spacesprotocol
diff --git a/‎Cargo.lock
Lines changed: 1 addition & 0 deletions b/‎Cargo.lock
Lines changed: 1 addition & 0 deletions
diff --git a/‎client/Cargo.toml
Lines changed: 1 addition & 0 deletions b/‎client/Cargo.toml
Lines changed: 1 addition & 0 deletions
diff --git a/‎client/src/auth.rs
Lines changed: 26 additions & 33 deletions b/‎client/src/auth.rs
Lines changed: 26 additions & 33 deletions
diff --git a/‎client/src/bin/space-cli.rs
Lines changed: 34 additions & 13 deletions b/‎client/src/bin/space-cli.rs
Lines changed: 34 additions & 13 deletions
diff --git a/‎client/src/config.rs
Lines changed: 28 additions & 6 deletions b/‎client/src/config.rs
Lines changed: 28 additions & 6 deletions
@@ -27,6 +27,7 @@ clap = { version = "4.5.6", features = ["derive", "env"] }
 log = "0.4.21"
 serde = { version = "1.0.200", features = ["derive"] }
 hex = "0.4.3"
+rand = "0.8"
 jsonrpsee = { version = "0.22.5", features = ["server", "http-client", "macros"] }
 directories = "5.0.1"
 env_logger = "0.11.3"
 
@@ -1,21 +1,21 @@
+use base64::Engine;
+use hyper::{Body, HeaderMap, Request, Response, StatusCode};
 use std::{
     error::Error,
     future::Future,
     pin::Pin,
     sync::Arc,
     task::{Context, Poll},
 };
-use base64::Engine;
-use hyper::{Body, Request, Response, StatusCode, HeaderMap};
 use tower::{Layer, Service};
 
 #[derive(Debug, Clone)]
 pub(crate) struct BasicAuthLayer {
-    token: Option<String>,
+    token: String,
 }
 
 impl BasicAuthLayer {
-    pub fn new(token: Option<String>) -> Self {
+    pub fn new(token: String) -> Self {
         Self { token }
     }
 }
@@ -31,37 +31,23 @@ impl<S> Layer<S> for BasicAuthLayer {
 #[derive(Debug, Clone)]
 pub(crate) struct BasicAuth<S> {
     inner: S,
-    token: Option<Arc<str>>,
+    token: Arc<str>,
 }
 
 impl<S> BasicAuth<S> {
-    pub fn new(inner: S, token: Option<String>) -> Self {
+    pub fn new(inner: S, token: String) -> Self {
         Self {
             inner,
-            token: token.map(|t| Arc::from(t.as_str())),
+            token: Arc::from(token.as_str()),
         }
     }
 
     fn check_auth(&self, headers: &HeaderMap) -> bool {
-        let Some(expected_token) = &self.token else {
-            return true;
-        };
-
-        let auth_header = match headers.get("authorization") {
-            Some(header) => header,
-            None => return false,
-        };
-
-        let auth_str = match auth_header.to_str() {
-            Ok(s) => s,
-            Err(_) => return false,
-        };
-
-        if let Some(token_part) = auth_str.strip_prefix("Basic ") {
-            token_part == expected_token.as_ref()
-        } else {
-            false
-        }
+        headers
+            .get("authorization")
+            .and_then(|h| h.to_str().ok())
+            .and_then(|s| s.strip_prefix("Basic "))
+            .map_or(false, |token| token == self.token.as_ref())
     }
 
     fn unauthorized_response() -> Response<Body> {
@@ -82,7 +68,8 @@ where
 {
     type Response = S::Response;
     type Error = Box<dyn Error + Send + Sync + 'static>;
-    type Future = Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>> + Send + 'static>>;
+    type Future =
+        Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>> + Send + 'static>>;
 
     #[inline]
     fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
@@ -96,13 +83,19 @@ where
         }
 
         let fut = self.inner.call(req);
-        let res_fut = async move {
-            fut.await.map_err(|err| err.into())
-        };
+        let res_fut = async move { fut.await.map_err(|err| err.into()) };
         Box::pin(res_fut)
     }
 }
 
