Kjarrigan said over 6 years ago on Restricting Access by IP Address :

We use something similiar to disable login for api-calls from within our company network. Looks something like this:

skip_before_action :authenticate_user!
before_action :verify_user
ALLOWED_IP_ADDRESS_RANGES = %w(127.0.0.0/24)
  
def verify_user
  allowed = ALLOWED_IP_ADDRESS_RANGES.find do |addr|
    range = IPAddr.new(addr)
    range.include? IPAddr.new(request.ip)
  end
  unless allowed
    render plain: "Unauthorized", status: Foo::STATE_IP_NOT_IN_RANGE
  end
end