Skip to content

Require HTTP Basic Auth for all RPC/CLI #88

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
benthecarman wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Require HTTP Basic Auth for all RPC/CLI #88

benthecarman wants to merge 1 commit into from

Conversation

@benthecarman
Copy link
Collaborator

@benthecarman benthecarman commented Dec 18, 2025

Adds basic auth to protect the RPC from potential attackers.

@benthecarman benthecarman requested a review from tnull December 18, 2025 05:31
@benthecarman benthecarman self-assigned this Dec 18, 2025
@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Dec 18, 2025
edited
Loading

👋 Thanks for assigning @tnull as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

@benthecarman
Require HTTP Basic Auth for all RPC/CLI
27f36c4 
Adds basic auth to protect the RPC from potential attackers.
@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Dec 20, 2025

🔔 1st Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Dec 22, 2025

🔔 2nd Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Dec 24, 2025

🔔 3rd Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Dec 27, 2025

🔔 4th Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Dec 29, 2025

🔔 5th Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Dec 31, 2025

🔔 6th Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Jan 3, 2026

🔔 7th Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Jan 5, 2026

🔔 8th Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

tnull
tnull reviewed Jan 5, 2026
View reviewed changes
Copy link
Collaborator

@tnull tnull left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So far we assumed the RPC API to not be publicly accessible. If we do assume it is, we should probably also start to take futher precautions (e.g., take a look at DoS protection, etc).

That said, I'm not against adding authentication to the RPC protocol, however, if we do:

  1. We should never transmit unhashed & unsalted passwords/credentials.
  2. Authentication's utility is very limited if we're sending credentials over unencrypted channels (actually, it might just give a false sense of security). So if we add authentication, we should probably start looking into (requiring) TLS for the RPC connections, and add corresponding helpers to generate and configure corresponding self-signed certificates.

ldk-server-client/src/client.rs
.client
.post(url)
.header(CONTENT_TYPE, APPLICATION_OCTET_STREAM)
.basic_auth(username, Some(password))
Copy link
Collaborator

@tnull tnull Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we should ever transmit an unhashed and unsalted password.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tnull tnull tnull left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@benthecarman benthecarman

Labels

None yet

Projects

Weekly Goals
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@benthecarman @ldk-reviews-bot @tnull