feat: get client ip from header set in checkHeaders array (#39)

This array should be updated with allowed headers based on peoples needs. However, be careful.
HemmeligOrg · Oct 2, 2021 · fef33f1 · fef33f1
1 parent 28dd3fd
commit fef33f1
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 2 deletions.
diff --git a/config/default.js b/config/default.js
@@ -15,10 +15,12 @@ const {
     SECRET_DO_SPACES_BUCKET = 'hemmelig',
     SECRET_DO_SPACES_FOLDER = 'localhost.hemmelig.app',
     SECRET_MAX_TEXT_SIZE = 256, // 256 kb
+    NODE_ENV = 'development',
 } = process.env;
 
 module.exports = {
     localHostname: SECRET_LOCAL_HOSTNAME,
+    env: NODE_ENV,
     host: SECRET_HOST,
     port: SECRET_PORT,
     secret_key: SECRET_MASTER_KEY,

diff --git a/src/server/decorators/allowed-ip.js b/src/server/decorators/allowed-ip.js
@@ -1,6 +1,7 @@
 // do-connecting-ip
 const fp = require('fastify-plugin');
 const { getSecretKey } = require('../services/redis');
+const getClientIp = require('../helpers/client-ip');
 
 module.exports = fp(async (fastify) => {
     fastify.decorate('allowedIp', async (request, reply) => {
@@ -12,7 +13,7 @@ module.exports = fp(async (fastify) => {
         // Currently, hemmelig.app only have rate limiting available for non self-hosted version.
         // However, future wise it might be doable to add a setting for what header to check for an ip
         // For local testing, use this:  const ip = headers.host;
-        const ip = 'do-connecting-ip' in headers ? headers['do-connecting-ip'] : '';
+        const ip = getClientIp(headers);
 
         if (ip && allowedIp && ip !== allowedIp) {
             reply.code(403).send({ error: 'Invalid IP address' });

diff --git a/src/server/decorators/rate-limit.js b/src/server/decorators/rate-limit.js
@@ -1,6 +1,7 @@
 // do-connecting-ip
 const fp = require('fastify-plugin');
 const { createRateLimit } = require('../services/redis');
+const getClientIp = require('../helpers/client-ip');
 
 /*
  *
@@ -18,7 +19,7 @@ module.exports = fp(async (fastify) => {
         // Currently, hemmelig.app only have rate limiting available for non self-hosted version.
         // However, future wise it might be doable to add a setting for what header to check for an ip
         // For local testing, use this:  const ip = headers.host;
-        const ip = 'do-connecting-ip' in headers ? headers['do-connecting-ip'] : '';
+        const ip = getClientIp(headers);
 
         if (ip) {
             const shouldRateLimit = await createRateLimit(ip);

diff --git a/src/server/helpers/client-ip.js b/src/server/helpers/client-ip.js
@@ -0,0 +1,16 @@
+const config = require('config');
+
+module.exports = function getClientIp(headers) {
+    // Iterate through a list of headers allowed to fetch the ip from
+    const checkHeaders = [
+        'do-connecting-ip', // digital ocean app platform
+        'x-forwarded-for',
+    ];
+
+    if (config.get('env') === 'development') {
+        checkHeaders.push('host');
+    }
+
+    // return the first existing header
+    return checkHeaders.find((header) => header in headers);
+};