include ip, fix env and add trusted proxies

Author: sebasptsch

apps/server/package.json

@@ -17,14 +17,14 @@
 		"@fastify/static": "^8.3.0",
 		"@fastify/websocket": "^11.2.0",
 		"@graphql-yoga/subscription": "^5.0.5",
+		"@t3-oss/env-core": "^0.13.8",
 		"@trpc/server": "11.6.0",
-		"dotenv": "^16.6.1",
-		"dotenv-cli": "^6.0.0",
 		"execa": "^9.6.0",
 		"fastify": "^5.6.1",
 		"gel": "^2.1.1",
+		"ipaddr.js": "^2.2.0",
 		"nanoid": "^3.3.11",
-		"zod": "^3.25.76"
+		"zod": "^4.1.12"
 	},
 	"devDependencies": {
 		"@gel/generate": "^0.7.0",

apps/server/src/env.ts

@@ -1,25 +1,13 @@
-import dotenv from "dotenv";
-
-if (process.env.NODE_ENV !== "production") {
-	dotenv.config({});
-	dotenv.config({ path: "../../.env" });
-}
-
-function envVar(name: string): string | undefined {
-	return process.env[name];
-}
-
-function envVarProdForce(name: string): string | undefined {
-	const value = envVar(name);
-	if (value === undefined && process.env.NODE_ENV === "production") {
-		throw new Error(
-			`${name} environment variable must be defined in production`,
-		);
-	}
-	return value;
-}
-
-export const env = {
-	port: envVarProdForce("PORT") ?? "8080",
-	publicDir: envVarProdForce("PUBLIC_DIR"),
-};
+import { createEnv } from "@t3-oss/env-core";
+import z from "zod";
+
+export const env = createEnv({
+	server: {
+		PORT: z.coerce.number().default(8080),
+		PUBLIC_DIR: z.string().optional(),
+		TRUSTED_PROXIES: z.string()
+			.transform(value => value.split(','))
+			.pipe(z.string().array()).optional(),
+	},
+	runtimeEnv: process.env,
+});

apps/server/src/main.ts

@@ -6,6 +6,7 @@ import {
 } from "@trpc/server/adapters/fastify";
 import type { TRPCReconnectNotification } from "@trpc/server/rpc";
 import fastify from "fastify";
+import ipaddr from "ipaddr.js";
 import { env } from "./env";
 import { roomRouter } from "./routers/room";
 import { roomAdminRouter } from "./routers/room-admin";
@@ -28,6 +29,38 @@ const server = fastify({
 	routerOptions: {
 		maxParamLength: 5000,
 	},
+	trustProxy: env.TRUSTED_PROXIES
+		? (address) => {
+			const ip = ipaddr.parse(address);
+			const trustedCidrs =
+				env.TRUSTED_PROXIES?.filter((c) => ipaddr.isValidCIDR(c)).map((c) =>
+					ipaddr.parseCIDR(c),
+				) || [];
+			const trustedIps =
+				env.TRUSTED_PROXIES?.filter((c) => ipaddr.isValid(c)).map((c) =>
+					ipaddr.parse(c),
+				) || [];
+
+			// Check if the IP matches any trusted CIDR
+			for (const [range, prefix] of trustedCidrs) {
+				if (ip.match(range, prefix)) {
+					return true;
+				}
+			}
+
+			// Check if the IP matches any trusted IP directly
+			for (const trustedIp of trustedIps) {
+				if (
+					ip.kind() === trustedIp.kind() &&
+					ip.toNormalizedString() === trustedIp.toNormalizedString()
+				) {
+					return true;
+				}
+			}
+
+			return false;
+		}
+		: false,
 });
 
 await server.register(ws, {
@@ -50,12 +83,16 @@ await server.register(ws, {
 	},
 });
 
-server.websocketServer.on("connection", (ws) => {
-	console.log(`➕➕ Connection (${server.websocketServer.clients.size})`);
+server.websocketServer.on("connection", (ws, req) => {
+	console.log(
+		`➕➕ Connection (${server.websocketServer.clients.size}) - ${req.socket.remoteAddress}`,
+	);
 	ws.once("close", () => {
-		console.log(`➖➖ Connection (${server.websocketServer.clients.size})`);
+		console.log(
+			`➖➖ Connection (${server.websocketServer.clients.size}) - ${req.socket.remoteAddress}`,
+		);
 	});
-})
+});
 
