refactor: Use @parity/* 4.0.0 ; refactor sendStore post/postRaw #394
- Update dependencies to @parity/* 4.0.0
- Update/refactor sendStore (post/postRaw)
- Remove ws token (secure ui token); not needed anymore
Now that we don't need a secure token from parity, we don't need to run We should probably rewrite Parity path is now only useful to be able to launch Parity. The new logic I'd suggest (on startup):
Doesn't removing the token introduce a security issue?

How so? Do you mean that ideally we should launch parity without enabling the personal api, but that it should still be available for ws connections with secure token?

Yes, I thought that was the purpose of the secure token: if you have the token, you have access to signer_ and personal_. I'm maybe wrong though. The simple attack vector I can think of is, if we're on the same network, I can send a curl request to your node on the personal_ endpoint.

Yes, makes sense. Currently the list of APIs enabled for WS connections made with a secure token is hardcoded (i.e. ignores run flags) and includes every api except for personal. I guess we should change that so that secure WS connections have access to all apis.
Tracking openethereum/parity-ethereum#10246 (enable personal_ in secure ws connection, regardless of enabled ws apis in launch flags).

However, if we continue launching Parity Ethereum with default flags, after this PR users will only be able to use Fether with the most recent (upcoming) Parity Ethereum release. This is a problem e.g. for users who will be updating Fether, as Parity Ethereum won't get downloaded again (hello #204). So I think that, at least for a certain amount of time, we should launch Fether with

If you have a simpler idea feel free to share...
This PR will require Parity Ethereum >=v2.4.0 Before merging, requires:
lgtm!
merged into #458
openethereum/js-libs#93
You can test:
and make sure it all works (works for me)