feat(ui): add admin IP whitelist gate backed by ADMIN_SECRETS #20

Merged
ashraf merged 1 commit from development_admin_ip_whitelist into main 2026-04-23 13:10:14 +00:00

Summary

  • Add IP-based whitelist gate to hero_livekit_ui that loads allowed CIDR ranges from the ADMIN_SECRETS secret in hero_proc
  • Whitelist enforced as axum middleware on every request, reading client IP from X-Real-Ip / X-Forwarded-For headers
  • Background refresh every 60 seconds with fail-open semantics and stale-on-error policy
  • Includes PUT /admin/whitelist endpoint for write-through updates

Closes #9

Changes

  • New: crates/hero_livekit_ui/src/whitelist.rs (289 lines) -- WhitelistState, CIDR loading from hero_proc, axum middleware, background refresh task, PUT /admin/whitelist handler
  • Modified: crates/hero_livekit_ui/Cargo.toml -- added ipnetwork = "0.20" dependency
  • Modified: crates/hero_livekit_ui/src/main.rs -- mod whitelist, WhitelistState init, refresh task spawn, route + middleware wiring
  • Modified: Cargo.lock -- added ipnetwork 0.20.0

Test Results

34 tests passed, 0 failures

feat(ui): add admin IP whitelist gate backed by ADMIN_SECRETS
All checks were successful
Build & Test / check (pull_request) Successful in 2m45s
Build & Test / check (push) Successful in 3m1s
a95a438afc
#9
ashraf merged commit a95a438afc into main 2026-04-23 13:10:14 +00:00
ashraf deleted branch development_admin_ip_whitelist 2026-04-23 13:10:14 +00:00
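
The gate decision described in the summary, as an added example: it is not taken from `whitelist.rs` and uses only the standard library rather than axum and ipnetwork. Assumptions: the secret holds a comma-separated CIDR list, fail-open means requests pass until a list has loaded once, and the last X-Forwarded-For entry is the one written by the reverse proxy in front of the service; the names `Cidr`, `client_ip`, `Decision` and `Whitelist` are hypothetical.

```rust
use std::net::IpAddr;

pub struct Cidr { net: IpAddr, prefix: u8 }
impl Cidr {
    pub fn parse(s: &str) -> Option<Cidr> {
        let (addr, len) = s.trim().split_once('/')?;
        let (net, prefix) = (addr.parse::<IpAddr>().ok()?, len.parse::<u8>().ok()?);
        (prefix <= if net.is_ipv4() { 32 } else { 128 }).then_some(Cidr { net, prefix })
    }
    pub fn contains(&self, ip: IpAddr) -> bool {
        let (net, addr, bits) = match (self.net, ip) {
            (IpAddr::V4(n), IpAddr::V4(i)) => (u32::from(n) as u128, u32::from(i) as u128, 32u32),
            (IpAddr::V6(n), IpAddr::V6(i)) => (u128::from(n), u128::from(i), 128),
            _ => return false, // address families differ
        };
        // A /0 matches the whole family; testing it first avoids a full-width shift.
        self.prefix == 0 || (net >> (bits - self.prefix as u32)) == (addr >> (bits - self.prefix as u32))
    }
}

/// X-Real-Ip wins; else the last X-Forwarded-For entry (assumed: set by the nearest proxy).
pub fn client_ip(x_real_ip: Option<&str>, x_forwarded_for: Option<&str>) -> Option<IpAddr> {
    let raw = x_real_ip.or_else(|| x_forwarded_for.and_then(|v| v.rsplit(',').next()))?;
    raw.trim().parse().ok()
}

#[derive(Debug, PartialEq)]
pub enum Decision { Allow, Deny, AllowFailOpen }

#[derive(Default)]
pub struct Whitelist { ranges: Option<Vec<Cidr>> } // None = nothing loaded yet
impl Whitelist {
    /// Ok(text) replaces the list; Err keeps the last good one (stale-on-error).
    pub fn refresh(&mut self, fetched: Result<&str, ()>) {
        if let Ok(text) = fetched { self.ranges = Some(text.split(',').filter_map(Cidr::parse).collect()); }
    }
    pub fn check(&self, ip: Option<IpAddr>) -> Decision {
        match (&self.ranges, ip) {
            (None, _) => Decision::AllowFailOpen, // reported separately so it can be logged
            (Some(r), Some(ip)) if r.iter().any(|c| c.contains(ip)) => Decision::Allow,
            _ => Decision::Deny, // includes a missing or unparsable client address
        }
    }
}

fn main() {
    let mut wl = Whitelist::default();
    wl.refresh(Ok("10.0.0.0/8, 2001:db8::/32")); // constructed sample ranges
    println!("{:?}", wl.check(client_ip(None, Some("198.51.100.9, 10.1.2.3"))));
}
```

Both headers are client-controlled unless the reverse proxy overwrites them, so a header-based gate is only meaningful when the service cannot be reached except through that proxy.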
Reference
lhumina_code/hero_livekit!20