Plugin clnrest improvements #6436

Closed
ShahanaFarooqui opened this issue Jul 24, 2023 · 5 comments · Fixed by #6686

@ShahanaFarooqui
Collaborator

ShahanaFarooqui commented Jul 24, 2023

  • Generate client, server & CA certs.

  • Write automated testcases

  • Add configurable CSRF, CORS & CSP options

  • Add websocket server support for browsers too
    Reported by @ddustin on Discord
    "It looks like the web browser based websocket api does not allow custom http headers. so I believe, in its current form,
    clnrest isn't usable in a web browser -- was that intentional? perhaps we could move the rune and node id to another field (uri
    or websocket message) so we're compatible with web browsers. Here are four common solutions to the problem:
    https://websockets.readthedocs.io/en/stable/topics/authentication.html"

@ShahanaFarooqui ShahanaFarooqui added this to the v23.11 milestone Jul 24, 2023
@ShahanaFarooqui ShahanaFarooqui self-assigned this Jul 24, 2023
@tonyaldon
Contributor

Hey @ShahanaFarooqui if you're not already working on clnrest tests I'd like to write some tests for clnrest plugin. Is it okay for you?

@ShahanaFarooqui
Collaborator Author

@tonyaldon Hey, perfect timing. I was about to start it today. Please go ahead and let me know if you need any information regarding it.

BTW, you can refer to ./tests/test_cln_rs.py which has been written for grpc and mimic the same tests for clnrest as well.

@tonyaldon
Contributor

Cool! I'll work on it. Thanks for the reference to grpc test.

@ShahanaFarooqui ShahanaFarooqui linked a pull request Sep 15, 2023 that will close this issue
@ShahanaFarooqui
Collaborator Author

ShahanaFarooqui commented Sep 16, 2023

For posterity:

  • Generate client, server & CA certs.

Done.

  • Add configurable CSRF, CORS & CSP options

Introduced CORS and CSP configuration options, but not including CSRF as long as there is no absolute need, because:
- Not using cookies, the SameSite cookie attribute, and ensuring that the client never sends the rune automatically with cross-site requests can easily mitigate the risk of an XSRF attack.
- Adding that with a strict origin check, the rune's embedded restrictions and stateless authentication (i.e. the rune is passed via an authorization header) makes CSRF negligible.

  • Add websocket server support for browsers too

Websocket Server support for browser was already available but it did not have rune authentication. Added the authentication and an html/js example in doc/developers-guide/app-development/rest.md now.
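
The reasoning in the comment above, sketched as an added example (not clnrest's own code): a stateless request gate that reads the rune only from a request header, never from cookies, and applies a strict origin allowlist. The header name, the origins and the `rune_is_valid` stand-in are assumptions made for illustration.

```python
import hmac

# Constructed sample configuration (not clnrest's real option names or values).
ALLOWED_ORIGINS = {"https://wallet.example"}
VALID_RUNE = "constructed-sample-rune"   # stand-in for real rune validation
RUNE_HEADER = "rune"                     # assumed header name, lower-cased

def rune_is_valid(rune):
    # Stand-in check; a real server would ask the node to verify the rune
    # and its embedded restrictions.
    return hmac.compare_digest(rune.encode(), VALID_RUNE.encode())

def gate(method, headers):
    """Return (status, response_headers); cookies are never consulted."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    cors = {}
    if origin is not None:
        # Browser request: exact allowlist match, no wildcard, no reflection.
        if origin not in ALLOWED_ORIGINS:
            return 403, {}
        cors = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if method == "OPTIONS":
        # Preflight: a custom header makes the browser ask before sending.
        cors["Access-Control-Allow-Headers"] = RUNE_HEADER
        return 204, cors
    rune = h.get(RUNE_HEADER)
    if rune is None or not rune_is_valid(rune):
        return 401, cors
    return 200, cors

# Constructed requests covering the cases in the comment above.
CROSS_SITE_FORM = ("POST", {"Origin": "https://other.example",
                            "Cookie": "rune=" + VALID_RUNE})
COOKIE_ONLY = ("POST", {"Origin": "https://wallet.example",
                        "Cookie": "rune=" + VALID_RUNE})
BROWSER_APP = ("POST", {"Origin": "https://wallet.example", "Rune": VALID_RUNE})
CLI_CLIENT = ("POST", {"Rune": VALID_RUNE})   # no Origin header: not a browser

if __name__ == "__main__":
    for name, req in [("cross-site form", CROSS_SITE_FORM),
                      ("cookie only", COOKIE_ONLY),
                      ("browser app", BROWSER_APP), ("cli client", CLI_CLIENT)]:
        print(name, gate(*req)[0])
```

A rune placed in a cookie authenticates nothing here, so a request the browser sends on its own cannot carry valid credentials; only script running on an allowlisted origin can attach the header.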

@ShahanaFarooqui
Collaborator Author

> Cool! I'll work on it. Thanks for the reference to grpc test.

Please link your PR with this issue as well once it is drafted/ready for review.

ShahanaFarooqui pushed a commit to ShahanaFarooqui/lightning that referenced this issue Oct 30, 2023
- cln-grpc certificate reuse
- new certificate generation
- `GET` and `POST` requests
- websocket server
- config options and HTTP headers

Link to ElementsProject#6436.
ShahanaFarooqui pushed a commit to ShahanaFarooqui/lightning that referenced this issue Oct 31, 2023
ShahanaFarooqui pushed a commit to ShahanaFarooqui/lightning that referenced this issue Oct 31, 2023
ShahanaFarooqui pushed a commit to ShahanaFarooqui/lightning that referenced this issue Nov 3, 2023
rustyrussell pushed a commit to ShahanaFarooqui/lightning that referenced this issue Nov 10, 2023
ShahanaFarooqui pushed a commit to ShahanaFarooqui/lightning that referenced this issue Nov 11, 2023
nepet pushed a commit that referenced this issue Nov 16, 2023
- cln-grpc certificate reuse
- new certificate generation
- `GET` and `POST` requests
- websocket server
- config options and HTTP headers

Link to #6436.