From 4ad04eecb18aacdf72fa64fcb704dec188ab07fe Mon Sep 17 00:00:00 2001
From: Nicolas Burtey <nb@galoy.io>
Date: Sat, 16 Sep 2023 22:16:32 +0100
Subject: [PATCH] chore: almost work e2e

---
 apps/boltcard/bats/e2e-test.bats              |  29 ++++-
 apps/boltcard/bats/gql/user-login.gql         |   9 ++
 .../boltcard/bats/gql/wallets-for-account.gql |  12 ++
 apps/boltcard/bun.lockb                       | Bin 41699 -> 44784 bytes
 apps/boltcard/callback.ts                     | 114 +++++++++++++++++-
 apps/boltcard/config.ts                       |   2 +
 apps/boltcard/knex.ts                         |  17 +--
 apps/boltcard/lnurlw.ts                       |   4 +-
 apps/boltcard/new.ts                          |  16 +--
 apps/boltcard/package.json                    |   2 +
 10 files changed, 177 insertions(+), 28 deletions(-)
 create mode 100644 apps/boltcard/bats/gql/user-login.gql
 create mode 100644 apps/boltcard/bats/gql/wallets-for-account.gql

diff --git a/apps/boltcard/bats/e2e-test.bats b/apps/boltcard/bats/e2e-test.bats
index 1170e173814..9b30e642501 100644
--- a/apps/boltcard/bats/e2e-test.bats
+++ b/apps/boltcard/bats/e2e-test.bats
@@ -1,8 +1,15 @@
+load "../../../test/bats/helpers/setup-and-teardown"
+load "../../../test/bats/helpers/ln"
+
+@test "auth: create user" {
+  login_user "alice" "+16505554321" "000000"
+}
 
 @test "auth: create card" {
-  accountId="b12871e9-01e7-4aec-8597-873ebab7df1f"
+  echo "TOKEN_ALICE=$(read_value "alice")"
+  export TOKEN_ALICE=$(read_value "alice")
 
-  RESPONSE=$(curl -s "http://localhost:3000/createboltcard?accountId=${accountId}")
+  RESPONSE=$(curl -s "http://localhost:3000/createboltcard?token=${TOKEN_ALICE}")
   CALLBACK_URL=$(echo $RESPONSE | jq -r '.url')
 
   # Making the follow-up curl request
@@ -11,9 +18,7 @@
   [[ $(echo $RESPONSE | jq -r '.PROTOCOL_NAME') == "create_bolt_card_response" ]] || exit 1
 }
 
-
 @test "auth: create payment and follow up" {
-  
   P_VALUE="4E2E289D945A66BB13377A728884E867"
   C_VALUE="E19CCB1FED8892CE"
 
@@ -26,6 +31,18 @@
   echo "CALLBACK_URL: $CALLBACK_URL"
   echo "K1_VALUE: $K1_VALUE"
 
