Allow setting private bitcoind connection through env vars

[Kukks]

I'm submitting a…

• Regression (a behavior that used to work and stopped working in a new release)
• Bug report
• Feature request
• Documentation issue or request
• Support request

Expected Behavior

You currently need to configure Caravan manually to use your private bitcoin node. If I am hosting Caravan remotely on a server, alongside a bitcoin node, it makes sense to have this automatically configured.

Current Behavior

Bitcoin Client => Private => enter details

Possible Solution

have BITCOIND_URL, BITCOIND_RPCUSER, BITCOINDRPCPASS options that node can read on start. Do not show the Bitcoin Client section.

[waldenraines]

I like the approach of allowing the node to be set via environment variables or via a config file (or both).

[bucko13]

Because Caravan is just a static website, just JS, HTML, and CSS, there is no Node environment that could hold and pass these values securely. There are ways with webpack, however, that you can inject env variables from the node process at build time (see this stackoverflow for some approaches), but note that this basically just allows you to pass these values in and inject them into the static code that is generated. I still like this approach though as a way for other services that might want to bundle Caravan and allow for easier connection, but it's unlikely that we'd add in support for the password field. Since this would get injected into the code in plain text, this exposes your node's username and password for any snooping service running in your browser or anything that might be able to gain access to the static js files.

That said, I think having just one extra step after loading up a wallet to enter your RPC password with everything else pre-configured at build time could be a really nice option and help with other integrations. RTL in the Raspiblitz is an example of something like this where you have to enter your password but everything else is pre-configured.

[Kukks]

Because Caravan is just a static website, just JS, HTML, and CSS, there is no Node environment that could hold and pass these values securely. There are ways with webpack, however, that you can inject env variables from the node process at build time (see this stackoverflow for some approaches), but note that this basically just allows you to pass these values in and inject them into the static code that is generated. I still like this approach though as a way for other services that might want to bundle Caravan and allow for easier connection, but it's unlikely that we'd add in support for the password field. Since this would get injected into the code in plain text, this exposes your node's username and password for any snooping service running in your browser or anything that might be able to gain access to the static js files.

That said, I think having just one extra step after loading up a wallet to enter your RPC password with everything else pre-configured at build time could be a really nice option and help with other integrations. RTL in the Raspiblitz is an example of something like this where you have to enter your password but everything else is pre-configured.

Thank you for that detailed explanation. I originally wanted to deploy this as an additional service within BTCPay Server's docker stack but this would actually be a security hole then since we have well known rpc user/pass combinations configured into the bitcoind running in internal docker network (where caravan would have access to it). I guess it would mean we would need to add an additional layer of some form of authentication to caravan( some deployed services such as ThunderHub, RTL, BTCPay Configurator, etc generate a local cookie file and btcpay generates a url with its contents. The service then validates, creates a session and regenerates the cookie file).