add whitelisting IPs
This commit is contained in:
parent
f74f7b1f1a
commit
743ca20470
3 changed files with 21 additions and 3 deletions
|
@ -57,10 +57,10 @@ You can change these to your liking.
|
|||
|
||||
### For SSO
|
||||
|
||||
- `HEADER_AUTH`: if true, enables authenthication via the HTTP header specified in `HEADER_AUTH_KEY` which generally populated at the reverse-proxy level.
|
||||
- `HEADER_AUTH`: if true, enables authenthication via the HTTP header specified in `HEADER_AUTH_KEY` which is generally populated at the reverse-proxy level.
|
||||
- `HEADER_AUTH_KEY`: if `HEADER_AUTH` is true, the header to look for the users username (like `Auth-User`)
|
||||
- `HEADER_AUTH_ROLE`: if `HEADER_AUTH` is true, the header to look for the users role ("user" | "admin", at the moment)
|
||||
|
||||
- `HEADER_AUTH_WHITELISTED_IPS`: comma-separated list of IPs users can access Drift from using header authentication. Defaults to '127.0.0.1'.
|
||||
## Running with pm2
|
||||
|
||||
It's easy to start Drift using [pm2](https://pm2.keymetrics.io/).
|
||||
@ -9,9 +9,12 @@ type Config = {
|
|||
registration_password: string
|
||||
welcome_content: string | undefined
|
||||
welcome_title: string | undefined
|
||||
|
||||
// header auth
|
||||
header_auth: boolean
|
||||
header_auth_name: string | undefined
|
||||
header_auth_role: string | undefined
|
||||
header_auth_whitelisted_ips: string[] | undefined
|
||||
}
|
||||
|
||||
type EnvironmentValue = string | undefined
|
||||
|
@ -58,6 +61,14 @@ export const config = (env: Environment): Config => {
|
|||
}
|
||||
}
|
||||
|
||||
const parseArrayFromString = (str: EnvironmentValue): string[] => {
|
||||
if (str) {
|
||||
return str.split(",").map((s) => s.trim())
|
||||
} else {
|
||||
return ['127.0.0.1']
|
||||
}
|
||||
}
|
||||
|
||||
const is_production = env.NODE_ENV === "production"
|
||||
|
||||
const developmentDefault = (
|
||||
|
@ -84,7 +95,8 @@ export const config = (env: Environment): Config => {
|
|||
welcome_title: env.WELCOME_TITLE,
|
||||
header_auth: stringToBoolean(env.HEADER_AUTH),
|
||||
header_auth_name: env.HEADER_AUTH_NAME,
|
||||
header_auth_role: env.HEADER_AUTH_ROLE
|
||||
header_auth_role: env.HEADER_AUTH_ROLE,
|
||||
header_auth_whitelisted_ips: parseArrayFromString(env.HEADER_AUTH_WHITELISTED_IPS)
|
||||
}
|
||||
return config
|
||||
}
|
||||
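Review bot: parseArrayFromString in the second hunk of this file keeps empty entries: a value such as `"10.0.0.1,"` or `"a,,b"` yields `""` elements after trimming, and a string consisting only of commas produces a list with no usable address, so a mis-set variable denies every header-auth request without any hint of why. Drop blanks before returning, `return str.split(",").map((s) => s.trim()).filter((s) => s.length > 0)`, and fall back to the default when nothing remains. Because the helper always returns an array, the field added in the first hunk, `header_auth_whitelisted_ips: string[] | undefined`, could be narrowed to `string[]`, which also makes optional chaining at the call site unnecessary. A one-line comment on the helper would help readers, e.g. `// Splits a comma-separated env value into trimmed entries; defaults to loopback when unset.`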
@ -21,6 +21,11 @@ export default async function isSignedIn(
|
|||
const token = authHeader && authHeader.split(" ")[1]
|
||||
|
||||
if (config.header_auth && config.header_auth_name) {
|
||||
if (!config.header_auth_whitelisted_ips?.includes(req.ip)) {
|
||||
console.warn(`IP ${req.ip} is not whitelisted and tried to authenticate with header auth.`)
|
||||
return res.sendStatus(401)
|
||||
}
|
||||
|
||||
// with header auth, we assume the user is authenticated,
|
||||
// but their user may not be created in the database yet.
|
||||
|
||||
|
@ -33,6 +38,7 @@ export default async function isSignedIn(
|
|||
role
|
||||
})
|
||||
await user.save()
|
||||
console.log(`Created user ${username} with role ${role} via header auth.`)
|
||||
}
|
||||
|
||||
req.user = user
|
||||
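Review bot: The whitelist check at the top of the first hunk compares `req.ip` literally, so the shipped default of `'127.0.0.1'` will not match a loopback connection that the framework (presumably Express, given `res.sendStatus`) reports as `::1` or `::ffff:127.0.0.1`, and the feature then fails closed for the documented default setup. Normalize before comparing, e.g. `const clientIp = req.ip.startsWith("::ffff:") ? req.ip.slice(7) : req.ip` followed by `if (!config.header_auth_whitelisted_ips?.includes(clientIp)) {`, or include `::1` in the default list. Separately, what `req.ip` holds depends on the app's `trust proxy` setting, which is not visible here: without it the value is the reverse proxy's own address, and with it the value is derived from forwarded headers, so the whitelist is only as reliable as the proxy's handling of those headers; a short comment next to the check stating that assumption would save the next maintainer a surprise. isSignedIn starts before this hunk and its body continues after it.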