Skip to content

auth: relax authentication requirement when hosting on 127.0.0.1 #300

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 2 commits into from
Closed

auth: relax authentication requirement when hosting on 127.0.0.1 #300

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
12334e6
auth: relax authentication requirement when hosting on 127.0.0.1
lightclient Sep 6, 2022
cd62038
spelling
lightclient Sep 7, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/engine/authentication.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ Authentication is performed as follows:
- Clarification: The websocket handshake starts with the CL performing a websocket upgrade request. This is a regular http GET request, and the actual
parameters for the WS-handshake are carried in the http headers.
- For `inproc`, a.k.a raw ipc communication, no authentication is required, under the assumption that a process able to access `ipc` channels for the process, which usually means local file access, is already sufficiently permissioned that further authentication requirements do not add security.

- If the listening address is `127.0.0.1`, no authentication is required, under the assumption that sockets bound to the localhost cannot accept external connections and therefore are not susceptible to manipulation from remote adversaries. Furthermore, EL clients **SHOULD** reject requests where the `Origin` header field does not equal the current domain as the request most likey originated from a browser.

## JWT specifications

Expand Down