get IP, host, and protocol from trusted proxy

zefir-git · zefir-git · commit 7fd23a2b757c · 2025-04-10T11:23:52.000+03:00
diff --git a/src/Request.ts b/src/Request.ts
@@ -17,7 +17,22 @@ export class Request<A> {
     public readonly method: Request.Method;
 
     /**
-     * The request URL.
+     * The original request address, as sent by the last peer. The {@link !URL} `protocol` is always set to `http:` and
+     * the `host` (and related) are always taken from the `HOST` environment variable or defaulted to `localhost`.
+     *
+     * If basic authentication is available to this request via headers, the `username` and `password` fields are
+     * available in the {@link URL} object.
+     */
+    public readonly originalUrl: Readonly<URL>;
+
+    /**
+     * The address requested by the client (first peer). If the request originated from a trusted proxy, this address
+     * will be constructed based on protocol and host provided by the proxy. If the proxy does not specify protocol,
+     * `http:` will be used as a default. If the proxy does not specify host, will use the `HOST` environment variable
+     * or default to `localhost`. If the proxy is not trusted, will be the same as {@link Request#originalUrl}.
+     *
+     * If basic authentication is available to this request via headers, the `username` and `password` fields are
+     * available in the {@link URL} object.
      */
     public readonly url: Readonly<URL>;
 
@@ -26,13 +41,28 @@ export class Request<A> {
      */
     public readonly headers: Readonly<Headers>;
 
+    /**
+     * The `Host` header provided by the client (first peer). If the request originated from a trusted proxy, this
+     * will be obtained from the proxy. Otherwise, if the proxy does not specify the original `Host` header, or the
+     * proxy is untrusted, this will be the same as the `Host` header in {@link Request#headers} (and `null` if not
+     * set).
+     */
+    public readonly host: string | null;
+
     /**
      * Request body readable stream.
      */
     public readonly bodyStream: stream.Readable;
 
     /**
-     * IP address of request sender.
+     * The IP address of the request sender (last peer). This might be a proxy.
+     */
+    public readonly originalIp: IPv4 | IPv6;
+
+    /**
+     * IP address of client (first peer). If the request originated from a trusted proxy, this will be the client IP
+     * indicated by the proxy. Otherwise, if the proxy specifies no client IP, or the proxy is untrusted, this will be
+     * the proxy IP and equivalent to {@link Request#originalIp}.
      */
     public readonly ip: IPv4 | IPv6;
 
@@ -54,25 +84,34 @@ export class Request<A> {
     /**
      * Construct a new Request.
      * @param method See {@link Request#method}.
+     * @param originalUrl See {@link Request#originalUrl}.
      * @param url See {@link Request#url}.
      * @param headers See {@link Request#headers}.
+     * @param host See {@link Request#host}.
      * @param bodyStream See {@link Request#bodyStream}.
+     * @param originalIp See {@link Request#originalIp}.
      * @param ip See {@link Request#ip}.
      * @param server See {@link Request#server}.
      * @throws {@link !URIError} If the request URL path name contains an invalid URI escape sequence.
      */
     public constructor(
         method: Request<A>["method"],
+        originalUrl: Request<A>["originalUrl"],
         url: Request<A>["url"],
         headers: Request<A>["headers"],
+        host: Request<A>["host"],
         bodyStream: Request<A>["bodyStream"],
+        originalIp: Request<A>["originalIp"],
         ip: Request<A>["ip"],
         server: Request<A>["server"]
     ) {
         this.method = method;
+        this.originalUrl = originalUrl;
         this.url = url;
         this.headers = headers;
+        this.host = host;
         this.bodyStream = bodyStream;
+        this.originalIp = originalIp;
         this.ip = ip;
         this.server = server;
 
@@ -104,6 +143,19 @@ export class Request<A> {
      * @throws {@link Request.SocketClosedError} If the request socket was closed before the request could be handled.
      */
     public static incomingMessage<A>(incomingMessage: http.IncomingMessage, server: Server<A>) {
+        const remoteAddress = incomingMessage.socket.remoteAddress;
+        if (remoteAddress === undefined)
+            throw new Request.SocketClosedError();
+        const ip = IPAddress.fromString(remoteAddress);
+        const isTrustedProxy = server.trustedProxies.has(ip);
+
+        const headers = Request.headersFromNodeDict(incomingMessage.headers);
+
+        const proxy = isTrustedProxy ? this.getClientInfoFromTrustedProxy(headers) : {};
+
+        const clientIp = proxy.ip ?? ip;
+        const clientHost = proxy.host ?? headers.get("host");
+
         const auth =
             incomingMessage.headers.authorization
                 ?.toLowerCase()
@@ -114,18 +166,25 @@ export class Request<A> {
             ).toString()
             : null;
 
