Block free mode VPN traffic

jahooma · jahooma · commit 2c94b30130f1 · 2026-04-26T15:20:55.000-07:00
diff --git a/docs/environment-variables.md b/docs/environment-variables.md
@@ -5,6 +5,7 @@
 - Public client env: `NEXT_PUBLIC_*` only, validated in `common/src/env-schema.ts` (used via `@codebuff/common/env`).
 - Server secrets: validated in `packages/internal/src/env-schema.ts` (used via `@codebuff/internal/env`).
 - Runtime/OS env: pass typed snapshots instead of reading `process.env` throughout the codebase.
+- `IPINFO_TOKEN` is required; free-mode country gating uses it to check IPinfo privacy signals for VPN/proxy/Tor/relay/hosting traffic.
 
 ## Env DI Helpers
 
diff --git a/packages/internal/src/env-schema.ts b/packages/internal/src/env-schema.ts
@@ -12,6 +12,7 @@ export const serverEnvSchema = clientEnvSchema.extend({
   LINKUP_API_KEY: z.string().min(1),
   CONTEXT7_API_KEY: z.string().optional(),
   GRAVITY_API_KEY: z.string().min(1),
+  IPINFO_TOKEN: z.string().min(1),
   // BuySellAds (Carbon) zone key used for the Freebuff waiting-room ad.
   // Optional: when unset the Carbon provider returns no ad and callers fall
   // back to their cached ads / fallback content. `CVADC53U` is the public
@@ -58,8 +59,16 @@ export const serverEnvSchema = clientEnvSchema.extend({
     .enum(['true', 'false'])
     .default('false')
     .transform((v) => v === 'true'),
-  FREEBUFF_SESSION_LENGTH_MS: z.coerce.number().int().positive().default(60 * 60 * 1000),
-  FREEBUFF_SESSION_GRACE_MS: z.coerce.number().int().nonnegative().default(30 * 60 * 1000),
+  FREEBUFF_SESSION_LENGTH_MS: z.coerce
+    .number()
+    .int()
+    .positive()
+    .default(60 * 60 * 1000),
+  FREEBUFF_SESSION_GRACE_MS: z.coerce
+    .number()
+    .int()
+    .nonnegative()
+    .default(30 * 60 * 1000),
 })
 export const serverEnvVars = serverEnvSchema.keyof().options
 export type ServerEnvVar = (typeof serverEnvVars)[number]
@@ -87,6 +96,7 @@ export const serverProcessEnv: ServerInput = {
   LINKUP_API_KEY: process.env.LINKUP_API_KEY,
   CONTEXT7_API_KEY: process.env.CONTEXT7_API_KEY,
   GRAVITY_API_KEY: process.env.GRAVITY_API_KEY,
+  IPINFO_TOKEN: process.env.IPINFO_TOKEN,
   CARBON_ZONE_KEY: process.env.CARBON_ZONE_KEY,
   PORT: process.env.PORT,
 
@@ -101,9 +111,12 @@ export const serverProcessEnv: ServerInput = {
   STRIPE_SECRET_KEY: process.env.STRIPE_SECRET_KEY,
   STRIPE_WEBHOOK_SECRET_KEY: process.env.STRIPE_WEBHOOK_SECRET_KEY,
   STRIPE_TEAM_FEE_PRICE_ID: process.env.STRIPE_TEAM_FEE_PRICE_ID,
-  STRIPE_SUBSCRIPTION_100_PRICE_ID: process.env.STRIPE_SUBSCRIPTION_100_PRICE_ID,
-  STRIPE_SUBSCRIPTION_200_PRICE_ID: process.env.STRIPE_SUBSCRIPTION_200_PRICE_ID,
-  STRIPE_SUBSCRIPTION_500_PRICE_ID: process.env.STRIPE_SUBSCRIPTION_500_PRICE_ID,
+  STRIPE_SUBSCRIPTION_100_PRICE_ID:
+    process.env.STRIPE_SUBSCRIPTION_100_PRICE_ID,
+  STRIPE_SUBSCRIPTION_200_PRICE_ID:
+    process.env.STRIPE_SUBSCRIPTION_200_PRICE_ID,
+  STRIPE_SUBSCRIPTION_500_PRICE_ID:
+    process.env.STRIPE_SUBSCRIPTION_500_PRICE_ID,
   LOOPS_API_KEY: process.env.LOOPS_API_KEY,
   DISCORD_PUBLIC_KEY: process.env.DISCORD_PUBLIC_KEY,
   DISCORD_BOT_TOKEN: process.env.DISCORD_BOT_TOKEN,
diff --git a/packages/internal/src/env.ts b/packages/internal/src/env.ts
@@ -3,19 +3,23 @@ import { serverEnvSchema, serverProcessEnv } from './env-schema'
 // Only provide safe defaults in CI to avoid schema failures during tests
 // In local dev, missing env vars should fail fast so devs know to configure them
 const isCI = process.env.CI === 'true' || process.env.CI === '1'
+const envInput = { ...serverProcessEnv }
 
