infoderm / patients

Patients meteor app
GNU Affero General Public License v3.0

Figure out the correct way to configure `trust proxy` and `HTTP_FORWARDED_COUNT` #979

Open make-github-pseudonymous-again opened 1 month ago

make-github-pseudonymous-again commented 1 month ago

Maybe this has to be configured for Meteor's router, or maybe this is incorrectly applied twice.

This currently does not work in api/healthcheck and api/ics. The consequence is that all requests fall in the same rate-limiting bucket, which is a UX concern as soon as we have more than one user.

See:

make-github-pseudonymous-again commented 1 month ago

Might help to add --full-app tests for token generation/revocation and/or api/ics route tests that check that the requestor IP address is correctly forwarded.

make-github-pseudonymous-again commented 1 month ago

Shower thought: could it be that this does not work because HTTP_FORWARDED_COUNT is a string and not a number?!

https://github.com/infoderm/patients/blob/22277516e4ed4783b11c1d99d6e4ca4d3a566cb4/server/api/healthcheck/index.ts#L13
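The shower thought above is about the type of `HTTP_FORWARDED_COUNT`. As an added example (not code from infoderm/patients), the block below is a dependency-free model of the documented Express `trust proxy` rules, where a number means "trust the n closest hops" and a string means a comma-separated list of trusted addresses, plus a validating reader for the environment variable. Assumptions: the string form is simplified to exact address matches (real Express parses those entries as IPs or subnets), and all names and addresses are made up.

```javascript
'use strict';

// Hop chain, Express style: the socket peer first, then the X-Forwarded-For
// entries from right to left, so index 0 is the proxy that talked to us.
function hops(remoteAddress, xff) {
  const forwarded = xff ? xff.split(',').map(s => s.trim()).filter(Boolean) : [];
  return [remoteAddress, ...forwarded.reverse()];
}

// Compile a `trust proxy` value into a predicate (address, hopIndex) => bool.
// The TYPE decides the rule: a number is a hop count, a string is an address
// list (simplified here to exact matches; assumption, not Express code).
function compileTrust(value) {
  if (typeof value === 'number') return (_addr, i) => i < value;
  if (typeof value === 'string') {
    const allow = new Set(value.split(',').map(s => s.trim()).filter(Boolean));
    return (addr) => allow.has(addr);
  }
  if (value === true) return () => true;  // trust everything: the header is client-controlled
  return () => false;
}

// Walk the chain and stop at the first untrusted address: that is the client
// IP a rate limiter should key on.
function clientIp(remoteAddress, xff, trust) {
  const chain = hops(remoteAddress, xff);
  const trusted = compileTrust(trust);
  for (let i = 0; i < chain.length - 1; i++) {
    if (!trusted(chain[i], i)) return chain[i];
  }
  return chain[chain.length - 1];
}

// Read HTTP_FORWARDED_COUNT as a number. process.env only ever yields strings,
// so coerce and validate here instead of handing the raw string to Express.
function forwardedCount(env) {
  const raw = env.HTTP_FORWARDED_COUNT;
  if (raw === undefined || raw === '') return 0;
  if (!/^\d{1,2}$/.test(raw)) {
    throw new TypeError(`HTTP_FORWARDED_COUNT must be a small integer, got ${JSON.stringify(raw)}`);
  }
  return Number(raw);
}

// Constructed sample: one reverse proxy (10.0.0.2) in front of the app.
const PROXY = '10.0.0.2';
console.log(clientIp(PROXY, '203.0.113.5', forwardedCount({ HTTP_FORWARDED_COUNT: '1' }))); // 203.0.113.5
console.log(clientIp(PROXY, '203.0.113.5', '1'));  // 10.0.0.2: every request keys on the proxy
```

With the numeric hop count, a client-supplied extra entry on the left of X-Forwarded-For is ignored, whereas `true` would key the limiter on whatever the client put there.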