Merge pull request #28 from MaddyGuthridge/maddy-cloudflare-requests

Add support for CF-Incoming-IP header

Author: MaddyGuthridge

src/lib/server/auth/setup.ts

@@ -54,6 +54,7 @@ export async function authSetup(
     loginBannedIps: {},
     bannedIps: [],
     bannedUserAgents: [],
+    allowCloudflareIp: false,
     keyPath: null,
     version,
   };

src/lib/server/data/localConfig.ts

@@ -67,6 +67,12 @@ export const ConfigLocalJsonStruct = object({
    * be blocked.
    */
   bannedIps: array(string()),
+  /**
+   * Whether to allow determining incoming IP addresses using Cloudflare's
+   * `CF-Connecting-IP` header. Only enable if running behind a Cloudflare
+   * tunnel, otherwise the client's IP address can be faked.
+   */
+  allowCloudflareIp: boolean(),
   /**
    * Array of regular expressions matching user-agent strings which should be
    * blocked.

src/lib/server/data/migrations/index.ts

@@ -5,6 +5,7 @@ import migrateToV020 from './v0.2.0';
 import migrateToV030 from './v0.3.0';
 import migrateToV040 from './v0.4.0';
 import migrateToV060 from './v0.6.0';
+import migrateToV061 from './v0.6.1';
 import semver from 'semver';
 
 
@@ -22,8 +23,9 @@ const migrations: Record<string, MigrationFunction> = {
   // function
   '~0.4.0': migrateToV060,
   '~0.5.0': migrateToV060,
+  '0.6.0': migrateToV061,
   // Pre-empt future releases
-  '~0.6.0': updateConfigVersions,
+  '~0.6.1': updateConfigVersions,
 };
 
 /** Perform a migration from the given version */

src/lib/server/data/migrations/v0.6.1.ts

@@ -0,0 +1,13 @@
+/**
+ * Migration to v0.6.1
+ */
+
+import { setLocalConfig } from '../localConfig';
+import { unsafeLoadLocalConfig } from './unsafeLoad';
+
+
+export default async function migrate(dataDir: string, privateDataDir: string) {
+  const config = await unsafeLoadLocalConfig(privateDataDir) as any;
+  config.allowCloudflareIp = false;
+  await setLocalConfig(config);
+}

src/lib/server/request.ts

@@ -0,0 +1,21 @@
+/**
+ * Code for managing more complex aspects of requests.
+ */
+
+import type { RequestEvent } from '@sveltejs/kit';
+import { authIsSetUp } from './data/dataDir';
+import { getLocalConfig } from './data/localConfig';
+
+/** Returns the IP address of the client that sent the request */
+export async function getIpFromRequest(event: RequestEvent): Promise<string> {
+  if (!await authIsSetUp()) {
+    return event.getClientAddress();
+  }
+  const config = await getLocalConfig();
+  const realIp = event.getClientAddress();
+  if (config.allowCloudflareIp) {
+    return event.request.headers.get('CF-Connecting-IP') ?? realIp;
+  } else {
+    return realIp;
+  }
+}

src/middleware/bans.ts

@@ -1,5 +1,6 @@
 import { authIsSetUp } from '$lib/server/data/dataDir';
 import { getLocalConfig } from '$lib/server/data/localConfig';
+import { getIpFromRequest } from '$lib/server/request';
 import { error, type Handle } from '@sveltejs/kit';
 
 const banMiddleware: Handle = async (req) => {
@@ -12,7 +13,7 @@ const banMiddleware: Handle = async (req) => {
     return req.resolve(req.event);
   }
   const config = await getLocalConfig();
-  const ip = req.event.getClientAddress();
+  const ip = await getIpFromRequest(req.event);
   if (config.bannedIps.includes(ip)) {
     error(403, 'This IP address is banned');
   }

src/routes/api/admin/auth/login/+server.ts

@@ -2,13 +2,16 @@ import { isIpBanned, notifyFailedLogin } from '$lib/server/auth/fail2ban.js';
 import { validateCredentials } from '$lib/server/auth/passwords';
 import { generateToken } from '$lib/server/auth/tokens';
 import { authIsSetUp } from '$lib/server/data/dataDir.js';
+import { getIpFromRequest } from '$lib/server/request.js';
 import { error, json } from '@sveltejs/kit';
 
 
 export async function POST(req: import('./$types.js').RequestEvent) {
   if (!await authIsSetUp()) error(400, 'Auth is not set up yet');
 
-  if (await isIpBanned(req.getClientAddress())) {
+  const ip = await getIpFromRequest(req);
+
+  if (await isIpBanned(ip)) {
     error(403, 'IP address is banned');
   }
 
@@ -18,7 +21,7 @@ export async function POST(req: import('./$types.js').RequestEvent) {
   try {
     uid = await validateCredentials(username, password);
   } catch (e) {
-    await notifyFailedLogin(req.getClientAddress());
+    await notifyFailedLogin(ip);
     throw e;
   }