Add API Key and OAuth2 client restrictions

Kirby

Well-known member
XenForo 2.3 allows creating API keys and configuring the scopes they can be used for.

However, it is not possible to restrict them to specific IP addresses or to specify a start and / or expiry date.
Being able to restrict API keys in such a way could strengthen security, especially if the API is used to connect other (internal) services / apps.

XenForo 2.3 will add OAuth2 clients that will also use API scopes.

I therefore suggest making it possible to restrict API keys and OAuth2 clients to specific IP addresses / CIDR ranges and to set a start and / or expiry date.
 
Upvote 17
What would an example be of it failing to work? Like if the other site changed their server and thus their ip?

What's the benefit of this added security and how could it be circumvented if it didn't exist?
 
What would an example be of it failing to work? Like if the other site changed their server and thus their ip?
I am not sure if I understand this question?
If there was an IP restriction in place and an API call was made from an unauthorized IP the call would fail.
One such example would be if the consumer changed its IP address and the API Key or OAuth client hasn't been updated accordingly.

What's the benefit of this added security and how could it be circumvented if it didn't exist?
The benefit is that API keys and OAuth clients can only be used from authorized IPs (or for a certain time).
Only allowing whitelisted IPs is a pretty standard security mechanism - Facebook, CloudFlare, AutoDNS, etc. offer this functionality.
Doing so narrows possible attack vectors on API key abuse as they can only be used from certain IPs (or for a certain time).
So in case an API key gets compromised, an attacker would also have to make requests from the authorized IPs (and not just from anywhere).
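As an added illustration of the two restrictions discussed in this thread (this is example code written for this page, not XenForo's implementation and not code posted by Kirby), the check below authorizes an API key only if the current time falls inside its validity window, the requesting address lies inside one of its allowed networks, and the requested scope was granted. The record layout, the scope names, the sample networks and the reason strings are all assumptions made for the example; the two key records are constructed test data, not real keys. It also covers the dual-stack edge case where an IPv4 client shows up as an IPv4-mapped IPv6 address and would otherwise fail a v4 allow-list.

```python
"""Hypothetical API-key authorization check with IP/CIDR and validity-window
restrictions. Added example for illustration; not XenForo code."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple
import ipaddress


@dataclass
class ApiKeyRecord:
    """Assumed shape of a stored key/client record (fields are illustrative)."""
    key_id: str
    scopes: Set[str]
    # Networks the key may be used from; an empty list means "no IP restriction".
    allowed_networks: List[str] = field(default_factory=list)
    # Validity window in UTC; None on either side means unbounded.
    valid_from: Optional[datetime] = None
    valid_until: Optional[datetime] = None


def utc(year: int, month: int, day: int) -> datetime:
    """Helper to build timezone-aware UTC timestamps for the examples."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _normalize_ip(raw: str):
    """Parse the peer address. IPv4-mapped IPv6 (::ffff:a.b.c.d) is folded back
    to IPv4 so a v4 allow-list still matches behind a dual-stack listener."""
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def authorize(record: ApiKeyRecord, client_ip: str, scope: str,
              now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Reason strings are illustrative."""
    # Validity window first: an expired or not-yet-active key is rejected
    # regardless of where the request comes from.
    if record.valid_from is not None and now < record.valid_from:
        return False, "not_yet_valid"
    if record.valid_until is not None and now >= record.valid_until:
        return False, "expired"
    # Origin restriction. client_ip must be the real TCP peer address (or the
    # address a trusted reverse proxy vouches for), never an unverified
    # X-Forwarded-For header, or the allow-list can be bypassed trivially.
    try:
        addr = _normalize_ip(client_ip)
    except ValueError:
        return False, "bad_ip"
    if record.allowed_networks:
        nets = [ipaddress.ip_network(n, strict=False) for n in record.allowed_networks]
        # ipaddress returns False for an address/network version mismatch.
        if not any(addr in net for net in nets):
            return False, "ip_not_allowed"
    # Scope check last, as XenForo already does today.
    if scope not in record.scopes:
        return False, "scope_not_granted"
    return True, "ok"


# Constructed sample records (assumed networks, scopes and dates; not real keys).
INTERNAL_SERVICE_KEY = ApiKeyRecord(
    key_id="svc-sync",
    scopes={"thread:read", "node:read"},
    allowed_networks=["10.20.0.0/16", "2001:db8:1::/48"],
    valid_from=utc(2024, 1, 1),
    valid_until=utc(2025, 1, 1),
)
UNRESTRICTED_KEY = ApiKeyRecord(key_id="legacy", scopes={"thread:read"})


if __name__ == "__main__":
    now = utc(2024, 6, 1)
    # A leaked INTERNAL_SERVICE_KEY is only usable from the allowed networks,
    # and only until the end of 2024; the unrestricted key works from anywhere.
    for ip in ("10.20.5.7", "::ffff:10.20.5.7", "2001:db8:1::10", "203.0.113.9"):
        print(ip, authorize(INTERNAL_SERVICE_KEY, ip, "thread:read", now))
    print("expired:", authorize(INTERNAL_SERVICE_KEY, "10.20.5.7", "thread:read", utc(2025, 1, 15)))
    print("legacy:", authorize(UNRESTRICTED_KEY, "203.0.113.9", "thread:read", utc(2030, 1, 1)))
```

The order of checks matters little for correctness, but evaluating the time window before the network match keeps the cheap, data-free rejection first, and the scope check stays where XenForo already performs it so the new restrictions compose with the existing one rather than replacing it.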
 