Closes #28. Add IpWhiteList middleware and enable for POST /tenant.

docker-compose.prod.yml

@@ -12,6 +12,7 @@ services:
       FORCE_HTTPS: disabled
       JWT_KEY: "uZrJ!xe*xN?!;oU.u*;QOSM+|=4C?WH?6eWPcK/6AkIXIVGQguSA*r"
       THROTTLER_WHITE_LIST: "127.0.0.1"
+      TENANT_WHITE_LIST: "127.0.0.1"
     ports:
       - "3000"
       - "4000"

docker-compose.yml

@@ -12,6 +12,7 @@ services:
       FORCE_HTTPS: disabled
       JWT_KEY: "uZrJ!xe*xN?!;oU.u*;QOSM+|=4C?WH?6eWPcK/6AkIXIVGQguSA*r"
       THROTTLER_WHITE_LIST: "127.0.0.1"
+      TENANT_WHITE_LIST: "127.0.0.1"
     ports:
       - "3000"
       - "4000"

src/app.ts

@@ -1,54 +1,55 @@
-import * as express from 'express'
-import { Response, Request, NextFunction, Application } from 'express'
-import * as bodyParser from 'body-parser'
-import { RequestThrottler } from './middlewares/request.throttler'
-import config from './config'
+import * as express from 'express';
+import { Response, Request, NextFunction, Application } from 'express';
+import * as bodyParser from 'body-parser';
+import { RequestThrottler } from './middlewares/request.throttler';
+import config from './config';
 
-import { InversifyExpressServer } from 'inversify-express-utils'
-import { container } from './ioc.container'
+import { InversifyExpressServer } from 'inversify-express-utils';
+import { container } from './ioc.container';
 
-const app: Application = express()
+const app: Application = express();
 
-app.disable('x-powered-by')
+app.disable('x-powered-by');
 
 app.use((req: Request, res: Response, next: NextFunction) => {
   if (config.app.forceHttps === 'enabled') {
     if (!req.secure) {
-      return res.redirect('https://' + req.hostname + ':' + config.app.httpsPort + req.originalUrl)
+      return res.redirect('https://' + req.hostname + ':' + config.app.httpsPort + req.originalUrl);
     }
 
-    res.setHeader('Strict-Transport-Security', 'max-age=31536000')
+    res.setHeader('Strict-Transport-Security', 'max-age=31536000');
   }
 
   if (req.header('Accept') !== 'application/json') {
     return res.status(406).json({
-      error: 'Unsupported "Accept" header',
-    })
+      error: 'Unsupported "Accept" header'
+    });
   }
 
-  res.setHeader('X-Content-Type-Options', 'nosniff')
-  res.setHeader('X-Frame-Options', 'deny')
-  res.setHeader('Content-Security-Policy', 'default-src \'none\'')
-  return next()
-})
+  res.setHeader('X-Content-Type-Options', 'nosniff');
+  res.setHeader('X-Frame-Options', 'deny');
+  res.setHeader('Content-Security-Policy', 'default-src \'none\'');
+  return next();
+});
 
 app.post('*', (req: Request, res: Response, next: NextFunction) => {
   if (req.header('Content-Type') !== 'application/json') {
     return res.status(406).json({
-      error: 'Unsupported "Content-Type"',
-    })
+      error: 'Unsupported "Content-Type"'
+    });
   }
 
-  return next()
-})
+  return next();
+});
 
-const requestThrottler = new RequestThrottler()
+const requestThrottler = new RequestThrottler();
 
-app.use((req: Request, res: Response, next: NextFunction) => requestThrottler.throttle(req, res, next))
+app.use((req: Request, res: Response, next: NextFunction) => requestThrottler.throttle(req, res, next));
 
-app.use(bodyParser.json())
-app.use(bodyParser.urlencoded({ extended: false }))
+app.use(bodyParser.json());
+app.use(bodyParser.urlencoded({ extended: false }));
 
-let server = new InversifyExpressServer(container, null, null, app)
+// for test purpose
+let server = new InversifyExpressServer(container, null, null, app);
 
