feat: add validate_resource_server_ip feature flag to config and check to validate

[romanetar]

ref https://app.clickup.com/t/86b82z68f

Summary by CodeRabbit

• New Features

  • Added optional resource server IP validation that can be enabled via environment variable.

• Chores

  • Added new configuration option and environment variable setup.

[smarcet]

LGTM

[coderabbitai]

📝 Walkthrough

Walkthrough

A new configuration option OAUTH2_VALIDATE_RESOURCE_SERVER_IP is introduced to conditionally guard resource server IP address and audience validation during OAuth2 bearer token authentication. The feature is disabled by default and toggled via environment variable.

Changes

Cohort / File(s)	Summary
Configuration & Environment .env.example, config/oauth2.php	Added new OAUTH2_VALIDATE_RESOURCE_SERVER_IP environment variable and corresponding configuration option with documentation explaining the validation behavior.
Bearer Token Strategy app/libs/OAuth2/GrantTypes/Strategies/ValidateBearerTokenResourceServerStrategy.php	Wrapped resource server IP validation and audience checks in a conditional block controlled by the new config flag. Both validations execute only when the config flag is true.
Resource Server Model app/Models/OAuth2/ResourceServer.php	Minor formatting adjustment: added blank line after opening brace in the isOwn method.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Strategy as ValidateBearerTokenStrategy
    participant Config as Configuration
    participant IP as IP Validator
    participant Audience as Audience Validator
    
    Client->>Strategy: Bearer token request
    Strategy->>Config: Check OAUTH2_VALIDATE_RESOURCE_SERVER_IP
    
    alt Config Flag Enabled
        Config-->>Strategy: true
        Strategy->>IP: Validate resource server IP<br/>vs request IP
        alt IP Valid
            IP-->>Strategy: ✓ Match
            Strategy->>Audience: Validate token audience
            alt Audience Valid
                Audience-->>Strategy: ✓ Authorized
                Strategy-->>Client: Token accepted
            else Audience Invalid
                Audience-->>Strategy: ✗ Unauthorized audience
                Strategy-->>Client: 401 Unauthorized
            end
        else IP Invalid
            IP-->>Strategy: ✗ IP mismatch
            Strategy-->>Client: 401 Unauthorized
        end
    else Config Flag Disabled
        Config-->>Strategy: false
        Strategy-->>Client: Token accepted<br/>(skip validation)
    end

Loading

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A toggle appears, so clever and neat,
OAuth2 validation now bittersweet!
IP addresses checked when the flag's turned to true,
Conditional logic—what wonderful brew!
Security dances to config's sweet tune. 🔐✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding a validate_resource_server_ip feature flag to config and implementing the corresponding validation check.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/toggle-ip-addr-whitelisting

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can use your project's `phpmd` ruleset to improve the quality of PHP code reviews.

You can customize the ruleset in your CodeRabbit configuration, or provide a path to a custom ruleset file.

[github-actions]

📘 OpenAPI / Swagger preview

➡️ https://OpenStackweb.github.io/openstackid/openapi/pr-98/

This page is automatically updated on each push to this PR.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.env.example:
- Line 118: The env example and the application default disagree: the env var
OAUTH2_VALIDATE_RESOURCE_SERVER_IP is set to true in .env.example while the app
default in config (OAUTH2_VALIDATE_RESOURCE_SERVER_IP defaulting to false) is
false; make them consistent by either changing the .env.example value to false
to match the current default or updating the config default to true so the
example reflects actual behavior—update the OAUTH2_VALIDATE_RESOURCE_SERVER_IP
entry accordingly and ensure any README or setup notes mirror that choice.

In `@config/oauth2.php`:
- Around line 1-15: The config key 'validate_resource_server_ip' currently
defaults to env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', false) which disables IP
validation by default; change the default to true so the expression becomes
env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', true) (preserving existing security
behavior) and update any inline comment if needed to reflect that operators must
explicitly opt out via the OAUTH2_VALIDATE_RESOURCE_SERVER_IP environment
variable.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6aa5bcd1-01d1-41fb-b04c-898df3346761

📥 Commits

Reviewing files that changed from the base of the PR and between 4b5b726 and 92df7f7.

📒 Files selected for processing (4)

• .env.example
• app/Models/OAuth2/ResourceServer.php
• app/libs/OAuth2/GrantTypes/Strategies/ValidateBearerTokenResourceServerStrategy.php
• config/oauth2.php

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Inconsistency between example value and config default.

The example sets OAUTH2_VALIDATE_RESOURCE_SERVER_IP=true, but config/oauth2.php defaults to false when the env var is not set. Developers copying this example will get validation enabled, but fresh deployments without explicit configuration will have it disabled.

Consider aligning these: either default to true in the config (preserving existing security behavior) or set the example to false to match the actual default.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.env.example at line 118, The env example and the application default
disagree: the env var OAUTH2_VALIDATE_RESOURCE_SERVER_IP is set to true in
.env.example while the app default in config (OAUTH2_VALIDATE_RESOURCE_SERVER_IP
defaulting to false) is false; make them consistent by either changing the
.env.example value to false to match the current default or updating the config
default to true so the example reflects actual behavior—update the
OAUTH2_VALIDATE_RESOURCE_SERVER_IP entry accordingly and ensure any README or
setup notes mirror that choice.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Consider defaulting to true to preserve existing security behavior.

This feature flag defaults to false, which disables resource server IP validation. If existing deployments previously relied on this validation (which was unconditional before this PR), upgrading without setting the env var will silently reduce their security posture.

A safer migration path would be to default to true (preserving current behavior) and let operators explicitly opt out if needed.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@config/oauth2.php` around lines 1 - 15, The config key
'validate_resource_server_ip' currently defaults to
env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', false) which disables IP validation by
default; change the default to true so the expression becomes
env('OAUTH2_VALIDATE_RESOURCE_SERVER_IP', true) (preserving existing security
behavior) and update any inline comment if needed to reflect that operators must
explicitly opt out via the OAUTH2_VALIDATE_RESOURCE_SERVER_IP environment
variable.