Server: Simplify IP filtering - only blacklist

- Remove whitelist (not needed for public launcher)
- Only BLOCKED_IPS env var supported now

server/main.py

@@ -33,17 +33,13 @@ BUILDS_DIR = Path("builds")
 import os
 import middleware as mw
 
-# Configure allowed IPs (empty = allow all, set IPs = only these allowed)
+# Configure blocked IPs only
-ALLOWED_IPS = set(os.environ.get("ALLOWED_IPS", "").split(",")) - {""}
-# Configure blocked IPs
 BLOCKED_IPS = set(os.environ.get("BLOCKED_IPS", "").split(",")) - {""}
 
-if ALLOWED_IPS:
-    logger.info(f"IP whitelist enabled: {len(ALLOWED_IPS)} IPs allowed")
 if BLOCKED_IPS:
     logger.info(f"IP blacklist enabled: {len(BLOCKED_IPS)} IPs blocked")
 
-mw.set_ip_config(allowed=ALLOWED_IPS, blocked=BLOCKED_IPS)
+mw.set_ip_config(blocked=BLOCKED_IPS)
 
 
 @asynccontextmanager

server/middleware.py

@@ -15,8 +15,7 @@ RATE_LIMIT_REQUESTS = 60  # Max requests per window
 RATE_LIMIT_WINDOW = 60  # Window in seconds
 _ip_request_counts: dict[str, list[float]] = defaultdict(list)
 
-# IP filtering config (set from main.py)
+# IP blocking config (set from main.py)
-ALLOWED_IPS: set[str] = set()
 BLOCKED_IPS: set[str] = set()
 
 # Suspicious paths that indicate bot scanning
@@ -39,13 +38,6 @@ SUSPICIOUS_PATHS = {
     ".git", ".svn", ".hg",
 }
 
-# Known client IPs (allow by default for legitimate users)
-KNOWN_CLIENT_IPS = {
-    "127.0.0.1", "localhost",
-    # Add known client IPs here or leave empty to allow all
-}
-
-
 def get_client_ip(request: Request) -> str:
     """Extract client IP from request"""
     client_ip = request.client.host if request.client else "unknown"
@@ -55,15 +47,9 @@ def get_client_ip(request: Request) -> str:
     return client_ip
 
 
-def is_ip_allowed(client_ip: str) -> tuple[bool, str]:
+def is_ip_blocked(client_ip: str) -> bool:
-    """Check if IP is allowed"""
+    """Check if IP is blocked"""
-    if BLOCKED_IPS and client_ip in BLOCKED_IPS:
+    return client_ip in BLOCKED_IPS
-        return False, "blocked"
-    
-    if ALLOWED_IPS and client_ip not in ALLOWED_IPS:
-        return False, "not_whitelisted"
-    
-    return True, "allowed"
 
 
 def check_rate_limit(client_ip: str) -> bool:
@@ -108,11 +94,9 @@ def is_suspicious_path(path: str) -> bool:
     return False
 
 
-def set_ip_config(allowed: Optional[set[str]] = None, blocked: Optional[set[str]] = None):
+def set_ip_config(blocked: Optional[set[str]] = None):
-    """Configure IP filtering (call from main.py)"""
+    """Configure IP blocking (call from main.py)"""
-    global ALLOWED_IPS, BLOCKED_IPS
+    global BLOCKED_IPS
-    if allowed is not None:
-        ALLOWED_IPS = allowed
     if blocked is not None:
         BLOCKED_IPS = blocked
 
@@ -122,14 +106,11 @@ class LoggingMiddleware(BaseHTTPMiddleware):
         request_id = str(uuid.uuid4())[:8]
         client_ip = get_client_ip(request)
         
-        # Check IP allow/block
+        # Check if IP is blocked
-        allowed, reason = is_ip_allowed(client_ip)
+        if is_ip_blocked(client_ip):
-        if not allowed:
-            # Silent block - don't give attackers any info
             return Response(status_code=404, content="")
         
-        # Check rate limit (skip for known clients)
+        # Check rate limit
-        if client_ip not in KNOWN_CLIENT_IPS:
         if not check_rate_limit(client_ip):
             logger.warning(f"Rate limited: {client_ip} ({request.url.path})")
             return Response(status_code=429, content="Too many requests")