GGAlanSmithee / cardano-lucid-blockfrost-proxy-example

An example repo of using a proxy API for Blockfrost communication
MIT License
23 stars 4 forks

Prevent abuse of the api endpoint #6

Open GGAlanSmithee opened 1 year ago

GGAlanSmithee commented 1 year ago

With this example, the Blockfrost key isn't leaked, but there is nothing stopping an adversary from abusing the endpoint. We should put some effort into stopping this. There are some headers that could be used, but AFAIK, there is nothing that can't be spoofed. Will look into it.

GGAlanSmithee commented 1 year ago

something like

```ts
const whitelistedIps = [
  "127.0.0.1",
]

const ipIsWhitelisted = (ipAddress?: string) =>
  ipAddress !== undefined && whitelistedIps.includes(ipAddress)

// later  ...

// x-forwarded-for may carry a comma-separated chain of hops; compare the first entry,
// not the whole string, or a forwarded request never matches the whitelist
const ipAddress =
  req.headers["x-real-ip"]?.toString() ||
  req.headers["x-forwarded-for"]?.toString().split(",")[0]?.trim()

if (!ipIsWhitelisted(ipAddress)) return res.status(401).json({ message: "Unauthorized" })
```

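The limit the comment above runs into, shown as an added example that is not the issue author's or the repo's code: `x-real-ip` and `x-forwarded-for` are ordinary request headers, so a client that connects to the proxy directly can set them to any whitelisted value. They are only meaningful when a reverse proxy the deployment controls overwrites or appends them, and the check has to anchor on that. The code below assumes one trusted load balancer at `10.0.0.5` and one allowlisted client at `203.0.113.10` (both addresses, and every function name, are assumptions for the example). It takes the peer address from the TCP socket, consults `x-forwarded-for` only when that peer is a trusted proxy, and walks the hop chain from the right, so the hop recorded by our own proxy wins over anything the client prepended.

```typescript
// Added example: trust X-Forwarded-For only via a known proxy, then allowlist.
// Assumed addresses below are documentation/private ranges, not real deployments.

type Headers = Record<string, string | string[] | undefined>;

// Assumed: the only reverse proxy that may legitimately front this endpoint.
const TRUSTED_PROXIES = new Set<string>(["10.0.0.5"]);
// Assumed: the only client allowed to call the Blockfrost proxy.
const ALLOWED_CLIENTS = new Set<string>(["203.0.113.10"]);

// Node reports IPv4 peers on dual-stack sockets as "::ffff:a.b.c.d".
function normalizeIp(ip: string): string {
  const t = ip.trim();
  return t.startsWith("::ffff:") ? t.slice(7) : t;
}

// Flatten a header that may be absent, a single string, or repeated, into hops.
function headerValues(h: string | string[] | undefined): string[] {
  if (h === undefined) return [];
  const joined = Array.isArray(h) ? h.join(",") : h;
  return joined.split(",").map(normalizeIp).filter((s) => s.length > 0);
}

// Resolve the client address. If the socket peer is not a trusted proxy, the
// peer itself is the client and any forwarding headers it sent are ignored.
// Otherwise walk X-Forwarded-For from the right (the end our proxy appended to)
// and return the first hop that is not itself a trusted proxy.
function clientIp(
  socketAddr: string,
  headers: Headers,
  trusted: Set<string> = TRUSTED_PROXIES,
): string {
  const peer = normalizeIp(socketAddr);
  if (!trusted.has(peer)) return peer;
  let last = peer;
  for (const hop of [...headerValues(headers["x-forwarded-for"])].reverse()) {
    if (!trusted.has(hop)) return hop;
    last = hop; // a trusted proxy behind another trusted proxy; keep walking
  }
  return last; // no untrusted hop at all: treat the proxy itself as the caller
}

function ipIsAllowed(socketAddr: string, headers: Headers): boolean {
  return ALLOWED_CLIENTS.has(clientIp(socketAddr, headers));
}

// Minimal shape of an Express/Node request for the guard; req.socket.remoteAddress
// is the TCP peer, which a remote client cannot forge the way it can a header.
interface MinimalRequest {
  socket: { remoteAddress?: string };
  headers: Headers;
}

// Returns the HTTP status the handler should answer with (assumed helper name).
function guardRequest(req: MinimalRequest): number {
  const peer = req.socket.remoteAddress ?? "";
  return ipIsAllowed(peer, req.headers) ? 200 : 403;
}

// Constructed sample: an attacker connecting directly and spoofing the header.
const spoofed: MinimalRequest = {
  socket: { remoteAddress: "198.51.100.7" },
  headers: { "x-forwarded-for": "203.0.113.10" },
};
console.log(`spoofed direct request -> ${guardRequest(spoofed)}`);
```

`x-real-ip` is deliberately not consulted: it is a single value with no hop chain, and a direct client sets it just as easily. If the deployment platform injects its own forwarding header instead, the same rule applies: honour it only because the platform is known to overwrite it on every request. An allowlist of this kind still only helps when the legitimate callers have fixed addresses; for a browser-facing dApp the concern in the issue stands, and per-client rate limiting keyed on the same resolved address is the usual complement.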
GGAlanSmithee commented 1 year ago

This is likely to be implemented in use-cardano-blockfrost-proxy