getAlby · rolznz · Dec 18, 2024 · Dec 19, 2024 · Dec 19, 2024 · Dec 23, 2024
diff --git a/api/api.go b/api/api.go
@@ -883,6 +883,8 @@ func (api *api) GetWalletCapabilities(ctx context.Context) (*WalletCapabilitiesR
 	if len(notificationTypes) > 0 {
 		scopes = append(scopes, constants.NOTIFICATIONS_SCOPE)
 	}
+	// add always-supported capabilities
+	scopes = append(scopes, constants.SUPERUSER_SCOPE)
 
 	return &WalletCapabilitiesResponse{
 		Methods:           methods,

diff --git a/apps/apps_service.go b/apps/apps_service.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"slices"
+	"strings"
 	"time"
 
 	"github.com/getAlby/hub/constants"
@@ -44,6 +45,14 @@ func (svc *appsService) CreateApp(name string, pubkey string, maxAmountSat uint6
 		return nil, "", errors.New("isolated app cannot have sign_message scope")
 	}
 
+	if budgetRenewal == "" {
+		budgetRenewal = constants.BUDGET_RENEWAL_NEVER
+	}
+
+	if !slices.Contains(constants.GetBudgetRenewals(), budgetRenewal) {
+		return nil, "", fmt.Errorf("invalid budget renewal. Must be one of %s", strings.Join(constants.GetBudgetRenewals(), ","))
+	}
+
 	var pairingPublicKey string
 	var pairingSecretKey string
 	if pubkey == "" {

diff --git a/constants/constants.go b/constants/constants.go
@@ -19,6 +19,16 @@ const (
 	BUDGET_RENEWAL_NEVER   = "never"
 )
 
+func GetBudgetRenewals() []string {
+	return []string{
+		BUDGET_RENEWAL_DAILY,
+		BUDGET_RENEWAL_WEEKLY,
+		BUDGET_RENEWAL_MONTHLY,
+		BUDGET_RENEWAL_YEARLY,
+		BUDGET_RENEWAL_NEVER,
+	}
+}
+
 const (
 	PAY_INVOICE_SCOPE       = "pay_invoice" // also covers pay_keysend and multi_* payment methods
 	GET_BALANCE_SCOPE       = "get_balance"
@@ -28,6 +38,7 @@ const (
 	LIST_TRANSACTIONS_SCOPE = "list_transactions"
 	SIGN_MESSAGE_SCOPE      = "sign_message"
 	NOTIFICATIONS_SCOPE     = "notifications" // covers all notification types
+	SUPERUSER_SCOPE         = "superuser"
 )
 
 // limit encoded metadata length, otherwise relays may have trouble listing multiple transactions

diff --git a/frontend/src/components/Permissions.tsx b/frontend/src/components/Permissions.tsx
@@ -1,4 +1,4 @@
-import { BrickWall, PlusCircle } from "lucide-react";
+import { AlertTriangleIcon, BrickWall, PlusCircle } from "lucide-react";
 import React from "react";
 import BudgetAmountSelect from "src/components/BudgetAmountSelect";
 import BudgetRenewalSelect from "src/components/BudgetRenewalSelect";
@@ -132,6 +132,20 @@ const Permissions: React.FC<PermissionsProps> = ({
         </>
       )}
 
+      {permissions.scopes.includes("superuser") && (
+        <>
+          <div className="flex items-center gap-2 mb-2">
+            <AlertTriangleIcon className="w-4 h-4" />
+            <p className="text-sm font-medium">Superuser Access</p>
+          </div>
+
+          <p className="mb-4">
+            This app can create other app connections. Please make sure you
+            trust this app.
+          </p>
+        </>
+      )}
+
       {!permissions.isolated && permissions.scopes.includes("pay_invoice") && (
         <>
           {!readOnly && !budgetReadOnly ? (

diff --git a/frontend/src/components/Scopes.tsx b/frontend/src/components/Scopes.tsx
@@ -52,7 +52,7 @@ const Scopes: React.FC<ScopesProps> = ({
   onScopesChanged,
 }) => {
   const fullAccessScopes: Scope[] = React.useMemo(() => {
-    return [...capabilities.scopes];
+    return capabilities.scopes.filter((scope) => scope !== "superuser");
   }, [capabilities.scopes]);
 
   const readOnlyScopes: Scope[] = React.useMemo(() => {
@@ -87,10 +87,17 @@ const Scopes: React.FC<ScopesProps> = ({
   }, [capabilities.scopes]);
 
   const [scopeGroup, setScopeGroup] = React.useState<ScopeGroup>(() => {
-    if (isolated && scopes.length === capabilities.scopes.length) {
+    if (
+      isolated &&
+      scopes.length === fullAccessScopes.length &&
+      scopes.every((scope) => fullAccessScopes.includes(scope))
+    ) {
       return "isolated";
     }
-    if (scopes.length === capabilities.scopes.length) {
+    if (
+      scopes.length === fullAccessScopes.length &&
+      scopes.every((scope) => fullAccessScopes.includes(scope))
+    ) {
       return "full_access";
     }
     if (

diff --git a/frontend/src/types.ts b/frontend/src/types.ts
@@ -1,6 +1,7 @@
 import {
   Bell,
   CirclePlus,
+  Crown,
   HandCoins,
   Info,
   LucideIcon,
@@ -47,7 +48,8 @@ export type Scope =
   | "lookup_invoice"
   | "list_transactions"
   | "sign_message"
-  | "notifications"; // covers all notification types
+  | "notifications" // covers all notification types
+  | "superuser";
 
 export type Nip47NotificationType = "payment_received" | "payment_sent";
 
