Add warning about the tradeoff the paybutton (#3340)

* Add warning about the security tradeoff of the paybutton

* Update BTCPayServer/Views/UIStores/PayButtonEnable.cshtml

Co-authored-by: d11n <mail@dennisreimann.de>

* Move message in column

Co-authored-by: d11n <mail@dennisreimann.de>
This commit is contained in:
Nicolas Dorier
2022-01-24 20:00:42 +09:00
committed by GitHub
parent 11d6588249
commit e23ddf118e
4 changed files with 55 additions and 15 deletions


@@ -505,9 +505,21 @@ namespace BTCPayServer.Tests
s.GoToUrl(invoiceUrl); s.GoToUrl(invoiceUrl);
s.Driver.AssertNoError(); s.Driver.AssertNoError();
// Alice should be able to delete the store
s.Logout(); s.Logout();
s.LogIn(alice); s.LogIn(alice);
// Check if we can enable the payment button
s.GoToStore(StoreNavPages.PayButton);
s.Driver.FindElement(By.Id("enable-pay-button")).Click();
s.Driver.FindElement(By.Id("disable-pay-button")).Click();
s.FindAlertMessage();
Assert.False(s.Driver.FindElement(By.Id("AnyoneCanCreateInvoice")).Selected);
s.Driver.SetCheckbox(By.Id("AnyoneCanCreateInvoice"), true);
s.Driver.FindElement(By.Id("Save")).Click();
s.FindAlertMessage();
Assert.True(s.Driver.FindElement(By.Id("AnyoneCanCreateInvoice")).Selected);
// Alice should be able to delete the store
s.GoToStore(StoreNavPages.General); s.GoToStore(StoreNavPages.General);
s.Driver.FindElement(By.Id("DeleteStore")).Click(); s.Driver.FindElement(By.Id("DeleteStore")).Click();
s.Driver.WaitForElement(By.Id("ConfirmInput")).SendKeys("DELETE"); s.Driver.WaitForElement(By.Id("ConfirmInput")).SendKeys("DELETE");
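Review bot: The round trip from the `AnyoneCanCreateInvoice` checkbox back to the pay-button page is never asserted: after re-enabling via the checkbox and `Save` (L34–L37) the test goes straight to store deletion, so a regression where the checkbox no longer drives the pay-button view would still pass. Closing the loop costs two lines, `s.GoToStore(StoreNavPages.PayButton); s.Driver.FindElement(By.Id("disable-pay-button"));`, placed before the "Alice should be able to delete the store" comment. The enable click at L30 is likewise only verified implicitly, through `FindElement` on `disable-pay-button` throwing if absent, rather than by a named assertion. The enclosing test method starts and ends outside this hunk.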


@@ -992,6 +992,17 @@ namespace BTCPayServer.Controllers
return _UserManager.GetUserId(User); return _UserManager.GetUserId(User);
} }
[HttpPost("{storeId}/disable-anyone-can-pay")]
public async Task<IActionResult> DisableAnyoneCanCreateInvoice(string storeId)
{
var blob = CurrentStore.GetStoreBlob();
blob.AnyoneCanInvoice = false;
CurrentStore.SetStoreBlob(blob);
TempData[WellKnownTempData.SuccessMessage] = "Feature disabled";
await _Repo.UpdateStore(CurrentStore);
return RedirectToAction(nameof(Payment), new { storeId = storeId });
}
[Route("{storeId}/paybutton")] [Route("{storeId}/paybutton")]
public async Task<IActionResult> PayButton() public async Task<IActionResult> PayButton()
{ {
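Review bot: `DisableAnyoneCanCreateInvoice` is a state-changing POST with neither `[ValidateAntiForgeryToken]` nor a visible authorization attribute; unless the project registers a global auto-validating antiforgery filter and a controller-level `[Authorize]` policy (neither is visible in this hunk), a cross-site form post could flip `AnyoneCanInvoice` for any store the victim may modify. Adding `[ValidateAntiForgeryToken]` directly under the `[HttpPost(...)]` line is harmless even when a global filter exists and documents the intent at the action. The `storeId` route value is used only for the redirect while the mutation goes through `CurrentStore`, which presumably is bound from the same route segment by a controller filter; a one-line comment such as `// CurrentStore is resolved from {storeId} by the store filter — confirm` would spare the next reader that inference. The enclosing controller class starts and ends outside this hunk.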


@@ -127,7 +127,17 @@
<partial name="_StatusMessage" /> <partial name="_StatusMessage" />
<h2 class="mt-1 mb-4">@ViewData["Title"]</h2> <h2 class="mt-1 mb-4">@ViewData["Title"]</h2>
<div class="alert alert-warning alert-dismissible mb-5" role="alert">
<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close">
<vc:icon symbol="close" />
</button>
<p><strong>Warning:</strong> This feature should not be activated on a BTCPay Server store processing commercial transactions.</p>
<p>By activating this feature, a malicious user can trick you into thinking an order has been processed by creating a new invoice, reusing the same Order Id of another valid order but different amount or currency.</p>
<form asp-action="DisableAnyoneCanCreateInvoice" asp-route-storeId="@Context.GetRouteValue("storeId")" method="post">
<button name="command" id="disable-pay-button" type="submit" class="btn btn-danger px-4 mt-3" value="Save">Disable payment button</button>
</form>
</div>
<div id="payButtonCtrl"> <div id="payButtonCtrl">
<div class="row"> <div class="row">
<div class="col-lg-7"> <div class="col-lg-7">
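Review bot: The warning block is `alert-dismissible` with a `btn-close` button, so the only in-page reminder that anyone can create invoices on this store can be hidden with one click on a page that is, by construction, shown only while the feature is active; dropping `alert-dismissible` and the close button keeps it permanently visible, which matches how the surrounding text frames the risk. The submit button still carries `name="command"` and `value="Save"` although `DisableAnyoneCanCreateInvoice` takes no `command` parameter, so `<button id="disable-pay-button" type="submit" class="btn btn-danger px-4 mt-3">Disable payment button</button>` is sufficient. The enclosing markup starts and ends outside this hunk.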


@@ -1,20 +1,27 @@
@{ @{
ViewData.SetActivePage(StoreNavPages.PayButton, "Pay Button", Context.GetStoreData().Id); ViewData.SetActivePage(StoreNavPages.PayButton, "Pay Button", Context.GetStoreData().Id);
} }
<h2 class="mt-1 mb-4">@ViewData["Title"]</h2> <h2 class="mt-1 mb-4">@ViewData["Title"]</h2>
<div class="row"> <div class="row">
<div class="col-md-10"> <div class="col-md-10">
<p> <div class="alert alert-warning alert-dismissible mb-5" role="alert">
To start using Pay Button, you need to enable this feature explicitly. <button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close">
Once you do so, anyone could create an invoice on your store (via API, for example). <vc:icon symbol="close" />
</p> </button>
<form method="post"> <p><strong>Warning:</strong> This feature should not be activated on a BTCPay Server store processing commercial transactions.</p>
@Html.Hidden("EnableStore", true) <p>By activating this feature, a malicious user can trick you into thinking an order has been processed by creating a new invoice, reusing the same Order Id of another valid order but different amount or currency.</p>
<button name="command" type="submit" value="save" class="btn btn-primary"> </div>
Enable <p>
</button> To start using Pay Button, you need to enable this feature explicitly.
</form> Once you do so, anyone could create an invoice on your store (via API, for example).
</div> </p>
<form method="post">
@Html.Hidden("EnableStore", true)
<button name="command" id="enable-pay-button" type="submit" value="save" class="btn btn-primary">
Enable
</button>
</form>
</div>
</div> </div>
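Review bot: The two warning paragraphs are a verbatim copy of the ones added to the PayButton view, so the wording will drift the next time one of them is tuned; extracting them into a shared partial (e.g. `<partial name="_PayButtonWarning" />`, with the disable form left to the page that needs it) keeps a single source of truth for a security-relevant message. The second sentence also has a dangling modifier — "By activating this feature, a malicious user can trick you" reads as if the attacker does the activating; consider `If you activate this feature, anyone can create an invoice that reuses the Order Id of a valid order with a different amount or currency, making it look as though that order has been paid.`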