Store client IP address in request context

This commit is contained in:
Frédéric Guillot 2018-09-09 15:15:14 -07:00
parent c1e1506720
commit c9f9dd3262
9 changed files with 46 additions and 19 deletions

View file

@ -33,6 +33,7 @@ func routes(cfg *config.Config, store *storage.Storage, feedHandler *feed.Handle
router = router.PathPrefix(cfg.BasePath()).Subrouter()
}
router.Use(middleware.ClientIP)
router.Use(middleware.HeaderConfig)
router.Use(middleware.Logging)
router.Use(middleware.CommonHeaders)

View file

@ -24,6 +24,7 @@ const (
FlashMessageContextKey
FlashErrorMessageContextKey
PocketRequestTokenContextKey
ClientIPContextKey
)
// IsAdminUser checks if the logged user is administrator.
@ -103,6 +104,11 @@ func PocketRequestToken(r *http.Request) string {
return getContextStringValue(r, PocketRequestTokenContextKey)
}
// ClientIP returns the client IP address stored in the context.
func ClientIP(r *http.Request) string {
return getContextStringValue(r, ClientIPContextKey)
}
func getContextStringValue(r *http.Request, key ContextKey) string {
if v := r.Context().Value(key); v != nil {
return v.(string)

View file

@ -100,8 +100,8 @@ func HasQueryParam(r *http.Request, param string) bool {
return ok
}
// RealIP returns client's real IP address.
func RealIP(r *http.Request) string {
// FindClientIP returns client's real IP address.
func FindClientIP(r *http.Request) string {
headers := []string{"X-Forwarded-For", "X-Real-Ip"}
for _, header := range headers {
value := r.Header.Get(header)

View file

@ -11,12 +11,12 @@ import (
func TestRealIPWithoutHeaders(t *testing.T) {
r := &http.Request{RemoteAddr: "192.168.0.1:4242"}
if ip := RealIP(r); ip != "192.168.0.1" {
if ip := FindClientIP(r); ip != "192.168.0.1" {
t.Fatalf(`Unexpected result, got: %q`, ip)
}
r = &http.Request{RemoteAddr: "192.168.0.1"}
if ip := RealIP(r); ip != "192.168.0.1" {
if ip := FindClientIP(r); ip != "192.168.0.1" {
t.Fatalf(`Unexpected result, got: %q`, ip)
}
}
@ -27,7 +27,7 @@ func TestRealIPWithXFFHeader(t *testing.T) {
headers.Set("X-Forwarded-For", "203.0.113.195, 70.41.3.18, 150.172.238.178")
r := &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}
if ip := RealIP(r); ip != "203.0.113.195" {
if ip := FindClientIP(r); ip != "203.0.113.195" {
t.Fatalf(`Unexpected result, got: %q`, ip)
}
@ -36,7 +36,7 @@ func TestRealIPWithXFFHeader(t *testing.T) {
headers.Set("X-Forwarded-For", "2001:db8:85a3:8d3:1319:8a2e:370:7348")
r = &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}
if ip := RealIP(r); ip != "2001:db8:85a3:8d3:1319:8a2e:370:7348" {
if ip := FindClientIP(r); ip != "2001:db8:85a3:8d3:1319:8a2e:370:7348" {
t.Fatalf(`Unexpected result, got: %q`, ip)
}
@ -45,7 +45,7 @@ func TestRealIPWithXFFHeader(t *testing.T) {
headers.Set("X-Forwarded-For", "70.41.3.18")
r = &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}
if ip := RealIP(r); ip != "70.41.3.18" {
if ip := FindClientIP(r); ip != "70.41.3.18" {
t.Fatalf(`Unexpected result, got: %q`, ip)
}
@ -54,7 +54,7 @@ func TestRealIPWithXFFHeader(t *testing.T) {
headers.Set("X-Forwarded-For", "fake IP")
r = &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}
if ip := RealIP(r); ip != "192.168.0.1" {
if ip := FindClientIP(r); ip != "192.168.0.1" {
t.Fatalf(`Unexpected result, got: %q`, ip)
}
}
@ -64,7 +64,7 @@ func TestRealIPWithXRealIPHeader(t *testing.T) {
headers.Set("X-Real-Ip", "192.168.122.1")
r := &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}
if ip := RealIP(r); ip != "192.168.122.1" {
if ip := FindClientIP(r); ip != "192.168.122.1" {
t.Fatalf(`Unexpected result, got: %q`, ip)
}
}
@ -76,7 +76,7 @@ func TestRealIPWithBothHeaders(t *testing.T) {
r := &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}
if ip := RealIP(r); ip != "203.0.113.195" {
if ip := FindClientIP(r); ip != "203.0.113.195" {
t.Fatalf(`Unexpected result, got: %q`, ip)
}
}

