fix(API): mirror chia is_trusted_peer in /diagnostics trusted peers

TheLastCicada · TheLastCicada · commit 86c958bca7ab · 2026-06-03T15:21:07.000-07:00
Wallet get_connections does not return trusted status. Apply the same
localhost, trusted_peers, and trusted_cidrs rules the chia CLI uses so
localhost full-node connections are not falsely reported as untrusted.
diff --git a/src/routes/diagnostics.js b/src/routes/diagnostics.js
@@ -11,6 +11,8 @@
  * middleware returning 403), so there is no reduced-information path.
  */
 
+import net from 'net';
+
 import _ from 'lodash';
 
 import { getConfig, getConfigV2 } from '../utils/config-loader.js';
@@ -340,20 +342,77 @@ const normalizeNodeId = (id) => {
   return s.startsWith('0x') ? s.slice(2) : s;
 };
 
+// Mirrors chia's chia.util.network.is_localhost. The wallet trusts any
+// localhost peer unconditionally, so a connection to 127.0.0.1 is trusted
+// even when wallet.trusted_peers is left at its default placeholder.
+const LOCALHOST_HOSTS = new Set(['127.0.0.1', 'localhost', '::1', '0:0:0:0:0:0:0:1']);
+const stripBrackets = (host) => String(host ?? '').replace(/^\[/, '').replace(/\]$/, '');
+const isLocalhost = (peerHost) => LOCALHOST_HOSTS.has(stripBrackets(peerHost));
+
 /**
- * Cross-reference connected wallet peers against the trusted_peers map in
- * the chia config.yaml. Returns a small object suitable for embedding in
- * the diagnostics response, including whether at least one connection is
- * trusted.
+ * Mirror chia's chia.util.network.is_trusted_cidr: true when peerHost parses
+ * to an IP that falls inside any configured CIDR. Never throws -- a malformed
+ * CIDR entry is skipped rather than failing the whole diagnostics response.
+ */
+const isTrustedCidr = (peerHost, trustedCidrs) => {
+  if (!Array.isArray(trustedCidrs) || trustedCidrs.length === 0) return false;
+  const host = stripBrackets(peerHost);
+  const hostType = net.isIP(host);
+  if (hostType === 0) return false;
+  const hostFamily = hostType === 6 ? 'ipv6' : 'ipv4';
+
+  for (const cidr of trustedCidrs) {
+    const slash = String(cidr).lastIndexOf('/');
+    if (slash === -1) continue;
+    const network = String(cidr).slice(0, slash);
+    const prefix = Number(String(cidr).slice(slash + 1));
+    const netType = net.isIP(network);
+    if (netType === 0 || !Number.isInteger(prefix)) continue;
+    try {
+      const blockList = new net.BlockList();
+      blockList.addSubnet(network, prefix, netType === 6 ? 'ipv6' : 'ipv4');
+      if (blockList.check(host, hostFamily)) return true;
+    } catch {
+      // Malformed CIDR (e.g. prefix out of range) -- skip it.
+    }
+  }
+  return false;
+};
+
+/**
+ * Decide whether a single connection is trusted, mirroring chia's
+ * chia.util.network.is_trusted_peer (and the `chia peer`/`chia wallet show`
+ * CLI, which computes trust client-side -- the RPC does not return it):
+ *
+ *   trusted = is_localhost(host) OR node_id in trusted_peers OR is_trusted_cidr
+ *
+ * Returns the matched reason so the diagnostics output explains *why* a peer
+ * is trusted (e.g. a localhost full node is trusted even when trusted_peers
+ * still holds the default placeholder node id).
+ */
+const classifyTrust = (peerHost, nodeId, normalizedTrustedSet, trustedCidrs) => {
+  if (isLocalhost(peerHost)) return 'localhost';
+  if (normalizedTrustedSet && normalizedTrustedSet.has(normalizeNodeId(nodeId))) return 'configured';
+  if (isTrustedCidr(peerHost, trustedCidrs)) return 'cidr';
+  return null;
+};
+
+/**
+ * Cross-reference connected wallet peers against the chia config.yaml trust
+ * settings (wallet.trusted_peers + wallet.trusted_cidrs) plus chia's implicit
+ * localhost rule. Returns a small object suitable for embedding in the
+ * diagnostics response, including whether at least one connection is trusted.
  */
 const buildTrustedPeerView = (connectionsResult, chiaConfigResult) => {
   const view = {
     configuredTrustedNodeIds: [],
+    configuredTrustedCidrs: [],
     connected: [],
     hasTrustedConnection: false,
   };
 
