Store client IP address in request context

author: Frédéric Guillot <fred@miniflux.net> 2018-09-09 15:15:14 -0700
committer: Frédéric Guillot <fred@miniflux.net> 2018-09-09 15:15:14 -0700
commit: c9f9dd3262b9f8437981f92fac100e508e3c3bcd (patch)
tree: 16a08ddab87276c6cad972311aa2cfb78843557e
parent: c1e1506720e3c8b4e8782da9ff73ce1c57ce71a5 (diff)
9 files changed, 46 insertions, 19 deletions
diff --git a/daemon/routes.go b/daemon/routes.go
index b0a6464..891207e 100644
--- a/daemon/routes.go
+++ b/daemon/routes.go
@@ -33,6 +33,7 @@ func routes(cfg *config.Config, store *storage.Storage, feedHandler *feed.Handle
 		router = router.PathPrefix(cfg.BasePath()).Subrouter()
 	}
 
+	router.Use(middleware.ClientIP)
 	router.Use(middleware.HeaderConfig)
 	router.Use(middleware.Logging)
 	router.Use(middleware.CommonHeaders)
diff --git a/http/request/context.go b/http/request/context.go
index 78014e4..b77365d 100644
--- a/http/request/context.go
+++ b/http/request/context.go
@@ -24,6 +24,7 @@ const (
 	FlashMessageContextKey
 	FlashErrorMessageContextKey
 	PocketRequestTokenContextKey
+	ClientIPContextKey
 )
 
 // IsAdminUser checks if the logged user is administrator.
@@ -103,6 +104,11 @@ func PocketRequestToken(r *http.Request) string {
 	return getContextStringValue(r, PocketRequestTokenContextKey)
 }
 
+// ClientIP returns the client IP address stored in the context.
+func ClientIP(r *http.Request) string {
+	return getContextStringValue(r, ClientIPContextKey)
+}
+
 func getContextStringValue(r *http.Request, key ContextKey) string {
 	if v := r.Context().Value(key); v != nil {
 		return v.(string)
diff --git a/http/request/request.go b/http/request/request.go
index 802b1d0..d27137b 100644
--- a/http/request/request.go
+++ b/http/request/request.go
@@ -100,8 +100,8 @@ func HasQueryParam(r *http.Request, param string) bool {
 	return ok
 }
 
-// RealIP returns client's real IP address.
-func RealIP(r *http.Request) string {
+// FindClientIP returns client's real IP address.
+func FindClientIP(r *http.Request) string {
 	headers := []string{"X-Forwarded-For", "X-Real-Ip"}
 	for _, header := range headers {
 		value := r.Header.Get(header)
diff --git a/http/request/request_test.go b/http/request/request_test.go
index fa2c4b1..946b132 100644
--- a/http/request/request_test.go
+++ b/http/request/request_test.go
@@ -11,12 +11,12 @@ import (
 
 func TestRealIPWithoutHeaders(t *testing.T) {
 	r := &http.Request{RemoteAddr: "192.168.0.1:4242"}
-	if ip := RealIP(r); ip != "192.168.0.1" {
+	if ip := FindClientIP(r); ip != "192.168.0.1" {
 		t.Fatalf(`Unexpected result, got: %q`, ip)
 	}
 
 	r = &http.Request{RemoteAddr: "192.168.0.1"}
-	if ip := RealIP(r); ip != "192.168.0.1" {
+	if ip := FindClientIP(r); ip != "192.168.0.1" {
 		t.Fatalf(`Unexpected result, got: %q`, ip)
 	}
 }
@@ -27,7 +27,7 @@ func TestRealIPWithXFFHeader(t *testing.T) {
 	headers.Set("X-Forwarded-For", "203.0.113.195, 70.41.3.18, 150.172.238.178")
 	r := &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}
 
-	if ip := RealIP(r); ip != "203.0.113.195" {
+	if ip := FindClientIP(r); ip != "203.0.113.195" {
 		t.Fatalf(`Unexpected result, got: %q`, ip)
 	}
 
@@ -36,7 +36,7 @@ func TestRealIPWithXFFHeader(t *testing.T) {
 	headers.Set("X-Forwarded-For", "2001:db8:85a3:8d3:1319:8a2e:370:7348")
 	r = &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}
 
-	if ip := RealIP(r); ip != "2001:db8:85a3:8d3:1319:8a2e:370:7348" {
+	if ip := FindClientIP(r); ip != "2001:db8:85a3:8d3:1319:8a2e:370:7348" {
 		t.Fatalf(`Unexpected result, got: %q`, ip)
 	}
 
@@ -45,7 +45,7 @@ func TestRealIPWithXFFHeader(t *testing.T) {
 	headers.Set("X-Forwarded-For", "70.41.3.18")
 	r = &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}
 
-	if ip := RealIP(r); ip != "70.41.3.18" {
+	if ip := FindClientIP(r); ip != "70.41.3.18" {
 		t.Fatalf(`Unexpected result, got: %q`, ip)
 	}
 
@@ -54,7 +54,7 @@ func TestRealIPWithXFFHeader(t *testing.T) {
 	headers.Set("X-Forwarded-For", "fake IP")
 	r = &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}
 
-	if ip := RealIP(r); ip != "192.168.0.1" {
+	if ip := FindClientIP(r); ip != "192.168.0.1" {
 		t.Fatalf(`Unexpected result, got: %q`, ip)
 	}
 }
@@ -64,7 +64,7 @@ func TestRealIPWithXRealIPHeader(t *testing.T) {
 	headers.Set("X-Real-Ip", "192.168.122.1")
 	r := &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}
 