 // Allow CORS for dev
 if (process.env.NODE_ENV !== "production") {
@@ -86,8 +123,8 @@ await server.register(fastifyTRPCPlugin, {
 	} satisfies FastifyTRPCPluginOptions<AppRouter>["trpcOptions"],
 });
 
-if (env.publicDir) {
-	const publicDir = env.publicDir;
+if (env.PUBLIC_DIR) {
+	const publicDir = env.PUBLIC_DIR;
 	await server.register(import("@fastify/static"), {
 		root: publicDir,
 		prefix: "/",
@@ -98,9 +135,8 @@ if (env.publicDir) {
 	});
 }
 
-const PORT = env.port || 8080;
-server.listen({ port: Number(PORT), host: "0.0.0.0" }).then(() => {
-	console.log(`Server listening on port ${PORT}`);
+server.listen({ port: env.PORT, host: "0.0.0.0" }).then(() => {
+	console.log(`Server listening on port ${env.PORT}`);
 });
 
 process.on("SIGTERM", () => {
@@ -110,4 +146,3 @@ process.on("SIGTERM", () => {
 	});
 });
 
-

bun.lock

@@ -54,14 +54,14 @@
         "@fastify/static": "^8.3.0",
         "@fastify/websocket": "^11.2.0",
         "@graphql-yoga/subscription": "^5.0.5",
+        "@t3-oss/env-core": "^0.13.8",
         "@trpc/server": "11.6.0",
-        "dotenv": "^16.6.1",
-        "dotenv-cli": "^6.0.0",
         "execa": "^9.6.0",
         "fastify": "^5.6.1",
         "gel": "^2.1.1",
+        "ipaddr.js": "^2.2.0",
         "nanoid": "^3.3.11",
-        "zod": "^3.25.76",
+        "zod": "^4.1.12",
       },
       "devDependencies": {
         "@gel/generate": "^0.7.0",
@@ -361,6 +361,8 @@
 
     "@standard-schema/utils": ["@standard-schema/[email protected]", "", {}, "sha512-e7Mew686owMaPJVNNLs55PUvgz371nKgwsc4vxE49zsODpJEnxgxRo2y/OKrqueavXgZNMDVj3DdHFlaSAeU8g=="],
 
+    "@t3-oss/env-core": ["@t3-oss/[email protected]", "", { "peerDependencies": { "arktype": "^2.1.0", "typescript": ">=5.0.0", "valibot": "^1.0.0-beta.7 || ^1.0.0", "zod": "^3.24.0 || ^4.0.0-beta.0" }, "optionalPeers": ["arktype", "typescript", "valibot", "zod"] }, "sha512-L1inmpzLQyYu4+Q1DyrXsGJYCXbtXjC4cICw1uAKv0ppYPQv656lhZPU91Qd1VS6SO/bou1/q5ufVzBGbNsUpw=="],
+
     "@tailwindcss/node": ["@tailwindcss/[email protected]", "", { "dependencies": { "@jridgewell/remapping": "^2.3.4", "enhanced-resolve": "^5.18.3", "jiti": "^2.6.1", "lightningcss": "1.30.2", "magic-string": "^0.30.19", "source-map-js": "^1.2.1", "tailwindcss": "4.1.16" } }, "sha512-BX5iaSsloNuvKNHRN3k2RcCuTEgASTo77mofW0vmeHkfrDWaoFAFvNHpEgtu0eqyypcyiBkDWzSMxJhp3AUVcw=="],
 
