access control id remote client

[highlevellogic]

Working towards a simple but effective access control. When the client is a browser, CORS is an approach. For other clients:

// local and remote ip addresses differ
// local has local ip of server machine
// remote has lan ip (router) within lan
// remote has public ip when client is outside of lan
console.log("localAddress: " + req.socket.localAddress);
console.log("remoteAddress: " + req.socket.remoteAddress);

Sufficient for password authentication for remote clients?
Comments welcome!

[highlevellogic]

Approach #2: Require https

const cert = req.connection.getPeerCertificate();
use cert.subject.CN for domain (common name)

or

cert.subjectaltname: 'DNS:*.nodejs.org, DNS:nodejs.org'
(But this is listed as optional in my reference.)

Is cert.subject.CN the truth?
The trick here seems to be understanding which fields are user defined and which are automatic - i.e. What are the fields the CA creates from the request -- i.e. that are guaranteed to be accurate?

whitelist / blacklist domains