Description
Background
Basically any POST to uri:/lnrpc.Lightning/CheckMacaroonPermissions with a correctly encoded macaroon and no 'permissions' field will always return True. The 'fullMethod' field appears to be ignored.
Your environment
Tested response in lnd v0.18.4-beta and 0.19.1-beta in Polar v3.2.0 and a live instance of Debian 12.
Steps to reproduce
Following the API guide: https://lightning.engineering/api-docs/api/lnd/lightning/check-macaroon-permissions/ but change the macaroon to readonly and test a write method.
import base64, codecs, json, requests

REST_HOST = 'localhost:8080'
MACAROON_PATH = 'LND_DIR/data/chain/bitcoin/regtest/readonly.macaroon'
TLS_PATH = 'LND_DIR/tls.cert'
url = f'https://{REST_HOST}/v1/macaroon/checkpermissions'

# Hex form goes in the header, base64 form goes in the JSON body.
macaroon = codecs.encode(open(MACAROON_PATH, 'rb').read(), 'hex')
macaroon_raw = bytes.fromhex(macaroon.decode())
macaroon_base64 = base64.urlsafe_b64encode(macaroon_raw).decode()
headers = {'Grpc-Metadata-macaroon': macaroon}

# 1. Write method, read-only macaroon
data = {
    'macaroon': macaroon_base64,
    'fullMethod': '/lnrpc.Lightning/CloseChannel',
}
r = requests.post(url, headers=headers, data=json.dumps(data), verify=TLS_PATH)
print(r.json())
# Output: {'valid': True}

# 2. Method name that does not exist
data = {
    'macaroon': macaroon_base64,
    'fullMethod': 'foo',
}
r = requests.post(url, headers=headers, data=json.dumps(data), verify=TLS_PATH)
print(r.json())
# Output: {'valid': True}

# 3. No 'fullMethod' field at all
data = {
    'macaroon': macaroon_base64,
}
r = requests.post(url, headers=headers, data=json.dumps(data), verify=TLS_PATH)
print(r.json())
# Output: {'valid': True}
Expected behaviour
Response should be either {'valid': True} or {'valid': False}. At least, that's my understanding of the 'fullMethod' according to the documentation (which could stand for a bit more description).
Actual behaviour
The 'fullMethod' field is ignored, and the response is always {'valid': True} regardless of value, as long as the macaroon is correct.
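
A caller-side guard for the behaviour reported above, as an added example that is not part of the original report or of lnd: it never sends a check without an explicit `permissions` list and never trusts `valid` from a request that lacked one. The helper names (`build_check_body`, `is_authorized`) and the sample permission map are hypothetical, and it assumes lnd evaluates an explicit `permissions` list, which the report does not test.

```python
import base64

# Constructed sample of a method -> required-permissions map. Assumption: on a
# real node this map is obtained from lnd itself (for example its
# ListPermissions RPC) instead of being hard-coded; the entity/action pairs
# below are illustrative and must be verified against the node.
SAMPLE_METHOD_PERMISSIONS = {
    '/lnrpc.Lightning/CloseChannel': [
        {'entity': 'onchain', 'action': 'write'},
        {'entity': 'offchain', 'action': 'write'},
    ],
    '/lnrpc.Lightning/GetInfo': [
        {'entity': 'info', 'action': 'read'},
    ],
}


def build_check_body(macaroon_raw, full_method, method_permissions):
    """Build a CheckMacaroonPermissions body that always names permissions."""
    required = method_permissions.get(full_method)
    if not required:
        # Unknown method (such as 'foo') or an empty list: refuse to ask,
        # because the report shows such a request returns {'valid': True}.
        raise ValueError(f'no known permissions for {full_method!r}')
    return {
        'macaroon': base64.urlsafe_b64encode(macaroon_raw).decode(),
        'permissions': [dict(p) for p in required],
        'fullMethod': full_method,
    }


def is_authorized(body, response_json):
    """Trust 'valid' only when the request carried explicit permissions."""
    if not body.get('permissions'):
        return False
    return response_json.get('valid') is True
```

The body returned by `build_check_body` can be posted with the same `requests.post` call used in the reproduction steps.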