rust-lightning icon indicating copy to clipboard operation
rust-lightning copied to clipboard
verified publisher icon lightningdevkit

Drop user-provided `payer_id` from `InvoiceRequestBuilder`

Open TheBlueMatt opened this issue 1 year ago • 8 comments

We shouldn't have supported this to begin with, and we should drop it before people start using it.

TheBlueMatt avatar Jul 22 '24 13:07 TheBlueMatt

Wouldn't this prevent anyone from using the offers module in a standalone way? They'd be required to use ExpandedKey and PaymentId, which are more ChannelManager-specific.

jkczyz avatar Jul 22 '24 13:07 jkczyz

You could use ExpandedKey and PaymentId without a ChannelManager? PaymentId still retains its meaning here - we use it to derive the per-payment metadata, which users still need to make constant per payment. Similar for ExpandedKey, even if a bit less so - its just some key material, which users still need to deal with but there's just some extra key material there that's not used.

TheBlueMatt avatar Jul 22 '24 15:07 TheBlueMatt

I understand that allowing to override payer_id is a potentially dangerous API, but wonder if we should/need to keep payer_id exposed for inbound payments, e.g., if other implementations choose to use it differently than us?

tnull avatar Jul 22 '24 17:07 tnull

Honestly we should probably kill off payer_id entirely, but mostly I think we want to very, very strongly discourage anyone from using payer_id for the purpose of identifying payers. Its really dangerous to use that way and causes social costs if people do. IMO we should remove it if only so that people who want it come ask us and we can tell them to stop breaking lightning.

TheBlueMatt avatar Jul 22 '24 17:07 TheBlueMatt

Slipping. We should still do this so users don't rely on this API, but there's no super strong reason to do it now.

TheBlueMatt avatar Aug 08 '24 20:08 TheBlueMatt

Was just looking at LNDK's usage. It no longer uses a fixed key to sign in order to fix the caching issue -- the spec was changed to cache based on payer_metadata instead of payer_id, so that should no longer be an issue anyway. However, LNDK does use derived keys from LND for signing. I'm not sure if this is a hard requirement though (cc: @orbitalturtle). Just want to raise that before going forward with this change.

See https://github.com/lndk-org/lndk/pull/133.

jkczyz avatar Aug 16 '24 21:08 jkczyz

@jkczyz Yeah I'm pretty sure it's not a hard requirement for LNDK so moving in that direction should be fine for us! So if I'm understanding right, in the future we'd want to use request_invoice_deriving_payer_id and let LDK derive the payer_id instead of using request_invoice_deriving_metadata?

orbitalturtle avatar Aug 17 '24 02:08 orbitalturtle

Yes, and doing so means you would call build_and_sign instead of build and then sign as attempting to use the latter methods will fail to compile.

jkczyz avatar Aug 17 '24 18:08 jkczyz