matrix-org · megheaiulian · Oct 23, 2023 · Oct 23, 2023 · Oct 24, 2023 · Oct 24, 2023
@@ -0,0 +1 @@
+Adds widgets config (`allowedIpRanges`) option to control which IPs are allowed to access widgets.
@@ -144,6 +144,7 @@ listeners:
 #widgets:
 #  # (Optional) EXPERIMENTAL support for complimentary widgets
 #  addToAdminRooms: false
+#  allowedIpRanges: []
 #  disallowedIpRanges:
 #    - 127.0.0.0/8
 #    - 10.0.0.0/8

@@ -39,6 +39,7 @@ widgets:
 #     - 2001:db8::/32
 #     - ff00::/8
 #     - fec0::/10
+# allowedIpRanges: []
   publicUrl: https://example.com/widgetapi/v1/static
   branding:
     widgetTitle: Hookshot Configuration
@@ -56,7 +57,10 @@ When `addOnInvite` is true, the bridge will add a widget to rooms when the bot i
 `disallowedIpRanges` describes which IP ranges should be disallowed when resolving homeserver IP addresses (for security reasons).
 Unless you know what you are doing, it is recommended to not include this key. The default blocked IPs are listed above for your convenience.
 
-`publicUrl` should be set to the publicly reachable address for the widget `public` content. By default, Hookshot hosts this content on the
+`allowedIpRanges` describes which IP ranges should be allowed when resolving homeserver IP addresses even if they are in `disallowedIpRanges`.
+This allows specific sub-ranges of `disallowedIpRanges` to be used without having to carefully construct the ranges that still should be disallowed.
+
+`publicUrl` should be set to the publicly reachable address for the widget `public` content. By default, hookshot hosts this content on the
 `widgets` listener under `/widgetapi/v1/static`.
 
 `branding` allows you to change the strings used for various bits of widget UI. At the moment you can:

@@ -249,6 +249,7 @@ hookshot:
       # (Optional) EXPERIMENTAL support for complimentary widgets
       #
       # addToAdminRooms: false
+      # allowedIpRanges: []
       # disallowedIpRanges:
         # - 127.0.0.0/8
         # - 10.0.0.0/8

@@ -39,6 +39,7 @@ export class BridgeWidgetApi extends ProvisioningApi {
             expressApp,
             widgetTokenPrefix: "hookshot_",
             disallowedIpRanges: config.widgets?.disallowedIpRanges,
+            allowedIpRanges: config.widgets?.allowedIpRanges,
             openIdOverride: config.widgets?.openIdOverrides,
         });
 

@@ -340,6 +340,7 @@ interface BridgeWidgetConfigYAML {
         addOnInvite?: boolean;
     };
     disallowedIpRanges?: string[];
+    allowedIpRanges?: string[];
     branding?: {
         widgetTitle: string,
     }
@@ -357,6 +358,8 @@ export class BridgeWidgetConfig {
         addOnInvite?: boolean;
     };
     public readonly disallowedIpRanges?: string[];
+    public readonly allowedIpRanges?: string[];
+
     public readonly branding: {
         widgetTitle: string,
     }
@@ -366,10 +369,14 @@ export class BridgeWidgetConfig {
     constructor(yaml: BridgeWidgetConfigYAML) {
         this.addToAdminRooms = yaml.addToAdminRooms || false;
         this.disallowedIpRanges = yaml.disallowedIpRanges;
+        this.allowedIpRanges = yaml.allowedIpRanges;
         this.roomSetupWidget = yaml.roomSetupWidget;
         if (yaml.disallowedIpRanges !== undefined && (!Array.isArray(yaml.disallowedIpRanges) || !yaml.disallowedIpRanges.every(s => typeof s === "string"))) {
             throw new ConfigError("widgets.disallowedIpRanges", "must be a string array");
         }
+        if (yaml.allowedIpRanges !== undefined && (!Array.isArray(yaml.allowedIpRanges) || !yaml.allowedIpRanges.every(s => typeof s === "string"))) {
+            throw new ConfigError("widgets.allowedIpRanges", "must be a string array");
+        }
         try {
             this.parsedPublicUrl = makePrefixedUrl(yaml.publicUrl)
             this.publicUrl = () => { return this.parsedPublicUrl.href; }

@@ -40,6 +40,7 @@ export const DefaultConfigRoot: BridgeConfigRoot = {
         roomSetupWidget: {
             addOnInvite: false,
         },
+        allowedIpRanges: [],
         disallowedIpRanges: DefaultDisallowedIpRanges,
         branding: {
             widgetTitle: "Hookshot Configuration"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Adds widgets config (`allowedIpRanges`) option to control which IPs are allowed to access widgets.