class="col-lg-7"> <div class="col-lg-7">
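Review bot: The only disable control on the page, the form at `<form asp-action="DisableAnyoneCanCreateInvoice" ...>`, sits inside an `alert-dismissible` alert with a `btn-close` button, so a user who dismisses the warning loses the way to turn the feature off until the page is reloaded. Either drop `alert-dismissible` and the close button from this alert or place the form directly below it. The submit button also carries `name="command" value="Save"`, which the new controller action in this commit never reads, so those two attributes can be removed. The enclosing markup continues outside the hunk.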


@@ -1,4 +1,4 @@
@{ @{
ViewData.SetActivePage(StoreNavPages.PayButton, "Pay Button", Context.GetStoreData().Id); ViewData.SetActivePage(StoreNavPages.PayButton, "Pay Button", Context.GetStoreData().Id);
} }
@@ -6,13 +6,20 @@
<div class="row"> <div class="row">
<div class="col-md-10"> <div class="col-md-10">
<div class="alert alert-warning alert-dismissible mb-5" role="alert">
<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close">
<vc:icon symbol="close" />
</button>
<p><strong>Warning:</strong> This feature should not be activated on a BTCPay Server store processing commercial transactions.</p>
<p>By activating this feature, a malicious user can trick you into thinking an order has been processed by creating a new invoice, reusing the same Order Id of another valid order but different amount or currency.</p>
</div>
<p> <p>
To start using Pay Button, you need to enable this feature explicitly. To start using Pay Button, you need to enable this feature explicitly.
Once you do so, anyone could create an invoice on your store (via API, for example). Once you do so, anyone could create an invoice on your store (via API, for example).
</p> </p>
<form method="post"> <form method="post">
@Html.Hidden("EnableStore", true) @Html.Hidden("EnableStore", true)
<button name="command" type="submit" value="save" class="btn btn-primary"> <button name="command" id="enable-pay-button" type="submit" value="save" class="btn btn-primary">
Enable Enable
</button> </button>
</form> </form>
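Review bot: The two warning paragraphs starting at `<p><strong>Warning:</strong> This feature should not be activated ...` are repeated verbatim in the PayButton.cshtml hunk of this commit, so the wording will drift the first time one copy is edited. Extracting both paragraphs into a shared partial (for example `_PayButtonWarning.cshtml`, a constructed name) rendered from both views keeps the text in one place. The enable form below the alert is otherwise unchanged apart from the new `id="enable-pay-button"`, and the enclosing layout continues outside the hunk.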