From 743ca20470bedb1b9a26f7ec5793eda2f4aa8d80 Mon Sep 17 00:00:00 2001
From: Max Leiter
Date: Fri, 6 May 2022 21:52:51 -0700
Subject: [PATCH] add whitelisting IPs
---
 README.md | 4 ++--
 server/src/lib/config.ts | 14 +++++++++++++-
 server/src/lib/middleware/is-signed-in.ts | 6 ++++++
 3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index b088fc7f..c19c6a1c 100644
--- a/README.md
+++ b/README.md
@@ -57,10 +57,10 @@ You can change these to your liking.
 ### For SSO
-- `HEADER_AUTH`: if true, enables authenthication via the HTTP header specified in `HEADER_AUTH_KEY` which generally populated at the reverse-proxy level.
+- `HEADER_AUTH`: if true, enables authenthication via the HTTP header specified in `HEADER_AUTH_KEY` which is generally populated at the reverse-proxy level.
 - `HEADER_AUTH_KEY`: if `HEADER_AUTH` is true, the header to look for the users username (like `Auth-User`)
 - `HEADER_AUTH_ROLE`: if `HEADER_AUTH` is true, the header to look for the users role ("user" | "admin", at the moment)
-
+- `HEADER_AUTH_WHITELISTED_IPS`: comma-separated list of IPs users can access Drift from using header authentication. Defaults to '127.0.0.1'.
 ## Running with pm2
 It's easy to start Drift using [pm2](https://pm2.keymetrics.io/).
diff --git a/server/src/lib/config.ts b/server/src/lib/config.ts
index 46b6241d..c5fdd913 100644
--- a/server/src/lib/config.ts
+++ b/server/src/lib/config.ts
@@ -9,9 +9,12 @@ type Config = {
 registration_password: string
 welcome_content: string | undefined
 welcome_title: string | undefined
+
+ // header auth
 header_auth: boolean
 header_auth_name: string | undefined
 header_auth_role: string | undefined
+ header_auth_whitelisted_ips: string[] | undefined
 }
 type EnvironmentValue = string | undefined
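Review bot: The new `header_auth_whitelisted_ips: string[] | undefined` member is wider than the value this commit assigns to it, because the parser added in the same file always returns an array (the `'127.0.0.1'` fallback when the variable is unset), so the `| undefined` is never true and only forces optional chaining at the use site in the middleware. Narrow it to `header_auth_whitelisted_ips: string[]` so consumers can rely on the default list being present. The `// header auth` group comment would also help a reader more if it named the trust boundary, e.g. `// header auth: identity asserted by the reverse proxy; whitelisted_ips limits which peers may assert it`. The Config type opens in the hunk header context, outside the hunk.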
@@ -58,6 +61,14 @@ export const config = (env: Environment): Config => {
 }
 }
+ const parseArrayFromString = (str: EnvironmentValue): string[] => {
+ if (str) {
+ return str.split(",").map((s) => s.trim())
+ } else {
+ return ['127.0.0.1']
+ }
+ }
+
 const is_production = env.NODE_ENV === "production"
 const developmentDefault = (
@@ -84,7 +95,8 @@ export const config = (env: Environment): Config => {
 welcome_title: env.WELCOME_TITLE,
 header_auth: stringToBoolean(env.HEADER_AUTH),
 header_auth_name: env.HEADER_AUTH_NAME,
- header_auth_role: env.HEADER_AUTH_ROLE
+ header_auth_role: env.HEADER_AUTH_ROLE,
+ header_auth_whitelisted_ips: parseArrayFromString(env.HEADER_AUTH_WHITELISTED_IPS)
 }
 return config
 }
diff --git a/server/src/lib/middleware/is-signed-in.ts b/server/src/lib/middleware/is-signed-in.ts
index 0d408de4..7e2f0816 100644
--- a/server/src/lib/middleware/is-signed-in.ts
+++ b/server/src/lib/middleware/is-signed-in.ts
@@ -21,6 +21,11 @@ export default async function isSignedIn(
 const token = authHeader && authHeader.split(" ")[1]
 if (config.header_auth && config.header_auth_name) {
+ if (!config.header_auth_whitelisted_ips?.includes(req.ip)) {
+ console.warn(`IP ${req.ip} is not whitelisted and tried to authenticate with header auth.`)
+ return res.sendStatus(401)
+ }
+
 // with header auth, we assume the user is authenticated,
 // but their user may not be created in the database yet.
@@ -33,6 +38,7 @@ export default async function isSignedIn(
 role
 })
 await user.save()
+ console.log(`Created user ${username} with role ${role} via header auth.`)
 }
 req.user = user
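Review bot: `parseArrayFromString` keeps empty entries: a trailing or doubled comma in `HEADER_AUTH_WHITELISTED_IPS` yields `""` elements after `trim()`, and a whitespace-only value is truthy, so it yields `[""]` instead of the documented `127.0.0.1` default. An empty string never equals an address, so this fails closed, but it silently turns a misconfigured variable into "nobody can use header auth" rather than applying the fallback. Drop blanks and fall back only when nothing remains: `const ips = str?.split(",").map((s) => s.trim()).filter((s) => s.length > 0) ?? []` followed by `return ips.length > 0 ? ips : ["127.0.0.1"]`. The helper is also named generically while hard-coding a header-auth-specific default and uses single quotes where the rest of the hunk uses double; a name such as `parseIpList` with the fallback as a parameter would read more honestly. The enclosing `config` function opens in the hunk header context and continues past the hunk.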
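Review bot: The added whitelist check compares `req.ip` to the configured strings by exact equality, and `req.ip` is only a trustworthy peer address if Express's `trust proxy` setting matches the deployment, which is not visible here: with it unset the value is the reverse proxy's own address, and with it set too broadly the value is taken from a client-supplied `X-Forwarded-For`. Separately, on a dual-stack listener Node reports IPv4 peers as `::ffff:127.0.0.1`, so the documented `127.0.0.1` default can reject the local proxy even when everything else is correct. Since this check decides who may assert identity through headers, normalize the address before comparing and record the assumption: `// req.ip honours Express "trust proxy"; configure it to match the reverse proxy so this value is not client-controlled`, then `const ip = req.ip.startsWith("::ffff:") ? req.ip.slice("::ffff:".length) : req.ip` and `if (!config.header_auth_whitelisted_ips?.includes(ip)) {`. The enclosing `isSignedIn` opens in the hunk header context and continues past the hunk.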
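Review bot: The new audit line for an auto-created user omits the peer address that the whitelist check earlier in the same function already logs, so the two events cannot be correlated when more than one proxy is whitelisted. Append `from ${req.ip}` to the template string so the creation record carries the same key as the rejection record. The enclosing `isSignedIn` continues past the hunk.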