add whitelisting IPs

This commit is contained in:
Max Leiter 2022-05-06 21:52:51 -07:00
parent f74f7b1f1a
commit 743ca20470
No known key found for this signature in database
GPG key ID: A3512F2F2F17EBDA
3 changed files with 21 additions and 3 deletions

View file

@ -57,10 +57,10 @@ You can change these to your liking.
### For SSO ### For SSO
- `HEADER_AUTH`: if true, enables authenthication via the HTTP header specified in `HEADER_AUTH_KEY` which generally populated at the reverse-proxy level. - `HEADER_AUTH`: if true, enables authenthication via the HTTP header specified in `HEADER_AUTH_KEY` which is generally populated at the reverse-proxy level.
- `HEADER_AUTH_KEY`: if `HEADER_AUTH` is true, the header to look for the users username (like `Auth-User`) - `HEADER_AUTH_KEY`: if `HEADER_AUTH` is true, the header to look for the users username (like `Auth-User`)
- `HEADER_AUTH_ROLE`: if `HEADER_AUTH` is true, the header to look for the users role ("user" | "admin", at the moment) - `HEADER_AUTH_ROLE`: if `HEADER_AUTH` is true, the header to look for the users role ("user" | "admin", at the moment)
- `HEADER_AUTH_WHITELISTED_IPS`: comma-separated list of IPs users can access Drift from using header authentication. Defaults to '127.0.0.1'.
## Running with pm2 ## Running with pm2
It's easy to start Drift using [pm2](https://pm2.keymetrics.io/). It's easy to start Drift using [pm2](https://pm2.keymetrics.io/).

View file

@ -9,9 +9,12 @@ type Config = {
registration_password: string registration_password: string
welcome_content: string | undefined welcome_content: string | undefined
welcome_title: string | undefined welcome_title: string | undefined
// header auth
header_auth: boolean header_auth: boolean
header_auth_name: string | undefined header_auth_name: string | undefined
header_auth_role: string | undefined header_auth_role: string | undefined
header_auth_whitelisted_ips: string[] | undefined
} }
type EnvironmentValue = string | undefined type EnvironmentValue = string | undefined
@ -58,6 +61,14 @@ export const config = (env: Environment): Config => {
} }
} }
const parseArrayFromString = (str: EnvironmentValue): string[] => {
if (str) {
return str.split(",").map((s) => s.trim())
} else {
return ['127.0.0.1']
}
}
const is_production = env.NODE_ENV === "production" const is_production = env.NODE_ENV === "production"
const developmentDefault = ( const developmentDefault = (
@ -84,7 +95,8 @@ export const config = (env: Environment): Config => {
welcome_title: env.WELCOME_TITLE, welcome_title: env.WELCOME_TITLE,
header_auth: stringToBoolean(env.HEADER_AUTH), header_auth: stringToBoolean(env.HEADER_AUTH),
header_auth_name: env.HEADER_AUTH_NAME, header_auth_name: env.HEADER_AUTH_NAME,
header_auth_role: env.HEADER_AUTH_ROLE header_auth_role: env.HEADER_AUTH_ROLE,
header_auth_whitelisted_ips: parseArrayFromString(env.HEADER_AUTH_WHITELISTED_IPS)
} }
return config return config
} }

View file

@ -21,6 +21,11 @@ export default async function isSignedIn(
const token = authHeader && authHeader.split(" ")[1] const token = authHeader && authHeader.split(" ")[1]
if (config.header_auth && config.header_auth_name) { if (config.header_auth && config.header_auth_name) {
if (!config.header_auth_whitelisted_ips?.includes(req.ip)) {
console.warn(`IP ${req.ip} is not whitelisted and tried to authenticate with header auth.`)
return res.sendStatus(401)
}
// with header auth, we assume the user is authenticated, // with header auth, we assume the user is authenticated,
// but their user may not be created in the database yet. // but their user may not be created in the database yet.
@ -33,6 +38,7 @@ export default async function isSignedIn(
role role
}) })
await user.save() await user.save()
console.log(`Created user ${username} with role ${role} via header auth.`)
} }
req.user = user req.user = user