Bake Macaroon root_key_id can't just be a positive number.

[CRex15]

When trying to use a Macaroon generated by the BakeMacaroon API, failure can occur if using a root_key_id < 18441921392371827000 ([4]byte starting with {0xFF, 0xEE, 0xDD, 0xCC}).

When using a macaroon with permissions for Loop, Pool, Faraday, and Litd that was baked with a root_key_id matching the above condition, AND calling an rpc from these services, an error is returned: "proxy error with context {rpc service}: invalid macaroon: macaroon service not yet initialised". LND rpc services can still be used with this macaroon.

[guggero]

This is something specific to litd and I'm not sure we want to add litd specific comments in the lnd API docs.

Though I agree that we might need to document this better in https://github.com/lightninglabs/lightning-terminal.

The condition you mention: root_key_id < 18441921392371827000 ([4]byte starting with {0xFF, 0xEE, 0xDD, 0xCC} This means a macaroon is NOT what we call a super macaroon (a super macaroon would be root_key_id >= 18441921392371827000. And in litd you can only have permissions for Loop, Pool, Faraday and Litd within a single macaroon if it is a super macaroon, otherwise it will treat it as a normal macaroon and go down a different code path which would explain the error message (which also hints at something not being fully started yet by the way).

So am I correct in assuming that you would like to have a documentation on how to bake a (super) macaroon that can be used for all RPCs bundled by litd?

[guggero]

Also see https://github.com/lightninglabs/lightning-terminal/pull/568.

[CRex15]

Documentation on how to bake a super macaroon would be very helpful. Also, any description on the difference between macaroons would be great. To be honest, I came across this issue without even knowing super macaroons existed. I was trying to get access to Loop and Faraday and just decided to bake a macaroon with permissions to all services. That's why I came across this error in the first place.