-pub fn basic_auth_token(user: &str, password: &str) -> String {
-    base64::prelude::BASE64_STANDARD.encode(format!("{user}:{password}"))
-}
+pub fn auth_cookie(user: &str, password: &str) -> String {
+    format!("{user}:{password}")
+}
+
+pub fn auth_token_from_cookie(cookie: &str) -> String {
+    base64::prelude::BASE64_STANDARD.encode(cookie)
+}
+
+pub fn auth_token_from_creds(user: &str, password: &str) -> String {
+    base64::prelude::BASE64_STANDARD.encode(auth_cookie(user, password))
+}
@@ -20,14 +20,13 @@ use jsonrpsee::{
 };
 use serde::{Deserialize, Serialize};
 use spaces_client::{
-    auth::basic_auth_token,
-    config::{default_spaces_rpc_port, ExtendedNetwork},
+    auth::{auth_token_from_cookie, auth_token_from_creds},
+    config::{default_cookie_path, default_spaces_rpc_port, ExtendedNetwork},
     deserialize_base64,
     format::{
         print_error_rpc_response, print_list_bidouts, print_list_spaces_response,
-        print_list_transactions, print_list_unspent, print_server_info,
-        print_list_wallets, print_wallet_balance_response, print_wallet_info, print_wallet_response,
-        Format,
+        print_list_transactions, print_list_unspent, print_list_wallets, print_server_info,
+        print_wallet_balance_response, print_wallet_info, print_wallet_response, Format,
     },
     rpc::{
         BidParams, ExecuteParams, OpenParams, RegisterParams, RpcClient, RpcWalletRequest,
@@ -55,6 +54,9 @@ pub struct Args {
     /// Spaced RPC URL [default: based on specified chain]
     #[arg(long)]
     spaced_rpc_url: Option<String>,
+    /// Spaced RPC cookie file path
+    #[arg(long, env = "SPACED_RPC_COOKIE")]
+    rpc_cookie: Option<PathBuf>,
     /// Spaced RPC user
     #[arg(long, requires = "rpc_password", env = "SPACED_RPC_USER")]
     rpc_user: Option<String>,
@@ -394,16 +396,35 @@ impl SpaceCli {
             args.spaced_rpc_url = Some(default_spaced_rpc_url(&args.chain));
         }
 
-        let client = HttpClientBuilder::default();
-        let client = if args.rpc_user.is_some() {
-            let token = basic_auth_token(args.rpc_user.as_ref().unwrap(), args.rpc_password.as_ref().unwrap());
-            let mut headers = hyper::http::HeaderMap::new();
-            headers.insert("Authorization", hyper::http::HeaderValue::from_str(&format!("Basic {token}")).unwrap());
-            client.set_headers(headers)
+        let auth_token = if args.rpc_user.is_some() {
+            auth_token_from_creds(
+                args.rpc_user.as_ref().unwrap(),
+                args.rpc_password.as_ref().unwrap(),
+            )
         } else {
-            client
+            let cookie_path = match &args.rpc_cookie {
+                Some(path) => path,
+                None => &default_cookie_path(&args.chain),
+            };
+            let cookie = fs::read_to_string(cookie_path).map_err(|e| {
+                anyhow!(
+                    "Failed to read cookie file '{}': {}",
+                    cookie_path.display(),
+                    e
+                )
+            })?;
+            auth_token_from_cookie(&cookie)
+        };
+        let client = {
+            let mut headers = hyper::http::HeaderMap::new();
+            headers.insert(
+                "Authorization",
+                hyper::http::HeaderValue::from_str(&format!("Basic {auth_token}")).unwrap(),
+            );
+            HttpClientBuilder::default()
+                .set_headers(headers)
+                .build(args.spaced_rpc_url.clone().unwrap())?
         };
-        let client = client.build(args.spaced_rpc_url.clone().unwrap())?;
 
         Ok((
             Self {
 
@@ -5,20 +5,23 @@ use std::{
     path::PathBuf,
 };
 
-use clap::{
-    ArgGroup, Parser, ValueEnum,
+use rand::{
+    distributions::Alphanumeric,
+    {thread_rng, Rng},
 };
+
+use clap::{ArgGroup, Parser, ValueEnum};
 use directories::ProjectDirs;
 use jsonrpsee::core::Serialize;
 use log::error;
 use serde::Deserialize;
 use spaces_protocol::bitcoin::Network;
 
 use crate::{
-    auth::basic_auth_token,
+    auth::{auth_token_from_cookie, auth_token_from_creds},
     source::{BitcoinRpc, BitcoinRpcAuth},
-    store::{LiveStore, Store},
     spaces::Spaced,
+    store::{LiveStore, Store},
 };
 
 const RPC_OPTIONS: &str = "RPC Server Options";
@@ -140,9 +143,21 @@ impl Args {
             .collect();
 
         let auth_token = if args.rpc_user.is_some() {
-            Some(basic_auth_token(args.rpc_user.as_ref().unwrap(), args.rpc_password.as_ref().unwrap()))
+            auth_token_from_creds(
+                args.rpc_user.as_ref().unwrap(),
+                args.rpc_password.as_ref().unwrap(),
+            )
         } else {
-            None
+            let cookie = format!(
+                "__cookie__:{}",
+                thread_rng()
+                    .sample_iter(&Alphanumeric)
+                    .take(64)
+                    .map(char::from)
+                    .collect::<String>()
+            );
+            fs::write(data_dir.join(".cookie"), &cookie)?;
+            auth_token_from_cookie(&cookie)
         };
 
         let bitcoin_rpc_auth = if let Some(cookie) = args.bitcoin_rpc_cookie {
@@ -228,6 +243,13 @@ fn get_default_node_dirs() -> ProjectDirs {
     })
 }
 
+pub fn default_cookie_path(network: &ExtendedNetwork) -> PathBuf {
+    get_default_node_dirs()
+        .data_dir()
+        .join(network.to_string())
+        .join(".cookie")
+}
+
 // from clap utilities
 pub fn safe_exit(code: i32) -> ! {
     use std::io::Write;