From 55c7e00ad64a24660b729cc8e6ea3ec527b69f88 Mon Sep 17 00:00:00 2001
From: Maximilian Friedersdorff
Date: Thu, 11 Dec 2025 21:34:33 +0000
Subject: [PATCH] Make netlist configurable

---
 cmd/server/main.go | 14 ++++++++++++-
 internal/conf/conf.go | 1 +
 internal/middleware/reject_anon.go | 33 ++++++++++++++----------------
 3 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/cmd/server/main.go b/cmd/server/main.go
index 7f6d173..8eb6959 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -51,7 +51,19 @@ func main() {
  etag := middleware.NewETag("static", cacheExpiration)
  router.Handle("/", middleware.LoggingMiddleware(http.RedirectHandler("/notes/", http.StatusFound)))
- router.Handle("/notes/", sessions.AsMiddleware(middleware.LoggingMiddleware(http.StripPrefix("/notes", notesRouter))))
+ router.Handle(
+ "/notes/",
+ sessions.AsMiddleware(
+ middleware.LoggingMiddleware(
+ middleware.RejectAnonMiddleware(
+ "/auth/login/",
+ http.StripPrefix(
+ "/notes", notesRouter,
+ ),
+ ),
+ ),
+ ),
+ )
  router.Handle("/auth/", sessions.AsMiddleware(middleware.LoggingMiddleware(http.StripPrefix("/auth", sessionRouter))))
  router.Handle(
  "/static/",
diff --git a/internal/conf/conf.go b/internal/conf/conf.go
index 7c3592a..9b4cd07 100644
--- a/internal/conf/conf.go
+++ b/internal/conf/conf.go
@@ -68,6 +68,7 @@ type Config struct {
  RedirectURL string `toml:"redirect_url"`
  UserinfoURL string `toml:"userinfo_url"`
  }
+ AnonCIDRs []string `toml:"anon_networks"`
 }
 
 var (
diff --git a/internal/middleware/reject_anon.go b/internal/middleware/reject_anon.go
index 82ba800..c5da2a9 100644
--- a/internal/middleware/reject_anon.go
+++ b/internal/middleware/reject_anon.go
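Review bot: The redirect target `"/auth/login/"` handed to middleware.RejectAnonMiddleware is a bare literal that duplicates the `/auth/` prefix registered two lines below, so renaming the auth route would silently break the redirect; hoist it next to the route registration, e.g. `const loginPath = "/auth/login/"`, or read it from config the way this commit now does for the networks. The middleware order is also load-bearing: RejectAnonMiddleware sits inside sessions.AsMiddleware, and in the following hunks it reads `ContextKey("user")` from the request context with an unchecked type assertion, so it presumably depends on the session layer having run first. A one-line comment above the call, `// RejectAnonMiddleware reads the session user from the context, so it must stay inside sessions.AsMiddleware`, would keep a later refactor from reordering it. main's body continues outside the hunk.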
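Review bot: The new `AnonCIDRs` field has no doc comment, and its Go name (CIDRs) and TOML key (`anon_networks`) differ, so a reader of either side cannot tell what format is expected or what an absent value means. Suggested comment above the field: `// AnonCIDRs lists networks in CIDR notation (TOML key anon_networks) that middleware.RejectAnonMiddleware treats as safe origins; entries that fail net.ParseCIDR are logged and dropped, and an empty list leaves no safe origin.` The last clause follows from the make/append loop in reject_anon.go, where nothing is added on a parse failure. The Config struct begins before this hunk.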
@@ -10,30 +10,14 @@ import (
  "net"
  "net/http"
  "strings"
+
+ "forgejo.gwairfelin.com/max/gonotes/internal/conf"
 )
 
 type netList []net.IPNet
 
-var safeCIDRs = [...]string{"192.168.0.0/23", "10.0.0.0/24", "2001:8b0:f70:546d::/64"}
-
-var safeOriginNets netList
-
 const ipHeader = "x-forwarded-for"
 
-func init() {
- safeOriginNets = make([]net.IPNet, 0, len(safeCIDRs))
- for _, cidr := range safeCIDRs {
- _, net, err := net.ParseCIDR(cidr)
-
- if err != nil {
- log.Printf("ignoring invalid cidr: %s", err)
- continue
- }
-
- safeOriginNets = append(safeOriginNets, *net)
- }
-}
-
 func (n *netList) Contains(ip net.IP) bool {
  for _, net := range *n {
  if contains := net.Contains(ip); contains {
@@ -44,6 +28,19 @@ func (n *netList) Contains(ip net.IP) bool {
 }
 
 func RejectAnonMiddleware(redirect string, next http.Handler) http.Handler {
+ safeOriginNets := make(netList, 0, len(conf.Conf.AnonCIDRs))
+
+ for _, cidr := range conf.Conf.AnonCIDRs {
+ _, net, err := net.ParseCIDR(cidr)
+
+ if err != nil {
+ log.Printf("ignoring invalid cidr: %s", err)
+ continue
+ }
+
+ safeOriginNets = append(safeOriginNets, *net)
+ }
+
  return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  user := r.Context().Value(ContextKey("user")).(string)
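Review bot: Importing `internal/conf` here ties the middleware package to the package-level `conf.Conf` global, which the next hunk reads inside RejectAnonMiddleware; the function already takes `redirect` as a parameter, so passing the list the same way, `func RejectAnonMiddleware(redirect string, anonCIDRs []string, next http.Handler) http.Handler` with main.go supplying `conf.Conf.AnonCIDRs`, would keep this package free of global config and testable with a literal list (and the loop's `net` variable, which shadows the package, could be renamed at the same time). The error path the moved loop keeps also deserves a second look: a mistyped entry is only logged and skipped, so the allowlist silently shrinks instead of the server refusing to start, which is fail-closed but easy to miss in logs — a small `parseNetList([]string) (netList, error)` helper whose error aborts startup is the stricter option. Since `const ipHeader = "x-forwarded-for"` remains in this hunk and suggests the matched address is taken from that header, the documentation for the new config key should state that these networks are only meaningful behind a proxy that sets the header; that wording is outside this change. Contains starts in this hunk and ends outside it.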