fix(security): improve IP detection and distributed replay prevention

ralyodio · ralyodio · commit 6a71a818d2c3 · 2026-02-07T10:25:56.000Z
1. X-Forwarded-For spoofing protection:
   - New centralized getClientIp() utility
   - Checks platform-specific headers (CF-Connecting-IP, X-Vercel-Forwarded-For)
   - Validates IP format to reject obviously spoofed values
   - Documents proxy configuration requirements

2. Distributed replay prevention:
   - Move seenSignatures to Supabase (seen_signatures table)
   - Works across multiple server instances
   - Falls back to in-memory if Supabase unavailable
   - Add checkAndRecordSignatureAsync for critical paths

Migration: supabase/migrations/20260207102400_create_seen_signatures.sql
diff --git a/src/app/api/auth/login/route.ts b/src/app/api/auth/login/route.ts
@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server';
 import { createClient } from '@supabase/supabase-js';
 import { login } from '@/lib/auth/service';
 import { checkRateLimitAsync } from '@/lib/web-wallet/rate-limit';
+import { getClientIp } from '@/lib/web-wallet/client-ip';
 import { z } from 'zod';
 
 /**
@@ -12,17 +13,6 @@ const loginSchema = z.object({
   password: z.string().min(1),
 });
 
-/**
- * Get client IP from request headers
- */
-function getClientIp(request: NextRequest): string {
-  return (
-    request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ||
-    request.headers.get('x-real-ip') ||
-    'unknown'
-  );
-}
-
 /**
  * POST /api/auth/login
  * Authenticate a merchant
diff --git a/src/app/api/auth/register/route.ts b/src/app/api/auth/register/route.ts
@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server';
 import { createClient } from '@supabase/supabase-js';
 import { register } from '@/lib/auth/service';
 import { checkRateLimitAsync } from '@/lib/web-wallet/rate-limit';
+import { getClientIp } from '@/lib/web-wallet/client-ip';
 import { z } from 'zod';
 
 /**
@@ -13,17 +14,6 @@ const registerSchema = z.object({
   name: z.string().optional(),
 });
 
-/**
- * Get client IP from request headers
- */
-function getClientIp(request: NextRequest): string {
-  return (
-    request.headers.get('x-forwarded-for')?.split(',')[0]?.trim() ||
-    request.headers.get('x-real-ip') ||
-    'unknown'
-  );
-}
-
 /**
  * POST /api/auth/register
  * Register a new merchant account
diff --git a/src/lib/web-wallet/client-ip.ts b/src/lib/web-wallet/client-ip.ts
@@ -0,0 +1,101 @@
+/**
+ * Client IP Detection Utility
+ * 
+ * Safely extracts client IP from request headers with proxy awareness.
+ * 
+ * SECURITY NOTES:
+ * - X-Forwarded-For can be spoofed if not behind a trusted proxy
+ * - Railway/Vercel/Cloudflare overwrite this header with the real client IP
+ * - For self-hosted deployments, ensure your reverse proxy (nginx, etc.)
+ *   is configured to set X-Forwarded-For correctly and strip any
+ *   client-provided values
+ * 
+ * Header priority:
+ * 1. CF-Connecting-IP (Cloudflare - most trusted)
+ * 2. X-Real-IP (nginx default)
+ * 3. X-Forwarded-For (first IP, set by proxy)
+ * 4. 'unknown' fallback
+ */
+
+import { NextRequest } from 'next/server';
+
+/**
+ * Extract client IP from request headers.
+ * Uses platform-specific headers when available for better accuracy.
+ */
+export function getClientIp(request: NextRequest): string {
+  // Cloudflare sets this reliably
+  const cfIp = request.headers.get('cf-connecting-ip');
+  if (cfIp && isValidIp(cfIp)) {
+    return cfIp.trim();
+  }
+
+  // Vercel sets this
+  const vercelIp = request.headers.get('x-vercel-forwarded-for');
+  if (vercelIp) {
+    const ip = vercelIp.split(',')[0]?.trim();
+    if (ip && isValidIp(ip)) {
+      return ip;
+    }
+  }
+
+  // Railway/nginx typically use X-Real-IP
+  const realIp = request.headers.get('x-real-ip');
+  if (realIp && isValidIp(realIp)) {
+    return realIp.trim();
+  }
+
+  // Standard X-Forwarded-For (first IP is client when proxy configured correctly)
+  const xff = request.headers.get('x-forwarded-for');
+  if (xff) {
+    const ip = xff.split(',')[0]?.trim();
+    if (ip && isValidIp(ip)) {
+      return ip;
+    }
+  }
+
+  return 'unknown';
+}
+
+/**
+ * Basic IP format validation to reject obviously spoofed values.
+ * Accepts IPv4 and IPv6 formats.
+ */
+function isValidIp(ip: string): boolean {
+  const trimmed = ip.trim();
+  
+  // Reject empty or obviously invalid
+  if (!trimmed || trimmed.length > 45) return false;
+  
+  // IPv4: basic pattern check
+  const ipv4Pattern = /^(\d{1,3}\.){3}\d{1,3}$/;
+  if (ipv4Pattern.test(trimmed)) {
+    // Validate each octet is 0-255
+    const octets = trimmed.split('.').map(Number);
+    return octets.every(o => o >= 0 && o <= 255);
+  }
+  
+  // IPv6: basic pattern check (simplified, allows common formats)
+  const ipv6Pattern = /^[a-fA-F0-9:]+$/;
+  if (ipv6Pattern.test(trimmed) && trimmed.includes(':')) {
+    return true;
+  }
+  
+  // IPv4-mapped IPv6
+  if (trimmed.startsWith('::ffff:')) {
+    return isValidIp(trimmed.slice(7));
+  }
+  
+  return false;
+}
+
+/**
+ * Get a rate limit key that includes IP but is harder to spoof.
+ * Combines IP with other request characteristics.
+ */
+export function getRateLimitKey(request: NextRequest, prefix: string): string {
+  const ip = getClientIp(request);
+  // Could add user-agent hash for additional entropy, but might cause
+  // issues with legitimate users changing browsers
+  return `${prefix}:${ip}`;
+}
diff --git a/src/lib/web-wallet/rate-limit.ts b/src/lib/web-wallet/rate-limit.ts
@@ -282,12 +282,8 @@ export function resetRateLimits(): void {
 // ──────────────────────────────────────────────
 
