Enable macaroons #552
Enable macaroons #552
Conversation
valentinewallace
force-pushed
the
enable-macaroons
branch
from
d02753e
to
0b309a7
Compare
public/grpc-client.js
Outdated
| function getMacaroonCreds(lndSettingsDir) { | ||
| return grpc.credentials.createFromMetadataGenerator(function(args, callback) { | ||
| const metadata = new grpc.Metadata(); | ||
| const macaroonPath = path.join(lndSettingsDir, 'admin.macaroon'); |
There was a problem hiding this comment.
It's worth noting that soon the macaroons will be stored in the network directory. Do we want to hold off on this PR until this happens?
There was a problem hiding this comment.
When that happens, the fix should just be a path update
| @@ -226,6 +221,7 @@ describe('Action Integration Tests', function() { | |||
|
|
|||
| it('should fund wallet for node1', async () => { | |||
| btcdProcess.kill(); | |||
| await nap(NAP_TIME); | |||
There was a problem hiding this comment.
Ha, fixed thx
valentinewallace
force-pushed
the
enable-macaroons
branch
from
0b309a7
to
d0b2b32
Compare
|
Build's failing because we're not using the latest lnd on travis, will update once I figure out what the best commit would be. |
| credentials = grpc.credentials.combineChannelCredentials( | ||
| credentials, | ||
| macaroonCreds | ||
| ); |
There was a problem hiding this comment.
So the locker doesn't need macaroons? Only the lnrpc.Lightning service?
There was a problem hiding this comment.
If the wallet hasn't been initialized, the macaroons don't exist yet. The wallet creation process involves creating the macaroons :)
| const macaroonHex = fs.readFileSync(macaroonPath).toString('hex'); | ||
| metadata.add('macaroon', macaroonHex); | ||
| callback(null, metadata); | ||
| }); |
There was a problem hiding this comment.
How does this work with return if it's asynchronous? Don't we need to wait for the callback to set the metadata?
There was a problem hiding this comment.
In order to combine the ssl credentials with the macaroon metadata, we need to turn the metadata into a CallCredentials object.
createFromMetadataGenerator requires an metadata generator (the asynchronous function) and returns a CallCredentials object that can be composed with the ssl ChannelCredentials object: googleapis/google-cloud-node#1346 (comment)
There was a problem hiding this comment.
Ok. Thanks for the explanation.
public/grpc-client.js
Outdated
| metadata.add('macaroon', macaroonHex); | ||
| return metadata; | ||
| function getMacaroonCreds(lndSettingsDir, network) { | ||
| return grpc.credentials.createFromMetadataGenerator(function(args, callback) { |
There was a problem hiding this comment.
Use array function (args, callback) => here.
| credentials = grpc.credentials.combineChannelCredentials( | ||
| credentials, | ||
| macaroonCreds | ||
| ); | ||
| lnd = new lnrpc.Lightning(`localhost:${lndPort}`, credentials); |
There was a problem hiding this comment.
So we don't need to pass the metadata in each api call because we inject the credentials here?
There was a problem hiding this comment.
Yep, thought it simplified the code a bit to not have to remember to pass in metadata each time.
There was a problem hiding this comment.
If we stayed with passing in metadata each time, we'd also have to get the macaroons to action/grpc and pass them into the Duplex here: https://github.com/lightninglabs/lightning-app/blob/master/src/action/grpc.js#L96 or else stream writes fail due to missing macaroons.
| @@ -9,7 +9,7 @@ module.exports.RATE_DELAY = 15 * 60 * 1000; | |||
|
|
|||
| module.exports.LND_PORT = 10009; | |||
| module.exports.LND_PEER_PORT = 10019; | |||
| module.exports.MACAROONS_ENABLED = false; | |||
| module.exports.NETWORK = 'testnet'; | |||
There was a problem hiding this comment.
What if we're in dev mode? Then the app will start with testnet instead of simnet?
|
|
||
| lncli --rpcserver=localhost:10009 --no-macaroons --lnddir=data/lnd sendpayment --pay_req=ENCODED_INVOICE | ||
| lncli --rpcserver=localhost:10009 --lnddir=data/lnd sendpayment --pay_req=ENCODED_INVOICE |
valentinewallace
force-pushed
the
enable-macaroons
branch
from
8601b90
to
fccd4ba
Compare
public/electron.js
Outdated
| @@ -123,7 +123,7 @@ function createWindow() { | |||
| ipcMain, | |||
| lndSettingsDir, | |||
| lndPort: LND_PORT, | |||
| macaroonsEnabled: MACAROONS_ENABLED, | |||
| network: NETWORK, | |||
There was a problem hiding this comment.
network: isDev ? 'simnet' : NETWORK
Else the app will use 'testnet' in dev mode as well.
There was a problem hiding this comment.
ah missed that, fixed
valentinewallace
force-pushed
the
enable-macaroons
branch
from
fccd4ba
to
4c02208
Compare
Now, each network has its own macaroons.
valentinewallace
force-pushed
the
enable-macaroons
branch
from
4c02208
to
4a3409a
Compare
Due to a security vulnerability, macaroons should always be enabled within the app.