isLocalIP not sufficient for IPv6

[qqqzzzzzzqqq]

Describe the bug

Since switching my home network to fully IPv6, I've noticed I have to set credentials on my stash even for local access from some devices.

When I use the domain name ending with .local that is offered by my router, devices look this up using IPv6 and then make connections using their public IP address, not their fe80::/10 link-local address.

This, of course, triggers the security_tripwire_accessed_from_public_internet because these are not local IP addresses.

I can work around this by setting a password or by setting the dangerous_allow_public_without_auth to true, but I'd love a middle ground where I can set the dangerous_allow_public_without_auth to a specific IPv6 subnet, corresponding to the subnet that my router allocates, as these are still devices that are accessing it locally, not over the internet.

Steps to reproduce

1. Have an IPv6 home network
2. Remove any credentials
3. Access your stash locally over DNS using http://server.namelocal:9999/

Expected behaviour

I would expect to be able to access it without hitting the tripwire, even if it requires me to manually specify the local subnet somehow.

Screenshots or additional context

No response

Stash version

v0.30.1

Device details

Chrome on Android

Relevant log output

[feederbox826]

https://discourse.stashapp.cc/t/tripwire-on-ipv6-localhost/245

fe... is not link-local and is actually global unicast

[qqqzzzzzzqqq]

Right, sorry. That was my mistake! Whether it's link-local or not, it's not the address that's being used.

My ISP and router are allocating public IP addresses to every device, not using NAT for "internal" addresses. As I understand it, that's the normal way to build an IPv6 network, since NAT only really exists in IPv4 because there aren't enough IPv4 addresses available to assign one to every device in the world.

I think the recommended way to work out if an IPv6 address belongs to a local network or not requires the calling application (stash in this case) to know what the prefix of the local network is and then look for any IP addresses with that prefix. But that would require something like a config option for us to be able to specify the prefix. The built-in methods in Go aren't enough because there isn't the same convention for "this number means local" that NAT has.

I'm not really an expert on this stuff though - just learning as I go along because it's my first time having working IPv6 on a home network!

[feederbox826]

As I understand it, that's the normal way to build an IPv6 network

yes, technically that is the correct way to build a public-reachable network, but v6 has special allocations for non-resolvable private addresses. The prefix your router is using is supposed to be private but wasn't updated when the ruling changed

Trying to determine the network block wouldn't make much sense since it's always a large block* except when it's not VPS providers like hetzner provide a /64 and seem to be the most common allocation, specifying a block would make much more sense for users who want to publicly route or have deprecated ranges like yours

[utopiabound]

Can we add a whitelist for allowed IPs without Auth? If I've got an assigned /64 IPv6 address space, I can control access at my router, but IPv6 addresses are meant to be globally routable, and not just link-local. This would let me access my server at http://hostname.local:port from my phone.

[qqqzzzzzzqqq]

Yeah @utopiabound said better what I was trying to say. My local network addresses are meant to be public. I think it's a pretty normal network setup to just assign public IP addresses to every device, not private ones. Private addreses weren't even invented until people started to run out of IPv4 addresses, an issue that won't ever occur with IPv6.

[qqqzzzzzzqqq]

A little more info on this. My ISP is using IPv6-PD and has allocated me a /48 subnet. This is what all my local devices have as their IP addresses, both on the local network and on the internet.

qBittorrent has a setting called "Bypass authentication for clients in whitelisted IP subnets". When I put my PD subnet into that field, I can now access qBittorrent without authentication locally, but it would still be safe from intruders from other subnets.