Support restricting API token access based on IP address

pkg/settings/setting.go

@@ -370,6 +370,7 @@ type Config struct {
 	PasswordResetTokenExpiredTime         uint32
 	PasswordResetTokenExpiredTimeDuration time.Duration
 	EnableAPIToken                        bool
+	APITokenAllowedRemoteIPs              []*core.IPPattern
 	MaxFailuresPerIpPerMinute             uint32
 	MaxFailuresPerUserPerMinute           uint32
 
@@ -667,29 +668,13 @@ func loadServerConfiguration(config *Config, configFile *ini.File, sectionName s
 }
 
 func loadMCPServerConfiguration(config *Config, configFile *ini.File, sectionName string) error {
+	var err error
+
 	config.EnableMCPServer = getConfigItemBoolValue(configFile, sectionName, "enable_mcp", false)
-	mcpAllowedRemoteIps := getConfigItemStringValue(configFile, sectionName, "mcp_allowed_remote_ips", "")
+	config.MCPAllowedRemoteIPs, err = getIPPatterns(configFile, sectionName, "mcp_allowed_remote_ips", "")
 
-	if mcpAllowedRemoteIps != "" {
-		remoteIPs := strings.Split(mcpAllowedRemoteIps, ",")
-		config.MCPAllowedRemoteIPs = make([]*core.IPPattern, 0, len(remoteIPs))
-
-		for i := 0; i < len(remoteIPs); i++ {
-			ip := strings.TrimSpace(remoteIPs[i])
-			pattern, err := core.ParseIPPattern(ip)
-
-			if err != nil {
-				return err
-			}
-
-			if pattern == nil {
-				continue
-			}
-
-			config.MCPAllowedRemoteIPs = append(config.MCPAllowedRemoteIPs, pattern)
-		}
-	} else {
-		config.MCPAllowedRemoteIPs = nil
+	if err != nil {
+		return err
 	}
 
 	return nil
@@ -976,6 +961,8 @@ func loadCronConfiguration(config *Config, configFile *ini.File, sectionName str
 }
 
 func loadSecurityConfiguration(config *Config, configFile *ini.File, sectionName string) error {
+	var err error
+
 	config.SecretKeyNoSet = !getConfigItemIsSet(configFile, sectionName, "secret_key")
 	config.SecretKey = getConfigItemStringValue(configFile, sectionName, "secret_key", defaultSecretKey)
 
@@ -1018,6 +1005,11 @@ func loadSecurityConfiguration(config *Config, configFile *ini.File, sectionName
 	config.PasswordResetTokenExpiredTimeDuration = time.Duration(config.PasswordResetTokenExpiredTime) * time.Second
 
 	config.EnableAPIToken = getConfigItemBoolValue(configFile, sectionName, "enable_api_token", false)
+	config.APITokenAllowedRemoteIPs, err = getIPPatterns(configFile, sectionName, "api_token_allowed_remote_ips", "")
+
+	if err != nil {
+		return err
+	}
 
 	config.MaxFailuresPerIpPerMinute = getConfigItemUint32Value(configFile, sectionName, "max_failures_per_ip_per_minute", defaultMaxFailuresPerIpPerMinute)
 	config.MaxFailuresPerUserPerMinute = getConfigItemUint32Value(configFile, sectionName, "max_failures_per_user_per_minute", defaultMaxFailuresPerUserPerMinute)
@@ -1260,6 +1252,34 @@ func getFinalPath(workingPath, p string) (string, error) {
 	return p, err
 }
 
+func getIPPatterns(configFile *ini.File, sectionName string, itemName string, defaultValue string) ([]*core.IPPattern, error) {
+	configValue := getConfigItemStringValue(configFile, sectionName, itemName, defaultValue)
+
+	if configValue == "" {
+		return nil, nil
+	}
+
+	remoteIPs := strings.Split(configValue, ",")
+	ipPatterns := make([]*core.IPPattern, 0, len(remoteIPs))
+
+	for i := 0; i < len(remoteIPs); i++ {
+		ip := strings.TrimSpace(remoteIPs[i])
+		pattern, err := core.ParseIPPattern(ip)
+
+		if err != nil {
+			return nil, err
+		}
+
+		if pattern == nil {
+			continue
+		}
+
+		ipPatterns = append(ipPatterns, pattern)
+	}
+
+	return ipPatterns, nil
+}
+
 func getMultiLanguageContentConfig(configFile *ini.File, sectionName string, enableKey string, contentKey string) MultiLanguageContentConfig {
 	config := MultiLanguageContentConfig{
 		Enabled:              getConfigItemBoolValue(configFile, sectionName, enableKey, false),