fix(oauth2): move disable IP adress check

smarcet · smarcet · commit 92df7f7a0c8e · 2026-03-17T10:52:33.000-03:00
diff --git a/app/Models/OAuth2/ResourceServer.php b/app/Models/OAuth2/ResourceServer.php
@@ -66,7 +66,6 @@ class ResourceServer extends BaseEntity
      */
     public function isOwn($ip)
     {
-        if (!config('oauth2.validate_resource_server_ip', true)) return true;
 
         $provided_ips = array_map('trim', explode(',', $ip));
         $own_ips = array_map('trim', explode(',', $this->ips));
diff --git a/app/libs/OAuth2/GrantTypes/Strategies/ValidateBearerTokenResourceServerStrategy.php b/app/libs/OAuth2/GrantTypes/Strategies/ValidateBearerTokenResourceServerStrategy.php
@@ -78,31 +78,31 @@ public function validate(AccessToken $access_token, IClient $client)
                 'resource server is disabled!'
             );
         }
-        //check resource server ip address
-        if (!$resource_server->isOwn($current_ip))
-        {
-            throw new BearerTokenDisclosureAttemptException
-            (
-                sprintf
+        if (config('oauth2.validate_resource_server_ip', false)) {
+            //check resource server ip address
+            if (!$resource_server->isOwn($current_ip)) {
+                throw new BearerTokenDisclosureAttemptException
                 (
-                    'resource server ip (%s) differs from current request ip %s',
-                    $resource_server->getIPAddresses(),
-                    $current_ip
-                )
-            );
-        }
-        // check if current ip belongs to a registered resource server audience
-        if (!$this->token_service->checkAccessTokenAudience($access_token, $current_ip))
-        {
-            throw new BearerTokenDisclosureAttemptException
-            (
-                sprintf
+                    sprintf
+                    (
+                        'resource server ip (%s) differs from current request ip %s',
+                        $resource_server->getIPAddresses(),
+                        $current_ip
+                    )
+                );
+            }
+            // check if current ip belongs to a registered resource server audience
+            if (!$this->token_service->checkAccessTokenAudience($access_token, $current_ip)) {
+                throw new BearerTokenDisclosureAttemptException
                 (
-                    'access token current audience (%s) does not match with current request ip %s',
-                    $access_token->getAudience(),
-                    $current_ip
-                )
-            );
+                    sprintf
+                    (
+                        'access token current audience (%s) does not match with current request ip %s',
+                        $access_token->getAudience(),
+                        $current_ip
+                    )
+                );
+            }
         }
     }
 }
diff --git a/config/oauth2.php b/config/oauth2.php
@@ -11,5 +11,5 @@
     | the request IP and the access token audience.
     |
     */
-    'validate_resource_server_ip' => env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', true),
+    'validate_resource_server_ip' => env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', false),
 ];

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,6 @@ class ResourceServer extends BaseEntity`
`66`	`66`	`*/`
`67`	`67`	`public function isOwn($ip)`
`68`	`68`	`{`
`69`		`- if (!config('oauth2.validate_resource_server_ip', true)) return true;`
`70`	`69`
`71`	`70`	`$provided_ips = array_map('trim', explode(',', $ip));`
`72`	`71`	`$own_ips = array_map('trim', explode(',', $this->ips));`
Original file line number	Diff line number	Diff line change
`@@ -11,5 +11,5 @@`
`11`	`11`	`\| the request IP and the access token audience.`
`12`	`12`	`\|`
`13`	`13`	`*/`
`14`		`- 'validate_resource_server_ip' => env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', true),`
	`14`	`+ 'validate_resource_server_ip' => env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', false),`
`15`	`15`	`];`