From 9cd2b80779d3aeb7273a0d5f410984b17e4102ae Mon Sep 17 00:00:00 2001
From: Leendert van Beelen <leendert.van.beelen@zooshdigital.com>
Date: Thu, 9 May 2024 18:23:02 +0200
Subject: [PATCH] Only select valid characters from the authenticate header

---
 src/client/axios.ts       | 4 ++--
 test/client/axios.spec.js | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/client/axios.ts b/src/client/axios.ts
index e1f5def..c3a8358 100644
--- a/src/client/axios.ts
+++ b/src/client/axios.ts
@@ -66,8 +66,8 @@ export function setupL402Interceptor(instance: AxiosInstance, wallet: Wallet, st
  */
 function parseHeader(header: string): { header_key: string; invoice: string; macaroon: string } | null {
   const headerKeyMatch = /^(LSAT|L402)/.exec(header);
-  const invoiceMatch = /invoice="([^"]+)"/.exec(header);
-  const macaroonMatch = /macaroon="([^"]+)"/.exec(header);
+  const invoiceMatch = /invoice="([\w|\d]+)"/.exec(header); // Lightning invoice only use alphanumeric characters, see: https://github.com/lightning/bolts/blob/master/11-payment-encoding.md
+  const macaroonMatch = /macaroon="([\w|\d\+\/=_-]+)"/.exec(header); // Base64 URL-safe characters
 
   if (invoiceMatch && macaroonMatch) {
     return {
diff --git a/test/client/axios.spec.js b/test/client/axios.spec.js
index f0b3f9c..5b6b5e1 100644
--- a/test/client/axios.spec.js
+++ b/test/client/axios.spec.js
@@ -72,7 +72,7 @@ class MockWallet extends Wallet {
       const url = 'https://example.com/resource';
       nock('https://example.com')
         .get('/resource')
-        .reply(402, '', { 'www-authenticate': 'L402 invoice="mock-invoice" macaroon="mock-macaroon"' });
+        .reply(402, '', { 'www-authenticate': 'L402 invoice="mockinvoice" macaroon="mock-macaroon"' });
   
       // Mock the successful retry response
       nock('https://example.com')