Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding express-ipfilter for ip whitelist support with environment variable IP_WHITELIST #13

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Adding express-ipfilter for ip whitelist support with environment variable IP_WHITELIST #13

wants to merge 1 commit into from

Conversation

sloydsf
Copy link
Collaborator

@sloydsf sloydsf commented Oct 10, 2020

Using new package express-ipfilter.
Adding ability to define IP_WHITELIST as an environment variable.
If the variable is not defined it should not impact the existing behavior outside of requiring the module.

Example: IP_WHITELIST=1.2.3.4/32,10.0.0.0/24

@salesforce-cla
Copy link

Thanks for the contribution! It looks like @sloydsf is an internal user so signing the CLA is not required. However, we need to confirm this.

michaelhoefer
michaelhoefer suggested changes Oct 19, 2020
View reviewed changes
server.js
@@ -47,6 +48,21 @@ if (process.env.FORCE_HTTPS === "true") {
app.use(enforce.HTTPS({trustProtoHeader: true}));
}

if (process.env.IP_WHITELIST) {
let clientIp = function(req, res) {
return req.headers['x-forwarded-for'] ? (req.headers['x-forwarded-for']).split(',').pop() : ""
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should indeed work for heroku deployment, but can't validate locally well because there is no x-forwarded-for header set. I think this should change to look at the host header if x-forwarded-for is not set. And include 'localhost' in the whitelist.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, I had assumed this was Heroku only.

I'll update it to be:
if(x-forwarded-for header) return last entry in x-forwarded-for header
else use tcp/ip remote_ip

server.js
app.use(
ipfilter(whitelist_ips, {
detectIp: clientIp,
forbidden: 'You are not authorized to access this page.',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The error handling is the only tricky thing with this, and express in general. Right now this message is not displayed, but instead an internal error message is shown alone on a blank page. May need special handling for the IpDeniedError in our normal error handler.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, I the Opts object you are passing here does not match the interface given by express-ipfilter:

export interface IpFilterOptions {
  detectIp?: (request: express.Request) => Ip;
  excluding?: Route[];
  log?: boolean;
  logLevel?: 'all' | 'deny' | 'allow';
  mode?: 'deny' | 'allow';
  // `@types/proxy-addr` does not export the `trust` parameter type
  trustProxy?: any;
}

@vazexqi
Copy link

vazexqi commented Oct 19, 2020

@sloydsf - What happened to just doing the IP whitelisting on the Heroku private spaces level? Was that not the right approach?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaelhoefer michaelhoefer michaelhoefer requested changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
cla:missing
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@sloydsf @vazexqi @michaelhoefer