Adding express-ipfilter for ip whitelist support with environment variable IP_WHITELIST

[sloydsf]

Using new package express-ipfilter.
Adding ability to define IP_WHITELIST as an environment variable.
If the variable is not defined it should not impact the existing behavior outside of requiring the module.

Example: IP_WHITELIST=1.2.3.4/32,10.0.0.0/24

[salesforce-cla]

Thanks for the contribution! It looks like @sloydsf is an internal user so signing the CLA is not required. However, we need to confirm this.

[michaelhoefer]

This should indeed work for heroku deployment, but can't validate locally well because there is no x-forwarded-for header set. I think this should change to look at the host header if x-forwarded-for is not set. And include 'localhost' in the whitelist.

[sloydsf]

Good point, I had assumed this was Heroku only.

I'll update it to be:
if(x-forwarded-for header) return last entry in x-forwarded-for header
else use tcp/ip remote_ip

[michaelhoefer]

The error handling is the only tricky thing with this, and express in general. Right now this message is not displayed, but instead an internal error message is shown alone on a blank page. May need special handling for the IpDeniedError in our normal error handler.

[michaelhoefer]

Also, I the Opts object you are passing here does not match the interface given by express-ipfilter:

export interface IpFilterOptions {
  detectIp?: (request: express.Request) => Ip;
  excluding?: Route[];
  log?: boolean;
  logLevel?: 'all' | 'deny' | 'allow';
  mode?: 'deny' | 'allow';
  // `@types/proxy-addr` does not export the `trust` parameter type
  trustProxy?: any;
}

[vazexqi]

@sloydsf - What happened to just doing the IP whitelisting on the Heroku private spaces level? Was that not the right approach?