ironfish icon indicating copy to clipboard operation
ironfish copied to clipboard

Published 20 hours ago verified publisher icon iron-fish

[FIP] Ironfish auth system for Rpc call

Open hairtail opened this issue 2 years ago • 3 comments

Description

Support different level of permission for Ironfish Rpc

  • Read: Read node state, no private data.
  • Write: Write to local store / chain, and read permissions.
  • Sign: Use private keys stored in accounts for signing, read and write permissions.
  • Admin: Manage permissions, read, write and sign permissions.

hairtail avatar Jun 26 '22 14:06 hairtail

I'm curious about this, because it's an important feature that we need.

Instead of Read / Write / Sign /Admin should we just do this based on RPC routes / namespaces? You could just have preset configurations called Read, Write, Sign, Admin where each one is just a set of namespaces / requests that we decide makes sense, but users could also provision keys with their own set of requests.

for instance config/getConfig is read only, but could reveal sensitive information. I would only mount this request and make it available to keys with Admin level even though it's a read only api.

const READ = [
    `${ApiNamespace.node}/status`,
]

const ADMIN = [
    ApiNamespace.config,
    `${ApiNamespace.node}/stop`
]

class RpcKey {
    key: Buffer
    permissions: string[]
}

const adminKey = new RpcKey(ADMIN)
const readKey = new RpcKey(READ)

NullSoldier avatar Jul 01 '22 19:07 NullSoldier

Cool, what you have mentioned above is kind of easy way to implement auth system. If everything is ok, I will try to work on it.

hairtail avatar Jul 01 '22 23:07 hairtail

Working on auth sys with Bearer token. Let me know if there's some update or anything wrong.

hairtail avatar Jul 12 '22 07:07 hairtail

RPC auth tokens were added in #2224

hughy avatar Dec 08 '22 20:12 hughy