[feat] Verify invoice amounts for currency-denominated offers

This completes the invoice handling side of currency conversion support.

When paying an invoice for a currency-denominated offer, and the
invoice request did not specify an explicit amount, we now use the
configured CurrencyConversion to derive the acceptable msat range
for the offer amount.

The invoice is considered valid only if the quoted amount falls within
that acceptable range, preventing the payer from being overcharged due
to exchange-rate differences or unexpected invoice amounts.

Author: shaavan

lightning/src/ln/channelmanager.rs

@@ -5739,6 +5739,13 @@ impl<
 	///   offer, or
 	/// - the refund corresponding to the invoice has already expired.
 	///
+	/// If the invoice corresponds to a currency-denominated offer and the invoice request did not
+	/// specify an explicit amount, the invoice amount is checked against the maximum amount payable
+	/// using the configured currency conversion. [`Bolt12PaymentError::UnverifiableAmount`] is
+	/// returned if the invoice amount could not be verified against the converted offer amount, and
+	/// [`Bolt12PaymentError::ExcessiveAmount`] is returned if the invoice quotes more than the
+	/// maximum amount we are willing to pay for the offer.
+	///
 	/// To retry the payment, request another invoice using a new `payment_id`.
 	///
 	/// Attempting to pay the same invoice twice while the first payment is still pending will
@@ -5751,9 +5758,16 @@ impl<
 	pub fn send_payment_for_bolt12_invoice(
 		&self, invoice: &Bolt12Invoice, context: Option<&OffersContext>,
 	) -> Result<(), Bolt12PaymentError> {
-		match self.flow.verify_bolt12_invoice(invoice, context) {
+		match self.flow.verify_bolt12_invoice(invoice, &self.currency_conversion, context) {
 			Ok(payment_id) => self.send_payment_for_verified_bolt12_invoice(invoice, payment_id),
-			Err(()) => Err(Bolt12PaymentError::UnexpectedInvoice),
+			Err(Bolt12SemanticError::UnexpectedAmount) => {
+				Err(Bolt12PaymentError::UnexpectedInvoice)
+			},
+			Err(Bolt12SemanticError::UnsupportedCurrency)
+			| Err(Bolt12SemanticError::MissingAmount)
+			| Err(Bolt12SemanticError::InvalidAmount) => Err(Bolt12PaymentError::UnverifiableAmount),
+			Err(Bolt12SemanticError::ExcessiveAmount) => Err(Bolt12PaymentError::ExcessiveAmount),
+			_ => Err(Bolt12PaymentError::UnexpectedInvoice),
 		}
 	}
 
@@ -16929,6 +16943,8 @@ impl<
 					},
 					Err(Bolt12PaymentError::UnexpectedInvoice)
 						| Err(Bolt12PaymentError::DuplicateInvoice)
+						| Err(Bolt12PaymentError::UnverifiableAmount)
+						| Err(Bolt12PaymentError::ExcessiveAmount)
 						| Ok(()) => return None,
 				};
 
@@ -17040,9 +17056,9 @@ impl<
 				})
 			},
 			OffersMessage::Invoice(invoice) => {
-				let payment_id = match self.flow.verify_bolt12_invoice(&invoice, context.as_ref()) {
+				let payment_id = match self.flow.verify_bolt12_invoice(&invoice, &self.currency_conversion, context.as_ref()) {
 					Ok(payment_id) => payment_id,
-					Err(()) => return None,
+					Err(_) => return None,
 				};
 
 				let logger = WithContext::for_payment(

lightning/src/ln/outbound_payment.rs

@@ -656,6 +656,20 @@ pub enum Bolt12PaymentError {
 	UnexpectedInvoice,
 	/// Payment for an invoice with the corresponding [`PaymentId`] was already initiated.
 	DuplicateInvoice,
+	/// The invoice was valid for the corresponding [`PaymentId`], but its amount
+	/// could not be verified.
+	///
+	/// This occurs for currency-denominated offers without an explicitly requested
+	/// amount when the offer amount could not be converted to msats because the
+	/// currency was unsupported or the converted amount exceeded supported bounds.
+	UnverifiableAmount,
+	/// The invoice was valid for the corresponding [`PaymentId`], but its amount
+	/// exceeded the maximum acceptable amount derived from the underlying offer.
+	///
+	/// This occurs for currency-denominated offers without an explicitly requested
+	/// amount when the invoice amount was higher than the payer was willing to pay
+	/// after currency conversion.
+	ExcessiveAmount,
 	/// The invoice was valid for the corresponding [`PaymentId`], but required unknown features.
 	UnknownRequiredFeatures,
 	/// The invoice was valid for the corresponding [`PaymentId`], but sending the payment failed.

