Expose fallback tx off receiver session history #799
Conversation
Pull Request Test Coverage Report for Build 15874355723Details
💛 - Coveralls |
Let's get extract for broadcast after the typestate that checks broadcast. I would prefer a separate PR because that requires separate review to this. |
Per BIP-77: > At any point, either party may choose to broadcast the fallback > transaction described by the Original PSBT instead of proceeding. However, the fallback transaction available at the `UncheckedProposal` typestate may not be "broadcastable". Only after transitioning to `MaybeInputsOwned` via `check_broadcast_suitability` can we determine with high confidence that the fallback is valid for broadcast. Related PR: [payjoin#799](payjoin#799)
|
Drafting till we resolve #799 (comment) |
Per BIP-77: > At any point, either party may choose to broadcast the fallback > transaction described by the Original PSBT instead of proceeding. However, the fallback transaction available at the `UncheckedProposal` typestate may not be "broadcastable". Only after transitioning to `MaybeInputsOwned` via `check_broadcast_suitability` can we determine with high confidence that the fallback is valid for broadcast. Related PR: [payjoin#799](payjoin#799)
Per BIP-77: > At any point, either party may choose to broadcast the fallback > transaction described by the Original PSBT instead of proceeding. However, the fallback transaction available at the `UncheckedProposal` typestate may not be "broadcastable". Only after transitioning to `MaybeInputsOwned` via `check_broadcast_suitability` can we determine with high confidence that the fallback is valid for broadcast. Related PR: [#799](#799)
SGTM, but I also don't really think the
Hmm, I think that's a bug in the spec honestly.
Yes, and... Given the purpose of But perhaps we want a way of getting the unchecked PSBT that has "unsafe" in the name, and still make that available in |
How would this be possible? The sender provides all sigs. They wouldn't have sigs for any receiver inputs. |
arminsabouri
force-pushed
the
798-expose-fallback-tx-using-receiver-session-history-object
branch
from
1c9bbb9 to
feb8abf
Compare
If a `MaybeInputsOwned` session event is present in the log then we know the session has persisted a "broadcastable" fallback tx by virute of successfully transitioning past `UncheckedProposal` via calling `check_broadcast_suitability` and persisting the result. This commit explicitly does not use the unchecked session event because the fallback at that typestate may fail consensus or policy checks.
arminsabouri
force-pushed
the
798-expose-fallback-tx-using-receiver-session-history-object
branch
from
feb8abf to
979ca78
Compare
|
Rebased and pushed |
Wouldnt the receiver have to sign? I suppose if its not clear what the fallback is they could mistakenly build a flow where the users sign it. On a similar note, perhaps it should be move to |
The only thing I can think of is two concurrent sessions with cross talk which seems like a tagging attack... After one session succeeds the sender sends the payjoin tx as if it was a proposal tx, which from a loss of funds perspective is safe. But honestly I didn't think about it too much when posting this, just took the docs for that typestate at face value. The check is from BIP 78's receiver checklist but I don't see any example |
arminsabouri
deleted the
798-expose-fallback-tx-using-receiver-session-history-object
branch
Per BIP-77: > At any point, either party may choose to broadcast the fallback > transaction described by the Original PSBT instead of proceeding. However, the fallback transaction available at the `UncheckedProposal` typestate may not be "broadcastable". Only after transitioning to `MaybeInputsOwned` via `check_broadcast_suitability` can we determine with high confidence that the fallback is valid for broadcast. Related PR: [payjoin#799](payjoin#799)
Per BIP-77: > At any point, either party may choose to broadcast the fallback > transaction described by the Original PSBT instead of proceeding. However, the fallback transaction available at the `UncheckedProposal` typestate may not be "broadcastable". Only after transitioning to `MaybeInputsOwned` via `check_broadcast_suitability` can we determine with high confidence that the fallback is valid for broadcast. Related PR: [#799](payjoin/rust-payjoin#799)
Per BIP-77: > At any point, either party may choose to broadcast the fallback > transaction described by the Original PSBT instead of proceeding. However, the fallback transaction available at the `UncheckedProposal` typestate may not be "broadcastable". Only after transitioning to `MaybeInputsOwned` via `check_broadcast_suitability` can we determine with high confidence that the fallback is valid for broadcast. Related PR: [#799](payjoin/rust-payjoin#799)
5 participants
If a
MaybeInputsOwnedsession event is present in the log then we know the session has persisted a "broadcastable" fallback tx by virute of successfully transitioning pastUncheckedProposalviacheck_broadcast_suitabilityand persisting the result. This commit explicitly does not use the unchecked session event because the fallback at that typestate may fail consensus or policy checks.I'm not a fan of the double find_map in
SessionHistory. We could pub(crate) the v1 psbt onMaybeInputsOwnedand duplicate a tiny bit of code (self.psbt.clone().extract_tx_unchecked_fee_rate()).But something else seems a bit off to me. why is
extract_tx_to_schedule_broadcastis on the unchecked typestate?According to Bip77
Wouldn't it make more sense for
extract_tx_to_schedule_broadcastto live on theMaybeInputsOwnedtype state?Resolves #798