feat: geoblock country and region#810

Open
rmeena840 wants to merge 4 commits into master from 807-byield-geoblock

rmeena840 commented Feb 2, 2026

Description

Closes: #807


Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

  • included the correct type prefix in the PR title
  • added ! to the type prefix if API or client breaking change
  • added appropriate labels to the PR
  • provided a link to the relevant issue or specification
  • updated the relevant documentation or specification
  • reviewed "Files changed" and left comments if necessary

Summary by Sourcery

New Features:

  • Add geoblocking of requests from specific sanctioned countries and regions using Cloudflare geolocation headers.

Signed-off-by: rmeena840 <rmeena840@gmail.com>
rmeena840 self-assigned this Feb 2, 2026
rmeena840 requested a review from a team as a code owner February 2, 2026 07:27
rmeena840 linked an issue Feb 2, 2026 that may be closed by this pull request

sourcery-ai bot commented Feb 2, 2026

Reviewer's Guide

Adds server-side geoblocking based on Cloudflare-provided country and region headers, returning a 403 response for sanctioned locations before rendering the app.

Sequence diagram for geoblocked request handling on server

sequenceDiagram
    actor User
    participant Browser
    participant Cloudflare
    participant RemixServer

    User->>Browser: Request page
    Browser->>Cloudflare: HTTP request
    Cloudflare->>Cloudflare: Attach cf_ipcountry and cf_region headers
    Cloudflare->>RemixServer: Forward request with headers

    RemixServer->>RemixServer: Read cf_ipcountry and cf_region
    RemixServer->>RemixServer: Check against SANCTIONED_COUNTRY_REGION
    alt Request from sanctioned country or region
        RemixServer-->>Cloudflare: 403 Access denied response
        Cloudflare-->>Browser: 403 Access denied response
        Browser-->>User: Show access denied
    else Request from allowed location
        RemixServer->>RemixServer: renderToReadableStream
        RemixServer-->>Cloudflare: 200 HTML response
        Cloudflare-->>Browser: 200 HTML response
        Browser-->>User: Render application
    end

File-Level Changes

Change: Introduce a sanctioned country and region configuration and enforce it on every server request before rendering.
Details:
  • Define a SANCTIONED_COUNTRY_REGION constant listing blocked ISO country codes and region names (Crimea, Donetsk, Luhansk).
  • Read Cloudflare geolocation headers (cf-ipcountry, cf-region) from the incoming request in the server entry handler.
  • Determine whether the request originates from a sanctioned country or region and short-circuit the request pipeline with a 403 response and explanatory message if so, reusing existing response headers.
Files: app/entry.server.tsx

Assessment against linked issues

| Issue | Objective | Addressed | Explanation |
|---|---|---|---|
| #807 | Implement logic in the BYield app server to geoblock requests originating from sanctioned countries and regions. | | |
| #807 | Integrate a maintainable sanctions data source (e.g., sanctions database or configurable list) for sanctioned countries/regions, or document how the sanctioned list is derived and updated. | | The PR introduces a hardcoded SANCTIONED_COUNTRY_REGION list directly in entry.server.tsx, with no integration to an external sanctions database, configuration source, or documentation on how the list is maintained or updated. |
| #807 | Determine and implement whether sanctions data should be cached in the BYield worker database, or document the decision and approach. | | The changes only add request-time checks using Cloudflare headers and a hardcoded list. There is no code or documentation related to caching sanctions data in a worker DB or any other storage. |

Possibly linked issues

  • BYield: geoblock #807: PR implements the geoblocking behavior requested in the issue using Cloudflare headers and a sanctioned list.

@sourcery-ai sourcery-ai bot left a comment

Hey - I've left some high level feedback:

  • Consider moving SANCTIONED_COUNTRY_REGION into a shared config or constants module so it can be reused and updated without touching the entry server code.
  • It might be safer to normalize the cf-ipcountry and cf-region header values (e.g., trim and upper/lowercase) before comparing, to avoid subtle mismatches due to casing or whitespace differences.
  • The response message 'Access denied: country restricted' could be adjusted to reflect that either the country or region may be restricted, to better match the new logic.

Signed-off-by: rmeena840 <rmeena840@gmail.com>

Copilot AI left a comment

Pull request overview

This PR adds basic geoblocking at the server entry point to deny access from sanctioned countries and regions based on Cloudflare geolocation headers, addressing compliance requirements from issue #807.

Changes:

  • Introduced a SANCTIONED_COUNTRY_REGION configuration listing sanctioned country ISO codes and specific regions.
  • Updated handleRequest in app/entry.server.tsx to read Cloudflare cf-ipcountry and cf-region headers and short‑circuit with a 403 response when a request originates from a sanctioned country or region.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| app/entry.server.tsx | Adds geolocation header checks and returns a 403 response when the request appears to come from a sanctioned country or region. |
| app/config/sanctions.ts | Defines the static configuration object of sanctioned country codes and regions used by the entrypoint geoblocking logic. |

Signed-off-by: rmeena840 <rmeena840@gmail.com>
const ipCountryCode = request.headers.get("cf-ipcountry");
const ipRegion = request.headers.get("cf-region");
const isCountrySanctioned = ipCountryCode && SANCTIONED_COUNTRY_REGION.country.includes(ipCountryCode);
const isRegionSanctioned = ipRegion && SANCTIONED_COUNTRY_REGION.regions.includes(ipRegion);
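Review bot: both checks short-circuit on a falsy header value, so when cf-ipcountry or cf-region is absent (request.headers.get returns null) isCountrySanctioned and isRegionSanctioned are both falsy and the request passes as not sanctioned; make the missing-header case an explicit allow-or-deny decision and log it rather than leaving it implicit in the && expressions. The includes calls are also exact, case-sensitive matches on the raw header strings, so trim and case-normalize ipCountryCode and ipRegion before comparing, and confirm that the entries in SANCTIONED_COUNTRY_REGION.regions are spelled the way the cf-region header spells them.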
Contributor

Is there a fallback solution if the header is not included?

Contributor Author

If the header is not included, then it will be set to null. There is no other fallback solution for this.

Signed-off-by: rmeena840 <rmeena840@gmail.com>
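
An added example (not code from this pull request) of the geoblock check with the two review points applied: header values are normalized before comparison, and a missing or unknown country becomes an explicit policy choice instead of an implicit allow. The country code ZZ, the lowercase region spellings, the failClosed flag and all function names are assumptions for illustration; XX is the value Cloudflare sends in cf-ipcountry when it has no country data.

```typescript
// Added example; list contents are placeholders, not the project's sanctions list.
interface HeaderReader {
  get(name: string): string | null; // request.headers satisfies this shape
}

type GeoDecision = "allow" | "deny-country" | "deny-region" | "deny-unknown";

const SANCTIONED = {
  country: ["ZZ"], // constructed placeholder ISO code
  regions: ["crimea", "donetsk", "luhansk"], // names from the PR text, lowercased (assumed spelling)
};
const UNKNOWN_COUNTRY = "XX"; // Cloudflare's value when it has no country data

function clean(value: string | null): string {
  return value === null ? "" : value.trim();
}

// failClosed decides what happens when no usable country is present.
function geoDecision(headers: HeaderReader, failClosed: boolean): GeoDecision {
  const country = clean(headers.get("cf-ipcountry")).toUpperCase();
  const region = clean(headers.get("cf-region")).toLowerCase();

  if (SANCTIONED.country.indexOf(country) !== -1) return "deny-country";
  if (SANCTIONED.regions.indexOf(region) !== -1) return "deny-region";
  if (country === "" || country === UNKNOWN_COUNTRY) {
    return failClosed ? "deny-unknown" : "allow";
  }
  return "allow";
}

// Maps a decision to the 403 body; null means continue to rendering.
function denialBody(decision: GeoDecision): string | null {
  switch (decision) {
    case "deny-country": return "Access denied: country restricted";
    case "deny-region": return "Access denied: region restricted";
    case "deny-unknown": return "Access denied: location could not be determined";
    default: return null;
  }
}

// Constructed stand-in for request.headers (keys must be lowercase).
function fakeHeaders(values: { [name: string]: string }): HeaderReader {
  return {
    get: (name: string) => {
      const v = values[name];
      return typeof v === "string" ? v : null;
    },
  };
}
```

With failClosed set to false the function reproduces the behaviour described in the thread (no header, no block); setting it to true turns the same case into a 403.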