{"id":18338,"library":"express-ip-access-control","title":"express-ip-access-control","description":"An Express.js middleware for IP-based access control, supporting whitelist/blacklist modes, IPv4, IPv6, CIDR, and IPv4-mapped IPv6 addresses. Current stable version is 1.1.3, released June 2018, with no recent updates. Key features include force connection address, custom deny actions (redirect or message), custom logging, and Node.js/Express 4 compatibility. Differentiators: lightweight, zero dependencies besides ipaddr.js (bundled), simple API for common IP filtering patterns.","status":"maintenance","version":"1.1.3","language":"javascript","source_language":"en","source_url":"https://github.com/KennyTangHK/express-ip-access-control","tags":["javascript","expressjs","middleware","filter","ip","access","typescript"],"install":[{"cmd":"npm install express-ip-access-control","lang":"bash","label":"npm"},{"cmd":"yarn add express-ip-access-control","lang":"bash","label":"yarn"},{"cmd":"pnpm add express-ip-access-control","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Designed as Express middleware for version 4.x","package":"express","optional":false},{"reason":"Used internally for IP address parsing and CIDR matching","package":"ipaddr.js","optional":false}],"imports":[{"note":"Package is CJS-only, no ESM or TypeScript type declarations shipped. Use require for Node.js.","symbol":"default","correct":"const AccessControl = require('express-ip-access-control');"},{"note":"No default export for ESM; CJS require works. Use dynamic import if needed: import('express-ip-access-control').then(...)","wrong":"import AccessControl from 'express-ip-access-control';","symbol":"default","correct":"const AccessControl = require('express-ip-access-control');"},{"note":"ipMatch is attached to the default export function, not a separate named export.","wrong":"const { ipMatch } = require('express-ip-access-control');","symbol":"ipMatch","correct":"const AccessControl = require('express-ip-access-control');\nAccessControl.ipMatch(...);"}],"quickstart":{"code":"const express = require('express');\nconst AccessControl = require('express-ip-access-control');\n\nconst app = express();\n\nconst options = {\n  mode: 'deny',           // Blacklist mode: allow all except listed denies\n  denys: ['192.168.1.100', '10.0.0.0/8'],  // IPs to block\n  allows: [],             // No whitelist exceptions\n  forceConnectionAddress: false,  // Use req.ip (trust proxy aware)\n  statusCode: 403,        // Forbidden\n  message: 'Access denied',\n  log: (clientIp, access) => {\n    console.log(`${clientIp} ${access ? 'accessed' : 'denied'}`);\n  }\n};\n\napp.use(AccessControl(options));\n\napp.get('/', (req, res) => res.send('Welcome!'));\n\napp.listen(3000);","lang":"javascript","description":"Shows basic setup: require the package, configure options for deny mode, block specific IPs and CIDR ranges, apply middleware to Express app."},"warnings":[{"fix":"Use exact property names: denys and allows (with 'y' and double 'l').","message":"Options object's 'denys' and 'allows' are misspelled (denys vs denies, allows vs allows). These are the correct property names; any alternative spelling will be ignored.","severity":"breaking","affected_versions":">=0.0.0"},{"fix":"Consider alternatives like express-ipfilter or write custom middleware using ipaddr.js directly.","message":"Package not actively maintained; last release June 2018. May have unpatched vulnerabilities or incompatibility with newer Express/Node versions.","severity":"deprecated","affected_versions":">=1.0.0"},{"fix":"Set statusCode to 301 or 302 along with redirectTo for redirect behavior.","message":"When using 'redirectTo', statusCode must be 301 or 302; otherwise res.send() will be used. Non-redirect status codes with redirectTo set will silently ignore redirectTo.","severity":"gotcha","affected_versions":">=0.0.0"},{"fix":"Be explicit in your lists: use pure IPv4 or pure IPv6 addresses; understand that conversion happens automatically.","message":"IPv4 mapped IPv6 addresses (e.g., ::ffff:192.0.2.1) are automatically converted to IPv4. If your list contains IPv6 addresses, they will match IPv4-mapped counterparts, which may cause unexpected matches.","severity":"gotcha","affected_versions":">=0.0.0"},{"fix":"In 'allow' mode, only IPs in 'allows' (minus any in 'denys') are allowed. Use the mode that matches your mental model: 'deny' for blacklist, 'allow' for whitelist.","message":"If mode is 'allow' (whitelist), the 'denys' list acts as an exception (blacklist) within the whitelist. This inverted logic can be confusing.","severity":"gotcha","affected_versions":">=0.0.0"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Use const AccessControl = require('express-ip-access-control');","cause":"Using ESM import instead of CommonJS require.","error":"TypeError: AccessControl is not a function"},{"fix":"Run npm install express","cause":"express is a peer dependency, not automatically installed.","error":"Error: Cannot find module 'express'"},{"fix":"Ensure options object is provided: AccessControl({ denys: [...], ... })","cause":"Forgetting to pass options object or passing undefined.","error":"Cannot read property 'denys' of undefined"},{"fix":"Ensure all IP strings are valid IPv4, IPv6, or CIDR notation (e.g., '192.168.1.1', '::1', '10.0.0.0/24').","cause":"Providing an invalid IP string or empty string in denys/allows list.","error":"Invalid IP address: ..."}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}