upagge/noteshare.space
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: 🐛 event logging: fix proxy IP being logged instead of client IP

Browse Source
This commit is contained in:
Maxime Cannoodt 2022-08-09 12:13:07 +02:00
parent ff6b45771e
commit 0ba9d74a83
5 changed files with 18 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
server/.env.test
View File

@ -2,7 +2,7 @@ DATABASE_URL="file:./test.sqlite"
FRONTEND_URL=https://example.com FRONTEND_URL=https://example.com
POST_LIMIT=50 POST_LIMIT=50
POST_LIMIT_WINDOW_SECONDS=0.1 POST_LIMIT_WINDOW_SECONDS=0.25
GET_LIMIT=20 GET_LIMIT=20
GET_LIMIT_WINDOW_SECONDS=0.1 GET_LIMIT_WINDOW_SECONDS=0.1
LOG_LEVEL=warn LOG_LEVEL=warn

4
server/src/app.integration.test.ts
View File

@ -152,7 +152,7 @@ describe("POST /api/note", () => {
it("Applies rate limits to endpoint", async () => { it("Applies rate limits to endpoint", async () => {
// make more requests than the post limit set in .env.test // make more requests than the post limit set in .env.test
const requests = []; const requests = [];
for (let i = 0; i < 52; i++) { for (let i = 0; i < 51; i++) {
requests.push(request(app).post("/api/note").send(testNote)); requests.push(request(app).post("/api/note").send(testNote));
} }
const responses = await Promise.all(requests); const responses = await Promise.all(requests);
@ -162,7 +162,7 @@ describe("POST /api/note", () => {
expect(responseCodes).toContain(429); expect(responseCodes).toContain(429);
// sleep for 100 ms to allow rate limiter to reset // sleep for 100 ms to allow rate limiter to reset
await new Promise((resolve) => setTimeout(resolve, 100)); await new Promise((resolve) => setTimeout(resolve, 250));
}); });
}); });

10
server/src/app.ts
View File

@ -1,7 +1,7 @@
import "dotenv/config"; import "dotenv/config";
import express, { Express, Request, Response } from "express"; import express, { Express, Request, Response } from "express";
import { EncryptedNote } from "@prisma/client"; import { EncryptedNote } from "@prisma/client";
import { addDays } from "./util"; import { addDays, getConnectingIp } from "./util";
import helmet from "helmet"; import helmet from "helmet";
import rateLimit from "express-rate-limit"; import rateLimit from "express-rate-limit";
import pinoHttp from "pino-http"; import pinoHttp from "pino-http";
@ -52,8 +52,7 @@ app.use(bodyParser.json({ limit: "400k" }));
// Get encrypted note // Get encrypted note
app.get("/api/note/:id", getLimiter, (req: Request, res: Response, next) => { app.get("/api/note/:id", getLimiter, (req: Request, res: Response, next) => {
const ip = (req.headers["x-forwarded-for"] || const ip = getConnectingIp(req);
req.socket.remoteAddress) as string;
prisma.encryptedNote prisma.encryptedNote
.findUnique({ .findUnique({
where: { id: req.params.id }, where: { id: req.params.id },
@ -90,8 +89,8 @@ app.get("/api/note/:id", getLimiter, (req: Request, res: Response, next) => {
// Post new encrypted note // Post new encrypted note
app.post("/api/note/", postLimiter, (req: Request, res: Response, next) => { app.post("/api/note/", postLimiter, (req: Request, res: Response, next) => {
const ip = (req.headers["x-forwarded-for"] || const ip = getConnectingIp(req);
req.socket.remoteAddress) as string;
const notePostRequest = new NotePostRequest(); const notePostRequest = new NotePostRequest();
Object.assign(notePostRequest, req.body); Object.assign(notePostRequest, req.body);
validateOrReject(notePostRequest).catch((err) => { validateOrReject(notePostRequest).catch((err) => {
@ -132,7 +131,6 @@ app.post("/api/note/", postLimiter, (req: Request, res: Response, next) => {
// Clean up expired notes periodically // Clean up expired notes periodically
export async function cleanExpiredNotes(): Promise<number> { export async function cleanExpiredNotes(): Promise<number> {
logger.info("[Cleanup] Cleaning up expired notes..."); logger.info("[Cleanup] Cleaning up expired notes...");
const toDelete = await prisma.encryptedNote.findMany({ const toDelete = await prisma.encryptedNote.findMany({
where: { where: {
expire_time: { expire_time: {

8
server/src/util.ts
View File

@ -1,5 +1,13 @@
import { Request } from "express";
export function addDays(date: Date, days: number): Date { export function addDays(date: Date, days: number): Date {
var result = new Date(date); var result = new Date(date);
result.setDate(result.getDate() + days); result.setDate(result.getDate() + days);
return result; return result;
} }
export function getConnectingIp(req: Request): string {
return (req.headers["cf-connecting-ip"] ||
req.headers["X-Forwarded-For"] ||
req.socket.remoteAddress) as string;
}

4
webapp/src/routes/note/[id].ts
View File

@ -2,7 +2,9 @@ import type { EncryptedNote } from '$lib/model/EncryptedNote';
import type { RequestHandler } from '@sveltejs/kit'; import type { RequestHandler } from '@sveltejs/kit';
export const get: RequestHandler = async ({ request, clientAddress, params }) => { export const get: RequestHandler = async ({ request, clientAddress, params }) => {
const ip = (request.headers.get('x-forwarded-for') || clientAddress) as string; const ip = (request.headers.get('cd-connecting-ip') ||
request.headers.get('x-forwarded-for') ||
clientAddress) as string;
const url = `${import.meta.env.VITE_SERVER_INTERNAL}/api/note/${params.id}`; const url = `${import.meta.env.VITE_SERVER_INTERNAL}/api/note/${params.id}`;
const response = await fetch(url, { const response = await fetch(url, {
headers: { headers: {