Fix: Using all IPs including x-forwarded-for when checking if the requester has access to metrics

[victoreduardo]

📋 Description

We need to use all kind of ips to make sure the requester has access to, including x-forwarded-for ip since when using cloudflare/loadbalance on the front line the ip will be the cloudflare/loadbalance not real requester ip.

🔗 Related Issue

🧪 Type of Change

• 🐛 Bug fix (non-breaking change which fixes an issue)
• ✨ New feature (non-breaking change which adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected)
• 📚 Documentation update
• 🔧 Refactoring (no functional changes)
• ⚡ Performance improvement
• 🧹 Code cleanup
• 🔒 Security fix

🧪 Testing

• Manual testing completed
• Functionality verified in development environment
• No breaking changes introduced
• Tested with different connection types (if applicable)

✅ Checklist

• My code follows the project's style guidelines
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have manually tested my changes thoroughly
• I have verified the changes work with different scenarios
• Any dependent changes have been merged and published

📝 Additional Notes

Summary by Sourcery

Improve IP whitelist validation for metrics endpoints by aggregating all possible client IP sources and including the X-Forwarded-For header.

Bug Fixes:

• Include the X-Forwarded-For header when verifying if a client IP is allowed to access metrics

Enhancements:

• Collect client IPs from req.ip, connection.remoteAddress, socket.remoteAddress, and X-Forwarded-For into a single array
• Change the whitelist check to verify at least one of the collected IPs matches an allowed IP

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

The metricsIPWhitelist middleware now gathers all possible client IPs (including x-forwarded-for) into an array, filters out undefined values, and then checks for any intersection with the configured allowed IPs to authorize metric access.

Sequence diagram for updated IP whitelist check in metrics middleware

sequenceDiagram
participant Client
participant "Express Server"
participant "metricsIPWhitelist Middleware"
Client->>"Express Server": Request /metrics
"Express Server"->>"metricsIPWhitelist Middleware": Pass request
"metricsIPWhitelist Middleware"->>"metricsIPWhitelist Middleware": Gather IPs (req.ip, remoteAddress, x-forwarded-for)
"metricsIPWhitelist Middleware"->>"metricsIPWhitelist Middleware": Check intersection with allowed IPs
alt IP allowed
"metricsIPWhitelist Middleware"->>"Express Server": next()
"Express Server"->>Client: Return metrics
else IP not allowed
"metricsIPWhitelist Middleware"->>Client: 403 Forbidden
end

Loading

Class diagram for updated metricsIPWhitelist middleware

classDiagram
class metricsIPWhitelist {
  +allowedIPs: string[]
  +clientIPs: string[]
  +Request, Response, NextFunction
  +Gathers IPs from req.ip, req.connection.remoteAddress, req.socket.remoteAddress, req.headers["x-forwarded-for"]
  +Checks intersection with allowedIPs
}

Loading

File-Level Changes

Change	Details	Files
Expanded client IP detection to include multiple sources	Replaced single clientIP assignment with an array of potential sources Added req.headers['x-forwarded-for'] to the list Filtered out undefined values from the array	src/api/routes/index.router.ts
Updated IP authorization check to use array intersection	Replaced includes check on a single IP with filtering allowedIPs against clientIPs Altered the forbidden condition to trigger when no allowed IPs are found in clientIPs	src/api/routes/index.router.ts

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• The conditional allowedIPs.filter((ip) => clientIPs.includes(ip)) === 0 is comparing an array to a number—use .length === 0 or !allowedIPs.some(...) instead.
• req.headers['x-forwarded-for'] can be a comma-separated list of IPs, so you should split it and pick the correct client IP rather than treating it as a single string.
• Consider enabling Express’s trust proxy setting and using req.ips for more reliable handling of proxy and load balancer IPs.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The conditional `allowedIPs.filter((ip) => clientIPs.includes(ip)) === 0` is comparing an array to a number—use `.length === 0` or `!allowedIPs.some(...)` instead.
- `req.headers['x-forwarded-for']` can be a comma-separated list of IPs, so you should split it and pick the correct client IP rather than treating it as a single string.
- Consider enabling Express’s `trust proxy` setting and using `req.ips` for more reliable handling of proxy and load balancer IPs.

## Individual Comments

### Comment 1
<location> `src/api/routes/index.router.ts:51-55` </location>
<code_context>
-  const clientIP = req.ip || req.connection.remoteAddress || req.socket.remoteAddress;
-
-  if (!allowedIPs.includes(clientIP)) {
+  const clientIPs = [
+    req.ip,
+    req.connection.remoteAddress,
+    req.socket.remoteAddress,
+    req.headers['x-forwarded-for'],
+  ].filter((ip) => ip !== undefined);
+
</code_context>

<issue_to_address>
**🚨 suggestion (security):** Consider normalizing and validating IPs from 'x-forwarded-for'.

Split the 'x-forwarded-for' header on commas, trim whitespace from each IP, and validate their formats to ensure accurate and secure IP handling.
</issue_to_address>

### Comment 2
<location> `src/api/routes/index.router.ts:58` </location>
<code_context>
+    req.headers['x-forwarded-for'],
+  ].filter((ip) => ip !== undefined);
+
+  if (allowedIPs.filter((ip) => clientIPs.includes(ip)) === 0) {
     return res.status(403).send('Forbidden: IP not allowed');
   }
</code_context>

<issue_to_address>
**issue (bug_risk):** The IP check logic is incorrect; filter returns an array, not a count.

Update the condition to check 'allowedIPs.filter(...).length === 0' so it correctly determines when no client IPs are allowed.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[sourcery-ai]

🚨 suggestion (security): Consider normalizing and validating IPs from 'x-forwarded-for'.

Split the 'x-forwarded-for' header on commas, trim whitespace from each IP, and validate their formats to ensure accurate and secure IP handling.

[sourcery-ai]

issue (bug_risk): The IP check logic is incorrect; filter returns an array, not a count.

Update the condition to check 'allowedIPs.filter(...).length === 0' so it correctly determines when no client IPs are allowed.