Add taker http basic auth #976
Conversation
Since maker and taker are two different binaries there is no need to have a maker_username and taker_username
This will allow us to have arbitrary length passwords and easier configure it through cli parameters
The password can be provided as a argument or has a default value
bonomat
force-pushed
the
609-add-taker-auth
branch
from
de2392a to
f02b301
Compare
|
Note: we should backport this to 0.3.x because it is mostly needed for getumbrel/umbrel#1149 |
| @@ -16,6 +16,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 | |||
| The previous payout transactions are invalidated. | |||
| The new payout transactions spend from the same lock transaction, so the rollover happens off-chain. | |||
| In case a maker rejects a rollover request from a taker the old oracle price event and payout transactions stay in place. | |||
| - Changed username for HTTP authentication to `itchysats` | |||
There was a problem hiding this comment.
This should go under a different section, we are in ### Added here :)
| @@ -14,7 +14,8 @@ use std::str::FromStr; | |||
| /// A request guard that can be included in handler definitions to enforce authentication. | |||
| pub struct Authenticated {} | |||
|
|
|||
| pub const MAKER_USERNAME: &str = "maker"; | |||
| pub const USERNAME: &str = "itchysats"; | |||
| pub const TAKER_DEFAULT_PASSWORD: &str = "onbrinkofsecondbailout"; | |||
There was a problem hiding this comment.
I'd rather not have a default password in the binary. If we want a default password for umbrel, we can always hardcode that in the docker-compose file. If --password is not specified, we can always derive a password from the seed.
What do you think?
There was a problem hiding this comment.
also: if we would like a default password for the CI, we can always hardcode one in cargo dev-taker etc.
| /// let password = "Now I'm feelin' so fly like a G6".to_string(); | ||
| /// let password_vec = password.as_bytes(); | ||
| /// let password_hex = hex::encode(vec); | ||
| /// let basic_auth = base64::encode(&format!("{}:{}", "itchysats", password_hex)); |
There was a problem hiding this comment.
That diff seems unnecessary if we are just changing the username from maker to itchysats.
| /// A rocket responder that prompts the user to sign in to access the API. | ||
| #[derive(rocket::Responder)] | ||
| #[response(status = 401)] | ||
| pub struct PromptAuthentication { | ||
| inner: (), | ||
| www_authenticate: Header<'static>, | ||
| } |
There was a problem hiding this comment.
This could be re-used across both binaries.
| /// A "catcher" for all 401 responses, triggers the browser's basic auth implementation. | ||
| #[rocket::catch(401)] | ||
| pub fn unauthorized() -> PromptAuthentication { | ||
| PromptAuthentication { | ||
| inner: (), | ||
| www_authenticate: Header::new("WWW-Authenticate", r#"Basic charset="UTF-8"#), | ||
| } | ||
| } |
There was a problem hiding this comment.
This one probably too!
|
Closed in favor of #982. |
Resolves #609
This is the first step to have authentication for the taker.
For our current use of running the taker on umbrel this is sufficient. Eventually we might want to allow the user to change the password from inside of the application.