use encrypted request for subscribe notifications

2025-12-19 23:04:22 +01:00 · 2023-11-06 15:30:38 +01:00
parent 4be6d8c6a4
commit 743e880d9c
6 changed files with 167 additions and 72 deletions
--- a/itest/lspd_node.go
+++ b/itest/lspd_node.go
@@ -3,6 +3,7 @@ package itest
 import (
 	"bufio"
 	"context"
+	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
 	"flag"
@@ -18,9 +19,11 @@ import (
 	"github.com/breez/lspd/notifications"
 	lspd "github.com/breez/lspd/rpc"
 	"github.com/btcsuite/btcd/btcec/v2"
+	"github.com/btcsuite/btcd/btcec/v2/ecdsa"
 	"github.com/decred/dcrd/dcrec/secp256k1/v4"
 	ecies "github.com/ecies/go/v2"
 	"github.com/golang/protobuf/proto"
+	"github.com/stretchr/testify/assert"
 	"google.golang.org/grpc/metadata"
 )

@@ -286,6 +289,38 @@ func RegisterPayment(l LspNode, paymentInfo *lspd.PaymentInformation, continueOn
 	return err
 }

+func SubscribeNotifications(l LspNode, b BreezClient, url string, continueOnError bool) error {
+	first := sha256.Sum256([]byte(url))
+	second := sha256.Sum256(first[:])
+	sig, err := ecdsa.SignCompact(b.Node().PrivateKey(), second[:], true)
+	assert.NoError(b.Harness().T, err)
+
+	request := notifications.SubscribeNotificationsRequest{
+		Url:       url,
+		Signature: sig,
+	}
+	serialized, err := proto.Marshal(&request)
+	lntest.CheckError(l.Harness().T, err)
+
+	encrypted, err := ecies.Encrypt(l.EciesPublicKey(), serialized)
+	lntest.CheckError(l.Harness().T, err)
+
+	ctx := metadata.AppendToOutgoingContext(l.Harness().Ctx, "authorization", "Bearer hello")
+	log.Printf("Subscribing to notifications")
+	_, err = l.NotificationsRpc().SubscribeNotifications(
+		ctx,
+		&notifications.EncryptedNotificationRequest{
+			Blob: encrypted,
+		},
+	)
+
+	if !continueOnError {
+		lntest.CheckError(l.Harness().T, err)
+	}
+
+	return err
+}
+
 type FeeParamSetting struct {
 	Validity     time.Duration
 	MinMsat      uint64
--- a/itest/notification_test.go
+++ b/itest/notification_test.go
@@ -1,7 +1,6 @@
 package itest

 import (
-	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
@@ -10,9 +9,7 @@ import (
 	"time"

 	"github.com/breez/lntest"
-	"github.com/breez/lspd/notifications"
 	lspd "github.com/breez/lspd/rpc"
-	"github.com/btcsuite/btcd/btcec/v2/ecdsa"
 	"github.com/stretchr/testify/assert"
 )

@@ -86,15 +83,7 @@ func testOfflineNotificationPaymentRegistered(p *testParams) {
 	<-time.After(htlcInterceptorDelay)

 	url := "http://" + addr + "/api/v1/notify"
-	first := sha256.Sum256([]byte(url))
-	second := sha256.Sum256(first[:])
-	sig, err := ecdsa.SignCompact(p.BreezClient().Node().PrivateKey(), second[:], true)
-	assert.NoError(p.t, err)
-
-	p.lsp.NotificationsRpc().SubscribeNotifications(p.h.Ctx, &notifications.SubscribeNotificationsRequest{
-		Url:       url,
-		Signature: sig,
-	})
+	SubscribeNotifications(p.lsp, p.BreezClient(), url, false)
 	log.Printf("Alice paying")
 	route := constructRoute(p.lsp.LightningNode(), p.BreezClient().Node(), channelId, lntest.NewShortChanIDFromString("1x0x0"), outerAmountMsat)
 	_, err = alice.PayViaRoute(outerAmountMsat, outerInvoice.paymentHash, outerInvoice.paymentSecret, route)
@@ -149,15 +138,7 @@ func testOfflineNotificationRegularForward(p *testParams) {
 	}()

