Harden LNURL-auth request handling#862
Harden LNURL-auth request handling#862benthecarman wants to merge 1 commit intolightningdevkit:mainfrom
Conversation
Enforce HTTPS for non-localhost URLs per LNURL spec and disable redirect following since the auth flow is a single GET request. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
I've assigned @tnull as a reviewer! |
| let domain = url.base_url(); | ||
|
|
||
| // Enforce HTTPS for non-localhost URLs per LNURL spec. | ||
| let is_localhost = domain == "localhost" || domain == "127.0.0.1" || domain == "[::1]"; |
There was a problem hiding this comment.
That's fine, but I do wonder if we should limit access to localhost/local network in general? Otherwise someone could prompt us to authenticate but have us make requests to arbitrary hosts, no? Maybe this method should take an expected hostname and abort if the decoded LNURL auth doesn't match that?
There was a problem hiding this comment.
I feel local host and private networks can still be useful for testing.
I don't think the expected host name would really work. Most things you are just scanning qr and authenticating in. It's not really the end of the world if you auth to the "wrong" place. Your auth key is tied to the domain so the only real threat would be if someone dns hijacked you or something.
3 participants
Enforce HTTPS for non-localhost URLs per LNURL spec and disable redirect following since the auth flow is a single GET request.