LNC Receiver (w/ microservice) #1763
@@ -779,6 +784,7 @@ async function upsertWallet ( | |||
if (testCreateInvoice) { | |||
try { | |||
await testCreateInvoice(data) | |||
await validate({ data, settings, skipGenerated: false }) |
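Review bot: `validate({ data, settings, skipGenerated: false })` is awaited after `testCreateInvoice(data)` inside the same `try`, so a test invoice is requested before the data has passed server-side validation; if the intent is to reject malformed wallet config before any external call, move the `validate` call ahead of `testCreateInvoice`, or add a comment stating why the test call has to run first. `settings` is also not introduced anywhere in the visible context, so a short comment saying where it comes from would help readers of this hunk.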
The changes in this file are not related to this PR specifically.
See #1769
So this means this PR is based on #1769?
yes
@@ -63,7 +63,7 @@ export function useWalletConfigurator (wallet) { | |||
throw err | |||
} | |||
} else if (canReceive({ def: wallet.def, config: serverConfig })) { | |||
const transformedConfig = await validateWallet(wallet.def, serverConfig) | |||
const transformedConfig = await validateWallet(wallet.def, serverConfig, { skipGenerated: true }) |
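Review bot: the new `{ skipGenerated: true }` option changes what `validateWallet` enforces on the client path, but nothing in the hunk says what a generated field is or why the client may skip it while the `upsertWallet` call site in this PR passes `skipGenerated: false`; add a one-line comment above this call stating the reason (for example, that generated values are produced server-side and so are not present in `serverConfig` here, if that is the case), so the contract between the two call sites is explicit to the next reader.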
The changes in this file are not related to this PR specifically.
See #1769
@@ -72,7 +72,7 @@ function composeWalletSchema (walletDef, serverSide, skipGenerated) { | |||
|
|||
if (clientOnly && serverSide) { | |||
// For server-side validation, accumulate clientOnly fields as vaultEntries | |||
vaultEntrySchemas[optional ? 'optional' : 'required'].push(vaultEntrySchema(name)) | |||
vaultEntrySchemas[(optional || generated) ? 'optional' : 'required'].push(vaultEntrySchema(name)) |
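Review bot: the comment above the changed line still says only that clientOnly fields are accumulated as vault entries, but the line now also puts any `generated` field into the `optional` bucket regardless of its own `optional` flag; update the comment to say so, since a reader of the vault schema would otherwise expect a generated field that is not marked optional to be required. The hunk also does not show where `generated` is declared, so confirm it is destructured alongside `optional` and `clientOnly` in the surrounding code rather than falling through as `undefined`.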
The changes in this file are not related to this PR specifically.
See #1769
lncd doesn't appear authenticated. Is the expectation that it's run in a VPC or that authentication is handled in a reverse proxy?
It only needs to be accessible by the backend, so the expectation was to run it in a VPC.
Everything we run in a VPC we also make authenticated, just in case, so we'll want to do that.
Do you have preferences for the authentication method? Does it need TLS?
Either basic or bearer auth is fine. Built-in TLS would be nice so I don't have to run a reverse proxy. Maybe we can gut lnd's gRPC auth/TLS? Or maybe that's more work than rolling our own.
Done, added bearer auth and TLS.
and these for the sn backend:
the health check endpoint is authenticated too:
not sure if this is desired or not, lmk if you prefer this to be not authenticated.
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| - | - | Generic Private Key | 04b959f | docker/lncd/certs/key.pem |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
I'd prefer it not be. It'll be a load balancer checking it without TLS.
Ok, I've added an unauthenticated HTTP /health endpoint that is configurable in the daemon (v0.3.2) using the env variables:
It defaults to
Description
An LNC receiver using a Go microservice, as discussed in #1342.
The microservice proxies LNC RPCs through a REST-like API and handles the connection lifecycle internally, reusing connections when possible and closing them once they have been unused for a while.
This PR also adds the microservice to sndev.
Closes #1141
Checklist
Are your changes backwards compatible? Please answer below:
yes
On a scale of 1-10 how well and how have you QA'd this change and any features it might affect? Please answer below:
8
Did you introduce any new environment variables? If so, call them out explicitly here:
`xxd -p -c0` (needed only if lncd uses TLS with a self-signed certificate)

Env variables for the microservice (we might need to tweak these for production):

| Variable | Value |
|---|---|
| LNCD_TIMEOUT | 5m |
| LNCD_LIMIT_ACTIVE_CONNECTIONS | 210 |
| LNCD_STATS_INTERVAL | 1m |
| LNCD_DEBUG | false |
| LNCD_PORT | 7167 |
| LNCD_HOST | 0.0.0.0 |
| LNCD_TLS_CERT_PATH | "" |
| LNCD_TLS_KEY_PATH | "" |
| LNCD_AUTH_TOKEN | "" |
| LNCD_DEV_UNSAFE_LOG | false |
| LNCD_HEALTHCHECK_SERVICE_PORT | 7168 |
| LNCD_HEALTHCHECK_SERVICE_HOST | 127.0.0.1 |

If LNCD_HEALTHCHECK_SERVICE_PORT and LNCD_HEALTHCHECK_SERVICE_HOST are set, an additional unauthenticated and unencrypted healthcheck endpoint will be listening on the specified port and host.
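The review thread above settles on bearer auth plus built-in TLS for lncd, with a separate unauthenticated health listener for the load balancer, and the table shows that LNCD_AUTH_TOKEN and both TLS paths default to empty while LNCD_HOST defaults to 0.0.0.0. The following is an added example, not the lncd daemon's code or anything from this repository: a minimal Go startup path that reads those LNCD_* variables with the page's defaults, refuses to start with an empty token or missing TLS unless LNCD_HOST is a loopback IP, enforces the bearer token with a constant-time compare, and serves /health on its own host:port without auth. `Config`, `LoadConfig`, `Problems` and `RequireBearer` are this example's names, and the loopback exception is this example's rule, not the daemon's.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net"
	"net/http"
	"os"
	"time"
)

// Config is the exposure-relevant subset of the LNCD_* variables from the PR description.
type Config struct {
	Host, Port, AuthToken   string
	TLSCertPath, TLSKeyPath string
	HealthHost, HealthPort  string
}

// LoadConfig reads the variables through an injectable getter (os.Getenv in production,
// a map in tests); the defaults are the ones listed on the page.
func LoadConfig(get func(string) string) Config {
	withDefault := func(key, def string) string {
		if v := get(key); v != "" {
			return v
		}
		return def
	}
	return Config{
		Host:        withDefault("LNCD_HOST", "0.0.0.0"),
		Port:        withDefault("LNCD_PORT", "7167"),
		AuthToken:   get("LNCD_AUTH_TOKEN"),
		TLSCertPath: get("LNCD_TLS_CERT_PATH"),
		TLSKeyPath:  get("LNCD_TLS_KEY_PATH"),
		HealthHost:  get("LNCD_HEALTHCHECK_SERVICE_HOST"),
		HealthPort:  get("LNCD_HEALTHCHECK_SERVICE_PORT"),
	}
}

// Problems lists the misconfigurations this example refuses to start with (this example's
// own rule): the page's defaults (0.0.0.0, empty token, no TLS) are acceptable only when the
// RPC listener is bound to a loopback IP. "localhost" does not parse as an IP: non-loopback.
func Problems(c Config) []error {
	var errs []error
	ip := net.ParseIP(c.Host)
	loopback := ip != nil && ip.IsLoopback()
	if !loopback && c.AuthToken == "" {
		errs = append(errs, errors.New("LNCD_AUTH_TOKEN is empty but LNCD_HOST is not loopback"))
	}
	if !loopback && (c.TLSCertPath == "" || c.TLSKeyPath == "") {
		errs = append(errs, errors.New("TLS cert/key paths unset but LNCD_HOST is not loopback"))
	}
	if (c.TLSCertPath == "") != (c.TLSKeyPath == "") {
		errs = append(errs, errors.New("LNCD_TLS_CERT_PATH and LNCD_TLS_KEY_PATH must be set together"))
	}
	return errs
}

// RequireBearer rejects requests whose Authorization header is not exactly "Bearer <token>".
// The compare is constant-time for equal-length inputs, and an empty configured token never
// matches, so an unset LNCD_AUTH_TOKEN cannot silently mean "open".
func RequireBearer(token string, next http.Handler) http.Handler {
	want := []byte("Bearer " + token)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := []byte(r.Header.Get("Authorization"))
		if token == "" || subtle.ConstantTimeCompare(got, want) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	cfg := LoadConfig(os.Getenv)
	if errs := Problems(cfg); len(errs) > 0 {
		for _, e := range errs {
			fmt.Fprintln(os.Stderr, "refusing to start:", e)
		}
		os.Exit(1)
	}
	// Optional plaintext, unauthenticated /health on its own host:port, as agreed in the
	// PR thread, so a load balancer can probe it without the bearer token.
	if cfg.HealthHost != "" && cfg.HealthPort != "" {
		health := http.NewServeMux()
		health.HandleFunc("/health", func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") })
		go func() { fmt.Fprintln(os.Stderr, http.ListenAndServe(net.JoinHostPort(cfg.HealthHost, cfg.HealthPort), health)) }()
	}
	rpc := http.NewServeMux() // the real LNC proxy routes would be registered here
	rpc.HandleFunc("/", func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "rpc placeholder") })
	srv := &http.Server{
		Addr:              net.JoinHostPort(cfg.Host, cfg.Port),
		Handler:           RequireBearer(cfg.AuthToken, rpc),
		ReadHeaderTimeout: 10 * time.Second,
	}
	if cfg.TLSCertPath != "" {
		fmt.Fprintln(os.Stderr, srv.ListenAndServeTLS(cfg.TLSCertPath, cfg.TLSKeyPath))
		return
	}
	fmt.Fprintln(os.Stderr, srv.ListenAndServe()) // only reached for a loopback LNCD_HOST
}
```

Run with the table's variables exported; with the page's defaults and nothing else set it exits with two refusals, which is the point of the check: an operator has to set the token and the TLS paths (or bind to a loopback address) explicitly rather than getting an open listener by omission.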