feat(admin): Improve IP whitelist management

Datanoise · Datanoise · commit 923631e6ec99 · 2026-02-22T17:41:04.000+01:00
- Prevents duplicate entries from being added to the IP whitelist.
- Updates the IP whitelist on the admin page dynamically using JavaScript, removing the need for a page reload.
- Refactors whitelist and ban logic into helper functions on the Config struct.
diff --git a/config/config.go b/config/config.go
@@ -121,6 +121,54 @@ type Config struct {
 	Users map[string]*User `json:"users"`
 }
 
+func (c *Config) IsWhitelisted(ip string) bool {
+	for _, existingIP := range c.WhitelistedIPs {
+		if existingIP == ip {
+			return true
+		}
+	}
+	return false
+}
+
+func (c *Config) AddWhitelistedIP(ip string) {
+	if !c.IsWhitelisted(ip) {
+		c.WhitelistedIPs = append(c.WhitelistedIPs, ip)
+	}
+}
+
+func (c *Config) RemoveWhitelistedIP(ip string) {
+	for i, existingIP := range c.WhitelistedIPs {
+		if existingIP == ip {
+			c.WhitelistedIPs = append(c.WhitelistedIPs[:i], c.WhitelistedIPs[i+1:]...)
+			return
+		}
+	}
+}
+
+func (c *Config) IsBanned(ip string) bool {
+	for _, existingIP := range c.BannedIPs {
+		if existingIP == ip {
+			return true
+		}
+	}
+	return false
+}
+
+func (c *Config) AddBannedIP(ip string) {
+	if !c.IsBanned(ip) {
+		c.BannedIPs = append(c.BannedIPs, ip)
+	}
+}
+
+func (c *Config) RemoveBannedIP(ip string) {
+	for i, existingIP := range c.BannedIPs {
+		if existingIP == ip {
+			c.BannedIPs = append(c.BannedIPs[:i], c.BannedIPs[i+1:]...)
+			return
+		}
+	}
+}
+
 func HashPassword(p string) (string, error) {
 	bytes, err := bcrypt.GenerateFromPassword([]byte(p), 12)
 	return string(bytes), err
diff --git a/server/handlers_admin.go b/server/handlers_admin.go
@@ -336,35 +336,72 @@ func (s *Server) handleRemoveBannedIP(w http.ResponseWriter, r *http.Request) {
 
 func (s *Server) handleAddWhitelistedIP(w http.ResponseWriter, r *http.Request) {
 	if !s.isCSRFSafe(r) {
+		http.Error(w, "Forbidden", http.StatusForbidden)
 		return
 	}
 	user, ok := s.checkAuth(r)
-	if ok && user.Role == config.RoleSuperAdmin {
-		ip := r.FormValue("ip")
-		if ip != "" {
-			s.Config.WhitelistedIPs = append(s.Config.WhitelistedIPs, ip)
-			s.Config.SaveConfig()
+	if !ok || user.Role != config.RoleSuperAdmin {
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	ip := r.FormValue("ip")
+	if ip == "" {
+		http.Error(w, "IP address cannot be empty", http.StatusBadRequest)
+		return
+	}
+
+	// Check for duplicates
+	for _, existingIP := range s.Config.WhitelistedIPs {
+		if existingIP == ip {
+			http.Error(w, "IP address already in the whitelist", http.StatusConflict)
+			return
 		}
 	}
-	http.Redirect(w, r, "/admin", http.StatusSeeOther)
+
+	s.Config.WhitelistedIPs = append(s.Config.WhitelistedIPs, ip)
+	// For consistency, sort the list after adding
+	sort.Strings(s.Config.WhitelistedIPs)
+	s.Config.SaveConfig()
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]string{"ip": ip, "status": "added"})
 }
 
 func (s *Server) handleRemoveWhitelistedIP(w http.ResponseWriter, r *http.Request) {
 	if !s.isCSRFSafe(r) {
+		http.Error(w, "Forbidden", http.StatusForbidden)
 		return
 	}
 	user, ok := s.checkAuth(r)
-	if ok && user.Role == config.RoleSuperAdmin {
-		ip := r.FormValue("ip")
-		for i, b := range s.Config.WhitelistedIPs {
-			if b == ip {
-				s.Config.WhitelistedIPs = append(s.Config.WhitelistedIPs[:i], s.Config.WhitelistedIPs[i+1:]...)
-				s.Config.SaveConfig()
-				break
-			}
+	if !ok || user.Role != config.RoleSuperAdmin {
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	ip := r.FormValue("ip")
+	if ip == "" {
+		http.Error(w, "IP address cannot be empty", http.StatusBadRequest)
+		return
+	}
+
+	found := false
+	for i, b := range s.Config.WhitelistedIPs {
+		if b == ip {
+			s.Config.WhitelistedIPs = append(s.Config.WhitelistedIPs[:i], s.Config.WhitelistedIPs[i+1:]...)
+			s.Config.SaveConfig()
+			found = true
+			break
 		}
 	}
-	http.Redirect(w, r, "/admin", http.StatusSeeOther)
+
+	if !found {
+		http.Error(w, "IP not found in whitelist", http.StatusNotFound)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]string{"ip": ip, "status": "removed"})
 }
 
