Only accept calls from localhost:
server.auth.strategy('localhost', 'ip-whitelist', ['127.0.0.1']);
NOTE: Third parameter of server.auth.strategy is options which must be an object.
To be used like
server.route({
method: 'GET',
path: '/',
handler(request, h) { return "That was from localhost!" },
options: { auth: 'localhost' }
});
In the route receives a request from a different IP, it will respond a 401 unauthorized
error with the message 192.168.0.102 is not a valid IP
, where 192.168.0.102
is the IP of the request.
You can also specify several IPs by passing a list instead. CIDR notation is supported.
For example, consider the IPs to expect requests from, as specified by MercadoPago.
server.auth.strategy(
'mercado-pago-webhook',
'ip-whitelist',
['209.225.49.0/24', '216.33.197.0/24', '216.33.196.0/24', '63.128.82.0/24', '63.128.83.0/24', '63.128.94.0/24']
);
In case you are behind a proxy, use Hapi plugin therealyou
.
It will find the "real" IP in X-Forward headers and modify the request.info.remoteAddress.
server.register([
{
plugin: require('therealyou')
},
{
plugin: require('hapi-auth-ip-whitelist')
}
])
Start local example server with
npm start
then visit http://localhost:3000.
Successfully authenticated request http://localhost:3000/authenticated. Unauthenticated request http://localhost:3000/unauthenticated.