Only accept calls from localhost:
server.auth.strategy('localhost', 'ip-whitelist', ['127.0.0.1']);NOTE: Third parameter of server.auth.strategy is options which must be an object.
To be used like
server.route({
method: 'GET',
path: '/',
handler(request, h) { return "That was from localhost!" },
options: { auth: 'localhost' }
});In the route receives a request from a different IP, it will respond a 401 unauthorized error with the message 192.168.0.102 is not a valid IP, where 192.168.0.102 is the IP of the request.
You can also specify several IPs by passing a list instead. For example, consider the IPs to expect requests from, as specified by MercadoPago.
server.auth.strategy(
'mercado-pago-webhook',
'ip-whitelist',
_.flatMap(
['209.225.49.*', '216.33.197.*', '216.33.196.*', '63.128.82.*', '63.128.83.*', '63.128.94.*'],
(part) => _.times(256, (n) => _.replace(part, '*', _.toString(n)))
)
);In case you are behind a proxy, use Hapi plugin therealyou.
It will find the "real" IP in X-Forward headers and modify the request.info.remoteAddress.
server.register([
{
plugin: require('therealyou')
},
{
plugin: require('hapi-auth-ip-whitelist')
}
])Start local example server with
npm startthen visit http://localhost:3000.
Successfully authenticated request http://localhost:3000/authenticated. Unauthenticated request http://localhost:3000/unauthenticated.