* Creates a Socket.IO `allowRequest` handler that enforces the same IP whitelist as the HTTP middleware. * This closes the gap where Socket.IO handshakes bypassed the Express-only `ipAccessControl` middleware. * @param {string[]} whitelist - Array of allowed IP addresses or CIDR ranges * @returns
(whitelist)
| 88 | * @returns {(req: object, callback: (err: string | null, success: boolean) => void) => void} Socket.IO allowRequest handler |
| 89 | */ |
function socketIpAccessControl (whitelist) {
	// Fail-open path: anything that is not a non-empty array switches the check off.
	// NOTE(review): a mistyped config value (for example a single string instead of
	// an array) therefore admits every client without any log line; confirm this is
	// the intended behaviour for the socket endpoint.
	const enforceWhitelist = Array.isArray(whitelist) && whitelist.length > 0;

	if (!enforceWhitelist) {
		return function (req, callback) {
			callback(null, true); // no whitelist configured: accept every handshake
		};
	}

	return function (req, callback) {
		// resolveClientIp and isAllowed are defined outside this block.
		// NOTE(review): if resolveClientIp derives the address from forwarding headers,
		// the value is client-influenced unless a trusted proxy sets it; verify there.
		const clientIp = resolveClientIp(req);

		if (!isAllowed(clientIp, whitelist)) {
			// Denials are logged so rejected handshakes are visible to the operator.
			Log.warn(`IP ${clientIp} is not allowed to connect to the mirror socket`);
			callback("This device is not allowed to access your mirror.", false);
			return;
		}

		callback(null, true); // address matched the whitelist: accept the handshake
	};
}
| 108 | |
// Public surface of this module: the Express middleware factory and its
// Socket.IO handshake counterpart, exported together so both transports can be
// given the same whitelist.
module.exports = {
	ipAccessControl,
	socketIpAccessControl
};
no test coverage detected