Add LNURL-auth support

benthecarman · benthecarman · commit 343d570f213b · 2026-02-27T15:09:46.000-06:00
Implements LNURL-auth (LUD-04) specification for secure, privacy-preserving
authentication with Lightning services using domain-specific key derivation.

I used LUD-05 for deriving the keys to mimic what we do for VSS auth.
diff --git a/Cargo.toml b/Cargo.toml
@@ -56,7 +56,7 @@ bdk_esplora = { version = "0.22.0", default-features = false, features = ["async
 bdk_electrum = { version = "0.23.0", default-features = false, features = ["use-rustls-ring"]}
 bdk_wallet = { version = "2.3.0", default-features = false, features = ["std", "keys-bip39"]}
 
-bitreq = { version = "0.3", default-features = false, features = ["async-https"] }
+bitreq = { version = "0.3", default-features = false, features = ["async-https", "json-using-serde"] }
 rustls = { version = "0.23", default-features = false }
 rusqlite = { version = "0.31.0", features = ["bundled"] }
 bitcoin = "0.32.7"
diff --git a/bindings/ldk_node.udl b/bindings/ldk_node.udl
@@ -166,6 +166,8 @@ interface Node {
 	UnifiedPayment unified_payment();
 	LSPS1Liquidity lsps1_liquidity();
 	[Throws=NodeError]
+	void lnurl_auth(string lnurl);
+	[Throws=NodeError]
 	void connect(PublicKey node_id, SocketAddress address, boolean persist);
 	[Throws=NodeError]
 	void disconnect(PublicKey node_id);
@@ -364,6 +366,9 @@ enum NodeError {
 	"InvalidBlindedPaths",
 	"AsyncPaymentServicesDisabled",
 	"HrnParsingFailed",
+	"LnurlAuthFailed",
+	"LnurlAuthTimeout",
+	"InvalidLnurl",
 };
 
 dictionary NodeStatus {
diff --git a/src/builder.rs b/src/builder.rs
@@ -68,6 +68,7 @@ use crate::io::{
 use crate::liquidity::{
 	LSPS1ClientConfig, LSPS2ClientConfig, LSPS2ServiceConfig, LiquiditySourceBuilder,
 };
+use crate::lnurl_auth::LnurlAuth;
 use crate::logger::{log_error, LdkLogger, LogLevel, LogWriter, Logger};
 use crate::message_handler::NodeCustomMessageHandler;
 use crate::payment::asynchronous::om_mailbox::OnionMessageMailbox;
@@ -1765,6 +1766,8 @@ fn build_with_store_internal(
 		None
 	};
 
+	let lnurl_auth = Arc::new(LnurlAuth::new(xprv, Arc::clone(&logger)));
+
 	let (stop_sender, _) = tokio::sync::watch::channel(());
 	let (background_processor_stop_sender, _) = tokio::sync::watch::channel(());
 	let is_running = Arc::new(RwLock::new(false));
@@ -1810,6 +1813,7 @@ fn build_with_store_internal(
 		scorer,
 		peer_store,
 		payment_store,
+		lnurl_auth,
 		is_running,
 		node_metrics,
 		om_mailbox,
diff --git a/src/config.rs b/src/config.rs
@@ -107,6 +107,9 @@ pub(crate) const EXTERNAL_PATHFINDING_SCORES_SYNC_TIMEOUT_SECS: u64 = 5;
 // The timeout after which we abort a parsing/looking up an HRN resolution.
 pub(crate) const HRN_RESOLUTION_TIMEOUT_SECS: u64 = 5;
 
+// The timeout after which we abort an LNURL-auth operation.
+pub(crate) const LNURL_AUTH_TIMEOUT_SECS: u64 = 15;
+
 #[derive(Debug, Clone)]
 /// Represents the configuration of an [`Node`] instance.
 ///
diff --git a/src/error.rs b/src/error.rs
@@ -131,6 +131,12 @@ pub enum Error {
 	AsyncPaymentServicesDisabled,
 	/// Parsing a Human-Readable Name has failed.
 	HrnParsingFailed,
+	/// LNURL-auth authentication failed.
+	LnurlAuthFailed,
+	/// LNURL-auth authentication timed out.
+	LnurlAuthTimeout,
+	/// The provided lnurl is invalid.
+	InvalidLnurl,
 }
 
 impl fmt::Display for Error {
@@ -213,6 +219,9 @@ impl fmt::Display for Error {
 			Self::HrnParsingFailed => {
 				write!(f, "Failed to parse a human-readable name.")
 			},
+			Self::LnurlAuthFailed => write!(f, "LNURL-auth authentication failed."),
+			Self::LnurlAuthTimeout => write!(f, "LNURL-auth authentication timed out."),
+			Self::InvalidLnurl => write!(f, "The provided lnurl is invalid."),
 		}
 	}
 }
diff --git a/src/io/vss_store.rs b/src/io/vss_store.rs
@@ -43,6 +43,7 @@ use vss_client::util::storable_builder::{EntropySource, StorableBuilder};
 
 use crate::entropy::NodeEntropy;
 use crate::io::utils::check_namespace_key_validity;
+use crate::lnurl_auth::LNURL_AUTH_HARDENED_CHILD_INDEX;
 
 type CustomRetryPolicy = FilteredRetryPolicy<
 	JitteredRetryPolicy<
@@ -68,7 +69,6 @@ impl_writeable_tlv_based_enum!(VssSchemaVersion,
 );
 
 const VSS_HARDENED_CHILD_INDEX: u32 = 877;
-const VSS_LNURL_AUTH_HARDENED_CHILD_INDEX: u32 = 138;
 const VSS_SCHEMA_VERSION_KEY: &str = "vss_schema_version";
 
