Dev: Add IP Restriction for Access Token and HMAC in Shield #1255

Open
@datamweb

Why?

If a token or HMAC key is leaked, it can only be used from specified IP addresses (Enhanced Security).
Requests from unknown IPs will be rejected (Prevents Unauthorized Access).
Many financial and payment services use this method (Industry Standard for Sensitive APIs).

Demo:

[Image]

  1. Store allowed_ips in the extra field (as JSON) or add a dedicated allowed_ips column to auth_identities
  2. Store allowed IPs when generating a token
  3. Validate IP when using a token
  4. Allow enabling/disabling this feature in Config/AuthToken.php
  5. Support for multiple IPs

If you disagree or have suggestions for improvement, feel free to comment.
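
A sketch of the validation step in the list above, added here as an illustration; it is not part of the issue and not Shield code. It assumes the allow-list is stored under an `allowed_ips` key in the identity's JSON `extra` value, and it goes beyond the proposal by also accepting CIDR ranges and IPv6. The function names, the `$enabled` switch and the sample addresses are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; nothing here is Shield's API.

/** True when $clientIp equals $rule, or lies inside it when $rule is CIDR. */
function ipMatches(string $clientIp, string $rule): bool
{
    [$net, $bits] = array_pad(explode('/', $rule, 2), 2, null);
    $client = @inet_pton($clientIp); // binary form: equivalent spellings compare equal
    $base   = @inet_pton($net);
    if ($client === false || $base === false || strlen($client) !== strlen($base)) {
        return false;                // invalid address, or IPv4 rule vs IPv6 client
    }
    $max = strlen($base) * 8;
    $bits ??= (string) $max;         // a bare address is a full-length prefix
    if (!ctype_digit($bits) || (int) $bits > $max) {
        return false;                // malformed prefix length
    }
    $bits = (int) $bits;
    $mask = str_repeat("\xFF", intdiv($bits, 8));
    if ($bits % 8 !== 0) {
        $mask .= chr((0xFF << (8 - $bits % 8)) & 0xFF);
    }
    $mask = str_pad($mask, strlen($base), "\x00");
    return ($client & $mask) === ($base & $mask);
}

/** $extra is the identity's JSON "extra" value; $enabled is the config switch. */
function tokenAllowedFromIp(bool $enabled, ?string $extra, string $clientIp): bool
{
    $data = json_decode($extra ?? '', true);
    if (!$enabled || !is_array($data) || !array_key_exists('allowed_ips', $data)) {
        return true;                 // feature off, or no restriction stored
    }
    // A stored value that is not a list fails closed: nothing matches.
    $rules = is_array($data['allowed_ips']) ? $data['allowed_ips'] : [];
    foreach ($rules as $rule) {
        if (is_string($rule) && ipMatches($clientIp, $rule)) {
            return true;
        }
    }
    return false;
}

// Constructed sample values (documentation address ranges).
$extra = json_encode(['allowed_ips' => ['198.51.100.7', '203.0.113.0/24', '2001:db8::/32']]);
foreach (['198.51.100.7', '203.0.113.200', '2001:db8:0:1::5', '192.0.2.9'] as $ip) {
    printf("%-16s %s\n", $ip, tokenAllowedFromIp(true, $extra, $ip) ? 'allow' : 'reject');
}
```

The address passed in should be the one the framework resolves after its trusted-proxy configuration, not a raw `X-Forwarded-For` value taken from the request. An IPv4-mapped IPv6 client address will not match an IPv4 rule in this sketch.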
