imperfectandcompany / Imperfect-Gamers-Site-Store

Our robust community site integrating Steam for enhanced user interactions and data management, powered by Remix with Tailwind CSS for optimistic, responsive UI. Features CI/CD with GitHub Actions and Docker for seamless deployment and maintenance.
https://store.imperfectgamers.org/

Failed to determine client IP address for basket creation #4

Closed cheesea3 closed 3 months ago

cheesea3 commented 4 months ago

Problem: When creating baskets on the Tebex platform via our backend server, we need to specify the client's IP address explicitly. This requirement is due to the fact that the API calls are proxied through our backend-for-frontend server, which masks the original IP address of the user.

Endpoint Affected: {{baseUrl}}/api/accounts/:webstoreIdentifier/baskets

Example API Call:

curl --location -g '{{baseUrl}}/api/accounts/{{webstoreIdent}}/baskets' \
--header 'Content-Type: application/json' \
--data '{
    "ip_address": "{{ipAddress}}"
}'

Current Behavior: The getClientIPAddress utility from remix-utils is not successfully retrieving the client's IP address after deployment to our server. This issue did not arise during local development as the relevant headers used to extract the IP address are not present when testing locally.

Expected Behavior: The utility should accurately determine and forward the client's IP address for API requests.

Server Configuration: We are running our application in a Dockerized environment with Nginx serving as a reverse proxy. Nginx is configured to forward requests to our Node.js app server running inside another Docker container. The Nginx server is set up to handle SSL termination and proxy requests to the app server on the internal Docker network.

Here is a relevant snippet from our Nginx configuration:

location / {
    proxy_pass http://app_server;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    # Potentially missing headers that could carry the client's real IP address
    # proxy_set_header X-Real-IP $remote_addr;
    # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Observation: The client IP address determination is expected to not work locally but is not supposed to fail when deployed to our server, which suggests that the Nginx proxy may not be forwarding the client's IP address properly to the app server.

Next Steps: We need to investigate our Nginx configuration to ensure that it correctly forwards the necessary headers for getClientIPAddress to function correctly. Specifically, we suspect that the X-Real-IP or X-Forwarded-For headers might not be set, which are often used to convey the original client IP address in proxied requests.

Additionally, here are the Docker service definitions related to our app and Nginx:

services:
  app:
    # App service details
  nginx:
    # Nginx service details
    # Including volumes for Nginx configuration and SSL certificates

Documentation Reference: Tebex API Create Basket Endpoint

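The forwarding-header problem described in the issue above, as an added example that is not part of the original issue, the Imperfect-Gamers-Site-Store repository, or remix-utils. It shows what an app server behind a reverse proxy actually receives in the three situations the issue describes (local development with no headers, Nginx without the commented-out proxy_set_header lines, and Nginx with X-Real-IP / X-Forwarded-For set), and why the headers should only be consulted when the TCP peer is our own proxy. The function names, the TRUSTED_PROXIES address, the sample header sets and the sample socket addresses are all assumptions constructed for this illustration.

```javascript
// Added example: resolve a client IP from proxied request headers, trusting
// forwarding headers only when the request arrived from our own reverse proxy.
// Not code from the repository or from remix-utils; all names and addresses
// below are assumptions constructed for this illustration.

// Assumed Docker-network address of the nginx container as seen by the app
// server. Only this peer is allowed to tell us who the real client is.
const TRUSTED_PROXIES = new Set(["172.18.0.2"]);

function parseForwardedFor(value) {
  // X-Forwarded-For is "client, proxy1, proxy2": each proxy appends the
  // address it received the request from, so the rightmost entry was
  // written by the hop closest to us and is the only one we can vouch for.
  return String(value)
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean);
}

// headers: plain object with lower-cased keys, as Node.js exposes them.
// socketAddress: the TCP peer address (req.socket.remoteAddress).
function resolveClientIp(headers, socketAddress) {
  if (!TRUSTED_PROXIES.has(socketAddress)) {
    // Request did not come through our proxy: any forwarding header was
    // supplied by the client itself and must be ignored.
    return { ip: socketAddress, source: "socket" };
  }
  const xff = headers["x-forwarded-for"];
  if (xff) {
    const chain = parseForwardedFor(xff);
    // Walk from the right, skipping addresses that belong to our own
    // proxies; the first other address is the client as seen by the edge.
    for (let i = chain.length - 1; i >= 0; i--) {
      if (!TRUSTED_PROXIES.has(chain[i])) {
        return { ip: chain[i], source: "x-forwarded-for" };
      }
    }
  }
  const real = headers["x-real-ip"];
  if (real) return { ip: real.trim(), source: "x-real-ip" };
  // Trusted proxy, but it set no forwarding headers: the deployed-server
  // failure mode from the issue. Report it instead of silently using the
  // proxy's own address, which would make every user share one IP.
  return { ip: null, source: "missing-forwarding-headers" };
}

// Builds the body for the Tebex basket call and refuses to proceed when no
// client IP could be determined, so the misconfiguration surfaces as an error.
function basketPayload(headers, socketAddress) {
  const { ip, source } = resolveClientIp(headers, socketAddress);
  if (!ip) throw new Error(`cannot create basket: client IP unavailable (${source})`);
  return { ip_address: ip };
}

// Constructed sample requests mirroring the situations in the issue.
const SAMPLES = {
  // Local dev: app reached directly, no proxy headers, peer is loopback.
  localDev: { headers: {}, socket: "127.0.0.1" },
  // Deployed, nginx without proxy_set_header X-Real-IP / X-Forwarded-For.
  nginxWithoutHeaders: { headers: {}, socket: "172.18.0.2" },
  // Deployed, nginx with both headers uncommented.
  nginxWithHeaders: {
    headers: { "x-forwarded-for": "203.0.113.9", "x-real-ip": "203.0.113.9" },
    socket: "172.18.0.2",
  },
  // Client sent its own X-Forwarded-For; $proxy_add_x_forwarded_for appended
  // the real peer address, so the rightmost entry is still authoritative.
  clientHeaderThroughNginx: {
    headers: { "x-forwarded-for": "198.51.100.1, 203.0.113.9" },
    socket: "172.18.0.2",
  },
  // Client bypassed the proxy and sent X-Forwarded-For directly: ignored.
  clientHeaderDirect: {
    headers: { "x-forwarded-for": "198.51.100.1" },
    socket: "203.0.113.9",
  },
};

function runSamples() {
  const out = {};
  for (const [name, s] of Object.entries(SAMPLES)) {
    out[name] = resolveClientIp(s.headers, s.socket);
  }
  return out;
}

console.log(runSamples());
```

With the two proxy_set_header lines still commented out, the nginxWithoutHeaders sample is the only one that yields no IP at all, which is exactly the deployed failure in the issue; uncommenting them moves that case to the nginxWithHeaders result. The trusted-peer check matters because X-Forwarded-For is client-controllable text: without it, anyone who can reach the app server directly could choose the ip_address sent to Tebex.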

cheesea3 commented 3 months ago

This issue has been resolved with the merge of PR #6. The changes in this PR address the issues with the Tebex API authentication and secure handling of environment variables.

The changes include:

These changes have been tested and verified both locally and in the dev environment. With these changes, we have not only resolved the immediate issue with the Tebex API but also strengthened our overall security practices, particularly with regard to how we manage sensitive information (secrets) in a public repository setting.

As the changes have been merged into the Dev branch, I'm closing this issue.

1 vulnerability addressed:
- **hardcoded-credentials** Embedding credentials in source code risks unauthorized access - https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password