add whitelisting IPs

2022-05-06 21:52:51 -07:00 · 2022-05-06 21:52:51 -07:00 · 743ca20470
commit 743ca20470
parent f74f7b1f1a
3 changed files with 21 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -57,10 +57,10 @@ You can change these to your liking.
 ### For SSO
- `HEADER_AUTH`: if true, enables authenthication via the HTTP header specified in `HEADER_AUTH_KEY` which generally populated at the reverse-proxy level.
+- `HEADER_AUTH`: if true, enables authenthication via the HTTP header specified in `HEADER_AUTH_KEY` which is generally populated at the reverse-proxy level.
 - `HEADER_AUTH_KEY`: if `HEADER_AUTH` is true, the header to look for the users username (like `Auth-User`)
 - `HEADER_AUTH_ROLE`: if `HEADER_AUTH` is true, the header to look for the users role ("user" | "admin", at the moment)
-
+- `HEADER_AUTH_WHITELISTED_IPS`: comma-separated list of IPs users can access Drift from using header authentication. Defaults to '127.0.0.1'. 
 ## Running with pm2
 It's easy to start Drift using [pm2](https://pm2.keymetrics.io/).
--- a/server/src/lib/config.ts
+++ b/server/src/lib/config.ts
@ -9,9 +9,12 @@ type Config = {
 	registration_password: string
 	welcome_content: string | undefined
 	welcome_title: string | undefined
 	// header auth
 	header_auth: boolean
 	header_auth_name: string | undefined
 	header_auth_role: string | undefined
 	header_auth_whitelisted_ips: string[] | undefined
 }
 type EnvironmentValue = string | undefined
@ -58,6 +61,14 @@ export const config = (env: Environment): Config => {
 		}
 	}
 	const parseArrayFromString = (str: EnvironmentValue): string[] => {
 		if (str) {
 			return str.split(",").map((s) => s.trim())
 		} else {
 			return ['127.0.0.1']
 		}
 	}
 	const is_production = env.NODE_ENV === "production"
 	const developmentDefault = (
@ -84,7 +95,8 @@ export const config = (env: Environment): Config => {
 		welcome_title: env.WELCOME_TITLE,
 		header_auth: stringToBoolean(env.HEADER_AUTH),
 		header_auth_name: env.HEADER_AUTH_NAME,
-		header_auth_role: env.HEADER_AUTH_ROLE
+		header_auth_role: env.HEADER_AUTH_ROLE,
 		header_auth_whitelisted_ips: parseArrayFromString(env.HEADER_AUTH_WHITELISTED_IPS)
 	}
 	return config
 }
--- a/server/src/lib/middleware/is-signed-in.ts
+++ b/server/src/lib/middleware/is-signed-in.ts
@ -21,6 +21,11 @@ export default async function isSignedIn(
 	const token = authHeader && authHeader.split(" ")[1]
 	if (config.header_auth && config.header_auth_name) {
 		if (!config.header_auth_whitelisted_ips?.includes(req.ip)) {
 			console.warn(`IP ${req.ip} is not whitelisted and tried to authenticate with header auth.`)
 			return res.sendStatus(401)
 		}
 		// with header auth, we assume the user is authenticated,
 		// but their user may not be created in the database yet.
@ -33,6 +38,7 @@ export default async function isSignedIn(
 				role
 			})
 			await user.save()
 			console.log(`Created user ${username} with role ${role} via header auth.`)
 		}
 		req.user = user