 /**
- * In-memory store of recently seen signature hashes.
- * Prevents the same signed request from being replayed.
- * Entries expire after the timestamp window (5 minutes).
- * 
- * Note: For multi-instance deployments, consider moving to Supabase
- * similar to rate limiting above.
+ * Distributed replay prevention using Supabase.
+ * Falls back to in-memory for development or when Supabase is unavailable.
  */
 const seenSignatures = new Map<string, number>();
 
@@ -308,6 +304,34 @@ function ensureSigCleanupRunning() {
   if (sigCleanupInterval.unref) sigCleanupInterval.unref();
 }
 
+/**
+ * Check and record signature using Supabase (distributed)
+ */
+async function checkSignatureSupabase(signatureHash: string): Promise<boolean | null> {
+  const sb = getSupabase();
+  if (!sb) return null;
+
+  try {
+    // Try to insert - will fail if exists (primary key constraint)
+    const { error } = await sb
+      .from('seen_signatures')
+      .insert({ hash: signatureHash, seen_at: new Date().toISOString() });
+
+    if (error) {
+      // Check if it's a duplicate key error
+      if (error.code === '23505') {
+        return false; // Replay detected
+      }
+      throw error;
+    }
+
+    return true; // Fresh signature
+  } catch (error) {
+    console.error('[ReplayPrevention] Supabase error:', error);
+    return null; // Fall back to in-memory
+  }
+}
+
 /**
  * Check if a signature has been seen before (replay prevention).
  * Returns true if the signature is fresh (not a replay).
@@ -318,6 +342,39 @@ function ensureSigCleanupRunning() {
 export function checkAndRecordSignature(signatureHash: string): boolean {
   ensureSigCleanupRunning();
 
+  // Check in-memory first (fast path)
+  if (seenSignatures.has(signatureHash)) {
+    return false;
+  }
+
+  // Record in memory
+  seenSignatures.set(signatureHash, Date.now());
+
+  // Fire-and-forget Supabase sync for distributed tracking
+  if (useSupabase) {
+    checkSignatureSupabase(signatureHash).catch(() => {});
+  }
+
+  return true;
+}
+
+/**
+ * Async version that waits for Supabase (use for critical paths)
+ */
+export async function checkAndRecordSignatureAsync(signatureHash: string): Promise<boolean> {
+  // Try Supabase first
+  const sbResult = await checkSignatureSupabase(signatureHash);
+  if (sbResult !== null) {
+    // Also update in-memory cache
+    if (sbResult) {
+      seenSignatures.set(signatureHash, Date.now());
+    }
+    return sbResult;
+  }
+
+  // Fallback to in-memory
+  ensureSigCleanupRunning();
+  
   if (seenSignatures.has(signatureHash)) {
     return false;
   }
diff --git a/supabase/migrations/20260207102400_create_seen_signatures.sql b/supabase/migrations/20260207102400_create_seen_signatures.sql
@@ -0,0 +1,26 @@
+-- Signature replay prevention for distributed deployments
+-- Stores recently used signature hashes to prevent replay attacks
+
+CREATE TABLE IF NOT EXISTS seen_signatures (
+  hash TEXT PRIMARY KEY,
+  seen_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Index for cleanup queries
+CREATE INDEX IF NOT EXISTS idx_seen_signatures_seen_at ON seen_signatures(seen_at);
+
+-- RLS: Only service role can access (server-side only)
+ALTER TABLE seen_signatures ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "Service role only" ON seen_signatures
+  FOR ALL USING (auth.role() = 'service_role');
+
+-- Auto-cleanup function (remove signatures older than 5 minutes)
+CREATE OR REPLACE FUNCTION cleanup_seen_signatures()
+RETURNS void AS $$
+BEGIN
+  DELETE FROM seen_signatures WHERE seen_at < NOW() - INTERVAL '5 minutes';
+END;
+$$ LANGUAGE plpgsql;
+
+COMMENT ON TABLE seen_signatures IS 'Replay prevention - tracks used signatures within 5-minute window';
