Use the RealIP middleware also behind a reverse proxy (#2858)
* Use the RealIP middleware only behind a reverse proxy * Fix proxy ip source in tests * Fix test for PR#2087 The PR did not update the test after changing the behavior, but the test still passed because another condition was preventing the user from being created in the test. * Use RealIP even without a trusted reverse proxy * Use own type for context key * Fix casing to follow go's conventions * Do not apply RealIP middleware twice * Fix IP source in logs The most interesting data point in the log message is the proxy's IP, but having the client IP too can help identify integration issues.
This commit is contained in:
crazygolem
+24
-8
@@ -11,6 +11,10 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/navidrome/navidrome/model/request"
|
||||
|
||||
"github.com/google/uuid"
|
||||
|
||||
"github.com/navidrome/navidrome/conf"
|
||||
"github.com/navidrome/navidrome/consts"
|
||||
"github.com/navidrome/navidrome/core/auth"
|
||||
@@ -62,6 +66,13 @@ var _ = Describe("Auth", func() {
|
||||
})
|
||||
|
||||
Describe("Login from HTTP headers", func() {
|
||||
const (
|
||||
trustedIpv4 = "192.168.0.42"
|
||||
untrustedIpv4 = "8.8.8.8"
|
||||
trustedIpv6 = "2001:4860:4860:1234:5678:0000:4242:8888"
|
||||
untrustedIpv6 = "5005:0:3003"
|
||||
)
|
||||
|
||||
fs := os.DirFS("tests/fixtures")
|
||||
|
||||
BeforeEach(func() {
|
||||
@@ -75,7 +86,7 @@ var _ = Describe("Auth", func() {
|
||||
})
|
||||
|
||||
It("sets auth data if IPv4 matches whitelist", func() {
|
||||
req.RemoteAddr = "192.168.0.42:25293"
|
||||
req = req.WithContext(request.WithReverseProxyIp(req.Context(), trustedIpv4))
|
||||
serveIndex(ds, fs, nil)(resp, req)
|
||||
|
||||
config := extractAppConfig(resp.Body.String())
|
||||
@@ -85,7 +96,7 @@ var _ = Describe("Auth", func() {
|
||||
})
|
||||
|
||||
It("sets no auth data if IPv4 does not match whitelist", func() {
|
||||
req.RemoteAddr = "8.8.8.8:25293"
|
||||
req = req.WithContext(request.WithReverseProxyIp(req.Context(), untrustedIpv4))
|
||||
serveIndex(ds, fs, nil)(resp, req)
|
||||
|
||||
config := extractAppConfig(resp.Body.String())
|
||||
@@ -93,7 +104,7 @@ var _ = Describe("Auth", func() {
|
||||
})
|
||||
|
||||
It("sets auth data if IPv6 matches whitelist", func() {
|
||||
req.RemoteAddr = "[2001:4860:4860:1234:5678:0000:4242:8888]:25293"
|
||||
req = req.WithContext(request.WithReverseProxyIp(req.Context(), trustedIpv6))
|
||||
serveIndex(ds, fs, nil)(resp, req)
|
||||
|
||||
config := extractAppConfig(resp.Body.String())
|
||||
@@ -103,23 +114,28 @@ var _ = Describe("Auth", func() {
|
||||
})
|
||||
|
||||
It("sets no auth data if IPv6 does not match whitelist", func() {
|
||||
req.RemoteAddr = "[5005:0:3003]:25293"
|
||||
req = req.WithContext(request.WithReverseProxyIp(req.Context(), untrustedIpv6))
|
||||
serveIndex(ds, fs, nil)(resp, req)
|
||||
|
||||
config := extractAppConfig(resp.Body.String())
|
||||
Expect(config["auth"]).To(BeNil())
|
||||
})
|
||||
|
||||
It("sets no auth data if user does not exist", func() {
|
||||
req.Header.Set("Remote-User", "INVALID_USER")
|
||||
It("creates user and sets auth data if user does not exist", func() {
|
||||
newUser := "NEW_USER_" + uuid.NewString()
|
||||
|
||||
req = req.WithContext(request.WithReverseProxyIp(req.Context(), trustedIpv4))
|
||||
req.Header.Set("Remote-User", newUser)
|
||||
serveIndex(ds, fs, nil)(resp, req)
|
||||
|
||||
config := extractAppConfig(resp.Body.String())
|
||||
Expect(config["auth"]).To(BeNil())
|
||||
parsed := config["auth"].(map[string]interface{})
|
||||
|
||||
Expect(parsed["username"]).To(Equal(newUser))
|
||||
})
|
||||
|
||||
It("sets auth data if user exists", func() {
|
||||
req.RemoteAddr = "192.168.0.42:25293"
|
||||
req = req.WithContext(request.WithReverseProxyIp(req.Context(), trustedIpv4))
|
||||
serveIndex(ds, fs, nil)(resp, req)
|
||||
|
||||
config := extractAppConfig(resp.Body.String())
|
||||
|
||||
Reference in New Issue
Block a user