View file

@ -18,8 +18,7 @@ func (m *Middleware) BasicAuth(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
remoteAddr := request.RealIP(r)
clientIP := request.ClientIP(r)
username, password, authOK := r.BasicAuth()
if !authOK {
logger.Debug("[Middleware:BasicAuth] No authentication headers sent")
@ -28,7 +27,7 @@ func (m *Middleware) BasicAuth(next http.Handler) http.Handler {
}
if err := m.store.CheckPassword(username, password); err != nil {
logger.Error("[Middleware:BasicAuth] [Remote=%v] Invalid username or password: %s", remoteAddr, username)
logger.Error("[Middleware:BasicAuth] [ClientIP=%s] Invalid username or password: %s", clientIP, username)
json.Unauthorized(w)
return
}
@ -41,7 +40,7 @@ func (m *Middleware) BasicAuth(next http.Handler) http.Handler {
}
if user == nil {
logger.Error("[Middleware:BasicAuth] [Remote=%v] User not found: %s", remoteAddr, username)
logger.Error("[Middleware:BasicAuth] [ClientIP=%s] User not found: %s", clientIP, username)
json.Unauthorized(w)
return
}

21
middleware/client_ip.go Normal file
View file

@ -0,0 +1,21 @@
// Copyright 2018 Frédéric Guillot. All rights reserved.
// Use of this source code is governed by the Apache 2.0
// license that can be found in the LICENSE file.
package middleware // import "miniflux.app/middleware"
import (
"context"
"net/http"
"miniflux.app/http/request"
)
// ClientIP stores in the real client IP address in the context.
func (m *Middleware) ClientIP(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
ctx = context.WithValue(ctx, request.ClientIPContextKey, request.FindClientIP(r))
next.ServeHTTP(w, r.WithContext(ctx))
})
}

View file

@ -14,7 +14,7 @@ import (
// Logging logs the HTTP request.
func (m *Middleware) Logging(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
logger.Debug("[HTTP] %s %s %s", request.RealIP(r), r.Method, r.RequestURI)
logger.Debug("[HTTP] %s %s %s", request.ClientIP(r), r.Method, r.RequestURI)
next.ServeHTTP(w, r)
})
}

View file

@ -16,7 +16,7 @@ import (
// CheckLogin validates the username/password and redirects the user to the unread page.
func (c *Controller) CheckLogin(w http.ResponseWriter, r *http.Request) {
remoteAddr := request.RealIP(r)
clientIP := request.ClientIP(r)
sess := session.New(c.store, request.SessionID(r))
authForm := form.NewAuthForm(r)
@ -31,12 +31,12 @@ func (c *Controller) CheckLogin(w http.ResponseWriter, r *http.Request) {
}
if err := c.store.CheckPassword(authForm.Username, authForm.Password); err != nil {
logger.Error("[Controller:CheckLogin] [Remote=%v] %v", remoteAddr, err)
logger.Error("[Controller:CheckLogin] [ClientIP=%s] %v", clientIP, err)
html.OK(w, r, view.Render("login"))
return
}
sessionToken, userID, err := c.store.CreateUserSession(authForm.Username, r.UserAgent(), remoteAddr)
sessionToken, userID, err := c.store.CreateUserSession(authForm.Username, r.UserAgent(), clientIP)
if err != nil {
html.ServerError(w, err)
return

View file

@ -103,7 +103,7 @@ func (c *Controller) OAuth2Callback(w http.ResponseWriter, r *http.Request) {
}
}
sessionToken, _, err := c.store.CreateUserSession(user.Username, r.UserAgent(), request.RealIP(r))
sessionToken, _, err := c.store.CreateUserSession(user.Username, r.UserAgent(), request.ClientIP(r))
if err != nil {
html.ServerError(w, err)
return