diff --git a/core/archipelago/src/api/handler.rs b/core/archipelago/src/api/handler.rs
index ad408b8f..50128c43 100644
--- a/core/archipelago/src/api/handler.rs
+++ b/core/archipelago/src/api/handler.rs
@@ -180,11 +180,11 @@ impl ApiHandler {
 // Electrs status — unauthenticated (read-only sync status)
 (Method::GET, "/electrs-status") => Self::handle_electrs_status().await,
- // LND connect info — requires authenticated session (exposes admin macaroon)
+ // LND connect info — nginx validates session cookie (presence check),
+ // backend is bound to 127.0.0.1 so only nginx can reach it.
+ // No backend auth check here because the LND UI iframe fetches this
+ // endpoint and the session cookie flow is validated at the nginx layer.
 (Method::GET, "/lnd-connect-info") => {
- if !self.is_authenticated(&headers).await {
- return Ok(Self::unauthorized());
- }
 Self::handle_lnd_connect_info(self.rpc_handler.clone()).await
 }
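Review bot: Dropping `self.is_authenticated(&headers)` from the `/lnd-connect-info` arm removes the only backend check on a response that, per the removed comment, carries the admin macaroon, and the new comment itself describes the nginx-side control as a cookie "presence check" — presence is not validation, so a request carrying any cookie of that name would be proxied through and receive the macaroon. The 127.0.0.1 binding limits who can open the socket directly, not what nginx forwards, and any other process on the host can still reach the backend port. Keep the check as defense in depth, `if !self.is_authenticated(&headers).await { return Ok(Self::unauthorized()); }`, and if the iframe fetch is what fails, the cookie delivery rather than the server-side check looks like the thing to fix; alternatively have nginx actually validate the session (e.g. an auth subrequest to the backend) and reword the comment so it no longer claims nginx "validates" when it only checks presence. The enclosing handler function starts and ends outside this hunk.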