FEATURE: allow restricting API keys to a particular range

lib/auth/default_current_user_provider.rb

@@ -107,12 +107,16 @@ class Auth::DefaultCurrentUserProvider
     api_key = ApiKey.where(key: api_key_value).includes(:user).first
     if api_key
       api_username = request["api_username"]
+
+      if api_key.allowed_ips.present? && !api_key.allowed_ips.any?{|ip| ip.include?(request.ip)}
+        Rails.logger.warn("Unauthorized API access: #{api_username} ip address: #{request.ip}")
+        return nil
+      end
+
       if api_key.user
         api_key.user if !api_username || (api_key.user.username_lower == api_username.downcase)
       elsif api_username
         User.find_by(username_lower: api_username.downcase)
-      else
-        nil
       end
     end
   end

spec/components/auth/default_current_user_provider_spec.rb

@@ -31,6 +31,27 @@ describe Auth::DefaultCurrentUserProvider do
     }.to raise_error(Discourse::InvalidAccess)
   end
 
+  it "raises for a user with a mismatching ip" do
+    user = Fabricate(:user)
+    ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1, allowed_ips: ['10.0.0.0/24'])
+
+    expect{
+      provider("/?api_key=hello&api_username=#{user.username.downcase}", "REMOTE_ADDR" => "10.1.0.1").current_user
+    }.to raise_error(Discourse::InvalidAccess)
+
+  end
+
+  it "allows a user with a matching ip" do
+    user = Fabricate(:user)
+    ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1, allowed_ips: ['10.0.0.0/24'])
+
+    found_user = provider("/?api_key=hello&api_username=#{user.username.downcase}",
+                          "REMOTE_ADDR" => "10.0.0.22").current_user
+
+    found_user.id.should == user.id
+
+  end
+
   it "finds a user for a correct system api key" do
     user = Fabricate(:user)
     ApiKey.create!(key: "hello", created_by_id: -1)