Verify that source IP is valid for server requests

Currently, server authentication for updating the ladder and for
uploading replays is done by comparing the hash of the token provided
by the server to the hash on record. This commit adds a second layer
of authentication by also verifying that the request actually
originates from the Pokemon Showdown server in question.

For now, I have also maintained the server token check as a form of
two-factor authentication.
Cathy J. Fitzpatrick 2013-01-31 11:31:35 -07:00
parent e3be0b3ea3
commit 1208dee10f


@ -164,8 +164,9 @@ foreach ($reqs as $reqData) {
$server = @$PokemonServers[@$reqData['serverid']];
//var_export($users->getUserData($reqData['p1']));
if (!$server || $server['token'] !== md5($reqData['servertoken']))
{
if (!$server ||
($_SERVER['REMOTE_ADDR'] !== gethostbyname($server['server'])) ||
($server['token'] !== md5($reqData['servertoken']))) {
$out = 0;
break;
}
@ -187,8 +188,9 @@ foreach ($reqs as $reqData) {
$server = @$PokemonServers[@$reqData['serverid']];
//var_export($users->getUserData($reqData['p1']));
if (!$server || $server['token'] !== md5($reqData['servertoken']))
{
if (!$server ||
($_SERVER['REMOTE_ADDR'] !== gethostbyname($server['server'])) ||
($server['token'] !== md5($reqData['servertoken']))) {
$out = 0;
break;
}
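Review bot: The per-request `gethostbyname($server['server'])` in the new condition (same pattern in the second hunk at +188) resolves a single IPv4 A record, so a server that connects over IPv6 or from a multi-homed host will never match `$_SERVER['REMOTE_ADDR']`, and a deployment behind a reverse proxy compares against the proxy's address rather than the server's. Because `gethostbyname` returns the hostname unchanged when resolution fails, all of these cases fail closed into `$out = 0` with nothing distinguishing an address mismatch from a bad token, which will be hard to diagnose; logging the two failures separately would help. The DNS answer itself is unauthenticated, so this check is only the second factor the description calls it; resolving once at configuration time, or storing the expected addresses next to the token in `$PokemonServers`, would remove a blocking lookup from every request and make the accepted addresses explicit. Putting the cheap token comparison first, `if (!$server || $server['token'] !== md5($reqData['servertoken']) || $_SERVER['REMOTE_ADDR'] !== gethostbyname($server['server'])) {`, would also avoid a DNS round-trip for requests that already fail on the token. The enclosing foreach body starts and ends outside both hunks.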