     "@tailwindcss/oxide": ["@tailwindcss/[email protected]", "", { "optionalDependencies": { "@tailwindcss/oxide-android-arm64": "4.1.16", "@tailwindcss/oxide-darwin-arm64": "4.1.16", "@tailwindcss/oxide-darwin-x64": "4.1.16", "@tailwindcss/oxide-freebsd-x64": "4.1.16", "@tailwindcss/oxide-linux-arm-gnueabihf": "4.1.16", "@tailwindcss/oxide-linux-arm64-gnu": "4.1.16", "@tailwindcss/oxide-linux-arm64-musl": "4.1.16", "@tailwindcss/oxide-linux-x64-gnu": "4.1.16", "@tailwindcss/oxide-linux-x64-musl": "4.1.16", "@tailwindcss/oxide-wasm32-wasi": "4.1.16", "@tailwindcss/oxide-win32-arm64-msvc": "4.1.16", "@tailwindcss/oxide-win32-x64-msvc": "4.1.16" } }, "sha512-2OSv52FRuhdlgyOQqgtQHuCgXnS8nFSYRp2tJ+4WZXKgTxqPy7SMSls8c3mPT5pkZ17SBToGM5LHEJBO7miEdg=="],
@@ -523,7 +525,7 @@
 
     "cookie-es": ["[email protected]", "", {}, "sha512-RAj4E421UYRgqokKUmotqAwuplYw15qtdXfY+hGzgCJ/MBjCVZcSoHK/kH9kocfjRjcDME7IiDWR/1WX1TM2Pg=="],
 
-    "cross-spawn": ["[email protected].3", "", { "dependencies": { "path-key": "^3.1.0", "shebang-command": "^2.0.0", "which": "^2.0.1" } }, "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w=="],
+    "cross-spawn": ["[email protected].6", "", { "dependencies": { "path-key": "^3.1.0", "shebang-command": "^2.0.0", "which": "^2.0.1" } }, "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA=="],
 
     "csstype": ["[email protected]", "", {}, "sha512-M1uQkMl8rQK/szD0LNhtqxIPLpimGm8sOBwU7lLnCpSbTyY3yeU1Vc7l4KT5zT4s/yOxHH5O7tIuuLOCnLADRw=="],
 
@@ -547,12 +549,6 @@
 
     "dijkstrajs": ["[email protected]", "", {}, "sha512-qiSlmBq9+BCdCA/L46dw8Uy93mloxsPSbwnm5yrKn2vMPiy8KyAskTF6zuV/j5BMsmOGZDPs7KjU+mjb670kfA=="],
 
-    "dotenv": ["[email protected]", "", {}, "sha512-uBq4egWHTcTt33a72vpSG0z3HnPuIl6NqYcTrKEg2azoEyl2hpW0zqlxysq2pK9HlDIHyHyakeYaYnSAwd8bow=="],
-
-    "dotenv-cli": ["[email protected]", "", { "dependencies": { "cross-spawn": "^7.0.3", "dotenv": "^16.0.0", "dotenv-expand": "^8.0.1", "minimist": "^1.2.5" }, "bin": { "dotenv": "cli.js" } }, "sha512-qXlCOi3UMDhCWFKe0yq5sg3X+pJAz+RQDiFN38AMSbUrnY3uZshSfDJUAge951OS7J9gwLZGfsBlWRSOYz/TRg=="],
-
-    "dotenv-expand": ["[email protected]", "", {}, "sha512-SErOMvge0ZUyWd5B0NXMQlDkN+8r+HhVUsxgOO7IoPDOdDRD2JjExpN6y3KnFR66jsJMwSn1pqIivhU5rcJiNg=="],
-
     "dts-resolver": ["[email protected]", "", { "peerDependencies": { "oxc-resolver": ">=11.0.0" }, "optionalPeers": ["oxc-resolver"] }, "sha512-xeXHBQkn2ISSXxbJWD828PFjtyg+/UrMDo7W4Ffcs7+YWCquxU8YjV1KoxuiL+eJ5pg3ll+bC6flVv61L3LKZg=="],
 
     "duplexify": ["[email protected]", "", { "dependencies": { "end-of-stream": "^1.4.1", "inherits": "^2.0.3", "readable-stream": "^3.1.1", "stream-shift": "^1.0.2" } }, "sha512-M3BmBhwJRZsSx38lZyhE53Csddgzl5R7xGJNk7CVddZD6CcmwMCH8J+7AprIrQKH7TonKxaCjcv27Qmf+sQ+oA=="],
@@ -729,8 +725,6 @@
 
