Add IP address checking to services_keyauth authentication method.
mathiaz.sk - November 4, 2009 - 12:45
| Project: | Services |
| Version: | 6.x-2.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | needs review |
Description
A nice feature would be to add checking of which IP the request came from, so the user can limit access to the service to certain IP addresses only.

#1
#2
Is this secure? I was under the impression that the IP address in the HTTP request is easily spoofed (much like REFERRER and other data in the request). If that is true, I'd rather not offer it at all than give a false sense of security.
#3
May I add another question? Does this really have to do with keyauth, or would IP address access be more focused on services, with or without keys being in use?
#4
It's not mandatory to put a list of IP addresses there; it's just an enhancement to key checking.
@heyrocker
I am not sure how easily an IP address can be spoofed. This feature was meant to be an addition to key checking. But if it's a security issue, it shouldn't be used.
#5
Mathiaz.sk, I'm trying to find the best place for IP address access control; perhaps it should be done beforehand by the services module itself instead of as an option in the keyauth module.
How did you come to this situation? Do you need the keyauth to also be based on IP address checking or something?
#6
After some research it looks like REMOTE_ADDR is trustworthy, as it comes from Apache and not from the browser. I do agree that maybe this is best as a general services setting rather than a keyauth-specific setting. That way it would be global rather than tied to a specific auth method, although since we can only currently have one auth method per server anyways I'm not sure how much that matters.
Anyways this is a sensible addition and I'll try to review this and do some testing soon.
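
As an added illustration of the check discussed in this thread (not code from the Services module or from any commenter): an allowlist test that consults only `$_SERVER['REMOTE_ADDR']`, the peer address set by the web server, and ignores client-supplied headers. The function names and the allowlist format (addresses or CIDR ranges) are assumptions.

```php
<?php
// Added example; function names are hypothetical, not Services module code.

// TRUE if $ip is inside $cidr (IPv4 or IPv6); a bare address means one host.
function example_ip_in_cidr($ip, $cidr) {
  $parts = explode('/', $cidr, 2);
  $ip_bin = @inet_pton($ip);
  $net_bin = @inet_pton($parts[0]);
  // Reject unparsable input and IPv4/IPv6 family mismatches.
  if ($ip_bin === FALSE || $net_bin === FALSE || strlen($ip_bin) !== strlen($net_bin)) {
    return FALSE;
  }
  $bits = strlen($ip_bin) * 8;
  if (isset($parts[1])) {
    if (!preg_match('/^\d{1,3}$/', $parts[1]) || (int) $parts[1] > $bits) {
      return FALSE;
    }
    $bits = (int) $parts[1];
  }
  $full = $bits >> 3;  // Whole bytes covered by the prefix.
  $rest = $bits & 7;   // Remaining prefix bits in the next byte.
  if (substr($ip_bin, 0, $full) !== substr($net_bin, 0, $full)) {
    return FALSE;
  }
  $mask = (0xFF << (8 - $rest)) & 0xFF;
  return $rest === 0 || ((ord($ip_bin[$full]) ^ ord($net_bin[$full])) & $mask) === 0;
}

// Extra gate on top of the key check: only REMOTE_ADDR is consulted, and
// client-supplied headers such as X-Forwarded-For are ignored.
function example_request_ip_allowed(array $server, array $allowlist) {
  if (empty($allowlist)) {
    return TRUE;  // No list configured, so the IP check is skipped.
  }
  if (empty($server['REMOTE_ADDR'])) {
    return FALSE;
  }
  foreach ($allowlist as $cidr) {
    if (example_ip_in_cidr($server['REMOTE_ADDR'], trim($cidr))) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed sample input using documentation address ranges.
$allow = array('203.0.113.0/24', '2001:db8::/32');
// Peer inside the allowlist.
var_dump(example_request_ip_allowed(array('REMOTE_ADDR' => '203.0.113.42'), $allow));
// Peer outside the list that sends a forged X-Forwarded-For header.
$forged = array('REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.5');
var_dump(example_request_ip_allowed($forged, $allow));
```

Behind a reverse proxy or load balancer, `REMOTE_ADDR` is the proxy's address rather than the client's, so an allowlist like this has to account for that.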