Fonta1n3 / FullyNoded

Self-sovereign, secure, powerful, easy-to-use wallet that utilizes your own node as a backend. Powered by PSBTs and descriptors. Acts as an offline signer using your node as a watch-only wallet. C-Lightning compatible for instant, unfairly cheap payments.
https://fullynoded.app

Any technical reason behind alphanumeric-only RPC passwords? #63

Closed keeshux closed 4 years ago

keeshux commented 4 years ago

I know that the Bitcoin Core rpcauth.py script can take any custom password as input, yet by default it generates non-alphanumeric passwords, which are not accepted by this app.

Is there any particular reason I may be overlooking why you chose to restrict passwords to alphanumeric?

Thank you!

Fonta1n3 commented 4 years ago

Yes, special characters can break the url to your node. It’d be like putting a colon or period in random places in a website url, it wouldn’t work.

keeshux commented 4 years ago

Then it's something bound to using QR, but if I enter connection parameters manually this should not be a limitation, correct?

Fonta1n3 commented 4 years ago

> Then it's something bound to using QR, but if I enter connection parameters manually this should not be a limitation, correct?

Incorrect, there is no difference between QR and manual entry other than the means of adding the creds. It always forms an http url which can be broken by characters that invalidate a url.

keeshux commented 4 years ago

I see, in fact I found that LightningRPC.swift uses credentials in an HTTP URL (http://user:pass@host/...). bitcoin-cli must be using something else.

It all makes sense, thanks for the clarifications!

Fonta1n3 commented 4 years ago

> I see, in fact I found that LightningRPC.swift uses credentials in an HTTP URL (http://user:pass@host/...). bitcoin-cli must be using something else.
>
> It all makes sense, thanks for the clarifications!

Bitcoin-cli uses the same scheme, over Tor of course, so everything is encrypted (from FN's perspective anyway); it's really designed for localhost.

http://rpcuser:rpcpass@xxxxxxx.onion:8332

Fonta1n3 commented 4 years ago

It may not be that all special chars invalidate it... I am not sure. All I know is I've had users unable to connect because non-alphanumeric chars were in their RPC creds, so I banned them :) Obviously : @ . / would all break the URL; I haven't taken the time to test every single one.

keeshux commented 4 years ago

Having been in the same boat, I agree with the choice. If anything, URL encoding/decoding is also very implementation-dependent; better not to rely on it.
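The breakage discussed in this thread, and the two standard ways around it, as an added example. This is Python written for this page, not FullyNoded's Swift code; the `.onion` host and the passwords are constructed, and the only fact assumed about Bitcoin Core is that its JSON-RPC server authenticates with HTTP Basic auth, which is what a `user:pass@host` URL ultimately becomes on the wire.

```python
"""Why raw RPC credentials break a userinfo-style URL, and two fixes.

Added example for this thread; not FullyNoded's code. Host and passwords
below are constructed test values.
"""
import base64
import re
from urllib.parse import quote, unquote, urlsplit

_ALNUM = re.compile(r"[A-Za-z0-9]+")


def is_alnum_password(password: str) -> bool:
    """The restriction the app enforces: letters and digits only."""
    return bool(_ALNUM.fullmatch(password))


def naive_rpc_url(user: str, password: str, host: str, port: int = 8332) -> str:
    """String-concatenate credentials into http://user:pass@host:port/ as-is."""
    return f"http://{user}:{password}@{host}:{port}/"


def encoded_rpc_url(user: str, password: str, host: str, port: int = 8332) -> str:
    """Fix 1: percent-encode the userinfo (RFC 3986 section 3.2.1).

    safe='' forces even '/' to be encoded; urllib leaves it alone by default.
    """
    return f"http://{quote(user, safe='')}:{quote(password, safe='')}@{host}:{port}/"


def parse_credentials(url: str):
    """Return (user, password, hostname, port) as a URL parser sees them.

    Returns None when the URL no longer parses into a usable authority,
    which is what happens to a node connection built from such a URL.
    """
    parts = urlsplit(url)
    try:
        port = parts.port  # raises ValueError when the "port" is not numeric
    except ValueError:
        return None
    if parts.hostname is None or parts.username is None or parts.password is None:
        return None
    return (unquote(parts.username), unquote(parts.password), parts.hostname, port)


def basic_auth_header(user: str, password: str) -> dict:
    """Fix 2: keep credentials out of the URL entirely and send HTTP Basic.

    The URL becomes http://host:port/ and any password byte is acceptable.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def decode_basic_auth(headers: dict):
    """Server-side view of the header: the FIRST ':' splits user from password,
    so a password may itself contain ':' without ambiguity."""
    scheme, _, token = headers["Authorization"].partition(" ")
    if scheme != "Basic":
        raise ValueError("not HTTP Basic auth")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


if __name__ == "__main__":
    host = "xxxxxxx.onion"  # constructed placeholder, as in the thread
    for pw in ["Abc123", "p/ss", "p?ss", "p#ss", "p@ss", "p:ss"]:
        print(f"{pw!r:10} alnum={is_alnum_password(pw)!s:5} "
              f"naive={parse_credentials(naive_rpc_url('rpcuser', pw, host))} "
              f"encoded={parse_credentials(encoded_rpc_url('rpcuser', pw, host))}")
    hdr = basic_auth_header("rpcuser", "p/ss@#?:")
    print(hdr, decode_basic_auth(hdr))
```

Two things worth noticing when running it. Any RFC 3986 parser ends the authority component at the first `/`, `?` or `#`, so those characters in an unencoded password always move the `@host:port` part into the path, query or fragment and the "port" becomes the tail of the password. Python's `urlsplit` happens to tolerate `:` and `@` inside the password because it splits the userinfo at the last `@` and the first `:`; other URL libraries do not all make the same choice, which is exactly the implementation-dependence keeshux points out. Percent-encoding removes the ambiguity for every parser that decodes userinfo, and sending the `Authorization` header directly removes the URL from the problem altogether.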