 	url := "http://" + addr + "/api/v1/notify"
-	first := sha256.Sum256([]byte(url))
-	second := sha256.Sum256(first[:])
-	sig, err := ecdsa.SignCompact(p.BreezClient().Node().PrivateKey(), second[:], true)
-	assert.NoError(p.t, err)
-
-	p.lsp.NotificationsRpc().SubscribeNotifications(p.h.Ctx, &notifications.SubscribeNotificationsRequest{
-		Url:       url,
-		Signature: sig,
-	})
+	SubscribeNotifications(p.lsp, p.BreezClient(), url, false)

 	<-time.After(time.Second * 2)
 	log.Printf("Adding bob's invoice")
@@ -303,15 +284,7 @@ func testOfflineNotificationZeroConfChannel(p *testParams) {
 	}()

 	url := "http://" + addr + "/api/v1/notify"
-	first := sha256.Sum256([]byte(url))
-	second := sha256.Sum256(first[:])
-	sig, err := ecdsa.SignCompact(p.BreezClient().Node().PrivateKey(), second[:], true)
-	assert.NoError(p.t, err)
-
-	p.lsp.NotificationsRpc().SubscribeNotifications(p.h.Ctx, &notifications.SubscribeNotificationsRequest{
-		Url:       url,
-		Signature: sig,
-	})
+	SubscribeNotifications(p.lsp, p.BreezClient(), url, false)

 	log.Printf("Alice paying zero conf invoice")
 	payResp := alice.Pay(invoiceWithHint)
--- a/notifications/notifications.pb.go
+++ b/notifications/notifications.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc        v4.23.4
 // source: notifications.proto

 package notifications
@@ -20,6 +20,53 @@ const (
 	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
 )

+type EncryptedNotificationRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Blob []byte `protobuf:"bytes,1,opt,name=blob,proto3" json:"blob,omitempty"`
+}
+
+func (x *EncryptedNotificationRequest) Reset() {
+	*x = EncryptedNotificationRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_notifications_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *EncryptedNotificationRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*EncryptedNotificationRequest) ProtoMessage() {}
+
+func (x *EncryptedNotificationRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_notifications_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use EncryptedNotificationRequest.ProtoReflect.Descriptor instead.
+func (*EncryptedNotificationRequest) Descriptor() ([]byte, []int) {
+	return file_notifications_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *EncryptedNotificationRequest) GetBlob() []byte {
+	if x != nil {
+		return x.Blob
+	}
+	return nil
+}
+
 type SubscribeNotificationsRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -32,7 +79,7 @@ type SubscribeNotificationsRequest struct {
 func (x *SubscribeNotificationsRequest) Reset() {
 	*x = SubscribeNotificationsRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_notifications_proto_msgTypes[0]
+		mi := &file_notifications_proto_msgTypes[1]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -45,7 +92,7 @@ func (x *SubscribeNotificationsRequest) String() string {
 func (*SubscribeNotificationsRequest) ProtoMessage() {}

 func (x *SubscribeNotificationsRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_notifications_proto_msgTypes[0]
+	mi := &file_notifications_proto_msgTypes[1]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -58,7 +105,7 @@ func (x *SubscribeNotificationsRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use SubscribeNotificationsRequest.ProtoReflect.Descriptor instead.
 func (*SubscribeNotificationsRequest) Descriptor() ([]byte, []int) {
-	return file_notifications_proto_rawDescGZIP(), []int{0}
+	return file_notifications_proto_rawDescGZIP(), []int{1}
 }

