From a8f17fbfa546648c57965d6d063685d12219d2cb Mon Sep 17 00:00:00 2001 From: Frank John Begornia Date: Fri, 3 Apr 2026 00:49:03 +0800 Subject: [PATCH] revert --- .gitea/workflows/deploy.yml | 13 ---------- README.md | 16 ------------ docker-compose.prod.yml | 2 -- server.js | 52 ++----------------------------------- 4 files changed, 2 insertions(+), 81 deletions(-) diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml index f28d825..745ee44 100644 --- a/.gitea/workflows/deploy.yml +++ b/.gitea/workflows/deploy.yml @@ -75,19 +75,6 @@ jobs: cd "$DEPLOY_DIR" - echo "Checking .env file" - if [ ! -f .env ]; then - echo ".env file not found at $DEPLOY_DIR/.env" - echo "Please create it first with optional/custom variables such as:" - echo " - TRUST_PROXY" - echo " - ALLOWED_QR_IPS" - exit 1 - fi - - echo "Fixing .env permissions" - sudo chown $USER:$USER .env - sudo chmod 600 .env - echo "Ensure networks" docker network inspect traefik-public >/dev/null 2>&1 || \ docker network create traefik-public diff --git a/README.md b/README.md index ddfb5b1..2d7215e 100644 --- a/README.md +++ b/README.md @@ -70,19 +70,3 @@ Notes: - Internal service port is `3000` - TLS uses Traefik Let's Encrypt via `tls.certresolver=le` - Includes HTTP -> HTTPS redirect via Traefik labels - -## Restrict QR generation by IP - -The `/api/qr` endpoints support IP allowlisting via environment variable. - -- `ALLOWED_QR_IPS`: comma-separated list of allowed client IPs -- `TRUST_PROXY`: keep this `true` behind Traefik so client IP is read from forwarded headers - -Example `.env` values for production: - -```env -ALLOWED_QR_IPS=203.0.113.10,198.51.100.22 -TRUST_PROXY=true -``` - -If `ALLOWED_QR_IPS` is empty, IP filtering is disabled. diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index 5da8aa2..90bd648 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml @@ -9,8 +9,6 @@ services: environment: - NODE_ENV=production - PORT=3000 - - TRUST_PROXY=${TRUST_PROXY:-true} - - ALLOWED_QR_IPS=${ALLOWED_QR_IPS:-} healthcheck: test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:3000/health"] interval: 30s diff --git a/server.js b/server.js index f4e23b2..6add550 100644 --- a/server.js +++ b/server.js @@ -3,57 +3,9 @@ const QRCode = require("qrcode"); const app = express(); const PORT = process.env.PORT || 3000; -const TRUST_PROXY = process.env.TRUST_PROXY !== "false"; -const ALLOWED_QR_IPS = new Set( - (process.env.ALLOWED_QR_IPS || "") - .split(",") - .map((ip) => ip.trim()) - .filter(Boolean) - .map((ip) => normalizeIp(ip)) -); - -app.set("trust proxy", TRUST_PROXY); app.use(express.json({ limit: "100kb" })); -function normalizeIp(ip) { - if (!ip || typeof ip !== "string") { - return ""; - } - - const trimmed = ip.trim(); - const withoutMappedV4Prefix = trimmed.startsWith("::ffff:") ? trimmed.slice(7) : trimmed; - - const ipv4WithPortMatch = withoutMappedV4Prefix.match(/^(\d+\.\d+\.\d+\.\d+):(\d+)$/); - if (ipv4WithPortMatch) { - return ipv4WithPortMatch[1]; - } - - return withoutMappedV4Prefix; -} - -function getClientIp(req) { - const forwardedFor = req.headers["x-forwarded-for"]; - if (typeof forwardedFor === "string" && forwardedFor.trim()) { - return normalizeIp(forwardedFor.split(",")[0]); - } - - return normalizeIp(req.ip || req.socket?.remoteAddress || ""); -} - -function enforceQrIpAllowlist(req, res, next) { - if (ALLOWED_QR_IPS.size === 0) { - return next(); - } - - const clientIp = getClientIp(req); - if (ALLOWED_QR_IPS.has(clientIp)) { - return next(); - } - - return res.status(403).json({ error: "Access denied for this IP address" }); -} - function parseIntWithBounds(value, fallback, min, max) { const parsed = Number.parseInt(value, 10); if (!Number.isFinite(parsed)) { @@ -118,8 +70,8 @@ app.get("/health", (_req, res) => { res.json({ status: "ok" }); }); -app.get("/api/qr", enforceQrIpAllowlist, (req, res, next) => sendQrPng(req.query, res, next)); -app.post("/api/qr", enforceQrIpAllowlist, (req, res, next) => sendQrPng(req.body, res, next)); +app.get("/api/qr", (req, res, next) => sendQrPng(req.query, res, next)); +app.post("/api/qr", (req, res, next) => sendQrPng(req.body, res, next)); app.use((err, _req, res, _next) => { console.error(err);