[pocketbase#282] fixed "real" user ip extraction

apis/admin.go

@@ -66,7 +66,7 @@ func (api *adminApi) refresh(c echo.Context) error {
 func (api *adminApi) emailAuth(c echo.Context) error {
 	form := forms.NewAdminLogin(api.app)
 	if readErr := c.Bind(form); readErr != nil {
-		return rest.NewBadRequestError("An error occurred while reading the submitted data.", readErr)
+		return rest.NewBadRequestError("An error occurred while loading the submitted data.", readErr)
 	}
 
 	admin, submitErr := form.Submit()
@@ -80,7 +80,7 @@ func (api *adminApi) emailAuth(c echo.Context) error {
 func (api *adminApi) requestPasswordReset(c echo.Context) error {
 	form := forms.NewAdminPasswordResetRequest(api.app)
 	if err := c.Bind(form); err != nil {
-		return rest.NewBadRequestError("An error occurred while reading the submitted data.", err)
+		return rest.NewBadRequestError("An error occurred while loading the submitted data.", err)
 	}
 
 	if err := form.Validate(); err != nil {
@@ -101,7 +101,7 @@ func (api *adminApi) requestPasswordReset(c echo.Context) error {
 func (api *adminApi) confirmPasswordReset(c echo.Context) error {
 	form := forms.NewAdminPasswordResetConfirm(api.app)
 	if readErr := c.Bind(form); readErr != nil {
-		return rest.NewBadRequestError("An error occurred while reading the submitted data.", readErr)
+		return rest.NewBadRequestError("An error occurred while loading the submitted data.", readErr)
 	}
 
 	admin, submitErr := form.Submit()

apis/middlewares.go

@@ -304,22 +304,24 @@ func ActivityLogger(app core.App) echo.MiddlewareFunc {
 
 // Returns the "real" user IP from common proxy headers (or fallbackIp if none is found).
 //
-// The returned IP shouldn't be trusted if not behind a trusted reverse proxy!
+// The returned IP value shouldn't be trusted if not behind a trusted reverse proxy!
 func realUserIp(r *http.Request, fallbackIp string) string {
 	if ip := r.Header.Get("CF-Connecting-IP"); ip != "" {
 		return ip
 	}
 
-	if ip := r.Header.Get("X-Forwarded-For"); ip != "" {
-		// extract only the last IP
-		if i := strings.IndexAny(ip, ","); i > 0 {
-			return strings.TrimSpace(ip[:i])
-		}
+	if ip := r.Header.Get("X-Real-IP"); ip != "" {
 		return ip
 	}
 
-	if ip := r.Header.Get("X-Forwarded-For"); ip != "" {
-		return ip
+	if ipsList := r.Header.Get("X-Forwarded-For"); ipsList != "" {
+		ips := strings.Split(ipsList, ",")
+		// extract the rightmost ip
+		for _, ip := range ips {
+			if trimmedIp := strings.TrimSpace(ip); trimmedIp != "" {
+				return trimmedIp
+			}
+		}
 	}
 
 	return fallbackIp

apis/user.go

@@ -152,7 +152,7 @@ func (api *userApi) authMethods(c echo.Context) error {
 func (api *userApi) oauth2Auth(c echo.Context) error {
 	form := forms.NewUserOauth2Login(api.app)
 	if readErr := c.Bind(form); readErr != nil {
-		return rest.NewBadRequestError("An error occurred while reading the submitted data.", readErr)
+		return rest.NewBadRequestError("An error occurred while loading the submitted data.", readErr)
 	}
 
 	user, authData, submitErr := form.Submit()
@@ -170,7 +170,7 @@ func (api *userApi) emailAuth(c echo.Context) error {
 
 	form := forms.NewUserEmailLogin(api.app)
 	if readErr := c.Bind(form); readErr != nil {
-		return rest.NewBadRequestError("An error occurred while reading the submitted data.", readErr)
+		return rest.NewBadRequestError("An error occurred while loading the submitted data.", readErr)
 	}
 
 	user, submitErr := form.Submit()
@@ -184,7 +184,7 @@ func (api *userApi) emailAuth(c echo.Context) error {
 func (api *userApi) requestPasswordReset(c echo.Context) error {
 	form := forms.NewUserPasswordResetRequest(api.app)
 	if err := c.Bind(form); err != nil {
-		return rest.NewBadRequestError("An error occurred while reading the submitted data.", err)
+		return rest.NewBadRequestError("An error occurred while loading the submitted data.", err)
 	}
 
 	if err := form.Validate(); err != nil {
@@ -205,7 +205,7 @@ func (api *userApi) requestPasswordReset(c echo.Context) error {
 func (api *userApi) confirmPasswordReset(c echo.Context) error {
 	form := forms.NewUserPasswordResetConfirm(api.app)
 	if readErr := c.Bind(form); readErr != nil {
-		return rest.NewBadRequestError("An error occurred while reading the submitted data.", readErr)
+		return rest.NewBadRequestError("An error occurred while loading the submitted data.", readErr)
 	}
 
 	user, submitErr := form.Submit()
@@ -224,7 +224,7 @@ func (api *userApi) requestEmailChange(c echo.Context) error {
 
 	form := forms.NewUserEmailChangeRequest(api.app, loggedUser)
 	if err := c.Bind(form); err != nil {
-		return rest.NewBadRequestError("An error occurred while reading the submitted data.", err)
+		return rest.NewBadRequestError("An error occurred while loading the submitted data.", err)
 	}
 
 	if err := form.Submit(); err != nil {
@@ -237,7 +237,7 @@ func (api *userApi) requestEmailChange(c echo.Context) error {
 func (api *userApi) confirmEmailChange(c echo.Context) error {
 	form := forms.NewUserEmailChangeConfirm(api.app)
 	if readErr := c.Bind(form); readErr != nil {
-		return rest.NewBadRequestError("An error occurred while reading the submitted data.", readErr)
+		return rest.NewBadRequestError("An error occurred while loading the submitted data.", readErr)
 	}
 
 	user, submitErr := form.Submit()
@@ -251,7 +251,7 @@ func (api *userApi) confirmEmailChange(c echo.Context) error {
 func (api *userApi) requestVerification(c echo.Context) error {
 	form := forms.NewUserVerificationRequest(api.app)
 	if err := c.Bind(form); err != nil {
-		return rest.NewBadRequestError("An error occurred while reading the submitted data.", err)
+		return rest.NewBadRequestError("An error occurred while loading the submitted data.", err)
 	}
 
 	if err := form.Validate(); err != nil {
@@ -272,7 +272,7 @@ func (api *userApi) requestVerification(c echo.Context) error {
 func (api *userApi) confirmVerification(c echo.Context) error {
 	form := forms.NewUserVerificationConfirm(api.app)
 	if readErr := c.Bind(form); readErr != nil {
-		return rest.NewBadRequestError("An error occurred while reading the submitted data.", readErr)
+		return rest.NewBadRequestError("An error occurred while loading the submitted data.", readErr)
 	}
 
 	user, submitErr := form.Submit()