 if (isCI) {
   const ensureEnvDefault = (key: string, value: string) => {
     if (!process.env[key]) {
       process.env[key] = value
     }
+    envInput[key as keyof typeof envInput] = process.env[key]
   }
 
   ensureEnvDefault('OPEN_ROUTER_API_KEY', 'test')
   ensureEnvDefault('OPENAI_API_KEY', 'test')
   ensureEnvDefault('ANTHROPIC_API_KEY', 'test')
+  ensureEnvDefault('FIREWORKS_API_KEY', 'test')
   ensureEnvDefault('LINKUP_API_KEY', 'test')
   ensureEnvDefault('GRAVITY_API_KEY', 'test')
+  ensureEnvDefault('IPINFO_TOKEN', 'test')
   ensureEnvDefault('PORT', '4242')
   ensureEnvDefault('DATABASE_URL', 'postgres://user:pass@localhost:5432/db')
   ensureEnvDefault('CODEBUFF_GITHUB_ID', 'test-id')
@@ -26,6 +30,9 @@ if (isCI) {
   ensureEnvDefault('STRIPE_SECRET_KEY', 'sk_test_dummy')
   ensureEnvDefault('STRIPE_WEBHOOK_SECRET_KEY', 'whsec_dummy')
   ensureEnvDefault('STRIPE_TEAM_FEE_PRICE_ID', 'price_test')
+  ensureEnvDefault('STRIPE_SUBSCRIPTION_100_PRICE_ID', 'price_test_100')
+  ensureEnvDefault('STRIPE_SUBSCRIPTION_200_PRICE_ID', 'price_test_200')
+  ensureEnvDefault('STRIPE_SUBSCRIPTION_500_PRICE_ID', 'price_test_500')
   ensureEnvDefault('LOOPS_API_KEY', 'test')
   ensureEnvDefault('DISCORD_PUBLIC_KEY', 'test')
   ensureEnvDefault('DISCORD_BOT_TOKEN', 'test')
@@ -46,4 +53,4 @@ if (process.env.NEXT_PUBLIC_CB_ENVIRONMENT !== 'prod') {
   }
 }
 
-export const env = serverEnvSchema.parse(serverProcessEnv)
+export const env = serverEnvSchema.parse(envInput)
diff --git a/web/src/app/api/v1/chat/completions/_post.ts b/web/src/app/api/v1/chat/completions/_post.ts
@@ -256,14 +256,18 @@ export async function postChatCompletions(params: {
 
     // For free mode requests, require a resolved allowlisted country.
     if (isFreeModeRequest) {
-      const countryAccess = getFreeModeCountryAccess(req)
+      const countryAccess = await getFreeModeCountryAccess(req, {
+        fetch,
+        ipinfoToken: env.IPINFO_TOKEN,
+      })
 
       logger.info(
         {
           cfHeader: countryAccess.cfCountry,
           geoipResult: countryAccess.geoipCountry,
           resolvedCountry: countryAccess.countryCode,
           countryBlockReason: countryAccess.blockReason,
+          ipPrivacySignals: countryAccess.ipPrivacy?.signals,
           clientIp: countryAccess.hasClientIp ? '[redacted]' : undefined,
         },
         'Free mode country detection',
@@ -277,6 +281,7 @@ export async function postChatCompletions(params: {
             error: 'free_mode_not_available_in_country',
             countryCode: countryAccess.countryCode,
             countryBlockReason: countryAccess.blockReason,
+            ipPrivacySignals: countryAccess.ipPrivacy?.signals,
             clientIp: countryAccess.hasClientIp ? '[redacted]' : undefined,
           },
           logger,
diff --git a/web/src/app/api/v1/freebuff/session/_handlers.ts b/web/src/app/api/v1/freebuff/session/_handlers.ts
@@ -1,4 +1,5 @@
 import { NextResponse } from 'next/server'
+import { env } from '@codebuff/internal/env'
 