lightning/src/offers/flow.rs

@@ -503,19 +503,25 @@ impl<MR: MessageRouter, L: Logger> OffersMessageFlow<MR, L> {
 	/// Verifies a [`Bolt12Invoice`] using the provided [`OffersContext`] or the invoice's payer
 	/// metadata, returning the corresponding [`PaymentId`] if successful.
 	///
+	/// This also verifies that the invoice amount is consistent with the underlying
+	/// offer or refund. For currency-denominated offers, this includes validating
+	/// the invoice amount against the payable amount derived using the provided
+	/// [`CurrencyConversion`] when the invoice request did not carry an explicit
+	/// amount.
+	///
 	/// - If an [`OffersContext::OutboundPaymentForOffer`] or
 	///   [`OffersContext::OutboundPaymentForRefund`] with a `nonce` is provided, verification is
 	///   performed using this to form the payer metadata.
 	/// - If no context is provided and the invoice corresponds to a [`Refund`] without blinded paths,
 	///   verification is performed using the [`Bolt12Invoice::payer_metadata`].
 	/// - If neither condition is met, verification fails.
-	pub fn verify_bolt12_invoice(
-		&self, invoice: &Bolt12Invoice, context: Option<&OffersContext>,
-	) -> Result<PaymentId, ()> {
+	pub fn verify_bolt12_invoice<CC: CurrencyConversion>(
+		&self, invoice: &Bolt12Invoice, converter: &CC, context: Option<&OffersContext>,
+	) -> Result<PaymentId, Bolt12SemanticError> {
 		let secp_ctx = &self.secp_ctx;
 		let expanded_key = &self.inbound_payment_key;
 
-		match context {
+		let payment_id = match context {
 			None if invoice.is_for_refund_without_paths() => {
 				invoice.verify_using_metadata(expanded_key, secp_ctx)
 			},
@@ -535,6 +541,11 @@ impl<MR: MessageRouter, L: Logger> OffersMessageFlow<MR, L> {
 			},
 			_ => Err(()),
 		}
+		.map_err(|_| Bolt12SemanticError::UnexpectedAmount)?;
+
+		invoice.verify_amount_acceptable_for_payment(converter)?;
+
+		Ok(payment_id)
 	}
 
 	/// Verifies the provided [`AsyncPaymentsContext`] for an inbound [`HeldHtlcAvailable`] message.

lightning/src/offers/invoice.rs

@@ -1049,6 +1049,42 @@ impl Bolt12Invoice {
 		)
 	}
 
+	/// Verifies that the invoice amount is acceptable for payment relative to the
+	/// underlying offer.
+	///
+	/// For currency-denominated offers where the invoice request did not carry an
+	/// explicit amount, this checks that the invoice amount does not exceed the
+	/// maximum payable amount derived from the provided currency conversion.
+	///
+	/// Invoices for refunds or invoice requests with explicit amounts are assumed
+	/// to have already been validated during parsing.
+	pub fn verify_amount_acceptable_for_payment<CC: CurrencyConversion>(
+		&self, converter: &CC,
+	) -> Result<(), Bolt12SemanticError> {
+		if let InvoiceContents::ForOffer { invoice_request, .. } = &self.contents {
+			if invoice_request.amount_msats().is_none() {
+				let offer_amount = invoice_request
+					.inner
+					.offer
+					.amount()
+					.ok_or(Bolt12SemanticError::MissingAmount)?;
+
+				let (_minimum_unit_msats, maximum_unit_msats) =
+					offer_amount.to_msats_range(converter)?;
+
+				let maximum_msats = maximum_unit_msats
+					.checked_mul(self.quantity().unwrap_or(1))
+					.ok_or(Bolt12SemanticError::InvalidAmount)?;
+
+				if self.amount_msats() > maximum_msats {
+					return Err(Bolt12SemanticError::ExcessiveAmount);
+				}
+			}
+		}
+
+		Ok(())
+	}
+
 	pub(crate) fn as_tlv_stream(&self) -> FullInvoiceTlvStreamRef<'_> {
 		let (
 			payer_tlv_stream,

lightning/src/offers/parse.rs

@@ -180,6 +180,8 @@ pub enum Bolt12SemanticError {
 	InvalidCurrencyCode,
 	/// An amount was provided but was not sufficient in value.
 	InsufficientAmount,
+	/// An amount was provided but exceeded the acceptable value.
+	ExcessiveAmount,
 	/// An amount was provided but was not expected.
 	UnexpectedAmount,
 	/// A currency was provided that is not supported.