 func (x *SubscribeNotificationsRequest) GetUrl() string {
@@ -84,7 +131,7 @@ type SubscribeNotificationsReply struct {
 func (x *SubscribeNotificationsReply) Reset() {
 	*x = SubscribeNotificationsReply{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_notifications_proto_msgTypes[1]
+		mi := &file_notifications_proto_msgTypes[2]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -97,7 +144,7 @@ func (x *SubscribeNotificationsReply) String() string {
 func (*SubscribeNotificationsReply) ProtoMessage() {}

 func (x *SubscribeNotificationsReply) ProtoReflect() protoreflect.Message {
-	mi := &file_notifications_proto_msgTypes[1]
+	mi := &file_notifications_proto_msgTypes[2]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -110,7 +157,7 @@ func (x *SubscribeNotificationsReply) ProtoReflect() protoreflect.Message {

 // Deprecated: Use SubscribeNotificationsReply.ProtoReflect.Descriptor instead.
 func (*SubscribeNotificationsReply) Descriptor() ([]byte, []int) {
-	return file_notifications_proto_rawDescGZIP(), []int{1}
+	return file_notifications_proto_rawDescGZIP(), []int{2}
 }

 var File_notifications_proto protoreflect.FileDescriptor
@@ -118,25 +165,28 @@ var File_notifications_proto protoreflect.FileDescriptor
 var file_notifications_proto_rawDesc = []byte{
 	0x0a, 0x13, 0x6e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0d, 0x6e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x73, 0x22, 0x4f, 0x0a, 0x1d, 0x53, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62,
-	0x65, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x69, 0x67, 0x6e, 0x61,
-	0x74, 0x75, 0x72, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x73, 0x69, 0x67, 0x6e,
-	0x61, 0x74, 0x75, 0x72, 0x65, 0x22, 0x1d, 0x0a, 0x1b, 0x53, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69,
-	0x62, 0x65, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52,
-	0x65, 0x70, 0x6c, 0x79, 0x32, 0x85, 0x01, 0x0a, 0x0d, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x74, 0x0a, 0x16, 0x53, 0x75, 0x62, 0x73, 0x63, 0x72,
-	0x69, 0x62, 0x65, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73,
-	0x12, 0x2c, 0x2e, 0x6e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73,
-	0x2e, 0x53, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69,
-	0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2a,
-	0x2e, 0x6e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x53,
-	0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x42, 0x25, 0x5a, 0x23,
-	0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x62, 0x72, 0x65, 0x65, 0x7a,
-	0x2f, 0x6c, 0x73, 0x70, 0x64, 0x2f, 0x6e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x69, 0x6f, 0x6e, 0x73, 0x22, 0x32, 0x0a, 0x1c, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
+	0x64, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x62, 0x6c, 0x6f, 0x62, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x0c, 0x52, 0x04, 0x62, 0x6c, 0x6f, 0x62, 0x22, 0x4f, 0x0a, 0x1d, 0x53, 0x75, 0x62, 0x73,
+	0x63, 0x72, 0x69, 0x62, 0x65, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
+	0x6e, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x6c,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x6c, 0x12, 0x1c, 0x0a, 0x09, 0x73,
+	0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09,
+	0x73, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x22, 0x1d, 0x0a, 0x1b, 0x53, 0x75, 0x62,
+	0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69,
+	0x6f, 0x6e, 0x73, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x32, 0x84, 0x01, 0x0a, 0x0d, 0x4e, 0x6f, 0x74,
+	0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x73, 0x0a, 0x16, 0x53, 0x75,
+	0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x73, 0x12, 0x2b, 0x2e, 0x6e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4e, 0x6f,
+	0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x1a, 0x2a, 0x2e, 0x6e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x73, 0x2e, 0x53, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x4e, 0x6f, 0x74, 0x69, 0x66,
+	0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x65, 0x70, 0x6c, 0x79, 0x22, 0x00, 0x42,
+	0x25, 0x5a, 0x23, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x62, 0x72,
+	0x65, 0x65, 0x7a, 0x2f, 0x6c, 0x73, 0x70, 0x64, 0x2f, 0x6e, 0x6f, 0x74, 0x69, 0x66, 0x69, 0x63,
+	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
@@ -151,14 +201,15 @@ func file_notifications_proto_rawDescGZIP() []byte {
 	return file_notifications_proto_rawDescData
 }