-  # Making the follow-up curl request
-  curl -s "${CALLBACK_URL}?k1=${K1_VALUE}"
+  cache_value "k1" "$K1_VALUE"
+  cache_value "CALLBACK_URL" "$CALLBACK_URL"
 }
+
+@test "callback" {
+  K1_VALUE=$(read_value "k1")
+  CALLBACK_URL=$(read_value "CALLBACK_URL")
+
+  invoice_response="$(lnd_outside_2_cli addinvoice --amt 1000)"
+  payment_request=$(echo $invoice_response | jq -r '.payment_request')
+  echo $payment_request
+
+  result=$(curl -s "${CALLBACK_URL}?k1=${K1_VALUE}&pr=${payment_request}")
+  [[ result.status == "OK" ]] || exit 1
+}
\ No newline at end of file
diff --git a/apps/boltcard/bats/gql/user-login.gql b/apps/boltcard/bats/gql/user-login.gql
new file mode 100644
index 00000000000..44b1b124c09
--- /dev/null
+++ b/apps/boltcard/bats/gql/user-login.gql
@@ -0,0 +1,9 @@
+mutation userLogin($input: UserLoginInput!) {
+  userLogin(input: $input) {
+    errors {
+      code
+      message
+    }
+    authToken
+  }
+}
diff --git a/apps/boltcard/bats/gql/wallets-for-account.gql b/apps/boltcard/bats/gql/wallets-for-account.gql
new file mode 100644
index 00000000000..e17a5ccf8f0
--- /dev/null
+++ b/apps/boltcard/bats/gql/wallets-for-account.gql
@@ -0,0 +1,12 @@
+query me {
+  me {
+    defaultAccount {
+      id
+      wallets {
+        id
+        walletCurrency
+        balance
+      }
+    }
+  }
+}
diff --git a/apps/boltcard/bun.lockb b/apps/boltcard/bun.lockb
index 1adae7090c853bbbbe8361e671e6f2684a97f086..fd05e46c4d6d2ac8405b4cf399e2f717d63528ec 100755
GIT binary patch
delta 8844
zcmeHNdt6l2_CM#y00$ie1Y`ge^(wxGr!qWb1`re(!B;gtibNOz1qPVmsWM=`diZK(
zrKaVxw9<TKa=VqKeZ1LC?Nem;W~N>3buF^&7pC|AzU#~!CG*zpbNk%iAHTchd)8TN
z@4fa~Yp=cMoU{G-h}3>sS{XHXT4i(Ai6L!k#*O*lzGuR|pLuQDyB=$E!v~b-l$z6)
zEnYHXr=XO&RhB+sVYMzs5N6uS9EAndMU}-a$-}Ew^_hA=6a;@kXs&lyD~cfB0bUFK
zF;HL7<!)M8tS_x_BntPVO;^alSK4f4LLK-(@Uua=-(7CnpJcI5LA*u~x<OiPEiAE>
zRtwcuyREF&D%5xiLLbQIfckJRP#&$Mz>fZcu-(h0P1RmzD=M&;2*MEPlhLl&>abNh
z>_RBrD@Ho~-BNEig*`%dZdF}SSyELdoWc-n^Aucov<+_hSI_|Pj_TnFJn8{d_62XP
zuY{p?p|+s9f#pMB8uxcJR9f|=cHumD)>B?uZq*mfoG$#?-N5cBaMakX_Hgj{Yxcv1
z-M719D|8@2%(sEELaS9jtF+qgD0g`+utFZN)m?wapK_#uKAYX_S}iq71DzW8XjSfB
zTi`Ei^$c>2+5sLtnzw-GQPzQS(Aptq`V}hK{B6N5e!ZKXg`BM}w>nB}MRwr`cutL-
zpsc^9qO!EoDohvdgTN1hLYr+)DGY9MH<$z319A+a3|w7Mr=MvnYS^N44HzBjQZ%!{
zVP)I%(H?)z1%-uHp3MPa)YxU<q`YvKm?OdVBGowZ_TIf*_Ngg*bE?{A*39BQYRU$p
zJ^OhweD9?$qs6rKC4=-cZo9f6EVKGbVZT>;wWN5RYE5`NZ{>GepJ?sXWr4r$$Ri;q
z65F;6`SAXlv4eAxXPrH@X8*!b@u{oVZ29WwxxI;+X;Ng92Uf)OGG^tEdC6T9LkGP~