@@ -64,6 +66,7 @@ export const scopeIconMap: ScopeIconMap = {
   pay_invoice: HandCoins,
   sign_message: PenLine,
   notifications: Bell,
+  superuser: Crown,
 };
 
 export type WalletCapabilities = {
@@ -89,6 +92,7 @@ export const scopeDescriptions: Record<Scope, string> = {
   pay_invoice: "Send payments",
   sign_message: "Sign messages",
   notifications: "Receive wallet notifications",
+  superuser: "Create other app connections",
 };
 
 export const expiryOptions: Record<string, number> = {

diff --git a/nip47/controllers/create_connection_controller.go b/nip47/controllers/create_connection_controller.go
@@ -0,0 +1,107 @@
+package controllers
+
+import (
+	"context"
+	"slices"
+	"time"
+
+	"github.com/getAlby/hub/constants"
+	"github.com/getAlby/hub/logger"
+	"github.com/getAlby/hub/nip47/models"
+	"github.com/getAlby/hub/nip47/permissions"
+	"github.com/nbd-wtf/go-nostr"
+	"github.com/sirupsen/logrus"
+)
+
+type createConnectionBudgetParams struct {
+	Budget        uint64 `json:"budget"`
+	RenewalPeriod string `json:"renewal_period"`
+}
+
+type createConnectionParams struct {
+	Pubkey    string                       `json:"pubkey"` // pubkey of the app connection
+	Name      string                       `json:"name"`
+	Methods   []string                     `json:"methods"`
+	Budget    createConnectionBudgetParams `json:"budget"`
+	ExpiresAt *uint64                      `json:"expires_at"` // unix timestamp
+	Isolated  bool                         `json:"isolated"`
+	Metadata  map[string]interface{}       `json:"metadata,omitempty"`
+}
+
+type createConnectionResponse struct {
+	// pubkey is given, user requesting already knows relay.
+	WalletPubkey string `json:"wallet_pubkey"`
+}
+
+func (controller *nip47Controller) HandleCreateConnectionEvent(ctx context.Context, nip47Request *models.Request, requestEventId uint, publishResponse publishFunc) {
+	params := &createConnectionParams{}
+	resp := decodeRequest(nip47Request, params)
+	if resp != nil {
+		publishResponse(resp, nostr.Tags{})
+		return
+	}
+
+	logger.Logger.WithFields(logrus.Fields{
+		"request_event_id": requestEventId,
+		"params":           params,
+	}).Info("creating app")
+
+	var expiresAt *time.Time
+	if params.ExpiresAt != nil {
+		expiresAtUnsigned := *params.ExpiresAt
+		expiresAtValue := time.Unix(int64(expiresAtUnsigned), 0)
+		expiresAt = &expiresAtValue
+	}
+
+	// TODO: verify the LNClient supports the methods
+	supportedMethods := controller.lnClient.GetSupportedNIP47Methods()
+	if slices.ContainsFunc(params.Methods, func(method string) bool {
+		return !slices.Contains(supportedMethods, method)
+	}) {
+		publishResponse(&models.Response{
+			ResultType: nip47Request.Method,
+			Error: &models.Error{
+				Code:    constants.ERROR_INTERNAL,
+				Message: "One or more methods are not supported by the current LNClient",
+			},
+		}, nostr.Tags{})
+		return
+	}
+	scopes, err := permissions.RequestMethodsToScopes(params.Methods)
+
+	// ensure there is at least one scope
+	if len(scopes) == 0 {
+		publishResponse(&models.Response{
+			ResultType: nip47Request.Method,
+			Error: &models.Error{
+				Code:    constants.ERROR_INTERNAL,
+				Message: "No methods provided",
+			},
+		}, nostr.Tags{})
+		return
+	}
+
+	app, _, err := controller.appsService.CreateApp(params.Name, params.Pubkey, params.Budget.Budget, params.Budget.RenewalPeriod, expiresAt, scopes, params.Isolated, params.Metadata)
+	if err != nil {
+		logger.Logger.WithFields(logrus.Fields{
+			"request_event_id": requestEventId,
+		}).WithError(err).Error("Failed to create app")
+		publishResponse(&models.Response{
+			ResultType: nip47Request.Method,
+			Error: &models.Error{
+				Code:    constants.ERROR_INTERNAL,
+				Message: err.Error(),
+			},
+		}, nostr.Tags{})
+		return
+	}
+
+	responsePayload := createConnectionResponse{
+		WalletPubkey: *app.WalletPubkey,
+	}
+
+	publishResponse(&models.Response{
+		ResultType: nip47Request.Method,
+		Result:     responsePayload,
+	}, nostr.Tags{})
+}