[feat] Verify invoice amounts for currency-denominated offers

This completes the invoice handling side of currency conversion support.

When paying an invoice for a currency-denominated offer, and the
invoice request did not specify an explicit amount, we now use the
configured CurrencyConversion to derive the acceptable msat range
for the offer amount.

The invoice is considered valid only if the quoted amount falls within
that acceptable range, preventing the payer from being overcharged due
to exchange-rate differences or unexpected invoice amounts.

Author: shaavan

lightning/src/ln/channelmanager.rs

@@ -5861,6 +5861,13 @@ impl<
 	///   offer, or
 	/// - the refund corresponding to the invoice has already expired.
 	///
+	/// If the invoice corresponds to a currency-denominated offer and the invoice request did not
+	/// specify an explicit amount, the invoice amount is checked against the maximum amount payable
+	/// using the configured currency conversion. [`Bolt12PaymentError::UnverifiableAmount`] is
+	/// returned if the invoice amount could not be verified against the converted offer amount, and
+	/// [`Bolt12PaymentError::ExcessiveAmount`] is returned if the invoice quotes more than the
+	/// maximum amount we are willing to pay for the offer.
+	///
 	/// To retry the payment, request another invoice using a new `payment_id`.
 	///
 	/// Attempting to pay the same invoice twice while the first payment is still pending will
@@ -5873,9 +5880,16 @@ impl<
 	pub fn send_payment_for_bolt12_invoice(
 		&self, invoice: &Bolt12Invoice, context: Option<&OffersContext>,
 	) -> Result<(), Bolt12PaymentError> {
-		match self.flow.verify_bolt12_invoice(invoice, context) {
+		match self.flow.verify_bolt12_invoice(invoice, &self.currency_conversion, context) {
 			Ok(payment_id) => self.send_payment_for_verified_bolt12_invoice(invoice, payment_id),
-			Err(()) => Err(Bolt12PaymentError::UnexpectedInvoice),
+			Err(Bolt12SemanticError::UnexpectedAmount) => {
+				Err(Bolt12PaymentError::UnexpectedInvoice)
+			},
+			Err(Bolt12SemanticError::UnsupportedCurrency)
+			| Err(Bolt12SemanticError::MissingAmount)
+			| Err(Bolt12SemanticError::InvalidAmount) => Err(Bolt12PaymentError::UnverifiableAmount),
+			Err(Bolt12SemanticError::ExcessiveAmount) => Err(Bolt12PaymentError::ExcessiveAmount),
+			_ => Err(Bolt12PaymentError::UnexpectedInvoice),
 		}
 	}
 
@@ -17473,9 +17487,9 @@ impl<
 				})
 			},
 			OffersMessage::Invoice(invoice) => {
-				let payment_id = match self.flow.verify_bolt12_invoice(&invoice, context.as_ref()) {
+				let payment_id = match self.flow.verify_bolt12_invoice(&invoice, &self.currency_conversion, context.as_ref()) {
 					Ok(payment_id) => payment_id,
-					Err(()) => return None,
+					Err(_) => return None,
 				};
 
 				let logger = WithContext::for_payment(

lightning/src/offers/flow.rs

@@ -487,19 +487,25 @@ impl<MR: MessageRouter, L: Logger> OffersMessageFlow<MR, L> {
 	/// Verifies a [`Bolt12Invoice`] using the invoice's payer metadata, returning the
 	/// corresponding [`PaymentId`] if successful.
 	///
+	/// This also verifies that the invoice amount is consistent with the underlying
+	/// offer or refund. For currency-denominated offers, this includes validating
+	/// the invoice amount against the payable amount derived using the provided
+	/// [`CurrencyConversion`] when the invoice request did not carry an explicit
+	/// amount.
+	///
 	/// - If an [`OffersContext::OutboundPaymentForOffer`] or
 	///   [`OffersContext::OutboundPaymentForRefund`] is provided, the extracted [`PaymentId`] must
 	///   also match the context's `payment_id`.
 	/// - If no context is provided, the invoice must correspond to a [`Refund`] without blinded
 	///   paths.
 	/// - If neither condition is met, verification fails.
-	pub fn verify_bolt12_invoice(
-		&self, invoice: &Bolt12Invoice, context: Option<&OffersContext>,
-	) -> Result<PaymentId, ()> {
+	pub fn verify_bolt12_invoice<CC: CurrencyConversion>(
+		&self, invoice: &Bolt12Invoice, converter: &CC, context: Option<&OffersContext>,
+	) -> Result<PaymentId, Bolt12SemanticError> {
 		let secp_ctx = &self.secp_ctx;
 		let expanded_key = &self.inbound_payment_key;
 
-		match context {
+		let payment_id = match context {
 			None if invoice.is_for_refund_without_paths() => {
 				invoice.verify_using_metadata(expanded_key, secp_ctx)
 			},
@@ -523,6 +529,11 @@ impl<MR: MessageRouter, L: Logger> OffersMessageFlow<MR, L> {
 			},
 			_ => Err(()),
 		}
+		.map_err(|_| Bolt12SemanticError::UnexpectedAmount)?;
+
+		invoice.verify_amount_acceptable_for_payment(converter)?;
+
+		Ok(payment_id)
 	}
 
 	/// Verifies the provided [`AsyncPaymentsContext`] for an inbound [`HeldHtlcAvailable`] message.

lightning/src/offers/invoice.rs

@@ -1034,6 +1034,42 @@ impl Bolt12Invoice {
 		self.contents.verify(&self.bytes, metadata, key, iv_bytes, secp_ctx)
 	}
 
+	/// Verifies that the invoice amount is acceptable for payment relative to the
+	/// underlying offer.
+	///
+	/// For currency-denominated offers where the invoice request did not carry an
+	/// explicit amount, this checks that the invoice amount does not exceed the
+	/// maximum payable amount derived from the provided currency conversion.
+	///
+	/// Invoices for refunds or invoice requests with explicit amounts are assumed
+	/// to have already been validated during parsing.
+	pub fn verify_amount_acceptable_for_payment<CC: CurrencyConversion>(
+		&self, converter: &CC,
+	) -> Result<(), Bolt12SemanticError> {
+		if let InvoiceContents::ForOffer { invoice_request, .. } = &self.contents {
+			if invoice_request.amount_msats().is_none() {
+				let offer_amount = invoice_request
+					.inner
+					.offer
+					.amount()
+					.ok_or(Bolt12SemanticError::MissingAmount)?;
+
+				let (_minimum_unit_msats, maximum_unit_msats) =
+					offer_amount.to_msats_range(converter)?;
+
+				let maximum_msats = maximum_unit_msats
+					.saturating_mul(self.quantity().unwrap_or(1))
+					.min(MAX_VALUE_MSAT);
+
+				if self.amount_msats() > maximum_msats {
+					return Err(Bolt12SemanticError::ExcessiveAmount);
+				}
+			}
+		}
+
+		Ok(())
+	}
+
 	pub(crate) fn as_tlv_stream(&self) -> FullInvoiceTlvStreamRef<'_> {
 		let (
 			payer_tlv_stream,