From 24e49cf98f6c22d2d7f3816f051d9680ce78041c Mon Sep 17 00:00:00 2001 From: Wildan Maulana Date: Wed, 14 Nov 2012 15:31:20 +0700 Subject: [PATCH] Restricting API access by IP address --- components/AuthorizedIPFilter.php | 47 ++++++++++++++++++++++++++++++ components/RestController.php | 6 ++-- migrations/m120901_053457_rest.php | 21 ++++++++----- 3 files changed, 64 insertions(+), 10 deletions(-) create mode 100644 components/AuthorizedIPFilter.php diff --git a/components/AuthorizedIPFilter.php b/components/AuthorizedIPFilter.php new file mode 100644 index 0000000..7ec8e44 --- /dev/null +++ b/components/AuthorizedIPFilter.php @@ -0,0 +1,47 @@ + + * @copyright Copyright 2012, OpenThink Labs + * @license http://opensource.org/licenses/bsd-license.php The BSD License + */ +/** + * Allows automated authentication of controller actions. + */ +class AuthorizedIPFilter extends CFilter +{ + /** + * Authorized IP Address + * + */ + public $ip_authorizeds = array(); + + /** + * Performs authorized IP filter + * before execution of a RestController method + * + * @param CFilterChain $filter The filter chain + */ + public function preFilter( $filterChain ) + { + $HttpAuthRequest = new HttpAuthRequest(); + $auth_headers = array(); + $credentials = explode(":",(base64_decode($HttpAuthRequest->params))); + if( is_array($credentials) && count($credentials) > 0 ) + { + $api_user = ApiUser::model()->findByAttributes(array("username"=>$credentials[0])) ; + if($api_user) { + $ip_authorizeds = explode(",",$api_user->ip_authorized) ; + if(in_array($_SERVER['REMOTE_ADDR'],$ip_authorizeds)) + return $filterChain->run(); + } + } + + $Response = new Response(); + $Response->send( + 401, 'Not Authorized', 'txt', $auth_headers + ); + } +} +?> diff --git a/components/RestController.php b/components/RestController.php index dc8d143..155640b 100644 --- a/components/RestController.php +++ b/components/RestController.php 
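Review bot: The allowlist lookup in preFilter keys on the username parsed out of the Basic auth header before any password has been verified, so passing `in_array($_SERVER['REMOTE_ADDR'],$ip_authorizeds)` only shows that the caller named an account whose list contains their address; that is acceptable as a pre-filter only if a credential check always follows, and the RestController hunk below appears to register the auth filter only when `require_auth` is true. The match itself should be strict and tolerant of spaces in the stored comma list: `$ip_authorizeds = array_map('trim', explode(',', (string)$api_user->ip_authorized));` followed by `if (in_array($_SERVER['REMOTE_ADDR'], $ip_authorizeds, true))`. `REMOTE_ADDR` is the right source (a forwarded-for header would be attacker-controlled), but behind a reverse proxy it holds the proxy's address, so such deployments need the real client address restored at the web-server layer before this comparison means anything. The denial path sends 401 with an empty `$auth_headers`, so no `WWW-Authenticate` challenge is issued; for an address-based rejection `403, 'Forbidden'` is the more accurate status, and the closing `?>` is better dropped so stray whitespace cannot be emitted before the headers.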
@@ -67,9 +67,9 @@ abstract class RestController extends Controller * @param string $action The action id. */ public function actionRestRoute( $action = '' ) - { + { $request = new CHttpRequest(); - $verb = $request->getRequestType(); + $verb = $request->getRequestType(); if( isset($this->map_methods[$verb]) ) $verb = $this->map_methods[$verb]; @@ -98,6 +98,8 @@ public function filters() { $filters = array(); + //authorize ip filter is a must + $filters[] = array('application.extensions.resty.components.AuthorizedIPFilter') ; if( $this->require_auth === true ) { $filters[]= array( diff --git a/migrations/m120901_053457_rest.php b/migrations/m120901_053457_rest.php index ba04599..f8642d1 100644 --- a/migrations/m120901_053457_rest.php +++ b/migrations/m120901_053457_rest.php @@ -13,7 +13,8 @@ class m120901_053457_rest extends CDbMigration public $default = array( 'username' => 'api_user', 'password' => 'api_key', - 'email'=>'info@example.com' + 'email'=>'info@example.com', + 'ip_authorized'=>'127.0.0.1' ); public function safeUp() 
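Review bot: The IP filter is pushed onto `$filters` unconditionally while the credential-checking filter stays guarded by `if( $this->require_auth === true )`, so on a controller with `require_auth` false the only gate is an allowlist selected by whatever username the caller puts in the Basic header; either register the IP filter inside the same `require_auth` branch ahead of the auth filter, or fold both checks into one filter so the address can never be tested without the password. The registration `array('application.extensions.resty.components.AuthorizedIPFilter')` passes no parameters, and AuthorizedIPFilter's public `$ip_authorizeds` property is never read by its preFilter, so that property is dead configuration that should be removed or actually wired in. The new comment could say what the ordering guarantees, e.g. `// IP allowlist runs before credential auth; both read the same Basic auth header`. The body of filters() continues past the end of the hunk.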
@@ -24,23 +25,26 @@ public function safeUp() "password" => "varchar(128) NOT NULL DEFAULT ''", "email" => "varchar(128) NOT NULL DEFAULT ''", "activation_key" => "varchar(128) NOT NULL DEFAULT ''", - "createtime" => "int(10) NOT NULL DEFAULT 0", - "lastvisit" => "int(10) NOT NULL DEFAULT 0", - "privilege" => "int(1) NOT NULL DEFAULT 0", - "status" => "int(1) NOT NULL DEFAULT 0", + "ip_authorized"=>"text", + "createtime" => "INTEGER NOT NULL DEFAULT 0", + "lastvisit" => "INTEGER NOT NULL DEFAULT 0", + "privilege" => "INTEGER NOT NULL DEFAULT 0", + "status" => "INTEGER NOT NULL DEFAULT 0", )); if( in_array('--interactive=0',$_SERVER['argv'])) { - $this->_model->username = $this->default['username']; - $this->_model->password = $this->default['password']; - $this->_model->email = $this->default['email']; + $this->_model->username = $this->default['username']; + $this->_model->password = $this->default['password']; + $this->_model->email = $this->default['email']; + $this->_model->ip_authorized = $this->default['ip_authorized']; } else { $this->stdinToModel('First api user', 'username', $this->default['username'] ); $this->stdinToModel('First user\'s password', 'password', $this->default['password'] ); $this->stdinToModel('First user\'s email', 'email', $this->default['email'] ); + $this->stdinToModel('First authorized IP address', 'ip_authorized', $this->default['ip_authorized'] ); } $this->insert( $this->api_user_table, array( @@ -49,6 +53,7 @@ public function safeUp() 'password' => md5($this->_model->password), 'email' => $this->_model->email, 'activation_key' => md5(microtime()), + 'ip_authorized'=>$this->_model->ip_authorized, 'createtime' => time(), 'lastvisit' => '0', 'privilege' => '1',
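Review bot: The value written to `ip_authorized` from `stdinToModel` or `$this->default` is stored exactly as typed, with no check that each comma-separated entry is an IP address; since the filter compares `REMOTE_ADDR` against these entries by exact string match, a stray space, a hostname or a CIDR range will silently lock the account out instead of failing loudly at migration time. Validate and normalise the list before the insert by splitting on commas, trimming, and rejecting anything `filter_var` does not accept as an IP. The column is declared as bare `text` with no NOT NULL or default, unlike its neighbours, so a row created elsewhere without the field holds NULL and `explode` on it yields a single empty entry that never matches — fail closed, but clearer as `"ip_authorized" => "text NOT NULL DEFAULT ''"`. The `int(10)`→`INTEGER` rewrites look like a portability change unrelated to the subject line and deserve a sentence in the commit message; safeUp continues beyond the end of the hunk.
```php
// … unchanged: createTable and the stdinToModel / --interactive=0 branches …
$ips = array_map('trim', explode(',', (string)$this->_model->ip_authorized));
foreach ($ips as $ip) {
    if (filter_var($ip, FILTER_VALIDATE_IP) === false)
        throw new Exception("Invalid authorized IP address: $ip");
}
$this->_model->ip_authorized = implode(',', $ips);
// … unchanged: $this->insert( $this->api_user_table, array( …
```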