From b4fce8b00b845ee74ff5cdcb50389cf8620f1976 Mon Sep 17 00:00:00 2001
From: callebtc <93376500+callebtc@users.noreply.github.com>
Date: Thu, 4 May 2023 17:20:37 +0200
Subject: [PATCH] fix internal invoice check (#1681)

* fix internal invoice check

* return error

* make format
---
 lnbits/core/services.py | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/lnbits/core/services.py b/lnbits/core/services.py
index 7bb5668d..7f754251 100644
--- a/lnbits/core/services.py
+++ b/lnbits/core/services.py
@@ -35,6 +35,7 @@ from .crud import (
     create_wallet,
     delete_wallet_payment,
     get_account,
+    get_standalone_payment,
     get_super_settings,
     get_wallet,
     get_wallet_payment,
@@ -66,7 +67,6 @@ async def create_invoice(
     internal: Optional[bool] = False,
     conn: Optional[Connection] = None,
 ) -> Tuple[str, str]:
-
     if not amount > 0:
         raise InvoiceFailure("Amountless invoices not supported.")
 
@@ -157,6 +157,18 @@ async def pay_invoice(
         # check_internal() returns the checking_id of the invoice we're waiting for (pending only)
         internal_checking_id = await check_internal(invoice.payment_hash, conn=conn)
         if internal_checking_id:
+            # perform additional checks on the internal payment
+            # the payment hash is not enough to make sure that this is the same invoice
+            internal_invoice = await get_standalone_payment(
+                internal_checking_id, incoming=True, conn=conn
+            )
+            assert internal_invoice is not None
+            if (
+                internal_invoice.amount != invoice.amount_msat
+                or internal_invoice.bolt11 != payment_request
+            ):
+                raise PaymentFailure("Invalid invoice.")
+
             logger.debug(f"creating temporary internal payment with id {internal_id}")
             # create a new payment from this wallet
             await create_payment(