Merge pull request pallets-eco#352 from fuhrysteve/develop

X-Forwarded-For can contain multiple IP addresses
lkarthee · May 2, 2015 · 2e08ec8 · 2e08ec8
2 parents 4d3c1c0 + 923ad72
commit 2e08ec8
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 4 deletions.
diff --git a/.gitignore b/.gitignore
@@ -34,3 +34,11 @@ env/
 
 *.db
 *cache*
+
+# vim
+[._]*.s[a-w][a-z]
+[._]s[a-w][a-z]
+*.un~
+Session.vim
+.netrwhist
+*~
diff --git a/docs/configuration.rst b/docs/configuration.rst
@@ -163,7 +163,8 @@ Feature Flags
                           option. Defaults to ``False``.
 ``SECURITY_TRACKABLE``    Specifies if Flask-Security should track basic user
                           login statistics. If set to ``True``, ensure your
-                          models have the required fields/attribues. Defaults to
+                          models have the required fields/attribues. Be sure to
+                          use `ProxyFix <http://flask.pocoo.org/docs/0.10/deploying/wsgi-standalone/#proxy-setups>` if you are using a proxy. Defaults to
                           ``False``
 ``SECURITY_PASSWORDLESS`` Specifies if Flask-Security should enable the
                           passwordless login feature. If set to ``True``, users

diff --git a/flask_security/utils.py b/flask_security/utils.py
@@ -62,10 +62,10 @@ def login_user(user, remember=None):
         return False
 
     if _security.trackable:
-        if 'X-Forwarded-For' not in request.headers:
-            remote_addr = request.remote_addr or 'untrackable'
+        if 'X-Forwarded-For' in request.headers:
+            remote_addr = request.headers.getlist("X-Forwarded-For")[0].rpartition(' ')[-1]
         else:
-            remote_addr = request.headers.getlist("X-Forwarded-For")[0]
+            remote_addr = request.remote_addr or 'untrackable'
 
         old_current_login, new_current_login = user.current_login_at, datetime.utcnow()
         old_current_ip, new_current_ip = user.current_login_ip, remote_addr

diff --git a/tests/test_trackable.py b/tests/test_trackable.py
@@ -26,3 +26,19 @@ def test_trackable_flag(app, client):
         assert user.last_login_ip == 'untrackable'
         assert user.current_login_ip == '127.0.0.1'
         assert user.login_count == 2
+
+
+def test_trackable_with_multiple_ips_in_headers(app, client):
+    e = '[email protected]'
+    authenticate(client, email=e)
+    logout(client)
+    authenticate(client, email=e, headers={
+        'X-Forwarded-For': '99.99.99.99, 88.88.88.88'})
+
+    with app.app_context():
+        user = app.security.datastore.find_user(email=e)
+        assert user.last_login_at is not None
+        assert user.current_login_at is not None
+        assert user.last_login_ip == 'untrackable'
+        assert user.current_login_ip == '88.88.88.88'
+        assert user.login_count == 2