Home / Questions / 23643
Accepted
Jose Hermosilla Rodrigo
Asked: 2020-09-14 08:06:29 +0800 CST 2020-09-14 08:06:29 +0800 CST

Node/Express - How to restrict access to users who are not connected to the same network?

  • 772

I run into a problem that I don't know how to solve and I can't find anything about it. Imagine that I have the following routes in an express application:

// app.js
app.use('/users', require('./routes/users'));

// routes/users.js
router.use(accesoExterno);
router.route('/login').get(...).post(...).put(...)
...

In the databaseaccesoExterno , there must be a type column booleanthat says if the user has privileges to access "externally", that is, if he is not connected to the network from where he launched the server .

What should I do in the middleware accesoExternoto perform this check?

function accesoExterno(req, res, next){
  //PSEUDO-CODE
  db.users.get('accesoExterno')
  .then( tieneAcceso => {
    if(!tieneAcceso){
      // Si no tiene acceso comprobar que está conectado a la misma red
    }
  })
}

EDIT

Things I have tried:

  • req.host -> It returns the host. I can check if it is running from "localhost", which would be an option. But what if you enter through "127.0.0.1" or directly from the IP?
  • req.ip -> I think this would work for me, because if I'm connected to my network, it returns my network's IP, if not, it returns my device's IP?

Any clarification to my doubts would be of great help.

javascript

1 Answers

  1. Best Answer

    The value of req.ipgives you the "assumed" value of the ip of the user making the request. If you join that with the own configuration of your equipment you can determine if it belongs to the same ip range as you.

    To determine your own configuration you can use the native os module with the function os.networkInterfaces

    From now on you just have to iterate over the values ​​and check if at least one of them matches the one on your server. The middleware function would be something like this.

    var os = require('os');
var ip = require('ip'); 

function accesoExterno(req, res, next){
    //PSEUDO-CODE
    db.users.get('accesoExterno').then( tieneAcceso => {
        if(!tieneAcceso) {
            if (inRange(req.ip)) {
                next();
            } else {
                res.status(401).send('Unauthorized');
            }
       }
    });
}

function inRange(currentIp) {
    // Obtengo la lista de interfaces
    var interfaces = os.networkInterfaces();

    for (var interf in interfaces) {
        // Interfaces es un objeto donde las llaves son el nombre del adaptador
        // El contenido es un arreglo de direcciones ip asignadas al adaptador
        // Pueden haber varias
        var currentInterface = interfaces[interf];

        for (var j = 0; j < currentInterface.length; j++) {
            // Es true si es 127.0.0.1 o similar. 
            if (!currentInterface[j].internal) {
                // Creamos la subnet para calcular
                var subnet = ip.subnet(currentInterface[j].address, currentInterface[j].netmask);
                // Si se encuentra al menos una coincidencia abortamos el ciclo retornando true
                if (subnet.contains(currentIp)) {
                     return true;
                }
            }
        }
    }

    // Si no se ha encontrado nada devolvemos false
    return false;
}

    In the example I have used the ip module which brings some very convenient tools for managing ip and subnets.

    You can read more about this process in the Wikipedia article

    https://en.wikipedia.org/wiki/Subnetwork

    Note that it req.ipmay not work if the setting trust-proxyis set to false, and that this value can be spoofed by the user or any of the proxies in the chain.

    • 3