Add custom IP filtering auth plugin and acceptance tests

GrantBirki · GrantBirki · commit 84dd5d90c278 · 2025-06-16T22:55:03.000-07:00
diff --git a/spec/acceptance/acceptance_tests.rb b/spec/acceptance/acceptance_tests.rb
@@ -568,5 +568,24 @@ def expired_unix_timestamp(seconds_ago = 600)
         expect_response(response, Net::HTTPUnauthorized, "authentication failed")
       end
     end
+
+    describe "custom ip filtering auth plugin" do
+      it "successfully validates using a custom IP filtering auth plugin" do
+        payload = {}.to_json
+        headers = { "Content-Type" => "application/json", "X-Forwarded-For" => "999.999.999.999" }
+        response = make_request(:post, "/webhooks/ip_filtering_example", payload, headers)
+
+        expect_response(response, Net::HTTPSuccess)
+        body = parse_json_response(response)
+        expect(body["status"]).to eq("success")
+      end
+
+      it "rejects requests with invalid IP using custom IP filtering auth plugin" do
+        payload = {}.to_json
+        headers = { "Content-Type" => "application/json", "X-Forwarded-For" => "123.456.789.000" }
+        response = make_request(:post, "/webhooks/ip_filtering_example", payload, headers)
+        expect_response(response, Net::HTTPUnauthorized, "authentication failed")
+      end
+    end
   end
 end
diff --git a/spec/acceptance/config/endpoints/ip_filtering_example.yml b/spec/acceptance/config/endpoints/ip_filtering_example.yml
@@ -0,0 +1,10 @@
+path: /ip_filtering_example
+handler: Hello
+
+auth:
+  type: ip_filtering_example
+
+opts:
+  allowed_ips:
+    - "999.999.999.999" # intentionally invalid IP
+    - "888.888.888.888" # intentionally invalid IP
diff --git a/spec/acceptance/plugins/auth/ip_filtering_example.rb b/spec/acceptance/plugins/auth/ip_filtering_example.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+# Example custom auth plugin for IP filtering
+module Hooks
+  module Plugins
+    module Auth
+      class IpFilteringExample < Base
+        def self.valid?(payload:, headers:, config:)
+          # Get the allowed IPs from the configuration (opts is a hash containing additional options that can be set in any endpoint configuration)
+          allowed_ips = config.dig(:opts, :allowed_ips) || []
+
+          # Get the request IP from headers or payload
+          # Find the IP via the request headers with case-insensitive matching - this is a helper method available in the base class
+          # so it is available to all auth plugins.
+          # This example assumes the IP is in the "X-Forwarded-For" header, which is common for proxied requests
+          request_ip = find_header_value(headers, "X-Forwarded-For")
+
+          # If the request IP is not found, return false
+          return false unless request_ip
+
+          # Return true if the request IP is in the allowed IPs list
+          allowed_ips.include?(request_ip)
+        end
+      end
+    end
+  end
+end
