Securing api

jabme/app/settings/base.py

@@ -32,7 +32,11 @@
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
 ]
 
-CORS_ORIGIN_ALLOW_ALL = True
+CORS_ALLOWED_ORIGINS = [
+    "https://covaccinate.tech",
+    "http://localhost:3000",
+    "http://127.0.0.1:3000",
+]
 ROOT_URLCONF = "app.urls"
 
 TEMPLATES = [

jabme/users/decorators.py

@@ -0,0 +1,16 @@
+import os
+
+from django.http import HttpResponse
+
+allowed_ips = os.environ.get("ALLOWED_IPS", "localhost 127.0.0.1").split()
+
+
+def login_by_ip(view_func):
+    def authorize(request, *args, **kwargs):
+        user_ip = request.META["REMOTE_ADDR"]
+        for ip in allowed_ips:
+            if ip == user_ip:
+                return view_func(request, *args, **kwargs)
+        return HttpResponse("Forbidden. F Off.")
+
+    return authorize

jabme/users/views.py

@@ -17,9 +17,11 @@
 from django.shortcuts import render
 from django.template import Context, loader
 from django.utils import timezone
+from django.utils.decorators import method_decorator
 from fake_useragent import UserAgent
 from rest_framework.response import Response
 from rest_framework.views import APIView
+from users.decorators import login_by_ip
 from users.models import District
 
 PINCODE_REGEX = "^[1-9][0-9]{5}$"
@@ -72,6 +74,7 @@ def post(self, request):
         return Response("Registered Successfully")
 
 
+@method_decorator(login_by_ip, name="get")
 class FindSlotView(APIView):
     def get(self, request):
         time_threshold = datetime.now(timezone.utc) - timedelta(
@@ -203,6 +206,7 @@ def get(self, request):
         return Response(result)
 
 
+@method_decorator(login_by_ip, name="post")
 class UpdateEmailSentTime(APIView):
     def post(self, request):
         now = Now()