Base solution for your next web application
Open Closed

Checking for IP address on all API calls #5738


User avatar
1
vladsd created

We have a white list of IP addresses, all other should be blocked.

Is there one place we can check against that list on ALL API calls to web service?

Thanks.


7 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team

    I suggest you register a net core middleware, this is the highest priority.

  • User Avatar
    0
    aaron created
    Support Team
  • User Avatar
    0
    vladsd created

    For all users, anonymous user and registered, I need to intercept all API calls and check against IP list in tenant table. The solutions above do not provide for it.

    Putting TenantManager reference in Startup causes issues InvalidOperationException: Unable to resolve service for type 'MyProject.MultiTenancy.TenantManager' while attempting to activate 'MyProject.Web.Startup.Startup'.

    //https://docs.microsoft.com/en-us/aspnet/core/fundamentals/middleware/?view=aspnetcore-2.1

               app.Use(async (context, next) =>
               {
                   // Do work that doesn't write to the Response.
                   if(! await _tenantManager.ValidateIPAddress())
                   {
                       throw new AbpAuthorizationException();
                   }
    
                   await next.Invoke();
               });
    
  • User Avatar
    0
    ryancyq created
    Support Team

    you can inject TenantManager and use in Intercept()

    example from the SO post:

    internal class ClientIpAuthorizationInterceptor : IInterceptor
    {
        private readonly IClientInfoProvider _clientInfoProvider;
        private readonly ITenantManager _tenantManager;
    
        public ClientIpAuthorizationInterceptor(
            IClientInfoProvider clientInfoProvider,
            ITenantManager tenantManager
        )
        {
            _clientInfoProvider = clientInfoProvider;
            _tenanrManager = tenantManager;
        }
    
        public void Intercept(IInvocation invocation)
        {
            //more code
    
            //modify the following to check IP addresses from TenantManager
            if (clientIpAuthorizeAttribute != null &&
                clientIpAuthorizeAttribute.AllowedIpAddress != _clientInfoProvider.ClientIpAddress)
            {
                throw new AbpAuthorizationException();
            }
    
            invocation.Proceed();
        }
    }
    

    Do note that by reading ip addresses from tenant manager will impact the performance as this interception is triggerred for every web request.

  • User Avatar
    0
    vladsd created

    @ryancyq sorry, it still does not solve my issue as I need IP check on all calls, now I need to add ClientIpAuthorize to all API calls! What about abp framework, I cannot access those like one for GetAll, etc.

  • User Avatar
    0
    aaron created
    Support Team
    app.Use(async (context, next) =>
    {
        IocManager.Instance.Using<TenantManager>(async tenantManager =>
        {
            if (!await _tenantManager.ValidateIPAddress())
            {
                throw new AbpAuthorizationException();
            }
        });
    
        await next.Invoke();
    });
    
  • User Avatar
    0
    vladsd created

    Better solution is to override AuthorizationHelper -> AuthorizeAsync method and check there