There's a thought (and a question) I had a while back, but that came back to mind today as I was thinking about all the things that could be built upon the BitShares platform (happens to me a lot), and which is the following:
would it be a lot of work to implement some sort of access control to the RPC calls to the client?
I originally had this question when using a small RPC proxy to the client to be able to do some Ajax calls from a webpage, however I didn't feel very comfortable that this proxy had unrestricted access to my client (which was also running my delegate at the time).
There are also the tools that I'm working on, which (understandably so) people don't necessarily feel comfortable running (unless properly reviewed before) as they could easily steal their private keys if they had access to an unlocked wallet.
Something like that would be nice in the config.json file:

    "rpc": {
        "enable": true,
        "users": [
            {
                "rpc_user": "web_client",
                "rpc_password": "password1",
                "rpc_methods_allowed": ["get_info", "about", "blockchain_get_blocks"]
            },
            {
                "rpc_user": "bts_tools",
                "rpc_password": "password2",
                "rpc_methods_allowed": ["get_info", "blockchain_get_delegate_slot_records", "wallet_publish_feeds"]
            }
        ],
        "httpd_endpoint": "127.0.0.1:5678"
    }

Maybe also having the "rpc_methods_forbidden" property would be nice, which would allow things like:

    "rpc_methods_allowed": ["*"],
    "rpc_methods_forbidden": ["wallet_dump_private_key"]

although it's generally better to always whitelist instead of blacklisting methods, so we could probably do with only "rpc_methods_allowed" at the beginning.
I know that there are other priorities right now in the development of the wallet, but if this is not too much work, I think it'd be very nice to have (probably this could also help for integration in gateways, as it would allow having a Python/PHP/... interface to the client which has limited access to what the client can do).
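
A sketch of how the per-user method allowlist proposed in the post above could be evaluated, as an added example that is not part of the original post and not BitShares code. The config keys are the ones the post proposes; the `authorize` function, the `admin_tool` user and the sample passwords are constructed for illustration.

```python
import hmac
import json

# Constructed sample config using the key names proposed in the post.
# These keys are the post's proposal, not an existing client option.
SAMPLE_CONFIG = json.loads("""
{
  "rpc": {
    "enable": true,
    "users": [
      {"rpc_user": "web_client", "rpc_password": "password1",
       "rpc_methods_allowed": ["get_info", "about", "blockchain_get_blocks"]},
      {"rpc_user": "admin_tool", "rpc_password": "password3",
       "rpc_methods_allowed": ["*"],
       "rpc_methods_forbidden": ["wallet_dump_private_key"]}
    ],
    "httpd_endpoint": "127.0.0.1:5678"
  }
}
""")


def authorize(config, user, password, method):
    """Return True only if the credentials match and the method is permitted."""
    rpc = config.get("rpc", {})
    if not rpc.get("enable", False):
        return False
    matched = None
    for entry in rpc.get("users", []):
        # Compare against every entry in constant time so response timing
        # does not reveal which user names exist.
        user_ok = hmac.compare_digest(entry["rpc_user"].encode(), user.encode())
        pass_ok = hmac.compare_digest(entry["rpc_password"].encode(), password.encode())
        if user_ok and pass_ok:
            matched = entry
    if matched is None:
        return False
    allowed = matched.get("rpc_methods_allowed", [])    # missing key: deny all
    forbidden = matched.get("rpc_methods_forbidden", [])
    if method in forbidden:                             # deny wins over "*"
        return False
    return "*" in allowed or method in allowed
```

The check is default-deny: a user entry with no `rpc_methods_allowed` key can call nothing, and an entry in `rpc_methods_forbidden` overrides the `"*"` wildcard.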