Whitelist feature for wallet #135
Should the wallet API be concerned with networking security? I'd rather see that handled at another layer, which is much better suited for the task: firewalls, network ACLs/hardware, reverse proxy etc., which will be much more powerful and configurable. I am not convinced the library should be concerned by those things and would advocate for separation of concerns here.
That's a fair point. The motivation for this was the knowledge of how many people are running unsecured wallets and the general technical level of people who run wallets. Yes, real security would be preferable but unfortunately this won't be the case in many situations. This was a feature combination with FactomProject/factom-walletd#84 to disallow remote connections by default and then enable specific ones if needed.
FactomdRPCPassword string | ||
FactomdServer string | ||
FactomdTimeout time.Duration | ||
WalletWhiteListEnable bool |
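Review bot: WalletWhiteListEnable is added to the config struct with no doc comment, and as a bool its zero value is false, so the whitelist stays off unless the caller sets it. Please document on the field what the default means for remote connections and that it has to be set to true before starting the webserver for the whitelist to apply.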
whitelist is a single word and should be camel cased Whitelist (like you did in other places actually)
Right, open wallets in the wild have been a plague... ok we can do it I guess, but we will need to document that properly to avoid people's questions about why they can't call their wallet.
@WhoSoup does this PR still make sense with the wallet stuff gone?
Nope, this would have to be re-done at the new location. I'll close this and make a note in the issue.
This implements a simple whitelist feature for wsapi. It's enabled by starting the webserver with RPCConfig.WalletWhiteListEnable = true. IPs to whitelist can be added with wsapi.WhiteListIP(string). Localhost (127.0.0.1, ::1) will always be able to connect. If a connection is attempted from a remote address not on the white list, the attempt is logged in the console and a 401 error is returned.
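
The behaviour described above, as an added Go example (not code from this PR or from wsapi; the Whitelist type and its methods are hypothetical names). It decides on the TCP peer address only, never on client-supplied headers such as X-Forwarded-For, and compares addresses in canonical form so an IPv4-mapped IPv6 peer matches its IPv4 entry.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"sync"
)

// Whitelist is a hypothetical type for this example, not the wsapi code.
type Whitelist struct{ ips sync.Map }

// Add stores the canonical text form, so "::ffff:10.0.0.5" equals "10.0.0.5".
func (w *Whitelist) Add(ip string) error {
	p := net.ParseIP(ip)
	if p == nil {
		return fmt.Errorf("invalid IP %q", ip)
	}
	w.ips.Store(p.String(), true)
	return nil
}

// Allowed looks only at the TCP peer address and denies anything unparsable.
func (w *Whitelist) Allowed(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	ip := net.ParseIP(host) // host is "" when the split failed, so ip is nil
	if err != nil || ip == nil {
		return false
	}
	_, ok := w.ips.Load(ip.String())
	return ok || ip.IsLoopback() // loopback (127.0.0.0/8, ::1) always connects
}

// Middleware logs the attempt and answers 401, as the PR text describes.
func (w *Whitelist) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
		if !w.Allowed(r.RemoteAddr) {
			log.Printf("rejected connection from %s", r.RemoteAddr)
			http.Error(rw, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(rw, r)
	})
}

func main() {
	wl := &Whitelist{} // 203.0.113.7 below is a constructed RFC 5737 address
	fmt.Println(wl.Add("203.0.113.7"), wl.Allowed("203.0.113.7:4000"))
}
```

If the server sits behind a reverse proxy, r.RemoteAddr is the proxy's address, so the check then has to be enforced at the proxy instead.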