From 48dc4a606874a31c1f29d2cd2ab8e3aee55ca368 Mon Sep 17 00:00:00 2001
From: Dorian
Date: Thu, 19 Mar 2026 14:58:16 +0000
Subject: [PATCH] security: add is_authenticated check to /lnd-connect-info backend handler (AUTH-011)

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 core/archipelago/src/api/handler.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/archipelago/src/api/handler.rs b/core/archipelago/src/api/handler.rs
index 19f51e37..ad408b8f 100644
--- a/core/archipelago/src/api/handler.rs
+++ b/core/archipelago/src/api/handler.rs
@@ -180,8 +180,11 @@ impl ApiHandler {
 // Electrs status — unauthenticated (read-only sync status)
 (Method::GET, "/electrs-status") => Self::handle_electrs_status().await,
 
- // LND connect info — unauthenticated (read-only, localhost only)
+ // LND connect info — requires authenticated session (exposes admin macaroon)
 (Method::GET, "/lnd-connect-info") => {
+ if !self.is_authenticated(&headers).await {
+ return Ok(Self::unauthorized());
+ }
 Self::handle_lnd_connect_info(self.rpc_handler.clone()).await
 }
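Review bot: The new guard on the `/lnd-connect-info` arm is an authentication check only, while the updated comment says the response carries the admin macaroon; if `is_authenticated` accepts any valid session rather than an admin one (I cannot see its definition from this hunk), a lower-privileged session still obtains full wallet control, so this arm should also apply whatever admin/role authorization the handler uses for its other privileged routes, e.g. `if !self.is_authenticated(&headers).await || !<admin check>(&headers).await { return Ok(Self::unauthorized()); }`. The removed comment relied on the endpoint being "localhost only"; if that was never enforced in code, it is worth stating in the new comment that session auth is now the sole control, e.g. `// LND connect info — requires authenticated (admin) session; returns the admin macaroon, so no other network-level restriction is assumed`. The diffstat shows only handler.rs changed, so a regression test asserting an unauthenticated GET returns the `unauthorized()` response (and, if applicable, that a non-admin session does too) would keep AUTH-011 from regressing. Since the body is a credential, `handle_lnd_connect_info` should also send `Cache-Control: no-store` if it does not already; that function and the enclosing `match` continue outside this hunk.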