Fix: Using all IPs including x-forwarded-for when checking if the requester has access to metrics

victoreduardo · victoreduardo · commit e6a9ed92ce17 · 2025-11-19T16:20:54.000-03:00
diff --git a/src/api/routes/index.router.ts b/src/api/routes/index.router.ts
@@ -48,9 +48,14 @@ const packageJson = JSON.parse(fs.readFileSync('./package.json', 'utf8'));
 const metricsIPWhitelist = (req: Request, res: Response, next: NextFunction) => {
   const metricsConfig = configService.get('METRICS');
   const allowedIPs = metricsConfig.ALLOWED_IPS?.split(',').map((ip) => ip.trim()) || ['127.0.0.1'];
-  const clientIP = req.ip || req.connection.remoteAddress || req.socket.remoteAddress;
-
-  if (!allowedIPs.includes(clientIP)) {
+  const clientIPs = [
+    req.ip,
+    req.connection.remoteAddress,
+    req.socket.remoteAddress,
+    req.headers['x-forwarded-for'],
+  ].filter((ip) => ip !== undefined);
+
+  if (allowedIPs.filter((ip) => clientIPs.includes(ip)) === 0) {
     return res.status(403).send('Forbidden: IP not allowed');
   }
 
