From 7a7faf405e3019a45bcf79d165d77e0fe20f32aa Mon Sep 17 00:00:00 2001
From: Naim A <227396+naim94a@users.noreply.github.com>
Date: Wed, 6 May 2020 03:37:18 +0300
Subject: [PATCH] check remote_addr is loopback
---
 src/webserver.rs | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/src/webserver.rs b/src/webserver.rs
index d0fa0c8..499b055 100644
--- a/src/webserver.rs
+++ b/src/webserver.rs
@@ -59,18 +59,23 @@ fn authenticate(tokens: HashMap) -> impl Filter())
- .and_then(|tokens: Arc>, token: AuthToken| {
- async move {
- if let Some(token) = token.token {
- if tokens.contains(&token) {
- return Ok(());
+ .and(filters::addr::remote())
+ .and_then(
+ |tokens: Arc>, token: AuthToken, peer_addr: Option| {
+ async move {
+ if let Some(addr) = peer_addr {
+ if let Some(token) = token.token {
+ if addr.ip().is_loopback() && tokens.contains(&token) {
+ return Ok(());
+ }
+ }
 }
+ Err(warp::reject::custom(ActionStatus::Err {
+ reason: "Access Denied".into(),
+ }))
 }
- Err(warp::reject::custom(ActionStatus::Err {
- reason: "Access Denied".into(),
- }))
- }
- })
+ },
+ )
 .untuple_one()
 }
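Review bot: The `addr.ip().is_loopback()` test added in the `and_then` closure checks only the direct TCP peer, so if the service is deployed behind a reverse proxy or port-forward on the same host every request arrives from loopback and the token alone decides access. I would record that above the closure, e.g. `// Peer is the direct TCP peer; behind a local reverse proxy every client appears as loopback, so this check adds nothing there.` Separately, `IpAddr::is_loopback()` returns false for the IPv4-mapped form `::ffff:127.0.0.1`, so if the listener is a dual-stack IPv6 socket (the bind address is not visible in this hunk) local IPv4 clients would be denied; normalising mapped addresses before the test, for instance with `Ipv6Addr::to_ipv4_mapped`, avoids that. The `None` peer-address case falls through to `Access Denied`, which is the right fail-closed default, though logging the rejected peer address there would help when auditing denied requests. `authenticate` begins before the lines this hunk shows.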