refactor: improve IP resolution logic and enhance unit tests

tacxou · tacxou · commit 88cb486d1199 · 2026-05-13T13:47:58.000+02:00
- Adjusted the order of headers in the IP resolution function to prioritize 'x-forwarded-for' over 'x-real-ip'.
- Updated unit tests to clarify expected behavior when handling IP headers, ensuring accurate fallback logic.
- Added a new test case to verify that 'x-forwarded-for' is correctly returned when present, improving test coverage.
diff --git a/apps/api/src/_common/functions/resolve-client-ip.ts b/apps/api/src/_common/functions/resolve-client-ip.ts
@@ -53,7 +53,7 @@ function tcpPeerIp(req: Request): string | null {
  */
 export function resolveClientIp(req: Request): string | null {
   const peerIp = tcpPeerIp(req);
-  const orderedHeaders = ['cf-connecting-ip', 'true-client-ip', 'x-real-ip', 'x-forwarded-for'] as const;
+  const orderedHeaders = ['cf-connecting-ip', 'true-client-ip', 'x-forwarded-for', 'x-real-ip'] as const;
 
   for (const name of orderedHeaders) {
     const raw = headerString(req, name);
diff --git a/apps/api/tests/unit/_common/functions/resolve-client-ip.spec.ts b/apps/api/tests/unit/_common/functions/resolve-client-ip.spec.ts
@@ -27,14 +27,26 @@ describe('resolveClientIp', () => {
     expect(resolveClientIp(req)).toBe('203.0.113.1');
   });
 
-  it('returns X-Real-IP before falling back to req.ip', () => {
+  it('returns X-Real-IP when X-Forwarded-For is absent before falling back to req.ip', () => {
     const req = makeReq({
       headers: { 'x-real-ip': '192.0.2.50' },
       ip: '10.0.0.3',
     });
     expect(resolveClientIp(req)).toBe('192.0.2.50');
   });
 
+  it('returns X-Forwarded-For before X-Real-IP from the last proxy', () => {
+    const req = makeReq({
+      headers: {
+        'x-forwarded-for': '203.0.113.10, 172.18.0.2',
+        'x-real-ip': '172.18.0.2',
+      },
+      ip: '172.18.0.2',
+      socket: { remoteAddress: '172.18.0.2' } as any,
+    });
+    expect(resolveClientIp(req)).toBe('203.0.113.10');
+  });
+
   it('strips IPv4-mapped IPv6 prefix', () => {
     const req = makeReq({
       headers: { 'x-real-ip': '::ffff:192.0.2.1' },
diff --git a/apps/web/nuxt.config.ts b/apps/web/nuxt.config.ts
@@ -245,9 +245,6 @@ export default defineNuxtConfig({
       websocket: false,
     },
     routeRules: {
-      '/api/**': {
-        proxy: `${SESAME_APP_API_URL}/**`,
-      },
       '/api/core/backends/sse': {
         proxy: `${SESAME_APP_API_URL}/core/backends/sse`,
         // Disable compression and caching for SSE
@@ -257,6 +254,9 @@ export default defineNuxtConfig({
           'X-Accel-Buffering': 'no', // Disable buffering in nginx
         },
       },
+      '/api/**': {
+        proxy: `${SESAME_APP_API_URL}/**`,
+      },
     },
   },
   experimental: {
diff --git a/apps/web/src/pages/identities/outdated.vue b/apps/web/src/pages/identities/outdated.vue
@@ -1,6 +1,6 @@
 <template lang="pug">
 q-page.grid.q-pa-sm
-  q-card.col.full-height.flex.column.outdated-card(style="min-height: inherit" flat bordered)
+  q-card.col.full-height.flex.column.outdated-card(flat bordered)
     q-bar.bg-transparent.border-bottom
       q-toolbar-title Identités avec invitation périmées
     .row.items-center.no-wrap.q-px-sm.q-py-xs
diff --git a/apps/web/src/server/middleware/forward-client-ip.ts b/apps/web/src/server/middleware/forward-client-ip.ts
@@ -0,0 +1,41 @@
+import { defineEventHandler, getRequestHeader } from 'h3'
+
+function normalizeRemoteAddress(value: string | undefined): string | null {
+  if (!value) {
+    return null
+  }
+
+  const normalized = value.trim()
+  if (!normalized) {
+    return null
+  }
+
+  return normalized.startsWith('::ffff:') ? normalized.slice(7) : normalized
+}
+
+function appendForwardedFor(currentValue: string | undefined, remoteAddress: string): string {
+  if (!currentValue?.trim()) {
+    return remoteAddress
+  }
+
+  return `${currentValue}, ${remoteAddress}`
+}
+
+export default defineEventHandler((event) => {
+  const url = event.node.req.url || ''
+  if (!url.startsWith('/api/')) {
+    return
+  }
+
+  const remoteAddress = normalizeRemoteAddress(event.node.req.socket.remoteAddress)
+  if (!remoteAddress) {
+    return
+  }
+
+  const currentForwardedFor = getRequestHeader(event, 'x-forwarded-for')
+  event.node.req.headers['x-forwarded-for'] = appendForwardedFor(currentForwardedFor, remoteAddress)
+
+  if (!getRequestHeader(event, 'x-real-ip')) {
+    event.node.req.headers['x-real-ip'] = currentForwardedFor?.split(',')[0]?.trim() || remoteAddress
+  }
+})