z;xp8N>z9<|Z4&!YgSSb(1Dz9LlSD1v2Kgws9B?9YVgMz{CNYy5WRtuYiZYcN(Z?XZ
zK^?M5^6f&&K1OcfV-gq8L0n&;4j+^3?I8#mYGX|fb97Bkksol&1rnkD6m@hpX-rrn
z2}*4Z?qblZ3#H2jc`LXya2nzP&r?S?lQ@u)v?lo>tWCrfMxsV@1>8uQFQ<qJ)S)$r
zb1BK!Bt7p%SG<h!_gJ<Q&{U#BP?Aj@z9zZJTM&{J8T<GGHFW2Q9K;n0x|?JxrkEqr
zMKN+cHTapt<8;u^B>#Y#6x8@oI<zHFlD|o=!i0{7%##jvH^?7@Gl26WQESkKBH4|s
z33C8rwL>W;RPF}hNC<giyx_r5YWMP%pK?nTZ{_d6jpL3ykeq>B=eP)z?rV^%!R0D-
zFkgzq3iLP1Bd|=kiAab13>qsqBc=MJNSl2rIlw4=<x7nq!@5&zfKe{QR>Wor)B=+?
zf^#JRkM%ydOhplE@8w6WJ&aPmA6)@i;YZ1VM(Ma8H3k|rTCBuGy5^N4W%<(;2&y26
zq4_>3@<!b80LUqAB6Wmxr)-}XX=ngl2{LL5vBAagd`lESjlo9gNC3448#R|9hta+%
zay*tSPmrkOK{+^VhTzzu%{{2Kr&04Rgu@giVjv}l8092vB|M~t(gO`rT_CkW_#A|s
zLWq5^K?)3_WSvnn6`M~6r3R*GcHz!7;ziuKMil)My|Me;7`_0UGF{Xn8>C&q)Ea7(
zKXW%h1YuMEo|GJBl#6?+hVmS&2baThAb)~8mlbF%M}`Q(aF<O!25EW-HHI6d%^}np
zZq&Sox-?4lPLX=*D7lwWvg)X@mr=75+Z96HHAT9hqbm@kgmS|__@&5maTf=5U3lW9
zXG1ybrLRDG8>Q$lO73Hn=3o=+W0ZG<sq@?tY>>}^V>6U~nqX{j7(h<ZOvfFf<C`L_
z52w}$qx=C^p`nM8io>vjxza-nGRT$Sc(=exLF%-E%K#@SEw8#;y6Vz;cgjz>5*%xB
zE%bfhIKs+wOYObsO21?$))8-&yxsB+t`w%c)nQhZ!W5f?faoZ4ghDC5hO$0{LMfeS
z^34MN9TEn++TD_}q9H&R(*CX|y&384WJ$EU$G<~a57xF)Zbf-_iFemC<@T6br@%W5
zR*ph3g-Yp6xnUB3=N@5-Qu|}d{igxkZo0ev=cotT+zsFtR4BvvN-4vY6_mT!TT-6H
zYIps=LwOv#TaSI1deez=0|&q%t8>eldeEN+^mMYn^8u!A>;EN+-xy&rz~$#CkG=%J
z1}+f5@p=Sc`J>7*cHQ8r2(D8$XsyDzC@a_oc+kbceVpvfPJqqW4{*5^<zb#zYX3Rq
z>R-9^oQnOwX3g;++@1~UwB}fROaAAV9)2oW(SO(8f7hOpLAPFmoFc#d+ROS)*4|#-
zkPo!ZC(j?BA2sCSron?P5o>F67QQxn@${m<WZ#|terUhUGs}}U4SKcV_1`zxUouqw
z!Eo%-?~hIU==AKPT~}0v_Vqhgc9#JTio)N!{~eyHzf&9!kGB^rF731D!zTkS%-GrX
z-4BCoYrpx+$B*YN_}kLi*G`=OFvi&BmAY{|2I^kYzq)ix(6EO*XW#K<dwy-S&i9Rq
zcP<=$yn>b`hB&L+jgg)ule0d*();0+$6lGV`EX%$ZPI~fKO2*yzufxv_G_1a$lmwV
zq4TB|8n8U5`1!5l9v^j1?matieA4GMIhj|dYTZya%UwL|EfeRDeYxg9aPfZQyR-Lo
z5%vVWd|<=rbv?96hptXK{!!c3IsKlOAJnznyXXCPdQI=Q;Jsb-etSQUJAUd<naeiE
zU2Lb+q!8!sjY(h5-Tr#st`BMrpM3g_muKkPdmcQNb+Y}T-9=X;qF%bRH$!~Of7ep2
zGdKO-sG`+7jt{n-h<vg6k${hvM6EqF9@ePV=~dG}Jx;BRJYy2Z?D%--;cb`hJJ~hc
zS^h_-@1`I2_c*QF;Qh{^(>>3I#vFW9ci8_@{<-_VS&@J6wIhq$OAa6Fv-+ELm&Q$N
zpo_51Q1if^&sTr3ee#*Kr|)b#yrQ>f54q&ExmR|+G*CWvW!u3suLkaGI~Z})QaJL&
zl)APr{?=--+`VvZuMzVaK0j4FV^=5Z)aM8`(&N!SCDLmd>)IYT^X>AN7wbLVSW~|A
z^2y$(AKVpoG<3Ia#V3___I1wo)4h45Y1r?q)0*G*3#jw{bk%#2_q=$l?1?X;f@pnm
z2wgUq#aK#Dw9u3kEp1ISi}Ca|IPZ~Kx;@D(j-ZW67J31kCfO_+XkxO3N>a77A6ycN
zDHaMbYRQ^n7E@?9xTD~LMw-P`Di~>@dXtupfHRSQs)YunX{jdFET+>TaHqfxFq*|t
zRAsc#(sV7o3oeWLnk<x<p`}G8vp9xMg8LNQh%~b}mRiy*^ynxpod;*8*mMhJXKHD6
zx>?Mnv*5l5mz7}_$J43|3q6&krOV(ZQu-+PHyZwpGK-VxYjECU;9sU$yqz{?!as1D
