borg/drone-detector
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix jwt-token

Browse Source
This commit is contained in:
Alexander Borg
2025-09-15 06:58:21 +02:00
parent 159affb113
commit 6eafcbab19
5 changed files with 103 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
server/middleware/ip-restriction.js
View File

@@ -9,6 +9,16 @@ const MultiTenantAuth = require('./multi-tenant-auth');
class IPRestrictionMiddleware {
constructor() {
this.multiAuth = new MultiTenantAuth();
this.models = null; // For dependency injection in tests
}
/**
* Set models for dependency injection (used in tests)
* @param {Object} models - Models object
*/
setModels(models) {
this.models = models;
this.multiAuth.setModels && this.multiAuth.setModels(models);
}
/**
@@ -19,7 +29,7 @@ class IPRestrictionMiddleware {
*/
isIPAllowed(clientIP, whitelist) {
if (!whitelist || !Array.isArray(whitelist) || whitelist.length === 0) {
return true; // No restrictions
return false; // Block access if no IPs are whitelisted
}
// Normalize IPv6-mapped IPv4 addresses
@@ -148,19 +158,22 @@ class IPRestrictionMiddleware {
*/
async checkIPRestriction(req, res, next) {
try {
// Ensure req.path exists
const path = req.path || req.url || '';
// Skip IP checking for health checks and internal requests
if (req.path === '/health' || req.path === '/api/health') {
if (path === '/health' || path === '/api/health') {
return next();
}
// Skip IP restrictions for management routes - they have their own access controls
if (req.path.startsWith('/api/management/')) {
console.log('🔍 IP Restriction - Skipping for management route:', req.path);
if (path.startsWith('/api/management/')) {
console.log('🔍 IP Restriction - Skipping for management route:', path);
return next();
}
// Skip IP restrictions for auth config - users need to see login form and get proper error
if (req.path === '/api/auth/config') {
if (path === '/api/auth/config') {
console.log('🔍 IP Restriction - Skipping for auth config route');
return next();
}
@@ -178,9 +191,10 @@ class IPRestrictionMiddleware {
}
// Get tenant configuration
const tenant = await Tenant.findOne({
const TenantModel = this.models ? this.models.Tenant : Tenant;
const tenant = await TenantModel.findOne({
where: { slug: tenantId },
attributes: ['id', 'slug', 'ip_restriction_enabled', 'ip_whitelist', 'ip_restriction_message', 'updated_at']
attributes: ['id', 'slug', 'ip_restrictions_enabled', 'allowed_ips', 'ip_restriction_message', 'updated_at']
});
if (!tenant) {
console.log('🔍 IP Restriction - Tenant not found in database:', tenantId);
@@ -190,13 +204,13 @@ class IPRestrictionMiddleware {
console.log('🔍 IP Restriction - Tenant config (fresh from DB):', {
id: tenant.id,
slug: tenant.slug,
ip_restriction_enabled: tenant.ip_restriction_enabled,
ip_whitelist: tenant.ip_whitelist,
ip_restrictions_enabled: tenant.ip_restrictions_enabled,
allowed_ips: tenant.allowed_ips,
updated_at: tenant.updated_at
});
// Check if IP restrictions are enabled
if (!tenant.ip_restriction_enabled) {
if (!tenant.ip_restrictions_enabled) {
console.log('🔍 IP Restriction - Restrictions disabled for tenant');
return next();
}
@@ -210,9 +224,19 @@ class IPRestrictionMiddleware {
'remote-address': req.connection.remoteAddress
});
// Parse allowed IPs (convert string to array)
let allowedIPs = [];
if (tenant.allowed_ips) {
if (Array.isArray(tenant.allowed_ips)) {
allowedIPs = tenant.allowed_ips;
} else if (typeof tenant.allowed_ips === 'string') {
allowedIPs = tenant.allowed_ips.split(',').map(ip => ip.trim()).filter(ip => ip);
}
}
// Check if IP is allowed
const isAllowed = this.isIPAllowed(clientIP, tenant.ip_whitelist);
console.log('🔍 IP Restriction - Is IP allowed:', isAllowed);
const isAllowed = this.isIPAllowed(clientIP, allowedIPs);
console.log('🔍 IP Restriction - Is IP allowed:', isAllowed, 'Allowed IPs:', allowedIPs);
if (!isAllowed) {
console.log(`🚫 IP Access Denied: ${clientIP} attempted to access tenant "${tenantId}"`);