Add allowAddresses option

2 files changed, 9 insertions, 0 deletions

diff --git a/README.md b/README.md
index 89a8d92..de42f02 100644
--- a/README.md
+++ b/README.md
@@ -121,6 +121,7 @@ To make config options persistent, set them in `~/.ssb/config`, e.g.:
 - `emoji_base`: base url for emoji images. default: same as `base`
 - `encode_msgids`: whether to URL-encode message ids in local links. default: `true`
 - `auth`: HTTP auth password. default: `null` (no password required)
+- `allowAddresses`: Array of IP addresses allowed to connect. default: `null` (allow any to connect). Note if host is `localhost` then this setting is useless.
 - `filter`: Filter setting. `"all"` to show all messages. `"invert"` to show messages that would be hidden by the default setting. Otherwise the default setting applies, which is so to only show messages authored or upvoted by yourself or by a feed that you you follow. Exceptions are that if you navigate to a user feed page, you will see messages authored by that feed, and if you navigate to a message page, you will see that message - regardless of the filter setting. The `filter` setting may also be specified per-request as a query string parameter.
 - `showPrivates`: Whether or not to show private messages. Default is `true`. Overridden by `filter=all`.
 - `previewVotes`: Whether to preview creating votes/likes/digs (`true`) or publish them immediately (`false`). default: `false`
diff --git a/lib/serve.js b/lib/serve.js
index d550e0f..d0a9624 100644
--- a/lib/serve.js
+++ b/lib/serve.js
@@ -92,6 +92,14 @@ Serve.prototype.go = function () {
       return
     }
   }
+  var allowAddresses = conf.allowAddresses
+  if (allowAddresses) {
+    var ip = this.req.socket.remoteAddress
+    if (allowAddresses.indexOf(ip) === -1) {
+      this.res.writeHead(401)
+      return this.res.end('Not authorized')
+    }
+  }
 
   if (this.req.method === 'POST' || this.req.method === 'PUT') {
     if (/^multipart\/form-data/.test(this.req.headers['content-type'])) {