security: remove hardcoded whitelist IP
Move extra whitelist IPs to CC_WEB_IP_WHITELIST env var to avoid committing public IPs.
This commit is contained in:
27
server.js
27
server.js
@@ -437,14 +437,27 @@ const activeTokens = new Set();
|
|||||||
const AUTH_FAIL_WINDOW = 5 * 60 * 1000; // 5 minutes
|
const AUTH_FAIL_WINDOW = 5 * 60 * 1000; // 5 minutes
|
||||||
const AUTH_FAIL_MAX = 3;
|
const AUTH_FAIL_MAX = 3;
|
||||||
const authFailures = new Map(); // ip -> [timestamp, ...]
|
const authFailures = new Map(); // ip -> [timestamp, ...]
|
||||||
let bannedIPs = new Set();
|
let bannedIPs = new Set();
|
||||||
|
|
||||||
// Tailscale / loopback whitelist — never ban these IPs
|
// Tailscale / loopback whitelist — never ban these IPs.
|
||||||
function isWhitelistedIP(ip) {
|
// Extra whitelist can be provided via env var (comma/space separated):
|
||||||
if (!ip) return false;
|
// CC_WEB_IP_WHITELIST="<ip1>,<ip2>"
|
||||||
const cleaned = ip.replace(/^::ffff:/, '');
|
const EXTRA_WHITELIST_IPS = new Set(
|
||||||
return cleaned === '127.0.0.1' || cleaned === '::1' || cleaned.startsWith('100.') || cleaned === '';
|
String(process.env.CC_WEB_IP_WHITELIST || '')
|
||||||
}
|
.split(/[\s,]+/)
|
||||||
|
.map(s => s.trim())
|
||||||
|
.filter(Boolean)
|
||||||
|
.map(s => s.replace(/^::ffff:/, ''))
|
||||||
|
);
|
||||||
|
|
||||||
|
function isWhitelistedIP(ip) {
|
||||||
|
if (!ip) return false;
|
||||||
|
const cleaned = ip.replace(/^::ffff:/, '');
|
||||||
|
return cleaned === '127.0.0.1'
|
||||||
|
|| cleaned === '::1'
|
||||||
|
|| cleaned.startsWith('100.')
|
||||||
|
|| EXTRA_WHITELIST_IPS.has(cleaned);
|
||||||
|
}
|
||||||
|
|
||||||
function loadBannedIPs() {
|
function loadBannedIPs() {
|
||||||
try {
|
try {
|
||||||
|
|||||||
Reference in New Issue
Block a user