Getting "Unauthorized Access" with RPC (using Python Requests)

Question

I can successfully do a getbalance RPC with digest authentication, e.g.:

url = "http://localhost:18082/json_rpc"
headers = {'content-type': 'application/json'}
rpc_input = {
       "method": "getbalance"
}
rpc_input.update({"jsonrpc": "2.0", "id": "0"})
response = requests.post(
    url,
    data=json.dumps(rpc_input),
    headers=headers,
    auth=HTTPDigestAuth('wallet_username', 'wallet_password'))
print(response.text)

However, when I want to do a create_wallet RPC I get an Unauthorized Access HTML response:

<html><head><title>Unauthorized Access</title></head><body><h1>401 Unauthorized</h1></body></html>

E.g.:

url = "http://localhost:18082/json_rpc"
headers = {'content-type': 'application/json'}
rpc_input = {
        "method": "create_wallet",
        "params": {"filename": "mytestwallet", "password": "mytestpassword", "language": "English"}
}
rpc_input.update({"jsonrpc": "2.0", "id": "0"})
response = requests.post(
    url,
    data=json.dumps(rpc_input),
    headers=headers,
    )
print(response.text)

I do notice that the create_wallet RPC does not take a wallet username parameter, could this be my problem, or am I missing something else? (Note that at https://getmonero.org/resources/developer-guides/wallet-rpc.html#create_wallet the example does include a filename parameter but no username parameter).

Answer 1

When digest authentication is activated in the monero-wallet-rpc program (with the rpc-login option), every RPC request must contain the authentication information.

So your request should be something like:

url = "http://localhost:18082/json_rpc"
headers = {'content-type': 'application/json'}
rpc_input = {
        "method": "create_wallet",
        "params": {"filename": "wallet_file", "password": "wallet_password", "language": "English"}
}
rpc_input.update({"jsonrpc": "2.0", "id": "0"})
response = requests.post(
    url,
    data=json.dumps(rpc_input),
    headers=headers,
    auth=HTTPDigestAuth('rpc_username', 'rpc_password'))
print(response.text)

There is no relation between the name and password required to connect to the RPC server of the monero-wallet-rpc program and the name and password of the wallet file.

They should be different, so that if someone gets to know the credentials of the RPC server (e.g. by reading your configuration file for monero-wallet-rpc or by listing the processes running on your machine and seeing what parameters were passed to the --rpc-login option), your wallet file is not compromised.