Merge pull request #438 from daree-dev/feature/admin-ip-whitelist

hman38705 · web-flow · commit 407541b569a7 · 2026-03-30T11:47:07.000+01:00
Implement IP whitelist for admin routes
diff --git a/services/api/src/config.rs b/services/api/src/config.rs
@@ -62,6 +62,7 @@ pub struct Config {
     pub base_url: String,
     pub api_keys: Vec<String>,
     pub admin_whitelist_ips: Vec<IpAddr>,
+    pub trust_proxy: bool,
     pub request_signing_secret: Option<String>,
     pub sendgrid_webhook_secret: Option<String>,
     pub trusted_proxy_cidrs: Vec<IpNet>,
@@ -198,6 +199,10 @@ impl Config {
                         .collect()
                 })
                 .unwrap_or_default(),
+            trust_proxy: env::var("TRUST_PROXY")
+                .ok()
+                .and_then(|s| s.parse().ok())
+                .unwrap_or(true),
             request_signing_secret: env::var("REQUEST_SIGNING_SECRET").ok(),
             sendgrid_webhook_secret: env::var("SENDGRID_WEBHOOK_SECRET").ok(),
             trusted_proxy_cidrs,
diff --git a/services/api/src/lib.rs b/services/api/src/lib.rs
@@ -215,7 +215,7 @@ pub async fn run() -> anyhow::Result<()> {
         .route("/api/markets/featured", get(handlers::featured_markets))
         .route("/api/content", get(handlers::content))
         .layer(middleware::from_fn_with_state(
-            rate_limiter.clone(),
+            (rate_limiter.clone(), TrustProxy(config.trust_proxy)),
             security::global_rate_limit_middleware,
         ))
         .with_state(state.clone());
@@ -242,11 +242,15 @@ pub async fn run() -> anyhow::Result<()> {
             axum::routing::delete(handlers::newsletter_gdpr_delete),
         )
         .layer(middleware::from_fn_with_state(
-            rate_limiter.clone(),
+            (rate_limiter.clone(), TrustProxy(config.trust_proxy)),
             rate_limit::newsletter_rate_limit_middleware,
         ))
         .with_state(state.clone());
 
+    // Admin routes require API key authentication (if configured) and IP whitelisting (if configured).
+    // When API_KEYS is set, requests must include a valid x-api-key header.
+    // When ADMIN_WHITELIST_IPS is set, only whitelisted IPs can access admin endpoints.
+    // Invalid API key returns 401 Unauthorized, non-whitelisted IPs return 403 Forbidden.
     let admin_routes = Router::new()
         .route(
             "/api/markets/:market_id/resolve",
diff --git a/services/api/src/security.rs b/services/api/src/security.rs
@@ -262,7 +262,7 @@ impl ApiKeyAuth {
     }
 
     pub fn verify(&self, key: &str) -> bool {
-        self.valid_keys.iter().any(|k| k == key)
+        self.valid_keys.is_empty() || self.valid_keys.iter().any(|k| k == key)
     }
 }
 
@@ -315,6 +315,9 @@ impl IpWhitelist {
     }
 
     pub fn is_allowed(&self, ip: &str) -> bool {
+        if self.allowed_ips.is_empty() {
+            return true;
+        }
         if let Ok(addr) = ip.parse::<IpAddr>() {
             return self.allowed_ips.contains(&addr);
         }
diff --git a/services/api/tests/security_tests.rs b/services/api/tests/security_tests.rs
@@ -10,7 +10,7 @@ mod tests {
         Router,
     };
     use predictiq_api::security::{
-        ip_whitelist_middleware, sanitize, signing, IpWhitelist, RateLimitConfig, RateLimiter,
+        ip_whitelist_middleware, sanitize, signing, IpWhitelist, RateLimitConfig, RateLimiter, TrustProxy,
     };
     use tower::ServiceExt;
 
@@ -264,7 +264,7 @@ mod tests {
         Router::new()
             .route("/admin", get(|| async { "ok" }))
             .layer(middleware::from_fn_with_state(
-                wl,
+                (wl, TrustProxy(true)),
                 ip_whitelist_middleware,
             ))
     }
@@ -314,6 +314,14 @@ mod tests {
         assert_eq!(status, StatusCode::FORBIDDEN);
     }
 
+    #[tokio::test]
+    async fn middleware_allows_when_whitelist_empty() {
+        let wl = Arc::new(IpWhitelist::new(vec![]));
+        let req = Request::builder().uri("/admin").body(Body::empty()).unwrap();
+        let status = whitelist_app(wl).oneshot(req).await.unwrap().status();
+        assert_eq!(status, StatusCode::OK);
+    }
+
     // -------------------------------------------------------------------------
     // sanitize::contains_sql_injection — expanded corpus
     // -------------------------------------------------------------------------

Original file line number	Diff line number	Diff line change
`@@ -262,7 +262,7 @@ impl ApiKeyAuth {`
`262`	`262`	`}`
`263`	`263`
`264`	`264`	`pub fn verify(&self, key: &str) -> bool {`
`265`		`- self.valid_keys.iter().any(\|k\| k == key)`
	`265`	`+ self.valid_keys.is_empty() \|\| self.valid_keys.iter().any(\|k\| k == key)`
`266`	`266`	`}`
`267`	`267`	`}`
`268`	`268`
`@@ -315,6 +315,9 @@ impl IpWhitelist {`
`315`	`315`	`}`
`316`	`316`
`317`	`317`	`pub fn is_allowed(&self, ip: &str) -> bool {`
	`318`	`+ if self.allowed_ips.is_empty() {`
	`319`	`+ return true;`
	`320`	`+ }`
`318`	`321`	`if let Ok(addr) = ip.parse::<IpAddr>() {`
`319`	`322`	`return self.allowed_ips.contains(&addr);`
`320`	`323`	`}`