zEVF2#iCOS38~%ZtO5$kvHx~YlHjC3~H@KtVg2tG|yQp9c{L6uV;O-{>Z1`t}f7xcS
zfDVB>1#ZAtvsg$~W8vR8_y^8PeRJSnF8s?ei^X&j+^671n9X7-wV2^w9{dA0hhoRU
zzwz*IoLMZVv*5l5mz8T4ZL})aB39C8xK>emo<*#tHMrX8Yg`>PcDzNbp^doKQpfmW
zXB3{XDo^e$=Y3FpIQS3Boc~t?yT|3nQk37)V}2-`Q(>)Vy>HRUi9N)hT!Y@iBOV^7
znz^m|r7?{9PU<24zqsyQcH1`H-n6MpMV}e994C}IO06(E=irW0kspD%s5}RXpJTbG
zZw~w$%ddf4_$`9laK99Qb=cgL-y$XgTq*&s^91lBs`ROH%b-7uzs4$W0sOkb%3|EF
z1KthfQ#FvXZ4u@8Or(taH0U$Hv%n63pTySzj{)m}4Z!2T6Tn7b6R;WB0&E5N6)PFQ
zJ1&2s5KKS@Fbc>7vVhU_wXH{NF7Czy69D#P5-=IK4Y&ia0Q?3R3-E(;IQdsbIwNs6
z2tcCoM^5GS%Ma8a;P--Ez;nQEU=Oet*axud6+jihuOS?7etY6q!KuI+fM182fMOsX
z;3tb70B<4uB2~k0N<6jGfZ+iD&<_QM0XkqVz)Pe7Xao`fepKPf<B918@La3}@Ht(1
zVGaTf26_S^Kq7ZW@tfzOJ|k=5<BSo*BkZM(RvY!M3JBu7;2fF_uo{liU`nle+8K>I
zHi|7*4f_X56nMQ`J`2<e%m8?&$OrBM?gYjHJX2$U(E!gDJIgbd222GwVm!NMfai$k
zi{}zfI{7=EGW|)Qi2!@gp^O7~A~_-)xe<Um2rJ^0Q3ucNRL2IWgL5izO7Y+vQP!Ob
zu)&;SiTwV`!gL@9$O9$=69CS%a3BoeOq=NDx$X|&c7P2~jZ!^iebWJUtO(#}bv85&
z{7it`=VE-J0AP=~6L&}hxB>Hp0DI2~_KV8UrWE*Ry2?;j3vf<xVs`}wB14r-<!t9n
zuLNv>9Y~vp3(AYj>4JR-1v(<V#QeCZn5Y=aa7>6-PixfA^OEFh?)n0StZi05;9swy
zRgN&RKRxS+$MeBihfbVLKj2zNK{fH>{WP{FH|$|3(W38;=dX_6WgL3VL(Gqj!ar;p
zw7Vu(Tu%R}(Tz|~yT+afm+ze0)+C8dv256l^RV-IUv7VU!&$*ygCHKD+}d2pTSJf4
zhKT;OzqVKmrCxRM;t-mMYaK1ZHJ%RE6~nl`^*TIYq~KaZx7Wvu+o{T_qfPapPW8}9
zJ!O!@{P-wDMYw)!rJhqLHL+31+?zw?C&mts&_~232<j1+dZvLsaZw3Tv2lWW=%t==
zpk@SIbYdWDMWL;zw4!+7vembJv}n~qKQTWBF+z=cGNvAdz<Wd`3MrwUovDW<ig8NB
zernvyND*uk*Ux$0dBrR9la3c2;#ks&dQT}|OQ-7Nq&ZsZ)(|2!X=z|XoOGX-rZtQU
zUyIq3(Rtrf=Nh{kc7E%g0IcWDTJmiUp+7f-N;|dm9lEq?X~O&v>4=sx8{?!lEzM{N
zp_PrH(pfD%(-<OsrKQ&!<HFTrIL}Y}zM1ROZMUK_j&nleODmyr*xb-?_3UolykVO2
zul>(iNkrBlVpzra%HI@656umghWOHRbK}C*^S_x>pKN*V!iq#mM2xs8jtc4TXz+_p
z6wO=k%Z)<k4|lmZ&h4Ajp`{n*H%l&yBper3G{uFh=YiVb@29mt@X>rs4JR{Fwmpzu
zYzmP&0_g!~h~ybW?M)%>RP5&rmDUB3(HRn^o*Q~Sw(8CP_gvWI?vF`Vvew-_Ts=0N
z`)ym2^XbYd?6i`%!nR;~#rexls}q#goF^%PkK?I7+&s%YkKyXM;U9MyTZ?WR8NnkA
zkBWmM%G9n^=X;Bef)~UksK<*P+J5_k(w=CS#QveK1IP2et_Q<tksirER=_!g>5hsY
z&PR?-3zTv9EcjQ)&8CO%ne^kaN2q6(6M8&ybV-BpuQy_L5}Q7@#^zPg)0Pd~pPD3z
z{QJn|ewwo|cZ7OMx%@=lh>QV6Pja3ikf>MBF%K_&=dEeqp3uQ+Bo(LWV{~z$E=)cD
z?6fuUZi@N?)OV3i>fMV*E{gN<T%n96c&?!OMQOP)Zg$E}ml!|qiN=Un*RT7mVYn+O
zD=n_D&GJc8PF<rbi}?&!Us+IXw^q9sx4zn1Rb#a~_Fi37>SMV{7_E=KNutLN1j`)7
zjcIBP>n_q4*$QjQtrZS^g{{aMU1-Dq6R5V??fO|(M_~!AS{@$cI>PUyGBzP9k<Kpd
ztMAkj)txwfJVs08(O9cn*TyAb)O??2fT9`gZ&c~yq6{wM>PiY6b;bIcYI<Txc-(ca
z49#yadfqh^U+SzgON+|%g|>=XYqh=9Rzdy`h7bLT)Xv>+Zfb{-F?48gUoCI3Xu(7u
zLwOJPcm86G(40dB6+GYY6WeuSR7}LYc@elvx_%c6L*2qy#9zHdC-oLaD7Uf0*(uj;
XnBt)8KH-L#V-!OO<6i5^rhxwiO<h!q

