The client's payment handler executes blindly without requiring a verified request correlation. The recent fix successfully drops correlated notifications (where the e tag is present but invalid). However, if a notification is sent without an e tag (an uncorrelated notification), correlatedEventId is undefined. This bypasses the new check in nostr-client-transport.ts entirely, forwards it as 'unknown' to client-payments.ts, and still executes the payment handler blindly.
To Reproduce
- Send a payment_required notification to the client without an e tag.
- The notification bypasses the correlatedEventId check since correlatedEventId evaluates to undefined.
- client-payments.ts receives 'unknown' as requestEventId and pending evaluates to undefined.
- The handler still evaluates handler.canHandle(req) and executes handler.handle(req).
Expected behavior
The client must enforce correlation. If pending is undefined (or requestEventId === 'unknown'), the payment request should be immediately rejected or dropped.
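As an added illustration (not code from the project), the two shapes of the correlation gate described above, side by side; `gateVulnerable`, `gateHardened`, `eTag` and the `pending` map are assumed stand-ins for the real transport and payments code:

```typescript
// Added example, not the project's own code. Models the gate that decides
// whether a payment_required notification may reach the payment handler.
interface PaymentRequiredNotification {
  kind: 'payment_required';
  eTag?: string;          // value of the Nostr 'e' tag, absent when uncorrelated
}
interface PendingRequest { requestEventId: string; method: string; }
type Verdict = { dispatch: true; requestEventId: string }
             | { dispatch: false; reason: string };

// Vulnerable shape: only drops when an e tag is present but matches nothing.
// With no e tag, correlatedEventId is undefined, the check is skipped and the
// notification is forwarded to the payments layer as 'unknown'.
export function gateVulnerable(n: PaymentRequiredNotification,
                               pending: Map<string, PendingRequest>): Verdict {
  const correlatedEventId = n.eTag;
  if (correlatedEventId !== undefined && !pending.has(correlatedEventId)) {
    return { dispatch: false, reason: 'correlated but no matching request' };
  }
  return { dispatch: true, requestEventId: correlatedEventId ?? 'unknown' };
}

// Hardened shape: a correlation id is required, and it must name a pending
// request; anything else is dropped before any handler runs.
export function gateHardened(n: PaymentRequiredNotification,
                             pending: Map<string, PendingRequest>): Verdict {
  const correlatedEventId = n.eTag;
  if (correlatedEventId === undefined) {
    return { dispatch: false, reason: 'uncorrelated notification' };
  }
  if (!pending.has(correlatedEventId)) {
    return { dispatch: false, reason: 'no pending request for e tag' };
  }
  return { dispatch: true, requestEventId: correlatedEventId };
}

// Defence in depth on the payments side: refuse the 'unknown' sentinel and any
// id without a pending entry even if an upstream gate let it through.
export function paymentsLayerAccepts(requestEventId: string,
                                     pending: Map<string, PendingRequest>): boolean {
  return requestEventId !== 'unknown' && pending.get(requestEventId) !== undefined;
}
```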