I want to enable API calls to my full node from a host besides localhost. The question is what startup flags or equivalent entries in an .ini config file do I need to make authenticated API calls?
From my experience these configurations are required:
API_HOST = 0.0.0.0
IRI_OPTIONS = "--remote"
REMOTE_AUTH = user:pw
(user is a username and pw a password.)
With this setup I need to provide a flag --user usr:pw if I use curl. Example call:
curl --user usr:pw http://public-fullnodenode-ip:port -X POST -H 'Content-Type: application/json' -H 'X-IOTA-API-Version: 1' -d '{"command": "getNeighbors"}'
The auth info --user usr:pw matches the entry in my full node config .ini REMOTE_AUTH = user:pw.
This works but is probably not the correct way, because according to the startup flag documentation it should be a username:hashedpassword combination, not a username:password combination:
--remote-auth
Require authentication password for accessing remotely. Requires a correct username:hashedpassword combination. Example input: --remote-auth iotatoken:LL9EZFNCHZCMLJLVUBCKJSWKFEXNYRHHMYS9XQLUZRDEKUUDOCMBMRBWJEMEDDXSDPHIGQULENCRVEYMO
So how is it done the correct way?
What hash algorithm should be used? And in the curl call, is a password (not the hash) still provided after --user?
The API call with curl is not transport encrypted, right? Is it insecure to use the --user flag?
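
For reference on the last point, an added example (not part of the original post) that rebuilds the request curl writes for the call above and shows what a passive observer on the network path can read from it. It assumes curl's default HTTP Basic scheme for --user; the host name and port are constructed placeholders.

```python
import base64
from urllib.parse import urlsplit

URL = "http://node.example:14265"      # constructed placeholder host and port
BODY = '{"command": "getNeighbors"}'   # request body from the post


def basic_auth_header(user: str, password: str) -> str:
    """Authorization header value produced by `curl --user user:password`."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def build_request(url: str, user: str, password: str, body: str) -> bytes:
    """Bytes of the HTTP/1.1 request, roughly as curl writes them to the socket."""
    parts = urlsplit(url)
    lines = [
        f"POST {parts.path or '/'} HTTP/1.1",
        f"Host: {parts.netloc}",
        f"Authorization: {basic_auth_header(user, password)}",
        "Content-Type: application/json",
        "X-IOTA-API-Version: 1",
        f"Content-Length: {len(body.encode('utf-8'))}",
        "",
        body,
    ]
    return "\r\n".join(lines).encode("utf-8")


def credentials_seen_by_observer(url: str, raw_request: bytes):
    """Return (user, password) readable on the wire, or None when TLS hides them."""
    if urlsplit(url).scheme == "https":
        return None  # headers travel inside the encrypted TLS channel
    for line in raw_request.split(b"\r\n"):
        if line == b"":
            break  # blank line ends the header section
        name, _, value = line.partition(b":")
        value = value.strip()
        if name.lower() == b"authorization" and value.startswith(b"Basic "):
            # Base64 is an encoding, not encryption: decoding needs no key.
            decoded = base64.b64decode(value[len(b"Basic "):]).decode("utf-8")
            user, _, password = decoded.partition(":")
            return user, password
    return None


if __name__ == "__main__":
    raw = build_request(URL, "user", "pw", BODY)
    print(raw.decode("utf-8"))
    print("observer recovers:", credentials_seen_by_observer(URL, raw))
```

The same request sent to an https:// URL, for example through a TLS-terminating reverse proxy in front of the node, carries the header inside the encrypted channel.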