dillonstreator changed the title from "Add optional advanced configuration for ip allow/deny-listing" to "advanced configuration for ip allow/deny-listing" on Dec 18, 2024
Enable users to optionally configure an allow list of IP addresses or range(s) that can access the secret in the create form.
Unless a more generalized locking mechanism is employed, the check must happen within the Redis Lua script to maintain the burn-after-read contract regarding 1 recipient guarantee. If there is not an easy way to perform the comparison of an IP address against an IP range / CIDR, a more generalized locking mechanism may be required. Distributed mutual exclusion is important to the contract specifications of the system so we must opt for the highest consistency and fault tolerance guarantee, regardless of performance tradeoffs. https://www.perplexity.ai/search/is-redlock-a-guaranteed-mutual-tiRw1r.6RTKhMrp17gJkZg
crypt.fyi/packages/server/src/vault/redis.ts, lines 54 to 59 in 537e869
An alternate simplified approach here would be to execute a separate Lua script that extracts just the IP range (if one exists) and compares against the incoming request IP address in server memory prior to the primary Lua script being executed. This keeps the system guarantees without the need to introduce a more generalized locking pattern.
Apply validation to the IP address list.
Add configuration for max allowed list size with some sane default.
https://zod.dev/?id=ip-addresses
https://zod.dev/?id=ip-ranges-cidr
Related: #14
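The in-memory comparison, list validation and size cap proposed in this issue could look like the sketch below. It is an added example, not code from crypt.fyi: it covers IPv4 only, parses entries by hand instead of using zod so it runs without dependencies, and every name plus the default cap of 10 entries is an assumption.

```typescript
const MAX_ALLOW_LIST_SIZE = 10; // assumed default; the issue only asks for "some sane default"

type Rule = { base: number; mask: number };

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer, or null if invalid.
function parseIPv4(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    // Reject empty, non-decimal and leading-zero octets ("010" is ambiguous: octal or decimal).
    if (!/^(0|[1-9]\d{0,2})$/.test(part)) return null;
    const octet = Number(part);
    if (octet > 255) return null;
    value = value * 256 + octet;
  }
  return value;
}

// Parse "a.b.c.d" or "a.b.c.d/len" into a base/mask pair, or null if invalid.
function parseRule(entry: string): Rule | null {
  const parts = entry.trim().split("/");
  if (parts.length > 2) return null;
  const ip = parseIPv4(parts[0] ?? "");
  if (ip === null) return null;
  const len = parts[1];
  if (len !== undefined && !/^(\d|[12]\d|3[0-2])$/.test(len)) return null;
  const prefix = len === undefined ? 32 : Number(len);
  // JavaScript shift counts are taken modulo 32, so /0 needs an explicit case.
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return { base: (ip & mask) >>> 0, mask }; // host bits are cleared: 10.1.2.3/8 -> 10.0.0.0
}

// Create time: enforce the size cap and reject the whole list on any malformed entry.
function compileAllowList(entries: string[]): Rule[] {
  if (entries.length > MAX_ALLOW_LIST_SIZE) throw new Error("allow list too large");
  return entries.map((entry) => {
    const rule = parseRule(entry);
    if (rule === null) throw new Error(`invalid allow list entry: ${entry}`);
    return rule;
  });
}

// Read time, before the burn-after-read script runs. An empty list means no restriction.
function isAllowed(rules: Rule[], requestIp: string): boolean {
  if (rules.length === 0) return true;
  const ip = parseIPv4(requestIp);
  if (ip === null) return false; // fail closed on an unparseable client address
  return rules.some((r) => ((ip & r.mask) >>> 0) === r.base);
}
```

The request address passed to `isAllowed` has to be the one the server actually trusts (for example, taken from a proxy header only when that proxy is under the operator's control), otherwise the allow list can be satisfied by a spoofed header.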