LNC permission clarity

[huumn]

I'm implementing LNC for stacker news. We'd like to do the following:

1. create a budgeted LNC session that can only send offchain for storage/use clientside
2. create an LNC session that can only receive offchain for storage/use serverside

I'm beginning to think about how we'd instruct someone to use LNC and have some questions.

A. It appears (1) is mostly possible from the GUI through the 'custodial' option. From the GUI, it requires also permitting receives and there's no way around that afaict. Is that correct?
B. For (2), is there a way to reuse the account in (1) but not be granted spending permissions from the GUI? For context, we don't want spending permissions stored on our servers.

---

Are we thinking about this right? Does anyone have any recommendations? Should we just write a CLI walkthrough?

---

Also, maybe a question for another repo, but is there an easy way to check session permissions? For receiving via macaroon-based auth, we decode the macaroon in the browser then validate it only has the ability to read/write invoices. Is there a way to list all the permissions on an LNC session? And, is there a way to check it has a sane budget?

Thanks!

[guggero]

Thanks for your questions. I think most of what you're looking for is possible, just not necessarily in the UI. Let's see.

1. create a budgeted LNC session that can only send offchain for storage/use clientside

Can be achieved like this:

$  litcli accounts create --balance <budget>

# ignore the macaroon returned in the step above but note the account ID that was created

$ litcli sessions add --type custom --account_id <account_ID_from_previous_step> --uri /lnrpc.Lightning/SendPayment --uri /lnrpc.Lightning/SendPaymentSync --uri ....

With the --uri flag you can specify exactly what RPC calls should be allowed. Since the session/macaroon will be tied to a custodial account, the URIs must be a subset of those compatible with custodial accounts, see

lightning-terminal/accounts/checkers.go

Line 113 in 666f19c

"/lnrpc.Lightning/AddInvoice": mid.NewResponseRewriter(

.

2. create an LNC session that can only receive offchain for storage/use serverside

Same as above, but the URIs would just be those for creating invoices (e.g. --uri /lnrpc.Lightning/AddInvoice).

For (2), is there a way to reuse the account in (1) but not be granted spending permissions from the GUI?

Yes. As long as you ignore/discard the macaroon created in the litcli accounts create account and just use the account ID, you can in fact generate as many sessions with different permissions for that account as you want.

Should we just write a CLI walkthrough?

I think that would be amazingly helpful as a document to have in the repo. A PR to do that would be highly appreciated 🙏

but is there an easy way to check session permissions?

The permissions of a session is just the macaroon that is passed to the client during the LNC handshake. But it looks like (at least with @lnc-web) there currently is no way to extract the full macaroon from the session. But you can query for available permissions.

Base example from https://github.com/lightninglabs/lnc-web, see https://github.com/lightninglabs/lnc-web/blob/main/lib/lnc.ts for not-yet-examplified functions like isReadOnly or hasPerms:

import LNC from ‘@lightninglabs/lnc-web’;

const pairingPhrase = ‘artefact morning piano photo consider light’;
const password = 'u*E0F?gU\d($N&Ckh8u)tLm';

// default connection using WASM from CDN
// WASM loaded on object creation
// default host: mailbox.terminal.lightning.today:443
// password used for encrypting credentials
const lnc = new LNC({
   pairingPhrase,
   password
});

let readOnly = lnc.isReadOnly();

// Note the slightly different format for the URI here, it's `package.Service.Method` instead of `/package.Service/Method` as is used for the `litcli ... --uri` parameter.

let sendPermission = lnc.hasPerms('lnrpc.Lightning.SendPayment') || lnc.hasPerms('lnrpc.Lightning.SendPaymentSync')

And, is there a way to check it has a sane budget?

Not from the macaroon itself, as that info isn't encoded in the macaroon. But if you call into /lnrpc.Lightning/ChannelBalance from an account-restricted session, it will return the account balance (instead of the node's full balance).

Hope those answers are helpful (feel free to incorporate this into a document/PR if you like).

[huumn]

Soooooo helpful thank you!

I'll create a PR and put it in docs once I'm a bit further along with my implementation.