Feature #1377

API: IP restrictions

Added by Alexander Watzinger 2 months ago. Updated 5 days ago.

Status: Closed
Priority: Low
Category: API
Target version:
Start date: 2020-10-03
Estimated time:

Description

Although it doesn't solve the issue for JavaScript frontends (#1233), it could be useful for other scenarios, e.g. for THANADOS, which doesn't want all data public but uses a Flask frontend.

Implementation details
  • Overrides the public (off) option
  • localhost should always be accepted (for use in the backend)
  • Multiple IPs are possible
  • Can be configured in instance/production.py

Related issues

Related to Feature #1233: API: External Authentication (Assigned, 2020-05-10)

History

#1

Updated by Bernhard Koschicek about 2 months ago

  • Target version changed from API to 5.8.0

#2

Updated by Bernhard Koschicek about 1 month ago

  • Target version changed from 5.8.0 to 5.7.0
  • Assignee changed from Bernhard Koschicek to Alexander Watzinger
  • Status changed from Acknowledged to In Progress

On develop the new feature is available. It is a decorator @check_ip, which checks the incoming IP against a list of IPs in app.config['ALLOWED_IPS']. I added it to every /api/ path.

Only logged in users can access the API or clients with the IP on the whitelist. I tested localhost locally, there it works.

I think my part is done.

#3

Updated by Bernhard Koschicek about 1 month ago

  • Target version changed from 5.7.0 to 5.8.0

#4

Updated by Bernhard Koschicek about 1 month ago

#5

Updated by Alexander Watzinger about 1 month ago

  • Target version changed from 5.8.0 to 5.7.0
  • Status changed from In Progress to Closed
  • Description updated (diff)

Thank you Berni for preparing, there were multiple issues:

Already fixed

  • IP should have overwritten the public off option but not the public on option, maybe I should have communicated that more clearly
  • Since I don't think we need two access functions, I merged them. But I wasn't sure why they weren't always called together, so I hope I didn't miss something
  • I noticed some inconsistency with orders of wrappers, this can matter so better watch out there
  • I changed the error msg in api_access to "'Access denied!'" but not sure if we haven't already talked about this and there was a reason for this

Not fixed

  • Configuration is still in default.py, I'll change that in one go if I move other stuff too
  • Code coverage is now missing for 403 because localhost is always allowed, but we wanted to look at tests anyway, so I left it for now

I hope I didn't miss or break something on my part. It's all pushed in develop and online at the 2 frontends. Thanks again and see you soon.
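The access rule this ticket arrives at in comments #2 and #5 (public on, then login, then loopback or allow-listed IP, otherwise 403), as an added example that is not the project's code. It goes slightly beyond the ticket by accepting CIDR ranges and IPv4-mapped IPv6 peers; `restrict_api`, `get_client`, `API_PUBLIC` and the sample addresses are assumptions, and in Flask `get_client` would read `request.remote_addr`.

```python
import ipaddress
from functools import wraps

# Constructed sample config. ALLOWED_IPS is the key named in the ticket;
# API_PUBLIC is a hypothetical name for the "public" option.
CONFIG = {"API_PUBLIC": False, "ALLOWED_IPS": ["192.0.2.10", "2001:db8::/64"]}


def ip_allowed(remote_addr, allowed_ips):
    """True for loopback or an address covered by an allow-list entry."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # missing or malformed address: fail closed
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them
    # so they match IPv4 entries and the loopback rule.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    if ip.is_loopback:
        # Caveat: behind a reverse proxy on the same host every peer is
        # loopback, so pass the proxy-resolved client address instead.
        return True
    return any(ip in ipaddress.ip_network(e, strict=False) for e in allowed_ips)


def access_allowed(remote_addr, logged_in, config):
    """Decision order from the ticket: public on, then login, then IP."""
    if config.get("API_PUBLIC"):
        return True  # the allow-list overrides "public off" only
    return logged_in or ip_allowed(remote_addr, config.get("ALLOWED_IPS", []))


def restrict_api(get_client, config=CONFIG):
    """Decorator factory; get_client() returns (remote_addr, logged_in)."""
    def decorator(view):
        @wraps(view)
        def wrapper(*args, **kwargs):
            remote_addr, logged_in = get_client()
            if not access_allowed(remote_addr, logged_in, config):
                return "Access denied!", 403
            return view(*args, **kwargs)
        return wrapper
    return decorator
```

Passing a non-loopback address that is not on the list is what exercises the 403 branch that comment #5 reports as uncovered.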

#6

Updated by Alexander Watzinger 5 days ago

  • Target version changed from 5.7.0 to 5.6.0
