hub / github.com/ZenNotes/zennotes / clientAddressKey

Method clientAddressKey

apps/server/internal/httpserver/security.go:433–447

clientAddressKey returns a stable identifier for rate-limit keying. It honours X-Forwarded-For only when the immediate peer is a configured trusted proxy; otherwise it returns the TCP peer IP. This prevents untrusted clients from spoofing rate-limit buckets via header.

(r *http.Request)

Source from the content-addressed store, hash-verified

// trusted proxy; otherwise it returns the TCP peer IP. This prevents
// untrusted clients from spoofing rate-limit buckets via header.
func (s *Server) clientAddressKey(r *http.Request) string {
	if s.peerIsTrustedProxy(r) {
		if fwd := strings.TrimSpace(strings.Split(r.Header.Get("X-Forwarded-For"), ",")[0]); fwd != "" {
			if h, _, err := net.SplitHostPort(fwd); err == nil {
				return h
			}
			return fwd
		}
	}
	host := strings.TrimSpace(r.RemoteAddr)
	if h, _, err := net.SplitHostPort(host); err == nil {
		return h
	}
	return host
}

func (s *Server) sessionStatus(w http.ResponseWriter, r *http.Request) {
	cfg := s.currentConfig()

Callers 3

requireAuth (Method) · 0.95
watchWS (Method) · 0.95
sessionLogin (Method) · 0.95

Calls 1

peerIsTrustedProxy (Method) · 0.95

Tested by

no test coverage detected
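
The behaviour described in the docstring, as an added example that is not ZenNotes code: rateLimitKey copies the logic of clientAddressKey from the listing above, while trustedProxy, peerIsTrusted and request are hypothetical stand-ins, because the page does not show how peerIsTrustedProxy decides or how trusted proxies are configured. All addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// trustedProxy is a hypothetical trusted-proxy range (assumption, not from the page).
const trustedProxy = "10.0.0.0/8"

// peerIsTrusted is an assumed stand-in for peerIsTrustedProxy: TCP peer inside the range.
func peerIsTrusted(r *http.Request) bool {
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	_, n, _ := net.ParseCIDR(trustedProxy)
	ip := net.ParseIP(host)
	return ip != nil && n.Contains(ip)
}

// rateLimitKey mirrors clientAddressKey: the header counts only behind a trusted peer.
func rateLimitKey(r *http.Request) string {
	if peerIsTrusted(r) {
		if fwd := strings.TrimSpace(strings.Split(r.Header.Get("X-Forwarded-For"), ",")[0]); fwd != "" {
			if h, _, err := net.SplitHostPort(fwd); err == nil {
				return h // "ip:port" or "[v6]:port" form: drop the port
			}
			return fwd // bare IPv4 or IPv6 address
		}
	}
	host := strings.TrimSpace(r.RemoteAddr)
	if h, _, err := net.SplitHostPort(host); err == nil {
		return h
	}
	return host
}

// request builds a constructed request with the given TCP peer and X-Forwarded-For value.
func request(peer, xff string) *http.Request {
	return &http.Request{RemoteAddr: peer, Header: http.Header{"X-Forwarded-For": {xff}}}
}

func main() {
	// Direct, untrusted peer: the header is ignored and the key is the TCP peer IP.
	fmt.Println(rateLimitKey(request("203.0.113.9:40000", "198.51.100.1")))
	// Peer inside the trusted range: the first X-Forwarded-For entry becomes the key.
	fmt.Println(rateLimitKey(request("10.0.0.5:51000", "198.51.100.1, 10.0.0.7")))
}
```

Because the key is the first X-Forwarded-For entry, the trusted proxy has to overwrite any header it receives from clients rather than append to it; otherwise the first entry is still client-supplied.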