delta 6795
zcmeHLdvH|M8NcVkLUuQs2jsEIhC)=rBP8Snc`WQE;T5=f@^FD5xJfn-Lb4$nAc=uZ
zfJi_Hgile>Dv!#e*eWt~NUUR-mX5ZLqn*m|2f}134p_C?k+w;z?eDvHFGZytJGJd}
z#yk7F-~G<xd!KvHo{!&=e{)gZmpo<DL-)S$+e57%j978BFtqZXmG_^@E|0HyV!Ao`
zCEJ@Hy|H%5QAxeLeXjAg^hS-5qzdo4mP&VXRa1@DvZJqW{ECx8lENjav$e(3ScUc{
z!CS!Z0Sy852WV4GQe9(9meheUX0(HE@_N@vwcsPbmxJ=W;sA{xqZseL&mc*`Xl?dX
z)_UujrDl)MyKbXLsvadt<I%nf)WowuSzE2!hxw9pXtX9xm%h$h<@SNGL7oxgYCJ98
zrWT)Mrk!GvUk<bmjnsNQtxZtmlQz1W+gO?h2D8mAZB3q}I-fKFCb8Crx&}{DRfQA@
zp8I_*?v@QckIw~$tx-VPdY={=DI>s#gW}ie@g!B(HT!HW4Vu*w3uJ}2Ae{%qhSDxM
z!E`mizHOobIl-SBn7%$R>l)(EYVyWtYBNANl-EF6$|X>CIx#?}qLIxX9ILfo4$wHX
zv)K)vmRfHWgoEeQ-o#**zoD_IuE`^nOBc})hK5S7x4sSr_Xh?X2ZgLoC{q<TyEi3O
zc&pm3MQIAxMr(p9+FCpiFCD~qHq>2N>EUcVXr+M>35$2eXw4i6wi~6wk@u~L)$G$t
z?#rd-t=Le_bM%rc!FXus430gUHgdi=d)}~8p0sZi3i9@~VBZ&cInWbN*+EY6U24Pq
z8ujBomWG0y#s!$11(7ldW2Uhm+#+y-IWdCzjZQIxhH&3R*(Rs)C5W4=j?Ob>%72w<
zz~tZoCa3UGw%I98QJdLm7#bl-`83;PH`-Bv`T7Lo<^U&AS5T&SjoN~p#uSw5%-bWX
z!KHv3K^I`o0dTqC3<P!J617>JBAWUwPGdKg2SUS!TC+xinMI!&?P3zOg*e4J>JM?s
zCq`3yki&Qr3#U|*Z_X6i)E4SAdV?e>M{Q#_Pti~)2PHeq$pXTh#`}>Z4$27C&R!Zq
z&rc{j+-dv(J$Ce%s4Fgu`oo=ag^7m8I*d&yEjC<GUU;VAFgORjY_iK&%`_0<kf#RI
zFi1@><wQD+Powx87%Y(p%QRjAr={S6DbpB%`r#0(DUg?2C@0DxAGA<A$S*830AdQE
z;V6fp0HvKpn}h6fX9%@NI}FdEA%#9e*stJ;704VoLqaIRs9IAUO6^wYM*|zHcFS*s
z(y-MbOJS4~<1nOzsiue6jg5HXC<!$eC&6)^G`p^1aIC`^hSfCfwxC(zG=RnyG_rC7
zU5Lt*Uks-ln}f2fVbo(ykxRzVfX!ie6e~BMUXHRG-p3O{6=F9`#!Aa!GmRDebX)UN
z;AW{x1d8tcv6M5;VZ0BoSRR598Z+h95j23tqiED@<Rn}Mw@8(DPo!2ys_ljfa2Z^k
z@_|Si{*FVw8c8|h9fmPj)Cd#exj2dj#yjN0Q8bM9n`lRzgY9yBG__A~7&c<n=hEzO
zyYWYON`n<6IP3BabO#~VR%(xT$ZN6oL5^E#INo8rZq<`4Vls{6@IuJY=NZeuX$8R9
zIsgu#39-wUV<_idhcP-<>mEs5A2r~#`sj+zG@b^>3l;{T?-n?1weiSIn>JGGdk7ro
zTrE)J>Dzt0&VC1uBdlgxPK=}Wi8+3(5sAU?K4etAnDW~OIa4pDSfdicpti$F_4-#R
z%Y)16bq8Jf<pzF}OOv#5ccm<7GJuzllo%LyC*^(=t0br)A(}c8g6@JaKTk~N8?HMk
zKF(5++WJL`H=<Mmu=LVE|39N6F=i=%WiGh`<C*gO3cTvoCOmwFa-0MElz)q|qFPP-
zU1+^#NgW1o9M=T~GG)t~0{oqnBhU;mZ3*;$9XgsmOpK<#BnC0~6Q^#af<b!#*0vkq
z_B{Y!ccZLzuiC3op8q7k^PdT{Gi5o413Xjq?ihg2gY<p%v#LEv5`8v#yqbp7XyHqz
z{LCwY@gH6le%0PPmILd)+cNp)Rt4lIsalv)dxGgM%Y&E9w@c*PCBjRDUtqVF#_6*$
zNmnd%Znh$(kZ`!@3A=?n4n-u=8E^%&EEMTfL=w53F8UL=i{PeHc&>|1&bH8oTt%eP
z1#rt97Mhr+h;&+?=b|8|h291?gW~gDbRJxHz9KT|EpWBD7Md|f!IrLTj*F~$7P=13
zPN{QU^eVW=<|<+~4T5XUx6r(Kif~fjJQq!#W1(B%@+fb<i!OtEcD^F!&?n$}=2~dk
z0!7TDBMV%VHP1qZ0!1vKvH};~0Cx`DLJ|w%-+cJDP!S590avg9{w-2O5xEz^KX4bp
zl~A|>{|exrqKGoO0B-q0_*bZiCA7W}{w;!k;FeK*5&Q$!U8D#Xy#=mTfq%t{SV3LI
z@UIa5fh(uf68H!1u@Xf*K!e~~i{M|WBGyn}Df}yjf8gAdR|fyUJzJ)TO8Nv`PYL{6
ztOySsSq%S5;olNP)KJ+H_y_JBxH=L`;a?g2TdIh9Is>j?G5lMmhz4>mgMZ*IE-UwM
z$Gf-ltt0jPYCRKpb^I6G{QoP(0ljN9m%mAm`D0e!=xJriuTY<BtoX`3@)dm9_)j2@
z)lUzCX%J)oFYjkRTzNdk)Y`}{OOn+~6E`aUN<4B^@kg95ooAnUAH-J`z+?DB&L45U
zJOGd3c_{$*^PY(*&zleM#rq#_!yiWpdtY@9Z+W;4vTW+^j0LX+SXhA<H@?=BY14fF
zVLTlHjsm>7;0?$=pbyv&5b!AQ7;pf19C!ja2pj@<V>um21=4{GAQQ*}vVk1H4$KDd
zS4zqS@_>9`t|U#B=HY>zSpXCO3jqZv1bEjF3&a8ANVHB;xAMGUF#{n$C~yq;9`G!1
z95?}-1Wo}QG7fn)z<V$^z#%IFih*8$cYHoz6)*|lzXsSxNgPIwT0Kw#OqQf2(iA*Q
z1^9mgZyg(eM!*Yjo;U|4fWIl-zym-MfPa2`mL}mJn}mO1Qp$SVa9!~s4G9(x9@)+c
z;6W;CJMCYMC!V|<Z~^xN%YdZ-2atp61URT1+{FO?`KW;}11$wO8FK)(p5w`}<|HBT
z{AW*18XG+wNCen1b}*TD@6+(Wmg`Db5Kq#T=ibrB2I$H;`!fMn&dON$41f*hYS0yO
zb#N7M@;Tw0d@ce`wvGQiEW*RWKm&JjzKQ@gKsQSFkd-U}*fY)}N9#^Qxg1vlJf5Sl
z0$`7M4v*LSnJ)*XLBF&H_&UPe8268aRiTgTBN*T!Gy@I5I$$lpMaBimg<21Uwcv(J
zZtSMmj;WN}kvLk`ny9&>)TX~v$5~cM*QXquFN@V_$up9%{30lPbGnU#WWhUi@YZY6
zw!Zp5$RaH{C7EMhPHQ&Dh+1mfoGv=(2b+t;4*D}%9;L`FMK=9l?q@x}eq-gQZ^p=C
zOJL$2+Po#krXT2CFaGG%ubv*1(4Pvyi04T<v!zHL8oA$Z6*9&6YlNA){OQ6*=Wws3
zo4DUc<2q|>`bqGywHr6IeO^9JwLLW*)~%vvI%7mN^>?O=L-a~d42|lFCDYbe`Jjms
zwx-4D$CvNS$-DAS+3+b@q`+&=X1{6w?nv6Xb)0<BL?^cv$~cMb?6%5RO%%2*O}=TO
zxgfVp^z_448HdXI!G)XYhr6tFbz5wlez0oZSmS^D+UJQZI5nATc&eEqwx`AE2g9Ro
z#J^r-3O=Jcp2h*sHPh9dI3d{{8>gQpKiM(OaQ&x$9F#?Ba_S5YyUR>3Y%i2OX8Ih$
z^wa2y6(_o0cyDhOYh(W<oLf_2ciI<>x6+H<TkmKoeYjBbqcGrroMEO>J33`mN1BWi
z=^yV%ldpx-$2+Vu^%G_1>fdi1p7YFe2sS4Sy7V*X51yZWB;wq%$$=iM?YuGM=&=Se
z(9{zvUm8QZd#pD7w0iVYeXrlU?Y*Oc8CczFvS$8ciTe5VL!VyC_MdKA&JLrl;PBvB
z3fcK3hxNqt?ktwo=%&e9dME8F3#2ekKd^r7dB;H2(peK&Vn%WrN<q!)AwAXCqNwVT
zw3+(3_K@YCbCJ1+KZfaebz?PlPQVRs>dxtc9$)=S_or&brzWRo@LBikk7%l^zoyy(
zdUyBYFRG5y&&o^3KK|;CHpjbvk6Lgn9o}QbD(v4=WYdqrd*3Xckw3BO1lJCNgb?{D
zzBfkfA$#v#*B`G>l;KJ8_QuF7Vrf@zn&~`$b8wySrl0rbnr;MG<tT;ioj}eGgODg?
iZ-k}MTjfb|dwfZi4em-xJr;MiV{fkMZ1YoF#{3PX8S0?`

