Store client IP address in request context

2018-09-09 15:15:14 -07:00 · 2018-09-09 15:15:14 -07:00 · c9f9dd3262
commit c9f9dd3262
parent c1e1506720
9 changed files with 46 additions and 19 deletions
--- a/daemon/routes.go
+++ b/daemon/routes.go
@ -33,6 +33,7 @@ func routes(cfg *config.Config, store *storage.Storage, feedHandler *feed.Handle
 		router = router.PathPrefix(cfg.BasePath()).Subrouter()
 	}

+	router.Use(middleware.ClientIP)
 	router.Use(middleware.HeaderConfig)
 	router.Use(middleware.Logging)
 	router.Use(middleware.CommonHeaders)
--- a/http/request/context.go
+++ b/http/request/context.go
@ -24,6 +24,7 @@ const (
 	FlashMessageContextKey
 	FlashErrorMessageContextKey
 	PocketRequestTokenContextKey
+	ClientIPContextKey
 )

 // IsAdminUser checks if the logged user is administrator.
@ -103,6 +104,11 @@ func PocketRequestToken(r *http.Request) string {
 	return getContextStringValue(r, PocketRequestTokenContextKey)
 }

+// ClientIP returns the client IP address stored in the context.
+func ClientIP(r *http.Request) string {
+	return getContextStringValue(r, ClientIPContextKey)
+}
+
 func getContextStringValue(r *http.Request, key ContextKey) string {
 	if v := r.Context().Value(key); v != nil {
 		return v.(string)
--- a/http/request/request.go
+++ b/http/request/request.go
@ -100,8 +100,8 @@ func HasQueryParam(r *http.Request, param string) bool {
 	return ok
 }

-// RealIP returns client's real IP address.
-func RealIP(r *http.Request) string {
+// FindClientIP returns client's real IP address.
+func FindClientIP(r *http.Request) string {
 	headers := []string{"X-Forwarded-For", "X-Real-Ip"}
 	for _, header := range headers {
 		value := r.Header.Get(header)
--- a/http/request/request_test.go
+++ b/http/request/request_test.go
@ -11,12 +11,12 @@ import (

 func TestRealIPWithoutHeaders(t *testing.T) {
 	r := &http.Request{RemoteAddr: "192.168.0.1:4242"}
-	if ip := RealIP(r); ip != "192.168.0.1" {
+	if ip := FindClientIP(r); ip != "192.168.0.1" {
 		t.Fatalf(`Unexpected result, got: %q`, ip)
 	}

 	r = &http.Request{RemoteAddr: "192.168.0.1"}
-	if ip := RealIP(r); ip != "192.168.0.1" {
+	if ip := FindClientIP(r); ip != "192.168.0.1" {
 		t.Fatalf(`Unexpected result, got: %q`, ip)
 	}
 }
@ -27,7 +27,7 @@ func TestRealIPWithXFFHeader(t *testing.T) {
 	headers.Set("X-Forwarded-For", "203.0.113.195, 70.41.3.18, 150.172.238.178")
 	r := &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}

-	if ip := RealIP(r); ip != "203.0.113.195" {
+	if ip := FindClientIP(r); ip != "203.0.113.195" {
 		t.Fatalf(`Unexpected result, got: %q`, ip)
 	}

@ -36,7 +36,7 @@ func TestRealIPWithXFFHeader(t *testing.T) {
 	headers.Set("X-Forwarded-For", "2001:db8:85a3:8d3:1319:8a2e:370:7348")
 	r = &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}

-	if ip := RealIP(r); ip != "2001:db8:85a3:8d3:1319:8a2e:370:7348" {
+	if ip := FindClientIP(r); ip != "2001:db8:85a3:8d3:1319:8a2e:370:7348" {
 		t.Fatalf(`Unexpected result, got: %q`, ip)
 	}

@ -45,7 +45,7 @@ func TestRealIPWithXFFHeader(t *testing.T) {
 	headers.Set("X-Forwarded-For", "70.41.3.18")
 	r = &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}

-	if ip := RealIP(r); ip != "70.41.3.18" {
+	if ip := FindClientIP(r); ip != "70.41.3.18" {
 		t.Fatalf(`Unexpected result, got: %q`, ip)
 	}

@ -54,7 +54,7 @@ func TestRealIPWithXFFHeader(t *testing.T) {
 	headers.Set("X-Forwarded-For", "fake IP")
 	r = &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}

-	if ip := RealIP(r); ip != "192.168.0.1" {
+	if ip := FindClientIP(r); ip != "192.168.0.1" {
 		t.Fatalf(`Unexpected result, got: %q`, ip)
 	}
 }
@ -64,7 +64,7 @@ func TestRealIPWithXRealIPHeader(t *testing.T) {
 	headers.Set("X-Real-Ip", "192.168.122.1")
 	r := &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}

