Increase blinded path expiry

Blinded paths should expire when we will start rejecting payments for
the corresponding invoice: this is thus related to the bolt 12 invoice
expiry that we used.

However, when we receive an HTLC, its `cltv_expiry` is set to a future
block height, which must be at least `min_final_expiry_delta` in the
future. Payers may add some additional margin to the current block
height to protect against delays in HTLC relay and protect the privacy
of the payment. So we must add a large enough `cltv_expiry_delta` to
the invoice expiry to account for those.

Author: t-bast

src/commonMain/kotlin/fr/acinq/lightning/payment/OfferManager.kt

@@ -4,12 +4,9 @@ import fr.acinq.bitcoin.ByteVector32
 import fr.acinq.bitcoin.PublicKey
 import fr.acinq.bitcoin.utils.Either.Left
 import fr.acinq.bitcoin.utils.Either.Right
-import fr.acinq.lightning.EncodedNodeId
-import fr.acinq.lightning.Features
+import fr.acinq.lightning.*
 import fr.acinq.lightning.Lightning.randomBytes32
 import fr.acinq.lightning.Lightning.randomKey
-import fr.acinq.lightning.NodeParams
-import fr.acinq.lightning.WalletParams
 import fr.acinq.lightning.crypto.RouteBlinding
 import fr.acinq.lightning.io.OfferInvoiceReceived
 import fr.acinq.lightning.io.OfferNotPaid
@@ -181,8 +178,12 @@ class OfferManager(val nodeParams: NodeParams, val walletParams: WalletParams, v
                     maxHtlc = amount * 2,
                     allowedFeatures = Features.empty
                 )
-                // We assume 10 minutes between each block to convert the invoice expiry to a CLTV expiry for the blinded path.
-                val pathExpiry = (paymentInfo.cltvExpiryDelta + (nodeParams.bolt12InvoiceExpiry.inWholeMinutes.toInt() / 10)).toCltvExpiry(currentBlockHeight.toLong())
+                // Once the invoice expires, the blinded path shouldn't be usable anymore.
+                // We assume 10 minutes between each block to convert the invoice expiry to a cltv_expiry_delta.
+                // When paying the invoice, payers may add any number of blocks to the current block height to protect recipient privacy.
+                // We assume that they won't add more than 720 blocks, which is reasonable because adding a large delta increases the risk
+                // that intermediate nodes reject the payment because they don't want their funds potentially locked for a long duration.
+                val pathExpiry = (paymentInfo.cltvExpiryDelta + CltvExpiryDelta(720) + (nodeParams.bolt12InvoiceExpiry.inWholeMinutes.toInt() / 10)).toCltvExpiry(currentBlockHeight.toLong())
                 val remoteNodePayload = RouteBlindingEncryptedData(
                     TlvStream(
                         RouteBlindingEncryptedDataTlv.OutgoingNodeId(EncodedNodeId.WithPublicKey.Wallet(nodeParams.nodeId)),

src/commonTest/kotlin/fr/acinq/lightning/payment/OfferManagerTestsCommon.kt

@@ -71,17 +71,18 @@ class OfferManagerTestsCommon : LightningTestSuite() {
         val offer = createOffer(aliceOfferManager, amount = 1000.msat)
 
         // Bob sends an invoice request to Alice.
+        val currentBlockHeight = 0
         val payOffer = PayOffer(UUID.randomUUID(), randomKey(), null, 5500.msat, offer, 20.seconds)
         val (_, invoiceRequests) = bobOfferManager.requestInvoice(payOffer)
         assertTrue(invoiceRequests.size == 1)
         val (messageForAlice, nextNodeAlice) = trampolineRelay(invoiceRequests.first(), aliceTrampolineKey)
         assertEquals(Either.Right(EncodedNodeId.WithPublicKey.Wallet(TestConstants.Alice.nodeParams.nodeId)), nextNodeAlice)
         // Alice sends an invoice back to Bob.
-        val invoiceResponse = aliceOfferManager.receiveMessage(messageForAlice, listOf(), 0)
+        val invoiceResponse = aliceOfferManager.receiveMessage(messageForAlice, listOf(), currentBlockHeight)
         assertIs<OnionMessageAction.SendMessage>(invoiceResponse)
         val (messageForBob, nextNodeBob) = trampolineRelay(invoiceResponse.message, aliceTrampolineKey)
         assertEquals(Either.Right(EncodedNodeId.WithPublicKey.Wallet(TestConstants.Bob.nodeParams.nodeId)), nextNodeBob)
-        val payInvoice = bobOfferManager.receiveMessage(messageForBob, listOf(), 0)
+        val payInvoice = bobOfferManager.receiveMessage(messageForBob, listOf(), currentBlockHeight)
         assertIs<OnionMessageAction.PayInvoice>(payInvoice)
         assertEquals(OfferInvoiceReceived(payOffer, payInvoice.invoice), bobOfferManager.eventsFlow.first())
         assertEquals(payOffer, payInvoice.payOffer)
@@ -91,6 +92,10 @@ class OfferManagerTestsCommon : LightningTestSuite() {
         assertEquals(aliceOfferManager.nodeParams.expiryDeltaBlocks + aliceOfferManager.nodeParams.minFinalCltvExpiryDelta, path.paymentInfo.cltvExpiryDelta)
         assertEquals(TestConstants.Alice.nodeParams.htlcMinimum, path.paymentInfo.minHtlc)
         assertEquals(payOffer.amount * 2, path.paymentInfo.maxHtlc)
+        // The blinded path expires long after the invoice expiry to allow senders to add their own expiry delta.
+        val (alicePayload, _) = RouteBlinding.decryptPayload(aliceTrampolineKey, path.route.route.blindingKey, path.route.route.encryptedPayloads.first()).right!!
+        val paymentConstraints = RouteBlindingEncryptedData.read(alicePayload.toByteArray()).right!!.paymentConstraints!!
+        assertTrue(paymentConstraints.maxCltvExpiry > CltvExpiryDelta(720).toCltvExpiry(currentBlockHeight.toLong()))
     }
 
     @Test