[v3.0.2.0 - Concept] - API login IP address validation

Posted: Wed Oct 18, 2017 10:11 am
by straightlight
For the OpenCart v3.0.2.0 release, I have integrated a little addon which was originally found from WeChat in:

- system/storage/vendor/zoujingli/wechat-php-sdk/Wechat/Lib/Tools.php file in order to filter the IP address. The most relevant location where these types of verifications should be made would be on the:

- catalog/controller/api/login.php file.

Find:

Code:

if (!in_array($this->request->server['REMOTE_ADDR'], $ip_data)) {

replace with:

Code:

if (!in_array($this->getIpAddress(), $ip_data)) {

Then, find the last:

Code:

}

at the end of the file. Then, add above - not below:

Code:

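protected function getIpAddress() {
    // Check the forwarding headers first, then fall back to the socket address.
    // Note: every HTTP_* entry is a request header supplied by the client.
    foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP', 'REMOTE_ADDR') as $header) {
        // Skip entries that are not present in this request.
        if (!isset($this->request->server[$header]) || ($spoof = $this->request->server[$header]) === NULL) {
            continue;
        }

        // Keep only the first entry of a comma-separated list.
        sscanf($spoof, '%[^,]', $spoof);

        // Return the first candidate that is a valid IPv4 address.
        if (!filter_var($spoof, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
            $spoof = NULL;
        } else {
            return $spoof;
        }
    }

    // No entry held a valid IPv4 address.
    return '0.0.0.0';
}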
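
Editor's added example (not part of the original post and not OpenCart's own code): the function above reads `X-Forwarded-For` and similar headers before `REMOTE_ADDR`, and those headers are set by the caller, so the value compared against `$ip_data` can be chosen by the caller. The sketch below honours the forwarded chain only when the direct peer is a known reverse proxy. The name `resolveClientIp`, the `$trustedProxies` list and the sample addresses are assumptions constructed for illustration.

```php
<?php
// Added example. resolveClientIp(), $trustedProxies and all sample data are constructed.

/** Resolve the address to compare against the API IP allowlist. */
function resolveClientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!filter_var($peer, FILTER_VALIDATE_IP)) {
        return '0.0.0.0';
    }
    // Direct connection: forwarded headers are caller-supplied, so ignore them.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }
    $xff = trim($server['HTTP_X_FORWARDED_FOR'] ?? '');
    if ($xff === '') {
        return $peer; // request originated at the proxy itself
    }
    // Walk right to left: the rightmost entries were appended by our own proxies.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (!filter_var($hop, FILTER_VALIDATE_IP)) {
            return '0.0.0.0'; // malformed chain: fail closed
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop; // first address not vouched for by a trusted proxy
        }
    }
    return $peer;
}

$proxies = ['10.0.0.5'];      // constructed: the site's reverse proxy
$allow   = ['203.0.113.10'];  // constructed: plays the role of $ip_data

$cases = [
    'direct, header set by caller' => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'],
    'via proxy, genuine client'    => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'],
    'via proxy, prepended entry'   => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10, 198.51.100.7'],
];

foreach ($cases as $label => $server) {
    $ip = resolveClientIp($server, $proxies);
    printf("%-30s %-15s %s\n", $label, $ip, in_array($ip, $allow, true) ? 'allowed' : 'denied');
}
```

If the store is not behind a reverse proxy at all, the original `REMOTE_ADDR` comparison is already the stricter check.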

Re: [v3.0.2.0 - Concept] - API login IP address validation

Posted: Thu Jul 27, 2023 1:26 am
by kslakhani
straightlight wrote:
Wed Oct 18, 2017 10:11 am

Code:

protected function getIpAddress() {
        foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP', 'REMOTE_ADDR') as $header) {
            if (!isset($this->request->server[$header]) || ($spoof = $this->request->server[$header]) === NULL) {
                continue;
            }
			
            sscanf($spoof, '%[^,]', $spoof);
			
            if (!filter_var($spoof, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
                $spoof = NULL;
            } else {
                return $spoof;
            }
        }
		
        return '0.0.0.0';
    }

Hi, any update on this?

Re: [v3.0.2.0 - Concept] - API login IP address validation

Posted: Thu Jul 27, 2023 5:14 am
by straightlight
kslakhani wrote:
Thu Jul 27, 2023 1:26 am
straightlight wrote:
Wed Oct 18, 2017 10:11 am

Code:

protected function getIpAddress() {
        foreach (array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP', 'HTTP_X_CLUSTER_CLIENT_IP', 'REMOTE_ADDR') as $header) {
            if (!isset($this->request->server[$header]) || ($spoof = $this->request->server[$header]) === NULL) {
                continue;
            }
			
            sscanf($spoof, '%[^,]', $spoof);
			
            if (!filter_var($spoof, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
                $spoof = NULL;
            } else {
                return $spoof;
            }
        }
		
        return '0.0.0.0';
    }

Hi, any update on this?

With such vague information, without following the forum rules, you may not get much about it. Besides, this topic is quite old. OC v4x releases already use a new API structure, since.