-        const url = `http://${auth ? `${auth}@` : ""}${process.env.HOST ?? "localhost"}${incomingMessage.url ?? "/"}`;
-        if (!URL.canParse(url))
+        const originalUrl = `http://${auth ? `${auth}@` : ""}${process.env.HOST ?? "localhost"}${incomingMessage.url ?? "/"}`;
+        if (!URL.canParse(originalUrl))
             throw new Request.BadUrlError(incomingMessage.url);
-
-        const headers = Request.headersFromNodeDict(incomingMessage.headers);
-
-        const remoteAddress = incomingMessage.socket.remoteAddress;
-        if (remoteAddress === undefined)
-            throw new Request.SocketClosedError();
+        const clientUrl = new URL(originalUrl);
+        if (proxy.protocol !== undefined)
+            clientUrl.protocol = proxy.protocol + ":";
 
         try {
-            return new Request<A>(incomingMessage.method as Request.Method, new URL(url), headers, incomingMessage, IPAddress.fromString(remoteAddress), server);
+            return new Request<A>(
+                incomingMessage.method as Request.Method,
+                new URL(originalUrl),
+                clientUrl,
+                headers,
+                clientHost,
+                incomingMessage,
+                ip,
+                clientIp,
+                server
+            );
         }
         catch (e) {
             if (e instanceof URIError)
@@ -148,6 +207,77 @@ export class Request<A> {
         );
     }
 
+    /**
+     * Extract client IP, protocol, and host, from the information provided by a trusted proxy.
+     * @param headers The HTTP headers sent by a trusted proxy.
+     */
+    private static getClientInfoFromTrustedProxy(headers: Headers): {ip?: IPv4 | IPv6, host?: string, protocol?: "http" | "https"} {
+        if (headers.has("forwarded")) {
+            const forwarded = headers.get("forwarded")!.split(",")[0]!.trim();
+            const forwardedPairs = forwarded.split(";");
+            let ip: IPv4 | IPv6 | undefined = undefined;
+            let host: string | undefined = undefined;
+            let protocol: "http" | "https" | undefined = undefined;
+            for (const pair of forwardedPairs) {
+                let [key, value] = pair.split("=") as [key: string, value?: string];
+                key = key.trim().toLowerCase();
+                value = value?.trim();
+                if (value === undefined || value === "")
+                    continue;
+                if (value.startsWith("\"") && value.endsWith("\""))
+                    value = value.slice(1, -1);
+
+                switch (key) {
+                    case "for": {
+                        if (ip !== undefined)
+                            break;
+                        const [address] = value.split(":") as [ip: string, port: `${number}`];
+                        if (address.startsWith("[") && address.endsWith("]"))
+                            ip = IPv6.fromString(address.slice(1, -1));
+                        else
+                            ip = IPv4.fromString(address);
+                        break;
+                    }
+                    case "host": {
+                        if (host !== undefined)
+                            break;
+                        host = value;
+                        break;
+                    }
+                    case "proto": {
+                        if (protocol !== undefined)
+                            break;
+                        if (value !== "http" && value !== "https")
+                            break;
+                        protocol = value;
+                        break;
+                    }
+                }
+            }
+
+            return {ip, host, protocol};
+        }
+
+        let ip: IPv4 | IPv6 | undefined = undefined;
+        if (headers.has("x-forwarded-for")) {
+            const address = headers.get("x-forwarded-for")!.split(",")[0]!;
+            ip = IPAddress.fromString(address.trim());
+        }
+        else if (headers.has("x-real-ip")) {
+            ip = IPAddress.fromString(headers.get("x-real-ip")!.trim());
+        }
+
+        const host = headers.get("x-forwarded-host") ?? undefined;
+        const proto = headers.get("x-forwarded-proto") ?? undefined;
+        let protocol: "http" | "https" | undefined = undefined;
+        if (proto !== undefined && proto !== "http" && proto !== "https")
+            protocol = undefined;
+        else
+            protocol = proto;
+
+        return {ip, host, protocol};
+    }
+
     /**
      * Attempt to obtain authorisation for this request with one of the {@link Server}’s {@link Authenticator}s.
      * @returns `null` if the request lacks authorisation information.
@@ -168,9 +298,12 @@ export class Request<A> {
         return new AuthenticatedRequest<A>(
             authorisation,
             this.method,
+            this.originalUrl,
             this.url,
             this.headers,
+            this.host,
             this.bodyStream,
+            this.originalIp,
             this.ip,
             this.server,
         );
