From c9f9dd3262b9f8437981f92fac100e508e3c3bcd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?= Date: Sun, 9 Sep 2018 15:15:14 -0700 Subject: [PATCH] Store client IP address in request context --- daemon/routes.go | 1 + http/request/context.go | 6 ++++++ http/request/request.go | 4 ++-- http/request/request_test.go | 16 ++++++++-------- middleware/basic_auth.go | 7 +++---- middleware/client_ip.go | 21 +++++++++++++++++++++ middleware/logging.go | 2 +- ui/login_check.go | 6 +++--- ui/oauth2_callback.go | 2 +- 9 files changed, 46 insertions(+), 19 deletions(-) create mode 100644 middleware/client_ip.go diff --git a/daemon/routes.go b/daemon/routes.go index b0a6464d..891207e7 100644 --- a/daemon/routes.go +++ b/daemon/routes.go @@ -33,6 +33,7 @@ func routes(cfg *config.Config, store *storage.Storage, feedHandler *feed.Handle router = router.PathPrefix(cfg.BasePath()).Subrouter() } + router.Use(middleware.ClientIP) router.Use(middleware.HeaderConfig) router.Use(middleware.Logging) router.Use(middleware.CommonHeaders) diff --git a/http/request/context.go b/http/request/context.go index 78014e41..b77365de 100644 --- a/http/request/context.go +++ b/http/request/context.go @@ -24,6 +24,7 @@ const ( FlashMessageContextKey FlashErrorMessageContextKey PocketRequestTokenContextKey + ClientIPContextKey ) // IsAdminUser checks if the logged user is administrator. @@ -103,6 +104,11 @@ func PocketRequestToken(r *http.Request) string { return getContextStringValue(r, PocketRequestTokenContextKey) } +// ClientIP returns the client IP address stored in the context. +func ClientIP(r *http.Request) string { + return getContextStringValue(r, ClientIPContextKey) +} + func getContextStringValue(r *http.Request, key ContextKey) string { if v := r.Context().Value(key); v != nil { return v.(string) diff --git a/http/request/request.go b/http/request/request.go index 802b1d01..d27137bc 100644 --- a/http/request/request.go +++ b/http/request/request.go @@ -100,8 +100,8 @@ func HasQueryParam(r *http.Request, param string) bool { return ok } -// RealIP returns client's real IP address. -func RealIP(r *http.Request) string { +// FindClientIP returns client's real IP address. +func FindClientIP(r *http.Request) string { headers := []string{"X-Forwarded-For", "X-Real-Ip"} for _, header := range headers { value := r.Header.Get(header) diff --git a/http/request/request_test.go b/http/request/request_test.go index fa2c4b14..946b1328 100644 --- a/http/request/request_test.go +++ b/http/request/request_test.go @@ -11,12 +11,12 @@ import ( func TestRealIPWithoutHeaders(t *testing.T) { r := &http.Request{RemoteAddr: "192.168.0.1:4242"} - if ip := RealIP(r); ip != "192.168.0.1" { + if ip := FindClientIP(r); ip != "192.168.0.1" { t.Fatalf(`Unexpected result, got: %q`, ip) } r = &http.Request{RemoteAddr: "192.168.0.1"} - if ip := RealIP(r); ip != "192.168.0.1" { + if ip := FindClientIP(r); ip != "192.168.0.1" { t.Fatalf(`Unexpected result, got: %q`, ip) } } @@ -27,7 +27,7 @@ func TestRealIPWithXFFHeader(t *testing.T) { headers.Set("X-Forwarded-For", "203.0.113.195, 70.41.3.18, 150.172.238.178") r := &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers} - if ip := RealIP(r); ip != "203.0.113.195" { + if ip := FindClientIP(r); ip != "203.0.113.195" { t.Fatalf(`Unexpected result, got: %q`, ip) } @@ -36,7 +36,7 @@ func TestRealIPWithXFFHeader(t *testing.T) { headers.Set("X-Forwarded-For", "2001:db8:85a3:8d3:1319:8a2e:370:7348") r = &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers} - if ip := RealIP(r); ip != "2001:db8:85a3:8d3:1319:8a2e:370:7348" { + if ip := FindClientIP(r); ip != "2001:db8:85a3:8d3:1319:8a2e:370:7348" { t.Fatalf(`Unexpected result, got: %q`, ip) } @@ -45,7 +45,7 @@ func TestRealIPWithXFFHeader(t *testing.T) { headers.Set("X-Forwarded-For", "70.41.3.18") r = &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers} - if ip := RealIP(r); ip != "70.41.3.18" { + if ip := FindClientIP(r); ip != "70.41.3.18" { t.Fatalf(`Unexpected result, got: %q`, ip) } @@ -54,7 +54,7 @@ func TestRealIPWithXFFHeader(t *testing.T) { headers.Set("X-Forwarded-For", "fake IP") r = &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers} - if ip := RealIP(r); ip != "192.168.0.1" { + if ip := FindClientIP(r); ip != "192.168.0.1" { t.Fatalf(`Unexpected result, got: %q`, ip) } } @@ -64,7 +64,7 @@ func TestRealIPWithXRealIPHeader(t *testing.T) { headers.Set("X-Real-Ip", "192.168.122.1") r := &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers} - if ip := RealIP(r); ip != "192.168.122.1" { + if ip := FindClientIP(r); ip != "192.168.122.1" { t.Fatalf(`Unexpected result, got: %q`, ip) } } @@ -76,7 +76,7 @@ func TestRealIPWithBothHeaders(t *testing.T) { r := &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers} - if ip := RealIP(r); ip != "203.0.113.195" { + if ip := FindClientIP(r); ip != "203.0.113.195" { t.Fatalf(`Unexpected result, got: %q`, ip) } } diff --git a/middleware/basic_auth.go b/middleware/basic_auth.go index bd8402ad..5a7204c8 100644 --- a/middleware/basic_auth.go +++ b/middleware/basic_auth.go @@ -18,8 +18,7 @@ func (m *Middleware) BasicAuth(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`) - remoteAddr := request.RealIP(r) - + clientIP := request.ClientIP(r) username, password, authOK := r.BasicAuth() if !authOK { logger.Debug("[Middleware:BasicAuth] No authentication headers sent") @@ -28,7 +27,7 @@ func (m *Middleware) BasicAuth(next http.Handler) http.Handler { } if err := m.store.CheckPassword(username, password); err != nil { - logger.Error("[Middleware:BasicAuth] [Remote=%v] Invalid username or password: %s", remoteAddr, username) + logger.Error("[Middleware:BasicAuth] [ClientIP=%s] Invalid username or password: %s", clientIP, username) json.Unauthorized(w) return } @@ -41,7 +40,7 @@ func (m *Middleware) BasicAuth(next http.Handler) http.Handler { } if user == nil { - logger.Error("[Middleware:BasicAuth] [Remote=%v] User not found: %s", remoteAddr, username) + logger.Error("[Middleware:BasicAuth] [ClientIP=%s] User not found: %s", clientIP, username) json.Unauthorized(w) return } diff --git a/middleware/client_ip.go b/middleware/client_ip.go new file mode 100644 index 00000000..853fcc96 --- /dev/null +++ b/middleware/client_ip.go @@ -0,0 +1,21 @@ +// Copyright 2018 Frédéric Guillot. All rights reserved. +// Use of this source code is governed by the Apache 2.0 +// license that can be found in the LICENSE file. + +package middleware // import "miniflux.app/middleware" + +import ( + "context" + "net/http" + + "miniflux.app/http/request" +) + +// ClientIP stores in the real client IP address in the context. +func (m *Middleware) ClientIP(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + ctx := r.Context() + ctx = context.WithValue(ctx, request.ClientIPContextKey, request.FindClientIP(r)) + next.ServeHTTP(w, r.WithContext(ctx)) + }) +} diff --git a/middleware/logging.go b/middleware/logging.go index 2e78ea8e..fdf1ce3f 100644 --- a/middleware/logging.go +++ b/middleware/logging.go @@ -14,7 +14,7 @@ import ( // Logging logs the HTTP request. func (m *Middleware) Logging(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - logger.Debug("[HTTP] %s %s %s", request.RealIP(r), r.Method, r.RequestURI) + logger.Debug("[HTTP] %s %s %s", request.ClientIP(r), r.Method, r.RequestURI) next.ServeHTTP(w, r) }) } diff --git a/ui/login_check.go b/ui/login_check.go index 95c5908d..2c5398ae 100644 --- a/ui/login_check.go +++ b/ui/login_check.go @@ -16,7 +16,7 @@ import ( // CheckLogin validates the username/password and redirects the user to the unread page. func (c *Controller) CheckLogin(w http.ResponseWriter, r *http.Request) { - remoteAddr := request.RealIP(r) + clientIP := request.ClientIP(r) sess := session.New(c.store, request.SessionID(r)) authForm := form.NewAuthForm(r) @@ -31,12 +31,12 @@ func (c *Controller) CheckLogin(w http.ResponseWriter, r *http.Request) { } if err := c.store.CheckPassword(authForm.Username, authForm.Password); err != nil { - logger.Error("[Controller:CheckLogin] [Remote=%v] %v", remoteAddr, err) + logger.Error("[Controller:CheckLogin] [ClientIP=%s] %v", clientIP, err) html.OK(w, r, view.Render("login")) return } - sessionToken, userID, err := c.store.CreateUserSession(authForm.Username, r.UserAgent(), remoteAddr) + sessionToken, userID, err := c.store.CreateUserSession(authForm.Username, r.UserAgent(), clientIP) if err != nil { html.ServerError(w, err) return diff --git a/ui/oauth2_callback.go b/ui/oauth2_callback.go index b1bb9332..00112b0b 100644 --- a/ui/oauth2_callback.go +++ b/ui/oauth2_callback.go @@ -103,7 +103,7 @@ func (c *Controller) OAuth2Callback(w http.ResponseWriter, r *http.Request) { } } - sessionToken, _, err := c.store.CreateUserSession(user.Username, r.UserAgent(), request.RealIP(r)) + sessionToken, _, err := c.store.CreateUserSession(user.Username, r.UserAgent(), request.ClientIP(r)) if err != nil { html.ServerError(w, err) return