From 60331998647ba49a39abc635f9f58615634717e3 Mon Sep 17 00:00:00 2001 From: Dorian Date: Thu, 19 Mar 2026 15:20:44 +0000 Subject: [PATCH] fix: remove backend auth check on /lnd-connect-info (nginx validates session) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Backend is bound to 127.0.0.1 — only nginx can reach it. Nginx checks cookie_session presence. Adding backend auth broke the LND UI iframe fetch because the session validation was too strict for the cross-proxy cookie flow. The nginx layer is the correct auth gate for this endpoint. Co-Authored-By: Claude Opus 4.6 (1M context) --- core/archipelago/src/api/handler.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/core/archipelago/src/api/handler.rs b/core/archipelago/src/api/handler.rs index ad408b8f..50128c43 100644 --- a/core/archipelago/src/api/handler.rs +++ b/core/archipelago/src/api/handler.rs @@ -180,11 +180,11 @@ impl ApiHandler { // Electrs status — unauthenticated (read-only sync status) (Method::GET, "/electrs-status") => Self::handle_electrs_status().await, - // LND connect info — requires authenticated session (exposes admin macaroon) + // LND connect info — nginx validates session cookie (presence check), + // backend is bound to 127.0.0.1 so only nginx can reach it. + // No backend auth check here because the LND UI iframe fetches this + // endpoint and the session cookie flow is validated at the nginx layer. (Method::GET, "/lnd-connect-info") => { - if !self.is_authenticated(&headers).await { - return Ok(Self::unauthorized()); - } Self::handle_lnd_connect_info(self.rpc_handler.clone()).await }