feat!(rpc): rpc.disable-auth flag (#3117)

In many setups, nodes are running in trusted environments and setting the jwt token is not necessary and very cumbersome. This PR enables a quick fix by providing a flag/config option to the RPC to disable auth. Breaking config. New flag: `--rpc.skip-auth`. New default config: ```toml [RPC] Address = "localhost" Port = "26658" SkipAuth = false ``` _______________ Comes from a discussion with @joroshiba at Astria.
celestiaorg · Jan 29, 2024 · 4850c90 · 4850c90
1 parent debad37
commit 4850c90
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 9 deletions.
diff --git a/api/rpc/server.go b/api/rpc/server.go
@@ -20,16 +20,17 @@ import (
 var log = logging.Logger("rpc")
 
 type Server struct {
-	srv      *http.Server
-	rpc      *jsonrpc.RPCServer
-	listener net.Listener
+	srv          *http.Server
+	rpc          *jsonrpc.RPCServer
+	listener     net.Listener
+	authDisabled bool
 
 	started atomic.Bool
 
 	auth jwt.Signer
 }
 
-func NewServer(address, port string, secret jwt.Signer) *Server {
+func NewServer(address, port string, authDisabled bool, secret jwt.Signer) *Server {
 	rpc := jsonrpc.NewServer()
 	srv := &Server{
 		rpc: rpc,
@@ -38,7 +39,8 @@ func NewServer(address, port string, secret jwt.Signer) *Server {
 			// the amount of time allowed to read request headers. set to the default 2 seconds
 			ReadHeaderTimeout: 2 * time.Second,
 		},
-		auth: secret,
+		auth:         secret,
+		authDisabled: authDisabled,
 	}
 	srv.srv.Handler = &auth.Handler{
 		Verify: srv.verifyAuth,
@@ -51,6 +53,9 @@ func NewServer(address, port string, secret jwt.Signer) *Server {
 // reached if a token is provided in the header of the request, otherwise only
 // methods with `read` permissions are accessible.
 func (s *Server) verifyAuth(_ context.Context, token string) ([]auth.Permission, error) {
+	if s.authDisabled {
+		return perms.AllPerms, nil
+	}
 	return authtoken.ExtractSignedPermissions(s.auth, token)
 }
 

diff --git a/nodebuilder/rpc/config.go b/nodebuilder/rpc/config.go
@@ -8,15 +8,17 @@ import (
 )
 
 type Config struct {
-	Address string
-	Port    string
+	Address  string
+	Port     string
+	SkipAuth bool
 }
 
 func DefaultConfig() Config {
 	return Config{
 		Address: defaultBindAddress,
 		// do NOT expose the same port as celestia-core by default so that both can run on the same machine
-		Port: defaultPort,
+		Port:     defaultPort,
+		SkipAuth: false,
 	}
 }
 

diff --git a/nodebuilder/rpc/constructors.go b/nodebuilder/rpc/constructors.go
@@ -37,5 +37,5 @@ func registerEndpoints(
 }
 
 func server(cfg *Config, auth jwt.Signer) *rpc.Server {
-	return rpc.NewServer(cfg.Address, cfg.Port, auth)
+	return rpc.NewServer(cfg.Address, cfg.Port, cfg.SkipAuth, auth)
 }
diff --git a/nodebuilder/rpc/flags.go b/nodebuilder/rpc/flags.go
@@ -3,13 +3,16 @@ package rpc
 import (
 	"fmt"
 
+	logging "github.com/ipfs/go-log/v2"
 	"github.com/spf13/cobra"
 	flag "github.com/spf13/pflag"
 )
 
 var (
+	log      = logging.Logger("rpc")
 	addrFlag = "rpc.addr"
 	portFlag = "rpc.port"
+	authFlag = "rpc.skip-auth"
 )
 
 // Flags gives a set of hardcoded node/rpc package flags.
@@ -26,6 +29,11 @@ func Flags() *flag.FlagSet {
 		"",
 		fmt.Sprintf("Set a custom RPC port (default: %s)", defaultPort),
 	)
+	flags.Bool(
+		authFlag,
+		false,
+		"Skips authentication for RPC requests",
+	)
 
 	return flags
 }
@@ -40,4 +48,12 @@ func ParseFlags(cmd *cobra.Command, cfg *Config) {
 	if port != "" {
 		cfg.Port = port
 	}
+	ok, err := cmd.Flags().GetBool(authFlag)
+	if err != nil {
+		panic(err)
+	}
+	if ok {
+		log.Warn("RPC authentication is disabled")
+		cfg.SkipAuth = true
+	}
 }