From ffb721a12cbb11146d278e638ba1c0199a854c45 Mon Sep 17 00:00:00 2001
From: Joshua Ryder
Date: Tue, 7 Oct 2025 13:54:29 -0400
Subject: [PATCH] more security improvements

---
 server/api/auth/login.post.ts    | 22 ++++++++++++++++------
 server/api/auth/register.post.ts | 20 +++++++++++++++-----
 2 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/server/api/auth/login.post.ts b/server/api/auth/login.post.ts
index 608f96b..7ecda42 100644
--- a/server/api/auth/login.post.ts
+++ b/server/api/auth/login.post.ts
@@ -3,14 +3,24 @@ import { setAuthCookie, generateSessionToken } from '~/server/utils/auth'
 import bcrypt from 'bcrypt'
 
 export default defineEventHandler(async (event) => {
-  // Get client IP for rate limiting
-  const clientIp = getRequestIP(event) || 'unknown'
+  // Get real client IP from proxy headers (prioritize x-real-ip for NPM)
+  const xRealIp = getHeader(event, 'x-real-ip')
+  const xForwardedFor = getHeader(event, 'x-forwarded-for')
+  const cfConnectingIp = getHeader(event, 'cf-connecting-ip')
 
-  // Log IP for verification (helps ensure correct public IP is captured)
+  // Use x-real-ip first (set by NPM), then x-forwarded-for, then cf-connecting-ip, then fallback
+  const clientIp = xRealIp ||
+    (xForwardedFor ? xForwardedFor.split(',')[0].trim() : null) ||
+    cfConnectingIp ||
+    getRequestIP(event) ||
+    'unknown'
+
+  // Log IP for verification
   console.log(`[LOGIN ATTEMPT] IP: ${clientIp}, Headers:`, {
-    'x-forwarded-for': getHeader(event, 'x-forwarded-for'),
-    'x-real-ip': getHeader(event, 'x-real-ip'),
-    'cf-connecting-ip': getHeader(event, 'cf-connecting-ip')
+    'x-forwarded-for': xForwardedFor,
+    'x-real-ip': xRealIp,
+    'cf-connecting-ip': cfConnectingIp,
+    'getRequestIP': getRequestIP(event)
   })
 
   // Check rate limit: 5 attempts per 15 minutes
diff --git a/server/api/auth/register.post.ts b/server/api/auth/register.post.ts
index aed4e02..e32dcdc 100644
--- a/server/api/auth/register.post.ts
+++ b/server/api/auth/register.post.ts
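Review bot: The rate-limit key assembled from `x-real-ip`, `x-forwarded-for` and `cf-connecting-ip` (in the login.post.ts hunk, and again in the register.post.ts hunk below) accepts whichever header the request carries, so a caller that reaches the app without going through NPM, or through a proxy that appends rather than overwrites these headers, can pick its own bucket and the 5-per-15-minutes and 3-per-hour limits no longer bound a single client. Only the header the proxy is configured to set should be consulted, with the socket address as the sole fallback: `const clientIp = getHeader(event, 'x-real-ip') || getRequestIP(event) || 'unknown'`, accompanied by `// x-real-ip is trusted only because NPM overwrites it; never fall back to client-settable headers`. `xForwardedFor.split(',')[0]` has the same weakness, since the leftmost entry is the one the original client supplies; if that header must be used, the entry appended by the trusted proxy is the one to read. The shared `'unknown'` value also merges every request whose address cannot be determined into one bucket, and the per-attempt `console.log` of all candidate headers reads as debugging output that is worth trimming to the chosen value. The handler body continues past the end of both hunks.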
@@ -2,14 +2,24 @@ import { createUser, getUserByUsername, getUserByEmail, checkRateLimit, createSe
 import { setAuthCookie, generateSessionToken } from '~/server/utils/auth'
 
 export default defineEventHandler(async (event) => {
-  // Get client IP for rate limiting
-  const clientIp = getRequestIP(event) || 'unknown'
+  // Get real client IP from proxy headers (prioritize x-real-ip for NPM)
+  const xRealIp = getHeader(event, 'x-real-ip')
+  const xForwardedFor = getHeader(event, 'x-forwarded-for')
+  const cfConnectingIp = getHeader(event, 'cf-connecting-ip')
+
+  // Use x-real-ip first (set by NPM), then x-forwarded-for, then cf-connecting-ip, then fallback
+  const clientIp = xRealIp ||
+    (xForwardedFor ? xForwardedFor.split(',')[0].trim() : null) ||
+    cfConnectingIp ||
+    getRequestIP(event) ||
+    'unknown'
 
   // Log IP for verification
   console.log(`[REGISTER ATTEMPT] IP: ${clientIp}, Headers:`, {
-    'x-forwarded-for': getHeader(event, 'x-forwarded-for'),
-    'x-real-ip': getHeader(event, 'x-real-ip'),
-    'cf-connecting-ip': getHeader(event, 'cf-connecting-ip')
+    'x-forwarded-for': xForwardedFor,
+    'x-real-ip': xRealIp,
+    'cf-connecting-ip': cfConnectingIp,
+    'getRequestIP': getRequestIP(event)
   })
 
   // Check rate limit: 3 attempts per hour