Ole-Morten Duesund
fc1f7259c5
Go backend with server-rendered HTML/HTMX frontend, SQLite database, and filesystem image storage. Self-hostable single-binary architecture. Phase 1 — Authentication & project foundation: - Argon2id password hashing with timing-attack prevention - Session management with cookie-based auth and periodic cleanup - Login, signup (open/requests/closed modes), logout, forced password reset - CSRF double-submit cookie pattern with HTMX auto-inclusion - Proxy-aware real IP extraction (WireGuard/Tailscale support) - Configurable base path for subdomain and subpath deployment - Rate limiting on auth endpoints with background cleanup - Security headers (CSP, X-Frame-Options, Referrer-Policy) - Structured logging with slog, graceful shutdown - Pico CSS + HTMX vendored and embedded via go:embed Phase 2 — Faves CRUD with tags and images: - Full CRUD for favorites with ownership checks - Image upload with EXIF stripping, resize to 1920px, UUID filenames - Tag system with HTMX autocomplete (prefix search, popularity-sorted) - Privacy controls (public/private per fave, user-configurable default) - Tag browsing, pagination, batch tag loading (avoids N+1) - OpenGraph meta tags on public fave detail pages Includes code quality pass: extracted shared helpers, fixed signup request persistence bug, plugged rate limiter memory leak, removed dead code, and logged previously-swallowed errors. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
68 lines
1.7 KiB
Go
68 lines
1.7 KiB
Go
// SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
package middleware
|
|
|
|
import (
|
|
"context"
|
|
"net"
|
|
"net/http"
|
|
"strings"
|
|
)
|
|
|
|
// RealIP extracts the real client IP from X-Forwarded-For, but only if the
|
|
// direct connection comes from a trusted proxy. This is essential when Caddy
|
|
// runs on a different machine (e.g. connected via WireGuard/Tailscale).
|
|
func RealIP(trustedProxies []*net.IPNet) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
ip := extractRealIP(r, trustedProxies)
|
|
ctx := context.WithValue(r.Context(), realIPKey, ip)
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
})
|
|
}
|
|
}
|
|
|
|
func extractRealIP(r *http.Request, trusted []*net.IPNet) string {
|
|
// Get the direct connection IP.
|
|
directIP, _, _ := net.SplitHostPort(r.RemoteAddr)
|
|
if directIP == "" {
|
|
directIP = r.RemoteAddr
|
|
}
|
|
|
|
// Only trust X-Forwarded-For if the direct connection is from a trusted proxy.
|
|
if !isTrusted(directIP, trusted) {
|
|
return directIP
|
|
}
|
|
|
|
// Parse X-Forwarded-For: client, proxy1, proxy2
|
|
// The rightmost non-trusted IP is the real client.
|
|
xff := r.Header.Get("X-Forwarded-For")
|
|
if xff == "" {
|
|
return directIP
|
|
}
|
|
|
|
ips := strings.Split(xff, ",")
|
|
// Walk from right to left, finding the first non-trusted IP.
|
|
for i := len(ips) - 1; i >= 0; i-- {
|
|
ip := strings.TrimSpace(ips[i])
|
|
if !isTrusted(ip, trusted) {
|
|
return ip
|
|
}
|
|
}
|
|
|
|
// All IPs in the chain are trusted; use the leftmost.
|
|
return strings.TrimSpace(ips[0])
|
|
}
|
|
|
|
func isTrusted(ipStr string, nets []*net.IPNet) bool {
|
|
ip := net.ParseIP(ipStr)
|
|
if ip == nil {
|
|
return false
|
|
}
|
|
for _, n := range nets {
|
|
if n.Contains(ip) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|