Enforce IP restriction
This commit is contained in:
parent
d5eee04d7a
commit
cbef5f2a78
@ -3,6 +3,7 @@ use crate::api_tokens::{Token, TokenID, TokenVerb};
|
|||||||
use crate::api_tokens;
|
use crate::api_tokens;
|
||||||
use crate::utils::jwt_utils;
|
use crate::utils::jwt_utils;
|
||||||
use crate::utils::time_utils::time;
|
use crate::utils::time_utils::time;
|
||||||
|
use actix_remote_ip::RemoteIP;
|
||||||
use actix_web::dev::Payload;
|
use actix_web::dev::Payload;
|
||||||
use actix_web::error::{ErrorBadRequest, ErrorUnauthorized};
|
use actix_web::error::{ErrorBadRequest, ErrorUnauthorized};
|
||||||
use actix_web::{Error, FromRequest, HttpRequest};
|
use actix_web::{Error, FromRequest, HttpRequest};
|
||||||
@ -28,9 +29,14 @@ impl FromRequest for ApiAuthExtractor {
|
|||||||
type Error = Error;
|
type Error = Error;
|
||||||
type Future = Pin<Box<dyn Future<Output = Result<Self, Self::Error>>>>;
|
type Future = Pin<Box<dyn Future<Output = Result<Self, Self::Error>>>>;
|
||||||
|
|
||||||
fn from_request(req: &HttpRequest, _payload: &mut Payload) -> Self::Future {
|
fn from_request(req: &HttpRequest, payload: &mut Payload) -> Self::Future {
|
||||||
let req = req.clone();
|
let req = req.clone();
|
||||||
|
|
||||||
|
let remote_ip = match RemoteIP::from_request(&req, payload).into_inner() {
|
||||||
|
Ok(ip) => ip,
|
||||||
|
Err(e) => return Box::pin(async { Err(e) }),
|
||||||
|
};
|
||||||
|
|
||||||
Box::pin(async move {
|
Box::pin(async move {
|
||||||
let (token_id, token_jwt) = match (
|
let (token_id, token_jwt) = match (
|
||||||
req.headers().get("x-token-id"),
|
req.headers().get("x-token-id"),
|
||||||
@ -118,9 +124,15 @@ impl FromRequest for ApiAuthExtractor {
|
|||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO : check for ip restriction
|
if let Some(ip) = token.ip_restriction {
|
||||||
|
if !ip.contains(remote_ip.0) {
|
||||||
// TODO : manually validate all checks
|
log::error!(
|
||||||
|
"Attempt to use a token for an unauthorized IP! {remote_ip:?} token_id={}",
|
||||||
|
token.id.0
|
||||||
|
);
|
||||||
|
return Err(ErrorUnauthorized("Token cannot be used from this IP!"));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if token.should_update_last_activity() {
|
if token.should_update_last_activity() {
|
||||||
if let Err(e) = api_tokens::refresh_last_used(token.id).await {
|
if let Err(e) = api_tokens::refresh_last_used(token.id).await {
|
||||||
|
Loading…
Reference in New Issue
Block a user