Our desktop application is using a Go process that binds to a localhost port. The problem is that this port is accessible to any computer on the local network. And maybe even a bigger problem is the fact that due to very open CORS rules, any website can make fetch requests to your localhost daemon, causing all kinds of problems.

To prevent these problems, the daemon needs some layer of authentication. And if we design this layer thoughtfully, we can also unlock some cool use cases for us, like serving and even editing private documents on the web.

The basic idea is that the daemon needs to know who's talking to it.

With all the recent talk about how quantum computers could become a threat for asymmetric crypto sooner than we thought before, it would be nice if this authentication layer would not solely rely on Ed25519 signing keys. The current idea we discussed is to let the daemon issue session tokens/cookies to users who authenticate, and then use those sessions as a lighter-weight authentication mechanism.

 has been raving about Macaroons since the very beginning of Seed (formerly Mintter). And LND has been one of the practical examples of implementing macaroon-based auth for their daemon. You can read their docs for more details.

I want our system to implement something similar. Something that could protect the daemon when it's running as a sidecar to the desktop app, and also when it's running as a multi-tenant service in our server-side infrastructure.

CC:    .