scheb · scheb · Jan 26, 2024 · Jan 19, 2024 · Jan 19, 2024 · Jan 21, 2024
diff --git a/doc/configuration.rst b/doc/configuration.rst
@@ -82,9 +82,10 @@ Bundle Configuration
        # Supports IPv4, IPv6 and IP subnet masks.
        ip_whitelist:
            - 127.0.0.1  # One IPv4
-           - 192.168.0.0/16  # IPv4 subnet
+           - 192.168.0.0/16  # One IPv4 subnet
            - 2001:0db8:85a3:0000:0000:8a2e:0370:7334  # One IPv6
-           - 2001:db8:abcd:0012::0/64  # IPv6 subnet
+           - 2001:db8:abcd:0012::0/64  # One IPv6 subnet
+           - !php/const Symfony\Component\HttpFoundation\IpUtils::PRIVATE_SUBNETS # All private IPv4 and IPv6 subnets
 
        # If you want to have your own implementation to retrieve the whitelisted IPs.
        # The configuration option "ip_whitelist" becomes meaningless in that case.

diff --git a/src/bundle/DependencyInjection/Configuration.php b/src/bundle/DependencyInjection/Configuration.php
@@ -4,6 +4,8 @@
 
 namespace Scheb\TwoFactorBundle\DependencyInjection;
 
+use RecursiveArrayIterator;
+use RecursiveIteratorIterator;
 use Scheb\TwoFactorBundle\Model\BackupCodeInterface;
 use Scheb\TwoFactorBundle\Model\Email\TwoFactorInterface as EMailTwoFactorInterface;
 use Scheb\TwoFactorBundle\Model\Google\TwoFactorInterface as GoogleTwoFactorInterface;
@@ -15,6 +17,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken;
 use function interface_exists;
+use function iterator_to_array;
 
 /**
  * @final
@@ -42,6 +45,12 @@ public function getConfigTreeBuilder(): TreeBuilder
                     ->prototype('scalar')->end()
                 ->end()
                 ->arrayNode('ip_whitelist')
+                    ->beforeNormalization()
+                        ->ifArray()
+                        ->then(static function (array $value): array {
+                            return iterator_to_array(new RecursiveIteratorIterator(new RecursiveArrayIterator($value)), false);
+                        })
+                    ->end()
                     ->defaultValue([])
                     ->prototype('scalar')->end()
                 ->end()

diff --git a/tests/DependencyInjection/SchebTwoFactorExtensionTest.php b/tests/DependencyInjection/SchebTwoFactorExtensionTest.php
@@ -99,7 +99,7 @@ public function load_fullConfig_setConfigValues(): void
         $this->assertHasParameter('cookie.example.org', 'scheb_two_factor.trusted_device.cookie_domain');
         $this->assertHasParameter('/cookie-path', 'scheb_two_factor.trusted_device.cookie_path');
         $this->assertHasParameter(['Symfony\Component\Security\Core\Authentication\Token\SomeToken'], 'scheb_two_factor.security_tokens');
-        $this->assertHasParameter(['127.0.0.1'], 'scheb_two_factor.ip_whitelist');
+        $this->assertHasParameter(['127.0.0.1', '10.0.0.0/8', '192.168.0.0/16'], 'scheb_two_factor.ip_whitelist');
     }
 
     /**
@@ -647,6 +647,7 @@ private function getFullConfig(): array
     - Symfony\Component\Security\Core\Authentication\Token\SomeToken
 ip_whitelist:
     - 127.0.0.1
+    - ['10.0.0.0/8', '192.168.0.0/16']
 ip_whitelist_provider: acme_test.ip_whitelist_provider
 two_factor_token_factory: acme_test.two_factor_token_factory
 two_factor_provider_decider: acme_test.two_factor_provider_decider