outskirtslabs
diff --git a/‎README.adoc‎
Lines changed: 99 additions & 0 deletions b/‎README.adoc‎
Lines changed: 99 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 0 additions & 96 deletions b/‎README.md‎
Lines changed: 0 additions & 96 deletions
diff --git a/‎bb.edn‎
Lines changed: 22 additions & 2 deletions b/‎bb.edn‎
Lines changed: 22 additions & 2 deletions
diff --git a/‎doc/antora.yml‎
Lines changed: 6 additions & 0 deletions b/‎doc/antora.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎doc/modules/ROOT/nav.adoc‎
Lines changed: 4 additions & 0 deletions b/‎doc/modules/ROOT/nav.adoc‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎doc/modules/ROOT/pages/api/ol-client-ip-cidr.adoc‎
Lines changed: 67 additions & 0 deletions b/‎doc/modules/ROOT/pages/api/ol-client-ip-cidr.adoc‎
Lines changed: 67 additions & 0 deletions
@@ -0,0 +1,99 @@
+= client-ip
+
+A 0-dependency ring middleware for determining a request's real client IP address from HTTP headers
+
+image:https://github.com/outskirtslabs/client-ip/actions/workflows/ci.yml/badge.svg[Build Status,link=https://github.com/outskirtslabs/client-ip/actions]
+image:https://cljdoc.org/badge/com.outskirtslabs/client-ip[cljdoc,link=https://cljdoc.org/d/com.outskirtslabs/client-ip]
+image:https://img.shields.io/clojars/v/com.outskirtslabs/client-ip.svg[Clojars Project,link=https://clojars.org/com.outskirtslabs/client-ip]
+
+`X-Forwarded-For` and other client IP headers are https://adam-p.ca/blog/2022/03/x-forwarded-for/[often used incorrectly], resulting in bugs and security vulnerabilities. This library provides strategies for extracting the correct client IP based on your network configuration.
+
+It is based on the golang reference implementation https://github.com/realclientip/realclientip-go[realclientip/realclientip-go].
+
+Quick feature list:
+
+* ring middleware determining the client's IP address
+* 0 dependency IP address string parsing with guaranteed no trips to the hosts' DNS services, which can block and timeout (unlike Java's `InetAddress/getByName`)
+* rightmost-ish strategies support the `X-Forwarded-For` and `Forwarded` (RFC 7239) headers
+* IPv6 zone identifiers support
+
+Note that there is no dependency on ring, the public API could also be used for pedestal or sieppari-style interceptors.
+
+== Installation
+
+[source,clojure]
+----
+;; deps.edn
+{:deps {com.outskirtslabs/client-ip {:mvn/version "0.1.1"}}}
+
+;; Leiningen
+[com.outskirtslabs/client-ip "0.1.1"]
+----
+
+== Quick Start
+
+[source,clojure]
+----
+(ns myapp.core
+  (:require [ol.client-ip.core :as client-ip]
+            [ol.client-ip.strategy :as strategy]))
+
+;; Simple case: behind a trusted proxy that sets X-Real-IP
+(def app
+  (-> handler
+      (client-ip/wrap-client-ip
+        {:strategy (strategy/single-ip-header-strategy "x-real-ip")})))
+
+;; The client IP is now available in the request
+(defn handler [request]
+  (let [client-ip (:ol/client-ip request)]
+    {:status 200
+     :body (str "Your IP is: " client-ip)}))
+----
+
+For detailed guidance on choosing strategies, see link:doc/modules/ROOT/pages/usage.adoc[Usage Guide].
+
+Choosing the wrong strategy can result in IP address spoofing security vulnerabilities.
+
+== Recommended Reading
+
+You think it is an easy question:
+
+____
+I have an HTTP application, I just want to know the IP address of my client.
+____
+
+But who is the client?
+
+____
+The computer on the other end of the network connection?
+____
+
+But which network connection? The one connected to your HTTP application is probably a reverse proxy or load balancer.
+
+____
+Well I mean the "user's IP address"
+____
+
+It ain't so easy kid.
+
+There are many good articles on the internet that discuss the perils and pitfalls of trying to answer this deceptively simple question.
+
+You _should_ read one or two of them to get an idea of the complexity in this space. Libraries, like this one, _cannot_ hide the complexity from you, there is no abstraction nor encapsulation nor "default best practice".
+
+Below are some of those good articles:
+
+* MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-For#security_and_privacy_concerns[X-Forwarded-For: Security and privacy concerns]
+* https://adam-p.ca/blog/2022/03/x-forwarded-for/[The perils of the "real" client IP] (https://web.archive.org/web/20250416042714/https://adam-p.ca/blog/2022/03/x-forwarded-for/[archive link])
+* https://www.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/[Rails IP Spoofing Vulnerabilities and Protection] (https://web.archive.org/web/20250421121810/https://www.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/[archive link])
+* https://casey.link/blog/client-ip-ring-middleware/[ol.client-ip: A Clojure Library to Prevent IP Spoofing]
+
+== Security
+
+See https://github.com/outskirtslabs/client-ip/security/advisories[here] for security advisories or to report a security vulnerability.
