feat: allow or block an ip/range of ips using labels (#211)

* feat: allow or block an ip/range of ips using labels * refactor: redirect to root page when no username or ip is provided in the unauthorized page
2025-10-28 12:45:47 +00:00 · 2025-06-25 20:35:48 +03:00
parent 9008b67f7d
commit 84d4c84ed2
8 changed files with 128 additions and 2 deletions
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -96,6 +96,38 @@ func (h *Handlers) AuthHandler(c *gin.Context) {
 		return
 	}

+	// Check if the IP is allowed/blocked
+	ip := c.ClientIP()
+	if !h.Auth.CheckIP(c, labels) {
+		log.Warn().Str("ip", ip).Msg("IP not allowed")
+
+		if proxy.Proxy == "nginx" || !isBrowser {
+			c.JSON(403, gin.H{
+				"status":  403,
+				"message": "Forbidden",
+			})
+			return
+		}
+
+		values := types.UnauthorizedQuery{
+			Resource: strings.Split(host, ".")[0],
+			IP:       ip,
+		}
+
+		// Build query
+		queries, err := query.Values(values)
+
+		// Handle error
+		if err != nil {
+			log.Error().Err(err).Msg("Failed to build queries")
+			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
+			return
+		}
+
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", h.Config.AppURL, queries.Encode()))
+		return
+	}
+
 	// Check if auth is enabled
 	authEnabled, err := h.Auth.AuthEnabled(c, labels)