diff --git a/package.json b/package.json
index 5f856d55..90e8b082 100644
--- a/package.json
+++ b/package.json
@@ -17,6 +17,7 @@
 "dotenv": "^7.0.0",
 "express": "^4.13.4",
 "express-sslify": "^1.2.0",
+ "express-ipfilter": "^1.1.2",
 "helmet": "^3.13.0",
 "heroku-logger": "^0.3.1",
 "jsep": "^0.3.4",
diff --git a/server.js b/server.js
index a848b95a..1af5d0b1 100644
--- a/server.js
+++ b/server.js
@@ -9,6 +9,7 @@ const SESSION_TIMEOUT_HOURS = process.env.SESSION_TIMEOUT_HOURS || 2;
 const express = require('express'),
 enforce = require('express-sslify'),
+ ipfilter = require('express-ipfilter').IpFilter,
 path = require('path'),
 bodyParser = require('body-parser'),
 cookieSession = require('cookie-session'),
@@ -47,6 +48,21 @@ if (process.env.FORCE_HTTPS === "true") {
 app.use(enforce.HTTPS({trustProtoHeader: true}));
 }
 
+if (process.env.IP_WHITELIST) {
+ let clientIp = function(req, res) {
+ return req.headers['x-forwarded-for'] ? (req.headers['x-forwarded-for']).split(',').pop() : ""
+ }
+ let whitelist_ips = ['::1', '127.0.0.1'].concat(process.env.IP_WHITELIST.split(','))
+ app.use(
+ ipfilter(whitelist_ips, {
+ detectIp: clientIp,
+ forbidden: 'You are not authorized to access this page.',
+ filter: whitelist_ips,
+ mode: 'allow',
+ })
+ )
+}
+
 app.set('port', process.env.PORT || 5000);
 app.use(bodyParser.urlencoded({limit: '50mb', extended: false}));
 app.use(bodyParser.json({limit: '50mb'}));
diff --git a/yarn.lock b/yarn.lock
index bdfd8ce1..e6366585 100644
--- a/yarn.lock
+++ b/yarn.lock
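Review bot: The allow-list decision in the server.js hunk at `@@ -47,6 +48,21 @@` rests on the last entry of `X-Forwarded-For`, which is only trustworthy when a proxy the app controls is guaranteed to append it; on an instance reachable without that proxy the header is client-supplied, and when it is absent `clientIp` returns `""`, so the loopback entries `::1` and `127.0.0.1` added to `whitelist_ips` can never match a local request. The `.pop()` result is also not trimmed, so a header of `a, b` yields ` b` with a leading space, and whether express-ipfilter tolerates that is not visible here. A detector that trims and falls back to the socket address avoids both problems: `return req.headers['x-forwarded-for'] ? req.headers['x-forwarded-for'].split(',').pop().trim() : req.socket.remoteAddress;`, with the list built as `process.env.IP_WHITELIST.split(',').map((ip) => ip.trim())` so spaces after commas in the variable do not silently exclude entries. Passing `whitelist_ips` both as the first argument and as `filter` is redundant, and `clientIp`/`whitelist_ips` are never reassigned, so `const` fits better than `let`.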
@@ -1473,6 +1473,16 @@ expect@^24.9.0: jest-message-util "^24.9.0" jest-regex-util "^24.9.0" +express-ipfilter@^1.1.2: + version "1.1.2" + resolved "https://registry.yarnpkg.com/express-ipfilter/-/express-ipfilter-1.1.2.tgz#536e1b8922f00df45d6da8796b02a75b1033a20f" + integrity sha512-dm1G3sVxlSbcOWSxfUTCo20ySyNQXJ4hJD5fuQJFoZlhkQvpbuDGBlh8AbFm1GwX85EWvfyhekOkvcydaXkBkg== + dependencies: + ip "~1.1.0" + lodash "^4.17.11" + proxy-addr "^2.0.4" + range_check "^1.2.0" + express-sslify@^1.2.0: version "1.2.0" resolved "https://registry.yarnpkg.com/express-sslify/-/express-sslify-1.2.0.tgz#30e84bceed1557eb187672bbe1430a0a2a100d9c" @@ -2009,6 +2019,21 @@ invariant@^2.2.4: dependencies: loose-envify "^1.0.0" +ip6@0.0.4: + version "0.0.4" + resolved "https://registry.yarnpkg.com/ip6/-/ip6-0.0.4.tgz#44c5a9db79e39d405201b4d78d13b3870e48db31" + integrity sha1-RMWp23njnUBSAbTXjROzhw5I2zE= + +ip@~1.1.0: + version "1.1.5" + resolved "https://registry.yarnpkg.com/ip/-/ip-1.1.5.tgz#bdded70114290828c0a039e72ef25f5aaec4354a" + integrity sha1-vd7XARQpCCjAoDnnLvJfWq7ENUo= + +ipaddr.js@1.2: + version "1.2.0" + resolved "https://registry.yarnpkg.com/ipaddr.js/-/ipaddr.js-1.2.0.tgz#8aba49c9192799585bdd643e0ccb50e8ae777ba4" + integrity sha1-irpJyRknmVhb3WQ+DMtQ6K53e6Q= + ipaddr.js@1.9.1: version "1.9.1" resolved "https://registry.yarnpkg.com/ipaddr.js/-/ipaddr.js-1.9.1.tgz#bff38543eeb8984825079ff3a2a8e6cbd46781b3" @@ -2805,7 +2830,7 @@ lodash@^3.10.1: resolved "https://registry.yarnpkg.com/lodash/-/lodash-3.10.1.tgz#5bf45e8e49ba4189e17d482789dfd15bd140b7b6" integrity sha1-W/Rejkm6QYnhfUgnid/RW9FAt7Y= -lodash@^4.17.19: +lodash@^4.17.11, lodash@^4.17.19: version "4.17.20" resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.20.tgz#b44a9b6297bcb698f1c51a3545a2b3b368d59c52" integrity sha512-PlhdFcillOINfeV7Ni6oF1TAEayyZBoZ8bcshTHqOYJYlrqzRK5hagpagky5o4HfCzzd1TRkXPMFq6cKk9rGmA== 
@@ -3468,7 +3493,7 @@ prompts@^2.0.1: kleur "^3.0.3" sisteransi "^1.0.4" -proxy-addr@~2.0.5: +proxy-addr@^2.0.4, proxy-addr@~2.0.5: version "2.0.6" resolved "https://registry.yarnpkg.com/proxy-addr/-/proxy-addr-2.0.6.tgz#fdc2336505447d3f2f2c638ed272caf614bbb2bf" integrity sha512-dh/frvCBVmSsDYzw6n926jv974gddhkFPfiN8hPOi30Wax25QZyZEGveluCgliBnqmuM+UJmBErbAUFIoDbjOw== @@ -3523,6 +3548,14 @@ range-parser@~1.2.1: resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.1.tgz#3cf37023d199e1c24d1a55b84800c2f3e6468031" integrity sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg== +range_check@^1.2.0: + version "1.4.0" + resolved "https://registry.yarnpkg.com/range_check/-/range_check-1.4.0.tgz#cd87c7ac62c40ba9df69b8703c604f60c3748635" + integrity sha1-zYfHrGLEC6nfabhwPGBPYMN0hjU= + dependencies: + ip6 "0.0.4" + ipaddr.js "1.2" + raw-body@2.4.0: version "2.4.0" resolved "https://registry.yarnpkg.com/raw-body/-/raw-body-2.4.0.tgz#a1ce6fb9c9bc356ca52e89256ab59059e13d0332"