
commands: require wallet password for lnpay command #9238

Merged (2 commits), Oct 10, 2024

Conversation

accumulator (Member)

ref #9236

@accumulator (Member Author)

might be useful to also require password for e.g. channel closes and reverse swaps

SomberNight added a commit that referenced this pull request Oct 8, 2024
Previously it was only the actual commands that directly or indirectly verified
the password. This adds a check that runs for any command requiring a password.

related #9238
Comment on lines 1164 to 1165
if wallet.has_password():
wallet.check_password(password)
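Review bot: the has_password()/check_password(password) pair at lines 1164-1165 is a per-command guard sitting inside the lnpay body, so every other command that should require the password would have to repeat these two lines and any one of them can forget to; run the check once in the @command decorator, keyed on the command's requires_password flag, and keep the has_password() short-circuit there so wallets without a password keep working.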
Member

Conceptually this should not be done here I think.
I moved this check to the @command decorator in 37d090c.

Member Author

agreed

@SomberNight (Member)

might be useful to also require password for e.g. channel closes and reverse swaps

Well, yes, maybe. But also something to consider is what exactly is the threat-model, because at the end of the day we might as well password-protect every command :P

>>> [cn for (cn, c) in electrum.commands.known_commands.items() if c.requires_wallet and not c.requires_password]

['get', 'listunspent', 'freeze', 'unfreeze', 'freeze_utxo', 'unfreeze_utxo', 'ismine', 'getpubkeys', 'getbalance', 'getmpk', 'onchain_history', 'lightning_history', 'setlabel', 'listcontacts', 'getalias', 'searchcontacts', 'listaddresses', 'get_request', 'get_invoice', 'list_requests', 'list_invoices', 'createnewaddress', 'changegaplimit', 'getminacceptablegap', 'getunusedaddress', 'add_request', 'addtransaction', 'delete_request', 'delete_invoice', 'clear_requests', 'clear_invoices', 'is_synchronized', 'removelocaltx', 'get_tx_status', 'add_peer', 'list_peers', 'lnpay', 'nodeid', 'list_channels', 'enable_htlc_settle', 'close_channel', 'request_force_close', 'export_channel_backup', 'import_channel_backup', 'get_channel_ctx', 'get_watchtower_ctn', 'rebalance_channels', 'reverse_swap']

  1. Dangerous commands:
    lnpay, get_channel_ctx

  2. Not too dangerous but still kind of:
    close_channel, request_force_close, export_channel_backup, reverse_swap, rebalance_channels

  3. And then there is also stuff like getmpk (privacy) or changegaplimit (DOS-potential).

Anyway, I would say let's password-protect the "dangerous" list (1).

Do you think list (2) should be password-protected as well? I am not sure.
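To make the two points above concrete (moving the password check into the @command decorator, and the audit query for wallet commands that skip the password), here is an added example in the spirit of electrum.commands. It is not the project's code: Wallet, Command, known_commands and the flag-string syntax ('w' = needs wallet, 'p' = needs password) are stand-ins assumed for the example, and the command bodies are constructed toys rather than Electrum's real implementations.

```python
import functools
from dataclasses import dataclass
from typing import Callable, Dict, List


class InvalidPassword(Exception):
    """Raised when a password-protected wallet is used without the right password."""


class Wallet:
    """Stand-in wallet for the example (not Electrum's Abstract_Wallet).
    A password of None means the wallet is unencrypted."""

    def __init__(self, password=None):
        self._password = password

    def has_password(self) -> bool:
        return self._password is not None

    def check_password(self, password) -> None:
        if self.has_password() and password != self._password:
            raise InvalidPassword("wrong or missing wallet password")


@dataclass
class Command:
    name: str
    requires_wallet: bool
    requires_password: bool
    func: Callable


known_commands: Dict[str, Command] = {}


def command(flags: str):
    """Register a command. Assumed flag syntax for this example: 'w' = needs a
    wallet, 'p' = needs the wallet password. The password check lives here, so
    it runs for every 'p' command and no command body has to remember it."""
    requires_wallet = "w" in flags
    requires_password = "p" in flags
    if requires_password and not requires_wallet:
        raise ValueError("a password check only makes sense for wallet commands")

    def decorator(func):
        @functools.wraps(func)
        def wrapper(wallet=None, password=None, **kwargs):
            if requires_wallet and wallet is None:
                raise ValueError(f"{func.__name__} requires a wallet")
            # Central guard: only enforced when the wallet is actually encrypted,
            # so unencrypted wallets keep working without a password argument.
            if requires_password and wallet.has_password():
                wallet.check_password(password)
            return func(wallet=wallet, password=password, **kwargs)

        known_commands[func.__name__] = Command(
            func.__name__, requires_wallet, requires_password, wrapper)
        return wrapper

    return decorator


@command("w")
def getbalance(wallet, password=None):
    return 100_000  # constructed balance in sats


@command("wp")
def lnpay(wallet, invoice, password=None):
    # A real lnpay would spend funds over Lightning; this toy only reports it.
    return f"paid {invoice}"


@command("w")
def close_channel(wallet, channel_id, password=None):
    # Flagged 'w' only, so it shows up in the audit below as unprotected.
    return f"closed {channel_id}"


def unprotected_wallet_commands() -> List[str]:
    """The same audit query as in the discussion above, run on this registry."""
    return [cn for cn, c in known_commands.items()
            if c.requires_wallet and not c.requires_password]


def run(name, wallet, password=None, **kwargs):
    """Dispatch a command by name through its registered (guarded) wrapper."""
    return known_commands[name].func(wallet=wallet, password=password, **kwargs)


def password_rejected(name, wallet, password=None, **kwargs) -> bool:
    """True if the central guard refused the call because of the password."""
    try:
        run(name, wallet, password=password, **kwargs)
    except InvalidPassword:
        return True
    return False


if __name__ == "__main__":
    w = Wallet(password="correct horse")
    print(run("getbalance", w))                                    # 100000, no password needed
    print(run("lnpay", w, password="correct horse", invoice="lnbc1..."))
    print(password_rejected("lnpay", w, invoice="lnbc1..."))        # True: the guard fired
    print(unprotected_wallet_commands())                           # ['getbalance', 'close_channel']
```

Because the guard is attached to the registration flag rather than to each body, promoting a command from list (2) to password-protected is a one-character change to its flags, and the audit function above is what you run afterwards to confirm nothing was missed.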

@SomberNight SomberNight added this to the 4.5.6 milestone Oct 8, 2024
@accumulator (Member Author)

accumulator commented Oct 9, 2024

Do you think list (2) should be password-protected as well? I am not sure.

These are currently inconsistent across GUIs (PIN on android, if enabled. no auth on desktop).
I'm inclined to add password requirement for (2), though only for CLI

@SomberNight (Member)

I'm inclined to add password requirement for (2), though only for CLI

Okay, let's do that then.

…channel_backup, reverse_swap, rebalance_channels
@SomberNight SomberNight (Member) left a comment

Thanks!

@SomberNight SomberNight merged commit acc8396 into spesmilo:master Oct 10, 2024
15 checks passed
@accumulator accumulator deleted the issue9236 branch October 11, 2024 21:11
SomberNight added a commit that referenced this pull request Oct 14, 2024
Previously it was only the actual commands that directly or indirectly verified
the password. This adds a check that runs for any command requiring a password.

related #9238