From 8a72ad1bc0af6b5aab0a3dfa543803923b18f941 Mon Sep 17 00:00:00 2001
From: ItsFlash10
Date: Sun, 8 Sep 2024 22:01:04 +0530
Subject: [PATCH 1/2] feat: saved user IP and added a check to verify it

---
 prisma/migrations/20240907181905_add_ip/migration.sql | 2 ++
 prisma/schema.prisma | 2 +-
 src/lib/auth.ts | 10 +++++++++-
 src/middleware.ts | 7 ++++++-
 4 files changed, 18 insertions(+), 3 deletions(-)
 create mode 100644 prisma/migrations/20240907181905_add_ip/migration.sql

diff --git a/prisma/migrations/20240907181905_add_ip/migration.sql b/prisma/migrations/20240907181905_add_ip/migration.sql
new file mode 100644
index 00000000..c400c621
--- /dev/null
+++ b/prisma/migrations/20240907181905_add_ip/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "User" ADD COLUMN "ip" TEXT;
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index f2179266..699639d0 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -160,6 +160,7 @@ model User {
 upiIds UpiId[] @relation("UserUpiIds")
 solanaAddresses SolanaAddress[] @relation("UserSolanaAddresses")
 githubUser GitHubLink? @relation("UserGithub")
+ ip String?
 }
 
 model GitHubLink {
@@ -343,4 +344,3 @@ enum MigrationStatus {
 MIGRATED
 MIGRATION_ERROR
 }
-
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index 8d6ca3eb..50780a75 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -114,7 +114,11 @@ export const authOptions = {
 username: { label: 'email', type: 'text', placeholder: '' },
 password: { label: 'password', type: 'password', placeholder: '' },
 },
- async authorize(credentials: any) {
+
+ async authorize(credentials: any, req: any) {
+ const userIp =
+ req.headers['x-forwarded-for'] || req.socket.remoteAddress;
+
 try {
 if (process.env.LOCAL_CMS_PROVIDER) {
 return {
@@ -152,6 +156,7 @@ export const authOptions = {
 },
 data: {
 token: jwt,
+ ip: userIp,
 },
 });
 
@@ -160,6 +165,7 @@ export const authOptions = {
 name: userDb.name,
 email: credentials.username,
 token: jwt,
+ ip: userIp,
 };
 }
 console.log('not in db');
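Review bot: The new `authorize()` derives `userIp` from `req.headers['x-forwarded-for']` first, a header the client can set freely, so the address this patch stores and later compares is only meaningful when a proxy the app controls rewrites that header; without one, the check reduces to a value of the client's choosing. X-Forwarded-For also carries a comma-separated list when several hops are involved, and the whole list is stored, while middleware.ts in this same patch may resolve the client via `req.ip` or `x-real-ip`, so the two sides can disagree for an honest user. If `req` is NextAuth's trimmed request object rather than a Node `IncomingMessage`, `req.socket` is presumably undefined and the fallback throws a TypeError instead of producing an address — worth confirming. I would move the address derivation into one shared helper used by both files, with the proxy-header handling gated on an explicit trusted-proxy setting, e.g. `const userIp = getClientIp(req); // proxy headers honoured only behind a configured trusted proxy`. The rest of `authorize()` lies outside this hunk.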
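Review bot: `ip: userIp` is written to the `User` row on every login (here in the update, and again in the create at the `@@ -191,6 +197,7 @@` hunk), so the column holds the address of the most recent login rather than the address a given session was issued from. A second sign-in from another network — a phone while a laptop session is open — overwrites it, and the middleware comparison added later in this patch then redirects the older session to `/invalidsession`; users whose address changes mid-session (mobile carriers, VPNs) take the same path. If the intent is to bind a session to its origin, the address belongs next to the token it was issued with rather than on the user; otherwise the single-active-network behaviour should be stated on the field, e.g. `// ip: address seen at the most recent login; overwritten on each sign-in`. The enclosing `authorize()` starts and ends outside this hunk.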
@@ -191,6 +197,7 @@ export const authOptions = {
 email: credentials.username,
 token: jwt,
 password: hashedPassword,
+ ip: userIp,
 },
 });
 } catch (e) {
@@ -202,6 +209,7 @@ export const authOptions = {
 name: user.data.name,
 email: credentials.username,
 token: jwt,
+ ip: userIp,
 };
 }
 
diff --git a/src/middleware.ts b/src/middleware.ts
index a1f6e579..5d6af36e 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -8,6 +8,11 @@ export const config = {
 export default withAuth(async (req) => {
 if (process.env.LOCAL_CMS_PROVIDER) return;
 const token = req.nextauth.token;
+ const userIp =
+ req.headers.get('x-forwarded-for') ||
+ req.ip ||
+ req.headers.get('x-real-ip');
+
 if (!token) {
 return NextResponse.redirect(new URL('/invalidsession', req.url));
 }
@@ -16,7 +21,7 @@ export default withAuth(async (req) => {
 );
 const json = await user.json();
 
- if (!json.user) {
+ if (!json.user || (json.user.ip && json.user.ip !== userIp)) {
 return NextResponse.redirect(new URL('/invalidsession', req.url));
 }
 });
From 938fad033170214c9f684e01fbbcb16d5119713b Mon Sep 17 00:00:00 2001
From: ItsFlash10
Date: Sun, 8 Sep 2024 22:37:40 +0530
Subject: [PATCH 2/2] moved the ip check to the user route

---
 src/app/api/user/route.ts | 9 ++++++++-
 src/middleware.ts | 4 ++--
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/app/api/user/route.ts b/src/app/api/user/route.ts
index dda9fd84..58579b6b 100644
--- a/src/app/api/user/route.ts
+++ b/src/app/api/user/route.ts
@@ -4,7 +4,9 @@ import db from '@/db';
 export async function GET(req: NextRequest) {
 const url = new URL(req.url);
 const token = url.searchParams.get('token');
- if (!token) {
+ const ip = url.searchParams.get('ip');
+
+ if (!token || !ip) {
 return NextResponse.redirect(new URL('/invalidsession', req.url));
 }
 const user = await db.user.findFirst({
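Review bot: The `userIp` chain tries `x-forwarded-for` before `req.ip`, so a client-settable header wins over the address the hosting platform populates on `NextRequest` (where it does so at all); even behind a trusted proxy, the header is only authoritative for the entry that proxy appended, not the leftmost one. The order should be reversed, or the headers dropped unless deployment behind a known proxy is certain, e.g. `const userIp = req.ip || req.headers.get('x-real-ip') || req.headers.get('x-forwarded-for');`. The same rule has to apply in `auth.ts`, which reads `req.headers['x-forwarded-for']` with a different fallback, or the stored and observed values will differ for an honest client. The `withAuth` callback continues past this hunk.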
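Review bot: `json.user.ip !== userIp` is a raw string comparison between a value stored at login and one read from the current request, so any representational difference — `::ffff:10.0.0.1` versus `10.0.0.1`, a multi-hop `x-forwarded-for` list versus a single address, surrounding whitespace — sends a legitimate user to `/invalidsession`. Normalize both sides (trim, pick one list entry, strip the IPv4-mapped prefix) in the same helper that derives the address, so login and middleware cannot drift apart. The `json.user.ip &&` guard also silently exempts rows whose `ip` is still null after the migration; that is a reasonable rollout step, but it deserves a comment such as `// rows not logged in since the ip column was added are not yet bound`. The enclosing `withAuth` callback starts outside this hunk.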
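Review bot: `ip` is read from the query string, so the comparison it feeds (`user.ip !== ip` in the following hunk) is between two values supplied by whoever calls `/api/user`, not between the stored address and the address of the request being checked, and nothing here verifies that the caller is the middleware. If the check is meant to live in this route, derive the address from `req` itself, the same way `middleware.ts` does, instead of accepting it as a parameter; otherwise keep the route internal and pass nothing. Note also that `!token || !ip` now redirects whenever `ip` is absent, and the `middleware.ts` change in this same commit builds the URL so that `ip` never arrives (see that hunk). `GET()` continues past this hunk.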
@@ -12,6 +14,11 @@ export async function GET(req: NextRequest) {
 token,
 },
 });
+
+ if (!user || user.ip !== ip) {
+ return NextResponse.redirect(new URL('/invalidsession', req.url));
+ }
+
 return NextResponse.json({
 user,
 });
diff --git a/src/middleware.ts b/src/middleware.ts
index 5d6af36e..b80b3f86 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -17,11 +17,11 @@ export default withAuth(async (req) => {
 return NextResponse.redirect(new URL('/invalidsession', req.url));
 }
 const user = await fetch(
- `${process.env.NEXT_PUBLIC_BASE_URL_LOCAL}/api/user?token=${token.jwtToken}`,
+ `${process.env.NEXT_PUBLIC_BASE_URL_LOCAL}/api/user?token=${token.jwtToken}?ip=${userIp}`,
 );
 const json = await user.json();
 
- if (!json.user || (json.user.ip && json.user.ip !== userIp)) {
+ if (!json.user) {
 return NextResponse.redirect(new URL('/invalidsession', req.url));
 }
 });
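Review bot: The new `!user` branch replaces the previous `{ user: null }` JSON body with a redirect to `/invalidsession`; the only caller visible in this series is the middleware's `fetch()`, which follows redirects by default, so `user.json()` then parses the redirect target's body — presumably an HTML page — and throws, turning an invalid session into an unhandled error in middleware instead of a clean redirect. A JSON route should answer in JSON, e.g. `return NextResponse.json({ user: null }, { status: 401 });` in both of the new guards. `user.ip !== ip` also has no null guard, unlike the `json.user.ip &&` form this check replaces, so every row whose `ip` is still null after the migration is rejected until its next login — acceptable if intended, but it should be stated in a comment on the condition. `GET()` starts outside this hunk.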
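Review bot: The rebuilt URL joins the second parameter with `?` instead of `&`, so the request arrives as `token=<jwt>?ip=<addr>` with no `ip` parameter at all; `route.ts` in this same commit then rejects it on `!token || !ip`, and the `token` lookup would fail on the suffixed value even if it did not. Both values should also be encoded, since `x-forwarded-for` may contain commas and spaces: `` `${process.env.NEXT_PUBLIC_BASE_URL_LOCAL}/api/user?token=${encodeURIComponent(token.jwtToken)}&ip=${encodeURIComponent(userIp ?? '')}` ``. `userIp` is declared in the `@@ -8,6 +8,11 @@` hunk of the previous patch, outside this one, and the `withAuth` callback starts before this hunk.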