Rate limits not working in @convex-dev/better-auth due to adapter(s)

[dantman]

I am using Vercel + Next.js + Convex + Better Auth and discovered that Better Auth's rateLimit config was not behaving as expected.

After a lot of digging I found that the betterAuth/rateLimit table in Convex does contain rate limit entries. However I could not find my IP. Instead found a bunch of IPs that a search suggests belong to CloudFlare reverse proxies. And when I try hitting /get-session from the client 100 times I instead get a bunch of random IPs being incremented.

My hunch is that the @convex-dev/better-auth/nextjs adapter's handler for Next.js is at fault. As it seems to work by fetching a new request without any headers to pass along the IP address.

better-auth/src/nextjs/index.ts

Lines 43 to 50 in 5751ea8

	const handler = (request: Request, siteUrl: string) => {
	const requestUrl = new URL(request.url);
	const nextUrl = `${siteUrl}${requestUrl.pathname}${requestUrl.search}`;
	const newRequest = new Request(nextUrl, request);
	newRequest.headers.set("accept-encoding", "application/json");
	newRequest.headers.set("host", new URL(siteUrl).host);
	return fetch(newRequest, { method: request.method, redirect: "manual" });
	};

[dantman]

I did a little more testing and replaced the built-in handler with a custom handler that puts the IP exposed by import { ipAddress } from "@vercel/functions"; into x-forwarded-for and x-real-ip. Then enabled Verbose logging on the Backend.

Here's a redacted list of request headers for get-session:

{
	host: 'api.myapp.test',
	'user-agent': 'Mozilla/5.0 ...',
	accept: '*/*',
	'accept-encoding': 'gzip, br',
	'accept-language': 'en-CA,en-US;q=0.9,en-GB;q=0.8,en;q=0.7',
	'cdn-loop': 'cloudflare; loops=1',
	'cf-connecting-ip': '18.(IP Belonging to Amazon Technologies Inc.)',
	'cf-ipcountry': 'US',
	'cf-ray': '...-IAD',
	'cf-visitor': '{"scheme":"https"}',
	cookie: '...',
	dnt: '1',
	priority: 'u=1, i',
	referer: 'https://myapp.test/dashboard',
	'sec-ch-ua': '...',
	'sec-ch-ua-mobile': '?0',
	'sec-ch-ua-platform': '"..."',
	'sec-fetch-dest': 'empty',
	'sec-fetch-mode': 'cors',
	'sec-fetch-site': 'same-origin',
	via: '2.0 Caddy',
	'x-convex-custom-domain': '1',
	'x-forwarded-for': '104.(IP Belonging to HostRoyale LLC)',
	'x-forwarded-host': 'api.myapp.test',
	'x-forwarded-port': '443',
	'x-forwarded-proto': 'https',
	'x-invocation-id': '...',
	'x-matched-path': '/api/auth/[...all]',
	'x-vercel-deployment-url': '....vercel.app',
	'x-vercel-forwarded-for': '###.(My real IP)',
	'x-vercel-id': '...',
	'x-vercel-ip-as-number': '###',
	'x-vercel-ip-city': '...City Name...',
	'x-vercel-ip-continent': 'NA',
	'x-vercel-ip-country': 'CA',
	'x-vercel-ip-country-region': 'BC',
	'x-vercel-ip-latitude': '...',
	'x-vercel-ip-longitude': '...',
	'x-vercel-ip-postal-code': '...',
	'x-vercel-ip-timezone': 'America/Vancouver',
	'x-vercel-ja4-digest': '...',
	'x-vercel-oidc-token': '...',
	'x-vercel-proxied-for': '###.(My real IP)',
	'x-vercel-proxy-signature': 'Bearer ...',
	'x-vercel-proxy-signature-ts': '...',
	'x-vercel-sc-basepath': '',
	'x-vercel-sc-headers': '...',
	'x-vercel-sc-host': 'iad1.suspense-cache.vercel-infra.com',
	'convex-request-id': '...'
}

From what I can tell here:

1. Convex is behind CloudFlare and strips any x-forwarded-for or x-real-ip you pass along.
2. For Vercel users we might be able to make use of x-vercel-proxied-for and x-vercel-proxy-signature but this might be something that requires more than basic Better Auth config because the Convex backend is publicly exposed and thus you cannot simply trust x-vercel-proxied-for without verification.

Or perhaps there's a way to cheat by passing along Convex Better Auth related headers (i.e. the detected IP plus a shared secret).