add whitelisting IPs

4 years ago · 743ca20470
parent f74f7b1f1a
commit 743ca20470
3 changed files with 21 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -57,10 +57,10 @@ You can change these to your liking.

 ### For SSO

- `HEADER_AUTH`: if true, enables authenthication via the HTTP header specified in `HEADER_AUTH_KEY` which generally populated at the reverse-proxy level.
+- `HEADER_AUTH`: if true, enables authenthication via the HTTP header specified in `HEADER_AUTH_KEY` which is generally populated at the reverse-proxy level.
 - `HEADER_AUTH_KEY`: if `HEADER_AUTH` is true, the header to look for the users username (like `Auth-User`)
 - `HEADER_AUTH_ROLE`: if `HEADER_AUTH` is true, the header to look for the users role ("user" | "admin", at the moment)
-
+- `HEADER_AUTH_WHITELISTED_IPS`: comma-separated list of IPs users can access Drift from using header authentication. Defaults to '127.0.0.1'. 
 ## Running with pm2

 It's easy to start Drift using [pm2](https://pm2.keymetrics.io/).
--- a/server/src/lib/config.ts
+++ b/server/src/lib/config.ts
@ -9,9 +9,12 @@ type Config = {
 	registration_password: string
 	welcome_content: string | undefined
 	welcome_title: string | undefined
+
+	// header auth
 	header_auth: boolean
 	header_auth_name: string | undefined
 	header_auth_role: string | undefined
+	header_auth_whitelisted_ips: string[] | undefined
 }

 type EnvironmentValue = string | undefined
@ -58,6 +61,14 @@ export const config = (env: Environment): Config => {
 		}
 	}

+	const parseArrayFromString = (str: EnvironmentValue): string[] => {
+		if (str) {
+			return str.split(",").map((s) => s.trim())
+		} else {
+			return ['127.0.0.1']
+		}
+	}
+
 	const is_production = env.NODE_ENV === "production"

 	const developmentDefault = (
@ -84,7 +95,8 @@ export const config = (env: Environment): Config => {
 		welcome_title: env.WELCOME_TITLE,
 		header_auth: stringToBoolean(env.HEADER_AUTH),
 		header_auth_name: env.HEADER_AUTH_NAME,
-		header_auth_role: env.HEADER_AUTH_ROLE
+		header_auth_role: env.HEADER_AUTH_ROLE,
+		header_auth_whitelisted_ips: parseArrayFromString(env.HEADER_AUTH_WHITELISTED_IPS)
 	}
 	return config
 }
--- a/server/src/lib/middleware/is-signed-in.ts
+++ b/server/src/lib/middleware/is-signed-in.ts
@ -21,6 +21,11 @@ export default async function isSignedIn(
 	const token = authHeader && authHeader.split(" ")[1]

 	if (config.header_auth && config.header_auth_name) {
+		if (!config.header_auth_whitelisted_ips?.includes(req.ip)) {
+			console.warn(`IP ${req.ip} is not whitelisted and tried to authenticate with header auth.`)
+			return res.sendStatus(401)
+		}
+
 		// with header auth, we assume the user is authenticated,
 		// but their user may not be created in the database yet.

@ -33,6 +38,7 @@ export default async function isSignedIn(
 				role
 			})
 			await user.save()
+			console.log(`Created user ${username} with role ${role} via header auth.`)
 		}

 		req.user = user