From 2774ee8021d00a1ad71d0b643db6eb3a4f46b144 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?dni=20=E2=9A=A1?=
Date: Mon, 30 Mar 2026 11:30:49 +0200
Subject: [PATCH] fix: enforce check minimum
---
 views_lnurl.py | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/views_lnurl.py b/views_lnurl.py
index 160e916..f893427 100644
--- a/views_lnurl.py
+++ b/views_lnurl.py
@@ -3,6 +3,7 @@ import httpx
 import shortuuid
+from bolt11 import decode as decode_bolt11
 from fastapi import APIRouter, Request
 from fastapi.responses import JSONResponse
 from lnbits.core.crud import update_payment
@@ -96,6 +97,16 @@ async def api_lnurl_callback(
 if not link.enabled:
 return LnurlErrorResponse(reason="Withdraw link is disabled.")
+ bolt11 = decode_bolt11(pr)
+ if not bolt11.amount_msat:
+ return LnurlErrorResponse(reason="0 amount invoices are not supported.")
+
+ if (
+ link.min_withdrawable * 1000 > bolt11.amount_msat
+ or bolt11.amount_msat > link.max_withdrawable * 1000
+ ):
+ return LnurlErrorResponse(reason="Amount not within limits.")
+
 if link.is_spent:
 return LnurlErrorResponse(reason="withdraw is spent.")
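Review bot: In the second hunk (`api_lnurl_callback`), `decode_bolt11(pr)` parses the caller-supplied `pr` with no error handling in the added lines, so a malformed or truncated invoice would presumably raise here instead of returning an LNURL error, unless a handler outside the hunk catches it. Wrap the call in a `try:` whose `except` does `return LnurlErrorResponse(reason="Invalid invoice.")`, catching the decoder's own exception type rather than a bare `except`. The local name `bolt11` is also the name of the package the decoder is imported from; `invoice = decode_bolt11(pr)` would read more clearly. A short comment such as `# link limits are in sats, invoice amount is in msat` above the comparison would explain the `* 1000`. The function starts and ends outside the hunk, so whether the later payment step re-checks the amount is not visible here.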