 import {
   endUserSession,
@@ -22,8 +23,13 @@ import type { NextRequest } from 'next/server'
  *  `country_blocked` status and would tight-poll on an unrecognized 200
  *  body — fall into their existing `!resp.ok` error path and back off on
  *  the 10s error retry cadence. The new CLI parses the 403 body directly. */
-function countryBlockedResponse(req: NextRequest): NextResponse | null {
-  const countryAccess = getFreeModeCountryAccess(req)
+async function countryBlockedResponse(
+  req: NextRequest,
+  deps: FreebuffSessionDeps,
+): Promise<NextResponse | null> {
+  const countryAccess = await getFreeModeCountryAccess(req, {
+    ipinfoToken: env.IPINFO_TOKEN,
+  })
   if (countryAccess.allowed) return null
   return NextResponse.json(
     {
@@ -126,7 +132,7 @@ export async function postFreebuffSession(
   const auth = await resolveUser(req, deps)
   if ('error' in auth) return auth.error
 
-  const blocked = countryBlockedResponse(req)
+  const blocked = await countryBlockedResponse(req, deps)
   if (blocked) return blocked
 
   const requestedModel = req.headers.get(FREEBUFF_MODEL_HEADER) ?? ''
@@ -170,7 +176,7 @@ export async function getFreebuffSession(
   const auth = await resolveUser(req, deps)
   if ('error' in auth) return auth.error
 
-  const blocked = countryBlockedResponse(req)
+  const blocked = await countryBlockedResponse(req, deps)
   if (blocked) return blocked
 
   try {
diff --git a/web/src/app/api/v1/freebuff/session/route.ts b/web/src/app/api/v1/freebuff/session/route.ts
@@ -9,12 +9,17 @@ import { logger } from '@/util/logger'
 
 import type { NextRequest } from 'next/server'
 
+const freebuffSessionDeps = {
+  getUserInfoFromApiKey,
+  logger,
+}
+
 export async function GET(req: NextRequest) {
-  return getFreebuffSession(req, { getUserInfoFromApiKey, logger })
+  return getFreebuffSession(req, freebuffSessionDeps)
 }
 
 export async function POST(req: NextRequest) {
-  return postFreebuffSession(req, { getUserInfoFromApiKey, logger })
+  return postFreebuffSession(req, freebuffSessionDeps)
 }
 
 export async function DELETE(req: NextRequest) {
diff --git a/web/src/server/__tests__/free-mode-country.test.ts b/web/src/server/__tests__/free-mode-country.test.ts
@@ -1,45 +1,136 @@
 import { describe, expect, test } from 'bun:test'
 import { NextRequest } from 'next/server'
 
-import { getFreeModeCountryAccess } from '../free-mode-country'
+import {
+  getFreeModeCountryAccess,
+  lookupIpinfoPrivacy,
+} from '../free-mode-country'
 
 function makeReq(headers: Record<string, string> = {}): NextRequest {
   return new NextRequest('http://localhost:3000/api/v1/chat/completions', {
     headers,
   })
 }
 
+const noAnonymousNetwork = {
+  ipinfoToken: 'test-token',
+  lookupIpPrivacy: async () => ({ signals: [] }),
+}
+
 describe('free mode country access', () => {
-  test('allows allowlisted Cloudflare countries', () => {
-    const access = getFreeModeCountryAccess(makeReq({ 'cf-ipcountry': 'us' }))
+  test('allows allowlisted Cloudflare countries', async () => {
+    const access = await getFreeModeCountryAccess(
+      makeReq({ 'cf-ipcountry': 'us' }),
+      noAnonymousNetwork,
+    )
     expect(access.allowed).toBe(true)
     expect(access.countryCode).toBe('US')
     expect(access.blockReason).toBe(null)
   })
 