 // We set this to a small number of threads that would still allow to make some progress if one
@@ -902,7 +902,7 @@ impl VssStoreBuilder {
 		let lnurl_auth_xprv = vss_xprv
 			.derive_priv(
 				&secp_ctx,
-				&[ChildNumber::Hardened { index: VSS_LNURL_AUTH_HARDENED_CHILD_INDEX }],
+				&[ChildNumber::Hardened { index: LNURL_AUTH_HARDENED_CHILD_INDEX }],
 			)
 			.map_err(|_| VssStoreBuildError::KeyDerivationFailed)?;
 
diff --git a/src/lib.rs b/src/lib.rs
@@ -96,6 +96,7 @@ pub mod graph;
 mod hex_utils;
 pub mod io;
 pub mod liquidity;
+mod lnurl_auth;
 pub mod logger;
 mod message_handler;
 pub mod payment;
@@ -124,7 +125,8 @@ pub use builder::NodeBuilder as Builder;
 use chain::ChainSource;
 use config::{
 	default_user_config, may_announce_channel, AsyncPaymentsRole, ChannelConfig, Config,
-	NODE_ANN_BCAST_INTERVAL, PEER_RECONNECTION_INTERVAL, RGS_SYNC_INTERVAL,
+	LNURL_AUTH_TIMEOUT_SECS, NODE_ANN_BCAST_INTERVAL, PEER_RECONNECTION_INTERVAL,
+	RGS_SYNC_INTERVAL,
 };
 use connection::ConnectionManager;
 pub use error::Error as NodeError;
@@ -148,6 +150,7 @@ use lightning::util::persist::KVStoreSync;
 use lightning::util::wallet_utils::Wallet as LdkWallet;
 use lightning_background_processor::process_events_async;
 use liquidity::{LSPS1Liquidity, LiquiditySource};
+use lnurl_auth::LnurlAuth;
 use logger::{log_debug, log_error, log_info, log_trace, LdkLogger, Logger};
 use payment::asynchronous::om_mailbox::OnionMessageMailbox;
 use payment::asynchronous::static_invoice_store::StaticInvoiceStore;
@@ -220,6 +223,7 @@ pub struct Node {
 	scorer: Arc<Mutex<Scorer>>,
 	peer_store: Arc<PeerStore<Arc<Logger>>>,
 	payment_store: Arc<PaymentStore>,
+	lnurl_auth: Arc<LnurlAuth>,
 	is_running: Arc<RwLock<bool>>,
 	node_metrics: Arc<RwLock<NodeMetrics>>,
 	om_mailbox: Option<Arc<OnionMessageMailbox>>,
@@ -1005,6 +1009,26 @@ impl Node {
 		))
 	}
 
+	/// Authenticates the user via [LNURL-auth] for the given LNURL string.
+	///
+	/// [LNURL-auth]: https://github.com/lnurl/luds/blob/luds/04.md
+	pub fn lnurl_auth(&self, lnurl: String) -> Result<(), Error> {
+		let auth = Arc::clone(&self.lnurl_auth);
+		self.runtime.block_on(async move {
+			let res = tokio::time::timeout(
+				Duration::from_secs(LNURL_AUTH_TIMEOUT_SECS),
+				auth.authenticate(&lnurl),
+			)
+			.await;
+
+			match res {
+				Ok(Ok(())) => Ok(()),
+				Ok(Err(e)) => Err(e),
+				Err(_) => Err(Error::LnurlAuthTimeout),
+			}
+		})
+	}
+
 	/// Returns a liquidity handler allowing to request channels via the [bLIP-51 / LSPS1] protocol.
 	///
 	/// [bLIP-51 / LSPS1]: https://github.com/lightning/blips/blob/master/blip-0051.md
diff --git a/src/lnurl_auth.rs b/src/lnurl_auth.rs

Original file line number	Diff line number	Diff line change
`@@ -131,6 +131,12 @@ pub enum Error {`
`131`	`131`	`AsyncPaymentServicesDisabled,`
`132`	`132`	`/// Parsing a Human-Readable Name has failed.`
`133`	`133`	`HrnParsingFailed,`
	`134`	`+ /// LNURL-auth authentication failed.`
	`135`	`+ LnurlAuthFailed,`
	`136`	`+ /// LNURL-auth authentication timed out.`
	`137`	`+ LnurlAuthTimeout,`
	`138`	`+ /// The provided lnurl is invalid.`
	`139`	`+ InvalidLnurl,`
`134`	`140`	`}`
`135`	`141`
`136`	`142`	`impl fmt::Display for Error {`
`@@ -213,6 +219,9 @@ impl fmt::Display for Error {`
`213`	`219`	`Self::HrnParsingFailed => {`
`214`	`220`	`write!(f, "Failed to parse a human-readable name.")`
`215`	`221`	`},`
	`222`	`+ Self::LnurlAuthFailed => write!(f, "LNURL-auth authentication failed."),`
	`223`	`+ Self::LnurlAuthTimeout => write!(f, "LNURL-auth authentication timed out."),`
	`224`	`+ Self::InvalidLnurl => write!(f, "The provided lnurl is invalid."),`
`216`	`225`	`}`
`217`	`226`	`}`
`218`	`227`	`}`