From d85afa6c0688f4f33771404461686319f0da2fe1 Mon Sep 17 00:00:00 2001
From: Alexandre Pion
Date: Tue, 12 Oct 2021 15:33:14 +0200
Subject: [PATCH 1/3] Raise an error if method called from remote IP

The "add_api_user" method should be called from a local IP.
---
 lib/Zonemaster/Backend/RPCAPI.pm | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/Zonemaster/Backend/RPCAPI.pm b/lib/Zonemaster/Backend/RPCAPI.pm
index 76e20add2..687149de1 100644
--- a/lib/Zonemaster/Backend/RPCAPI.pm
+++ b/lib/Zonemaster/Backend/RPCAPI.pm
@@ -575,6 +575,12 @@ sub add_api_user {
 if ( $allow ) {
 $result = 1 if ( $self->{db}->add_api_user( $params->{username}, $params->{api_key} ) eq '1' );
 }
+ else {
+ die Zonemaster::Backend::Error::PermissionDenied->new(
+ message => 'Unauthorized to call this method from a remote IP',
+ data => { remote_ip => $remote_ip }
+ );
+ }
 };
 if ($@) {
 handle_exception( $@ );

From dd83a686e0971277c0130833eebd1bebc9035205 Mon Sep 17 00:00:00 2001
From: Alexandre Pion
Date: Tue, 12 Oct 2021 15:37:22 +0200
Subject: [PATCH 2/3] Update documentation with example output

---
 docs/API.md | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/docs/API.md b/docs/API.md
index d4281efe2..622aa32ae 100644
--- a/docs/API.md
+++ b/docs/API.md
@@ -1208,9 +1208,15 @@ Omitting params:
 Trying to add a user over non-localhost:
 ```json
 {
- "result": 0,
 "id": 1,
- "jsonrpc": "2.0"
+ "jsonrpc": "2.0",
+ "error": {
+ "code": -32603,
+ "data": {
+ "remote_ip": "10.0.0.1"
+ },
+ "message": "Unauthorized to call this method from a remote IP"
+ }
 }
 ```
 

From b03c8590f319cfd7c0e0bc1f529c73f52521604e Mon Sep 17 00:00:00 2001
From: Alexandre Pion
Date: Wed, 13 Oct 2021 09:20:59 +0200
Subject: [PATCH 3/3] Improve error wording

---
 docs/API.md | 2 +-
 lib/Zonemaster/Backend/RPCAPI.pm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/API.md b/docs/API.md
index 622aa32ae..2b7750100 100644
--- a/docs/API.md
+++ b/docs/API.md
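Review bot: The new `else` branch turns a remote call into a PermissionDenied error, but the sibling path where `$self->{db}->add_api_user(...)` does not return `'1'` still leaves `$result` untouched and returns silently, so the two refusal cases are now reported inconsistently; a local-but-refused call should either raise its own error or have its 0 result documented next to the new error. How `$allow` and `$remote_ip` are computed sits above the hunk, so it cannot be confirmed here that `$remote_ip` is the connection's peer address rather than a client-supplied value; since the whole local-only restriction rests on that, a comment at the check such as `# $remote_ip must be the socket peer address, not a forwarded header, or this check is bypassable` would make the assumption explicit for the next maintainer. add_api_user starts and ends outside the hunk.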
@@ -1215,7 +1215,7 @@ Trying to add a user over non-localhost:
 "data": {
 "remote_ip": "10.0.0.1"
 },
- "message": "Unauthorized to call this method from a remote IP"
+ "message": "Call to \"add_api_user\" method not permitted from a remote IP"
 }
 }
 ```
diff --git a/lib/Zonemaster/Backend/RPCAPI.pm b/lib/Zonemaster/Backend/RPCAPI.pm
index 687149de1..5f3c178a9 100644
--- a/lib/Zonemaster/Backend/RPCAPI.pm
+++ b/lib/Zonemaster/Backend/RPCAPI.pm
@@ -577,7 +577,7 @@ sub add_api_user {
 }
 else {
 die Zonemaster::Backend::Error::PermissionDenied->new(
- message => 'Unauthorized to call this method from a remote IP',
+ message => 'Call to "add_api_user" method not permitted from a remote IP',
 data => { remote_ip => $remote_ip }
 );
 }