
Add authentication to the RPC layer

Open geoknee opened this issue 2 years ago • 3 comments

Right now, anyone can spend money or otherwise cause havoc via a nitro node's public RPC endpoint.

geoknee avatar Jul 10 '23 17:07 geoknee

From duplicate thread:

In the universe of nitro-as-a-sidecar rather than nitro-as-a-networked-service there's the option to only accept connections from the local machine.

Good point, but I suppose there might still be attack vectors from malware?

NiloCK avatar Jul 14 '23 12:07 NiloCK

Solving this may involve our supporting wss and https (secure).

geoknee avatar Jul 18 '23 11:07 geoknee

Useful resources:

  • https://besu.hyperledger.org/stable/public-networks/how-to/use-besu-api/authenticate
  • https://medium.com/@terawattled/protecting-ethereum-json-rpc-api-with-password-887f3591d221

We may want to protect different API methods in different ways. For example, GetAddress() may require different credentials from CreateLedgerChannel().

The second article suggests that using nginx (reverse proxy) is a good pattern because the authentication built into e.g. go-nitro can then be very simple.

geoknee avatar Jul 19 '23 15:07 geoknee
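The per-method protection and the loopback-only option discussed in this thread, written out as an added Go example (not go-nitro's own code). It keeps the in-process check deliberately small, in line with the suggestion that a reverse proxy can terminate TLS and do the heavier authentication: a bearer-token table whose tokens are stored only as SHA-256 hashes, a hypothetical method-to-role policy that denies unlisted methods, an HTTP middleware that applies it to the JSON-RPC method name, and a listener bound to 127.0.0.1. The method names GetAddress and CreateLedgerChannel come from the thread; the other method names, the port, the tokens and the `methodPolicy` table are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"strings"
)

// Role is the privilege level a caller must hold for an RPC method.
// A higher role implies the lower ones (a spender may also read).
type Role int

const (
	RoleReader  Role = iota + 1 // may query state (GetAddress, ...)
	RoleSpender                 // may move funds (CreateLedgerChannel, ...)
)

// Sentinel errors returned by Authorize; the HTTP layer maps them to status codes.
var (
	ErrUnauthorized = errors.New("missing or unknown credential")
	ErrForbidden    = errors.New("credential lacks the role this method requires")
)

// methodPolicy is a hypothetical per-method role table. Methods not listed here
// are denied for everyone, so a newly added RPC method is closed until policy is written.
var methodPolicy = map[string]Role{
	"GetAddress":          RoleReader,
	"GetLedgerChannel":    RoleReader, // assumed method name
	"CreateLedgerChannel": RoleSpender,
	"Pay":                 RoleSpender, // assumed method name
}

// credential holds only the SHA-256 of a bearer token, so a leaked config file
// does not yield usable tokens, plus the role the token grants.
type credential struct {
	tokenHash [32]byte
	role      Role
}

// Credentials is the in-memory token store for this example.
type Credentials []credential

// NewCredentials hashes plaintext tokens once at startup (constructed sample
// input; a real deployment would load the hashes, not the plaintext).
func NewCredentials(plain map[string]Role) Credentials {
	var c Credentials
	for tok, role := range plain {
		c = append(c, credential{tokenHash: sha256.Sum256([]byte(tok)), role: role})
	}
	return c
}

// lookup compares the presented token's hash against every stored hash in constant
// time and without early exit, so response timing does not reveal which entry matched.
func (c Credentials) lookup(token string) (Role, bool) {
	h := sha256.Sum256([]byte(token))
	var role Role
	found := false
	for _, cred := range c {
		if subtle.ConstantTimeCompare(h[:], cred.tokenHash[:]) == 1 {
			role, found = cred.role, true
		}
	}
	return role, found
}

// Authorize decides whether the holder of token may call method.
func (c Credentials) Authorize(method, token string) error {
	role, ok := c.lookup(token)
	if !ok {
		return ErrUnauthorized
	}
	need, known := methodPolicy[method]
	if !known || role < need {
		return ErrForbidden
	}
	return nil
}

// rpcEnvelope is the subset of a JSON-RPC 2.0 request needed for the policy check.
type rpcEnvelope struct {
	Method string `json:"method"`
}

// RequireAuth wraps the real RPC handler: it extracts the bearer token and the
// JSON-RPC method, runs Authorize, and forwards only requests that pass.
func RequireAuth(creds Credentials, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := ""
		if auth := r.Header.Get("Authorization"); strings.HasPrefix(auth, "Bearer ") {
			token = strings.TrimPrefix(auth, "Bearer ")
		}
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // cap body size before parsing
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		var env rpcEnvelope
		if err := json.Unmarshal(body, &env); err != nil || env.Method == "" {
			http.Error(w, "malformed JSON-RPC request", http.StatusBadRequest)
			return
		}
		switch err := creds.Authorize(env.Method, token); {
		case errors.Is(err, ErrUnauthorized):
			w.Header().Set("WWW-Authenticate", `Bearer realm="nitro-rpc"`)
			http.Error(w, err.Error(), http.StatusUnauthorized)
			return
		case errors.Is(err, ErrForbidden):
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(body)) // hand the consumed body back to next
		next.ServeHTTP(w, r)
	})
}

// ListenLoopback binds only to the loopback interface, the "nitro-as-a-sidecar"
// option from the thread: remote hosts cannot reach the endpoint at all.
func ListenLoopback(port int) (net.Listener, error) {
	return net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
}

func main() {
	creds := NewCredentials(map[string]Role{
		"reader-token-EXAMPLE":  RoleReader, // constructed sample tokens
		"spender-token-EXAMPLE": RoleSpender,
	})
	// Stand-in for the real RPC server behind the middleware.
	rpc := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, `{"jsonrpc":"2.0","result":"ok","id":1}`)
	})
	ln, err := ListenLoopback(4005) // example port, not a go-nitro default
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("listening on %s (loopback only)", ln.Addr())
	log.Fatal(http.Serve(ln, RequireAuth(creds, rpc)))
}
```

The middleware answers 401 when no known token is presented and 403 when the token is known but its role is too low for the requested method, so a reader credential can call GetAddress but not CreateLedgerChannel. If the node is ever exposed beyond loopback, the bearer tokens must travel over TLS (terminated at the proxy or via ListenAndServeTLS), since a plaintext bearer token is as good as no authentication to anyone on the path.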