Handle cidrs correctly

server/lib/ip.ts

@@ -274,13 +274,4 @@ export async function getNextAvailableOrgSubnet(): Promise<string> {
     }
 
     return subnet;
-}
-
-export function isValidCidr(cidr: string): boolean {
-    try {
-        cidrToRange(cidr);
-        return true;
-    } catch (e) {
-        return false;
-    }
 }

server/routers/client/createClient.ts

@@ -9,7 +9,8 @@ import {
     userClients,
     olms,
     clientSites,
-    exitNodes
+    exitNodes,
+    orgs
 } from "@server/db/schema";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -19,7 +20,8 @@ import { eq, and } from "drizzle-orm";
 import { fromError } from "zod-validation-error";
 import moment from "moment";
 import { hashPassword } from "@server/auth/password";
-import { isValidCIDR } from "@server/lib/validators";
+import { isValidCIDR, isValidIP } from "@server/lib/validators";
+import { isIpInCidr } from "@server/lib/ip";
 
 const createClientParamsSchema = z
     .object({
@@ -78,7 +80,7 @@ export async function createClient(
             );
         }
 
-        if (subnet && !isValidCIDR(subnet)) {
+        if (subnet && !isValidIP(subnet)) {
             return next(
                 createHttpError(
                     HttpCode.BAD_REQUEST,
@@ -87,6 +89,31 @@ export async function createClient(
             );
         }
 
+        const [org] = await db
+            .select()
+            .from(orgs)
+            .where(eq(orgs.orgId, orgId));
+
+        if (!org) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    `Organization with ID ${orgId} not found`
+                )
+            );
+        }
+
+        if (subnet && !isIpInCidr(subnet, org.subnet)) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "IP is not in the CIDR range of the subnet."
+                )
+            );
+        }
+
+        const updatedSubnet = `${subnet}/${org.subnet.split("/")[1]}`; // we want the block size of the whole org
+
         await db.transaction(async (trx) => {
             // TODO: more intelligent way to pick the exit node
 
@@ -123,7 +150,7 @@ export async function createClient(
                     exitNodeId: exitNode.exitNodeId,
                     orgId,
                     name,
-                    subnet,
+                    subnet: updatedSubnet,
                     type
                 })
                 .returning();

server/routers/client/pickClientDefaults.ts

@@ -44,7 +44,7 @@ export async function pickClientDefaults(
 
         const newSubnet = await getNextAvailableClientSubnet(orgId);
 
-        const subnet = `${newSubnet.split("/")[0]}/${config.getRawConfig().orgs.block_size}`; // we want the block size of the whole org
+        const subnet = newSubnet.split("/")[0];
 
         return response<PickClientDefaultsResponse>(res, {
             data: {

server/routers/newt/handleGetConfigMessage.ts

@@ -73,6 +73,8 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
             return;
         }
 
+        // TODO: WE NEED TO PULL THE CIDR FROM THE DB SUBNET ON THE ORG INSTEAD BECAUSE IT CAN BE DIFFERENT
+        // TODO: SOMEHOW WE NEED TO ALLOW THEM TO PUT IN THEIR OWN ADDRESS
         address = `${address.split("/")[0]}/${config.getRawConfig().orgs.block_size}`; // we want the block size of the whole org
 
         // Update the site with new WireGuard info