From 7afe1e0a30f0b8560bfa0320c96181c96cb4bb24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=88=98=E7=A5=A5=E8=B6=85?= <iwind.liu@gmail.com>
Date: Wed, 11 Aug 2021 10:01:23 +0800
Subject: [PATCH] =?UTF-8?q?=E5=AE=89=E5=85=A8=E8=AE=BE=E7=BD=AE=E6=A3=80?=
 =?UTF-8?q?=E6=9F=A5IP=E6=97=B6=E5=90=8C=E6=97=B6=E4=B9=9F=E6=A3=80?=
 =?UTF-8?q?=E6=9F=A5=E7=9B=B4=E6=8E=A5=E8=BF=9E=E6=8E=A5=E7=AE=A1=E7=90=86?=
 =?UTF-8?q?=E5=B9=B3=E5=8F=B0=E7=9A=84=E4=B8=8A=E6=B8=B8IP?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 internal/web/helpers/user_must_auth.go   | 6 ++++++
 internal/web/helpers/user_should_auth.go | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/internal/web/helpers/user_must_auth.go b/internal/web/helpers/user_must_auth.go
index 5846e83c..c10acc6d 100644
--- a/internal/web/helpers/user_must_auth.go
+++ b/internal/web/helpers/user_must_auth.go
@@ -6,6 +6,7 @@ import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/setup"
 	"github.com/iwind/TeaGo/actions"
 	"github.com/iwind/TeaGo/maps"
+	"net"
 	"net/http"
 	"reflect"
 	"strings"
@@ -63,6 +64,11 @@ func (this *userMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
 		action.ResponseWriter.WriteHeader(http.StatusForbidden)
 		return false
 	}
+	remoteAddr, _, _ := net.SplitHostPort(action.Request.RemoteAddr)
+	if len(remoteAddr) > 0 && remoteAddr != action.RequestRemoteIP() && !checkIP(securityConfig, remoteAddr) {
+		action.ResponseWriter.WriteHeader(http.StatusForbidden)
+		return false
+	}
 
 	// 检查系统是否已经配置过
 	if !setup.IsConfigured() {
diff --git a/internal/web/helpers/user_should_auth.go b/internal/web/helpers/user_should_auth.go
index 1b88daa1..56bfdad6 100644
--- a/internal/web/helpers/user_should_auth.go
+++ b/internal/web/helpers/user_should_auth.go
@@ -5,6 +5,7 @@ import (
 	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
 	"github.com/TeaOSLab/EdgeAdmin/internal/utils/numberutils"
 	"github.com/iwind/TeaGo/actions"
+	"net"
 	"net/http"
 )
 
@@ -35,6 +36,11 @@ func (this *UserShouldAuth) BeforeAction(actionPtr actions.ActionWrapper, paramN
 		action.ResponseWriter.WriteHeader(http.StatusForbidden)
 		return false
 	}
+	remoteAddr, _, _ := net.SplitHostPort(action.Request.RemoteAddr)
+	if len(remoteAddr) > 0 && remoteAddr != action.RequestRemoteIP() && !checkIP(securityConfig, remoteAddr) {
+		action.ResponseWriter.WriteHeader(http.StatusForbidden)
+		return false
+	}
 
 	return true
 }