Add IP filtering for accounting functions

(ground work for #1820)

data/datacreator.ts

@@ -108,7 +108,7 @@ async function createUsers () {
   const users = await loadStaticData('users')
 
   await Promise.all(
-    users.map(async ({ username, email, password, customDomain, key, role, deletedFlag, profileImage, securityQuestion, feedback, address, card, totpSecret = '' }: User) => {
+    users.map(async ({ username, email, password, customDomain, key, role, deletedFlag, profileImage, securityQuestion, feedback, address, card, totpSecret, lastLoginIp = '' }: User) => {
       try {
         const completeEmail = customDomain ? email : `${email}@${config.get('application.domain')}`
         const user = await UserModel.create({
@@ -118,7 +118,8 @@ async function createUsers () {
           role,
           deluxeToken: role === security.roles.deluxe ? security.deluxeToken(completeEmail) : '',
           profileImage: `assets/public/images/uploads/${profileImage ?? (role === security.roles.admin ? 'defaultAdmin.png' : 'default.svg')}`,
-          totpSecret
+          totpSecret,
+          lastLoginIp
         })
         datacache.users[key] = user
         if (securityQuestion) await createSecurityAnswer(user.id, securityQuestion.id, securityQuestion.answer)

data/static/users.yml

@@ -25,7 +25,7 @@
     - fullName: 'Administrator'
       cardNum: 4024007105648108
       expMonth: 4
-      expYear: 2086      
+      expYear: 2086
 -
   email: jim
   password: 'ncc-1701'
@@ -195,6 +195,7 @@
   password: 'i am an awesome accountant'
   key: accountant
   role: 'accounting'
+  lastLoginIp: '123.456.789'
   securityQuestion:
     id: 7
     answer: 'sdAffsdfrefrbgreq3423'
@@ -236,7 +237,7 @@
   password: 'y&x5Z#f6W532Z4445#Ae2HkwZVyDb7&oCUaDzFU'
   key: john
   role: 'customer'
-- 
+-
   email: emma
   username: E=ma²
   password: 'y&x5Z#f6W532ZUf$q3DsdgfgfgxxUsvoCUaDzFU'

data/types.ts

@@ -38,6 +38,7 @@ export interface User extends Model {
   card?: Card[]
   totpSecret?: string
   walletBalance?: number
+  lastLoginIp?: string
 }
 
 export interface Delivery extends Model {

package.json

@@ -125,6 +125,7 @@
     "errorhandler": "^1.5.1",
     "exif": "^0.6.0",
     "express": "^4.17.1",
+    "express-ipfilter": "^1.2.0",
     "express-jwt": "0.1.3",
     "express-rate-limit": "^5.3.0",
     "express-robots-txt": "^0.4.1",

server.ts

@@ -40,6 +40,7 @@ const yaml = require('js-yaml')
 const swaggerUi = require('swagger-ui-express')
 const RateLimit = require('express-rate-limit')
 const client = require('prom-client')
+const ipfilter = require('express-ipfilter').IpFilter
 const swaggerDocument = yaml.load(fs.readFileSync('./swagger.yml', 'utf8'))
 const {
   ensureFileIsPassed,
@@ -363,7 +364,7 @@ restoreOverwrittenFilesWithOriginals().then(() => {
   /* Accounting users are allowed to check and update quantities */
   app.delete('/api/Quantitys/:id', security.denyAll())
   app.post('/api/Quantitys', security.denyAll())
-  app.use('/api/Quantitys/:id', security.isAccounting())
+  app.use('/api/Quantitys/:id', security.isAccounting(), ipfilter(['123.456.789'], { mode: 'allow' }))
   /* Feedbacks: Do not allow changes of existing feedback */
   app.put('/api/Feedbacks/:id', security.denyAll())
   /* PrivacyRequests: Only allowed for authenticated users */

test/api/quantityApiSpec.ts

@@ -164,7 +164,24 @@ describe('/api/Quantitys/:ids', () => {
       })
   })
 
-  it('GET quantity of all items for accounting users', () => {
+  it('GET quantity of all items for accounting users blocked by IP filter', () => {
+    return frisby.post(`${REST_URL}/user/login`, {
+      headers: jsonHeader,
+      body: {
+        email: `accountant@${config.get('application.domain')}`,
+        password: 'i am an awesome accountant'
+      }
+    })
+      .expect('status', 200)
+      .then(({ json }) => {
+        return frisby.get(`${API_URL}/Quantitys/1`, {
+          headers: { Authorization: `Bearer ${json.authentication.token}`, 'content-type': 'application/json' }
+        })
+          .expect('status', 403)
+      })
+  })
+
+  xit('GET quantity of all items for accounting users from IP 123.456.789', () => {
     return frisby.post(`${REST_URL}/user/login`, {
       headers: jsonHeader,
       body: {
@@ -223,7 +240,27 @@ describe('/api/Quantitys/:ids', () => {
       })
   })
 
-  it('PUT quantity as accounting user', () => {
+  it('PUT quantity as accounting user blocked by IP filter', () => {
+    return frisby.post(`${REST_URL}/user/login`, {
+      headers: jsonHeader,
+      body: {
+        email: `accountant@${config.get('application.domain')}`,
+        password: 'i am an awesome accountant'
+      }
+    })
+      .expect('status', 200)
+      .then(({ json }) => {
+        return frisby.put(`${API_URL}/Quantitys/1`, {
+          headers: { Authorization: `Bearer ${json.authentication.token}`, 'content-type': 'application/json' },
+          body: {
+            quantity: 100
+          }
+        })
+          .expect('status', 403)
+      })
+  })
+
+  xit('PUT quantity as accounting user from IP 123.456.789', () => {
     return frisby.post(`${REST_URL}/user/login`, {
       headers: jsonHeader,
       body: {