feature: IP filtering on signup page

disable registration form on IP not in range checking the CIDR list before filtering with it placing the cidr filters as an attribute object in the config
2025-10-03 17:59:37 +02:00 · 2018-05-22 19:43:13 +02:00 · 2018-05-22 19:43:13 +02:00 · ff2c1fe813
commit ff2c1fe813
parent e2f1dad836
13 changed files with 105 additions and 9 deletions
--- a/server/helpers/utils.ts
+++ b/server/helpers/utils.ts
@ -1,4 +1,6 @@
 import { Model } from 'sequelize-typescript'
+import * as ipaddr from 'ipaddr.js'
+const isCidr = require('is-cidr')
 import { ResultList } from '../../shared'
 import { VideoResolution } from '../../shared/models/videos'
 import { CONFIG } from '../initializers'
@ -48,6 +50,39 @@ async function isSignupAllowed () {
  return totalUsers < CONFIG.SIGNUP.LIMIT
 }

+function isSignupAllowedForCurrentIP (ip: string) {
+  const addr = ipaddr.parse(ip)
+  let excludeList = [ 'blacklist' ]
+  let matched: string
+
+  // if there is a valid, non-empty whitelist, we exclude all unknown adresses too
+  if (CONFIG.SIGNUP.FILTERS.CIDR.WHITELIST.filter(cidr => isCidr(cidr)).length > 0) {
+    excludeList.push('unknown')
+  }
+
+  if (addr.kind() === 'ipv4') {
+    const addrV4 = ipaddr.IPv4.parse(ip)
+    const rangeList = {
+      whitelist: CONFIG.SIGNUP.FILTERS.CIDR.WHITELIST.filter(cidr => isCidr.v4(cidr))
+                                                .map(cidr => ipaddr.IPv4.parseCIDR(cidr)),
+      blacklist: CONFIG.SIGNUP.FILTERS.CIDR.BLACKLIST.filter(cidr => isCidr.v4(cidr))
+                                                .map(cidr => ipaddr.IPv4.parseCIDR(cidr))
+    }
+    matched = ipaddr.subnetMatch(addrV4, rangeList, 'unknown')
+  } else if (addr.kind() === 'ipv6') {
+    const addrV6 = ipaddr.IPv6.parse(ip)
+    const rangeList = {
+      whitelist: CONFIG.SIGNUP.FILTERS.CIDR.WHITELIST.filter(cidr => isCidr.v6(cidr))
+                                                .map(cidr => ipaddr.IPv6.parseCIDR(cidr)),
+      blacklist: CONFIG.SIGNUP.FILTERS.CIDR.BLACKLIST.filter(cidr => isCidr.v6(cidr))
+                                                .map(cidr => ipaddr.IPv6.parseCIDR(cidr))
+    }
+    matched = ipaddr.subnetMatch(addrV6, rangeList, 'unknown')
+  }
+
+  return !excludeList.includes(matched)
+}
+
 function computeResolutionsToTranscode (videoFileHeight: number) {
  const resolutionsEnabled: number[] = []
  const configResolutions = CONFIG.TRANSCODING.RESOLUTIONS
@ -99,6 +134,7 @@ export {
  generateRandomString,
  getFormattedObjects,
  isSignupAllowed,
+  isSignupAllowedForCurrentIP,
  computeResolutionsToTranscode,
  resetSequelizeInstance,
  getServerActor,