add: use RemoteAddr for ip blocks as well

2025-06-30 15:35:18 -04:00 · 2025-06-30 15:35:18 -04:00 · f5faed7762
commit f5faed7762
parent 14936b8b90
12 changed files with 127 additions and 28 deletions
--- a/crates/app/src/routes/api/v1/reactions.rs
+++ b/crates/app/src/routes/api/v1/reactions.rs
@ -1,7 +1,12 @@
 use crate::{State, get_user_from_token, routes::api::v1::CreateReaction};
-use axum::{Extension, Json, extract::Path, response::IntoResponse};
+use axum::{
+    extract::Path,
+    http::{HeaderMap, HeaderValue},
+    response::IntoResponse,
+    Extension, Json,
+};
 use axum_extra::extract::CookieJar;
-use tetratto_core::model::{oauth, ApiReturn, Error, reactions::Reaction};
+use tetratto_core::model::{addr::RemoteAddr, oauth, reactions::Reaction, ApiReturn, Error};

 pub async fn get_request(
    jar: CookieJar,
@ -26,6 +31,7 @@ pub async fn get_request(

 pub async fn create_request(
    jar: CookieJar,
+    headers: HeaderMap,
    Extension(data): Extension<State>,
    Json(req): Json<CreateReaction>,
 ) -> impl IntoResponse {
@ -40,6 +46,20 @@ pub async fn create_request(
        Err(e) => return Json(Error::MiscError(e.to_string()).into()),
    };

+    // get real ip
+    let real_ip = headers
+        .get(data.0.0.security.real_ip_header.to_owned())
+        .unwrap_or(&HeaderValue::from_static(""))
+        .to_str()
+        .unwrap_or("")
+        .to_string();
+
+    // check for ip ban
+    let addr = RemoteAddr::from(real_ip.as_str());
+    if data.get_ipban_by_addr(&addr).await.is_ok() {
+        return Json(Error::NotAllowed.into());
+    }
+
    // check for existing reaction
    if let Ok(r) = data.get_reaction_by_owner_asset(user.id, asset_id).await {
        match data.delete_reaction(r.id, &user).await {
@ -63,6 +83,7 @@ pub async fn create_request(
        .create_reaction(
            Reaction::new(user.id, asset_id, req.asset_type, req.is_like),
            &user,
+            &addr,
        )
        .await
    {