Skip to content

Add HMAC-based authentication for RPC/CLI #88

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
benthecarman wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add HMAC-based authentication for RPC/CLI #88

benthecarman wants to merge 1 commit into from

Conversation

@benthecarman
Copy link
Collaborator

@benthecarman benthecarman commented Dec 18, 2025
edited
Loading

Implements time-based HMAC-SHA256 authentication using a shared API key.
Each request includes a timestamp and HMAC in the X-Auth header, preventing
replay attacks with a 60-second tolerance window.

@benthecarman benthecarman requested a review from tnull December 18, 2025 05:31
@benthecarman benthecarman self-assigned this Dec 18, 2025
@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Dec 18, 2025
edited
Loading

👋 Thanks for assigning @tnull as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

@benthecarman benthecarman force-pushed the auth branch 2 times, most recently from d0ff118 to 27f36c4 Compare December 18, 2025 05:47
@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Dec 20, 2025

🔔 1st Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Dec 22, 2025

🔔 2nd Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Dec 24, 2025

🔔 3rd Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Dec 27, 2025

🔔 4th Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Dec 29, 2025

🔔 5th Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Dec 31, 2025

🔔 6th Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Jan 3, 2026

🔔 7th Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Jan 5, 2026

🔔 8th Reminder

Hey @tnull! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

tnull
tnull reviewed Jan 5, 2026
View reviewed changes
Copy link
Collaborator

@tnull tnull left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So far we assumed the RPC API to not be publicly accessible. If we do assume it is, we should probably also start to take futher precautions (e.g., take a look at DoS protection, etc).

That said, I'm not against adding authentication to the RPC protocol, however, if we do:

  1. We should never transmit unhashed & unsalted passwords/credentials.
  2. Authentication's utility is very limited if we're sending credentials over unencrypted channels (actually, it might just give a false sense of security). So if we add authentication, we should probably start looking into (requiring) TLS for the RPC connections, and add corresponding helpers to generate and configure corresponding self-signed certificates.

@benthecarman benthecarman changed the title Require HTTP Basic Auth for all RPC/CLI Add HMAC-based authentication for RPC/CLI Jan 9, 2026
@benthecarman
Copy link
Collaborator Author

benthecarman commented Jan 9, 2026

Used claude to swith to a HMAC based approach instead, this way we aren't leaking the secrets in the request, working on the TLS stuff in a follow up

@benthecarman benthecarman force-pushed the auth branch 4 times, most recently from 3c5e9fc to 2f04d98 Compare January 9, 2026 21:06
@benthecarman @claude
Add HMAC-based authentication for RPC/CLI
bd0905b 
Implements time-based HMAC-SHA256 authentication using a shared API key.
Each request includes a timestamp and HMAC in the X-Auth header, preventing
replay attacks with a 60-second tolerance window.

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@benthecarman benthecarman mentioned this pull request Jan 9, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tnull tnull tnull left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@benthecarman benthecarman

Labels

None yet

Projects

Weekly Goals
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@benthecarman @ldk-reviews-bot @tnull