[BE-31] Add IP Whitelist Guard for restricting admin endpoint access

[devwums]

Problem

Admin endpoints are accessible from any IP address. There is no network-level access restriction to limit exposure of admin operations.

Proposed Solution

Create backend/cntr/ip-whitelist.guard.ts — a NestJS CanActivate guard that reads ADMIN_IP_WHITELIST (comma-separated IPs) from the config, extracts the client IP from request.ip, and returns true only if the IP is in the list. If the env var is empty or unset, the guard allows all traffic (fail-open). All implementation must live inside backend/cntr/.

Acceptance Criteria

• File at backend/cntr/ip-whitelist.guard.ts
• Reads ADMIN_IP_WHITELIST (comma-separated string)
• Trims whitespace around each IP in the list
• Allows all traffic when env var is unset or empty
• Throws ForbiddenException for non-whitelisted IPs
• Unit test at backend/cntr/ip-whitelist.guard.spec.ts covering: matching IP, non-matching IP, empty whitelist

[Windowlight]

@Windowlight has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

I’m interested in this issue and believe my experience with contracts, backend systems, and frontend implementation makes me a good fit. Happy to provide updates as I work through

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Windowlight to this issue.

[JoeX17]

@JoeX17 has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hi, I’d like to work on this issue.

I’m a software engineer with strong experience in JavaScript and building scalable web applications. I’m comfortable working across the stack, writing clean, maintainable code, and collaborating in open source environments.

I’ve reviewed the issue and I’m confident I can implement a solid solution while following the project’s conventions.

Please assign this issue to me, I'd be happy to contribute.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @JoeX17 to this issue.

[drips-wave]

Congratulations, @JoeX17! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @JoeX17: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[drips-wave]

This issue has been completed by @JoeX17 as part of the Stellar Wave Program's 5th Wave 🥳

😎 @JoeX17: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here. You can also Leave a review to share your experience working on this issue.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.