add tls and authentication

riccardobl · Dec 31, 2024 · fc76058 · fc76058
1 parent 99e08e6
commit fc76058
Show file tree

Hide file tree

Showing 7 changed files with 70 additions and 18 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
 dist
+certs
diff --git a/README.md b/README.md
@@ -16,8 +16,11 @@ Configuration options can be specified via environment variables (all are option
 | `LNCD_LIMIT_ACTIVE_CONNECTIONS` | `210`           | Maximum number of active connections allowed.                               |
 | `LNCD_STATS_INTERVAL`    | `1m` | Interval for logging connection pool statistics.                            |
 | `LNCD_DEBUG`             | `false`         | Flag to enable or disable debug logging.                                    |
-| `LNCD_RECEIVER_PORT`     | `7167`          | Port on which the receiver server listens.                                  |
-| `LNCD_RECEIVER_HOST`     | `0.0.0.0`       | Host address on which the receiver server listens.                          |
+| `LNCD_PORT`     | `7167`          | Port on which the  server listens.                                  |
+| `LNCD_HOST`     | `0.0.0.0`       | Host address on which the server listens.                          |
+| `LNCD_TLS_CERT_PATH`    | `""`            | Path to the TLS certificate file (empty to disable TLS).                   |
+| `LNCD_TLS_KEY_PATH`     | `""`            | Path to the TLS key file (empty to disable TLS).                           |
+| `LNCD_AUTH_TOKEN`       | `""`            | Bearer token required to access the server (empty to disable authentication). |
 | `LNCD_DEV_UNSAFE_LOG`    | `false`         | Enable or disable logging of sensitive data.                       |
 
 

diff --git a/build.sh b/build.sh
@@ -5,3 +5,4 @@ script_dir=$(dirname $0)
 cd "$script_dir/lncd"
 mkdir -p ../dist
 go build -o ../dist/lncd -tags="$RPC_TAGS" .
+cd ..
diff --git a/gen-devcerts.sh b/gen-devcerts.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+mkdir -p certs
+openssl req -x509 -newkey rsa:2048 -keyout certs/key.pem -out certs/cert.pem -days 365 -nodes \
+  -subj "/C=IT/ST=Venice/L=Venice/O=LNCD/OU=LNCD/CN=localhost"
diff --git a/lncd/lncd.go b/lncd/lncd.go
@@ -61,8 +61,11 @@ var (
 	LNCD_LIMIT_ACTIVE_CONNECTIONS = getEnvAsInt("LNCD_LIMIT_ACTIVE_CONNECTIONS", 210)
 	LNCD_STATS_INTERVAL           = getEnvAsDuration("LNCD_STATS_INTERVAL", 1*time.Minute)
 	LNCD_DEBUG                    = getEnvAsBool("LNCD_DEBUG", false)
-	LNCD_RECEIVER_PORT 		      = getEnv("LNCD_RECEIVER_PORT", "7167")
-	LNCD_RECEIVER_HOST 		      = getEnv("LNCD_RECEIVER_HOST", "0.0.0.0")
+	LNCD_PORT 		              = getEnv("LNCD_PORT", "7167")
+	LNCD_HOST 		              = getEnv("LNCD_HOST", "0.0.0.0")
+	LNCD_AUTH_TOKEN               = getEnv("LNCD_AUTH_TOKEN", "")
+	LNCD_TLS_CERT_PATH            = getEnv("LNCD_TLS_CERT_PATH", "")
+	LNCD_TLS_KEY_PATH             = getEnv("LNCD_TLS_KEY_PATH", "")
 )
 
 // //////////////////////////////
@@ -436,8 +439,23 @@ func parseKeys(localPrivKey, remotePubKey string) (
 	return localStaticKey, remoteStaticKey, nil
 }
 
-
-
+func authMiddleware(next http.HandlerFunc) http.HandlerFunc {
+    return func(w http.ResponseWriter, r *http.Request) {
+		if LNCD_AUTH_TOKEN != "" {
+			authHeader := r.Header.Get("Authorization")
+			if !strings.HasPrefix(authHeader, "Bearer ") {
+				writeJSONError(w, "Unauthorized", http.StatusUnauthorized)
+				return
+			}
+        	token := strings.TrimPrefix(authHeader, "Bearer ")
+        	if token != LNCD_AUTH_TOKEN {
+            	writeJSONError(w, "Unauthorized", http.StatusUnauthorized)
+            	return
+        	}
+		}
+        next.ServeHTTP(w, r)
+    }
+}
 
