supertokens-auth-reactAllow / Deny requests based on IP address
You can set the SuperTokens core's config such that it accepts / denies requests that originate from certain IPs. This can be used to make sure that only your backend is able to query the SuperTokens core - increasing the security.
Allowing requests that have certain IP addresses#
- With Docker
- Without Docker
docker run \
-p 3567:3567 \
-e IP_ALLOW_REGEX="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" \
-d registry.supertokens.io/supertokens/supertokens-<db_name>
# You need to add the following to the config.yaml file.
# The file path can be found by running the "supertokens --help" command
ip_allow_regex: 127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1
The above will only allow requests that originate from an IP that matches 127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1 regular expression. A breakdown of this regex is:
127\.\d+\.\d+\.\d+: IPs that start with127.; OR::1: IPv6 from localhost; OR0:0:0:0:0:0:0:1: IPv6 from localhost
In this way, we allow requests only from localhost and for other requests, the core will return a 403 status code. If instead you want to allow a list of IP addresses that correspond to your backend server's IP address, you can set this value to IP1|IP2|IP3... - for example: 100.12.12.3|192.167.4.3|50.32.5.1.
If this value is not set, then the core will allow requests from any IP address.
Denying requests that have certain IP addresses#
This is the opposite of the above config. If you only set this, the core will allow requests from any IP other than the one that matches the regular expression corresponding to this setting..
- With Docker
- Without Docker
docker run \
-p 3567:3567 \
-e IP_DENY_REGEX="100.1.1.3" \
-d registry.supertokens.io/supertokens/supertokens-<db_name>
# You need to add the following to the config.yaml file.
# The file path can be found by running the "supertokens --help" command
ip_deny_regex: 100.1.1.3
The above setting will make the core accept requests from any IP other than 100.1.1.3. For 100.1.1.3, it will return a 403.
What if both the configs are set?#
In this case, the core will allow requests only based on the value of ip_allow_regex, as long that request's IP doesn't match the regex of ip_deny_regex. For example, if you set ip_allow_regex: IP1|IP2 and ip_deny_regex: IP1, then the core will accept requests only from IP2.
important
For managed service, please navigate to your dashboard and go to the edit configuration section to set this value.