feat: improved reference client ip through _APP_TRUSTED_HEADERS

2026-05-26 13:51:13 +00:00 · 2025-12-12 08:42:49 +01:00
parent cd8e93db60
commit 90fb5b6321
4 changed files with 47 additions and 0 deletions
@@ -125,3 +125,4 @@ _APP_WEBHOOK_MAX_FAILED_ATTEMPTS=10
 _APP_PROJECT_REGIONS=default
 _APP_FUNCTIONS_CREATION_ABUSE_LIMIT=5000
 _APP_STATS_USAGE_DUAL_WRITING_DBS=database_db_main
+_APP_TRUSTED_HEADERS=
@@ -357,6 +357,15 @@ return [
                'required' => false,
                'question' => '',
                'filter' => ''
+            ],
+            [
+                'name' => '_APP_TRUSTED_HEADERS',
+                'description' => 'This option allows you to set the list of trusted headers, the value is a comma‑separated list of HTTP header names, evaluated left-to-right for the first valid IP. Header names are treated case-insensitively.',
+                'introduction' => '1.8.0',
+                'default' => 'x-forwarded-for',
+                'required' => false,
+                'question' => '',
+                'filter' => ''
            ]
        ],
    ],
@@ -9,9 +9,12 @@ use Swoole\Http\Request as SwooleRequest;
 use Utopia\Database\Validator\Authorization;
 use Utopia\Route;
 use Utopia\Swoole\Request as UtopiaRequest;
+use Utopia\System\System;

 class Request extends UtopiaRequest
 {
+    protected array $trustedIpHeaders = explode(",", System::getEnv('_APP_TRUSTED_HEADERS') ?? 'x-forwarded-for');
+
    /**
     * @var array<Filter>
     */
@@ -326,4 +326,38 @@ trait AccountBase

        $this->assertEquals($response['headers']['status-code'], 204);
    }
+
+    public function testTrustedIpViaHeaders(): void
+    {
+        $email = uniqid() . 'user@localhost.test';
+        $password = 'password';
+        $name = 'User Name';
+
+        $response = $this->client->call(Client::METHOD_POST, '/account', array_merge([
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+            'x-forwarded-for' => '203.0.113.195',
+        ]), [
+            'userId' => ID::unique(),
+            'email' => $email,
+            'password' => $password,
+            'name' => $name,
+        ]);
+
+        $this->assertEquals($response['headers']['status-code'], 201);
+
+        $response = $this->client->call(Client::METHOD_POST, '/account/sessions/email', array_merge([
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+            'x-forwarded-for' => '203.0.113.195',
+        ]), [
+            'email' => $email,
+            'password' => $password,
+        ]);
+
+        $this->assertEquals($response['headers']['status-code'], 201);
+        $this->assertEquals('203.0.113.195', $response['body']['clientIp'] ?? $response['body']['ip'] ?? '');
+    }
 }