feat: add Plug to block requests by Ip

Author: leonimella

apps/block_scout_web/lib/block_scout_web/api_router.ex

@@ -14,7 +14,7 @@ defmodule BlockScoutWeb.ApiRouter do
   """
   use BlockScoutWeb, :router
   alias BlockScoutWeb.{AddressTransactionController, APIKeyV2Router, SmartContractsApiV2Router, UtilsApiV2Router}
-  alias BlockScoutWeb.Plug.{CheckAccountAPI, CheckApiV2, RateLimit}
+  alias BlockScoutWeb.Plug.{CheckAccountAPI, CheckApiV2, RateLimit, BlockedIpList}
 
   forward("/v2/smart-contracts", SmartContractsApiV2Router)
   forward("/v2/key", APIKeyV2Router)
@@ -37,13 +37,15 @@ defmodule BlockScoutWeb.ApiRouter do
     plug(CheckApiV2)
     plug(:fetch_session)
     plug(:protect_from_forgery)
+    plug(BlockedIpList)
     plug(RateLimit)
   end
 
   pipeline :api_v2_no_session do
     plug(BlockScoutWeb.Plug.Logger, application: :api_v2)
     plug(:accepts, ["json"])
     plug(CheckApiV2)
+    plug(BlockedIpList)
     plug(RateLimit)
   end
 

apps/block_scout_web/lib/block_scout_web/plug/blocked_ip_list.ex

@@ -0,0 +1,16 @@
+defmodule BlockScoutWeb.Plug.BlockedIpList do
+  @moduledoc """
+    Block requests by IP
+  """
+  alias BlockScoutWeb.AccessHelper
+
+  def init(opts), do: opts
+
+  def call(conn, _opts) do
+    if AccessHelper.blocked_access?(conn) do
+      AccessHelper.handle_blocked_access(conn, true)
+    else
+      conn
+    end
+  end
+end

apps/block_scout_web/lib/block_scout_web/views/access_helper.ex

@@ -63,6 +63,32 @@ defmodule BlockScoutWeb.AccessHelper do
     end
   end
 
+  def blocked_access?(conn) do
+    case Application.get_env(:block_scout_web, :blocked_ips) do
+      nil ->
+        false
+
+      blocked_ips ->
+        blocked_ips
+        |> String.replace(" ", "")
+        |> String.split(",")
+        |> Enum.member?(conn_to_ip_string(conn))
+    end
+  end
+
+  def handle_blocked_access(conn, api_v2? \\ false) do
+    APILogger.message("unauthorized request")
+
+    view = if api_v2?, do: ApiView, else: RPCView
+    tag = if api_v2?, do: :message, else: :error
+
+    conn
+    |> Conn.put_status(401)
+    |> put_view(view)
+    |> render(tag, %{tag => "unauthorized"})
+    |> Conn.halt()
+  end
+
   # credo:disable-for-next-line /Complexity/
   defp check_rate_limit_inner(conn, rate_limit_config) do
     global_limit = rate_limit_config[:global_limit]
@@ -81,8 +107,6 @@ defmodule BlockScoutWeb.AccessHelper do
 
     user_agent = get_user_agent(conn)
 
-    Logger.info("request ip: #{inspect(ip_string)}")
-
     cond do
       check_api_key(conn) && get_api_key(conn) == static_api_key ->
         rate_limit(static_api_key, limit_by_key, time_interval_limit)

config/runtime.exs

@@ -136,6 +136,8 @@ config :block_scout_web, BlockScoutWeb.MicroserviceInterfaces.TransactionInterpr
   service_url: System.get_env("MICROSERVICE_TRANSACTION_INTERPRETATION_URL"),
   enabled: ConfigHelper.parse_bool_env_var("MICROSERVICE_TRANSACTION_INTERPRETATION_ENABLED")
 
+config :block_scout_web, blocked_ips: System.get_env("API_BLOCKED_IPS")
+
 # Configures Ueberauth's Auth0 auth provider
 config :ueberauth, Ueberauth.Strategy.Auth0.OAuth,
   domain: System.get_env("ACCOUNT_AUTH0_DOMAIN"),