I have a fastapi server and a react client application and i am new to implementing security features. The current react application uses Auth0 to handle user authentication.
I am trying to ensure that requests made to the fastapi app can only be made by my co-workers. This app is for internal office use, and only people using the office wifi should have access to this app. Would it be enough to implement ip address restriction as shown below? (code generated by chatgpt). Or is it still necessary to implement json web token (jwt) to authenticate users making request from the front end?
Is my understanding correct that if i implement ip address restriction, i do not need to implement jwt, since there are no user-specific requirements, and the app will be secure, since only users with access to office wifi and accessing the front end in the office will be able to get it to work?
from fastapi import FastAPI, HTTPException, Request
app = FastAPI()
# Replace this with the WiFi IP range
allowed_wifi_range = "192.168.1."
# Middleware to check the incoming request's IP address
@app.middleware("http")
async def check_ip(request: Request, call_next):
client_ip = request.client.host
# Check if the client IP address is within the allowed WiFi range
if not client_ip.startswith(allowed_wifi_range):
raise HTTPException(
status_code=403,
detail="Access Forbidden: Your IP address is not allowed.",
)
response = await call_next(request)
return response
# Your protected endpoint
@app.get("/protected")
def protected_route():
return {"message": "This is a protected route"}
Only using IP authentication is generally considered a very low security posture, and ignores a number of common attack patterns.
For example, consider the scenario of cross-site request forgery. An attacker has control of a malicous site. They insert Javascript into a page on this site which calls your API. They then send a message to a user on your network that includes a link to their malicious page. When the user clicks the link, they run the script in their browser, and access your API. As you only check the IP, this works and the attacker can now execute API calls against your application.
Defending against this requires authentication of the requests to the API. Using a JWT on the requests which is issued to your front-end application by the identity provider allows your API to know that the request is being made in the context of your intended use case and is properly authenticated.
You should also look into CORS (Cross-Origin Resource Sharing) and related security headers to ensure that you advise browsers connecting to your API of the context in which it should be possible for a page to interact with the API.
Maybe not relevant to your situation, but another issue with IP filtering of this type is that if you decided to host the API outside your network, then you would not be able to tell the difference between one network in your office and another unless they mapped to different Internet addresses. For example, a guest WiFi network that was separate from the corporate WiFi might still appear to the Internet as your router/firewall IP, and then the API could not filter to just your corporate WiFi.