fix: derive lnurl auth from app seed path

ovitrif · claude · ovitrif · commit cfae6669554f · 2026-02-11T00:40:53.000+01:00
Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "vss-rust-client-ffi"
-version = "0.5.4"
+version = "0.5.5"
 edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
diff --git a/src/implementation.rs b/src/implementation.rs
@@ -151,25 +151,28 @@ impl VssClient {
     ) -> Result<Self, VssError> {
         let secp = Secp256k1::new();
 
-        // Derive LDK keys from full 64-byte seed (matching ldk-node's key derivation)
-        let ldk_master_xprv =
-            Xpriv::new_master(Network::Bitcoin, &seed).map_err(|e| VssError::ConnectionError {
-                error_details: format!("Failed to create master key: {}", e),
+        // Derive app keys from truncated 32-byte seed (backward compatible with v0.4.0)
+        let truncated_seed: [u8; 32] = seed[..32].try_into().unwrap();
+        let app_master_xprv =
+            Xpriv::new_master(Network::Bitcoin, &truncated_seed).map_err(|e| {
+                VssError::ConnectionError {
+                    error_details: format!("Failed to create app master key: {}", e),
+                }
             })?;
-
-        let ldk_vss_xprv = ldk_master_xprv
+        let app_vss_xprv = app_master_xprv
             .derive_priv(
                 &secp,
                 &[ChildNumber::Hardened {
                     index: VSS_HARDENED_CHILD_INDEX,
                 }],
             )
             .map_err(|e| VssError::ConnectionError {
-                error_details: format!("Failed to derive VSS key: {}", e),
+                error_details: format!("Failed to derive app VSS key: {}", e),
             })?;
+        let app_vss_seed_bytes: [u8; 32] = app_vss_xprv.private_key.secret_bytes();
 
-        // LNURL auth uses the full seed derivation path
-        let lnurl_auth_xprv = ldk_vss_xprv
+        // LNURL auth from app path (matches v0.4.0 server identity)
+        let lnurl_auth_xprv = app_vss_xprv
             .derive_priv(
                 &secp,
                 &[ChildNumber::Hardened {
@@ -188,27 +191,22 @@ impl VssClient {
 
         let header_provider = Arc::new(lnurl_auth_jwt_provider);
 
-        let ldk_vss_seed_bytes: [u8; 32] = ldk_vss_xprv.private_key.secret_bytes();
-
-        // Derive app keys from truncated 32-byte seed (backward compatible with old app version)
-        let truncated_seed: [u8; 32] = seed[..32].try_into().unwrap();
-        let app_master_xprv =
-            Xpriv::new_master(Network::Bitcoin, &truncated_seed).map_err(|e| {
-                VssError::ConnectionError {
-                    error_details: format!("Failed to create app master key: {}", e),
-                }
+        // Derive LDK keys from full 64-byte seed (matching ldk-node's key derivation)
+        let ldk_master_xprv =
+            Xpriv::new_master(Network::Bitcoin, &seed).map_err(|e| VssError::ConnectionError {
+                error_details: format!("Failed to create LDK master key: {}", e),
             })?;
-        let app_vss_xprv = app_master_xprv
+        let ldk_vss_xprv = ldk_master_xprv
             .derive_priv(
                 &secp,
                 &[ChildNumber::Hardened {
                     index: VSS_HARDENED_CHILD_INDEX,
                 }],
             )
             .map_err(|e| VssError::ConnectionError {
-                error_details: format!("Failed to derive app VSS key: {}", e),
+                error_details: format!("Failed to derive LDK VSS key: {}", e),
             })?;
-        let app_vss_seed_bytes: [u8; 32] = app_vss_xprv.private_key.secret_bytes();
+        let ldk_vss_seed_bytes: [u8; 32] = ldk_vss_xprv.private_key.secret_bytes();
 
         Self::new_with_header_provider(
             base_url,
