Add IP block on authentication via EID

Also, correct mistakenly used 403 error code.
Update aplication-example.yml to include new functionality.

app/controllers/api/v1/registrant/auth_controller.rb

@@ -5,6 +5,8 @@ module Api
   module V1
     module Registrant
       class AuthController < ActionController::API
+        before_action :check_ip_whitelist
+
         rescue_from(ActionController::ParameterMissing) do |parameter_missing_exception|
           error = {}
           error[parameter_missing_exception.param] = ['parameter is required']
@@ -39,6 +41,14 @@ module Api
           hash = token_creator.token_in_hash
           hash
         end
+
+        def check_ip_whitelist
+          allowed_ips = ENV['registrant_api_auth_allowed_ips'].to_s.split(',').map(&:strip)
+
+          unless allowed_ips.include?(request.ip) || Rails.env.development?
+            render json: { error: 'Not authorized' }, status: 401
+          end
+        end
       end
     end
   end

app/controllers/api/v1/registrant/base_controller.rb

@@ -7,6 +7,13 @@ module Api
       class BaseController < ActionController::API
         before_action :authenticate
 
+        rescue_from(ActionController::ParameterMissing) do |parameter_missing_exception|
+          error = {}
+          error[parameter_missing_exception.param] = ['parameter is required']
+          response = { errors: [error] }
+          render json: response, status: :unprocessable_entity
+        end
+
         private
 
         def bearer_token
@@ -22,7 +29,7 @@ module Api
           if decryptor.valid?
             sign_in decryptor.user
           else
-            render json: { error: 'Not authorized' }, status: 403
+            render json: { error: 'Not authorized' }, status: 401
           end
         end
       end

app/controllers/api/v1/registrant/domains_controller.rb

@@ -7,11 +7,11 @@ module Api
       class DomainsController < BaseController
         def index
           registrant = ::Registrant.find_by(ident: current_user.registrant_ident)
-          unless registrant
+          if registrant
-            render json: Domain.all
-          else
             domains = Domain.where(registrant_id: registrant.id)
             render json: domains
+          else
+            render json: []
           end
         end
       end

config/application-example.yml

@@ -96,6 +96,8 @@ arireg_host: 'http://demo-ariregxml.rik.ee:81/'
 sk_digi_doc_service_endpoint: 'https://tsp.demo.sk.ee'
 sk_digi_doc_service_name: 'Testimine'
 
+# Registrant API
+registrant_api_auth_allowed_ips: '127.0.0.1,0.0.0.0' #ips, separated with commas
 
 #
 # MISC

test/system/api/registrant/registrant_api_authentication_test.rb

@@ -33,6 +33,20 @@ class RegistrantApiAuthenticationTest < ApplicationSystemTestCase
     end
   end
 
+  def test_request_returns_401_from_a_not_whitelisted_ip
+    params = { foo: :bar, test: :test }
+    @original_whitelist_ip = ENV['registrant_api_auth_allowed_ips']
+    ENV['registrant_api_auth_allowed_ips'] = '1.2.3.4'
+
+    post '/api/v1/registrant/auth/eid', params
+    assert_equal(401, response.status)
+    json_body = JSON.parse(response.body, symbolize_names: true)
+
+    assert_equal({error: 'Not authorized'}, json_body)
+
+    ENV['registrant_api_auth_allowed_ips'] = @original_whitelist_ip
+  end
+
   def test_request_documented_parameters_are_required
     params = { foo: :bar, test: :test }
 

test/system/api/registrant/registrant_api_domains_test.rb

@@ -14,9 +14,12 @@ class RegistrantApiDomainsTest < ApplicationSystemTestCase
     assert_equal(200, response.status)
   end
 
-  def test_root_returns_403_without_authorization
+  def test_root_returns_401_without_authorization
     get '/api/v1/registrant/domains', {}, {}
-    assert_equal(403, response.status)
+    assert_equal(401, response.status)
+    json_body = JSON.parse(response.body, symbolize_names: true)
+
+    assert_equal({error: 'Not authorized'}, json_body)
   end
 
   private