highlevellogic / achieve-proxy

Achieve-proxy is a proxy servlet for the Achieve server.
MIT License

access control id remote client #1

Open highlevellogic opened 3 years ago

highlevellogic commented 3 years ago

Working towards a simple but effective access control. When the client is a browser, CORS is an approach. For other clients:

```javascript
// local and remote ip addresses differ
// local has local ip of server machine
// remote has lan ip (router) within lan
// remote has public ip when client is outside of lan
console.log("localAddress: " + req.socket.localAddress);
console.log("remoteAddress: " + req.socket.remoteAddress);
```

Sufficient for password authentication for remote clients? Comments welcome!

highlevellogic commented 3 years ago

Approach #2: Require https

```javascript
const cert = req.connection.getPeerCertificate();
```

use `cert.subject.CN` for domain (common name)

or

`cert.subjectaltname: 'DNS:*.nodejs.org, DNS:nodejs.org'` (But this is listed as optional in my reference.)

Is `cert.subject.CN` the truth? The trick here seems to be understanding which fields are user defined and which are automatic - i.e. what are the fields the CA creates from the request -- i.e. that are guaranteed to be accurate?

whitelist / blacklist domains
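Added example, not code from the achieve-proxy project or from this issue: an allowlist check over the object that Node's `getPeerCertificate()` returns, answering the CN-vs-SAN question above. It assumes the https server was created with `requestCert: true` and a trusted `ca` list, so that `socket.authorized` reports chain verification; the function names and the sample certificate objects are constructed for the example.

```javascript
// Access decision for a TLS client, based on the peer certificate object that
// tls.TLSSocket#getPeerCertificate() returns and on socket.authorized.
// Assumption: the https server was created with { requestCert: true, ca: [...] },
// so `authorized` is true only when the client cert chains to a CA we trust.

// Parse Node's subjectaltname string ('DNS:a.example, DNS:*.b.example, IP Address:10.0.0.5')
// into its DNS names only; other SAN types are ignored here.
function dnsNamesFromSan(subjectaltname) {
  if (!subjectaltname) return [];
  return subjectaltname
    .split(',')
    .map((entry) => entry.trim())
    .filter((entry) => entry.startsWith('DNS:'))
    .map((entry) => entry.slice(4).toLowerCase());
}

// Names the certificate asserts for its holder. Per RFC 6125, when a SAN
// extension is present the CN is not consulted; CN is a fallback for legacy certs.
function certificateNames(cert) {
  const san = dnsNamesFromSan(cert.subjectaltname);
  if (san.length > 0) return san;
  const cn = cert.subject && cert.subject.CN;
  return cn ? [cn.toLowerCase()] : [];
}

// CN and SAN are copied from the CSR by the CA, so they are only as trustworthy
// as the CA that signed them: require chain verification before reading them.
function isClientAllowed(authorized, cert, allowlist) {
  if (!authorized) return false;                            // no cert, or chain failed
  if (!cert || Object.keys(cert).length === 0) return false; // getPeerCertificate() gives {} when none
  const allowed = new Set(allowlist.map((n) => n.toLowerCase()));
  return certificateNames(cert).some((name) => allowed.has(name));
}

// Request handler for https.createServer(); req.socket replaces the deprecated req.connection.
function makeHandler(allowlist) {
  return (req, res) => {
    const ok = isClientAllowed(req.socket.authorized, req.socket.getPeerCertificate(), allowlist);
    if (!ok) { res.statusCode = 403; res.end('client certificate not allowed'); return; }
    res.end('ok');
  };
}

// Constructed sample certificate objects, shaped like getPeerCertificate() output.
const sampleSan = { subject: { CN: 'ignored.example' }, subjectaltname: 'DNS:client.lan.example, DNS:*.lan.example' };
const sampleCnOnly = { subject: { CN: 'legacy-client.example' } };
```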