Server: Simplify IP filtering - only blacklist

- Remove whitelist (not needed for public launcher) - Only BLOCKED_IPS env var supported now
2026-05-07 17:14:47 +00:00
parent 04f97c3c80
commit 513c07666b
2 changed files with 15 additions and 38 deletions
@@ -15,8 +15,7 @@ RATE_LIMIT_REQUESTS = 60  # Max requests per window
 RATE_LIMIT_WINDOW = 60  # Window in seconds
 _ip_request_counts: dict[str, list[float]] = defaultdict(list)

-# IP filtering config (set from main.py)
-ALLOWED_IPS: set[str] = set()
+# IP blocking config (set from main.py)
 BLOCKED_IPS: set[str] = set()

 # Suspicious paths that indicate bot scanning
@@ -39,13 +38,6 @@ SUSPICIOUS_PATHS = {
    ".git", ".svn", ".hg",
 }

-# Known client IPs (allow by default for legitimate users)
-KNOWN_CLIENT_IPS = {
-    "127.0.0.1", "localhost",
-    # Add known client IPs here or leave empty to allow all
-}
-
-
 def get_client_ip(request: Request) -> str:
    """Extract client IP from request"""
    client_ip = request.client.host if request.client else "unknown"
@@ -55,15 +47,9 @@ def get_client_ip(request: Request) -> str:
    return client_ip


-def is_ip_allowed(client_ip: str) -> tuple[bool, str]:
-    """Check if IP is allowed"""
-    if BLOCKED_IPS and client_ip in BLOCKED_IPS:
-        return False, "blocked"
-    
-    if ALLOWED_IPS and client_ip not in ALLOWED_IPS:
-        return False, "not_whitelisted"
-    
-    return True, "allowed"
+def is_ip_blocked(client_ip: str) -> bool:
+    """Check if IP is blocked"""
+    return client_ip in BLOCKED_IPS


 def check_rate_limit(client_ip: str) -> bool:
@@ -108,11 +94,9 @@ def is_suspicious_path(path: str) -> bool:
    return False


-def set_ip_config(allowed: Optional[set[str]] = None, blocked: Optional[set[str]] = None):
-    """Configure IP filtering (call from main.py)"""
-    global ALLOWED_IPS, BLOCKED_IPS
-    if allowed is not None:
-        ALLOWED_IPS = allowed
+def set_ip_config(blocked: Optional[set[str]] = None):
+    """Configure IP blocking (call from main.py)"""
+    global BLOCKED_IPS
    if blocked is not None:
        BLOCKED_IPS = blocked

@@ -122,17 +106,14 @@ class LoggingMiddleware(BaseHTTPMiddleware):
        request_id = str(uuid.uuid4())[:8]
        client_ip = get_client_ip(request)
        
-        # Check IP allow/block
-        allowed, reason = is_ip_allowed(client_ip)
-        if not allowed:
-            # Silent block - don't give attackers any info
+        # Check if IP is blocked
+        if is_ip_blocked(client_ip):
            return Response(status_code=404, content="")
        
-        # Check rate limit (skip for known clients)
-        if client_ip not in KNOWN_CLIENT_IPS:
-            if not check_rate_limit(client_ip):
-                logger.warning(f"Rate limited: {client_ip} ({request.url.path})")
-                return Response(status_code=429, content="Too many requests")
+        # Check rate limit
+        if not check_rate_limit(client_ip):
+            logger.warning(f"Rate limited: {client_ip} ({request.url.path})")
+            return Response(status_code=429, content="Too many requests")
        
        # Check suspicious path (silent 404 for bots)
        path = request.url.path