I recommend creating a Machine-to-Machine whitelist action with an array of whitelisted IP addresses. Then in Step 2, I recommend calling the Management API’s Update an action endpoint to update your whitelist action with the corresponding IP address into the whitelist array.
For example:
exports.onExecuteCredentialsExchange = async (event, api) => {
const whitelist = ["8.8.8.8", "1.2.3.4"]
if (!whitelist.includes(event.request.ip)) {
api.access.deny('invalid_request', "Access from your IP address is not allowed.");
}
};
I hope this helps!
Please let me know if you have any further questions.
One more question, since the IP check happens before access token is created and there is no IP info in access token, user could take the access token and call the API from a different IP. Is that a security issue?
This is a little tricky to answer since, technically yes, this could be a security issue if the access token granted to the user was somehow compromised. I would recommend reading our Token Best Practices documentation to familiarize the best practices for securing tokens.
I will add that, since only whitelisted IP addresses can get an access token for your Logical API, we can safely assume that it was granted to the right user. At this point, they would be able to use that access token however they prefer, which includes using it from a different IP.
In this case, my best recommendation would be to make these tokens as short-lived as possible so that it limits the time an attacker can abuse a stolen token.