Open GGAlanSmithee opened 1 year ago
something like
```ts
const whitelistedIps = [
  "127.0.0.1",
]

const ipIsWhitelisted = (ipAddress?: string) => ipAddress && whitelistedIps.includes(ipAddress)

// later ...
const ipAddress = req.headers["x-real-ip"]?.toString() || req.headers["x-forwarded-for"]?.toString()

if (!ipIsWhitelisted(ipAddress)) return res.status(401).json({ message: "Unauthorized" })
```
This is likely to be implemented in use-cardano-blockfrost-proxy
With this example, the Blockfrost key isn't leaked, but there is nothing stopping an adversary from abusing the endpoint. We should put some effort into stopping this. There are some headers that could be used, but AFAIK, there is nothing that can't be spoofed. Will look into it.
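The allowlist check sketched in the issue above depends on which address it compares, so here is one way to resolve it; this is an added example, not part of the original post or the project's code. It assumes the app sits behind a reverse proxy that appends the connecting peer to `X-Forwarded-For`; the names `TRUSTED_PROXIES`, `ALLOWED_CLIENTS`, `resolveClientIp` and `isAllowed`, and all addresses, are constructed for illustration.

```typescript
// Added example: every name and address here is constructed for illustration.
const TRUSTED_PROXIES = new Set(["10.0.0.5"]); // assumed: the reverse proxy we operate
const ALLOWED_CLIENTS = new Set(["127.0.0.1", "203.0.113.7"]);

// Strip an IPv4-mapped IPv6 prefix so "::ffff:10.0.0.5" compares equal to "10.0.0.5".
const normalize = (ip: string): string => ip.trim().replace(/^::ffff:/i, "");

// Resolve the client address. The socket peer is the only value the sender
// cannot choose. X-Forwarded-For is consulted only when that peer is one of
// our proxies, and is then read right to left, stopping at the first hop that
// is not one of our proxies. Entries further left were supplied by the caller.
function resolveClientIp(socketPeer: string, xForwardedFor?: string): string {
  const peer = normalize(socketPeer);
  if (!TRUSTED_PROXIES.has(peer) || !xForwardedFor) return peer;
  const hops = xForwardedFor.split(",").map(normalize).filter((h) => h.length > 0);
  for (const hop of hops.reverse()) {
    if (!TRUSTED_PROXIES.has(hop)) return hop;
  }
  return peer; // header listed only our own proxies
}

// Allowlist decision based on the resolved address, never on the raw header.
function isAllowed(socketPeer: string, xForwardedFor?: string): boolean {
  return ALLOWED_CLIENTS.has(resolveClientIp(socketPeer, xForwardedFor));
}
```

In a handler the first argument would be `req.socket.remoteAddress`. This only keeps the allowlist from being satisfied by a header value; it does not by itself limit how often an allowed client calls the endpoint.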