Lock down the transfer method on wallet GRPC to have some kind of authentication. #4478
Labels
P-high-risk
Process - High risk
Comments
This was referenced Aug 18, 2022
stringhandler
pushed a commit
that referenced
this issue
Aug 25, 2022
Description --- - adds basic password auth interceptor to wallet grpc. - disables grpc by default - adds `hash-grpc-password` command that produces a salted hashed password that clients can use for authentication - adds cli args to explicitly enable grpc - adds `wallet.grpc_authentication` configuration - allow grpc client to use basic auth if configured - add `--enable-grpc` cli flag to wallet Motivation and Context --- Fixes #4478 Secure GRPC calls with basic auth. User should explicitly enable grpc when it is needed. Usage: - Set `grpc_authentication = { username: "foo", password: "bar" }` - Call `tari_console_wallet hash-grpc-password` and copy the hash - Use the username and hashed password in e.g. postman or any other grpc client How Has This Been Tested? --- Basic unit tests Manually (POSTman and running a miner with GRPC auth enabled)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lock down the transfer method on wallet GRPC to have some kind of authentication.
Currently, anybody on the local machine can send funds out of the wallet via GRPC
The text was updated successfully, but these errors were encountered: