Restrict API key usage by source IP #5879

New Issue

Closed

opened 2025-12-29 19:33:46 +01:00 by adam · 11 comments

adam commented 2025-12-29 19:33:46 +01:00

Owner

Copy Link

Originally created by @PieterL75 on GitHub (Jan 5, 2022).

Originally assigned to: @jeremystretch, @PieterL75 on GitHub.

NetBox version

v3.1.4

Feature type

Change to existing functionality

Proposed functionality

Limit the access to the API with a certain API key by source IPs

Use case

We have API keys that belong to 'service accounts'. The source IP of these services consumers are known.
We should be able to limit the usage of these service account API keys to only the known sources.
This cannot be done by firewalls but needs to go to the application layer

If an API key gets compromised, it cannot be used outside of that scope of source IPs

Database changes

API Keys

• add multivalue 'Source IP'

External dependencies

No response

Originally created by @PieterL75 on GitHub (Jan 5, 2022). Originally assigned to: @jeremystretch, @PieterL75 on GitHub. ### NetBox version v3.1.4 ### Feature type Change to existing functionality ### Proposed functionality Limit the access to the API with a certain API key by source IPs ### Use case We have API keys that belong to 'service accounts'. The source IP of these services consumers are known. We should be able to limit the usage of these service account API keys to only the known sources. This cannot be done by firewalls but needs to go to the application layer If an API key gets compromised, it cannot be used outside of that scope of source IPs ### Database changes API Keys - add multivalue 'Source IP' ### External dependencies _No response_

adam added the status: acceptedtype: feature labels 2025-12-29 19:33:46 +01:00

adam closed this issue 2025-12-29 19:33:46 +01:00

adam commented 2025-12-29 19:33:46 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Jan 5, 2022):

This should be feasible to implement in our custom TokenAuthentication class. We currently override only the authenticate_credentials() method, which has access only to the token itself, but the authenticate() method receives the entire request. We just need a way to reference the requesting IP address when evaluating the credentials.

We'll also need to do a bit of grunt work around mapping allowed IPs (e.g. networks and/or lists of individual IPs), but I certainly hope we can manage that. 🙂

@jeremystretch commented on GitHub (Jan 5, 2022): This should be feasible to implement in our custom TokenAuthentication class. We currently override only the `authenticate_credentials()` method, which has access only to the token itself, but the `authenticate()` method receives the entire request. We just need a way to reference the requesting IP address when evaluating the credentials. We'll also need to do a bit of grunt work around mapping allowed IPs (e.g. networks and/or lists of individual IPs), but I certainly hope we can manage that. :slightly_smiling_face:

adam commented 2025-12-29 19:33:46 +01:00

Author

Owner

Copy Link

@hagbarddenstore commented on GitHub (Jan 5, 2022):

This should be feasible to implement in our custom TokenAuthentication class. We currently override only the authenticate_credentials() method, which has access only to the token itself, but the authenticate() method receives the entire request. We just need a way to reference the requesting IP address when evaluating the credentials.

We'll also need to do a bit of grunt work around mapping allowed IPs (e.g. networks and/or lists of individual IPs), but I certainly hope we can manage that. 🙂

Be aware that Python might not receive the "true" source IP because of being behind a proxy. It would be helpful if the documentation mentioned that where this feature is documented. Perhaps adding external links on how to configure passing remote IP in nginx, apache, etc.

https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/

@hagbarddenstore commented on GitHub (Jan 5, 2022): > This should be feasible to implement in our custom TokenAuthentication class. We currently override only the `authenticate_credentials()` method, which has access only to the token itself, but the `authenticate()` method receives the entire request. We just need a way to reference the requesting IP address when evaluating the credentials. > > We'll also need to do a bit of grunt work around mapping allowed IPs (e.g. networks and/or lists of individual IPs), but I certainly hope we can manage that. 🙂 Be aware that Python might not receive the "true" source IP because of being behind a proxy. It would be helpful if the documentation mentioned that where this feature is documented. Perhaps adding external links on how to configure passing remote IP in nginx, apache, etc. https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/

adam commented 2025-12-29 19:33:47 +01:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (Mar 7, 2022):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Please see our contributing guide.

@github-actions[bot] commented on GitHub (Mar 7, 2022): This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Please see our [contributing guide](https://github.com/netbox-community/netbox/blob/develop/CONTRIBUTING.md).

adam commented 2025-12-29 19:33:47 +01:00

Author

Owner

Copy Link

@PieterL75 commented on GitHub (Mar 10, 2022):

Can we keep this open ? Our compliance team is asking about when this could be implemented

@PieterL75 commented on GitHub (Mar 10, 2022): Can we keep this open ? Our compliance team is asking about when this could be implemented

adam commented 2025-12-29 19:33:47 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Mar 10, 2022):

@PieterL75 would you like to volunteer to own it?

