Is there a Wakanda way to:
I will answer the questions one by one:
1-
This should be done using your OS's firewall (using iptables, for instance, if you are on Linux).
2-
If you restrict access to the app using the firewall, you might not need to do this. But if you really need to:
Today there is no good way to do this, because you can't disable the authentication REST API. The workaround I propose is as follows (but I don't think it will work if you are using Active Directory):
Add a custom request handler for authentication, /login, where you do something like:
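    function login(request, response) {
        var ip = request.remoteAddress;
        // Refuse the request outright when the caller's IP is not allowed.
        if (!isIPAuthorized(ip)) {
            response.statusCode = 403;
            return;
        }
        // Flag the session so the login listener can recognize this request.
        sessionStorage["login-request"] = true;
        try {
            /*
             * Your login code here
             * For instance you can use loginByPassword, createUserSession ..
             */
        } finally {
            // Always clear the flag, even if the login code throws.
            sessionStorage["login-request"] = false;
        }
    }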
Inside your Login Listener, you can check whether the login request came from your custom login function or not by checking the sessionStorage:
    // Reject any login that did not pass through the custom /login handler.
    if (!sessionStorage["login-request"]) {
        return {
            "error": 1024,
            "errorMessage": "Unauthorized Login Attempt"
        };
    }
This way any login attempt using the default REST authentication API where IPs are not checked will be refused.
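The handler above calls isIPAuthorized without defining it. One way to write that check, as an added example that is not part of the original answer: an IPv4 CIDR allowlist that fails closed. The network list and the helper names other than isIPAuthorized are assumptions, and it assumes request.remoteAddress is a string.

```javascript
// Constructed sample allowlist (assumption): replace with your own networks.
var ALLOWED_NETWORKS = ["127.0.0.1/32", "10.0.0.0/8", "192.168.10.0/24"];

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer.
// Returns null unless the input is exactly four decimal octets (0-255)
// with no leading zeros, so ambiguous forms such as "010.0.0.1" are refused.
function ipv4ToInt(ip) {
    var parts = String(ip).split(".");
    if (parts.length !== 4) { return null; }
    var value = 0;
    for (var i = 0; i < 4; i++) {
        if (!/^(0|[1-9]\d{0,2})$/.test(parts[i])) { return null; }
        var octet = parseInt(parts[i], 10);
        if (octet > 255) { return null; }
        value = value * 256 + octet;
    }
    return value;
}

// Strip the IPv4-mapped IPv6 prefix some stacks report ("::ffff:10.1.2.3").
function normalizeAddress(ip) {
    var text = String(ip).trim().toLowerCase();
    return text.indexOf("::ffff:") === 0 ? text.slice(7) : text;
}

// True when the address falls inside the CIDR block; false on any parse error.
function inCidr(ipInt, cidr) {
    var pieces = cidr.split("/");
    var base = ipv4ToInt(pieces[0]);
    var bits = pieces.length === 2 ? parseInt(pieces[1], 10) : 32;
    if (base === null || isNaN(bits) || bits < 0 || bits > 32) { return false; }
    // Division instead of bit shifts avoids 32-bit signed overflow.
    var blockSize = Math.pow(2, 32 - bits);
    return Math.floor(ipInt / blockSize) === Math.floor(base / blockSize);
}

// Fail closed: anything that does not parse as IPv4 (including plain IPv6,
// undefined or an empty string) is refused.
function isIPAuthorized(ip, networks) {
    var list = networks || ALLOWED_NETWORKS;
    var ipInt = ipv4ToInt(normalizeAddress(ip));
    if (ipInt === null) { return false; }
    for (var i = 0; i < list.length; i++) {
        if (inCidr(ipInt, list[i])) { return true; }
    }
    return false;
}
```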