Open mariaa144 opened 2 years ago
Let me test the differences between accounts with different permissions in the wallet and sort out the documentation about macaroons. By default, when lnd starts, it creates three files which contain macaroons: a file called admin.macaroon, which contains a macaroon with no caveats; a file called readonly.macaroon, which is the same macaroon but with an additional caveat that permits only methods that don't change the state of lnd; and invoice.macaroon, which only has access to invoice-related methods.
admin.macaroon can be imported into the wallet for all operations.
readonly.macaroon can be imported into the wallet. You cannot perform operations related to invoices, send or receive, or lnurl; the balance can be viewed; webln.enable can be enabled. Conclusion: it can be used as a wallet to check the balance.
invoice.macaroon failed to import into the wallet: permission denied.
I feel there is a bug: the permission level of invoice.macaroon is higher than that of readonly.macaroon.
It is possible for a user of the wallet to create the macaroon for exactly their needs. https://github.com/lightningnetwork/lnd/blob/master/macaroons/README.md#bakery
I think a dev would need to look at what the wallet does to figure out which permissions are needed exactly.
I'll test it again and check the invoice.macaroon import.
My understanding of the interface permissions was wrong: https://github.com/lightningnetwork/lnd/blob/master/macaroons/README.md
invoice.macaroon has too few accessible interfaces. Wallet import requires the interface /v1/getinfo, and invoice.macaroon does not have "/v1/getinfo" permission:
```go
// invoicePermissions is a slice of all the entities that allows a user
// to only access calls that are related to invoices, so: streaming
// RPCs, generating, and listening invoices.
invoicePermissions = []bakery.Op{
	{
		Entity: "invoices",
		Action: "read",
	},
	{
		Entity: "invoices",
		Action: "write",
	},
	{
		Entity: "address",
		Action: "read",
	},
	{
		Entity: "address",
		Action: "write",
	},
}
```
Perhaps a bake command which provides the required functionality would be good to include in the documentation, since the default macaroons are not useful for this.
The wallet requires a lot of API permissions. I'll sort out the types of APIs and write a document.
Here are the REST APIs that Alby needs to access to link lnd, sorted out. Users who use the wallet normally need to use the admin macaroon. If users use the read-only macaroon, they can only view the balance.
Fantastic! It looks like a minimal macaroon could be created to get Alby functioning with this command:

```
lncli bakemacaroon peers:read peers:write offchain:read offchain:write info:read onchain:read onchain:write message:write invoices:read invoices:write
```

How did you figure out the REST API calls that were needed? It seems to me Alby would also need invoices:write, but it didn't look like it, looking at the REST API linked above.

invoices:write is also needed at this line: https://github.com/getAlby/lightning-browser-extension/blob/dd090f3ba05327319f4497ef28d8e6c921c6a2d2/src/extension/background-script/connectors/lnd.ts#L318
I wonder why it isn't included in const methods. I updated the lncli command above.
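To make the permission gap concrete, here is an added example (not code from this thread, from Alby, or from lnd) that models macaroon permissions as entity:action pairs, loads the invoicePermissions set quoted earlier and the set from the lncli bakemacaroon command above, and reports which permissions a given macaroon is missing. The Op type, ParseOps, Missing and Covers are assumptions for this illustration; lnd's real bakery.Op is only mirrored in shape.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Op mirrors the entity/action pair that lnd's bakery package uses to
// describe what a macaroon may do (e.g. info:read). Hypothetical type
// for this example, not lnd's own.
type Op struct {
	Entity string
	Action string
}

func (o Op) String() string { return o.Entity + ":" + o.Action }

// ParseOps converts "entity:action" tokens, the form accepted by
// lncli bakemacaroon, into Ops and rejects malformed tokens.
func ParseOps(tokens ...string) ([]Op, error) {
	ops := make([]Op, 0, len(tokens))
	for _, tok := range tokens {
		parts := strings.SplitN(tok, ":", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return nil, fmt.Errorf("malformed permission %q: want entity:action", tok)
		}
		ops = append(ops, Op{Entity: parts[0], Action: parts[1]})
	}
	return ops, nil
}

func mustParse(tokens ...string) []Op {
	ops, err := ParseOps(tokens...)
	if err != nil {
		panic(err)
	}
	return ops
}

// InvoiceMacaroonOps is the permission set lnd bakes into invoice.macaroon,
// copied from the invoicePermissions slice quoted in this thread.
var InvoiceMacaroonOps = mustParse(
	"invoices:read", "invoices:write", "address:read", "address:write",
)

// WalletRequiredOps is the set from the lncli bakemacaroon command
// proposed in this thread for getting Alby working.
var WalletRequiredOps = mustParse(
	"peers:read", "peers:write", "offchain:read", "offchain:write",
	"info:read", "onchain:read", "onchain:write", "message:write",
	"invoices:read", "invoices:write",
)

// Missing returns every Op in need that have does not grant, sorted so
// the output is stable.
func Missing(have, need []Op) []Op {
	granted := make(map[Op]struct{}, len(have))
	for _, o := range have {
		granted[o] = struct{}{}
	}
	missing := []Op{}
	for _, o := range need {
		if _, ok := granted[o]; !ok {
			missing = append(missing, o)
		}
	}
	sort.Slice(missing, func(i, j int) bool {
		return missing[i].String() < missing[j].String()
	})
	return missing
}

// Covers reports whether have grants everything in need.
func Covers(have, need []Op) bool {
	return len(Missing(have, need)) == 0
}

func main() {
	fmt.Printf("invoice.macaroon covers wallet needs: %v\n",
		Covers(InvoiceMacaroonOps, WalletRequiredOps))
	// info:read shows up here, which is why /v1/getinfo (and so the
	// wallet import) fails with this macaroon.
	for _, o := range Missing(InvoiceMacaroonOps, WalletRequiredOps) {
		fmt.Println("missing:", o)
	}
}
```

Running the same check with a macaroon baked from the proposed command yields an empty missing list, so the check doubles as a quick way to confirm a custom macaroon before importing it.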
It turns out that I haven't sorted out all the APIs in the file; I will rearrange these APIs in this file.
> invoices:write is also needed at this line. I wonder why it isn't included in const methods. I updated the lncli command above.

const methods is used to verify external calls and determine whether the API supports them.
The following APIs are missing from the previously sorted APIs:
- "POST", "v1/channels/transactions/route"
- "POST", "/v1/channels/transactions"
- "POST", "/v1/signmessage"
- "POST", "/v1/invoices"
- "POST", "/v2/wallet/address/next"
I would like to know what permissions Alby needs from LND so I can create the proper macaroon.
Can instructions on what permissions to include in a macaroon be included in the documentation or install guide?
Perhaps instructions like charge-lnd has could be added: https://github.com/accumulator/charge-lnd/blob/master/INSTALL.md#installation