Harden LNURL-auth request handling#862

Merged
tnull merged 1 commit intolightningdevkit:mainfrom
benthecarman:ssrf-lnurl
Apr 3, 2026

Conversation

@benthecarman
Contributor

Enforce HTTPS for non-localhost URLs per LNURL spec and disable redirect following since the auth flow is a single GET request.

Enforce HTTPS for non-localhost URLs per LNURL spec and disable
redirect following since the auth flow is a single GET request.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@ldk-reviews-bot

ldk-reviews-bot commented Apr 1, 2026

I've assigned @tnull as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

@ldk-reviews-bot ldk-reviews-bot requested a review from tnull April 1, 2026 17:05
let domain = url.base_url();

// Enforce HTTPS for non-localhost URLs per LNURL spec.
let is_localhost = domain == "localhost" || domain == "127.0.0.1" || domain == "[::1]";
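Review bot: the allow-list on the last line is an exact, case-sensitive string match on `domain`, so `Localhost`, `127.0.0.2` or an IPv4-mapped `[::ffff:127.0.0.1]` all fall through to the HTTPS requirement; that is the conservative direction, but a comment stating that the list is deliberately narrow would stop a future reader from "fixing" it. The larger gap is that this check only selects the scheme: `http://localhost` and any `https://` target, including RFC 1918 or link-local addresses, are still fetched, so on its own it does not bound where the node sends the request. If the goal is to limit that, reject loopback and private ranges here (or compare `domain` against a caller-supplied expected host) rather than relying on the scheme rule alone.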
Collaborator

That's fine, but I do wonder if we should limit access to localhost/local network in general? Otherwise someone could prompt us to authenticate but have us make requests to arbitrary hosts, no? Maybe this method should take an expected hostname and abort if the decoded LNURL auth doesn't match that?

Contributor Author

I feel localhost and private networks can still be useful for testing.

I don't think the expected host name would really work. For most things you are just scanning a QR code and authenticating. It's not really the end of the world if you auth to the "wrong" place. Your auth key is tied to the domain, so the only real threat would be if someone DNS hijacked you or something.

Collaborator

Not so much authenticating, but it allows to have us make requests against random endpoints. Anyways, moving on for now.
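The URL policy described in the PR summary, and the stricter options discussed in the review thread above, as an added example in Rust. This is not ldk-node's code: `Policy`, `validate_lnurl_auth_url` and the hand-rolled `scheme_and_host` splitter are assumptions for illustration, and the `url.base_url()` helper from the diff is not used. The default `Policy` reproduces the PR's rule (HTTPS everywhere except loopback), generalised to the whole 127.0.0.0/8 range, `::1`, IPv4-mapped loopback and names under `localhost`, all compared case-insensitively. The two optional knobs model the reviewer's suggestions: deny loopback and private ranges outright, or pin the host the caller expects. Redirect handling is out of scope here; with a single GET the client simply treats a 3xx as failure, and this example does not construct an HTTP client.

```rust
use std::net::{IpAddr, Ipv4Addr};

/// Reasons an LNURL-auth callback URL is rejected before any request is made.
#[derive(Debug, PartialEq, Eq)]
pub enum UrlError {
    Malformed,
    UnsupportedScheme,
    InsecureScheme,
    PrivateHost,
    HostMismatch,
}

/// Hypothetical policy knobs (not ldk-node's API). `Default` is the PR's rule;
/// the two fields model the stricter options raised in review.
#[derive(Debug, Clone, Default)]
pub struct Policy {
    pub deny_private_networks: bool,
    pub expected_host: Option<String>,
}

fn valid_port(p: &str) -> bool {
    !p.is_empty() && p.len() <= 5 && p.bytes().all(|b| b.is_ascii_digit())
}

/// Minimal URL split: scheme and host are all the policy needs.
/// Returns (lowercased scheme, lowercased host with IPv6 brackets removed).
fn scheme_and_host(url: &str) -> Option<(String, String)> {
    let (scheme, rest) = url.split_once("://")?;
    let scheme_ok = !scheme.is_empty()
        && scheme.chars().all(|c| c.is_ascii_alphanumeric() || "+-.".contains(c));
    if !scheme_ok {
        return None;
    }
    // The authority ends at the first path, query or fragment delimiter.
    let end = rest.find(['/', '?', '#']).unwrap_or(rest.len());
    let authority = &rest[..end];
    // Drop any userinfo ("user:pw@host"); the last '@' is the separator.
    let hostport = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    let host = if let Some(bracketed) = hostport.strip_prefix('[') {
        // IPv6 literal: the host is everything up to the closing bracket.
        let (lit, after) = bracketed.split_once(']')?;
        match after.strip_prefix(':') {
            Some(port) if !valid_port(port) => return None,
            None if !after.is_empty() => return None,
            _ => lit,
        }
    } else {
        match hostport.rsplit_once(':') {
            Some((_, port)) if !valid_port(port) => return None,
            Some((h, _)) => h,
            None => hostport,
        }
    };
    if host.is_empty() {
        return None;
    }
    Some((scheme.to_ascii_lowercase(), host.to_ascii_lowercase()))
}

/// Loopback as a literal address or as a name that always resolves to loopback.
/// Named hosts other than "localhost" cannot be classified without DNS.
fn is_loopback_host(host: &str) -> bool {
    match host.parse::<IpAddr>() {
        Ok(IpAddr::V4(v4)) => v4.is_loopback(),
        Ok(IpAddr::V6(v6)) => {
            v6.is_loopback() || v6.to_ipv4_mapped().map_or(false, |v4| v4.is_loopback())
        }
        Err(_) => host == "localhost" || host.ends_with(".localhost"),
    }
}

fn is_private_v4(v4: Ipv4Addr) -> bool {
    v4.is_private() || v4.is_loopback() || v4.is_link_local()
        || v4.is_unspecified() || v4.is_broadcast()
}

/// Literal addresses in non-routable ranges (not exhaustive; DNS rebinding to a
/// private address must be caught at resolution time, not here).
fn is_private_host(host: &str) -> bool {
    match host.parse::<IpAddr>() {
        Ok(IpAddr::V4(v4)) => is_private_v4(v4),
        Ok(IpAddr::V6(v6)) => {
            if let Some(v4) = v6.to_ipv4_mapped() {
                return is_private_v4(v4);
            }
            let s0 = v6.segments()[0];
            v6.is_loopback() || v6.is_unspecified()
                || s0 & 0xfe00 == 0xfc00 // fc00::/7 unique local
                || s0 & 0xffc0 == 0xfe80 // fe80::/10 link local
        }
        Err(_) => is_loopback_host(host),
    }
}

/// Apply the policy; on success returns the normalised host the request may go to.
pub fn validate_lnurl_auth_url(url: &str, policy: &Policy) -> Result<String, UrlError> {
    let (scheme, host) = scheme_and_host(url).ok_or(UrlError::Malformed)?;
    match scheme.as_str() {
        "https" => {}
        "http" if is_loopback_host(&host) => {} // plain HTTP only to loopback
        "http" => return Err(UrlError::InsecureScheme),
        _ => return Err(UrlError::UnsupportedScheme),
    }
    if policy.deny_private_networks && is_private_host(&host) {
        return Err(UrlError::PrivateHost);
    }
    if let Some(expected) = &policy.expected_host {
        if !expected.eq_ignore_ascii_case(&host) {
            return Err(UrlError::HostMismatch);
        }
    }
    Ok(host)
}

fn main() {
    // Constructed sample URLs, run through the default (PR-equivalent) policy.
    let policy = Policy::default();
    for url in ["https://example.com/auth?tag=login", "http://example.com/auth", "http://localhost:3000/auth"] {
        println!("{url} -> {:?}", validate_lnurl_auth_url(url, &policy));
    }
}
```

With `deny_private_networks` set, `http://localhost` is rejected as well, which is the "limit access to localhost/local network in general" option; the PR's own behaviour is the default.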

@tnull tnull merged commit fadc74f into lightningdevkit:main Apr 3, 2026
9 of 19 checks passed
@benthecarman benthecarman deleted the ssrf-lnurl branch April 3, 2026 08:57