-  test('blocks countries outside the allowlist', () => {
-    const access = getFreeModeCountryAccess(makeReq({ 'cf-ipcountry': 'FR' }))
+  test('blocks countries outside the allowlist', async () => {
+    const access = await getFreeModeCountryAccess(
+      makeReq({ 'cf-ipcountry': 'FR' }),
+      noAnonymousNetwork,
+    )
     expect(access.allowed).toBe(false)
     expect(access.countryCode).toBe('FR')
     expect(access.blockReason).toBe('country_not_allowed')
   })
 
-  test('blocks anonymized Cloudflare country codes without falling back to IP geo', () => {
-    const access = getFreeModeCountryAccess(
+  test('blocks anonymized Cloudflare country codes without falling back to IP geo', async () => {
+    const access = await getFreeModeCountryAccess(
       makeReq({
         'cf-ipcountry': 'T1',
         'x-forwarded-for': '8.8.8.8',
       }),
+      noAnonymousNetwork,
     )
     expect(access.allowed).toBe(false)
     expect(access.countryCode).toBe(null)
     expect(access.blockReason).toBe('anonymized_or_unknown_country')
   })
 
-  test('blocks missing client location as unknown', () => {
-    const access = getFreeModeCountryAccess(makeReq())
+  test('blocks missing client location as unknown', async () => {
+    const access = await getFreeModeCountryAccess(makeReq(), noAnonymousNetwork)
     expect(access.allowed).toBe(false)
     expect(access.countryCode).toBe(null)
     expect(access.blockReason).toBe('missing_client_ip')
   })
+
+  test('blocks allowlisted countries when the client IP is an anonymous network', async () => {
+    const access = await getFreeModeCountryAccess(
+      makeReq({
+        'cf-ipcountry': 'US',
+        'x-forwarded-for': '203.0.113.10',
+      }),
+      {
+        ipinfoToken: 'test-token',
+        lookupIpPrivacy: async () => ({
+          signals: ['vpn'],
+        }),
+      },
+    )
+    expect(access.allowed).toBe(false)
+    expect(access.countryCode).toBe('US')
+    expect(access.blockReason).toBe('anonymous_network')
+    expect(access.ipPrivacy?.signals).toEqual(['vpn'])
+  })
+
+  test('allows allowlisted countries when privacy lookup finds no anonymous signals', async () => {
+    const access = await getFreeModeCountryAccess(
+      makeReq({
+        'cf-ipcountry': 'US',
+        'x-forwarded-for': '203.0.113.10',
+      }),
+      {
+        ipinfoToken: 'test-token',
+        lookupIpPrivacy: async () => ({
+          signals: [],
+        }),
+      },
+    )
+    expect(access.allowed).toBe(true)
+    expect(access.blockReason).toBe(null)
+  })
+
+  test('allows allowlisted countries when privacy lookup fails', async () => {
+    const access = await getFreeModeCountryAccess(
+      makeReq({
+        'cf-ipcountry': 'US',
+        'x-forwarded-for': '203.0.113.10',
+      }),
+      {
+        ipinfoToken: 'test-token',
+        lookupIpPrivacy: async () => {
+          throw new Error('provider unavailable')
+        },
+      },
+    )
+    expect(access.allowed).toBe(true)
+    expect(access.blockReason).toBe(null)
+    expect(access.ipPrivacy).toBe(null)
+  })
+
+  test('parses IPinfo privacy signals', async () => {
+    const fetch = async () =>
+      Response.json({
+        vpn: true,
+        proxy: false,
+        tor: true,
+        relay: false,
+        hosting: true,
+        service: 'Example VPN',
+      })
+
+    const privacy = await lookupIpinfoPrivacy({
+      ip: '203.0.113.10',
+      token: 'test-token',
+      fetch: fetch as unknown as typeof globalThis.fetch,
+    })
+
+    expect(privacy).toEqual({
+      signals: ['vpn', 'tor', 'hosting', 'service'],
+    })
+  })
 })
diff --git a/web/src/server/free-mode-country.ts b/web/src/server/free-mode-country.ts