-export default server.build()
+export default server.build();

src/config.ts

@@ -9,7 +9,8 @@ const {
   THROTTLER_INTERVAL,
   THROTTLER_MAX,
   THROTTLER_MIN_DIFF,
-  JWT_KEY
+  JWT_KEY,
+  TENANT_WHITE_LIST
 } = process.env;
 
 export default {
@@ -36,5 +37,8 @@ export default {
     maxInInterval: THROTTLER_MAX || 5, // max number of allowed requests from 1 IP in "interval" time window
     minDifference: THROTTLER_MIN_DIFF || 0, // optional, minimum time between 2 requests from 1 IP
     whiteList: THROTTLER_WHITE_LIST ? THROTTLER_WHITE_LIST.split(',') : [] // requests from these IPs won't be throttled
+  },
+  tenant: {
+    whitelist: TENANT_WHITE_LIST ? TENANT_WHITE_LIST.split(',') : []
   }
 };

src/controllers/specs/tenant.controller.spec.ts

@@ -1,8 +1,11 @@
 import * as chai from 'chai';
 import app from '../../app';
+import IpWhiteListFilter from '../../middlewares/ip.whitelist';
 import { container } from '../../ioc.container';
 import { StorageServiceType, StorageService } from '../../services/storage.service';
 import { TenantServiceType, TenantServiceInterface } from '../../services/tenant.service';
+import * as express from 'express';
+import { InversifyExpressServer } from 'inversify-express-utils';
 
 chai.use(require('chai-http'));
 const { expect, request } = chai;
@@ -80,6 +83,20 @@ describe('Tenants', () => {
         done();
       });
     });
+
+    it('should use tenant IP whitelist', (done) => {
+      container.rebind<express.RequestHandler>('TenantIpWhiteList').toConstantValue(
+        (req: any, res: any, next: any) => (new IpWhiteListFilter([])).filter(req, res, next)
+      );
+
+      // create new app with new TenantIpWhiteList binding.
+      const testApp = new InversifyExpressServer(container).build();
+
+      request(testApp).post('/tenant').set('Accept', 'application/json').send({ email: 'test@test.com', password: 'test12' }).end((err, res) => {
+        expect(res.status).to.equal(403);
+        done();
+      });
+    });
   });
 
   describe('POST /tenant/login', () => {

src/controllers/tenant.controller.ts

@@ -23,6 +23,7 @@ export class TenantController {
    */
   @httpPost(
     '/',
+    'TenantIpWhiteList',
     'CreateTenantValidation'
   )
   async create(req: Request, res: Response): Promise<void> {

src/ioc.container.ts

@@ -1,50 +1,55 @@
-import { Container } from 'inversify'
-import { TenantServiceInterface, TenantService, TenantServiceType } from './services/tenant.service'
-import { StorageServiceType, StorageService, RedisService } from './services/storage.service'
-import { KeyServiceType, KeyServiceInterface, KeyService } from './services/key.service'
-import { JWTServiceInterface, JWTServiceType, JWTService } from './services/jwt.service'
-import { JWTController } from './controllers/jwt.controller'
-import { TenantController } from './controllers/tenant.controller'
-import { UserController } from './controllers/user.controller'
-import { interfaces, TYPE } from 'inversify-express-utils'
-import { UserService, UserServiceInterface, UserServiceType } from './services/user.service'
-import { Auth } from './middlewares/auth'
-import * as express from 'express'
-import * as validation from './middlewares/request.validation'
+import { Container } from 'inversify';
+import { TenantServiceInterface, TenantService, TenantServiceType } from './services/tenant.service';
+import { StorageServiceType, StorageService, RedisService } from './services/storage.service';
+import { KeyServiceType, KeyServiceInterface, KeyService } from './services/key.service';
+import { JWTServiceInterface, JWTServiceType, JWTService } from './services/jwt.service';
+import { JWTController } from './controllers/jwt.controller';
+import { TenantController } from './controllers/tenant.controller';
+import { UserController } from './controllers/user.controller';
+import { interfaces, TYPE } from 'inversify-express-utils';
+import { UserService, UserServiceInterface, UserServiceType } from './services/user.service';
+import { Auth } from './middlewares/auth';
+import config from './config';
+import * as express from 'express';
+import * as validation from './middlewares/request.validation';
+import IpWhiteListFilter from './middlewares/ip.whitelist';
 
-let container = new Container()
+let container = new Container();
 
 // services
-container.bind<KeyServiceInterface>(KeyServiceType).to(KeyService)
-container.bind<JWTServiceInterface>(JWTServiceType).to(JWTService)
-container.bind<StorageService>(StorageServiceType).to(RedisService)
-container.bind<TenantServiceInterface>(TenantServiceType).to(TenantService)
-container.bind<UserServiceInterface>(UserServiceType).to(UserService)
+container.bind<KeyServiceInterface>(KeyServiceType).to(KeyService);
+container.bind<JWTServiceInterface>(JWTServiceType).to(JWTService);
+container.bind<StorageService>(StorageServiceType).to(RedisService);
+container.bind<TenantServiceInterface>(TenantServiceType).to(TenantService);
+container.bind<UserServiceInterface>(UserServiceType).to(UserService);
 
