IP whitelisting for Geo-enabling functionality in the primary
Description
Currently, Geo user authentication and file and repository synchronization work by having the secondary connect to the primary with privileged functionality, mostly mediated via JSON web tokens. However, we allow those connections to come from any IP in the world.
Proposal
Add an IP whitelist to the geo_nodes table. If filled in, Geo-specific routes and JWTs generated by a particular secondary will only be considered valid by the primary if the traffic is sourced from one of the listed IPs or ranges.
This raises the barrier to exploitation: an attacker able to intercept traffic between secondary and primary is not necessarily also able to originate traffic from an arbitrary source IP.
As every secondary has access to every other secondary's private tokens (they are stored in the replicated database), this also prevents secondaries from impersonating each other. That's unlikely to be a huge concern, but it is neater.
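To make the proposed check concrete, here is an added, self-contained Ruby example of how the primary could combine JWT verification with the per-node whitelist. It is illustrative code written for this issue, not GitLab's Geo implementation: the geo_nodes rows are stood in for by a hash, the secondary is identified by an assumed `node` claim in the JWT, tokens are HS256 signed with the node's shared secret, and an empty whitelist means "not filled in, any source IP accepted", as the proposal states. `source_ip` must be the address of the TCP peer (or one supplied by a proxy the primary trusts), never a client-controlled header, otherwise the check is trivially bypassed.

```ruby
require 'ipaddr'
require 'openssl'
require 'base64'
require 'json'

# Constructed stand-in for geo_nodes rows (not GitLab's schema). Every
# secondary can read every row, which is why the whitelist is needed at all.
GEO_NODES = {
  'secondary-eu' => { secret: 'eu-shared-secret',
                      allowed_ips: ['10.20.0.0/16', '2001:db8::/32'] },
  'secondary-us' => { secret: 'us-shared-secret',
                      allowed_ips: [] } # whitelist not filled in: no restriction
}.freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str) # accepts unpadded input (Ruby >= 2.3)
end

# Mint an HS256 JWT the way a secondary would when calling the primary.
def sign_jwt(claims, secret)
  header  = b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  payload = b64url(JSON.generate(claims))
  sig     = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}"))
  "#{header}.#{payload}.#{sig}"
end

# Constant-time comparison so signature checking does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify with the node's own secret; the header's alg field is deliberately
# ignored, so an "alg":"none" token cannot downgrade the check.
def verify_jwt(token, secret)
  header, payload, sig = token.split('.', 3)
  return nil if header.nil? || payload.nil? || sig.nil?
  expected = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}"))
  return nil unless secure_equal?(expected, sig)
  JSON.parse(b64url_decode(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Read the still-unverified claims only to learn which node's secret to try.
# Nothing else from the token is trusted before verify_jwt succeeds.
def claimed_node(token)
  _header, payload, _sig = token.split('.', 3)
  return nil if payload.nil?
  claims = JSON.parse(b64url_decode(payload))
  claims.is_a?(Hash) ? claims['node'] : nil
rescue ArgumentError, JSON::ParserError
  nil
end

# Source-IP check against the node's whitelist of addresses and CIDR ranges.
def ip_allowed?(allowed_ips, source_ip)
  return true if allowed_ips.empty? # not filled in: proposal imposes no restriction
  # .native folds IPv4-mapped IPv6 (::ffff:10.20.1.5) back to IPv4 so a
  # dual-stack listener does not let mapped addresses slip past a v4 range.
  src = IPAddr.new(source_ip).native
  allowed_ips.any? { |entry| IPAddr.new(entry).include?(src) }
rescue IPAddr::InvalidAddressError
  false
end

# The primary's decision: [true, claims] or [false, :reason].
def authorize_geo_request(token, source_ip, nodes = GEO_NODES)
  node = nodes[claimed_node(token)]
  return [false, :unknown_node] unless node

  claims = verify_jwt(token, node[:secret])
  return [false, :bad_signature] unless claims
  return [false, :source_ip_not_allowed] unless ip_allowed?(node[:allowed_ips], source_ip)

  [true, claims]
end

if __FILE__ == $PROGRAM_NAME
  eu = sign_jwt({ 'node' => 'secondary-eu', 'scope' => 'geo_node_api' },
                GEO_NODES['secondary-eu'][:secret])
  p authorize_geo_request(eu, '10.20.1.5')      # accepted
  p authorize_geo_request(eu, '198.51.100.7')   # valid token, wrong source IP
  # secondary-us knows secondary-eu's secret (replicated DB) but sits outside
  # the EU whitelist, so the impersonation attempt is refused.
  p authorize_geo_request(eu, '203.0.113.40')
end
```

Note that the whitelist only narrows where a valid token is honoured; it does not replace signature verification or token expiry, and the IP check should run after the signature check so that a failing whitelist lookup cannot be used to probe which nodes exist.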
For this issue, we are adding the IP whitelist at the database level only. If this functionality proves useful, we can add a UI component at a later stage.