Enhance application security and logging

- Set the Express app to trust proxy headers for improved request handling.
- Add middleware to return a 404 status for specific WordPress-related routes.
- Update unauthorized error logging to include the socket IP address along with the original request IP and forwarded IP.

Author: jpatterson933

src/index.ts

@@ -21,6 +21,7 @@ const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const publicPath = path.join(__dirname, "public");
 
 const app = express();
+app.set("trust proxy", true);
 
 const sessionManager = new SessionManager();
 app.locals.sessionManager = sessionManager;
@@ -39,6 +40,10 @@ if (config.nodeEnv !== "production") {
 app.use(express.static(publicPath));
 app.use(requestLogger);
 
+app.use(["/wp-admin/*", "/wordpress/*", "/*.php"], (_req, res) => {
+  res.status(404).end();
+});
+
 app.use("/docs", docsRouter);
 app.use("/health", healthRouter);
 app.use("/.well-known", wellKnownRouter);

src/middleware/auth.ts

@@ -33,7 +33,9 @@ function sendUnauthorized(
       errorType: "auth",
       code,
       message,
-      ip: req.ip || req.headers["x-forwarded-for"],
+      ip: req.ip,
+      forwardedFor: req.headers["x-forwarded-for"],
+      socketIp: req.socket.remoteAddress,
       userAgent: req.headers["user-agent"],
       method: req.method,
       path: req.path,