 func main() {
 	shutdownInterceptor, err := signal.Intercept()
@@ -452,24 +470,37 @@ func main() {
 	log.Infof("LNCD_LIMIT_ACTIVE_CONNECTIONS: %v", LNCD_LIMIT_ACTIVE_CONNECTIONS)
 	log.Infof("LNCD_STATS_INTERVAL: %v", LNCD_STATS_INTERVAL)
 	log.Infof("LNCD_DEBUG: %v", LNCD_DEBUG)
-	log.Infof("LNCD_RECEIVER_PORT: %v", LNCD_RECEIVER_PORT)
-	log.Infof("LNCD_RECEIVER_HOST: %v", LNCD_RECEIVER_HOST)
-	log.Debugf("debug enabled")
+	log.Infof("LNCD_PORT: %v", LNCD_PORT)
+	log.Infof("LNCD_HOST: %v", LNCD_HOST)
+	log.Infof("LNCD_TLS_CERT_PATH: %v", LNCD_TLS_CERT_PATH)
+	log.Infof("LNCD_TLS_KEY_PATH: %v", LNCD_TLS_KEY_PATH)
+
 	if UNSAFE_LOGS {
+		log.Info("LNCD_AUTH_TOKEN: %v", LNCD_AUTH_TOKEN)
 		log.Infof("!!! UNSAFE LOGGING ENABLED !!!")
 	}
+	log.Debugf("debug enabled")
 
 	var pool *ConnectionPool = NewConnectionPool()
 	startStatsLoop(pool)
 
-	http.HandleFunc("/rpc", rpcHandler(pool))
+	http.HandleFunc("/rpc", authMiddleware(rpcHandler(pool)))
+	http.HandleFunc("/health", authMiddleware(healthCheckHandler))
 	http.HandleFunc("/", formHandler)
-	http.HandleFunc("/health", healthCheckHandler)
 
-	log.Infof("Server started at "+LNCD_RECEIVER_HOST+":" + LNCD_RECEIVER_PORT)
-	if err := http.ListenAndServe(LNCD_RECEIVER_HOST+":"+LNCD_RECEIVER_PORT, nil); err != nil {
-		log.Errorf("Error starting server: %v", err)
-		exit(err)
+	log.Infof("Server starting at "+LNCD_HOST+":" + LNCD_PORT)	
+	var isTLS = LNCD_TLS_CERT_PATH != "" && LNCD_TLS_KEY_PATH != ""
+	if isTLS {
+		log.Infof("TLS enabled")
+		if err := http.ListenAndServeTLS(LNCD_HOST+":"+LNCD_PORT, LNCD_TLS_CERT_PATH, LNCD_TLS_KEY_PATH, nil); err != nil {
+			log.Errorf("Error starting server: %v", err)
+			exit(err)
+		}
+	} else {
+		if err := http.ListenAndServe(LNCD_HOST+":"+LNCD_PORT, nil); err != nil {
+			log.Errorf("Error starting server: %v", err)
+			exit(err)
+		}
 	}
 
 	<-shutdownInterceptor.ShutdownChannel()

diff --git a/lncd/ui.go b/lncd/ui.go
@@ -13,6 +13,7 @@ func formHandler(w http.ResponseWriter, r *http.Request) {
                     event.preventDefault();
                     const form = event.target;
 					const response = document.getElementById('response');
+                    const authToken = form.authtoken.value;
                     const data = {
                         Connection: {
                             Mailbox: form.mailbox.value,
@@ -26,7 +27,8 @@ func formHandler(w http.ResponseWriter, r *http.Request) {
                     fetch('/rpc', {
                         method: 'POST',
                         headers: {
-                            'Content-Type': 'application/json'
+                            'Content-Type': 'application/json',
+                            'Authorization': 'Bearer ' + authToken
                         },
                         body: JSON.stringify(data)
                     })
@@ -53,6 +55,8 @@ func formHandler(w http.ResponseWriter, r *http.Request) {
         <body>
             <h1>LNCD Test Form</h1>
             <form onsubmit="submitForm(event)">
+                <label for="mailbox">AuthToken:</label><br>
+                <input value="" type="text" id="authtoken" name="authtoken"><br>
                 <label for="mailbox">Mailbox:</label><br>
                 <input value="mailbox.terminal.lightning.today:443" type="text" id="mailbox" name="mailbox"><br>
                 <label for="pairingPhrase">Pairing Phrase:</label><br>

diff --git a/run.sh b/run.sh
@@ -1,8 +1,16 @@
 #!/bin/bash
 source build.sh
-chmod +x ../dist/lncd
+chmod +x dist/lncd
+cd dist
+
 export LNCD_DEBUG="true"
 export LNCD_TIMEOUT="1m"
 export LNCD_STATS_INTERVAL="10s"
 export LNCD_DEV_UNSAFE_LOG="true"
-../dist/lncd
+
+if [ -f ../certs/cert.pem ]; then
+  export LNCD_TLS_CERT_PATH="../certs/cert.pem"
+  export LNCD_TLS_KEY_PATH="../certs/key.pem"
+fi
+
+./lncd