From acbac07a4270bb74099a783f7c5fa6128eb0fa52 Mon Sep 17 00:00:00 2001
From: jholdstock
Date: Sat, 4 Apr 2026 10:49:41 +0800
Subject: [PATCH] jsonrpc: Fix bugs in authenticate RPC.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `authenticate` RPC command is registered using the wallet's own named type `AuthenticateCmd` derived from the dcrd type `AuthenticateCmd`. In Go, this creates a distinct type. `types.AuthenticateCmd` and `dcrdtypes.AuthenticateCmd` are not interchangeable in type assertions. Since `dcrjson.ParseParams` returns `*types.AuthenticateCmd` (the registered type), this assertion always fails. When it fails, `ok` is `false`, and the function returns `false` at line 326 — meaning "not invalid" — regardless of what credentials were supplied. There is a second bug in the same function: if `ParseParams` itself fails (e.g., malformed params), `invalidAuth` also returns `false` (line 322), which is fail-open rather than fail-closed.
---
 internal/rpc/jsonrpc/server.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/internal/rpc/jsonrpc/server.go b/internal/rpc/jsonrpc/server.go
index 28ada699a..cbad13f6d 100644
--- a/internal/rpc/jsonrpc/server.go
+++ b/internal/rpc/jsonrpc/server.go
@@ -24,7 +24,6 @@ import (
 "decred.org/dcrwallet/v5/rpc/jsonrpc/types"
 "github.com/decred/dcrd/chaincfg/v3"
 "github.com/decred/dcrd/dcrjson/v4"
- dcrdtypes "github.com/decred/dcrd/rpc/jsonrpc/types/v4"
 "github.com/gorilla/websocket"
 )
 
@@ -319,13 +318,13 @@ func idPointer(id any) (p *any) {
 func (s *Server) invalidAuth(req *dcrjson.Request) bool {
 cmd, err := dcrjson.ParseParams(types.Method(req.Method), req.Params)
 if err != nil {
- return false
+ return true
 }
- authCmd, ok := cmd.(*dcrdtypes.AuthenticateCmd)
+ authCmd, ok := cmd.(*types.AuthenticateCmd)
 if !ok {
- return false
+ return true
 }
- // Authenticate commands are invalid when no basic auth is used
+ // Authenticate commands are invalid when no basic auth is used.
 if s.authsha == nil {
 return true
 }
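Review bot: The two fail-closed returns in `invalidAuth` (the `err != nil` branch and the `!ok` branch) arrive without a regression test; the diffstat shows only server.go changed, so a later change to how `authenticate` is registered could silently bring the bypass back. A table-driven test that passes malformed params, a request whose method does not parse to `*types.AuthenticateCmd`, and wrong credentials, expecting `true` for each, would pin the behaviour. Because the return value is inverted (true means reject), which is what made the old `return false` easy to overlook, a comment above the function would help unless one already sits above the hunk, for example `// invalidAuth reports whether req must be rejected; any parse or type-assertion failure is treated as invalid (fail closed).` The function body continues past the end of the hunk, so the credential comparison itself is not covered by this review.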