-	if ip := RealIP(r); ip != "192.168.122.1" {
+	if ip := FindClientIP(r); ip != "192.168.122.1" {
 		t.Fatalf(`Unexpected result, got: %q`, ip)
 	}
 }
@@ -76,7 +76,7 @@ func TestRealIPWithBothHeaders(t *testing.T) {
 
 	r := &http.Request{RemoteAddr: "192.168.0.1:4242", Header: headers}
 
-	if ip := RealIP(r); ip != "203.0.113.195" {
+	if ip := FindClientIP(r); ip != "203.0.113.195" {
 		t.Fatalf(`Unexpected result, got: %q`, ip)
 	}
 }
diff --git a/middleware/basic_auth.go b/middleware/basic_auth.go
index bd8402a..5a7204c 100644
--- a/middleware/basic_auth.go
+++ b/middleware/basic_auth.go
@@ -18,8 +18,7 @@ func (m *Middleware) BasicAuth(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
 
-		remoteAddr := request.RealIP(r)
-
+		clientIP := request.ClientIP(r)
 		username, password, authOK := r.BasicAuth()
 		if !authOK {
 			logger.Debug("[Middleware:BasicAuth] No authentication headers sent")
@@ -28,7 +27,7 @@ func (m *Middleware) BasicAuth(next http.Handler) http.Handler {
 		}
 
 		if err := m.store.CheckPassword(username, password); err != nil {
-			logger.Error("[Middleware:BasicAuth] [Remote=%v] Invalid username or password: %s", remoteAddr, username)
+			logger.Error("[Middleware:BasicAuth] [ClientIP=%s] Invalid username or password: %s", clientIP, username)
 			json.Unauthorized(w)
 			return
 		}
@@ -41,7 +40,7 @@ func (m *Middleware) BasicAuth(next http.Handler) http.Handler {
 		}
 
 		if user == nil {
-			logger.Error("[Middleware:BasicAuth] [Remote=%v] User not found: %s", remoteAddr, username)
+			logger.Error("[Middleware:BasicAuth] [ClientIP=%s] User not found: %s", clientIP, username)
 			json.Unauthorized(w)
 			return
 		}
diff --git a/middleware/client_ip.go b/middleware/client_ip.go
new file mode 100644
index 0000000..853fcc9
--- /dev/null
+++ b/middleware/client_ip.go
@@ -0,0 +1,21 @@
+// Copyright 2018 Frédéric Guillot. All rights reserved.
+// Use of this source code is governed by the Apache 2.0
+// license that can be found in the LICENSE file.
+
+package middleware // import "miniflux.app/middleware"
+
+import (
+	"context"
+	"net/http"
+
+	"miniflux.app/http/request"
+)
+
+// ClientIP stores in the real client IP address in the context.
+func (m *Middleware) ClientIP(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+		ctx = context.WithValue(ctx, request.ClientIPContextKey, request.FindClientIP(r))
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
diff --git a/middleware/logging.go b/middleware/logging.go
index 2e78ea8..fdf1ce3 100644
--- a/middleware/logging.go
+++ b/middleware/logging.go
@@ -14,7 +14,7 @@ import (
 // Logging logs the HTTP request.
 func (m *Middleware) Logging(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		logger.Debug("[HTTP] %s %s %s", request.RealIP(r), r.Method, r.RequestURI)
+		logger.Debug("[HTTP] %s %s %s", request.ClientIP(r), r.Method, r.RequestURI)
 		next.ServeHTTP(w, r)
 	})
 }
diff --git a/ui/login_check.go b/ui/login_check.go
index 95c5908..2c5398a 100644
--- a/ui/login_check.go
+++ b/ui/login_check.go
@@ -16,7 +16,7 @@ import (
 
 // CheckLogin validates the username/password and redirects the user to the unread page.
 func (c *Controller) CheckLogin(w http.ResponseWriter, r *http.Request) {
-	remoteAddr := request.RealIP(r)
+	clientIP := request.ClientIP(r)
 	sess := session.New(c.store, request.SessionID(r))
 	authForm := form.NewAuthForm(r)
 
@@ -31,12 +31,12 @@ func (c *Controller) CheckLogin(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if err := c.store.CheckPassword(authForm.Username, authForm.Password); err != nil {
-		logger.Error("[Controller:CheckLogin] [Remote=%v] %v", remoteAddr, err)
+		logger.Error("[Controller:CheckLogin] [ClientIP=%s] %v", clientIP, err)
 		html.OK(w, r, view.Render("login"))
 		return
 	}
 
-	sessionToken, userID, err := c.store.CreateUserSession(authForm.Username, r.UserAgent(), remoteAddr)
+	sessionToken, userID, err := c.store.CreateUserSession(authForm.Username, r.UserAgent(), clientIP)
 	if err != nil {
 		html.ServerError(w, err)
 		return
diff --git a/ui/oauth2_callback.go b/ui/oauth2_callback.go
index b1bb933..00112b0 100644
--- a/ui/oauth2_callback.go
+++ b/ui/oauth2_callback.go
@@ -103,7 +103,7 @@ func (c *Controller) OAuth2Callback(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	sessionToken, _, err := c.store.CreateUserSession(user.Username, r.UserAgent(), request.RealIP(r))
+	sessionToken, _, err := c.store.CreateUserSession(user.Username, r.UserAgent(), request.ClientIP(r))
 	if err != nil {
 		html.ServerError(w, err)
 		return
author	Frédéric Guillot <fred@miniflux.net>	2018-09-09 15:15:14 -0700
committer	Frédéric Guillot <fred@miniflux.net>	2018-09-09 15:15:14 -0700
commit	c9f9dd3262b9f8437981f92fac100e508e3c3bcd (patch)
tree	16a08ddab87276c6cad972311aa2cfb78843557e
parent	c1e1506720e3c8b4e8782da9ff73ce1c57ce71a5 (diff)