 func (s *Server) handleClearAuthLockout(w http.ResponseWriter, r *http.Request) {
diff --git a/server/templates/admin.html b/server/templates/admin.html
@@ -1506,7 +1506,7 @@ <h1 class="page-title"><i data-lucide="shield-check"></i> Security & Bans</h1>
                         <h2>Ban Address or Range</h2>
                         <div class="card">
                             <form action="/admin/add-banned-ip" method="POST"
-                                onsubmit="return submitForm(event, false)">
+                                onsubmit="return submitForm(event, true)">
                                 <input type="hidden" name="csrf" value="{{$.CSRFToken}}">
                                 <div class="form-group">
                                     <label>IP Address or CIDR Range</label>
@@ -1554,8 +1554,7 @@ <h2>Banned IP List</h2>
                     <section>
                         <h2>Whitelist Address or Range</h2>
                         <div class="card">
-                            <form action="/admin/add-whitelisted-ip" method="POST"
-                                onsubmit="return submitForm(event, false)">
+                            <form action="/admin/add-whitelisted-ip" method="POST">
                                 <input type="hidden" name="csrf" value="{{$.CSRFToken}}">
                                 <div class="form-group">
                                     <label>IP Address or CIDR Range</label>
@@ -1575,21 +1574,20 @@ <h2>Whitelisted IP List</h2>
                                         <th style="width:30%">Action</th>
                                     </tr>
                                 </thead>
-                                <tbody>
+                                <tbody id="whitelist-tbody">
                                     {{range .Config.WhitelistedIPs}}
                                     <tr>
                                         <td>{{.}}</td>
                                         <td>
-                                            <form action="/admin/remove-whitelisted-ip" method="POST"
-                                                onsubmit="return submitForm(event, false)">
+                                            <form action="/admin/remove-whitelisted-ip" method="POST" class="remove-whitelist-form">
                                                 <input type="hidden" name="csrf" value="{{$.CSRFToken}}">
                                                 <input type="hidden" name="ip" value="{{.}}">
                                                 <button type="submit" class="btn btn-outline btn-sm">Remove</button>
                                             </form>
                                         </td>
                                     </tr>
                                     {{else}}
-                                    <tr>
+                                    <tr id="no-whitelist-ips-row">
                                         <td colspan="2" style="text-align:center; padding:2rem">No IPs whitelisted.</td>
                                     </tr>
                                     {{end}}
@@ -2565,6 +2563,110 @@ <h2>Edit AutoDJ</h2>
             if (window.location.hash) { var it = window.location.hash.substring(1); if (document.getElementById(it)) { showTab(it, false); } }
         })();
     </script>
+    <script>
+        document.addEventListener('DOMContentLoaded', function() {
+            const addWhitelistForm = document.querySelector('form[action="/admin/add-whitelisted-ip"]');
+            const whitelistTbody = document.getElementById('whitelist-tbody');
+
+            // --- Handle ADDING a whitelisted IP ---
+            if (addWhitelistForm) {
+                addWhitelistForm.addEventListener('submit', function(event) {
+                    event.preventDefault();
+                    const form = event.target;
+                    const ipInput = form.querySelector('input[name="ip"]');
+                    const ip = ipInput.value.trim();
+
+                    if (!ip) {
+                        alert('IP address cannot be empty.');
+                        return;
+                    }
+
+                    // Client-side duplicate check
+                    const existingIPs = Array.from(whitelistTbody.querySelectorAll('tr td:first-child')).map(td => td.textContent.trim());
+                    if (existingIPs.includes(ip)) {
+                        alert('This IP address is already in the whitelist.');
+                        return;
+                    }
+
+                    const formData = new FormData(form);
+                    
+                    fetch(form.action, {
+                        method: 'POST',
+                        body: formData
+                    })
+                    .then(response => {
+                        if (response.ok) {
+                            return response.json();
+                        }
+                        return response.text().then(text => { throw new Error(text || 'An unknown error occurred.') });
+                    })
+                    .then(data => {
+                        if (data.status === 'added') {
+                            const noIpRow = document.getElementById('no-whitelist-ips-row');
+                            if (noIpRow) {
+                                noIpRow.remove();
+                            }
+
+                            const newRow = document.createElement('tr');
+                            newRow.innerHTML = `
+                                <td>${data.ip}</td>
+                                <td>
+                                    <form action="/admin/remove-whitelisted-ip" method="POST" class="remove-whitelist-form">
+                                        <input type="hidden" name="csrf" value="${csrfToken}">
+                                        <input type="hidden" name="ip" value="${data.ip}">
+                                        <button type="submit" class="btn btn-outline btn-sm">Remove</button>
+                                    </form>
+                                </td>
+                            `;
+                            whitelistTbody.appendChild(newRow);
+                            newRow.querySelector('.remove-whitelist-form').addEventListener('submit', handleRemoveSubmit);
+                            ipInput.value = '';
+                        }
+                    })
+                    .catch(error => {
+                        alert('Failed to add IP: ' + error.message);
+                    });
+                });
+            }
+
+            // --- Handle REMOVING a whitelisted IP ---
+            const handleRemoveSubmit = function(event) {
+                event.preventDefault();
+                const form = event.target;
+                const row = form.closest('tr');
+                const formData = new FormData(form);
+
+                fetch(form.action, {
+                    method: 'POST',
+                    body: formData
+                })
+                .then(response => {
+                    if (response.ok) {
+                        return response.json();
+                    }
+                    return response.text().then(text => { throw new Error(text || 'An unknown error occurred.') });
+                })
+                .then(data => {
+                    if (data.status === 'removed') {
+                        row.remove();
+                        if (whitelistTbody.childElementCount === 0) {
+                            const noIpRow = document.createElement('tr');
+                            noIpRow.id = 'no-whitelist-ips-row';
+                            noIpRow.innerHTML = '<td colspan="2" style="text-align:center; padding:2rem">No IPs whitelisted.</td>';
+                            whitelistTbody.appendChild(noIpRow);
+                        }
+                    }
+                })
+                .catch(error => {
+                    alert('Failed to remove IP: ' + error.message);
+                });
+            };
+
+            document.querySelectorAll('.remove-whitelist-form').forEach(form => {
+                form.addEventListener('submit', handleRemoveSubmit);
+            });
+        });
+    </script>
 </body>
 
 </html>
