getClientIP respect trustProxy setting
This commit is contained in:
		
							parent
							
								
									a07f54f35b
								
							
						
					
					
						commit
						a3b1612938
					
				
					 2 changed files with 36 additions and 21 deletions
				
			
		|  | @ -254,7 +254,9 @@ let needSetup = false; | ||||||
|         // ***************************
 |         // ***************************
 | ||||||
| 
 | 
 | ||||||
|         socket.on("loginByToken", async (token, callback) => { |         socket.on("loginByToken", async (token, callback) => { | ||||||
|             log.info("auth", `Login by token. IP=${getClientIp(socket)}`); |             const clientIP = await server.getClientIP(socket); | ||||||
|  | 
 | ||||||
|  |             log.info("auth", `Login by token. IP=${clientIP}`); | ||||||
| 
 | 
 | ||||||
|             try { |             try { | ||||||
|                 let decoded = jwt.verify(token, jwtSecret); |                 let decoded = jwt.verify(token, jwtSecret); | ||||||
|  | @ -270,14 +272,14 @@ let needSetup = false; | ||||||
|                     afterLogin(socket, user); |                     afterLogin(socket, user); | ||||||
|                     log.debug("auth", "afterLogin ok"); |                     log.debug("auth", "afterLogin ok"); | ||||||
| 
 | 
 | ||||||
|                     log.info("auth", `Successfully logged in user ${decoded.username}. IP=${getClientIp(socket)}`); |                     log.info("auth", `Successfully logged in user ${decoded.username}. IP=${clientIP}`); | ||||||
| 
 | 
 | ||||||
|                     callback({ |                     callback({ | ||||||
|                         ok: true, |                         ok: true, | ||||||
|                     }); |                     }); | ||||||
|                 } else { |                 } else { | ||||||
| 
 | 
 | ||||||
|                     log.info("auth", `Inactive or deleted user ${decoded.username}. IP=${getClientIp(socket)}`); |                     log.info("auth", `Inactive or deleted user ${decoded.username}. IP=${clientIP}`); | ||||||
| 
 | 
 | ||||||
|                     callback({ |                     callback({ | ||||||
|                         ok: false, |                         ok: false, | ||||||
|  | @ -286,7 +288,7 @@ let needSetup = false; | ||||||
|                 } |                 } | ||||||
|             } catch (error) { |             } catch (error) { | ||||||
| 
 | 
 | ||||||
|                 log.error("auth", `Invalid token. IP=${getClientIp(socket)}`); |                 log.error("auth", `Invalid token. IP=${clientIP}`); | ||||||
| 
 | 
 | ||||||
|                 callback({ |                 callback({ | ||||||
|                     ok: false, |                     ok: false, | ||||||
|  | @ -297,7 +299,9 @@ let needSetup = false; | ||||||
|         }); |         }); | ||||||
| 
 | 
 | ||||||
|         socket.on("login", async (data, callback) => { |         socket.on("login", async (data, callback) => { | ||||||
|             log.info("auth", `Login by username + password. IP=${getClientIp(socket)}`); |             const clientIP = await server.getClientIP(socket); | ||||||
|  | 
 | ||||||
|  |             log.info("auth", `Login by username + password. IP=${clientIP}`); | ||||||
| 
 | 
 | ||||||
|             // Checking
 |             // Checking
 | ||||||
|             if (typeof callback !== "function") { |             if (typeof callback !== "function") { | ||||||
|  | @ -310,7 +314,7 @@ let needSetup = false; | ||||||
| 
 | 
 | ||||||
|             // Login Rate Limit
 |             // Login Rate Limit
 | ||||||
|             if (! await loginRateLimiter.pass(callback)) { |             if (! await loginRateLimiter.pass(callback)) { | ||||||
|                 log.info("auth", `Too many failed requests for user ${data.username}. IP=${getClientIp(socket)}`); |                 log.info("auth", `Too many failed requests for user ${data.username}. IP=${clientIP}`); | ||||||
|                 return; |                 return; | ||||||
|             } |             } | ||||||
| 
 | 
 | ||||||
|  | @ -320,7 +324,7 @@ let needSetup = false; | ||||||
|                 if (user.twofa_status === 0) { |                 if (user.twofa_status === 0) { | ||||||
|                     afterLogin(socket, user); |                     afterLogin(socket, user); | ||||||
| 
 | 
 | ||||||
|                     log.info("auth", `Successfully logged in user ${data.username}. IP=${getClientIp(socket)}`); |                     log.info("auth", `Successfully logged in user ${data.username}. IP=${clientIP}`); | ||||||
| 
 | 
 | ||||||
|                     callback({ |                     callback({ | ||||||
|                         ok: true, |                         ok: true, | ||||||
|  | @ -332,7 +336,7 @@ let needSetup = false; | ||||||
| 
 | 
 | ||||||
|                 if (user.twofa_status === 1 && !data.token) { |                 if (user.twofa_status === 1 && !data.token) { | ||||||
| 
 | 
 | ||||||
|                     log.info("auth", `2FA token required for user ${data.username}. IP=${getClientIp(socket)}`); |                     log.info("auth", `2FA token required for user ${data.username}. IP=${clientIP}`); | ||||||
| 
 | 
 | ||||||
|                     callback({ |                     callback({ | ||||||
|                         tokenRequired: true, |                         tokenRequired: true, | ||||||
|  | @ -350,7 +354,7 @@ let needSetup = false; | ||||||
|                             socket.userID, |                             socket.userID, | ||||||
|                         ]); |                         ]); | ||||||
| 
 | 
 | ||||||
|                         log.info("auth", `Successfully logged in user ${data.username}. IP=${getClientIp(socket)}`); |                         log.info("auth", `Successfully logged in user ${data.username}. IP=${clientIP}`); | ||||||
| 
 | 
 | ||||||
|                         callback({ |                         callback({ | ||||||
|                             ok: true, |                             ok: true, | ||||||
|  | @ -360,7 +364,7 @@ let needSetup = false; | ||||||
|                         }); |                         }); | ||||||
|                     } else { |                     } else { | ||||||
| 
 | 
 | ||||||
|                         log.warn("auth", `Invalid token provided for user ${data.username}. IP=${getClientIp(socket)}`); |                         log.warn("auth", `Invalid token provided for user ${data.username}. IP=${clientIP}`); | ||||||
| 
 | 
 | ||||||
|                         callback({ |                         callback({ | ||||||
|                             ok: false, |                             ok: false, | ||||||
|  | @ -370,7 +374,7 @@ let needSetup = false; | ||||||
|                 } |                 } | ||||||
|             } else { |             } else { | ||||||
| 
 | 
 | ||||||
|                 log.warn("auth", `Incorrect username or password for user ${data.username}. IP=${getClientIp(socket)}`); |                 log.warn("auth", `Incorrect username or password for user ${data.username}. IP=${clientIP}`); | ||||||
| 
 | 
 | ||||||
|                 callback({ |                 callback({ | ||||||
|                     ok: false, |                     ok: false, | ||||||
|  | @ -442,6 +446,8 @@ let needSetup = false; | ||||||
|         }); |         }); | ||||||
| 
 | 
 | ||||||
|         socket.on("save2FA", async (currentPassword, callback) => { |         socket.on("save2FA", async (currentPassword, callback) => { | ||||||
|  |             const clientIP = await server.getClientIP(socket); | ||||||
|  | 
 | ||||||
|             try { |             try { | ||||||
|                 if (! await twoFaRateLimiter.pass(callback)) { |                 if (! await twoFaRateLimiter.pass(callback)) { | ||||||
|                     return; |                     return; | ||||||
|  | @ -454,7 +460,7 @@ let needSetup = false; | ||||||
|                     socket.userID, |                     socket.userID, | ||||||
|                 ]); |                 ]); | ||||||
| 
 | 
 | ||||||
|                 log.info("auth", `Saved 2FA token. IP=${getClientIp(socket)}`); |                 log.info("auth", `Saved 2FA token. IP=${clientIP}`); | ||||||
| 
 | 
 | ||||||
|                 callback({ |                 callback({ | ||||||
|                     ok: true, |                     ok: true, | ||||||
|  | @ -462,7 +468,7 @@ let needSetup = false; | ||||||
|                 }); |                 }); | ||||||
|             } catch (error) { |             } catch (error) { | ||||||
| 
 | 
 | ||||||
|                 log.error("auth", `Error changing 2FA token. IP=${getClientIp(socket)}`); |                 log.error("auth", `Error changing 2FA token. IP=${clientIP}`); | ||||||
| 
 | 
 | ||||||
|                 callback({ |                 callback({ | ||||||
|                     ok: false, |                     ok: false, | ||||||
|  | @ -472,6 +478,8 @@ let needSetup = false; | ||||||
|         }); |         }); | ||||||
| 
 | 
 | ||||||
|         socket.on("disable2FA", async (currentPassword, callback) => { |         socket.on("disable2FA", async (currentPassword, callback) => { | ||||||
|  |             const clientIP = await server.getClientIP(socket); | ||||||
|  | 
 | ||||||
|             try { |             try { | ||||||
|                 if (! await twoFaRateLimiter.pass(callback)) { |                 if (! await twoFaRateLimiter.pass(callback)) { | ||||||
|                     return; |                     return; | ||||||
|  | @ -481,7 +489,7 @@ let needSetup = false; | ||||||
|                 await doubleCheckPassword(socket, currentPassword); |                 await doubleCheckPassword(socket, currentPassword); | ||||||
|                 await TwoFA.disable2FA(socket.userID); |                 await TwoFA.disable2FA(socket.userID); | ||||||
| 
 | 
 | ||||||
|                 log.info("auth", `Disabled 2FA token. IP=${getClientIp(socket)}`); |                 log.info("auth", `Disabled 2FA token. IP=${clientIP}`); | ||||||
| 
 | 
 | ||||||
|                 callback({ |                 callback({ | ||||||
|                     ok: true, |                     ok: true, | ||||||
|  | @ -489,7 +497,7 @@ let needSetup = false; | ||||||
|                 }); |                 }); | ||||||
|             } catch (error) { |             } catch (error) { | ||||||
| 
 | 
 | ||||||
|                 log.error("auth", `Error disabling 2FA token. IP=${getClientIp(socket)}`); |                 log.error("auth", `Error disabling 2FA token. IP=${clientIP}`); | ||||||
| 
 | 
 | ||||||
|                 callback({ |                 callback({ | ||||||
|                     ok: false, |                     ok: false, | ||||||
|  | @ -1684,12 +1692,6 @@ async function shutdownFunction(signal) { | ||||||
|     await cloudflaredStop(); |     await cloudflaredStop(); | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| function getClientIp(socket) { |  | ||||||
|     return socket.client.conn.request.headers["x-forwarded-for"] |  | ||||||
|             || socket.client.conn.request.headers["x-real-ip"] |  | ||||||
|             || socket.client.conn.remoteAddress.replace(/^.*:/, ""); |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| /** Final function called before application exits */ | /** Final function called before application exits */ | ||||||
| function finalFunction() { | function finalFunction() { | ||||||
|     log.info("server", "Graceful shutdown successful!"); |     log.info("server", "Graceful shutdown successful!"); | ||||||
|  |  | ||||||
|  | @ -8,6 +8,7 @@ const { log } = require("../src/util"); | ||||||
| const Database = require("./database"); | const Database = require("./database"); | ||||||
| const util = require("util"); | const util = require("util"); | ||||||
| const { CacheableDnsHttpAgent } = require("./cacheable-dns-http-agent"); | const { CacheableDnsHttpAgent } = require("./cacheable-dns-http-agent"); | ||||||
|  | const { setting } = require("./util-server"); | ||||||
| 
 | 
 | ||||||
| /** | /** | ||||||
|  * `module.exports` (alias: `server`) should be inside this class, in order to avoid circular dependency issue. |  * `module.exports` (alias: `server`) should be inside this class, in order to avoid circular dependency issue. | ||||||
|  | @ -128,6 +129,18 @@ class UptimeKumaServer { | ||||||
| 
 | 
 | ||||||
|         errorLogStream.end(); |         errorLogStream.end(); | ||||||
|     } |     } | ||||||
|  | 
 | ||||||
|  |     async getClientIP(socket) { | ||||||
|  |         const clientIP = socket.client.conn.remoteAddress.replace(/^.*:/, ""); | ||||||
|  | 
 | ||||||
|  |         if (await setting("trustProxy")) { | ||||||
|  |             return socket.client.conn.request.headers["x-forwarded-for"] | ||||||
|  |                 || socket.client.conn.request.headers["x-real-ip"] | ||||||
|  |                 || clientIP; | ||||||
|  |         } else { | ||||||
|  |             return clientIP; | ||||||
|  |         } | ||||||
|  |     } | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| module.exports = { | module.exports = { | ||||||
|  |  | ||||||
		Loading…
	
		Reference in a new issue