
supabase / auth / 20445257346 / 1
69%
master: 69%

Build:
DEFAULT BRANCH: master
Ran 22 Dec 2025 10:16PM UTC
Files 171
Run time 4min

22 Dec 2025 10:08PM UTC coverage: 68.686% (+0.08%) from 68.607%
20445257346.1

push

github

web-flow
feat: Add Sb-Forwarded-For header and IP-based rate limiting (#2295)

## What kind of change does this PR introduce?

This PR adds support for IP address forwarding using a new header,
`Sb-Forwarded-For`, optionally gated by
`GOTRUE_SECURITY_SB_FORWARDED_FOR_ENABLED`. When this feature is
enabled, both `utilities.GetIPAddress` and rate limiting will use the
first value of the `Sb-Forwarded-For` header as the IP address/rate
limiting key.

If the feature is disabled or the `Sb-Forwarded-For` header contains an
invalid value, Auth will fall back to existing behavior.

## What is the current behavior?

There are currently two paths along which users are likely to use IP
address information. The first is IP tracking (e.g., logging, MFA
challenge validation, and CAPTCHA challenge validation). The second is
rate limiting. Both of these follow slightly different logical paths,
relying on the `X-Forwarded-For` header explicitly in the former case
and a separate rate limiting key header in the latter.

The presence of these two paths results in some friction for users.
`X-Forwarded-For` can be (and frequently is) rewritten by proxies or
otherwise spoofed, and there is no guarantee that a rate limiting key in
the rate limit header is an IP address.

## What is the new behavior?

The API uses a new middleware, `sbff.Middleware`, that parses the
`Sb-Forwarded-For` header and inserts it into the request context if
`GOTRUE_SECURITY_SB_FORWARDED_FOR_ENABLED` is true. Consumers of the
`Sb-Forwarded-For` header can use `sbff.GetIPAddress` to retrieve the
parsed IP address.

`utilities.GetIPAddress` will prefer the result of `sbff.GetIPAddress`
as the end-user IP address if the feature is enabled and the
`Sb-Forwarded-For` header contains a valid value. Similarly, Auth will
use the end user IP address as determined by `sbff.GetIPAddress` as the
rate limiting key under the same circumstances.

If the feature is not enabled or the `Sb-Forwarded-For` header is absent
or o... (continued)

14696 of 21396 relevant lines covered (68.69%)

79.2 hits per line

Source Files on job 20445257346.1
  • Tree
  • List 171
  • Changed 4
  • Source Changed 0
  • Coverage Changed 4
  • e8f679b9 on github

© 2026 Coveralls, Inc