cmd/payments: reject invoices without payment secret or blinded paths

Ensure that a payment is only sent if the invoice includes either a
payment address (payment secret) or at least one blinded path. This
enforces invoice security requirements and prevents insecure payment
attempts.

Author: erickcestari

cmd/commands/cmd_payments.go

@@ -588,6 +588,14 @@ func SendPaymentRequest(ctx *cli.Context, req *routerrpc.SendPaymentRequest,
 			amt = invoiceAmt
 		}
 
+		// An invoice must include either a payment address or
+		// blinded paths.
+		if (len(decodeResp.PaymentAddr) == 0) &&
+			decodeResp.BlindedPaths == nil {
+			return fmt.Errorf("invoice must contain either a " +
+				"payment address or blinded paths")
+		}
+
 		// Calculate fee limit based on the determined amount.
 		feeLimit, err = retrieveFeeLimit(ctx, amt)
 		if err != nil {