-	if ip := RealIP(r); ip != "192.168.122.1" {
+	if ip := FindClientIP(r); ip != "192.168.122.1" {
 		t.Fatalf(`Unexpected result, got: %q`, ip)
 	}
 }
@ -76,7 +76,7 @@ func TestRealIPWithBothHeaders(t *testing.T) {

 	r := &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}

-	if ip := RealIP(r); ip != "203.0.113.195" {
+	if ip := FindClientIP(r); ip != "203.0.113.195" {
 		t.Fatalf(`Unexpected result, got: %q`, ip)
 	}
 }
--- a/middleware/basic_auth.go
+++ b/middleware/basic_auth.go
@ -18,8 +18,7 @@ func (m *Middleware) BasicAuth(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)

-		remoteAddr := request.RealIP(r)
-
+		clientIP := request.ClientIP(r)
 		username, password, authOK := r.BasicAuth()
 		if !authOK {
 			logger.Debug("[Middleware:BasicAuth] No authentication headers sent")
@ -28,7 +27,7 @@ func (m *Middleware) BasicAuth(next http.Handler) http.Handler {
 		}

 		if err := m.store.CheckPassword(username, password); err != nil {
-			logger.Error("[Middleware:BasicAuth] [Remote=%v] Invalid username or password: %s", remoteAddr, username)
+			logger.Error("[Middleware:BasicAuth] [ClientIP=%s] Invalid username or password: %s", clientIP, username)
 			json.Unauthorized(w)
 			return
 		}
@ -41,7 +40,7 @@ func (m *Middleware) BasicAuth(next http.Handler) http.Handler {
 		}

 		if user == nil {
-			logger.Error("[Middleware:BasicAuth] [Remote=%v] User not found: %s", remoteAddr, username)
+			logger.Error("[Middleware:BasicAuth] [ClientIP=%s] User not found: %s", clientIP, username)
 			json.Unauthorized(w)
 			return
 		}
--- a/middleware/client_ip.go
+++ b/middleware/client_ip.go
@ -0,0 +1,21 @@
+// Copyright 2018 Frédéric Guillot. All rights reserved.
+// Use of this source code is governed by the Apache 2.0
+// license that can be found in the LICENSE file.
+
+package middleware // import "miniflux.app/middleware"
+
+import (
+	"context"
+	"net/http"
+
+	"miniflux.app/http/request"
+)
+
+// ClientIP stores in the real client IP address in the context.
+func (m *Middleware) ClientIP(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+		ctx = context.WithValue(ctx, request.ClientIPContextKey, request.FindClientIP(r))
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
--- a/middleware/logging.go
+++ b/middleware/logging.go
@ -14,7 +14,7 @@ import (
 // Logging logs the HTTP request.
 func (m *Middleware) Logging(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		logger.Debug("[HTTP] %s %s %s", request.RealIP(r), r.Method, r.RequestURI)
+		logger.Debug("[HTTP] %s %s %s", request.ClientIP(r), r.Method, r.RequestURI)
 		next.ServeHTTP(w, r)
 	})
 }
--- a/ui/login_check.go
+++ b/ui/login_check.go
@ -16,7 +16,7 @@ import (

 // CheckLogin validates the username/password and redirects the user to the unread page.
 func (c *Controller) CheckLogin(w http.ResponseWriter, r *http.Request) {
-	remoteAddr := request.RealIP(r)
+	clientIP := request.ClientIP(r)
 	sess := session.New(c.store, request.SessionID(r))
 	authForm := form.NewAuthForm(r)

@ -31,12 +31,12 @@ func (c *Controller) CheckLogin(w http.ResponseWriter, r *http.Request) {
 	}

 	if err := c.store.CheckPassword(authForm.Username, authForm.Password); err != nil {
-		logger.Error("[Controller:CheckLogin] [Remote=%v] %v", remoteAddr, err)
+		logger.Error("[Controller:CheckLogin] [ClientIP=%s] %v", clientIP, err)
 		html.OK(w, r, view.Render("login"))
 		return
 	}

-	sessionToken, userID, err := c.store.CreateUserSession(authForm.Username, r.UserAgent(), remoteAddr)
+	sessionToken, userID, err := c.store.CreateUserSession(authForm.Username, r.UserAgent(), clientIP)
 	if err != nil {
 		html.ServerError(w, err)
 		return
--- a/ui/oauth2_callback.go
+++ b/ui/oauth2_callback.go
@ -103,7 +103,7 @@ func (c *Controller) OAuth2Callback(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	sessionToken, _, err := c.store.CreateUserSession(user.Username, r.UserAgent(), request.RealIP(r))
+	sessionToken, _, err := c.store.CreateUserSession(user.Username, r.UserAgent(), request.ClientIP(r))
 	if err != nil {
 		html.ServerError(w, err)
 		return