Added support for CIDR address checking in UserAllowedIP setting.

meshcentral.js

@@ -252,6 +252,7 @@ function CreateMeshCentralServer(config, args) {
         if (obj.args.mpsaliasport != null && (typeof obj.args.mpsaliasport != 'number')) obj.args.mpsaliasport = null;
         if (obj.args.notls == null && obj.args.redirport == null) obj.args.redirport = 80;
         if (obj.args.minifycore === 0) obj.args.minifycore = false;
+        if (typeof obj.args.userallowedip == 'string') { if (obj.args.userallowedip == '') { obj.args.userallowedip = null; } else { obj.args.userallowedip = obj.userallowedip.split(','); } }
         if (typeof obj.args.debug == 'number') obj.debugLevel = obj.args.debug;
         if (obj.args.debug == true) obj.debugLevel = 1;
         obj.db = require('./db.js').CreateDB(obj);

package.json

@@ -1,6 +1,6 @@
 {
   "name": "meshcentral",
-  "version": "0.2.5-q",
+  "version": "0.2.5-r",
   "keywords": [
     "Remote Management",
     "Intel AMT",
@@ -35,6 +35,7 @@
     "express-handlebars": "^3.0.0",
     "express-session": "^1.15.6",
     "express-ws": "^4.0.0",
+    "ipcheck": "^0.1.0",
     "meshcentral": "*",
     "minimist": "^1.2.0",
     "multiparty": "^4.2.1",

sample-config.json

@@ -31,6 +31,7 @@
       "NewAccounts": 1,
       "Footer": "<a href='https://twitter.com/mytwitter'>Twitter</a>",
       "_CertUrl": "https://192.168.2.106:443/",
+      "_UserAllowedIP": "127.0.0.1,192.168.1.0/24",
       "_PasswordRequirements": { "min": 8, "max": 128, "upper": 1, "lower": 1, "numeric": 1, "nonalpha": 1 }
     },
     "customer1": {

webserver.js

@@ -292,8 +292,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
             if (req.connection) { type = 1; ip = req.ip; } // HTTP(S) request
             else if (req._socket) { type = 2; ip = req._socket.remoteAddress; } // WebSocket request
             if (!ip) return false;
-            if (ip.startsWith('::ffff:')) { ip = ip.substring(7); } // Fix IPv4 IP's encoded in IPv6 form
-            if ((ip != null) && (allowedIpList.indexOf(ip) >= 0)) { return true; }
+            for (var i = 0; i < allowedIpList.length; i++) { if (require('ipcheck').match(ip, allowedIpList[i])) { return true; } }
             if (type == 1) { res.sendStatus(401); }
             else if (type == 2) { try { req.close(); } catch (e) { } }
         } catch (e) { console.log(e); }
@@ -302,15 +301,12 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 
     // Check if the source IP address is allowed, return domain if allowed
     function checkUserIpAddress(req, res, rootonly) {
-        if (obj.userAllowedIp != null) {
-            if (typeof obj.userAllowedIp == 'string') { if (obj.userAllowedIp == "") { obj.userAllowedIp = null; return true; } else { obj.userAllowedIp = obj.userAllowedIp.split(','); } }
-            if (checkUserIpAddressEx(req, res, obj.userAllowedIp) == false) return null;
-        }
-        if (rootonly == true) return;
+        if ((obj.userAllowedIp != null) && (checkUserIpAddressEx(req, res, obj.userAllowedIp) == false)) { return null; }
+        if (rootonly == true) { return; }
         var domain;
         if (req.url) { domain = getDomain(req); } else { domain = getDomain(res); }
         if (domain.userallowedip == null) return domain;
-        if (checkUserIpAddressEx(req, res, domain.userallowedip) == false) return null;
+        if (checkUserIpAddressEx(req, res, domain.userallowedip) == false) { return null; }
         return domain;
     }
 
@@ -321,7 +317,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
         var x = req.url.split('/');
         if (x.length < 2) return parent.config.domains[''];
         var y = parent.config.domains[x[1].toLowerCase()];
-        if ((y != null) && (y.dns == null)) return parent.config.domains[x[1].toLowerCase()];
+        if ((y != null) && (y.dns == null)) { return parent.config.domains[x[1].toLowerCase()]; }
         return parent.config.domains[''];
     }