fix: read X-Forwarded-For for client IP in security audit events

[cschuerings]

Description

Fixes #421.

On reverse-proxy deployments (e.g. BTP Cloud Foundry), socket.remoteAddress returns the internal proxy/Go Router IP, not the real client IP. This makes the ipAddress field in security audit events (AttachmentSizeExceeded, AttachmentUploadRejected, AttachmentDownloadRejected) useless for security forensics.

Changes

Read X-Forwarded-For first and fall back to socket.remoteAddress when the header is absent — consistent with how @sap/approuter resolves the client IP (lib/utils/logger.js):

// before
const ipAddress = req.req?.socket?.remoteAddress

// after
const ipAddress = req.req?.headers?.["x-forwarded-for"] || req.req?.socket?.remoteAddress

The full X-Forwarded-For value is logged as-is (may be comma-separated when multiple proxies are in the chain). Falls back to socket.remoteAddress for direct connections without a proxy (e.g. local development).

[KoblerS]

According to https://expressjs.com/en/5x/api.html#req.ip req.ip should be set. Also verified locally using this example that this parameter is available:

const express = require("express");
const app = express();
const PORT = 3000;

app.get("/", (req, res) => {
  console.log("Client IP:", req.ip);
  res.send(`Your IP is: ${req.ip}`);
});

app.listen(PORT, () => {
  console.log(`Server running on http://localhost:${PORT}`);
});

[KoblerS]

Suggested change

	const ipAddress =
	req.req?.headers?.["x-forwarded-for"] || req.req?.socket?.remoteAddress
	const {ipAddress = req.req.ip

[KoblerS]

Suggested change

	const ipAddress =
	req.req?.headers?.["x-forwarded-for"] || req.req?.socket?.remoteAddress
	const {ipAddress = req.req.ip

[cschuerings]

Thanks for checking! However, req.ip doesn't help here in a typical BTP/Cloud Foundry deployment with an approuter in front.

req.ip respects trust proxy — but in CF the app server doesn't (and shouldn't) set app.set('trust proxy', true'), because CAP doesn't configure this. Without that setting, Express leaves req.ip as the raw socket address.

I verified this with a deployed test app (approuter → Express server) that logs all three values. When switching between networks, req.ip and socket.remoteAddress always show the same internal/private IP of the last hop — while X-Forwarded-For correctly reflects the real client IP:

Network 1:

"req.ip": "10.x.x.x",
"socket.remoteAddress": "10.x.x.x",
"x-forwarded-for": "203.x.x.x, 10.x.x.x, 52.x.x.x, 10.x.x.x"

Network 2 (different hotspot):

"req.ip": "10.x.x.x",
"socket.remoteAddress": "10.x.x.x",
"x-forwarded-for": "80.x.x.x, 10.x.x.x, 52.x.x.x, 10.x.x.x"

The internal IPs stay constant regardless of which network the client is on, while the first entry in X-Forwarded-For changes correctly with the client's public IP. Reading X-Forwarded-For directly is therefore necessary to get the real client IP in this deployment topology.

[schiwekM]

Thanks for noticing and please excuse that I overlooked the approuter scenario in the initial impl.