FEATURE: allow restricting API keys to a particular range

This commit is contained in:
Sam 2014-11-20 15:21:49 +11:00
parent 4aec3c8c4c
commit a9cda0f947
2 changed files with 27 additions and 2 deletions

View file

@ -107,12 +107,16 @@ class Auth::DefaultCurrentUserProvider
api_key = ApiKey.where(key: api_key_value).includes(:user).first api_key = ApiKey.where(key: api_key_value).includes(:user).first
if api_key if api_key
api_username = request["api_username"] api_username = request["api_username"]
if api_key.allowed_ips.present? && !api_key.allowed_ips.any?{|ip| ip.include?(request.ip)}
Rails.logger.warn("Unauthorized API access: #{api_username} ip address: #{request.ip}")
return nil
end
if api_key.user if api_key.user
api_key.user if !api_username || (api_key.user.username_lower == api_username.downcase) api_key.user if !api_username || (api_key.user.username_lower == api_username.downcase)
elsif api_username elsif api_username
User.find_by(username_lower: api_username.downcase) User.find_by(username_lower: api_username.downcase)
else
nil
end end
end end
end end

View file

@ -31,6 +31,27 @@ describe Auth::DefaultCurrentUserProvider do
}.to raise_error(Discourse::InvalidAccess) }.to raise_error(Discourse::InvalidAccess)
end end
it "raises for a user with a mismatching ip" do
user = Fabricate(:user)
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1, allowed_ips: ['10.0.0.0/24'])
expect{
provider("/?api_key=hello&api_username=#{user.username.downcase}", "REMOTE_ADDR" => "10.1.0.1").current_user
}.to raise_error(Discourse::InvalidAccess)
end
it "allows a user with a matching ip" do
user = Fabricate(:user)
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1, allowed_ips: ['10.0.0.0/24'])
found_user = provider("/?api_key=hello&api_username=#{user.username.downcase}",
"REMOTE_ADDR" => "10.0.0.22").current_user
found_user.id.should == user.id
end
it "finds a user for a correct system api key" do it "finds a user for a correct system api key" do
user = Fabricate(:user) user = Fabricate(:user)
ApiKey.create!(key: "hello", created_by_id: -1) ApiKey.create!(key: "hello", created_by_id: -1)