X cashu refund #44
X cashu refund #44
Conversation
There was a problem hiding this comment.
Bug: Authorization Parameter Overwritten
The auth parameter in the get_bearer_token_key function is immediately overwritten by re-reading the Authorization header from the request. This makes the passed auth parameter useless and can lead to incorrect behavior if the caller expects the provided value to be used.
router/proxy.py#L371-L373
Lines 371 to 373 in a287a73
Bug: Cashu Refund: Balance Conversion & API Key Deletion Errors
The x_cashu_refund function has two bugs. First, key.balance (in millisatoshis) is passed directly to WALLET.send(), which expects satoshis. This unit mismatch, inconsistent with other wallet operations, could lead to sending 1000x the intended amount. The balance should be converted using key.balance // 1000. Second, the API key is deleted and the session committed before confirming the WALLET.send() operation's success, risking permanent balance loss if the send fails.
router/cashu.py#L205-L211
Lines 205 to 211 in a287a73
Bug: Missing Argument Causes Function Error
The validate_bearer_key function is called with only three arguments when processing the X-Cashu header in the proxy function. It expects four arguments: bearer_key, session, refund_address, and key_expiry_time. The omission of key_expiry_time will result in a TypeError.
router/proxy.py#L337-L338
Lines 337 to 338 in a287a73
BugBot free trial expires on July 22, 2025
You have used $0.00 of your $50.00 spend limit so far. Manage your spend limit in the Cursor dashboard.
Was this report helpful? Give feedback by reacting with 👍 or 👎
|
maybe/not sure if it makes sense to also set the
basically always send |
No description provided.