remove separate userapiallowedips config and check

2025-04-21 02:51:42 +02:00 · 2025-04-14 11:58:42 +02:00 · 2025-04-14 11:58:42 +02:00 · 1755a4a7df
commit 1755a4a7df
parent 25d3325049
2 changed files with 13 additions and 43 deletions
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@ -329,7 +329,7 @@ func (auth *Authentication) AuthApi(
 			return
 		}

-		ipErr := securedCheck(user, "api", r)
+		ipErr := securedCheck(user, r)
 		if ipErr != nil {
 			log.Infof("auth api -> secured check failed: %s", err.Error())
 			onfailure(rw, r, ipErr)
@ -372,13 +372,6 @@ func (auth *Authentication) AuthUserApi(
 			return
 		}

-		ipErr := securedCheck(user, "userapi", r)
-		if ipErr != nil {
-			log.Infof("auth user api -> secured check failed: %s", err.Error())
-			onfailure(rw, r, ipErr)
-			return
-		}
-
 		if user != nil {
 			switch {
 			case len(user.Roles) == 1:
@ -466,7 +459,7 @@ func (auth *Authentication) Logout(onsuccess http.Handler) http.Handler {
 }

 // Helper Moved To MiddleWare Auth Handlers
-func securedCheck(user *schema.User, checkEndpoint string, r *http.Request) error {
+func securedCheck(user *schema.User, r *http.Request) error {
 	if user == nil {
 		return fmt.Errorf("no user for secured check")
 	}
@ -484,37 +477,17 @@ func securedCheck(user *schema.User, checkEndpoint string, r *http.Request) erro
 		IPAddress = strings.Split(IPAddress, ":")[0]
 	}

-	// Used for checking TokenAuth'd Requests Only: Remove '== schema.AuthToken'-Condition
-	if checkEndpoint == "api" {
-		// If nothing declared in config: deny all request to this api endpoint
-		if config.Keys.ApiAllowedIPs == nil || len(config.Keys.ApiAllowedIPs) == 0 {
-			return fmt.Errorf("missing configuration key ApiAllowedIPs")
-		}
-		// If wildcard declared in config: Continue
-		if config.Keys.ApiAllowedIPs[0] == "*" {
-			return nil
-		}
-		// check if IP is allowed
-		if !util.Contains(config.Keys.ApiAllowedIPs, IPAddress) {
-			return fmt.Errorf("unknown ip: %v", IPAddress)
-		}
-
-	} else if checkEndpoint == "userapi" {
-		// If nothing declared in config: deny all request to this api endpoint
-		if config.Keys.UserApiAllowedIPs == nil || len(config.Keys.UserApiAllowedIPs) == 0 {
-			return fmt.Errorf("missing configuration key UserApiAllowedIPs")
-		}
-		// If wildcard declared in config: Continue
-		if config.Keys.UserApiAllowedIPs[0] == "*" {
-			return nil
-		}
-		// check if IP is allowed
-		if !util.Contains(config.Keys.UserApiAllowedIPs, IPAddress) {
-			return fmt.Errorf("unknown user ip: %v", IPAddress)
-		}
-
-	} else {
-		return fmt.Errorf("unknown checkEndpoint for secured check")
+	// If nothing declared in config: deny all request to this api endpoint
+	if len(config.Keys.ApiAllowedIPs) == 0 {
+		return fmt.Errorf("missing configuration key ApiAllowedIPs")
+	}
+	// If wildcard declared in config: Continue
+	if config.Keys.ApiAllowedIPs[0] == "*" {
+		return nil
+	}
+	// check if IP is allowed
+	if !util.Contains(config.Keys.ApiAllowedIPs, IPAddress) {
+		return fmt.Errorf("unknown ip: %v", IPAddress)
 	}

 	return nil
--- a/pkg/schema/config.go
+++ b/pkg/schema/config.go
@ -103,9 +103,6 @@ type ProgramConfig struct {
 	// Addresses from which secured admin API endpoints can be reached, can be wildcard "*"
 	ApiAllowedIPs []string `json:"apiAllowedIPs"`

-	// Addresses from which secured admin API endpoints can be reached, can be wildcard "*"
-	UserApiAllowedIPs []string `json:"userApiAllowedIPs"`
-
 	// Drop root permissions once .env was read and the port was taken.
 	User  string `json:"user"`
 	Group string `json:"group"`