     "minimatch": ["[email protected]", "", { "dependencies": { "@isaacs/brace-expansion": "^5.0.0" } }, "sha512-IPZ167aShDZZUMdRk66cyQAW3qr0WzbHkPdMYa8bzZhlHhO3jALbKdxcaak7W9FfT2rZNpQuUu4Od7ILEpXSaw=="],
 
-    "minimist": ["[email protected]", "", {}, "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA=="],
-
     "minipass": ["[email protected]", "", {}, "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw=="],
 
     "ms": ["[email protected]", "", {}, "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="],
@@ -1019,12 +1013,6 @@
 
     "cross-spawn/which": ["[email protected]", "", { "dependencies": { "isexe": "^2.0.0" }, "bin": { "node-which": "./bin/node-which" } }, "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA=="],
 
-    "dotenv-cli/dotenv": ["[email protected]", "", {}, "sha512-ZmdL2rui+eB2YwhsWzjInR8LldtZHGDoQ1ugH85ppHKwpUHL7j7rN0Ti9NCnGiQbhaZ11FpR+7ao1dNsmduNUg=="],
-
-    "execa/cross-spawn": ["[email protected]", "", { "dependencies": { "path-key": "^3.1.0", "shebang-command": "^2.0.0", "which": "^2.0.1" } }, "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA=="],
-
-    "foreground-child/cross-spawn": ["[email protected]", "", { "dependencies": { "path-key": "^3.1.0", "shebang-command": "^2.0.0", "which": "^2.0.1" } }, "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA=="],
-
     "formik/tslib": ["[email protected]", "", {}, "sha512-xNvxJEOUiWPGhUuUdQgAJPKOOJfGnIyKySOc09XkKsgdUV/3E2zvwZYdejjmRgPCgcym1juLH3226yA7sEFJKQ=="],
 
     "gel/semver": ["[email protected]", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-FNAIBWCx9qcRhoHcgcJ0gvU7SN1lYU2ZXuSfl04bSC5OpvDHFyJCjdNHomPXxjQlCBU67YW64PzY7/VIEH7F2w=="],
@@ -1049,8 +1037,6 @@
 
     "server/@types/node": ["@types/[email protected]", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-yIdlVVVHXpmqRhtyovZAcSy0MiPcYWGkoO4CGe/+jpP0hmNuihm4XhHbADpK++MsiLHP5MVlv+bcgdF99kSiFQ=="],
 
-    "server/zod": ["[email protected]", "", {}, "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ=="],
-
     "tsdown/chokidar": ["[email protected]", "", { "dependencies": { "readdirp": "^4.0.1" } }, "sha512-Qgzu8kfBvo+cA4962jnP1KkS6Dop5NS6g7R5LFYJr4b8Ub94PPQXUksCw9PvXoeXPRRddRNC5C1JQUR2SMGtnA=="],
 
     "tsdown/debug": ["[email protected]", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA=="],
@@ -1063,20 +1049,12 @@
 
     "cross-spawn/which/isexe": ["[email protected]", "", {}, "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw=="],
 
-    "execa/cross-spawn/which": ["[email protected]", "", { "dependencies": { "isexe": "^2.0.0" }, "bin": { "node-which": "./bin/node-which" } }, "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA=="],
-
-    "foreground-child/cross-spawn/which": ["[email protected]", "", { "dependencies": { "isexe": "^2.0.0" }, "bin": { "node-which": "./bin/node-which" } }, "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA=="],
-
     "rolldown-plugin-dts/debug/ms": ["[email protected]", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="],
 
     "server/@types/node/undici-types": ["[email protected]", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
 
     "tsdown/chokidar/readdirp": ["[email protected]", "", {}, "sha512-GDhwkLfywWL2s6vEjyhri+eXmfH6j1L7JE27WhqLeYzoh/A3DBaYGEj2H/HFZCn/kMfim73FXxEJTw06WtxQwg=="],
 
     "tsdown/debug/ms": ["[email protected]", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="],
-
-    "execa/cross-spawn/which/isexe": ["[email protected]", "", {}, "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw=="],
-
-    "foreground-child/cross-spawn/which/isexe": ["[email protected]", "", {}, "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw=="],
   }
 }