SillyTavern/src/middleware/whitelist.js

import path from 'node:path';
import fs from 'node:fs';
import process from 'node:process';
import Handlebars from 'handlebars';
import ipMatching from 'ip-matching';

import { getIpFromRequest } from '../express-common.js';
import { color, getConfigValue } from '../util.js';

const whitelistPath = path.join(process.cwd(), './whitelist.txt');
const enableForwardedWhitelist = getConfigValue('enableForwardedWhitelist', false);
let whitelist = getConfigValue('whitelist', []);
let knownIPs = new Set();

const DEFAULT_WHITELIST_ERROR_MESSAGE =
    '<h1>Forbidden</h1><p>If you are the system administrator, add your IP address to the whitelist or disable whitelist mode by editing <code>config.yaml</code> in the root directory of your installation.</p><hr /><p><em>Connection from {{ipDetails}} has been blocked. This attempt has been logged.</em></p>';

if (fs.existsSync(whitelistPath)) {
    try {
        let whitelistTxt = fs.readFileSync(whitelistPath, 'utf-8');
        whitelist = whitelistTxt.split('\n').filter(ip => ip).map(ip => ip.trim());
    } catch (e) {
        // Ignore errors that may occur when reading the whitelist (e.g. permissions)
    }
}

/**
 * Get the client IP address from the request headers.
 * @param {import('express').Request} req Express request object
 * @returns {string|undefined} The client IP address
 */
function getForwardedIp(req) {
    if (!enableForwardedWhitelist) {
        return undefined;
    }

    // Check if X-Real-IP is available
    if (req.headers['x-real-ip']) {
        return req.headers['x-real-ip'].toString();
    }

    // Check for X-Forwarded-For and parse if available
    if (req.headers['x-forwarded-for']) {
        const ipList = req.headers['x-forwarded-for'].toString().split(',').map(ip => ip.trim());
        return ipList[0];
    }

    // If none of the headers are available, return undefined
    return undefined;
}

/**
 * Returns a middleware function that checks if the client IP is in the whitelist.
 * @param {boolean} whitelistMode If whitelist mode is enabled via config or command line
 * @param {boolean} listen If listen mode is enabled via config or command line
 * @returns {import('express').RequestHandler} The middleware function
 */
export default function whitelistMiddleware(whitelistMode, listen) {
    return function (req, res, next) {
        const clientIp = getIpFromRequest(req);
        const forwardedIp = getForwardedIp(req);
        const userAgent = req.headers['user-agent'];

        if (listen && !knownIPs.has(clientIp)) {
            console.log(color.yellow(`New connection from ${clientIp}; User Agent: ${userAgent}\n`));
            knownIPs.add(clientIp);

            // Write access log
            const timestamp = new Date().toISOString();
            const log = `${timestamp} ${clientIp} ${userAgent}\n`;
            fs.appendFile('access.log', log, (err) => {
                if (err) {
                    console.error('Failed to write access log:', err);
                }
            });
        }

        //clientIp = req.connection.remoteAddress.split(':').pop();
        if (whitelistMode === true && !whitelist.some(x => ipMatching.matches(clientIp, ipMatching.getMatch(x)))
            || forwardedIp && whitelistMode === true && !whitelist.some(x => ipMatching.matches(forwardedIp, ipMatching.getMatch(x)))
        ) {
            // Log the connection attempt with real IP address
            const ipDetails = forwardedIp
                ? `${clientIp} (forwarded from ${forwardedIp})`
                : clientIp;
            const errorMessage = Handlebars.compile(
                getConfigValue(
                    'whitelistErrorMessage',
                    DEFAULT_WHITELIST_ERROR_MESSAGE,
                ),
            );
            console.log(
                color.red(
                    `Blocked connection from ${clientIp}; User Agent: ${userAgent}\n\tTo allow this connection, add its IP address to the whitelist or disable whitelist mode by editing config.yaml in the root directory of your SillyTavern installation.\n`,
                ),
            );
            return res.status(403).send(errorMessage({ ipDetails }));
        }
        next();
    };
}
Simplify node imports 2024-10-11 00:28:17 +03:00			`import path from 'node:path';`
			`import fs from 'node:fs';`
Explicitly import node process 2024-10-11 10:43:29 +03:00			`import process from 'node:process';`
woohoo 2025-01-24 03:35:56 +00:00			`import Handlebars from 'handlebars';`
Node: Migrate to ES Modules 2024-10-10 22:37:22 +03:00			`import ipMatching from 'ip-matching';`
Move whitelist middleware to its own module 2023-12-14 17:36:41 -05:00
Node: Migrate to ES Modules 2024-10-10 22:37:22 +03:00			`import { getIpFromRequest } from '../express-common.js';`
			`import { color, getConfigValue } from '../util.js';`
Move whitelist middleware to its own module 2023-12-14 17:36:41 -05:00
			`const whitelistPath = path.join(process.cwd(), './whitelist.txt');`
Add config value for forwarded IPs whitelisting 2024-04-22 15:52:59 +03:00			`const enableForwardedWhitelist = getConfigValue('enableForwardedWhitelist', false);`
Move whitelist middleware to its own module 2023-12-14 17:36:41 -05:00			`let whitelist = getConfigValue('whitelist', []);`
Rename basic auth middleware 2023-12-15 18:43:00 +02:00			`let knownIPs = new Set();`
Move whitelist middleware to its own module 2023-12-14 17:36:41 -05:00
woohoo 2025-01-24 03:35:56 +00:00			`const DEFAULT_WHITELIST_ERROR_MESSAGE =`
			`'<h1>Forbidden</h1><p>If you are the system administrator, add your IP address to the whitelist or disable whitelist mode by editing <code>config.yaml</code> in the root directory of your installation.</p><hr /><p><em>Connection from {{ipDetails}} has been blocked. This attempt has been logged.</em></p>';`

