Asynchronous Bolt12Invoice payment

[jkczyz]

Users such as Fedimint would like to examine a Bolt12Invoice before paying it. Add a UserConfig option for deferring payment of those invoices when received. When set, a new Event::InvoiceReceived is generated instead and payment can be made using ChannelManager::send_payment_for_bolt12_invoice.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 76.27119% with 28 lines in your changes missing coverage. Please review.

Project coverage is 90.02%. Comparing base (a666401) to head (97c1d65).
Report is 24 commits behind head on main.

Files	Patch %	Lines
lightning/src/events/mod.rs	0.00%	18 Missing ⚠️
lightning/src/ln/channelmanager.rs	80.00%	5 Missing ⚠️
lightning/src/offers/invoice.rs	0.00%	4 Missing ⚠️
lightning/src/ln/offers_tests.rs	98.57%	1 Missing ⚠️

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3078      +/-   ##
==========================================
+ Coverage   89.82%   90.02%   +0.20%     
==========================================
  Files         119      121       +2     
  Lines       97987   100303    +2316     
  Branches    97987   100303    +2316     
==========================================
+ Hits        88014    90297    +2283     
- Misses       7397     7427      +30     
- Partials     2576     2579       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[TheBlueMatt]

LGTM (modulo failing fuzz test), but remind me again why they want to examine invoices for outbound payments?

[jkczyz]

LGTM (modulo failing fuzz test), but remind me again why they want to examine invoices for outbound payments?

Sorry for the delay. Wanted to double check with them on the specifics. The gateway's lightning node requests the invoice on the users behalf. The user doesn't trust the gateway so needs to confirm that the amount is expected and that it is paying the right entity (i.e., the containing offer is expected and thus the invoice has the right signature).

[TheBlueMatt]

Right, thanks, I guess the user needs to actually transfer the ecash to the gateway (conditional on the payment preimage) but they want to validate the payment_hash/amount pair in the invoice first.

[tnull]

@jkczyz I think this needs a (assumingly minor) rebase.

[jkczyz]

Rebased

[TheBlueMatt]

Should we mention how long the user has to pay the invoice before it'll time out and they'll have to start again (and is that gonna be an issue for fedi)?

[TheBlueMatt]

Wait, don't we expire the payment based on StaleExpiration too? As if we'd never received the invoice.

[jkczyz]

Oh, right. I forgot that that's checked at time of payment.

[jkczyz]

Ended up reverting those changes and re-writing the send_payment_for_bolt12_invoice accordingly.

[TheBlueMatt]

Did you forget to push this?

[jkczyz]

Seems to be there: f2721af

[TheBlueMatt]

Oh I interpreted "re-writing the send_payment_for_bolt12_invoice accordingly" comment as you changed it so we don't time out, rather than rewriting the docs.

[jkczyz]

Hmmm...send_payment_for_bolt12_invoice docs were changed to clarify when a Bolt12PaymentError::UnexpectedInvoice can occur, including the timeout scenarios. StaleExpiration is not explicitly mentioned because it is pub(crate). I did remove the invoice-level expiration part since that's really a detail surfaced by Event::PaymentFailed, which is linked in the send_payment_for_bolt12_invoice docs.

[TheBlueMatt]

Right, I just read the comment without looking at the code, I had expected a behavior change based on the comment, rather than doc changes. But doc changes are fine too :)

[tnull]

LGTM, just a few questions and nits.

[tnull]

I'm probably missing something, but isn't path_id a TLV field in the encrypted_data_tlv stream? Are we positive it will always fit in 32 bytes?

[jkczyz]

This is the path_id from the BlindedPath that we created for receiving the message. So, currently yes though we never set it. It's only in the Responder for logging purposes, which given the previous sentence means it's not very useful at the moment. 😛

Though that is a good point considering we are likely going to change it to a Vec and start using it as part of #3085. I'm wondering how useful logging it really is unless we also log it when creating the blinded path, too.

[tnull]

Right, I was wondering if it indeed is variable-length whether we should switch the type now before we actually start to serialize objects? I guess the field is TLV anyways and from a brief look it even might work out, but not entirely sure if WithoutLength is byte identical with the [u8; 32] serialization?

[jkczyz]

@TheBlueMatt Any thoughts on where we should go with this?

[TheBlueMatt]

If we don't set it maybe we drop it from our logging (even if we intend to set it later)? Its not really clear to me what users have useful to do with a path_id?

[TheBlueMatt]

(If we want to do that we can do that in a followup PR as long as it comes before the next release, I imagine)

[jkczyz]

It's useful for correlating an onion message to the blinded path it was sent over -- but only if the path_id of the latter is actually logged, too -- and with any response to that onion message. But seeing that data encoded in the path_id will be given to the handler in #3085, then any logging responsibility could be moved to the handler instead, if desired, and use handler-specific concepts rather than opaque bytes.

I'm not sure where that leaves Responder. It would just a wrapper around BlindedPath with methods for converting to a ResponseInstruction. Those methods could be moved to BlindedPath, but that would add an onion_message module dependency to blinded_path, which doesn't feel right. Maybe the wrapper is fine to keep?

[TheBlueMatt]

then any logging responsibility could be moved to the handler instead, if desired, and use handler-specific concepts rather than opaque bytes.

Right, as a user I really want this info to come to me in the form of an offer_id or a payment_id. path_id is yet another token I have to correlate with something I know.

I'm not sure where that leaves Responder. It would just a wrapper around BlindedPath with methods for converting to a ResponseInstruction. Those methods could be moved to BlindedPath, but that would add an onion_message module dependency to blinded_path, which doesn't feel right. Maybe the wrapper is fine to keep?

I'd say its fine to keep the wrapper, its a separate concept. What it has internally doesn't matter too much.

[tnull]

nit: Could tick true/false here.

[jkczyz]

Done in a separate commit throughout this file along with other literal values. Also noticed that some of the doc formatting wasn't carrying over to the rustdocs without adding some newlines.

[TheBlueMatt]

Looks like CI is very sad :(

[TheBlueMatt]

This is relatively fast, won't this be an issue for fedi where we need to do another network round-trip (maybe to a mobile device) to provide the invoice?

[jkczyz]

Timer ticks for ChannelManager should be one minute. And this may actually be up to two timer ticks as implemented. So really at least one full timer tick.

rust-lightning/lightning/src/ln/outbound_payment.rs

Lines 1596 to 1608 in b8cdde8

	let is_stale = match expiration {
	StaleExpiration::AbsoluteTimeout(absolute_expiry) => {
	*absolute_expiry <= duration_since_epoch
	},
	StaleExpiration::TimerTicks(timer_ticks_remaining) => {
	if *timer_ticks_remaining > 0 {
	*timer_ticks_remaining -= 1;
	false
	} else {
	true
	}
	},
	};

[TheBlueMatt]

Yea, I guess that seemed kinda fast to me, but maybe its fine.

[TheBlueMatt]

LGTM

[jkczyz]

Went ahead and squashed the fixups.

[TheBlueMatt]

We can deal with the path_id question in a followup, as long as its in the same release.

[TheBlueMatt]

We should add a TLV stream here to read from for new values...eventually. I havent spent a lot of CPU time on the current fuzzer so not any reason to do it now, but we should do it for future changes.