
Add optional IP whitelisting for API Keys

Open johanstokking opened this issue 6 years ago • 1 comment

Summary:

Add a whitelist of IP address ranges to API keys.

Why do we need this?

API keys can be quite sensitive, especially considering that they do not expire. A whitelist of IP address ranges that are allowed to use a specific API key could improve security.

What is already there? What do you see now?

Components query the Identity Server for the rights that an API key gives the caller.

What is missing? What do you want to see?

  1. A field with IP address ranges in the API key.
  2. Components should include the caller's IP address when requesting rights info.

How do you propose to implement this?

  • Add a list of IP ranges (prefixes) to the APIKey model
  • We can use the X-Forwarded-For header, but that means that this header needs to be forwarded by the rights hook.
  • After the IS fetches the API key from the DB, it can first check the IP ranges, so that we don't have to hash the key if the IP address already doesn't match.

Original issue: https://github.com/TheThingsIndustries/lorawan-stack/issues/86 by @romeovs

johanstokking avatar Jan 29 '19 17:01 johanstokking
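As an added illustration of the flow proposed above (not code from lorawan-stack; `APIKey`, `Authorize`, `CallerIP`, `HashSecret` and the trusted-proxy list are hypothetical, with SHA-256 standing in for the store's real key hashing), a Go sketch that checks the caller's IP against the key's prefixes before any hashing and only honours `X-Forwarded-For` when the direct peer is a trusted proxy, since otherwise the header is client-supplied:

```go
package main
import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"net"
	"strings"
)

// APIKey is a hypothetical stand-in for the stored key record plus the proposed IP allow-list.
type APIKey struct {
	KeyHash    [32]byte     // HashSecret(secret)
	AllowedIPs []*net.IPNet // empty means no IP restriction
}
var ErrIPNotAllowed, ErrBadKey = errors.New("caller IP not in allow-list"), errors.New("invalid API key")

func HashSecret(secret string) [32]byte { return sha256.Sum256([]byte(secret)) } // stand-in for real key hashing
func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Authorize does the cheap prefix check before hashing, as the issue suggests.
func Authorize(k *APIKey, secret string, caller net.IP) error {
	if len(k.AllowedIPs) > 0 && !inAny(caller, k.AllowedIPs) {
		return ErrIPNotAllowed
	}
	h := HashSecret(secret)
	if subtle.ConstantTimeCompare(h[:], k.KeyHash[:]) != 1 {
		return ErrBadKey
	}
	return nil
}

// CallerIP walks from the direct peer leftwards through X-Forwarded-For; the first
// hop that is not a trusted proxy is the caller. An untrusted peer's header is ignored.
func CallerIP(peer, xff string, trusted []*net.IPNet) net.IP {
	hops := append(strings.Split(xff, ","), peer)
	for i := len(hops) - 1; i >= 0; i-- {
		if h := net.ParseIP(strings.TrimSpace(hops[i])); h != nil && !inAny(h, trusted) {
			return h
		}
	}
	return net.ParseIP(peer) // every hop was a trusted proxy
}
func main() {} // example is library-style; exercised via Authorize and CallerIP
```

The trusted-proxy list would come from deployment configuration; with an empty list the header is never consulted and only the direct peer address is checked.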

I think the way to do this moving forward is to enforce an expiry (with some dropdown time options) by default.

KrishnaIyer avatar Apr 30 '25 12:04 KrishnaIyer