Move whitelist middleware to its own module 2023-12-14 17:36:41 -05:00			`if (fs.existsSync(whitelistPath)) {`
			`try {`
			`let whitelistTxt = fs.readFileSync(whitelistPath, 'utf-8');`
			`whitelist = whitelistTxt.split('\n').filter(ip => ip).map(ip => ip.trim());`
			`} catch (e) {`
			`// Ignore errors that may occur when reading the whitelist (e.g. permissions)`
			`}`
			`}`

Merge branch 'staging' into neo-server 2024-04-13 15:26:48 +03:00			`/**`
			`* Get the client IP address from the request headers.`
			`* @param {import('express').Request} req Express request object`
			`* @returns {string\|undefined} The client IP address`
			`*/`
fix: whitelist in real-ip 2024-04-12 22:03:36 -07:00			`function getForwardedIp(req) {`
Add config value for forwarded IPs whitelisting 2024-04-22 15:52:59 +03:00			`if (!enableForwardedWhitelist) {`
			`return undefined;`
			`}`

fix: whitelist in real-ip 2024-04-12 22:03:36 -07:00			`// Check if X-Real-IP is available`
			`if (req.headers['x-real-ip']) {`
Add config value for forwarded IPs whitelisting 2024-04-22 15:52:59 +03:00			`return req.headers['x-real-ip'].toString();`
fix: whitelist in real-ip 2024-04-12 22:03:36 -07:00			`}`

			`// Check for X-Forwarded-For and parse if available`
			`if (req.headers['x-forwarded-for']) {`
Add config value for forwarded IPs whitelisting 2024-04-22 15:52:59 +03:00			`const ipList = req.headers['x-forwarded-for'].toString().split(',').map(ip => ip.trim());`
fix: whitelist in real-ip 2024-04-12 22:03:36 -07:00			`return ipList[0];`
			`}`

			`// If none of the headers are available, return undefined`
			`return undefined;`
			`}`

Whitelist to check listen mode via console 2024-03-30 22:42:51 +02:00			`/**`
			`* Returns a middleware function that checks if the client IP is in the whitelist.`
Control whitelist mode with console flag 2024-04-12 01:33:39 +03:00			`* @param {boolean} whitelistMode If whitelist mode is enabled via config or command line`
Whitelist to check listen mode via console 2024-03-30 22:42:51 +02:00			`* @param {boolean} listen If listen mode is enabled via config or command line`
			`* @returns {import('express').RequestHandler} The middleware function`
			`*/`
Node: Migrate to ES Modules 2024-10-10 22:37:22 +03:00			`export default function whitelistMiddleware(whitelistMode, listen) {`
Whitelist to check listen mode via console 2024-03-30 22:42:51 +02:00			`return function (req, res, next) {`
			`const clientIp = getIpFromRequest(req);`
fix: whitelist in real-ip 2024-04-12 22:03:36 -07:00			`const forwardedIp = getForwardedIp(req);`
woohoo 2025-01-24 03:35:56 +00:00			`const userAgent = req.headers['user-agent'];`
Move whitelist middleware to its own module 2023-12-14 17:36:41 -05:00
Whitelist to check listen mode via console 2024-03-30 22:42:51 +02:00			`if (listen && !knownIPs.has(clientIp)) {`
			console.log(color.yellow(`New connection from ${clientIp}; User Agent: ${userAgent}\n`));
			`knownIPs.add(clientIp);`

			`// Write access log`
			`const timestamp = new Date().toISOString();`
			const log = `${timestamp} ${clientIp} ${userAgent}\n`;
			`fs.appendFile('access.log', log, (err) => {`
			`if (err) {`
			`console.error('Failed to write access log:', err);`
			`}`
			`});`
			`}`

			`//clientIp = req.connection.remoteAddress.split(':').pop();`
fix: whitelist in real-ip 2024-04-12 22:03:36 -07:00			`if (whitelistMode === true && !whitelist.some(x => ipMatching.matches(clientIp, ipMatching.getMatch(x)))`
			`\|\| forwardedIp && whitelistMode === true && !whitelist.some(x => ipMatching.matches(forwardedIp, ipMatching.getMatch(x)))`
			`) {`
			`// Log the connection attempt with real IP address`
woohoo 2025-01-24 03:35:56 +00:00			`const ipDetails = forwardedIp`
			? `${clientIp} (forwarded from ${forwardedIp})`
			`: clientIp;`
			`const errorMessage = Handlebars.compile(`
			`getConfigValue(`
			`'whitelistErrorMessage',`
			`DEFAULT_WHITELIST_ERROR_MESSAGE,`
			`),`
			`);`
			`console.log(`
			`color.red(`
			`Blocked connection from ${clientIp}; User Agent: ${userAgent}\n\tTo allow this connection, add its IP address to the whitelist or disable whitelist mode by editing config.yaml in the root directory of your SillyTavern installation.\n`,
			`),`
			`);`
			`return res.status(403).send(errorMessage({ ipDetails }));`
Whitelist to check listen mode via console 2024-03-30 22:42:51 +02:00			`}`
			`next();`
			`};`
			`}`