diff --git a/apps/boltcard/callback.ts b/apps/boltcard/callback.ts
index 363f187fd74..5c157239dfc 100644
--- a/apps/boltcard/callback.ts
+++ b/apps/boltcard/callback.ts
@@ -1,7 +1,75 @@
 import express from "express"
 
+import { gql, GraphQLClient } from "graphql-request"
+
 import { boltcardRouter } from "./router"
-import { fetchByK1 } from "./knex"
+import { fetchByCardId, fetchByK1 } from "./knex"
+import { apiUrl } from "./config"
+
+type GetUsdWalletIdQuery = {
+  readonly __typename: "Query"
+  readonly me?: {
+    readonly __typename: "User"
+    readonly defaultAccount: {
+      readonly __typename: "ConsumerAccount"
+      readonly id: string
+      readonly defaultWalletId: string
+      readonly wallets: ReadonlyArray<
+        | {
+            readonly __typename: "BTCWallet"
+            readonly id: string
+            readonly walletCurrency: WalletCurrency
+            readonly balance: number
+          }
+        | {
+            readonly __typename: "UsdWallet"
+            readonly id: string
+            readonly walletCurrency: WalletCurrency
+            readonly balance: number
+          }
+      >
+    }
+  } | null
+}
+
+type LnInvoicePaymentSendMutation = {
+  readonly __typename: "Mutation"
+  readonly lnInvoicePaymentSend: {
+    readonly __typename: "PaymentSendPayload"
+    readonly status?: string | null
+    readonly errors: ReadonlyArray<{
+      readonly __typename: "GraphQLApplicationError"
+      readonly message: string
+    }>
+  }
+}
+
+const getUsdWalletIdQuery = gql`
+  query getUsdWalletId {
+    me {
+      defaultAccount {
+        id
+        defaultWalletId
+        wallets {
+          id
+          walletCurrency
+          balance
+        }
+      }
+    }
+  }
+`
+
+const lnInvoicePaymentSendMutation = gql`
+  mutation lnInvoicePaymentSend($input: LnInvoicePaymentInput!) {
+    lnInvoicePaymentSend(input: $input) {
+      errors {
+        message
+      }
+      status
+    }
+  }
+`
 
