
403 Error requesting wallet admin API endpoints #679

Closed
Leon-Zhang opened this issue Jan 27, 2019 · 13 comments

Comments


Leon-Zhang commented Jan 27, 2019

Hello, I have a bcoin spvnode deployed on an AWS EC2 server, but it seems only the wallet create API works; a wallet information API call like

curl http://x:mykey@127.0.0.1:18334/wallet/

will return response header with
HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=utf-8
Content-Length: 0
Date: Sun, 27 Jan 2019 02:57:29 GMT
Connection: keep-alive

But I already have port 18334 open, and the wallet creation API works:
curl http://x:mykey@xx.xxx.xxx.xxx:18334/wallet/ccexchg3 -X PUT
{
"network": "testnet",
"wid": 5,
"id": "ccexchg3",
"watchOnly": false,
"accountDepth": 1,
"token": "05d0f03a5e210d79d6fcb138cb57bc218863b14d8e4b314e20eba6554946299b",
"tokenDepth": 0,
"master": {
"encrypted": false
},
"balance": {
"tx": 0,
"coin": 0,
"unconfirmed": 0,
"confirmed": 0
}
}
How do I troubleshoot this?

Thanks.

@pinheadmz pinheadmz added the help wanted User has a question, not critical label Jan 27, 2019

pinheadmz commented Jan 27, 2019

I suspect you need a wallet admin-token to make the first request. What does your config look like?
See http://bcoin.io/api-docs/#wallet-admin-commands

Regular wallet commands require wallet tokens.

For example, because you have exposed your API key and wallet token on github, I was able to make this request:

 curl http://x:zzzzzz@x.x.x.x:18334/wallet/ccexchg3?token=05d0f03a5e210d79d6fcb138cb57bc218863b14d8e4b314e20eba6554946299b -v
*   Trying ..
* TCP_NODELAY set
* Connected to port 18334 (#0)
* Server auth using Basic with user 'x'
> GET /wallet/ccexchg3?token=05d0f03a5e210d79d6fcb138cb57bc218863b14d8e4b314e20eba6554946299b HTTP/1.1
> Host: 18334
> Authorization: Basic 
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< Content-Length: 331
< Date: Sun, 27 Jan 2019 07:22:36 GMT
< Connection: keep-alive
<
{
  "network": "testnet",
  "wid": 5,
  "id": "ccexchg3",
  "watchOnly": false,
  "accountDepth": 1,
  "token": "05d0f03a5e210d79d6fcb138cb57bc218863b14d8e4b314e20eba6554946299b",
  "tokenDepth": 0,
  "master": {
    "encrypted": false
  },
  "balance": {
    "tx": 0,
    "coin": 0,
    "unconfirmed": 0,
    "confirmed": 0
  }
}

@pinheadmz pinheadmz changed the title About deploy on AWS EC2 403 Error requesting wallet admin API endpoints Jan 27, 2019

Leon-Zhang commented Jan 27, 2019

I have the same configuration on my local and remote servers, but the remote server won't work with the following command, while the local wallet server can list all wallets created:
curl http://x:mykey@xx.xxx.xxx.x:18334/wallet/
HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=utf-8
Content-Length: 0
Date: Sun, 27 Jan 2019 13:56:07 GMT
Connection: keep-alive

curl http://x:mykey@127.0.0.1:18334/wallet/
[
"primary",
"ccexchg",
"ccexchg2"
]

@pinheadmz
Member

Do you have wallet-auth: true in your config? Then an admin token is required.


Leon-Zhang commented Jan 28, 2019

./bcoin/bin/spvnode --network=testnet --uri=http://localhost --api-key=mykey --spv
--prefix ./bcoin_data --http-host=0.0.0.0 --wallet-http-host=0.0.0.0 --wallet-api-key=mykey --wallet-wallet-auth=true --daemon --index-address=true --index-tx=true

Above are my startup arguments; there is no other configuration file.
How do I specify wallet-auth: true as an argument? And why can I call the wallet admin API without the wallet-auth: true argument on my local machine?


pinheadmz commented Jan 28, 2019

Ok that is interesting, I'll test on my end. You might want to take out your wallet API key from the github post as well ;-)
And another thing I noticed: index-tx and index-address will have no effect on an SPV node, so you might as well leave them out.

Also pretty sure wallet-auth=true means a wallet-admin-token is required, so I'm not sure why you can still access that API even locally without it. You'd need wallet-admin-token=<32-byte hex> in the config and then each API call would require a token=<same hex>.

@pinheadmz
Member

Ok I just tested your config and could not reproduce the results. If wallet-admin=true then I get a 403 on all admin API calls, local and remote. If I then add wallet-admin-token to the config, that same admin token is required again both locally and remote to get API access.

I also don't know why you have uri= in there, what's that for?

@pinheadmz
Member

ack and one more unneeded parameter: --spv. If you are launching with bin/spvnode, the spv argument is redundant.

@pinheadmz
Member

@Leon-Zhang I'm going to close this issue for now. Feel free to reopen it if you have more questions, or you can always find us on Slack!

@Leon-Zhang
Author

I have removed the --wallet-wallet-auth=true parameter and it is working OK on AWS EC2 now.
I wanted to use the bcoin APIs to implement send/receive and browse the transaction history of my own wallet; will these parameters match those functions?


pinheadmz commented Feb 2, 2019

Yep! Although if your API is exposed to a public endpoint, you probably do want to use wallet-auth=true and set a wallet-admin-token for extra security.

@Leon-Zhang
Author

Could you give an example config file which uses wallet-admin-token and wallet-auth=true?

@pinheadmz
Member

~/.bcoin/bcoin.conf

network: regtest

~/.bcoin/regtest/wallet.conf

network: regtest
wallet-auth: true
admin-token: 0123456789012345678901234567890123456789012345678901234567890123
apikey: apikey

(See also #645)

Examples - admin route - list all wallets

No api key:

$  curl -v 127.0.0.1:48334/wallet
HTTP/1.1 401 Unauthorized

No token:

$  curl -v x:apikey@127.0.0.1:48334/wallet
HTTP/1.1 403 Forbidden

Both:

$  curl -v x:apikey@127.0.0.1:48334/wallet?token=0123456789012345678901234567890123456789012345678901234567890123
[
  "primary"
]

Create a wallet (no admin token needed)

$ curl -v x:apikey@127.0.0.1:48334/wallet/NEW -X PUT
{
  "network": "regtest",
  "wid": 2,
  "id": "NEW",
  "watchOnly": false,
  "accountDepth": 1,
  "token": "260e8dbd8256974311edb53269ca62852b9dd50be6dca7c753ae9ccd2b69170e",
  "tokenDepth": 0,
  "master": {
    "encrypted": false
  },
  "balance": {
    "tx": 0,
    "coin": 0,
    "unconfirmed": 0,
    "confirmed": 0
  }
}

Note the wallet token above.

Examples - wallet route - get wallet balance

With wallet token

$ curl -v x:apikey@127.0.0.1:48334/wallet/NEW/balance?token=260e8dbd8256974311edb53269ca62852b9dd50be6dca7c753ae9ccd2b69170e
{
  "account": -1,
  "tx": 0,
  "coin": 0,
  "unconfirmed": 0,
  "confirmed": 0
}
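The auth rules the config and curl examples above demonstrate, as an added Python model written for this thread (not bcoin's own code): it reproduces the 401/403/200 outcomes shown above for the API key, the admin token and the per-wallet token, and assumes additionally that the admin token is also accepted on per-wallet routes.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def _eq(a: str, b: str) -> bool:
    """Constant-time secret comparison, so a wrong token leaks no timing info."""
    return hmac.compare_digest(a.encode(), b.encode())


@dataclass
class WalletServer:
    """Minimal model of the auth decisions a bcoin wallet server makes (illustration only)."""
    api_key: str                          # --wallet-api-key / apikey
    wallet_auth: bool                     # wallet-auth
    admin_token: Optional[str] = None     # admin-token (64 hex chars in the thread)
    wallets: dict = field(default_factory=dict)  # wallet id -> that wallet's token

    def authorize(self, method: str, url: str, basic_password: Optional[str]) -> int:
        """Return the HTTP status the request would get: 200, 401 or 403."""
        # Every request needs the HTTP Basic API key (the "x:apikey@" part of the curl URL).
        if basic_password is None or not _eq(basic_password, self.api_key):
            return 401
        parts = urlsplit(url)
        token = parse_qs(parts.query).get("token", [None])[0]
        segs = [s for s in parts.path.split("/") if s]
        # With wallet-auth false, the API key alone unlocks every route.
        if not self.wallet_auth:
            return 200
        is_admin = bool(token and self.admin_token and _eq(token, self.admin_token))
        # PUT /wallet/:id (create) needs no admin token, as the thread shows.
        if method == "PUT" and len(segs) == 2 and segs[0] == "wallet":
            return 200
        # Admin route such as GET /wallet (list all wallets): admin token required.
        if len(segs) == 1 and segs[0] == "wallet":
            return 200 if is_admin else 403
        # Wallet route such as /wallet/:id/balance: that wallet's own token
        # (assumption: the admin token is accepted here as well).
        if is_admin:
            return 200
        expected = self.wallets.get(segs[1], "")
        return 200 if token and _eq(token, expected) else 403


def explain(status: int) -> str:
    """Map a status to the troubleshooting hint the maintainer gives above."""
    return {
        401: "missing or wrong API key: send it as the HTTP Basic password",
        403: "missing or wrong token: with wallet-auth true, admin routes need "
             "?token=<admin-token> and wallet routes need that wallet's token",
        200: "authorized",
    }.get(status, "unexpected status")
```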

@Leon-Zhang
Author

Thank you! I now fully understand your token usage.

@braydonf braydonf removed the help wanted User has a question, not critical label May 16, 2019