Merge pull request #130 from axelarnetwork/feat/block-sanctioned-and-…

…wartorn-countries feat/block sanctioned and embargoed countries
axelarnetwork · Jan 11, 2024 · 711749a · 711749a · vercel · Jan 11, 2024
2 parents d463413 + 6502b13
commit 711749a
Show file tree

Hide file tree

Showing 2 changed files with 83 additions and 0 deletions.
diff --git a/apps/maestro/src/middleware.ts b/apps/maestro/src/middleware.ts
@@ -0,0 +1,65 @@
+import { NextResponse, type NextRequest } from "next/server";
+
+// Limit middleware pathname config
+export const config = {
+  matcher: [
+    /*
+     * Match all request paths except for the ones starting with:
+     * - api (API routes)
+     * - _next/static (static files)
+     * - _next/image (image optimization files)
+     * - favicon.ico (favicon file)
+     */
+    "/((?!api|logos|_next/static|_next/image|favicon.ico).*)",
+  ],
+};
+
+export function middleware(req: NextRequest) {
+  // Extract country
+  const country = req.geo?.country ?? "US";
+
+  const isBlocked = BLOCKED_COUNTRIES.includes(country);
+
+  if (!isBlocked && req.nextUrl.pathname === "/restricted") {
+    req.nextUrl.pathname = "/";
+    return NextResponse.redirect(req.nextUrl);
+  }
+
+  if (isBlocked) {
+    console.info("unauthorized_access_attempt:", {
+      ...(req.geo ?? {}),
+      ip: req.ip,
+      userAgent: req.headers.get("user-agent"),
+    });
+
+    req.nextUrl.pathname = "/restricted";
+  }
+
+  // Rewrite to URL
+  return NextResponse.rewrite(req.nextUrl);
+}
+
+/**
+ * Blocked sanctioned or embargoed countries
+ * based on https://orpa.princeton.edu/export-controls/sanctioned-countries
+ */
+const BLOCKED_COUNTRIES: string[] = [
+  "CU", // Cuba
+  "IR", // Iran
+  "KP", // North Korea
+  "RU", // Russia
+  "SY", // Syria
+  "UA-CR", // Crimea (Ukraine)
+  "UA-DN", // Donetsk (Ukraine)
+  "UA-LU", // Luhansk (Ukraine)
+  "BA", // Balkans
+  "BY", // Belarus
+  "MM", // Burma (Myanmar)
+  "CD", // Congo, Dem. Rep. of
+  "ET", // Ethiopia
+  "HK", // Hong Kong
+  "SD", // Sudan
+  "VE", // Venezuela
+  "YE", // Yemen
+  "ZW", // Zimbabwe,
+];
diff --git a/apps/maestro/src/pages/restricted.tsx b/apps/maestro/src/pages/restricted.tsx
@@ -0,0 +1,18 @@
+import { AlertTriangleIcon, Card } from "@axelarjs/ui";
+import type { FC } from "react";
+
+const RestrictedPage: FC = () => (
+  <div className="bg-base-100 absolute inset-0 z-10 grid min-h-[100dvh] place-items-center overflow-y-scroll">
+    <Card className="bg-warning text-warning-content">
+      <Card.Body>
+        <Card.Title>
+          <AlertTriangleIcon />
+          Your access is restricted
+        </Card.Title>
+        Access from this IP address or location is restricted.
+      </Card.Body>
+    </Card>
+  </div>
+);
+
+export default RestrictedPage;