Add optional IP whitelisting for API Keys #1

@johanstokking

Summary:

Add a whitelist of IP address ranges to API keys.

Why do we need this?

API keys can be quite sensitive, especially considering that they do not expire. A whitelist of IP address ranges that are allowed to use a specific API key could improve security.

What is already there? What do you see now?

Components query the Identity Server for the rights that an API key gives the caller.

What is missing? What do you want to see?

  1. A field with IP address ranges in the API key.
  2. Components should include the caller's IP address when requesting rights info.

How do you propose to implement this?

  • Add a list of IP ranges (prefixes) to the APIKey model
  • We can use the X-Forwarded-For header, but that means that this header needs to be forwarded by the rights hook.
  • After the IS fetches the API key from the DB, it can first check the IP ranges, so that we don't have to hash the key if the IP address already doesn't match.

Original issue: https://github.com/TheThingsIndustries/lorawan-stack/issues/86 by @romeovs
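
One way to implement the check proposed above, as an added example that is not part of the original issue or the project's code. The names `APIKey.AllowedPrefixes`, `CallerIP`, `Authorize` and the trusted-proxy list are hypothetical, and the peer address is assumed to be already parsed without its port.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// APIKey is a hypothetical model; an empty AllowedPrefixes means no restriction.
type APIKey struct{ AllowedPrefixes []netip.Prefix }

func contains(ps []netip.Prefix, a netip.Addr) bool {
	for _, p := range ps {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// CallerIP walks X-Forwarded-For right to left past trusted proxies; entries further left are client-controlled.
func CallerIP(remote netip.Addr, xff string, trusted []netip.Prefix) (netip.Addr, error) {
	cur, hops := remote.Unmap(), strings.Split(xff, ",")
	for i := len(hops) - 1; contains(trusted, cur); i-- {
		if i < 0 || xff == "" {
			return netip.Addr{}, fmt.Errorf("no untrusted hop found")
		}
		a, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			return netip.Addr{}, fmt.Errorf("bad X-Forwarded-For entry: %w", err)
		}
		cur = a.Unmap()
	}
	return cur, nil
}

// Authorize checks the allowlist before the key hash; verifyHash is a stand-in.
func Authorize(k APIKey, caller netip.Addr, verifyHash func() bool) (ok, hashed bool) {
	if len(k.AllowedPrefixes) > 0 && !contains(k.AllowedPrefixes, caller) {
		return false, false // rejected without hashing the key
	}
	return verifyHash(), true
}

func main() { // constructed sample values (documentation address ranges)
	key := APIKey{AllowedPrefixes: []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")}}
	ip, err := CallerIP(netip.MustParseAddr("10.0.0.5"), "192.0.2.1, 203.0.113.9", []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")})
	fmt.Println(ip, err)
	fmt.Println(Authorize(key, ip, func() bool { return true }))
}
```

Returning the same error for a prefix mismatch and a wrong key keeps the response from revealing which check failed.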

Labels: c/identity server (This is related to the Identity Server), goldplating (This is just polishing)
