oullin · gocanto · Sep 10, 2025 · Sep 10, 2025 · Sep 10, 2025
diff --git a/caddy/Caddyfile.prod b/caddy/Caddyfile.prod
@@ -25,6 +25,16 @@ oullin.io {
 		format json
 	}
 
+	route /api/generate-signature/* {
+		@allowed {
+			# Allow requests only from the VPS itself (localhost).
+			ip_range 127.0.0.1 ::1
+		}
+
+		# If the remote IP is not in the allowed range, abort the connection.
+		abort not @allowed
+	}
+
 	# API handler.
 	# 	- Reverse-proxy all requests to the Go API, forwarding Host + auth headers.
 	#	- to: Tell Caddy which upstream to send to.

diff --git a/pkg/middleware/public_middleware.go b/pkg/middleware/public_middleware.go
@@ -61,12 +61,6 @@ func (p PublicMiddleware) Handle(next http.ApiHandler) http.ApiHandler {
 			return mwguards.RateLimitedError("Too many requests", "Too many requests for key: "+limiterKey)
 		}
 
-		if err := p.HasInvalidIP(r); err != nil {
-			p.rateLimiter.Fail(limiterKey)
-
-			return err
-		}
-
 		vt := mwguards.NewValidTimestamp(ts, p.now)
 		if err := vt.Validate(p.clockSkew, p.disallowFuture); err != nil {
 			p.rateLimiter.Fail(limiterKey)
@@ -89,20 +83,6 @@ func (p PublicMiddleware) Handle(next http.ApiHandler) http.ApiHandler {
 	}
 }
 
-func (p PublicMiddleware) HasInvalidIP(r *baseHttp.Request) *http.ApiError {
-	ip := portal.ParseClientIP(r)
-
-	if ip == "" {
-		return mwguards.InvalidRequestError("Clients IPs are required to access this endpoint", "")
-	}
-
-	if p.isProduction && ip != p.allowedIP {
-		return mwguards.InvalidRequestError("The given IP is not allowed", "unauthorised ip: "+ip)
-	}
-
-	return nil
-}
-
 func (p PublicMiddleware) GuardDependencies() *http.ApiError {
 	missing := []string{}