   let normalizedTrustedSet = null;
+  let trustedCidrs = [];
   if (chiaConfigResult?.ok) {
     const trustedPeerMap = _.get(chiaConfigResult.value, 'wallet.trusted_peers', null);
     if (trustedPeerMap && typeof trustedPeerMap === 'object') {
@@ -364,18 +423,22 @@ const buildTrustedPeerView = (connectionsResult, chiaConfigResult) => {
       view.configuredTrustedNodeIds = keys;
       normalizedTrustedSet = new Set(keys.map(normalizeNodeId));
     }
+    const configuredCidrs = _.get(chiaConfigResult.value, 'wallet.trusted_cidrs', null);
+    if (Array.isArray(configuredCidrs)) {
+      trustedCidrs = configuredCidrs;
+      view.configuredTrustedCidrs = configuredCidrs;
+    }
   } else if (chiaConfigResult) {
     view.chiaConfigError = chiaConfigResult.error;
   }
 
   if (connectionsResult?.ok && connectionsResult.value?.success !== false) {
     const connections = connectionsResult.value?.connections || [];
     view.connected = connections.map((c) => {
-      const trusted = !!(
-        normalizedTrustedSet && normalizedTrustedSet.has(normalizeNodeId(c.nodeId))
-      );
+      const trustedReason = classifyTrust(c.peerHost, c.nodeId, normalizedTrustedSet, trustedCidrs);
+      const trusted = trustedReason !== null;
       if (trusted) view.hasTrustedConnection = true;
-      return { peerHost: c.peerHost, peerPort: c.peerPort, type: c.type, trusted };
+      return { peerHost: c.peerHost, peerPort: c.peerPort, type: c.type, trusted, trustedReason };
     });
   } else if (connectionsResult) {
     view.connectionsError = connectionsResult.ok
@@ -880,6 +943,9 @@ export const __test = {
   collectSubscriptions,
   buildTrustedPeerView,
   normalizeNodeId,
+  isLocalhost,
+  isTrustedCidr,
+  classifyTrust,
   collectOwnedStoreExpectations,
   escalateLostOwnedStores,
   StatusAccumulator,
diff --git a/tests/v2/integration/diagnostics.spec.js b/tests/v2/integration/diagnostics.spec.js
@@ -218,7 +218,6 @@ describe('/diagnostics endpoint', function () {
     });
 
     describe('buildTrustedPeerView', function () {
-      const { buildTrustedPeerView } = (async () => null)(); // placeholder to keep diff small
       it('matches connected peers against trusted_peers regardless of 0x prefix or case', function () {
         const view = diagnostics.__test.buildTrustedPeerView(
           {
@@ -237,18 +236,99 @@ describe('/diagnostics endpoint', function () {
         );
         expect(view.hasTrustedConnection).to.equal(true);
         expect(view.connected[0].trusted).to.equal(true);
+        expect(view.connected[0].trustedReason).to.equal('configured');
         expect(view.connected[1].trusted).to.equal(false);
+        expect(view.connected[1].trustedReason).to.equal(null);
         expect(view.configuredTrustedNodeIds).to.deep.equal(['abcdef12']);
       });
 