 // middlewares
-const auth = new Auth(container.get<KeyServiceInterface>(KeyServiceType))
+const auth = new Auth(container.get<KeyServiceInterface>(KeyServiceType));
 container.bind<express.RequestHandler>('AuthMiddleware').toConstantValue(
   (req: any, res: any, next: any) => auth.authenticate(req, res, next)
-)
+);
 container.bind<express.RequestHandler>('CreateUserValidation').toConstantValue(
   (req: any, res: any, next: any) => validation.createUser(req, res, next)
-)
+);
 container.bind<express.RequestHandler>('CreateTenantValidation').toConstantValue(
   (req: any, res: any, next: any) => validation.createTenant(req, res, next)
-)
+);
 container.bind<express.RequestHandler>('LoginTenantValidation').toConstantValue(
   (req: any, res: any, next: any) => validation.loginTenant(req, res, next)
-)
+);
 container.bind<express.RequestHandler>('CreateTokenValidation').toConstantValue(
   (req: any, res: any, next: any) => validation.createToken(req, res, next)
-)
+);
 container.bind<express.RequestHandler>('TokenRequiredValidation').toConstantValue(
   (req: any, res: any, next: any) => validation.tokenRequired(req, res, next)
-)
+);
+container.bind<express.RequestHandler>('TenantIpWhiteList').toConstantValue(
+  (req: any, res: any, next: any) => (new IpWhiteListFilter(config.tenant.whitelist)).filter(req, res, next)
+);
 
 // controllers
-container.bind<interfaces.Controller>(TYPE.Controller).to(JWTController).whenTargetNamed('JWTController')
-container.bind<interfaces.Controller>(TYPE.Controller).to(TenantController).whenTargetNamed('TenantController')
-container.bind<interfaces.Controller>(TYPE.Controller).to(UserController).whenTargetNamed('UserController')
+container.bind<interfaces.Controller>(TYPE.Controller).to(JWTController).whenTargetNamed('JWTController');
+container.bind<interfaces.Controller>(TYPE.Controller).to(TenantController).whenTargetNamed('TenantController');
+container.bind<interfaces.Controller>(TYPE.Controller).to(UserController).whenTargetNamed('UserController');
 
-export { container }
+export { container };

src/middlewares/ip.whitelist.ts

@@ -0,0 +1,33 @@
+import { Response, Request, NextFunction } from 'express';
+
+export default class IpWhiteListFilter {
+  whiteList: Array<string>;
+
+  /**
+   * constructor
+   * @param whiteList Array<string>
+   */
+  constructor(whiteList: Array<string>) {
+    this.whiteList = whiteList;
+  }
+
+  filter(req: Request, res: Response, next: NextFunction) {
+    let ip = req.ip;
+
+    /*
+     Check if IP has ipv6 prefix and remove it.
+     See: https://stackoverflow.com/questions/29411551/express-js-req-ip-is-returning-ffff127-0-0-1
+     */
+    if (ip.substr(0, 7) === '::ffff:') {
+      ip = ip.substr(7);
+    }
+
+    if (this.whiteList.indexOf(ip) !== -1) {
+      return next();
+    }
+
+    return res.status(403).send({
+      error: 'Forbidden'
+    });
+  }
+}

src/middlewares/specs/ip.whitelist.spec.ts

@@ -0,0 +1,40 @@
+import * as express from 'express';
+import { Response, Request, NextFunction, Application } from 'express';
+import * as chai from 'chai';
+import IpWhiteListFilter from '../ip.whitelist';
+
+const { expect, request } = chai;
+
+describe('IP whitelist filter', () => {
+  describe('Test filter', () => {
+    it ('should respond with 403 if IP is not in whitelist', (done) => {
+      const app: Application = express();
+
+      const filter = new IpWhiteListFilter([]);
+
+      app.use((req: Request, res: Response, next: NextFunction) => filter.filter(req, res, next));
+
+      const data = {};
+      request(app).post('/user').set('Accept', 'application/json').send(data).end((err, res) => {
+        expect(res.status).to.equal(403);
+        done();
+      });
+    });
+
+    it ('should allow request if IP is in whitelist', (done) => {
+      const app: Application = express();
+
+      const filter = new IpWhiteListFilter([
+        '127.0.0.1'
+      ]);
+
+      app.use((req: Request, res: Response, next: NextFunction) => filter.filter(req, res, next));
+
+      const data = {};
+      request(app).post('/user').set('Accept', 'application/json').send(data).end((err, res) => {
+        expect(res.status).to.equal(404); // 404 as test app doesn't have any routes
+        done();
+      });
+    });
+  });
+});