clientAddressKey returns a stable identifier for rate-limit keying. It honours X-Forwarded-For only when the immediate peer is a configured trusted proxy; otherwise it returns the TCP peer IP. This prevents untrusted clients from spoofing rate-limit buckets via header.
| 431 | // trusted proxy; otherwise it returns the TCP peer IP. This prevents |
| 432 | // untrusted clients from spoofing rate-limit buckets via header. |
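//
// Of the X-Forwarded-For list the rightmost entry is used, never the first:
// proxies normally append the address they observed to whatever the client
// already sent, so the leftmost entry remains client-controlled even behind
// a trusted proxy, while the rightmost one was written by the trusted peer
// itself. The forwarded value is honoured only if it parses as an IP literal
// (an optional ":port" is stripped); anything else falls back to the TCP peer
// address so that every key is a well-formed IP. This covers a single trusted
// hop; with a chain of several trusted proxies the rightmost entry is the
// previous proxy and the list would have to be walked from the right past
// every trusted address — TODO confirm the deployed topology.
func (s *Server) clientAddressKey(r *http.Request) string {
	if s.peerIsTrustedProxy(r) {
		if ip := lastForwardedIP(r.Header.Get("X-Forwarded-For")); ip != "" {
			return ip
		}
	}
	// Untrusted peer (or unusable header): the TCP peer address is the only
	// value the client cannot choose.
	return addrHost(strings.TrimSpace(r.RemoteAddr))
}

// lastForwardedIP returns the rightmost X-Forwarded-For entry as a canonical
// IP string, or "" when the header is empty or that entry is not an IP.
func lastForwardedIP(xff string) string {
	i := strings.LastIndexByte(xff, ',')
	last := strings.TrimSpace(xff[i+1:])
	if last == "" {
		return ""
	}
	ip := net.ParseIP(addrHost(last))
	if ip == nil {
		return ""
	}
	// String() canonicalises (e.g. IPv6 hex case) so equal addresses map to
	// the same bucket.
	return ip.String()
}

// addrHost strips the ":port" suffix (and IPv6 brackets) when addr is in
// host:port form; otherwise it returns addr unchanged.
func addrHost(addr string) string {
	if h, _, err := net.SplitHostPort(addr); err == nil {
		return h
	}
	return addr
}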
| 448 | |
| 449 | func (s *Server) sessionStatus(w http.ResponseWriter, r *http.Request) { |
| 450 | cfg := s.currentConfig() |