       it('reports empty trusted set when chia config has no trusted_peers', function () {
         const view = diagnostics.__test.buildTrustedPeerView(
-          { ok: true, value: { connections: [{ peerHost: 'h', peerPort: 0, type: 1, nodeId: 'aa' }] } },
+          { ok: true, value: { connections: [{ peerHost: '5.6.7.8', peerPort: 0, type: 1, nodeId: 'aa' }] } },
           { ok: true, value: { wallet: {} } },
         );
         expect(view.hasTrustedConnection).to.equal(false);
         expect(view.connected[0].trusted).to.equal(false);
         expect(view.configuredTrustedNodeIds).to.deep.equal([]);
+        expect(view.configuredTrustedCidrs).to.deep.equal([]);
+      });
+
+      it('trusts a localhost peer even when trusted_peers holds only the default placeholder', function () {
+        // Reproduces the real-world case: chia auto-trusts 127.0.0.1, but the
+        // config still contains the example placeholder node id, so a
+        // node-id-only check would wrongly report the peer as untrusted.
+        const view = diagnostics.__test.buildTrustedPeerView(
+          {
+            ok: true,
+            value: {
+              connections: [
+                { peerHost: '127.0.0.1', peerPort: 58444, type: 1, nodeId: 'bf628b52deadbeef' },
+              ],
+            },
+          },
+          {
+            ok: true,
+            value: {
+              wallet: {
+                trusted_peers: {
+                  '0ThisisanexampleNodeID7ff9d60f1c3fa270c213c0ad0cb89c01274634a7c3cb9': 'Does_not_matter',
+                },
+              },
+            },
+          },
+        );
+        expect(view.hasTrustedConnection).to.equal(true);
+        expect(view.connected[0].trusted).to.equal(true);
+        expect(view.connected[0].trustedReason).to.equal('localhost');
+      });
+
+      it('trusts a peer whose IP falls inside a configured trusted CIDR', function () {
+        const view = diagnostics.__test.buildTrustedPeerView(
+          {
+            ok: true,
+            value: {
+              connections: [
+                { peerHost: '10.0.0.5', peerPort: 8444, type: 1, nodeId: 'aa' },
+                { peerHost: '192.168.1.5', peerPort: 8444, type: 1, nodeId: 'bb' },
+              ],
+            },
+          },
+          { ok: true, value: { wallet: { trusted_cidrs: ['10.0.0.0/24'] } } },
+        );
+        expect(view.connected[0].trusted).to.equal(true);
+        expect(view.connected[0].trustedReason).to.equal('cidr');
+        expect(view.connected[1].trusted).to.equal(false);
+        expect(view.configuredTrustedCidrs).to.deep.equal(['10.0.0.0/24']);
+      });
+    });
+
+    describe('isLocalhost', function () {
+      it('recognizes the loopback hosts chia treats as localhost', function () {
+        const { isLocalhost } = diagnostics.__test;
+        expect(isLocalhost('127.0.0.1')).to.equal(true);
+        expect(isLocalhost('localhost')).to.equal(true);
+        expect(isLocalhost('::1')).to.equal(true);
+        expect(isLocalhost('[::1]')).to.equal(true);
+        expect(isLocalhost('0:0:0:0:0:0:0:1')).to.equal(true);
+        expect(isLocalhost('1.2.3.4')).to.equal(false);
+        expect(isLocalhost(null)).to.equal(false);
+      });
+    });
+
+    describe('isTrustedCidr', function () {
+      it('matches IPv4 and IPv6 addresses inside configured ranges', function () {
+        const { isTrustedCidr } = diagnostics.__test;
+        expect(isTrustedCidr('10.0.0.5', ['10.0.0.0/24'])).to.equal(true);
+        expect(isTrustedCidr('10.0.1.5', ['10.0.0.0/24'])).to.equal(false);
+        expect(isTrustedCidr('2001:db8::1', ['2001:db8::/32'])).to.equal(true);
+      });
+
+      it('never throws on malformed input', function () {
+        const { isTrustedCidr } = diagnostics.__test;
+        expect(isTrustedCidr('not-an-ip', ['10.0.0.0/24'])).to.equal(false);
+        expect(isTrustedCidr('10.0.0.5', ['garbage', '10.0.0.0/99', '10.0.0.0'])).to.equal(false);
+        expect(isTrustedCidr('10.0.0.5', [])).to.equal(false);
+        expect(isTrustedCidr('10.0.0.5', null)).to.equal(false);
       });
     });
 
