supabase / auth / 20069619121

69%

push

github

feat: Treat rate limit header value as comma-separated list (#2282)

## What kind of change does this PR introduce?

This PR updates `performRateLimiting` to treat the rate limit header
value as a comma-separated list and enforce rate limiting based on the
first value in that list.

## What is the current behavior?

Certain HTTP headers, such as `X-Forwarded-For` and other headers that
are combined according to RFC 7230, can be represented as a
comma-separated list of values. Intermediate proxies may add their own
values to these headers, modifying the resulting value. For example, an
end user with a single IP address proxied through a fleet of load
balancers using the X-Forwarded-For header may be associated with
multiple `X-Forwarded-For` header values, e.g.,
`2.2.2.2,100.100.100.100` and `2.2.2.2,300.300.300.300`. The current
implementation of `performRateLimiting` treats each of these as separate
rate limiting keys.

## What is the new behavior?

This PR splits the rate limit header by commas and takes the first value
(with whitespace removed) to use as the rate limiting key.

Note that this logic is superficially similar to the
`utilities.GetIPAddress` function with two key differences. In
`performRateLimiting`, there is no set format for a given rate limiting
key, nor is there a fallback value after the first value in the list
that the API should use.

28 of 30 new or added lines in 1 file covered. (93.33%)

14670 of 21425 relevant lines covered (68.47%)

77.91 hits per line