MagicMirror/js/ip_access_control.js

const ipaddr = require("ipaddr.js");
const Log = require("logger");

/**
 * Checks if a client IP matches any entry in the whitelist
 * @param {string} clientIp - The IP address to check
 * @param {string[]} whitelist - Array of IP addresses or CIDR ranges
 * @returns {boolean} True if IP is allowed
 */
function isAllowed (clientIp, whitelist) {
	try {
		const addr = ipaddr.process(clientIp);

		return whitelist.some((entry) => {
			try {
				// CIDR notation
				if (entry.includes("/")) {
					const [rangeAddr, prefixLen] = ipaddr.parseCIDR(entry);
					return addr.match(rangeAddr, prefixLen);
				}

				// Single IP address - let ipaddr.process normalize both
				const allowedAddr = ipaddr.process(entry);
				return addr.toString() === allowedAddr.toString();
			} catch (err) {
				Log.warn(`Invalid whitelist entry: ${entry}`);
				return false;
			}
		});
	} catch (err) {
		Log.warn(`Failed to parse client IP: ${clientIp}`);
		return false;
	}
}

/**
 * Creates an Express middleware for IP whitelisting
 * @param {string[]} whitelist - Array of allowed IP addresses or CIDR ranges
 * @returns {import("express").RequestHandler} Express middleware function
 */
function ipAccessControl (whitelist) {
	// Empty whitelist means allow all
	if (!Array.isArray(whitelist) || whitelist.length === 0) {
		return function (req, res, next) {
			res.header("Access-Control-Allow-Origin", "*");
			next();
		};
	}

	return function (req, res, next) {
		const clientIp = req.ip || req.socket.remoteAddress;

		if (isAllowed(clientIp, whitelist)) {
			res.header("Access-Control-Allow-Origin", "*");
			next();
		} else {
			Log.log(`IP ${clientIp} is not allowed to access the mirror`);
			res.status(403).send("This device is not allowed to access your mirror. <br> Please check your config.js or config.js.sample to change this.");
		}
	};
}

module.exports = { ipAccessControl };
refactor: replace `express-ipfilter` with lightweight custom middleware (#3917) This fixes security issue [CVE-2023-42282](https://github.com/advisories/GHSA-78xj-cgh5-2h22), which is not very likely to be exploitable in MagicMirror² setups, but still should be fixed. The [express-ipfilter](https://www.npmjs.com/package/express-ipfilter) package depends on the obviously unmaintained [ip](https://github.com/indutny/node-ip) package, which has known security vulnerabilities. Since no fix is available, this commit replaces both dependencies with a custom middleware using the better maintained [ipaddr.js](https://www.npmjs.com/package/ipaddr.js) library. Changes: - Add new `js/ip_access_control.js` with lightweight middleware - Remove `express-ipfilter` dependency, add `ipaddr.js` - Update `js/server.js` to use new middleware - In addition, I have formulated the descriptions of the corresponding tests a little more clearly. 2025-10-18 19:56:55 +02:00			`const ipaddr = require("ipaddr.js");`
			`const Log = require("logger");`

			`/**`
			`* Checks if a client IP matches any entry in the whitelist`
			`* @param {string} clientIp - The IP address to check`
			`* @param {string[]} whitelist - Array of IP addresses or CIDR ranges`
			`* @returns {boolean} True if IP is allowed`
			`*/`
			`function isAllowed (clientIp, whitelist) {`
			`try {`
			`const addr = ipaddr.process(clientIp);`

			`return whitelist.some((entry) => {`
			`try {`
			`// CIDR notation`
			`if (entry.includes("/")) {`
			`const [rangeAddr, prefixLen] = ipaddr.parseCIDR(entry);`
			`return addr.match(rangeAddr, prefixLen);`
			`}`

			`// Single IP address - let ipaddr.process normalize both`
			`const allowedAddr = ipaddr.process(entry);`
			`return addr.toString() === allowedAddr.toString();`
			`} catch (err) {`
			Log.warn(`Invalid whitelist entry: ${entry}`);
			`return false;`
			`}`
			`});`
			`} catch (err) {`
			Log.warn(`Failed to parse client IP: ${clientIp}`);
			`return false;`
			`}`
			`}`

			`/**`
			`* Creates an Express middleware for IP whitelisting`
			`* @param {string[]} whitelist - Array of allowed IP addresses or CIDR ranges`
			`* @returns {import("express").RequestHandler} Express middleware function`
			`*/`
			`function ipAccessControl (whitelist) {`
			`// Empty whitelist means allow all`
			`if (!Array.isArray(whitelist) \|\| whitelist.length === 0) {`
			`return function (req, res, next) {`
			`res.header("Access-Control-Allow-Origin", "*");`
			`next();`
			`};`
			`}`

			`return function (req, res, next) {`
			`const clientIp = req.ip \|\| req.socket.remoteAddress;`

			`if (isAllowed(clientIp, whitelist)) {`
			`res.header("Access-Control-Allow-Origin", "*");`
			`next();`
			`} else {`
			Log.log(`IP ${clientIp} is not allowed to access the mirror`);
			`res.status(403).send("This device is not allowed to access your mirror. <br> Please check your config.js or config.js.sample to change this.");`
			`}`
			`};`
			`}`

			`module.exports = { ipAccessControl };`