getAlby / lightning-browser-extension

The Bitcoin Lightning Browser Extension that brings deep Lightning & Nostr integration to the web. Wallet interface to multiple lightning nodes and key signer for Nostr, Liquid and onchain use.
https://getalby.com/#extension
MIT License
529 stars 193 forks

What permissions does Alby need from LND? #1033

Open mariaa144 opened 2 years ago

mariaa144 commented 2 years ago

I would like to know what permissions Alby needs from LND so I can create the proper macaroon.

Can instructions on what permissions to include in a macaroon be included in the documentation or install guide?

Perhaps instructions like charge-lnd has could be added. https://github.com/accumulator/charge-lnd/blob/master/INSTALL.md#installation

qqqzhch commented 1 year ago

Let me test the differences between accounts with different permissions in the wallet, and sort out the documentation.

qqqzhch commented 1 year ago

About macaroons: By default, when lnd starts, it creates three files which contain macaroons: a file called admin.macaroon, which contains a macaroon with no caveats; a file called readonly.macaroon, which is the same macaroon but with an additional caveat that permits only methods that don't change the state of lnd; and invoice.macaroon, which only has access to invoice-related methods.

Testing

admin.macaroon can be imported into the wallet for all operations.

readonly.macaroon can be imported into the wallet. You cannot perform operations related to invoices, sending or receiving, or LNURL; the balance can be viewed; webln.enable can be enabled. Conclusion: it can be used as a wallet to check the balance.

invoice.macaroon failed to import into the wallet: permission denied.

I feel there is a bug; invoice.macaroon's permission level is higher than that of readonly.macaroon.

mariaa144 commented 1 year ago

It is possible for a user of the wallet to create a macaroon for exactly their needs. https://github.com/lightningnetwork/lnd/blob/master/macaroons/README.md#bakery

I think a dev would need to look at what the wallet does to figure out which permissions are needed exactly.

qqqzhch commented 1 year ago

I'll test it again and check the invoice.macaroon import.

qqqzhch commented 1 year ago

My understanding of interface permissions was wrong. https://github.com/lightningnetwork/lnd/blob/master/macaroons/README.md

invoice.macaroon has too few accessible interfaces. Wallet import requires the interface /v1/getinfo; invoice.macaroon does not have "/v1/getinfo" permission.

// invoicePermissions is a slice of all the entities that allows a user
// to only access calls that are related to invoices, so: streaming
// RPCs, generating, and listening invoices.
invoicePermissions = []bakery.Op{
    {
        Entity: "invoices",
        Action: "read",
    },
    {
        Entity: "invoices",
        Action: "write",
    },
    {
        Entity: "address",
        Action: "read",
    },
    {
        Entity: "address",
        Action: "write",
    },
}

mariaa144 commented 1 year ago

Perhaps a bake command which provides the required functionality would be good to include in the documentation, since the macaroons are not useful by default.

qqqzhch commented 1 year ago

Perhaps a bake command which provides the required functionality would be good to include in the documentation, since the macaroons are not useful by default.

The wallet requires a lot of API permissions. I'll sort out the types of APIs and write a document.

qqqzhch commented 1 year ago

The REST APIs that Alby needs to access to link LND, sorted out. Users who use the wallet normally need to use the admin macaroon. If users use the read-only macaroon, they can only view the balance.

mariaa144 commented 1 year ago

Fantastic! It looks like a minimal macaroon could be created to get Alby functioning with this command: lncli bakemacaroon peers:read peers:write offchain:read offchain:write info:read onchain:read onchain:write message:write invoices:read invoices:write.

How did you figure out the REST API calls that were needed? It seems to me Alby would also need invoices:write, but it didn't look like it from the REST API list linked above.

qqqzhch commented 1 year ago

The code is here, at line 31: https://github.com/getAlby/lightning-browser-extension/blob/master/src/extension/background-script/connectors/lnd.ts

mariaa144 commented 1 year ago

invoices:write is also needed at this line: https://github.com/getAlby/lightning-browser-extension/blob/dd090f3ba05327319f4497ef28d8e6c921c6a2d2/src/extension/background-script/connectors/lnd.ts#L318

I wonder why it isn't included in const methods. I updated the lncli command above.

qqqzhch commented 1 year ago

It turns out that I hadn't sorted out all the APIs in the file; I will rearrange these APIs in this file.

qqqzhch commented 1 year ago

invoices:write is also needed at this line:

https://github.com/getAlby/lightning-browser-extension/blob/dd090f3ba05327319f4497ef28d8e6c921c6a2d2/src/extension/background-script/connectors/lnd.ts#L318

I wonder why it isn't included in const methods. I updated the lncli command above.

const methods is used to verify external calls and determine whether the API supports them.

The following APIs are missing from the previously sorted APIs:

"POST", "v1/channels/transactions/route"
"POST", "/v1/channels/transactions"
"POST", "/v1/signmessage"
"POST", "/v1/invoices"
"POST", "/v2/wallet/address/next"
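To check a baked macaroon against the calls named in this thread (/v1/getinfo, which the wallet needs at import time, and the five POST calls listed above), here is an added Python probe; it is not code from the Alby extension or from lnd. It assumes lnd's REST proxy is reachable at a URL such as https://127.0.0.1:8080 with its tls.cert available for verification, that the macaroon goes hex-encoded in the Grpc-Metadata-macaroon header, and that lnd evaluates the macaroon before the handler parses the request body, so an empty POST body can never move funds and any error other than "permission denied" means the permission was present. The file name probe_macaroon.py and the verdict labels "ok", "denied" and "reached" are my own choices.

```python
"""Probe an lnd REST endpoint list with a candidate macaroon and report which
calls fail with "permission denied". Added example for this thread; not code
from the Alby extension or from lnd."""
import json
import ssl
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# The REST calls named in this thread: /v1/getinfo (required at import) plus
# the five POST calls from the last comment. The POST bodies are empty on
# purpose (assumption: lnd checks the macaroon before the handler validates the
# body, so "permission denied" is attributable to the macaroon, while any other
# error means the permission was present). No payment can be sent with an empty
# body; /v1/invoices, /v1/signmessage and /v2/wallet/address/next are harmless
# but do create an invoice, a signature or a new address on a permitted node.
PROBES: List[Tuple[str, str, Optional[dict]]] = [
    ("GET", "/v1/getinfo", None),
    ("POST", "/v1/invoices", {}),
    ("POST", "/v1/signmessage", {}),
    ("POST", "/v2/wallet/address/next", {}),
    ("POST", "/v1/channels/transactions", {}),
    ("POST", "/v1/channels/transactions/route", {}),
]

Sender = Callable[[str, str, Optional[dict]], Tuple[int, bytes]]


def load_macaroon_hex(path: str) -> str:
    """lnd's REST proxy takes the raw macaroon bytes hex-encoded in the
    Grpc-Metadata-macaroon header (the same encoding as `xxd -p file`)."""
    with open(path, "rb") as fh:
        return fh.read().hex()


def make_sender(base_url: str, macaroon_hex: str, cafile: Optional[str] = None,
                timeout: float = 5.0) -> Sender:
    """Return a function performing one authenticated REST call.
    cafile should be lnd's tls.cert so its self-signed certificate is verified
    rather than verification being switched off."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method: str, path: str, body: Optional[dict]) -> Tuple[int, bytes]:
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=data, method=method,
            headers={"Grpc-Metadata-macaroon": macaroon_hex,
                     "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as exc:
            return exc.code, exc.read()

    return send


def classify(status: int, body: bytes) -> str:
    """Map one response to 'ok' (2xx), 'denied' (macaroon rejected) or
    'reached' (non-2xx for another reason, i.e. the macaroon was accepted and
    the handler itself rejected the request). lnd's REST proxy renders gRPC
    errors as {"code": n, "message": "...", "details": [...]}; the text
    "permission denied" is the error quoted in this thread."""
    try:
        doc = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        doc = {}
    message = str(doc.get("message", "")) if isinstance(doc, dict) else ""
    if "permission denied" in message.lower():
        return "denied"
    return "ok" if 200 <= status < 300 else "reached"


def probe_all(send: Sender, probes=PROBES) -> Dict[str, str]:
    """Run every probe through `send` and return {"METHOD /path": verdict}."""
    return {f"{m} {p}": classify(*send(m, p, b)) for m, p, b in probes}


def denied_calls(report: Dict[str, str]) -> List[str]:
    """The calls the probed macaroon cannot make; an empty list means the
    permission set covers everything in PROBES."""
    return sorted(k for k, v in report.items() if v == "denied")


if __name__ == "__main__":
    # usage: python probe_macaroon.py https://127.0.0.1:8080 alby.macaroon [tls.cert]
    url, mac_path = sys.argv[1], sys.argv[2]
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    result = probe_all(make_sender(url, load_macaroon_hex(mac_path), cafile))
    for call, verdict in result.items():
        print(f"{verdict:8} {call}")
    sys.exit(1 if denied_calls(result) else 0)
```

Run it once with the lncli bakemacaroon output proposed earlier in the thread and once with readonly.macaroon: the first should report no denied calls, the second should deny every POST, which is the behaviour qqqzhch observed when testing the default macaroons. Because `probe_all` takes the sender as a parameter, the classification logic can also be exercised offline with canned responses.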