fix: Missing plan check and ip whitelist parsing

unkeyed · Oct 13, 2024 · 648dcd3 · 648dcd3
1 parent 2028fe3
commit 648dcd3
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 5 deletions.
diff --git a/apps/api/src/pkg/keys/service.ts b/apps/api/src/pkg/keys/service.ts
@@ -57,7 +57,11 @@ type InvalidResponse = {
     | "DISABLED"
     | "INSUFFICIENT_PERMISSIONS";
   key: Key;
-  identity: { id: string; externalId: string; meta: Record<string, unknown> | null } | null;
+  identity: {
+    id: string;
+    externalId: string;
+    meta: Record<string, unknown> | null;
+  } | null;
   api: Api;
   ratelimit?: {
     remaining: number;
@@ -73,7 +77,11 @@ type ValidResponse = {
   code?: never;
   valid: true;
   key: Key;
-  identity: { id: string; externalId: string; meta: Record<string, unknown> | null } | null;
+  identity: {
+    id: string;
+    externalId: string;
+    meta: Record<string, unknown> | null;
+  } | null;
   api: Api;
   ratelimit?: {
     remaining: number;
@@ -285,7 +293,9 @@ export class KeyService {
            * Merge ratelimits from the identity and the key
            * Key limits take pecedence
            */
-          const ratelimits: { [name: string]: Pick<Ratelimit, "name" | "limit" | "duration"> } = {};
+          const ratelimits: {
+            [name: string]: Pick<Ratelimit, "name" | "limit" | "duration">;
+          } = {};
 
           if (
             dbRes.ratelimitAsync !== null &&
@@ -397,6 +407,7 @@ export class KeyService {
 
     if (data.api.ipWhitelist) {
       const ip = c.req.header("True-Client-IP") ?? c.req.header("CF-Connecting-IP");
+
       if (!ip) {
         return Ok({
           key: data.key,
@@ -407,7 +418,8 @@ export class KeyService {
           permissions: data.permissions,
         });
       }
-      const ipWhitelist = JSON.parse(data.api.ipWhitelist) as string[];
+
+      const ipWhitelist = data.api.ipWhitelist.split(",").map((s) => s.trim());
       if (!ipWhitelist.includes(ip)) {
         return Ok({
           key: data.key,

diff --git a/apps/dashboard/lib/trpc/routers/api/updateIpWhitelist.ts b/apps/dashboard/lib/trpc/routers/api/updateIpWhitelist.ts
@@ -43,14 +43,27 @@ export const updateApiIpWhitelist = rateLimitedProcedure(ratelimit.update)
             "We are unable to update the API whitelist. Please try again or contact [email protected]",
         });
       });
-    if (!api || api.workspace.tenantId !== ctx.tenant.id) {
+
+    if (
+      !api ||
+      api.workspace.tenantId !== ctx.tenant.id ||
+      input.workspaceId !== api.workspace.id
+    ) {
       throw new TRPCError({
         code: "NOT_FOUND",
         message:
           "We are unable to find the correct API. Please try again or contact [email protected].",
       });
     }
 
+    if (api.workspace.plan !== "enterprise") {
+      throw new TRPCError({
+        code: "UNAUTHORIZED",
+        message:
+          "IP Whitelisting is only available for enterprise plans. Please contact [email protected].",
+      });
+    }
+
     const newIpWhitelist = input.ipWhitelist === null ? null : input.ipWhitelist.join(",");
 
     await db
@@ -68,6 +81,7 @@ export const updateApiIpWhitelist = rateLimitedProcedure(ratelimit.update)
                 "We are unable to update the API whitelist. Please try again or contact [email protected]",
             });
           });
+
         await insertAuditLogs(tx, {
           workspaceId: api.workspace.id,
           actor: {