issues/88: create middleware that adds the real client IP address (#187)

What: - Create middleware that adds the real client IP address Note that this is on a best effort basis. Finding the true client IP address is a precarious process[1] Why: - Fixes: #88 Ref: 1. https://adam-p.ca/blog/2022/03/x-forwarded-for/
komuw · Dec 11, 2022 · 2bd9f43 · 2bd9f43
1 parent c9fdb51
commit 2bd9f43
Show file tree

Hide file tree

Showing 24 changed files with 1,056 additions and 125 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,11 @@
 Most recent version is listed first.  
 
 
+## v0.0.26
+- Create middleware that adds the "real" client IP address: https://github.com/komuw/ong/pull/187        
+  Note that this is on a best effort basis.       
+  Finding the true client IP address is a precarious process [1](https://adam-p.ca/blog/2022/03/x-forwarded-for/)      
+
 ## v0.0.25
 - ong/client: Use roundTripper for logging: https://github.com/komuw/ong/pull/185
 - Make most middleware private: https://github.com/komuw/ong/pull/186

diff --git a/README.md b/README.md
@@ -13,8 +13,8 @@ It's name is derived from Tanzanian artiste, [Remmy Ongala](https://en.wikipedia
 Taken mainly from the talk; `How I Write HTTP Web Services after Eight Years`[1][2] by Mat Ryer.    
 
 
-You really should not be using this code/library. The Go `net/http` package is more than enough.    
-If you need some extra bits, may I suggest the awesome [github.com/gorilla](https://github.com/gorilla) web toolkit.    
+You really should not use this library/toolkit.    
+Instead, use the Go `net/http` package; and if you need some extra bits, may I suggest the awesome [github.com/gorilla](https://github.com/gorilla) web toolkit.    
 
 
 This library is made just for me, it might be unsafe & it does not generally accept code contributions.       

diff --git a/cookie/cookie.go b/cookie/cookie.go
@@ -4,14 +4,14 @@ package cookie
 import (
 	"errors"
 	"fmt"
-	"net"
 	"net/http"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/komuw/ong/cry"
+	"github.com/komuw/ong/internal/clientip"
 )
 
 const (
@@ -118,17 +118,15 @@ func SetEncrypted(
 		enc = cry.New(secretKey)
 	})
 
-	ip, _, err := net.SplitHostPort(r.RemoteAddr)
-	if err != nil {
-		return
-	}
-
+	ip := clientip.Get(
+		// Note: client IP can be spoofed easily and this could lead to issues with their cookies.
+		r,
+	)
 	expires := strconv.Itoa(
 		int(
 			time.Now().UTC().Add(mAge).Unix(),
 		),
 	)
-
 	combined := ip + expires + value
 	encryptedEncodedVal := fmt.Sprintf(
 		"%d%s%d%s%s",
@@ -191,11 +189,10 @@ func GetEncrypted(
 	{
 		// Try and prevent replay attacks.
 		// This does not completely stop them, but it is better than nothing.
-		incomingIP, _, errS := net.SplitHostPort(r.RemoteAddr)
-		if errS != nil {
-			return nil, errS
-		}
-
+		incomingIP := clientip.Get(
+			// Note: client IP can be spoofed easily and this could lead to issues with their cookies.
+			r,
+		)
 		if ip != incomingIP {
 			return nil, errors.New("ong/cookie: mismatched IP addresses")
 		}

diff --git a/example/main.go b/example/main.go
@@ -29,7 +29,7 @@ func main() {
 	l := log.New(os.Stdout, 1000)
 	mux := mux.New(
 		l,
-		middleware.WithOpts("localhost", 65081, secretKey, l),
+		middleware.WithOpts("localhost", 65081, secretKey, middleware.DirectIpStrategy, l),
 		nil,
 		mux.NewRoute(
 			"/api",

diff --git a/internal/README.md b/internal/README.md
@@ -0,0 +1,4 @@
+The packages in this directory:         
+ - are the ones that may be needed by multiple packages in `ong`.             
+   eg, the `github.com/komuw/ong/internal/clientip` package is need by both `github.com/komuw/ong/middleware` & `github.com/komuw/ong/cookie`.     
+   So, we cannot create `clientip` inside `ong/middleware` since `ong/cookie` cannot import `ong/middleware`(middleware already imports cookie.)