 boltcardRouter.get("/callback", async (req: express.Request, res: express.Response) => {
   const k1 = req?.query?.k1
@@ -20,11 +88,47 @@ boltcardRouter.get("/callback", async (req: express.Request, res: express.Respon
   }
 
   const payment = await fetchByK1(k1)
-  console.log(payment)
-  // fetch user from k1
-  //   payInvoice(pr)
+  const { cardId } = payment
+
+  const card = await fetchByCardId(cardId)
+
+  const graphQLClient = new GraphQLClient(apiUrl, {
+    headers: {
+      authorization: `Bearer ${card.token}`,
+    },
+  })
+
+  const data = await graphQLClient.request<GetUsdWalletIdQuery>(getUsdWalletIdQuery)
+  const wallets = data.me?.defaultAccount.wallets
 
-  res.json({ status: "OK" })
+  if (!wallets) {
+    res.status(400).send({ status: "ERROR", reason: "no wallets found" })
+    return
+  }
+
+  const usdWallet = wallets.find((wallet) => wallet.walletCurrency === "USD")
+  const usdWalletId = usdWallet?.id
+
+  console.log({ usdWallet, wallets })
+
+  if (!usdWalletId) {
+    res.status(400).send({ status: "ERROR", reason: "no usd wallet found" })
+    return
+  }
+
+  const result = await graphQLClient.request<LnInvoicePaymentSendMutation>({
+    document: lnInvoicePaymentSendMutation,
+    variables: { input: { walletId: usdWalletId, paymentRequest: pr } },
+  })
+
+  if (result.lnInvoicePaymentSend.status === "SUCCESS") {
+    res.json({ status: "OK" })
+  } else {
+    res.status(400).send({
+      status: "ERROR",
+      reason: `payment failed: ${result.lnInvoicePaymentSend.errors[0].message}`,
+    })
+  }
 })
 
 const callback = "dummy"
diff --git a/apps/boltcard/config.ts b/apps/boltcard/config.ts
index 03eb0d416dc..59bc0e4620a 100644
--- a/apps/boltcard/config.ts
+++ b/apps/boltcard/config.ts
@@ -1,5 +1,7 @@
 export const serverUrl = process.env.SERVER_URL ?? "http://localhost:3000"
 
+export const apiUrl = process.env.API_URL ?? "http://localhost:4002/graphql"
+
 const AES_DECRYPT_KEY = process.env.AES_DECRYPT_KEY ?? "0c3b25d92b38ae443229dd59ad34b85d"
 
 export const aesDecryptKey = Buffer.from(AES_DECRYPT_KEY, "hex")
diff --git a/apps/boltcard/knex.ts b/apps/boltcard/knex.ts
index df953d44481..66736f23266 100644
--- a/apps/boltcard/knex.ts
+++ b/apps/boltcard/knex.ts
@@ -38,7 +38,8 @@ export async function createTable() {
 
         // if a card is resetted, the uid would stay the same
         table.string("uid").notNullable().index()
-        table.uuid("accountId").notNullable().index()
+        table.string("token").notNullable()
+
         table.integer("ctr").notNullable()
         table.boolean("enabled").notNullable().defaultTo(true)
 