-var file_notifications_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_notifications_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
 var file_notifications_proto_goTypes = []interface{}{
-	(*SubscribeNotificationsRequest)(nil), // 0: notifications.SubscribeNotificationsRequest
-	(*SubscribeNotificationsReply)(nil),   // 1: notifications.SubscribeNotificationsReply
+	(*EncryptedNotificationRequest)(nil),  // 0: notifications.EncryptedNotificationRequest
+	(*SubscribeNotificationsRequest)(nil), // 1: notifications.SubscribeNotificationsRequest
+	(*SubscribeNotificationsReply)(nil),   // 2: notifications.SubscribeNotificationsReply
 }
 var file_notifications_proto_depIdxs = []int32{
-	0, // 0: notifications.Notifications.SubscribeNotifications:input_type -> notifications.SubscribeNotificationsRequest
-	1, // 1: notifications.Notifications.SubscribeNotifications:output_type -> notifications.SubscribeNotificationsReply
+	0, // 0: notifications.Notifications.SubscribeNotifications:input_type -> notifications.EncryptedNotificationRequest
+	2, // 1: notifications.Notifications.SubscribeNotifications:output_type -> notifications.SubscribeNotificationsReply
 	1, // [1:2] is the sub-list for method output_type
 	0, // [0:1] is the sub-list for method input_type
 	0, // [0:0] is the sub-list for extension type_name
@@ -173,7 +224,7 @@ func file_notifications_proto_init() {
 	}
 	if !protoimpl.UnsafeEnabled {
 		file_notifications_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*SubscribeNotificationsRequest); i {
+			switch v := v.(*EncryptedNotificationRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -185,6 +236,18 @@ func file_notifications_proto_init() {
 			}
 		}
 		file_notifications_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SubscribeNotificationsRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_notifications_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*SubscribeNotificationsReply); i {
 			case 0:
 				return &v.state
@@ -203,7 +266,7 @@ func file_notifications_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_notifications_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   2,
+			NumMessages:   3,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/notifications/notifications.proto
+++ b/notifications/notifications.proto
@@ -5,10 +5,14 @@ option go_package = "github.com/breez/lspd/notifications";
 package notifications;

 service Notifications {
-    rpc SubscribeNotifications(SubscribeNotificationsRequest)
+    rpc SubscribeNotifications(EncryptedNotificationRequest)
        returns (SubscribeNotificationsReply) {}
 }  

+message EncryptedNotificationRequest {
+    bytes blob = 1;
+}
+
 message SubscribeNotificationsRequest {
    string url = 1;
    bytes signature = 2;
--- a/notifications/notifications_grpc.pb.go
+++ b/notifications/notifications_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.2.0
-// - protoc             v3.21.12
+// - protoc             v4.23.4
 // source: notifications.proto

 package notifications
@@ -22,7 +22,7 @@ const _ = grpc.SupportPackageIsVersion7
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
 type NotificationsClient interface {
-	SubscribeNotifications(ctx context.Context, in *SubscribeNotificationsRequest, opts ...grpc.CallOption) (*SubscribeNotificationsReply, error)
+	SubscribeNotifications(ctx context.Context, in *EncryptedNotificationRequest, opts ...grpc.CallOption) (*SubscribeNotificationsReply, error)
 }

 type notificationsClient struct {
@@ -33,7 +33,7 @@ func NewNotificationsClient(cc grpc.ClientConnInterface) NotificationsClient {
 	return &notificationsClient{cc}
 }

