Open chill117 opened 2 years ago
Hi! Thanks for the report. This is a bit strange, we require url to be HTTPS and fail if they are HTTP.
A few questions to clarify
- Did you download Muun from the Play Store?
- Is the URL Tor? We don't support Tor right now.
- Can you share the URL with us for testing? If this is sensitive, you can reach out to me directly via champo at muun dot com.
LNURL1DP68GURN8GHJ7VTPXSCZ6D3K95URZTF38Q6Z6VF49EJH2TNWVAEX76EWD9HJ7AFLVC75242JYE5KG0TEFCM5YA63FDRHGARRY5E5GFNW85URZV3SXSMNGWPHYECXG0FXWPHR6VPWXYCZVURC85CZUVFSYEEN6VEKV3JRQD3KVGER2ENXVYMNZENZXCCXVVFEXUCXYV3EXUCRSVEJX5CNVWTYVG6RSVMXVYERGD3SXY6NWDESXF3XXVTXX43NYE33XF3JVAPAWU3ZGWQM
https://1a40-66-81-184-15.eu.ngrok.io/u?f=EUR&id=yN7BwQKGttc%3D&n=812047487&pd=&pn=0.10&px=0.10&s=36dd066b25ffa71fb60f1970b29708325169db483fa2460157702bc1f5c2f12c&t=w
The problem could be related to how old the Android OS is on the phone that I used for testing - Android 6.0.
I have done some additional testing, this time with Muun installed on an iPhone. The whole flow worked as expected. So it looks like it's just an issue with Muun on Android.
Hello and thank you for putting your energy and time toward creating a user-friendly Bitcoin Lightning wallet. I have heard good things about the app but I hadn't used it or tested it much until recently.
During my recent testing, I may have discovered an issue with Muun's handling of LNURL withdraw QR codes. Muun is able to read the QR code, it successfully decodes the LNURL-encoded URL, but it fails just before attempting the HTTPS request. I see in my server logs that no request was received - not by the local web server or the ngrok proxy. Muun shows the following error message:
When I change the URL to HTTP it works. But it is also necessary to change the "callback" property of the initial LNURL withdraw response object to HTTP - otherwise Muun fails at the second step.
The LNURL spec says that only HTTPS URLs should be allowed, unless it is a Tor onion URL:
See LUD-01
The reasoning to disallow HTTP is to prevent a malicious MITM from stealing funds that are available to anyone who has the LNURL withdraw URL. It's ok to allow HTTP for Tor onion URLs because Tor clients do their own encryption.
Muun version 49.10
Thanks again for your work on Muun! Please let me know if you need any more info from me.
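As an added illustration of the rule discussed in this issue (not Muun's code and not the reporter's lnurl library), the following Node.js snippet decodes an LNURL bech32 string and applies the LUD-01 transport check to both the decoded URL and the `callback` of the withdrawRequest response: HTTPS is required, and plain HTTP is accepted only for a `.onion` host. The function and variable names are the example's own.

```javascript
// Added example (not Muun's or the reporter's code): decode an LNURL bech32 string and
// apply the LUD-01 transport rule: HTTPS required, plain HTTP only for Tor .onion hosts.
const CHARSET = 'qpzry9x8gf2tvdw0s3jn54khce6mua7l';
const GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];
const polymod = (values) => values.reduce((chk, v) => { // BIP-173 checksum; 1 == valid
  const top = chk >>> 25;
  chk = ((chk & 0x1ffffff) << 5) ^ v;
  return GEN.reduce((c, g, i) => ((top >>> i) & 1 ? c ^ g : c), chk);
}, 1) >>> 0;
const hrpExpand = (hrp) => [...hrp].map((c) => c.charCodeAt(0) >> 5)
  .concat([0], [...hrp].map((c) => c.charCodeAt(0) & 31));
function convertBits(data, from, to, pad) { // regroup between 8-bit bytes and 5-bit words
  let acc = 0, bits = 0; const out = [], maxv = (1 << to) - 1;
  for (const v of data) {
    acc = ((acc << from) | v) >>> 0; bits += from;
    while (bits >= to) { bits -= to; out.push((acc >>> bits) & maxv); }
  }
  if (pad) { if (bits > 0) out.push((acc << (to - bits)) & maxv); }
  else if (bits >= from || ((acc << (to - bits)) & maxv)) throw new Error('bad padding');
  return out;
}
function bech32Decode(str) { // LUD-01 drops the usual 90-character bech32 length limit
  if (str !== str.toLowerCase() && str !== str.toUpperCase()) throw new Error('mixed case');
  const s = str.toLowerCase(), pos = s.lastIndexOf('1');
  const data = [...s.slice(pos + 1)].map((c) => CHARSET.indexOf(c));
  if (pos < 1 || data.length < 6 || data.includes(-1)) throw new Error('malformed');
  const hrp = s.slice(0, pos);
  if (polymod(hrpExpand(hrp).concat(data)) !== 1) throw new Error('bad checksum');
  return { hrp, data: data.slice(0, -6) };
}
function bech32Encode(hrp, data) {
  const mod = polymod(hrpExpand(hrp).concat(data, [0, 0, 0, 0, 0, 0])) ^ 1;
  const chk = [0, 1, 2, 3, 4, 5].map((i) => (mod >>> (5 * (5 - i))) & 31);
  return hrp + '1' + data.concat(chk).map((d) => CHARSET[d]).join('');
}
const lnurlEncode = (url) =>
  bech32Encode('lnurl', convertBits([...Buffer.from(url, 'utf8')], 8, 5, true)).toUpperCase();
function lnurlDecode(lnurl) {
  const { hrp, data } = bech32Decode(lnurl);
  if (hrp !== 'lnurl') throw new Error('not an lnurl');
  return Buffer.from(convertBits(data, 5, 8, false)).toString('utf8');
}
// LUD-01 transport rule: a withdraw URL is a bearer secret, so an MITM on plain HTTP
// could redeem it; Tor hidden services are exempt because Tor encrypts end to end.
function isAllowedLnurlTransport(urlString) {
  let u; try { u = new URL(urlString); } catch { return false; }
  return u.protocol === 'https:' || (u.protocol === 'http:' && u.hostname.endsWith('.onion'));
}
const checkWithdrawResponse = (resp) => resp.tag === 'withdrawRequest'
  && isAllowedLnurlTransport(resp.callback); // the second-step callback gets the same rule
```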