
Prevent abuse of the API endpoint

Open GGAlanSmithee opened this issue 2 years ago • 2 comments

With this example, the Blockfrost key isn't leaked, but there is nothing stopping an adversary from abusing the endpoint. We should put some effort into stopping this. There are some headers that could be used, but AFAIK, there is nothing that can't be spoofed. Will look into it.

GGAlanSmithee avatar Dec 11 '22 13:12 GGAlanSmithee

Something like:

// Addresses permitted to call the proxy
const whitelistedIps = [
  "127.0.0.1",
]

// Coerce to a plain boolean so callers don't get "" or undefined back
const ipIsWhitelisted = (ipAddress?: string) => !!ipAddress && whitelistedIps.includes(ipAddress)

// later ...

// Note: both headers are written by whoever sends the request unless a reverse proxy
// you control overwrites them, and x-forwarded-for may be a comma-separated chain
// ("client, proxy1, proxy2"), in which case includes() on the raw string never matches.
const ipAddress = req.headers["x-real-ip"]?.toString() || req.headers["x-forwarded-for"]?.toString()

if (!ipIsWhitelisted(ipAddress)) return res.status(401).json({ message: "Unauthorized" })

GGAlanSmithee avatar Dec 11 '22 13:12 GGAlanSmithee
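The allowlist sketch above only honours forwarded headers when they came from a proxy we operate, and adds the per-caller rate limit the issue asks for. This is an added example, not code from cardano-lucid-blockfrost-proxy-example; the header names, config shape and status codes are assumptions modelled on a Node/Next.js API route.

```typescript
// Added example (not the repo's code): resolve the caller's address only from a
// trustworthy source, apply the allowlist, then rate-limit each caller.
type HeaderMap = Record<string, string | string[] | undefined>;

interface GuardConfig {
  allowlist: Set<string>;      // client IPs allowed to use the proxy
  trustedProxies: Set<string>; // TCP peers whose X-Forwarded-For we believe (our own LB)
  limitPerWindow: number;      // requests allowed per client per window
  windowMs: number;
}

// X-Forwarded-For is set by whoever sends the request, so it is honoured only when the
// TCP peer is one of our own proxies. Each proxy appends the address it saw, so the last
// entry is the one our trusted proxy observed; earlier entries are unverified.
function resolveClientIp(socketIp: string, headers: HeaderMap, cfg: GuardConfig): string {
  if (!cfg.trustedProxies.has(socketIp)) return socketIp;
  const xff = headers["x-forwarded-for"];
  const raw = Array.isArray(xff) ? xff.join(",") : xff;
  const hops = (raw ?? "").split(",").map((s) => s.trim()).filter(Boolean);
  return hops.length > 0 ? hops[hops.length - 1] : socketIp;
}

interface Bucket { count: number; start: number }

class ProxyGuard {
  private buckets = new Map<string, Bucket>();
  private readonly cfg: GuardConfig;
  constructor(cfg: GuardConfig) { this.cfg = cfg; }

  // Returns the HTTP status to reject with, or 0 when the request may be forwarded upstream.
  // `now` is injectable so the fixed-window logic can be tested deterministically.
  check(socketIp: string, headers: HeaderMap, now: number = Date.now()): number {
    const ip = resolveClientIp(socketIp, headers, this.cfg);
    if (!this.cfg.allowlist.has(ip)) return 403;
    const b = this.buckets.get(ip);
    if (!b || now - b.start >= this.cfg.windowMs) {
      this.buckets.set(ip, { count: 1, start: now }); // start a fresh window
      return 0;
    }
    if (b.count >= this.cfg.limitPerWindow) return 429;
    b.count += 1;
    return 0;
  }
}
```

In the handler, call `guard.check(req.socket.remoteAddress, req.headers)` before forwarding to Blockfrost and return the status it gives back; in-memory buckets reset on redeploy, so a shared store is needed when the route runs on more than one instance.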

This is likely to be implemented in use-cardano-blockfrost-proxy

GGAlanSmithee avatar Jan 01 '23 15:01 GGAlanSmithee