Tip of the day: Channel mode +f is a powerful anti-flood feature. It is also slightly complex. Enable it in your most important channels, and consider setting a default in set::modes-on-join.

Rpc-user block

From UnrealIRCd documentation wiki
Jump to navigation Jump to search

Via the rpc-user block you tell who is authorized to use JSON-RPC. This is not meant to allow end-users (real people) direct API access, but to allow software like the webpanel.

Syntax

rpc-user <name> {
    match <mask>;
    password <password>;
    rpc-class <rpcclass>;
}

Every RPC user authenticates with a name and password:

  • name: the name of the rpc-user block designates the username used for JSON-RPC logins
  • password: this is the password, it can be an hashed instead of using plaintext.
  • rpc-class: defines which methods can be called, this refers to an Rpc-class block. Only in UnrealIRCd 6.1.7 and later!
    You can use one of the build-in ones:
    • full: access to all JSON-RPC Methods
    • readonly: only access to like user.list, channel.list, server_ban.list, but not changing things like user.set_nick or server_ban.add.

Every block also has a match which is a Mask item. It is highly recommended to use strict filter on IP addresses, because:

  • API access is very powerful: you can grab a lot of (sensitive) information very fast, and also change and set things, wreak havoc very fast, when abused.
  • The UnrealIRCd webserver and JSON-RPC functionality is quite new. When a connection is made on the RPC server port, we first check if any of the rpc-user::match match. If not, we immediately reject the connection without even reading or parsing the request. Thus, with a strict rpc-user::match you limit the attack surface of all the JSON-RPC components a lot.

Example

rpc-user apiuser {
    match { ip 127.0.0.1; }
    password "test";
}
Retrieved from "https://www.unrealircd.org/docwiki/index.php?title=Rpc-user_block&oldid=14079"