Two related problems here, but only opening one issue:
1) The header used for determining the remote IP should be configurable. Not all providers use X-Forwarded-For (even if it is the de facto header) and chained proxies don't always result in a predictable result. Please change this from a hardcoded value to one having x-forwarded-for as a default, but can be overridden in the config.
2) The xff header is being split by the colon. This should be a comma.
The first side-effect is that in chained proxies all of the IP addresses show up increasing the chances that a user can register many addresses if there is a load balancer.
The second is that if the remote user is on IPv6, only the first 16 bits of the address are stored in the database, resulting in entire countries being limited to a single giveaway signup.
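
Added example, not part of the original issue or the project's code: a Python sketch contrasting the colon split reported above with a comma split, on constructed documentation-range addresses. The `header_name` and `trusted_hops` options and all function names are hypothetical, and the right-to-left selection goes beyond what the issue asks for.

```python
import ipaddress

DEFAULT_HEADER = "x-forwarded-for"  # default named in the issue; overridable

# Constructed sample values (documentation address ranges).
V6_CLIENT = "2001:db8:85a3::8a2e:370:7334"
CHAIN = "203.0.113.7, 198.51.100.10"

def split_by_colon(value):
    """The reported behaviour: splitting the header value on ':'."""
    return [part.strip() for part in value.split(":")]

def parse_forwarded(value):
    """Split on commas and keep only entries that parse as IP addresses."""
    addrs = []
    for part in value.split(","):
        try:
            addrs.append(str(ipaddress.ip_address(part.strip())))
        except ValueError:
            continue  # drop malformed or non-IP entries
    return addrs

def client_ip(headers, peer_addr, header_name=DEFAULT_HEADER, trusted_hops=1):
    """Return the single address to store for a signup.

    header_name and trusted_hops are hypothetical config options.
    trusted_hops is the number of proxies we operate that append to the
    header; the entry that many places from the right was written by our
    own outermost proxy, and anything further left is client-supplied.
    Falls back to the socket peer address when the header is unusable.
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    addrs = parse_forwarded(lookup.get(header_name.lower(), ""))
    if trusted_hops < 1 or len(addrs) < trusted_hops:
        return peer_addr
    return addrs[-trusted_hops]

if __name__ == "__main__":
    print(split_by_colon(V6_CLIENT)[0])  # only the first 16 bits survive
    print(split_by_colon(CHAIN))         # whole chain kept as one value
    print(client_ip({"X-Forwarded-For": CHAIN}, "10.0.0.5"))
```
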