In an effort to save people's feet from their own guns, we like to make sure they give us minimally permissible credentials to do what they want us to do.
The only API lnc-web exposes for permissions are hasPerms and isReadOnly. If we wanted to make sure a session only allows us to send offchain payments for instance, we'd need to make sure hasPerms returns false for every other possible permission the session could have.
Something like a listPermissions, or macaroon function even, would allow us to more efficiently/effectively do this check.
For reference, our lnd auto-withdrawals using the old fashioned non-TURNed configuration validate the macaroon by decoding it clientside and making sure the ops are strictly limited to either:
In an effort to save people's feet from their own guns, we like to make sure they give us minimally permissible credentials to do what they want us to do.
The only API
lnc-webexposes for permissions arehasPermsandisReadOnly. If we wanted to make sure a session only allows us to send offchain payments for instance, we'd need to make surehasPermsreturns false for every other possible permission the session could have.Something like a
listPermissions, ormacaroonfunction even, would allow us to more efficiently/effectively do this check.For reference, our lnd auto-withdrawals using the old fashioned non-TURNed configuration validate the macaroon by decoding it clientside and making sure the ops are strictly limited to either:
the ideal:
the prebaked invoice macaroon: