more security improvements

2025-10-07 13:54:29 -04:00
parent 329becfb08
commit ffb721a12c
2 changed files with 31 additions and 11 deletions
--- a/server/api/auth/login.post.ts
+++ b/server/api/auth/login.post.ts
@@ -3,14 +3,24 @@ import { setAuthCookie, generateSessionToken } from '~/server/utils/auth'
 import bcrypt from 'bcrypt'

 export default defineEventHandler(async (event) => {
-  // Get client IP for rate limiting
-  const clientIp = getRequestIP(event) || 'unknown'
+  // Get real client IP from proxy headers (prioritize x-real-ip for NPM)
+  const xRealIp = getHeader(event, 'x-real-ip')
+  const xForwardedFor = getHeader(event, 'x-forwarded-for')
+  const cfConnectingIp = getHeader(event, 'cf-connecting-ip')
  
-  // Log IP for verification (helps ensure correct public IP is captured)
+  // Use x-real-ip first (set by NPM), then x-forwarded-for, then cf-connecting-ip, then fallback
+  const clientIp = xRealIp || 
+                   (xForwardedFor ? xForwardedFor.split(',')[0].trim() : null) ||
+                   cfConnectingIp ||
+                   getRequestIP(event) || 
+                   'unknown'
+  
+  // Log IP for verification
  console.log(`[LOGIN ATTEMPT] IP: ${clientIp}, Headers:`, {
-    'x-forwarded-for': getHeader(event, 'x-forwarded-for'),
-    'x-real-ip': getHeader(event, 'x-real-ip'),
-    'cf-connecting-ip': getHeader(event, 'cf-connecting-ip')
+    'x-forwarded-for': xForwardedFor,
+    'x-real-ip': xRealIp,
+    'cf-connecting-ip': cfConnectingIp,
+    'getRequestIP': getRequestIP(event)
  })
  
  // Check rate limit: 5 attempts per 15 minutes
--- a/server/api/auth/register.post.ts
+++ b/server/api/auth/register.post.ts
@@ -2,14 +2,24 @@ import { createUser, getUserByUsername, getUserByEmail, checkRateLimit, createSe
 import { setAuthCookie, generateSessionToken } from '~/server/utils/auth'

 export default defineEventHandler(async (event) => {
-  // Get client IP for rate limiting
-  const clientIp = getRequestIP(event) || 'unknown'
+  // Get real client IP from proxy headers (prioritize x-real-ip for NPM)
+  const xRealIp = getHeader(event, 'x-real-ip')
+  const xForwardedFor = getHeader(event, 'x-forwarded-for')
+  const cfConnectingIp = getHeader(event, 'cf-connecting-ip')
+  
+  // Use x-real-ip first (set by NPM), then x-forwarded-for, then cf-connecting-ip, then fallback
+  const clientIp = xRealIp || 
+                   (xForwardedFor ? xForwardedFor.split(',')[0].trim() : null) ||
+                   cfConnectingIp ||
+                   getRequestIP(event) || 
+                   'unknown'
  
  // Log IP for verification
  console.log(`[REGISTER ATTEMPT] IP: ${clientIp}, Headers:`, {
-    'x-forwarded-for': getHeader(event, 'x-forwarded-for'),
-    'x-real-ip': getHeader(event, 'x-real-ip'),
-    'cf-connecting-ip': getHeader(event, 'cf-connecting-ip')
+    'x-forwarded-for': xForwardedFor,
+    'x-real-ip': xRealIp,
+    'cf-connecting-ip': cfConnectingIp,
+    'getRequestIP': getRequestIP(event)
  })
  
  // Check rate limit: 3 attempts per hour