Rpc-user block

From UnrealIRCd documentation wiki

The rpc-user block defines who is authorized to use JSON-RPC. It is not meant to give end-users (real people) direct API access, but to grant access to software such as the webpanel.

Syntax

rpc-user <name> {
    match <mask>;
    password <password>;
}

Every RPC user authenticates with a name and password:

  • name: the name of the rpc-user block designates the username used for JSON-RPC logins
  • password: the password for this user; it can be hashed instead of stored as plaintext.

Every block also has a match, which is a Mask item. It is highly recommended to use a strict filter on IP addresses, because:

  • API access is very powerful: when abused, it can be used to grab a lot of (sensitive) information very fast, and also to change and set things and wreak havoc very fast.
  • The UnrealIRCd webserver and JSON-RPC functionality is quite new. When a connection is made on the RPC server port, we first check whether any rpc-user::match matches. If not, we immediately reject the connection without even reading or parsing the request. Thus, a strict rpc-user::match greatly limits the attack surface of all the JSON-RPC components.

Example

rpc-user apiuser {
    match { ip 127.0.0.1; }
    password "test";
}
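
An added example, not part of the UnrealIRCd documentation: a small Python audit that reads rpc-user blocks in the syntax shown above and reports ip masks that are not strict and passwords stored as plaintext. The 256-address threshold, the rule that a stored hash starts with "$", and the sample config are assumptions; comments inside the config file are not handled.

```python
import ipaddress
import re

MAX_HOSTS = 256  # assumed policy threshold for "strict", not an UnrealIRCd setting
# Constructed sample config. The second block and its hash value are placeholders.
SAMPLE_CONF = '''
rpc-user apiuser {
    match { ip 127.0.0.1; }
    password "test";
}
rpc-user panel {
    match { ip *; }
    password "$argon2id$PLACEHOLDER";
}
'''

def rpc_user_blocks(conf):
    """Yield (name, body) per rpc-user block, following nested braces."""
    for m in re.finditer(r'rpc-user\s+([^\s{]+)\s*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def is_strict(mask):
    """True for a single address or a CIDR range of at most MAX_HOSTS."""
    try:
        return ipaddress.ip_network(mask, strict=False).num_addresses <= MAX_HOSTS
    except ValueError:
        return False  # wildcards, hostnames and unparseable masks are not strict

def audit(conf):
    """Return (block name, finding) pairs for loose masks and plaintext passwords."""
    findings = []
    for name, body in rpc_user_blocks(conf):
        ips = re.findall(r'\bip\s+([^;\s]+)\s*;', body)
        if not ips:
            findings.append((name, 'no ip entry in match'))
        findings += [(name, f'broad ip mask {ip}') for ip in ips if not is_strict(ip)]
        pw = re.search(r'password\s+"([^"]*)"', body)
        # Assumption: a stored hash starts with "$"; anything else is plaintext.
        if pw and not pw.group(1).startswith('$'):
            findings.append((name, 'password looks like plaintext'))
    return findings

if __name__ == '__main__':
    print(*audit(SAMPLE_CONF), sep='\n')
```

Run against the page's own example block, it passes the 127.0.0.1 mask and flags the plaintext password "test".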