@jeremystretch commented on GitHub (Mar 10, 2022): @PieterL75 would you like to volunteer to own it?

adam commented 2025-12-29 19:33:47 +01:00

Author

Owner

Copy Link

@PieterL75 commented on GitHub (Mar 10, 2022):

I lack real coding ethics, but never afraid of a challenge...
I'll give it a try.

Must be in netbox/netbox/api/authentication.py ?

adding a check under TokenPermissions/has_permission() ?

@PieterL75 commented on GitHub (Mar 10, 2022): I lack real coding ethics, but never afraid of a challenge... I'll give it a try. Must be in netbox/netbox/api/authentication.py ? adding a check under TokenPermissions/has_permission() ?

adam commented 2025-12-29 19:33:47 +01:00

Author

Owner

Copy Link

@PieterL75 commented on GitHub (Mar 11, 2022):

Looks like I have a working solution...
@jeremystretch Can you review this branch in my fork : https://github.com/PieterL75/netbox/tree/master
Or should I create a PR here

@PieterL75 commented on GitHub (Mar 11, 2022): Looks like I have a working solution... @jeremystretch Can you review this branch in my fork : https://github.com/PieterL75/netbox/tree/master Or should I create a PR here

adam commented 2025-12-29 19:33:48 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Mar 25, 2022):

Given the substantial changes being introduced here (namely adding the allowed_ips field to the Token model), I'd like to tag this for v3.2.

@PieterL75 would you mind rebasing your PR on the feature branch? I don't think you'll run into much trouble but please let me know if I can be of assistance.

@jeremystretch commented on GitHub (Mar 25, 2022): Given the substantial changes being introduced here (namely adding the `allowed_ips` field to the Token model), I'd like to tag this for v3.2. @PieterL75 would you mind rebasing your PR on the `feature` branch? I don't think you'll run into much trouble but please let me know if I can be of assistance.

adam commented 2025-12-29 19:33:48 +01:00

Author

Owner

Copy Link

@DanSheps commented on GitHub (Apr 8, 2022):

I am assuming we would want to shoot for v3.3 now?

@DanSheps commented on GitHub (Apr 8, 2022): I am assuming we would want to shoot for v3.3 now?

adam commented 2025-12-29 19:33:48 +01:00

Author

Owner

Copy Link

@PieterL75 commented on GitHub (Apr 8, 2022):

What about 3.2.1 ?
I'm off for a week, going to do the rebase when I'm back

@PieterL75 commented on GitHub (Apr 8, 2022): What about 3.2.1 ? I'm off for a week, going to do the rebase when I'm back

adam commented 2025-12-29 19:33:49 +01:00

Author

Owner

Copy Link

@jeremystretch commented on GitHub (Apr 8, 2022):

It's an API change, so it'll need to go in the next minor release (v3.3).

@jeremystretch commented on GitHub (Apr 8, 2022): It's an API change, so it'll need to go in the next minor release (v3.3).

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update-changelog-comments-docs

