add: ban ipv6 addresses by prefix

assumes all ipv6 addresses have 64-bit prefix (8 bytes at the start + 2 bytes for colons)
2025-05-21 23:32:45 -04:00 · 2025-05-21 23:32:45 -04:00 · d7e800fcb4
commit d7e800fcb4
parent 2b91422d18
6 changed files with 128 additions and 4 deletions
--- a/crates/app/src/routes/api/v1/communities/posts.rs
+++ b/crates/app/src/routes/api/v1/communities/posts.rs
@ -1,6 +1,12 @@
-use axum::{extract::Path, response::IntoResponse, Extension, Json};
+use axum::{
+    extract::Path,
+    http::{HeaderMap, HeaderValue},
+    response::IntoResponse,
+    Extension, Json,
+};
 use axum_extra::extract::CookieJar;
 use tetratto_core::model::{
+    addr::RemoteAddr,
    communities::Post,
    permissions::FinePermission,
    uploads::{MediaType, MediaUpload},
@ -18,6 +24,7 @@ pub const MAXIMUM_FILE_SIZE: usize = 4194304;

 pub async fn create_request(
    jar: CookieJar,
+    headers: HeaderMap,
    Extension(data): Extension<State>,
    JsonMultipart(images, req): JsonMultipart<CreatePost>,
 ) -> impl IntoResponse {
@ -42,6 +49,24 @@ pub async fn create_request(
        );
    }

+    // get real ip
+    let real_ip = headers
+        .get(data.0.security.real_ip_header.to_owned())
+        .unwrap_or(&HeaderValue::from_static(""))
+        .to_str()
+        .unwrap_or("")
+        .to_string();
+
+    // check for ip ban
+    if data
+        .get_ipban_by_addr(RemoteAddr::from(real_ip.as_str()))
+        .await
+        .is_ok()
+    {
+        return Json(Error::NotAllowed.into());
+    }
+
+    // ...
    let mut props = Post::new(
        req.content,
        match req.community.parse::<usize>() {