@@ -59,7 +60,7 @@ export async function createTable() {
       table.string("oneTimeCode").notNullable().index().unique()
       table.timestamp("created_at").defaultTo(knex.fn.now())
       table.string("status").defaultTo("init") // init, fetched, used
-      table.uuid("accountId").notNullable()
+      table.string("token").notNullable()
 
       table.string("k0AuthKey").notNullable()
       table.string("k2CmacKey").notNullable().index().unique()
@@ -94,7 +95,7 @@ export async function fetchByCardId(cardId: string) {
 
 export interface CardInitInput {
   oneTimeCode: string
-  accountId: string
+  token: string
   k0AuthKey: string
   k2CmacKey: string
   k3: string
@@ -103,7 +104,7 @@ export interface CardInitInput {
 
 export async function createCardInit(cardData: CardInitInput) {
   try {
-    const { oneTimeCode, k0AuthKey, k2CmacKey, k3, k4, accountId } = cardData
+    const { oneTimeCode, k0AuthKey, k2CmacKey, k3, k4, token } = cardData
 
     const result = await knex("CardInit").insert({
       oneTimeCode,
@@ -111,7 +112,7 @@ export async function createCardInit(cardData: CardInitInput) {
       k2CmacKey,
       k3,
       k4,
-      accountId,
+      token,
     })
 
     return result
@@ -128,12 +129,12 @@ interface CardInput {
   k3: string
   k4: string
   ctr: number
-  accountId: string
+  token: string
 }
 
 export async function createCard(cardData: CardInput) {
   try {
-    const { uid, k0AuthKey, k2CmacKey, k3, k4, ctr, accountId } = cardData
+    const { uid, k0AuthKey, k2CmacKey, k3, k4, ctr, token } = cardData
 
     const [result] = await knex("Card")
       .insert({
@@ -143,7 +144,7 @@ export async function createCard(cardData: CardInput) {
         k3,
         k4,
         ctr,
-        accountId,
+        token,
       })
       .returning("*")
 
diff --git a/apps/boltcard/lnurlw.ts b/apps/boltcard/lnurlw.ts
index 6a822fc8a70..02359a9799e 100644
--- a/apps/boltcard/lnurlw.ts
+++ b/apps/boltcard/lnurlw.ts
@@ -99,10 +99,10 @@ boltcardRouter.get("/ln", async (req: express.Request, res: express.Response) =>
     const result = await maybeSetupCard({ uidRaw, ctrRawInverseBytes, ba_c })
 
     if (result) {
-      const { k0AuthKey, k2CmacKey, k3, k4, accountId } = result
+      const { k0AuthKey, k2CmacKey, k3, k4, token } = result
       await markCardInitAsUsed(k2CmacKey)
 
-      card = await createCard({ uid, k0AuthKey, k2CmacKey, k3, k4, ctr, accountId })
+      card = await createCard({ uid, k0AuthKey, k2CmacKey, k3, k4, ctr, token })
     } else {
       res.status(400).send({ status: "ERROR", reason: "card not found" })
       return
diff --git a/apps/boltcard/new.ts b/apps/boltcard/new.ts
index 3f30299a01f..3bd56f27806 100644
--- a/apps/boltcard/new.ts
+++ b/apps/boltcard/new.ts
@@ -23,19 +23,21 @@ function randomHex(): string {
 boltcardRouter.get(
   "/createboltcard",
   async (req: express.Request, res: express.Response) => {
-    const accountId = req.query.accountId
+    // should be pass with POST? not sure if this would be compatible
+    // with the wallet that can create cards
+    const token = req.query.token
 
-    if (!accountId) {
-      res.status(400).send({ status: "ERROR", reason: "accountId missing" })
+    if (!token) {
+      res.status(400).send({ status: "ERROR", reason: "token missing" })
       return
     }
 
-    if (typeof accountId !== "string") {
-      res.status(400).send({ status: "ERROR", reason: "accountId is not a string" })
+    if (typeof token !== "string") {
+      res.status(400).send({ status: "ERROR", reason: "token is not a string" })
       return
     }
 
-    // TODO: accountId uuid validation
+    // TODO: token validation?
 
     const oneTimeCode = randomHex()
     const k0AuthKey = "0c3b25d92b38ae443229dd59ad34b85d"
@@ -49,7 +51,7 @@ boltcardRouter.get(
       k2CmacKey,
       k3,
       k4,
-      accountId,
+      token,
     })
 
     if (result instanceof Error) {
diff --git a/apps/boltcard/package.json b/apps/boltcard/package.json
index 7360c90c89d..9243867d93c 100644
--- a/apps/boltcard/package.json
+++ b/apps/boltcard/package.json
@@ -8,6 +8,8 @@
     "aes-js": "^3.1.2",
     "body-parser": "^1.20.2",
     "express": "^4.18.2",
+    "graphql": "^16.8.0",
+    "graphql-request": "^6.1.0",
     "knex": "^2.5.1",
     "node-aes-cmac": "^0.1.1",
     "pg": "^8.11.3"