feature-removal-issue-type

20911-dropdown

20239-plugin-menu-classes-mutable-state

21097-graphql-id-lookups

feature

fix_module_substitution

20923-dcim-templates

20044-elevation-stuck-lightmode

feature-ip-prefix-link

v4.5-beta1-release

20068-import-moduletype-attrs

20766-fix-german-translation-code-literals

20378-del-script

7604-filter-modifiers-v3

circuit-swap

12318-case-insensitive-uniqueness

20637-improve-device-q-filter

20660-script-load

19724-graphql

20614-update-ruff

14884-script

02496-max-page

19720-macaddress-interface-generic-relation

19408-circuit-terminations-export-templates

20203-openapi-check

fix-19669-api-image-download

7604-filter-modifiers

19275-fixes-interface-bulk-edit

fix-17794-get_field_value_return_list

11507-show-aggregate-and-rir-on-api

9583-add_column_specific_search_field_to_tables

v4.5.0

v4.4.10

v4.4.9

v4.5.0-beta1

v4.4.8

v4.4.7

v4.4.6

v4.4.5

v4.4.4

v4.4.3

v4.4.2

v4.4.1

v4.4.0

v4.3.7

v4.4.0-beta1

v4.3.6

v4.3.5

v4.3.4

v4.3.3

v4.3.2

v4.3.1

v4.3.0

v4.2.9

v4.3.0-beta2

v4.2.8

v4.3.0-beta1

v4.2.7

v4.2.6

v4.2.5

v4.2.4

v4.2.3

v4.2.2

v4.2.1

v4.2.0

v4.1.11

v4.1.10

v4.1.9

v4.1.8

v4.2-beta1

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.11

v4.0.10

v4.0.9

v4.1-beta1

v4.0.8

v4.0.7

v4.0.6

v4.0.5

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.7.8

v3.7.7

v4.0-beta2

v3.7.6

v3.7.5

v4.0-beta1

v3.7.4

v3.7.3

v3.7.2

v3.7.1

v3.7.0

v3.6.9

v3.6.8

v3.6.7

v3.7-beta1

v3.6.6

v3.6.5

v3.6.4

v3.6.3

v3.6.2

v3.6.1

v3.6.0

v3.5.9

v3.6-beta2

v3.5.8

v3.6-beta1

v3.5.7

v3.5.6

v3.5.5

v3.5.4

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.10

v3.4.9

v3.5-beta2

v3.4.8

v3.5-beta1

v3.4.7

v3.4.6

v3.4.5

v3.4.4

v3.4.3

v3.4.2

v3.4.1

v3.4.0

v3.3.10

v3.3.9

v3.4-beta1

v3.3.8

v3.3.7

v3.3.6

v3.3.5

v3.3.4

v3.3.3

v3.3.2

v3.3.1

v3.3.0

v3.2.9

v3.2.8

v3.3-beta2

v3.2.7

v3.3-beta1

v3.2.6

v3.2.5

v3.2.4

v3.2.3

v3.2.2

v3.2.1

v3.2.0

v3.1.11

v3.1.10

v3.2-beta2

v3.1.9

v3.2-beta1

v3.1.8

v3.1.7

v3.1.6

v3.1.5

v3.1.4

v3.1.3

v3.1.2

v3.1.1

v3.1.0

v3.0.12

v3.0.11

v3.0.10

v3.1-beta1

v3.0.9

v3.0.8

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.11.12

v3.0-beta2

v2.11.11

v2.11.10

v3.0-beta1

v2.11.9

v2.11.8

v2.11.7

v2.11.6

v2.11.5

v2.11.4

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.10

v2.10.9

v2.11-beta1

v2.10.8

v2.10.7

v2.10.6

v2.10.5

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.11

v2.10-beta2

v2.9.10

v2.10-beta1

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.9-beta2

v2.8.9

v2.9-beta1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.12

v2.6.11

v2.6.10

v2.6.9

v2.7-beta1

Solcon-2020-01-06

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.13

v2.5.12

v2.6-beta1

v2.5.11

v2.5.10

v2.5.9

v2.5.8

v2.5.7

v2.5.6

v2.5.5

v2.5.4

v2.5.3

v2.5.2

v2.5.1

v2.5.0

v2.4.9

v2.5-beta2

v2.4.8

v2.5-beta1

v2.4.7

v2.4.6

v2.4.5

v2.4.4

v2.4.3

v2.4.2

v2.4.1

v2.4.0

v2.3.7

v2.4-beta1

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.10

v2.3-beta2

v2.2.9

v2.3-beta1

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.6

v2.2-beta2

v2.1.5

v2.2-beta1

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v2.0.10

v2.1-beta1

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v2.0-beta3

v1.9.6

v1.9.5

v2.0-beta2

v1.9.4-r1

v1.9.3

v2.0-beta1

v1.9.2

v1.9.1

v1.9.0-r1

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.3

v1.7.2-r1

v1.7.1

v1.7.0

v1.6.3

v1.6.2-r1

v1.6.1-r1

1.6.1

v1.6.0

v1.5.2

v1.5.1

v1.5.0

v1.4.2

v1.4.1

v1.4.0

v1.3.2

v1.3.1

v1.3.0

v1.2.2

v1.2.1

v1.2.0

v1.1.0

v1.0.7-r1

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3-r1

v1.0.3

1.0.0

Labels

Clear labels

beta

breaking change

complexity: high

complexity: low

complexity: medium

needs milestone

netbox

pending closure

plugin candidate

pull-request

Mirrored from GitHub Pull Request

severity: high

severity: low

severity: medium

status: accepted

status: backlog

status: blocked

status: duplicate

status: needs owner

status: needs triage

status: revisions needed

status: under review

topic: GraphQL

topic: Internationalization

topic: OpenAPI

topic: UI/UX

topic: cabling

topic: event rules

topic: htmx navigation

topic: industrialization

topic: migrations

topic: plugins

topic: scripts

topic: templating

topic: testing

type: bug

type: deprecation

type: documentation

type: feature

type: housekeeping

type: translation

No Label status: accepted type: feature

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/netbox#5879