[PR #388] Add API setting registration_allowfrom #401

Open
opened 2026-03-13 16:21:45 +03:00 by kerem · 0 comments
📋 Pull Request Information

Original PR: https://github.com/acme-dns/acme-dns/pull/388
Author: @candlerb
Created: 6/24/2025
Status: 🔄 Open

Base: master ← Head: candlerb/216


📝 Commits (1)

  • 9aaec6c Add API setting registration_allowfrom

📊 Changes

11 files changed (+129 additions, -92 deletions)

📝 README.md (+2 -0)
📝 config.cfg (+2 -0)
📝 pkg/acmedns/acmetxt.go (+0 -33)
➖ pkg/acmedns/acmetxt_test.go (+0 -38)
📝 pkg/acmedns/cidrslice.go (+31 -0)
📝 pkg/acmedns/cidrslice_test.go (+34 -0)
📝 pkg/acmedns/config.go (+4 -0)
📝 pkg/acmedns/types.go (+14 -13)
📝 pkg/api/api_test.go (+28 -4)
📝 pkg/api/auth.go (+4 -4)
📝 pkg/api/register.go (+10 -0)

📄 Description

Fixes #216

Repurpose the user "allowfrom" code to add a new API setting registration_allowfrom, so that the API can be open to the Internet but registration only accepted from trusted IP addresses.

For discussion:

  • The setting name registration_allowfrom is not symmetrical with disable_registration. Furthermore, "allowfrom" ought to be two words, but I was copying what the API does.
    I am happy to change it to something else, maybe restrict_registration. However, I think it would be good to leave the door open to adding future restrictions on registration, e.g. having a static username/password or HTTP Basic Auth. I note that other settings share a common prefix (e.g. tls_* or log*).
  • Some care is needed when applying this setting. If you mistype the name, or put it in the wrong section like [general], then it will be silently ignored, and your registration will be open to the world. But the same is true of other settings, including disable_registration. It would be more secure if the TOML parser could be made strict: see #294

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
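
The kind of check the description above refers to, restricting registration to trusted source addresses, sketched as an added example using only the Go standard library; it is not code from this PR or from acme-dns. The function names `parseAllowFrom` and `registrationAllowed`, the sample addresses, and the empty-list behaviour are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// parseAllowFrom validates every entry at load time, so a malformed entry is
// a startup error. A bare IP becomes a /32 or /128 prefix.
func parseAllowFrom(entries []string) ([]netip.Prefix, error) {
	prefixes := make([]netip.Prefix, 0, len(entries))
	for _, e := range entries {
		p, err := netip.ParsePrefix(e)
		if err != nil {
			a, aerr := netip.ParseAddr(e)
			if aerr != nil {
				return nil, fmt.Errorf("invalid allowfrom entry %q: %w", e, err)
			}
			p = netip.PrefixFrom(a, a.BitLen())
		}
		prefixes = append(prefixes, p.Masked())
	}
	return prefixes, nil
}

// registrationAllowed checks remoteAddr ("ip:port", the form of
// http.Request.RemoteAddr) against the list. Assumption: an empty list means
// "unrestricted", which is how a mistyped or misplaced key leaves registration open.
func registrationAllowed(prefixes []netip.Prefix, remoteAddr string) bool {
	if len(prefixes) == 0 {
		return true
	}
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return false // unparseable peer address: fail closed
	}
	addr := ap.Addr().Unmap() // treat ::ffff:192.0.2.10 as 192.0.2.10
	for _, p := range prefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values (documentation address ranges).
	allow, err := parseAllowFrom([]string{"192.0.2.0/24", "2001:db8::1"})
	fmt.Println(allow, err, registrationAllowed(allow, "[::ffff:192.0.2.10]:443"))
}
```

Behind a reverse proxy the peer address is the proxy's, so a check like this is only meaningful against the address the deployment actually trusts as the client's.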