+
+== License
+
+Copyright (C) 2025 Casey Link <casey@outskirtslabs.com>
+
+Distributed under the https://github.com/outskirtslabs/client-ip/blob/main/LICENSE[MIT License].
@@ -1,6 +1,9 @@
 
 {:min-bb-version "0.8.156"
- :deps           {}
+ :deps           {outskirtslabs/bb-tasks
+                  {:git/url "https://github.com/outskirtslabs/bb-tasks"
+                   :git/sha "103fafddb29ea04b08083742684ab1bb39d87c27"}}
+ :pods           {clj-kondo/clj-kondo {:version "2024.11.14"}}
  :paths          ["resources" "scripts"]
  :tasks          {:requires         ([babashka.fs :as fs]
                                      [clojure.string :as str]
@@ -26,4 +29,21 @@
                   publish           {:doc     "Publish the clojure sdk libs to clojars"
                                      :depends [jar]
                                      :task    (clojure "-T:build deploy")}
-                  ci                {:depends [test fmt.check lint]}}}
+                  ci                {:depends [test fmt.check lint]}
+                  sync-readme       {:doc  "Sync README.adoc as Antora index page"
+                                     :task (let [readme (slurp "README.adoc")
+                                                 index (str/replace readme
+                                                         (re-pattern "link:doc/modules/ROOT/pages/([^\\[]+)\\[")
+                                                         "xref:$1[")]
+                                             (spit "doc/modules/ROOT/pages/index.adoc" index)
+                                             (println "Synced README.adoc -> doc/modules/ROOT/pages/index.adoc"))}
+                  gen-api-docs      {:doc  "Generate AsciiDoc API reference pages"
+                                     :task (let [gen (requiring-resolve 'ol.bb-tasks.gen-api-docs/generate!)
+                                                 branch (str/trim (:out (shell {:out :string} "git rev-parse --abbrev-ref HEAD")))]
+                                             (gen {:project-root "."
+                                                   :source-paths ["src"]
+                                                   :antora-start-path "doc"
+                                                   :github-repo "https://github.com/outskirtslabs/client-ip"
+                                                   :git-branch branch}))}
+                  gen-docs          {:doc     "Generate all Antora documentation"
+                                     :depends [sync-readme gen-api-docs]}}}
@@ -0,0 +1,6 @@
+---
+name: ol.client-ip
+title: Client IP
+version: '0.1'
+nav:
+  - modules/ROOT/nav.adoc
@@ -0,0 +1,4 @@
+* xref:index.adoc[Home]
+* xref:usage.adoc[Usage Guide]
+
+include::partial$api-nav.adoc[]
@@ -0,0 +1,67 @@
+= ol.client-ip.cidr
+
+[#cidr-parts]
+== cidr-parts
+
+[source,clojure]
+----
+(cidr-parts cidr)
+----
+
+Parse an ip network string into its prefix and signifcant bits
+
+`cidr` must be given in CIDR notation, as defined in [RFC 4632 section 3.1](https://tools.ietf.org/html/rfc4632#section-3.1)
+
+Returns a vector of [^InetAddress prefix ^Integer bits]
+
+
+[.api-source]
+link:https://github.com/outskirtslabs/client-ip/blob/v0.1.x/src/ol/client_ip/cidr.clj#L26-L39[source,window=_blank]
+
+'''
+
+[#contains-QMARK-]
+== contains?
+
+[source,clojure]
+----
+(contains? cidr ip)
+(contains? cidr-ip cidr-mask ip)
+----
+
+Check if the given CIDR contains the given IP address.
+ 
+ Arguments:
+   cidr - CIDR notation string (e.g. "192.168.0.0/24" or "2001:db8::/32")
+   ip   - IP address to check (can be InetAddress or string)
+
+
+[.api-source]
+link:https://github.com/outskirtslabs/client-ip/blob/v0.1.x/src/ol/client_ip/cidr.clj#L41-L61[source,window=_blank]
+
+'''
+
+[#reserved-ranges]
+== reserved-ranges
+
+
+
+
+[.api-source]
+link:https://github.com/outskirtslabs/client-ip/blob/v0.1.x/src/ol/client_ip/cidr.clj#L66-L93[source,window=_blank]
+
+'''
+
+[#reserved-QMARK-]
+== reserved?
+
+[source,clojure]
+----
+(reserved? ip)
+----
+
+Check if an IP is in a reserved range (loopback or private network).
+
+
+[.api-source]
+link:https://github.com/outskirtslabs/client-ip/blob/v0.1.x/src/ol/client_ip/cidr.clj#L95-L98[source,window=_blank]