hmrc / vat-api

Apache License 2.0

Gov-Client-Public-IP and Gov-Vendor-Forwarded fraud prevention headers don't support hybrid IPv4/IPv6 addresses #1013

Closed DigitalDan1 closed 7 months ago

DigitalDan1 commented 8 months ago

Bug report

Platforms like .NET will correctly provide hybrid IPv4/IPv6 addresses for public IP addresses. If these full addresses are provided in the fraud prevention headers they are seen as invalid by HMRC's API. As this format is common, correct, and unambiguous, it should be seen as valid fraud prevention data.

To Reproduce

Use ASP.NET to determine the user's external IP address. This can be in the hybrid format, e.g. ::ffff:216.58.201.110

Expected behaviour

The hybrid IP address to be accepted as a valid fraud prevention header value.

Additional context

I understand that I should contact the Software Developer Support Team directly at SDSTeam@hmrc.gov.uk, but I wanted to share this info for any other development teams seeing the same problem (I couldn't find anything when searching GitHub).

DigitalDan1 commented 7 months ago

The Software Developer Support Team have been very helpful. We eventually worked out what the problem was. Here's their response:

We can confirm the validation rules support processing of IPv4-mapped IPv6 addresses. This is why the error message states "not a public IP address" instead of an invalid IP address.

We believe we started seeing invalid fraud headers after some updates to our hosting environment, then incorrectly assumed the error was due to the change in formatting of the IP address, but we'd actually broken the way we determine the public IP address of the client. After fixing that the headers are valid.
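As an added illustration (not code from this issue or from the vat-api project), the pre-flight check below separates the two rejection reasons the thread draws apart: an IPv4-mapped IPv6 address is unwrapped and accepted when the embedded address is public, while a private hop address or unparseable text is flagged before anything is sent. Function names are my own and the sample addresses are constructed; only the standard library is used.

```python
import ipaddress
from typing import Optional, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def unwrap_mapped(raw: str) -> Addr:
    """Parse an address string. An IPv4-mapped IPv6 address (::ffff:a.b.c.d)
    is unwrapped to the embedded IPv4 address so that public/private checks
    run against the real address. Raises ValueError on non-IP text."""
    addr = ipaddress.ip_address(raw.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def classify_client_ip(raw: str) -> str:
    """Return 'invalid', 'not public' or 'public'. The middle case is the one
    the thread describes: syntactically fine, but not a public address."""
    try:
        addr = unwrap_mapped(raw)
    except ValueError:
        return "invalid"
    # is_global is False for RFC 1918, loopback, link-local, documentation
    # and similar ranges; unwrapping first matters because older Python
    # treats the whole ::ffff:0:0/96 block as non-global.
    return "public" if addr.is_global else "not public"


def gov_client_public_ip(raw: str) -> Optional[str]:
    """Canonical value to place in Gov-Client-Public-IP (hypothetical helper),
    or None if the address should not be sent as the client's public IP."""
    if classify_client_ip(raw) != "public":
        return None
    return str(unwrap_mapped(raw))


if __name__ == "__main__":
    # Constructed samples: a hybrid public address, a hybrid private address
    # (typical of a proxy hop inside a hosting environment) and garbage.
    for sample in ["::ffff:216.58.201.110", "::ffff:10.1.2.3", "not-an-ip"]:
        print(f"{sample!r:28} -> {classify_client_ip(sample):10} "
              f"header={gov_client_public_ip(sample)}")
```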