feat: enforce web UI access control on index, auth, and users routes using ipWhitelistOnly and webUiGuard middleware

Author: plingdevelop

.env.example

@@ -105,3 +105,5 @@ COS_BUCKET_NAME=
 COS_REGION=
 COS_DOWNLOAD_URL=
 
+# The value should be a comma-separated list of IP addresses, e.g., "127.0.0.1,10.0.0.1". 
+WEB_UI_WHITELIST=

src/app.ts

@@ -8,7 +8,14 @@ import { logger } from 'kv-logger';
 import { AppError, NotFound } from './core/app-error';
 import { config } from './core/config';
 import { i18n } from './core/i18n';
-import { i18nMiddleware, Req, Res, withLogger } from './core/middleware';
+import {
+    i18nMiddleware,
+    ipWhitelistOnly,
+    Req,
+    Res,
+    webUiGuard,
+    withLogger,
+} from './core/middleware';
 import { accessKeysRouter } from './routes/accessKeys';
 import { accountRouter } from './routes/account';
 import { appsRouter } from './routes/apps';
@@ -89,8 +96,8 @@ app.use('/accessKeys', accessKeysRouter);
 app.use('/apps', appsRouter);
 app.use('/account', accountRouter);
 // code-push-server routes
-app.use('/auth', authRouter);
-app.use('/users', usersRouter);
+app.use('/auth', [ipWhitelistOnly, webUiGuard], authRouter);
+app.use('/users', [ipWhitelistOnly, webUiGuard], usersRouter);
 
 // 404 handler
 // eslint-disable-next-line @typescript-eslint/no-unused-vars

src/core/config.ts

@@ -7,6 +7,8 @@ import {
     withLogLevelFilter,
 } from 'kv-logger';
 
+const env = process.env.NODE_ENV || 'development';
+
 function toBool(str: string): boolean {
     return str === 'true' || str === '1';
 }
@@ -125,8 +127,19 @@ export const config = {
         updateCheckCache: toBool(process.env.UPDATE_CHECK_CACHE),
         // options value is (true | false), when it's true, it will cache rollout results in redis
         rolloutClientUniqueIdCache: toBool(process.env.ROLLOUT_CLIENT_UNIQUE_ID_CACHE),
+        // NODE_ENV value. This determines the current running environment (e.g., development, staging, production).
+        env,
+        /**
+         * whitelist for allowing access to the web UI.
+         * When in production or when registration is disabled, only IPs listed here will be allowed to access the web UI.
+         * The value should be a comma-separated list of IP addresses, e.g., "127.0.0.1,10.0.0.1".
+         */
+        webUIWhitelist: (process.env.WEB_UI_WHITELIST || '')
+            .split(',')
+            .map((ip) => ip.trim())
+            .filter(Boolean),
     },
-    // Config for smtp email，register module need validate user email project source https://github.com/nodemailer/nodemailer
+    // Config for smtp email, register module need validate user email project source https://github.com/nodemailer/nodemailer
     smtpConfig: {
         host: process.env.SMTP_HOST,
         port: toNumber(process.env.SMTP_PORT, 465),
@@ -153,7 +166,6 @@ setLogTransports(
     ),
 );
 
-const env = process.env.NODE_ENV || 'development';
 logger.info(`use config`, {
     env,
     storageType: config.common.storageType,

src/core/middleware.ts

@@ -10,6 +10,7 @@ import { Users, UsersInterface } from '../models/users';
 import { AppError, Unauthorized } from './app-error';
 import { config } from './config';
 import { t } from './i18n';
+import { shouldHideWebUI } from './utils/common';
 import { parseToken, md5 } from './utils/security';
 
 export type LocaleI18n = 'en' | 'ko' | 'zh';
@@ -164,3 +165,49 @@ export function i18nMiddleware(req: Req, res: Res, next: NextFunction) {
 
     next();
 }
+
+export function webUiGuard(req: Req, res: Response, next: NextFunction) {
+    if (!shouldHideWebUI()) {
+        return next();
+    }
+
+    req.logger?.info?.('blocked web UI access', {
+        path: req.path,
+        method: req.method,
+    });
+
+    return res.status(405).send('Method Not Allowed');
+}
+
+export function ipWhitelistOnly(req: Req, res: Response, next: NextFunction) {
+    const whitelist = config.common.webUIWhitelist || [];
+
+    if (!Array.isArray(whitelist) || whitelist.length === 0) {
+        return next();
+    }
+
+    const defaultIp = req.ip;
+    const forwardedFor = req.headers['x-forwarded-for'];
+
+    const realIp = Array.isArray(forwardedFor)
+        ? forwardedFor[0]
+        : forwardedFor?.split(',')[0]?.trim() || defaultIp;
+
+    const isAllowed = whitelist.includes(realIp);
+
+    if (!isAllowed) {
+        req.logger?.info?.('IP whitelist blocked', {
+            requestIp: realIp,
+            path: req.path,
+        });
+
+        return res.status(403).send('Forbidden');
+    }
+
+    req.logger?.info?.('IP whitelist allowed', {
+        requestIp: realIp,
+        path: req.path,
+    });
+
+    return next();
+}

src/core/utils/common.ts

@@ -13,6 +13,15 @@ import { config } from '../config';
 
 const streamPipeline = util.promisify(pipeline);
 
+/** 프로덕션이거나, ALLOW_REGISTRATION !== true 이면 UI 숨김 */
+export function shouldHideWebUI(): boolean {
+    const env = config.common.env || process.env.NODE_ENV;
+    const isProdEnv = env === 'production';
+    const allowRegistration = Boolean(config.common.allowRegistration);
+
+    return isProdEnv || !allowRegistration;
+}
+
 function cleanVersion(versionNo?: string) {
     if (typeof versionNo !== 'string') {
         return versionNo as any;

src/routes/index.ts

@@ -1,12 +1,17 @@
 import express from 'express';
 import { AppError } from '../core/app-error';
 import { i18n } from '../core/i18n';
-import { checkToken, Req } from '../core/middleware';
+import { checkToken, ipWhitelistOnly, Req, webUiGuard } from '../core/middleware';
 import { clientManager } from '../core/services/client-manager';
 
 export const indexRouter = express.Router();
 
-indexRouter.get('/', (req, res) => {
+/**
+ * 프로덕션 레벨 미들웨어 적용
+ * - ipWhitelistOnly: IP주소 검사
+ * - webUiGuard: NODE_ENV='production' OR ALLOW_REGISTRATION='true'
+ */
+indexRouter.get('/', [ipWhitelistOnly, webUiGuard], (req, res) => {
     res.render('index', { title: 'CodePushServer' });
 });