fix(security): add localhost-only protection for admin endpoints

Adds middleware to restrict /api/admin/restart and /api/admin/shutdown to localhost-only access. This prevents DoS attacks when the worker service is bound to 0.0.0.0 for remote UI access. Implementation: - Created requireLocalhost middleware in middleware.ts - Applied to both admin endpoints - Checks client IP against localhost addresses (127.0.0.1, ::1, etc.) - Returns 403 Forbidden for non-localhost requests Addresses security concern raised in PR #368 with cleaner DRY approach. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-17 19:06:33 -05:00
parent 44029862b1
commit 0cb3256b2d
2 changed files with 32 additions and 4 deletions
@@ -60,6 +60,34 @@ export function createMiddleware(
  return middlewares;
 }

+/**
+ * Middleware to require localhost-only access
+ * Used for admin endpoints that should not be exposed when binding to 0.0.0.0
+ */
+export function requireLocalhost(req: Request, res: Response, next: NextFunction): void {
+  const clientIp = req.ip || req.connection.remoteAddress || '';
+  const isLocalhost =
+    clientIp === '127.0.0.1' ||
+    clientIp === '::1' ||
+    clientIp === '::ffff:127.0.0.1' ||
+    clientIp === 'localhost';
+
+  if (!isLocalhost) {
+    logger.warn('SECURITY', 'Admin endpoint access denied - not localhost', {
+      endpoint: req.path,
+      clientIp,
+      method: req.method
+    });
+    res.status(403).json({
+      error: 'Forbidden',
+      message: 'Admin endpoints are only accessible from localhost'
+    });
+    return;
+  }
+
+  next();
+}
+
 /**
 * Summarize request body for logging
 * Used to avoid logging sensitive data or large payloads