Expose session's macaroon and/or full permission list #112
Description
In an effort to save people's feet from their own guns, we like to make sure they give us minimally permissible credentials to do what they want us to do.
The only API lnc-web exposes for permissions are hasPerms and isReadOnly. If we wanted to make sure a session only allows us to send offchain payments for instance, we'd need to make sure hasPerms returns false for every other possible permission the session could have.
Something like a listPermissions, or macaroon function even, would allow us to more efficiently/effectively do this check.
For reference, our lnd auto-withdrawals using the old fashioned non-TURNed configuration validate the macaroon by decoding it clientside and making sure the ops are strictly limited to either:
the ideal:
const INVOICABLE_MACAROON_OPS = [
{
entity: 'invoices',
actions: [
'read',
'write'
]
}
]the prebaked invoice macaroon:
const INVOICE_MACAROON_OPS = [
{
entity: 'address',
actions: [
'read',
'write'
]
},
{
entity: 'invoices',
actions: [
'read',
'write'
]
},
{
entity: 'onchain',
actions: [
'read'
]
}
]