Block users trying to access outside IP list

Hi, I am writing a rule to block certain email addresses from logging in from outside a given IP list, but it is still allowing those users to log in.

Here is the rule:

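function (user, context, callback) {
  // Auth0 Rule: accounts listed in `blockedUsers` may only log in from an
  // address listed in `whitelistIPs`. Every other user passes through.
  //
  // user     - profile of the user logging in; only `user.email` is read.
  // context  - login context; only `context.request.ip` is read.
  // callback - called with an UnauthorizedError to deny the login, or with
  //            (null, user, context) to let the pipeline continue.

  // Accounts that are restricted to the approved addresses below.
  // NOTE(review): matching is by email address. If an account can change its
  // email, or the connection does not verify it, matching on a stable
  // identifier may be safer - confirm against your tenant.
  const blockedUsers = ['ops@xyz.com'];

  // Approved source addresses, compared as exact strings.
  // NOTE(review): confirm the format in which context.request.ip reports
  // IPv6 or proxied clients before relying on exact string matches.
  const whitelistIPs = [
    '182.77.51.73',
    '103.54.102.149',
    '182.77.60.237',
    '203.134.218.180',
    '70.35.203.46',
    '103.54.103.28',
    '203.134.213.35'
  ];

  // Compare emails case-insensitively so a differently-cased address cannot
  // slip past the restriction list. A missing email matches nothing.
  const email = typeof user.email === 'string' ? user.email.toLowerCase() : '';
  const isRestricted = blockedUsers.some(function (entry) {
    return entry.toLowerCase() === email;
  });

  if (!isRestricted) {
    return callback(null, user, context);
  }

  // The original test was `whitelistIPs.some(ip => requestIp !== ip)`, which
  // is true as soon as ANY entry differs from the request IP - i.e. always,
  // once the list holds two or more addresses. The intended check is "the
  // request IP is not in the list". A missing IP is treated as not approved.
  const requestIp = context.request && context.request.ip;
  if (!whitelistIPs.includes(requestIp)) {
    return callback(new UnauthorizedError('Access denied from this IP address.'));
  }

  return callback(null, user, context);
}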

Hi @om.munishsehgal,

Welcome to the Auth0 Community!

I understand that you are experiencing issues when trying to block users that do not have whitelisted IPs from logging in with an Auth0 Rule.

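I have written a new Rule script to block non-whitelisted IPs and blacklisted email addresses. Note that it denies every user who connects from an IP outside the whitelist, and denies the listed email addresses from any IP: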

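function (user, context, callback) {
  // Auth0 Rule: deny the login when the request comes from an address that
  // is not in `whitelist`, OR when the user's email is in `blockedUsers`
  // (regardless of address). All other logins continue.
  //
  // user     - profile of the user logging in; only `user.email` is read.
  // context  - login context; only `context.request.ip` is read.
  // callback - called with an UnauthorizedError to deny the login, or with
  //            (null, user, context) to let the pipeline continue.
  const blockedUsers = ['ops@xyz.com'];
  const whitelist = ['8.8.8.8', '1.2.3.4'];

  // A missing IP is treated as not whitelisted, so the rule fails closed.
  const requestIp = context.request && context.request.ip;

  // The original used `user.email.includes(blockedUsers)`, which coerces the
  // array to one comma-joined string and does a substring search: it stops
  // matching as soon as the list has two entries, and it throws when the
  // profile has no email. Look the email up in the list instead, ignoring
  // case so a differently-cased address is still caught.
  const email = typeof user.email === 'string' ? user.email.toLowerCase() : '';
  const isBlockedUser = blockedUsers.some((entry) => entry.toLowerCase() === email);

  if (!whitelist.includes(requestIp) || isBlockedUser) {
    return callback(new UnauthorizedError('Access to this application has been temporarily revoked'));
  }

  return callback(null, user, context);
}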

Please let me know if you have any questions.

Thanks,
Rueben
