Awesome

hapi-auth-ip-whitelist

Usage

Localhost

Only accept calls from localhost:

server.auth.strategy('localhost', 'ip-whitelist', ['127.0.0.1']);

NOTE: Third parameter of server.auth.strategy is options which must be an object.

To be used like

server.route({ 
  method: 'GET', 
  path: '/',
  handler(request, h) { return "That was from localhost!" }, 
  options: { auth: 'localhost' }
});

In the route receives a request from a different IP, it will respond a 401 unauthorized error with the message 192.168.0.102 is not a valid IP, where 192.168.0.102 is the IP of the request.

Address ranges

You can also specify several IPs by passing a list instead. CIDR notation is supported.

For example, consider the IPs to expect requests from, as specified by MercadoPago.

server.auth.strategy(
  'mercado-pago-webhook',
  'ip-whitelist',
  ['209.225.49.0/24', '216.33.197.0/24', '216.33.196.0/24', '63.128.82.0/24', '63.128.83.0/24', '63.128.94.0/24']  
);

Behind proxy

In case you are behind a proxy, use Hapi plugin therealyou. It will find the "real" IP in X-Forward headers and modify the request.info.remoteAddress.

server.register([
  {
    plugin: require('therealyou')
  },
  {
    plugin: require('hapi-auth-ip-whitelist')
  }
])

Example server

Start local example server with

npm start

then visit http://localhost:3000.

Successfully authenticated request http://localhost:3000/authenticated. Unauthenticated request http://localhost:3000/unauthenticated.