From 648dcd3d8da3ed001b914d4d93c7d63f0f1c86e6 Mon Sep 17 00:00:00 2001 From: Flo <53355483+Flo4604@users.noreply.github.com> Date: Sun, 13 Oct 2024 13:43:58 +0200 Subject: [PATCH] fix: Missing plan check and ip whitelist parsing --- apps/api/src/pkg/keys/service.ts | 20 +++++++++++++++---- .../lib/trpc/routers/api/updateIpWhitelist.ts | 16 ++++++++++++++- 2 files changed, 31 insertions(+), 5 deletions(-) diff --git a/apps/api/src/pkg/keys/service.ts b/apps/api/src/pkg/keys/service.ts index 22e676989f..350b1e8f1a 100644 --- a/apps/api/src/pkg/keys/service.ts +++ b/apps/api/src/pkg/keys/service.ts @@ -57,7 +57,11 @@ type InvalidResponse = { | "DISABLED" | "INSUFFICIENT_PERMISSIONS"; key: Key; - identity: { id: string; externalId: string; meta: Record | null } | null; + identity: { + id: string; + externalId: string; + meta: Record | null; + } | null; api: Api; ratelimit?: { remaining: number; @@ -73,7 +77,11 @@ type ValidResponse = { code?: never; valid: true; key: Key; - identity: { id: string; externalId: string; meta: Record | null } | null; + identity: { + id: string; + externalId: string; + meta: Record | null; + } | null; api: Api; ratelimit?: { remaining: number; @@ -285,7 +293,9 @@ export class KeyService { * Merge ratelimits from the identity and the key * Key limits take pecedence */ - const ratelimits: { [name: string]: Pick } = {}; + const ratelimits: { + [name: string]: Pick; + } = {}; if ( dbRes.ratelimitAsync !== null && @@ -397,6 +407,7 @@ export class KeyService { if (data.api.ipWhitelist) { const ip = c.req.header("True-Client-IP") ?? c.req.header("CF-Connecting-IP"); + if (!ip) { return Ok({ key: data.key, @@ -407,7 +418,8 @@ export class KeyService { permissions: data.permissions, }); } - const ipWhitelist = JSON.parse(data.api.ipWhitelist) as string[]; + + const ipWhitelist = data.api.ipWhitelist.split(",").map((s) => s.trim()); if (!ipWhitelist.includes(ip)) { return Ok({ key: data.key, 
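Review bot: The new `split(",")` parse in the last hunk of service.ts feeds an exact string comparison (`ipWhitelist.includes(ip)`), so an entry matches only if it is spelled character-for-character like the header value. IPv6 addresses have several valid spellings (case, zero compression), so a stored entry in a different form would reject a legitimate caller. Normalising both the stored entries and `ip` to one canonical form before comparing avoids that, and dropping empty tokens keeps a trailing comma from producing a `""` entry: `data.api.ipWhitelist.split(",").map((s) => s.trim()).filter((s) => s.length > 0)`. Any row still holding the old JSON-array format (if such rows exist) now splits into tokens that include brackets and quotes and matches nothing, which fails closed but silently; a log line or a one-off migration would make that visible. The enclosing method starts and ends outside the hunk.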
diff --git a/apps/dashboard/lib/trpc/routers/api/updateIpWhitelist.ts b/apps/dashboard/lib/trpc/routers/api/updateIpWhitelist.ts index 67954331c0..8efa932dbc 100644 --- a/apps/dashboard/lib/trpc/routers/api/updateIpWhitelist.ts +++ b/apps/dashboard/lib/trpc/routers/api/updateIpWhitelist.ts @@ -43,7 +43,12 @@ export const updateApiIpWhitelist = rateLimitedProcedure(ratelimit.update) "We are unable to update the API whitelist. Please try again or contact support@unkey.dev", }); }); - if (!api || api.workspace.tenantId !== ctx.tenant.id) { + + if ( + !api || + api.workspace.tenantId !== ctx.tenant.id || + input.workspaceId !== api.workspace.id + ) { throw new TRPCError({ code: "NOT_FOUND", message: @@ -51,6 +56,14 @@ export const updateApiIpWhitelist = rateLimitedProcedure(ratelimit.update) }); } + if (api.workspace.plan !== "enterprise") { + throw new TRPCError({ + code: "UNAUTHORIZED", + message: + "IP Whitelisting is only available for enterprise plans. Please contact support@unkey.dev.", + }); + } + const newIpWhitelist = input.ipWhitelist === null ? null : input.ipWhitelist.join(","); await db @@ -68,6 +81,7 @@ export const updateApiIpWhitelist = rateLimitedProcedure(ratelimit.update) "We are unable to update the API whitelist. Please try again or contact support@unkey.dev", }); }); + await insertAuditLogs(tx, { workspaceId: api.workspace.id, actor: {
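Review bot: The widened `if (` condition in the first hunk has no comment explaining why a workspace mismatch gets the same `NOT_FOUND` as a missing API or a foreign tenant. That is presumably deliberate, so a caller cannot tell an API that exists in another workspace from one that does not exist; a later edit could easily split it into a more "helpful" error. A one-line comment above the condition would pin it: `// Same NOT_FOUND for missing API, foreign tenant and workspace mismatch, so the response does not reveal which APIs exist.` The procedure body starts and ends outside the hunk.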
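Review bot: The new plan guard in the second hunk rejects every call from a non-enterprise workspace, including the one that clears the list (`input.ipWhitelist === null`), while the verification path in apps/api/src/pkg/keys/service.ts enforces any stored `ipWhitelist` with no plan check in the lines shown. If a workspace can leave the enterprise plan with a list still stored, its keys would stay restricted to that list with no way to remove it from the dashboard. Consider gating only writes that set a list: `if (input.ipWhitelist !== null && api.workspace.plan !== "enterprise") {`. Separately, `UNAUTHORIZED` maps to HTTP 401, which clients read as "not signed in"; the caller here is authenticated but not entitled, so `code: "FORBIDDEN"` fits better. The procedure body starts and ends outside the hunk.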