I host phoenixd instances for clients’ non-custodial wallets, removing the seed phrase from phoenix/seed.dat after clients save it to ensure they control funds.
However, admins can change the --http-password to access API endpoints and steal funds, undermining non-custodial guarantees.
Can phoenixd support an immutable HTTP password, hashed and stored in /data after initial setup, to prevent updates?
If not, are there alternative authentication methods (e.g., client-signed requests) to restrict admin access completely? Running acinq/phoenixd:latest on testnet.