Baking macaroons for tapd

[alex-georgiou]

Hello,

This is probably something I'm doing wrong, rather than a defect in the software.

I am a little confused as to how to bake macaroons for accessing the HTTPS REST API for tapd.

I am running litd, and tapd which connects to the local litd:

$ litd -V
litd version 0.17.0-beta commit=lightning-terminal-v0.12.0-alpha

$ tapd --version
tapd version 0.3.0-alpha commit=v0.3.0

With lnd/litd, I can use lncli bakemacaroon to generate any macaroon file to access the REST API on the default port 8080. However, for accessing the tapd REST API on 8089, there is no equivalent command in tapcli to bake a macaroon.

Moreover, lncli listpermissions lists a number of endpoints of the form /taprpc.TaprootAssets/*. Does this mean that I should be using lncli bakemacaroon to bake macaroons for tapd?

I noticed that the auto-generated ~/.tapd/data/testnet/admin.macaroon has a location of tapd:

$ lncli printmacaroon `xxd -p ~/.tapd/data/testnet/admin.macaroon | tr -d '\n'`
{
	"version": 2,
	"location": "tapd",
	"root_key_id": "0",
	"permissions": [
		"addresses:read",
...

..while macaroons for lnd have a location of lnd:

$ lncli printmacaroon `xxd -p ~/.lnd/data/chain/bitcoin/testnet/admin.macaroon | tr -d '\n'`
{
	"version": 2,
	"location": "lnd",
	"root_key_id": "0",
	"permissions": [
		"address:read",
...

I tried using lncli to create a macaroon for the tapd getinfo call:

lncli \
	--network=testnet \
	bakemacaroon \
	--ip_address 127.0.0.1 \
	uri:/taprpc.TaprootAssets/GetInfo

However when I use it to access the POST endpoint /v1/taproot-assets/getinfo, I get the standard macaroon error in the logs:

[ERR] RPCS: [/taprpc.TaprootAssets/GetInfo]: verification failed: signature mismatch after caveat verification

I know that my getinfo call is otherwise correct, because if I start tapd with --no-macaroons it returns the expected JSON response.

What is the recommended way to bake macaroons for tapd?

[guggero]

Hey. Sorry for getting back to you this late. The reason why you get an error is that the macaroon root key is different between lnd and tapd. So if you bake a macaroon in lnd, you get one that is signed/hashed with a key that only lnd knows. When tapd then tries to validate it, the verification fails for that reason.
So to do what you are trying to achieve, we would either need to implement baking macaroons in the tapd RPC as well.
Or, if you are running tapd as part of the Lightning Terminal (litd, see https://github.com/lightninglabs/lightning-terminal), you could bake a so called "super macaroon" that is valid for all daemons in the litd bundles (the gRPC/REST proxy basically swaps it out for the actual tapd macaroon transparently).

[alex-georgiou]

Hello, thank you for your reply.

I don't remember exactly why, but I wasn't able to use the built-in tapd that ships with litd, so I built tapd from source separately.

I will take your advice and try again with litd 0.12.1, since it looks like using macaroons with the bundle is the best solution.