multi: add DisableUI option

ellemouton · ellemouton · commit 0ec95086a82b · 2023-03-17T11:16:22.000+02:00
Add a new `disableui` config option. If this option is set then the user
no longer needs to set the `uipassword` config option. This also means
that the user will no longer be able to interact with the local UI.
diff --git a/config.go b/config.go
@@ -143,9 +143,10 @@ type Config struct {
 	HTTPListen     string   `long:"insecure-httplisten" description:"The host:port to listen on with TLS disabled. This is dangerous to enable as credentials will be submitted without encryption. Should only be used in combination with Tor hidden services or other external encryption."`
 	EnableREST     bool     `long:"enablerest" description:"Also allow REST requests to be made to the main HTTP(s) port(s) configured above."`
 	RestCORS       []string `long:"restcors" description:"Add an ip:port/hostname to allow cross origin access from. To allow all origins, set as \"*\"."`
-	UIPassword     string   `long:"uipassword" description:"The password that must be entered when using the loop UI. use a strong password to protect your node from unauthorized access through the web UI."`
+	UIPassword     string   `long:"uipassword" description:"The password that must be entered when using the UI. Use a strong password to protect your node from unauthorized access through the web UI."`
 	UIPasswordFile string   `long:"uipassword_file" description:"Same as uipassword but instead of passing in the value directly, read the password from the specified file."`
 	UIPasswordEnv  string   `long:"uipassword_env" description:"Same as uipassword but instead of passing in the value directly, read the password from the specified environment variable."`
+	DisableUI      bool     `long:"disableui" description:"If set to true, no web UI will be served and so the uipassword will also not need to be set."`
 
 	LetsEncrypt       bool   `long:"letsencrypt" description:"Use Let's Encrypt to create a TLS certificate for the UI instead of using lnd's TLS certificate. Port 80 must be free to listen on and must be reachable from the internet for this to work."`
 	LetsEncryptHost   string `long:"letsencrypthost" description:"The host name to create a Let's Encrypt certificate for."`
@@ -424,13 +425,19 @@ func loadAndValidateConfig(interceptor signal.Interceptor) (*Config, error) {
 			return nil, err
 		}
 	}
-	err = readUIPassword(cfg)
-	if err != nil {
-		return nil, fmt.Errorf("could not read UI password: %v", err)
-	}
-	if len(cfg.UIPassword) < uiPasswordMinLength {
-		return nil, fmt.Errorf("please set a strong password for the "+
-			"UI, at least %d characters long", uiPasswordMinLength)
+
+	// If the web UI is enabled, a UI password must be provided.
+	if !cfg.DisableUI {
+		err = readUIPassword(cfg)
+		if err != nil {
+			return nil, fmt.Errorf("could not read UI password: %v",
+				err)
+		}
+		if len(cfg.UIPassword) < uiPasswordMinLength {
+			return nil, fmt.Errorf("please set a strong "+
+				"password for the UI, at least %d characters "+
+				"long", uiPasswordMinLength)
+		}
 	}
 
 	if cfg.Network != DefaultNetwork {
diff --git a/rpc_proxy.go b/rpc_proxy.go
@@ -333,7 +333,7 @@ func (p *rpcProxy) makeDirector(allowLitRPC bool) func(ctx context.Context,
 		authHeaders := md.Get("authorization")
 		macHeader := md.Get(HeaderMacaroon)
 		switch {
-		case len(authHeaders) == 1:
+		case len(authHeaders) == 1 && !p.cfg.DisableUI:
 			macBytes, err := p.basicAuthToMacaroon(
 				authHeaders[0], requestURI, nil,
 			)
@@ -482,6 +482,12 @@ func (p *rpcProxy) StreamServerInterceptor(srv interface{},
 func (p *rpcProxy) convertBasicAuth(ctx context.Context,
 	requestURI string, ctxErr error) (context.Context, error) {
 
+	// If the UI is disabled, then there is no UI password and so the
+	// request is required to have a macaroon in it.
+	if p.cfg.DisableUI {
+		return ctx, ctxErr
+	}
+
 	md, ok := metadata.FromIncomingContext(ctx)
 	if !ok {
 		return ctx, ctxErr
diff --git a/terminal.go b/terminal.go
@@ -1252,6 +1252,14 @@ func (g *LightningTerminal) startMainWebServer() error {
 			return
 		}
 
+		// If the UI is disabled, then we return a 401 here to prevent
+		// serving any of the static files.
+		if g.cfg.DisableUI {
+			resp.WriteHeader(http.StatusUnauthorized)
+
+			return
+		}
+
 		// If we got here, it's a static file the browser wants, or
 		// something we don't know in which case the static file server
 		// will answer with a 404.
@@ -1630,6 +1638,13 @@ func (g *LightningTerminal) showStartupInfo() error {
 		listenAddr = fmt.Sprintf("%s, %s", listenAddr, g.cfg.HTTPListen)
 	}
 
+	webInterfaceString := fmt.Sprintf(
+		"%s (open %s in your browser)", listenAddr, info.webURI,
+	)
+	if g.cfg.DisableUI {
+		webInterfaceString = "disabled"
+	}
+
 	str := "" +
 		"----------------------------------------------------------\n" +
 		" Lightning Terminal (LiT) by Lightning Labs               \n" +
@@ -1639,10 +1654,10 @@ func (g *LightningTerminal) showStartupInfo() error {
 		" LND Alias               %s                               \n" +
 		" LND Version             %s                               \n" +
 		" LiT Version             %s                               \n" +
-		" Web interface           %s (open %s in your browser)     \n" +
+		" Web interface           %s  			           \n" +
 		"----------------------------------------------------------\n"
 	fmt.Printf(str, info.mode, info.status, info.alias, info.version,
-		Version(), listenAddr, info.webURI)
+		Version(), webInterfaceString)
 
 	return nil
 }
