Refactor IP address handling in server.js

gvbvdxxalt2 · web-flow · commit 36778156261e · 2026-03-04T14:23:06.000-05:00
diff --git a/server-src/server.js b/server-src/server.js
@@ -87,45 +87,107 @@ function closeUserFromUserSocket(username) {
 function isPrivateIp(ip) {
   if (!ip) return false;
 
-  // Handle IPv6 localhost
-  if (ip === '::1' || ip === 'localhost') return true;
+  // Clean up Node's IPv6-mapped IPv4 prefix (::ffff:)
+  const cleanIp = ip.replace(/^::ffff:/, '');
 
-  // Split the IP into its 4 parts (octets)
-  const parts = ip.split('.');
-  if (parts.length !== 4) return false; // Not a standard IPv4 address
+  if (cleanIp === '::1' || cleanIp === 'localhost') return true;
+
+  const parts = cleanIp.split('.');
+  if (parts.length !== 4) return false;
 
   const first = parseInt(parts[0], 10);
   const second = parseInt(parts[1], 10);
 
-  // 127.x.x.x (Localhost)
-  if (first === 127) return true;
+  // Standard Private Ranges
+  if (first === 127 || first === 10) return true;
+  if (first === 192 && second === 168) return true;
+  if (first === 172 && second >= 16 && second <= 31) return true;
 
-  // 10.x.x.x (Private network)
-  if (first === 10) return true;
+  return false;
+}
 
-  // 192.168.x.x (Private network)
-  if (first === 192 && second === 168) return true;
+function getIPFromRequest(req) {
+  // 1. Always check Cloudflare/Render verified header first
+  if (req.headers['cf-connecting-ip']) {
+    return req.headers['cf-connecting-ip'];
+  }
+
+  const ipListHeader = req.headers['x-forwarded-for'];
+  if (ipListHeader) {
+    const IPs = ipListHeader.split(",").map((ip) => ip.trim());
+    
+    // Start from the right (the most recent proxy)
+    for (let i = IPs.length - 1; i >= 0; i--) {
+      const curIp = IPs[i];
+      // If we hit an IP that is NOT private, check if it's the last one left
+      // or if it's a known public proxy (like Render's Azure IPs).
+      if (!isPrivateIp(curIp)) {
+        // If we are at the very first IP (index 0), it's definitely the user.
+        if (i === 0) return curIp;
+        
+        // If this isn't the first IP, it might be Render's public proxy.
+        // We keep looping until we hit index 0.
+        continue; 
+      }
+    }
+    // If the loop finished or we want the most likely candidate:
+    return IPs[0];
+  }
+
+  // Fallback to socket address, cleaning the prefix if it exists
+  return (req.socket.remoteAddress || "").replace(/^::ffff:/, '');
+}function isPrivateIp(ip) {
+  if (!ip) return false;
 
-  // 172.16.x.x through 172.31.x.x (Private network)
+  // Clean up Node's IPv6-mapped IPv4 prefix (::ffff:)
+  const cleanIp = ip.replace(/^::ffff:/, '');
+
+  if (cleanIp === '::1' || cleanIp === 'localhost') return true;
+
+  const parts = cleanIp.split('.');
+  if (parts.length !== 4) return false;
+
+  const first = parseInt(parts[0], 10);
+  const second = parseInt(parts[1], 10);
+
+  // Standard Private Ranges
+  if (first === 127 || first === 10) return true;
+  if (first === 192 && second === 168) return true;
   if (first === 172 && second >= 16 && second <= 31) return true;
 
   return false;
 }
+
 function getIPFromRequest(req) {
-  var ipListHeader = req.headers['x-forwarded-for'];
+  // 1. Always check Cloudflare/Render verified header first
+  if (req.headers['cf-connecting-ip']) {
+    return req.headers['cf-connecting-ip'];
+  }
+
+  const ipListHeader = req.headers['x-forwarded-for'];
   if (ipListHeader) {
-    var IPString = "" + ipListHeader;
-    var IPs = IPString.split(",").map((ip) => ip.trim());
-    var i = IPs.length-1;
-	while (i > 0) {
-		var curIp = IPs[i];
-		if (!isPrivateIp(curIp)) {
-			return curIp;
-		}
-		i -= 1;
-	}
+    const IPs = ipListHeader.split(",").map((ip) => ip.trim());
+    
+    // Start from the right (the most recent proxy)
+    for (let i = IPs.length - 1; i >= 0; i--) {
+      const curIp = IPs[i];
+      // If we hit an IP that is NOT private, check if it's the last one left
+      // or if it's a known public proxy (like Render's Azure IPs).
+      if (!isPrivateIp(curIp)) {
+        // If we are at the very first IP (index 0), it's definitely the user.
+        if (i === 0) return curIp;
+        
+        // If this isn't the first IP, it might be Render's public proxy.
+        // We keep looping until we hit index 0.
+        continue; 
+      }
+    }
+    // If the loop finished or we want the most likely candidate:
+    return IPs[0];
   }
-  return req.socket.remoteAddress;
+
+  // Fallback to socket address, cleaning the prefix if it exists
+  return (req.socket.remoteAddress || "").replace(/^::ffff:/, '');
 }
 
 var ipBanReasons = {
