From ff6b45771e040f57057ac9cb81a5f8f2403b58db Mon Sep 17 00:00:00 2001
From: Maxime Cannoodt
Date: Tue, 9 Aug 2022 00:09:02 +0200
Subject: [PATCH] fix: :bug: log correct client host behind reverse proxy
---
 server/src/app.ts | 14 +++++++++-----
 webapp/src/routes/note/[id].ts | 9 +++++++--
 2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/server/src/app.ts b/server/src/app.ts
index 114978f..378ebe2 100644
--- a/server/src/app.ts
+++ b/server/src/app.ts
@@ -52,6 +52,8 @@ app.use(bodyParser.json({ limit: "400k" }));
 // Get encrypted note
 app.get("/api/note/:id", getLimiter, (req: Request, res: Response, next) => {
+ const ip = (req.headers["x-forwarded-for"] ||
+ req.socket.remoteAddress) as string;
 prisma.encryptedNote
 .findUnique({
 where: { id: req.params.id },
@@ -60,7 +62,7 @@ app.get("/api/note/:id", getLimiter, (req: Request, res: Response, next) => {
 if (note != null) {
 await EventLogger.readEvent({
 success: true,
- host: req.hostname,
+ host: ip,
 note_id: note.id,
 size_bytes: note.ciphertext.length + note.hmac.length,
 });
@@ -68,7 +70,7 @@ app.get("/api/note/:id", getLimiter, (req: Request, res: Response, next) => {
 } else {
 await EventLogger.readEvent({
 success: false,
- host: req.hostname,
+ host: ip,
 note_id: req.params.id,
 error: "Note not found",
 });
@@ -78,7 +80,7 @@ app.get("/api/note/:id", getLimiter, (req: Request, res: Response, next) => {
 .catch(async (err) => {
 await EventLogger.readEvent({
 success: false,
- host: req.hostname,
+ host: ip,
 note_id: req.params.id,
 error: err.message,
 });
@@ -88,6 +90,8 @@ app.get("/api/note/:id", getLimiter, (req: Request, res: Response, next) => {
 // Post new encrypted note
 app.post("/api/note/", postLimiter, (req: Request, res: Response, next) => {
+ const ip = (req.headers["x-forwarded-for"] ||
+ req.socket.remoteAddress) as string;
 const notePostRequest = new NotePostRequest();
 Object.assign(notePostRequest, req.body);
 validateOrReject(notePostRequest).catch((err) => {
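Review bot: The `ip` added at the top of the GET handler prefers the raw `x-forwarded-for` request header over the socket address, so any client that can reach this server chooses the value written to the event log. The same two lines are added to the POST handler, and every `host: ip` in the later hunks of this file inherits the problem. The header may also carry a comma-separated chain of addresses, and the `as string` cast hides the case where both sources are undefined. Declaring the proxy once with `app.set("trust proxy", 1)` (hop count matching the deployment) and using `const ip = req.ip;` in both handlers lets Express pick the address appended by the trusted hop. If `getLimiter` and `postLimiter` key on `req.ip` (their definitions are outside these hunks), the same setting would also keep them from counting all traffic as the proxy's address.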
@@ -105,7 +109,7 @@ app.post("/api/note/", postLimiter, (req: Request, res: Response, next) => {
 .then(async (savedNote) => {
 await EventLogger.writeEvent({
 success: true,
- host: req.hostname,
+ host: ip,
 note_id: savedNote.id,
 size_bytes: savedNote.ciphertext.length + savedNote.hmac.length,
 expire_window_days: EXPIRE_WINDOW_DAYS,
@@ -118,7 +122,7 @@ app.post("/api/note/", postLimiter, (req: Request, res: Response, next) => {
 .catch(async (err) => {
 await EventLogger.writeEvent({
 success: false,
- host: req.hostname,
+ host: ip,
 error: err.message,
 });
 next(err);
diff --git a/webapp/src/routes/note/[id].ts b/webapp/src/routes/note/[id].ts
index f6a0643..87c7afc 100644
--- a/webapp/src/routes/note/[id].ts
+++ b/webapp/src/routes/note/[id].ts
@@ -1,9 +1,14 @@
 import type { EncryptedNote } from '$lib/model/EncryptedNote';
 import type { RequestHandler } from '@sveltejs/kit';
-export const get: RequestHandler = async ({ params }) => {
+export const get: RequestHandler = async ({ request, clientAddress, params }) => {
+ const ip = (request.headers.get('x-forwarded-for') || clientAddress) as string;
 const url = `${import.meta.env.VITE_SERVER_INTERNAL}/api/note/${params.id}`;
- const response = await fetch(url);
+ const response = await fetch(url, {
+ headers: {
+ 'x-forwarded-for': ip
+ }
+ });
 if (response.ok) {
 try {
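Review bot: In `webapp/src/routes/note/[id].ts` the `get` handler relays a caller-supplied `x-forwarded-for` to the internal API in preference to `clientAddress`, so a value set by the requester reaches the backend as if a trusted hop had written it. Unless a proxy in front of the SvelteKit server is known to overwrite that header, forward only the address the framework resolved, `const ip = clientAddress;`, which also removes the need for the `as string` cast. If such a proxy exists, it is presumably better to configure how `clientAddress` is derived in the adapter than to read the header in the route. The handler body continues past the end of the hunk.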