tokens: add ip restriction

2025-03-07 11:53:03 +01:00
parent 2b0fd17fbf
commit 5342dae5b3
21 changed files with 177 additions and 44 deletions
--- a/src/routes/accesscontrol.js
+++ b/src/routes/accesscontrol.js
@@ -59,10 +59,13 @@ async function tokenAuth(req, res, next) {
    if (!token) return next(new HttpError(401, 'No such token'));

    const user = await users.get(token.identifier);
-    if (!user) return next(new HttpError(401,'User not found'));
-    if (!user.active) return next(new HttpError(401,'User not active'));
+    if (!user) return next(new HttpError(401, 'User not found'));
+    if (!user.active) return next(new HttpError(401, 'User not active'));

-    await safe(tokens.update(token.id, { lastUsedTime: new Date() })); // ignore any error
+    const remoteAddress = req.headers['x-forwarded-for'] || req.socket.remoteAddress;
+    if (!tokens.isIpAllowedSync(token, remoteAddress)) return next(new HttpError(401, 'Token not allowed from this IP'));
+
+    await tokens.update(token.id, { lastUsedTime: new Date() });

    req.token = token;
    req.user = user;