Merge pull request #2003 from cprussin/add-ip-whitelist

feat(staking): add IP whitelist
pyth-network · Oct 7, 2024 · 803cbc1 · 803cbc1
2 parents 6f02bbb + 2fb8c57
commit 803cbc1
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 9 deletions.
diff --git a/apps/staking/package.json b/apps/staking/package.json
@@ -40,6 +40,7 @@
     "clsx": "^2.1.1",
     "dnum": "^2.13.1",
     "framer-motion": "^11.3.8",
+    "ip-range-check": "^0.2.0",
     "next": "^14.2.5",
     "pino": "^9.3.2",
     "proxycheck-ts": "^0.0.11",

diff --git a/apps/staking/src/config/server.ts b/apps/staking/src/config/server.ts
@@ -54,6 +54,7 @@ export const WALLETCONNECT_PROJECT_ID = demandInProduction(
 export const MAINNET_RPC = process.env.MAINNET_RPC;
 export const HERMES_URL = getOr("HERMES_URL", "https://hermes.pyth.network");
 export const BLOCKED_REGIONS = transformOr("BLOCKED_REGIONS", fromCsv, []);
+export const IP_ALLOWLIST = transformOr("IP_ALLOWLIST", fromCsv, []);
 export const GOVERNANCE_ONLY_REGIONS = transformOr(
   "GOVERNANCE_ONLY_REGIONS",
   fromCsv,

diff --git a/apps/staking/src/middleware.ts b/apps/staking/src/middleware.ts
@@ -1,3 +1,4 @@
+import ipRangeCheck from "ip-range-check";
 import { type NextRequest, NextResponse } from "next/server";
 import ProxyCheck from "proxycheck-ts";
 
@@ -10,6 +11,7 @@ import {
   BLOCKED_REGIONS,
   GOVERNANCE_ONLY_REGIONS,
   PROXYCHECK_API_KEY,
+  IP_ALLOWLIST,
 } from "./config/server";
 
 const GEO_BLOCKED_PATH = `/${GEO_BLOCKED_SEGMENT}`;
@@ -21,22 +23,32 @@ const proxyCheckClient = PROXYCHECK_API_KEY
   : undefined;
 
 export const middleware = async (request: NextRequest) => {
-  if (await isProxyBlocked(request)) {
-    return rewrite(request, VPN_BLOCKED_PATH);
-  } else if (isGovernanceOnlyRegion(request)) {
-    return rewrite(request, GOVERNANCE_ONLY_PATH);
-  } else if (isRegionBlocked(request)) {
-    return rewrite(request, GEO_BLOCKED_PATH);
-  } else if (isBlockedSegment(request)) {
-    return rewrite(request, "/not-found");
+  if (isIpAllowlisted(request)) {
+    return isBlockedSegment(request)
+      ? rewrite(request, "/not-found")
+      : undefined;
   } else {
-    return;
+    if (await isProxyBlocked(request)) {
+      return rewrite(request, VPN_BLOCKED_PATH);
+    } else if (isGovernanceOnlyRegion(request)) {
+      return rewrite(request, GOVERNANCE_ONLY_PATH);
+    } else if (isRegionBlocked(request)) {
+      return rewrite(request, GEO_BLOCKED_PATH);
+    } else if (isBlockedSegment(request)) {
+      return rewrite(request, "/not-found");
+    } else {
+      return;
+    }
   }
 };
 
 const rewrite = (request: NextRequest, path: string) =>
   NextResponse.rewrite(new URL(path, request.url));
 
+const isIpAllowlisted = ({ ip }: NextRequest) =>
+  ip !== undefined &&
+  IP_ALLOWLIST.some((allowedRange) => ipRangeCheck(ip, allowedRange));
+
 const isGovernanceOnlyRegion = ({ geo }: NextRequest) =>
   geo?.country !== undefined &&
   GOVERNANCE_ONLY_REGIONS.includes(geo.country.toLowerCase());

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml