feat: add validate_resource_server_ip feature flag to config and check to validate (#98)

* feat: add validate_resource_server_ip feature flag to config and check to validate

Signed-off-by: romanetar <roman_ag@hotmail.com>

* fix(oauth2): move disable IP adress check

---------

Signed-off-by: romanetar <roman_ag@hotmail.com>
Co-authored-by: smarcet <smarcet@gmail.com>

Author: romanetar

.env.example

@@ -115,6 +115,8 @@ AUTH_PASSWORD_SHAPE_PATTERN="^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^
 AUTH_PASSWORD_SHAPE_WARNING="Password must include at least one uppercase letter, one lowercase letter, one number, and one special character."
 
 
+OAUTH2_VALIDATE_RESOURCE_SERVER_IP=true
+
 #Open Telemetry
 OTEL_SERVICE_ENABLED=true
 OTEL_SERVICE_NAME=idp-api

app/Models/OAuth2/ResourceServer.php

@@ -65,7 +65,9 @@ class ResourceServer extends BaseEntity
      * @return bool
      */
     public function isOwn($ip)
-    {   $provided_ips = array_map('trim', explode(',', $ip));
+    {
+
+        $provided_ips = array_map('trim', explode(',', $ip));
         $own_ips = array_map('trim', explode(',', $this->ips));
         Log::debug
         (

app/libs/OAuth2/GrantTypes/Strategies/ValidateBearerTokenResourceServerStrategy.php

@@ -78,31 +78,31 @@ public function validate(AccessToken $access_token, IClient $client)
                 'resource server is disabled!'
             );
         }
-        //check resource server ip address
-        if (!$resource_server->isOwn($current_ip))
-        {
-            throw new BearerTokenDisclosureAttemptException
-            (
-                sprintf
+        if (config('oauth2.validate_resource_server_ip', false)) {
+            //check resource server ip address
+            if (!$resource_server->isOwn($current_ip)) {
+                throw new BearerTokenDisclosureAttemptException
                 (
-                    'resource server ip (%s) differs from current request ip %s',
-                    $resource_server->getIPAddresses(),
-                    $current_ip
-                )
-            );
-        }
-        // check if current ip belongs to a registered resource server audience
-        if (!$this->token_service->checkAccessTokenAudience($access_token, $current_ip))
-        {
-            throw new BearerTokenDisclosureAttemptException
-            (
-                sprintf
+                    sprintf
+                    (
+                        'resource server ip (%s) differs from current request ip %s',
+                        $resource_server->getIPAddresses(),
+                        $current_ip
+                    )
+                );
+            }
+            // check if current ip belongs to a registered resource server audience
+            if (!$this->token_service->checkAccessTokenAudience($access_token, $current_ip)) {
+                throw new BearerTokenDisclosureAttemptException
                 (
-                    'access token current audience (%s) does not match with current request ip %s',
-                    $access_token->getAudience(),
-                    $current_ip
-                )
-            );
+                    sprintf
+                    (
+                        'access token current audience (%s) does not match with current request ip %s',
+                        $access_token->getAudience(),
+                        $current_ip
+                    )
+                );
+            }
         }
     }
 }

config/oauth2.php

@@ -0,0 +1,15 @@
+<?php
+
+return [
+
+    /*
+    |--------------------------------------------------------------------------
+    | Validate Resource Server IP Address
+    |--------------------------------------------------------------------------
+    |
+    | When enabled, validates that the resource server IP address matches
+    | the request IP and the access token audience.
+    |
+    */
+    'validate_resource_server_ip' => env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', false),
+];