Add warning about the tradeoff the paybutton (#3340)

* Add warning about the security tradeoff of the paybutton * Update BTCPayServer/Views/UIStores/PayButtonEnable.cshtml Co-authored-by: d11n <mail@dennisreimann.de> * Move message in column Co-authored-by: d11n <mail@dennisreimann.de>
2025-12-17 22:14:26 +01:00 · 2022-01-24 20:00:42 +09:00
parent 11d6588249
commit e23ddf118e
4 changed files with 55 additions and 15 deletions
--- a/BTCPayServer.Tests/SeleniumTests.cs
+++ b/BTCPayServer.Tests/SeleniumTests.cs
@@ -505,9 +505,21 @@ namespace BTCPayServer.Tests
            s.GoToUrl(invoiceUrl);
            s.Driver.AssertNoError();

-            // Alice should be able to delete the store
            s.Logout();
            s.LogIn(alice);
+
+            // Check if we can enable the payment button
+            s.GoToStore(StoreNavPages.PayButton);
+            s.Driver.FindElement(By.Id("enable-pay-button")).Click();
+            s.Driver.FindElement(By.Id("disable-pay-button")).Click();
+            s.FindAlertMessage();
+            Assert.False(s.Driver.FindElement(By.Id("AnyoneCanCreateInvoice")).Selected);
+            s.Driver.SetCheckbox(By.Id("AnyoneCanCreateInvoice"), true);
+            s.Driver.FindElement(By.Id("Save")).Click();
+            s.FindAlertMessage();
+            Assert.True(s.Driver.FindElement(By.Id("AnyoneCanCreateInvoice")).Selected);
+
+            // Alice should be able to delete the store
            s.GoToStore(StoreNavPages.General);
            s.Driver.FindElement(By.Id("DeleteStore")).Click();
            s.Driver.WaitForElement(By.Id("ConfirmInput")).SendKeys("DELETE");
--- a/BTCPayServer/Controllers/UIStoresController.cs
+++ b/BTCPayServer/Controllers/UIStoresController.cs
@@ -992,6 +992,17 @@ namespace BTCPayServer.Controllers
            return _UserManager.GetUserId(User);
        }

+        [HttpPost("{storeId}/disable-anyone-can-pay")]
+        public async Task<IActionResult> DisableAnyoneCanCreateInvoice(string storeId)
+        {
+            var blob = CurrentStore.GetStoreBlob();
+            blob.AnyoneCanInvoice = false;
+            CurrentStore.SetStoreBlob(blob);
+            TempData[WellKnownTempData.SuccessMessage] = "Feature disabled";
+            await _Repo.UpdateStore(CurrentStore);
+            return RedirectToAction(nameof(Payment), new { storeId = storeId });
+        }
+
        [Route("{storeId}/paybutton")]
        public async Task<IActionResult> PayButton()
        {
--- a/BTCPayServer/Views/UIStores/PayButton.cshtml
+++ b/BTCPayServer/Views/UIStores/PayButton.cshtml
@@ -127,7 +127,17 @@
 <partial name="_StatusMessage" />

 <h2 class="mt-1 mb-4">@ViewData["Title"]</h2>
+<div class="alert alert-warning alert-dismissible mb-5" role="alert">
+        <button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close">
+            <vc:icon symbol="close" />
+        </button>
+        <p><strong>Warning:</strong> This feature should not be activated on a BTCPay Server store processing commercial transactions.</p>
+        <p>By activating this feature, a malicious user can trick you into thinking an order has been processed by creating a new invoice, reusing the same Order Id of another valid order but different amount or currency.</p>

+		<form asp-action="DisableAnyoneCanCreateInvoice" asp-route-storeId="@Context.GetRouteValue("storeId")" method="post">
+			<button name="command" id="disable-pay-button" type="submit" class="btn btn-danger px-4 mt-3" value="Save">Disable payment button</button>
+		</form>
+</div>
 <div id="payButtonCtrl">
    <div class="row">
        <div class="col-lg-7">
--- a/BTCPayServer/Views/UIStores/PayButtonEnable.cshtml
+++ b/BTCPayServer/Views/UIStores/PayButtonEnable.cshtml
@@ -1,4 +1,4 @@
-@{
+@{
 	ViewData.SetActivePage(StoreNavPages.PayButton, "Pay Button", Context.GetStoreData().Id);
 }

@@ -6,13 +6,20 @@

 <div class="row">
 	<div class="col-md-10">
+		<div class="alert alert-warning alert-dismissible mb-5" role="alert">
+			<button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close">
+				<vc:icon symbol="close" />
+			</button>
+			<p><strong>Warning:</strong> This feature should not be activated on a BTCPay Server store processing commercial transactions.</p>
+			<p>By activating this feature, a malicious user can trick you into thinking an order has been processed by creating a new invoice, reusing the same Order Id of another valid order but different amount or currency.</p>
+		</div>
 		<p>
 			To start using Pay Button, you need to enable this feature explicitly.
 			Once you do so, anyone could create an invoice on your store (via API, for example).
 		</p>
 		<form method="post">
 			@Html.Hidden("EnableStore", true)
-            <button name="command" type="submit" value="save" class="btn btn-primary">
+			<button name="command" id="enable-pay-button" type="submit" value="save" class="btn btn-primary">
 				Enable
 			</button>
 		</form>