-func (c *notificationsClient) SubscribeNotifications(ctx context.Context, in *SubscribeNotificationsRequest, opts ...grpc.CallOption) (*SubscribeNotificationsReply, error) {
+func (c *notificationsClient) SubscribeNotifications(ctx context.Context, in *EncryptedNotificationRequest, opts ...grpc.CallOption) (*SubscribeNotificationsReply, error) {
 	out := new(SubscribeNotificationsReply)
 	err := c.cc.Invoke(ctx, "/notifications.Notifications/SubscribeNotifications", in, out, opts...)
 	if err != nil {
@@ -46,7 +46,7 @@ func (c *notificationsClient) SubscribeNotifications(ctx context.Context, in *Su
 // All implementations must embed UnimplementedNotificationsServer
 // for forward compatibility
 type NotificationsServer interface {
-	SubscribeNotifications(context.Context, *SubscribeNotificationsRequest) (*SubscribeNotificationsReply, error)
+	SubscribeNotifications(context.Context, *EncryptedNotificationRequest) (*SubscribeNotificationsReply, error)
 	mustEmbedUnimplementedNotificationsServer()
 }

@@ -54,7 +54,7 @@ type NotificationsServer interface {
 type UnimplementedNotificationsServer struct {
 }

-func (UnimplementedNotificationsServer) SubscribeNotifications(context.Context, *SubscribeNotificationsRequest) (*SubscribeNotificationsReply, error) {
+func (UnimplementedNotificationsServer) SubscribeNotifications(context.Context, *EncryptedNotificationRequest) (*SubscribeNotificationsReply, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method SubscribeNotifications not implemented")
 }
 func (UnimplementedNotificationsServer) mustEmbedUnimplementedNotificationsServer() {}
@@ -71,7 +71,7 @@ func RegisterNotificationsServer(s grpc.ServiceRegistrar, srv NotificationsServe
 }

 func _Notifications_SubscribeNotifications_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(SubscribeNotificationsRequest)
+	in := new(EncryptedNotificationRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
@@ -83,7 +83,7 @@ func _Notifications_SubscribeNotifications_Handler(srv interface{}, ctx context.
 		FullMethod: "/notifications.Notifications/SubscribeNotifications",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(NotificationsServer).SubscribeNotifications(ctx, req.(*SubscribeNotificationsRequest))
+		return srv.(NotificationsServer).SubscribeNotifications(ctx, req.(*EncryptedNotificationRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
--- a/notifications/server.go
+++ b/notifications/server.go
@@ -7,7 +7,10 @@ import (
 	"fmt"
 	"log"

+	lspdrpc "github.com/breez/lspd/rpc"
 	"github.com/btcsuite/btcd/btcec/v2/ecdsa"
+	ecies "github.com/ecies/go/v2"
+	"github.com/golang/protobuf/proto"
 )

 var ErrInvalidSignature = fmt.Errorf("invalid signature")
@@ -26,8 +29,25 @@ func NewNotificationsServer(store Store) NotificationsServer {

 func (s *server) SubscribeNotifications(
 	ctx context.Context,
-	request *SubscribeNotificationsRequest,
+	in *EncryptedNotificationRequest,
 ) (*SubscribeNotificationsReply, error) {
+	node, _, err := lspdrpc.GetNode(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := ecies.Decrypt(node.EciesPrivateKey, in.Blob)
+	if err != nil {
+		return nil, fmt.Errorf("ecies.Decrypt(%x) error: %w", in.Blob, err)
+	}
+
+	var request SubscribeNotificationsRequest
+	err = proto.Unmarshal(data, &request)
+	if err != nil {
+		log.Printf("proto.Unmarshal(%x) error: %v", data, err)
+		return nil, fmt.Errorf("proto.Unmarshal(%x) error: %w", data, err)
+	}
+
 	first := sha256.Sum256([]byte(request.Url))
 	second := sha256.Sum256(first[:])
 	pubkey, wasCompressed, err := ecdsa.RecoverCompact(