ElementsProject / lightning

Core Lightning — Lightning Network implementation focusing on spec compliance and performance

Rune restrictions per unit of time and rune UX #7308

Open Amperstrand opened 4 months ago

Amperstrand commented 4 months ago

Goal: to create a rune that can be rate limited to N times per hour

Documentation:

rate: the rate limit, per minute, e.g. "rate=60" is equivalent to "per=1sec".

First attempt:

lightning-cli decode string=$(lightning-cli createrune restrictions='[["per=1hour"]]' | jq -r '.rune')
{
   "type": "rune",
   "unique_id": "250",
   "string": "XXXXXXXX:=250&per=1hour",
   "restrictions": [
      {
         "alternatives": [
            "per=1hour"
         ],
         "summary": "per (unknown condition?) equal to '1hour'"
      }
   ],
   "valid": true
}

Issue 1 (UX): Human readable output

createrune does not show human readable output. This means that I need to use lightning-cli decode string=$rune to interpret the rune in a way that a human can understand it.

proposed fix: consider including the human readable summary or restrictions as part of the createrune output.

Issue 2: createrune allows you to create invalid runes

lightning-cli createrune restrictions='foo'
{
   "code": -32602,
   "message": "restrictions: not a valid restriction (should be array): invalid token '\"foo\"'"
}

lightning-cli decode string=$(lightning-cli createrune restrictions='["foo=bar"]' | jq -r '.rune')
{
   "type": "rune",
   "unique_id": "255",
   "string": "XXXXX:=255&foo=bar",
   "restrictions": [
      {
         "alternatives": [
            "foo=bar"
         ],
         "summary": "foo (unknown condition?) equal to 'bar'"
      }
   ],
   "valid": true
}

suggested fix: Either don't allow creating runes with unknown conditions or issue a warning when issuing

Issue 3 (UX) Warnings for runes that can drain funds

lightning-cli createrune
{
   "rune": "XXXXX",
   "unique_id": "256",
   "warning_unrestricted_rune": "WARNING: This rune has no restrictions! Anyone who has access to this rune could drain funds from your node. Be careful when giving this to apps that you don't trust. Consider using the restrictions parameter to only allow access to specific rpc methods."
}

lightning-cli createrune restrictions='[["method=pay"]]'
{
   "rune": "XXXXX",
   "unique_id": "257"
}

suggested fix: both these runes will allow the user to drain all of the funds, but only the first one comes with a warning. Not quite sure how to fix this other than finding a way to communicate to the user what the rune will actually allow you to do.

Amperstrand commented 4 months ago

Highlighting the difference between AND vs OR

future_time=$(($(date +%s) + 24*60*60))
OR_restrictions='[["time<'$future_time'","rate=2"]]'
AND_restrictions='[["time<'$future_time'"],["rate=2"]]'
lightning-cli decode string=$(lightning-cli createrune restrictions=$AND_restrictions | jq .rune) | jq .restrictions

[
  {
    "alternatives": [
      "time<1715762646"
    ],
    "summary": "time (in seconds since 1970) less than 1715762646 (approximately 23 hours 59 minutes from now)"
  },
  {
    "alternatives": [
      "rate=2"
    ],
    "summary": "rate (max per minute) equal to 2"
  }
]

lightning-cli decode string=$(lightning-cli createrune restrictions=$OR_restrictions | jq .rune) | jq .restrictions

[
  {
    "alternatives": [
      "time<1715762646",
      "rate=2"
    ],
    "summary": "time (in seconds since 1970) less than 1715762646 (approximately 23 hours 58 minutes from now) OR rate (max per minute) equal to 2"
  }
]

Perhaps a safer way to create AND restrictions is to create hierarchical runes where the parent rune has a time to live ("time<'$future_time'") and the child rune has a rate limit.
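
Added example, not part of the issue thread or of Core Lightning's code: a small audit over the `restrictions` array that `lightning-cli decode` prints, flagging the cases raised above (no restrictions, an "(unknown condition?)" summary, and a limit that sits in the same alternatives group as another condition and is therefore ORed rather than ANDed). The function names and the `LIMIT_FIELDS` set are assumptions made for this illustration; the sample inputs are constructed from the decode output shown in the thread.

```python
import json
import re

# Constructed samples: `restrictions` arrays as printed by `lightning-cli decode`
# in the thread above (summaries abbreviated).
AND_RUNE = json.loads("""[
  {"alternatives": ["time<1715762646"],
   "summary": "time (in seconds since 1970) less than 1715762646"},
  {"alternatives": ["rate=2"],
   "summary": "rate (max per minute) equal to 2"}
]""")
OR_RUNE = json.loads("""[
  {"alternatives": ["time<1715762646", "rate=2"],
   "summary": "time (in seconds since 1970) less than 1715762646 OR rate (max per minute) equal to 2"}
]""")
UNKNOWN_RUNE = json.loads("""[
  {"alternatives": ["foo=bar"],
   "summary": "foo (unknown condition?) equal to 'bar'"}
]""")

# Assumption: the fields this audit treats as limits that must hold on their own.
LIMIT_FIELDS = {"time", "rate", "per"}


def field_of(alternative):
    """Field name of one alternative: the characters before the operator."""
    return re.match(r"[A-Za-z0-9_]*", alternative).group(0)


def audit(restrictions):
    """Return a list of findings for a decoded rune's restrictions array."""
    findings = []
    if not restrictions:
        findings.append("unrestricted: no restrictions at all")
    # Every restriction must pass (AND); inside one, any alternative may pass (OR).
    for n, restriction in enumerate(restrictions):
        alts = restriction["alternatives"]
        if "(unknown condition?)" in restriction.get("summary", ""):
            findings.append(f"restriction {n}: unknown condition in {alts}")
        limits = [a for a in alts if field_of(a) in LIMIT_FIELDS]
        if limits and len(alts) > 1:
            findings.append(f"restriction {n}: limit {limits} is ORed with other alternatives")
    return findings


if __name__ == "__main__":
    for name, rune in [("AND", AND_RUNE), ("OR", OR_RUNE), ("unknown", UNKNOWN_RUNE)]:
        print(name, audit(rune))
```

Feed it the output of `lightning-cli decode string=$rune | jq .restrictions` before handing a rune to an application.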