PauluzzNL
commented
2 years ago @paragonie-security I've thought about your suggestion and played around a bit but I think there's several approaches that I wanted to check with you first.
Especially for the IP filtering for CloudFlare, there's multiple options:
- additional code that blows up the framework for IP validation and range checking
- add an external dependency to validate the IP address ranges such as https://github.com/mlocati/ip-lib which can be included with composer and has no other external dependencies -> in both of the above we could also choose to put the cloudflare ip's in a txt file with a quick command to update the file to the latest list fetched from CF
or
- make this a configuration option and leave out the validation as well
in that case there's also two options:
- create 1 configuration option to include deeper layer remote ip's (that enables CF, HTTP X FORWARDER FOR, HTTP_CLIENT_IP or
- create multiple options for the different checks
Could you share with me your preferences?
The library's default is to have the HMAC IP check enabled. This gives issues with sites that run through CloudFlare as the remote IP that CloudFlare connects from is different through requests. Thus this could result in an invalid request already if you have a page open for 2 minutes.
The added functionality adds support for the CloudFlare connecting IP and other commonly used proxy methods. With these changes you can continue to use the HMAC check through CloudFlare/proxies.