util/get-client-ip: also normalize IPv6 with port numbers

haraldschilly · haraldschilly · commit 1e9a15664c6a · 2025-08-29T11:26:40.000+02:00
diff --git a/src/packages/util/get-client-ip-address.test.ts b/src/packages/util/get-client-ip-address.test.ts
@@ -188,6 +188,15 @@ describe("getClientIpAddress()", () => {
       expect(result).toBe("192.0.2.60");
     });
 
+    it("should handle IPv4 addresses with ports in X-Forwarded-For", () => {
+      const req = createRequest({
+        "x-forwarded-for": "192.168.1.1:8080",
+      });
+
+      const result = getClientIpAddress(req);
+      expect(result).toBe("192.168.1.1");
+    });
+
     it("should handle multiple parameters in Forwarded header", () => {
       const req = createRequest({
         forwarded: "for=192.0.2.60;proto=http;by=203.0.113.43",
@@ -223,6 +232,33 @@ describe("getClientIpAddress()", () => {
       const result = getClientIpAddress(req);
       expect(result).toBeUndefined();
     });
+
+    it("should handle Forwarded header with spaces around commas", () => {
+      const req = createRequest({
+        forwarded: "for=192.0.2.60 , for=203.0.113.43",
+      });
+
+      const result = getClientIpAddress(req);
+      expect(result).toBe("192.0.2.60");
+    });
+
+    it("should handle Forwarded header with spaces around semicolons", () => {
+      const req = createRequest({
+        forwarded: "for=192.0.2.60 ; proto=http ; by=203.0.113.43",
+      });
+
+      const result = getClientIpAddress(req);
+      expect(result).toBe("192.0.2.60");
+    });
+
+    it("should handle Forwarded header with mixed spacing", () => {
+      const req = createRequest({
+        forwarded: "  for=192.0.2.60  ;  proto=http  ;  by=203.0.113.43  ",
+      });
+
+      const result = getClientIpAddress(req);
+      expect(result).toBe("192.0.2.60");
+    });
   });
 
   describe("IPv6 Support", () => {
@@ -252,6 +288,24 @@ describe("getClientIpAddress()", () => {
       const result = getClientIpAddress(req);
       expect(result).toBe("::1");
     });
+
+    it("should handle IPv6 addresses with ports", () => {
+      const req = createRequest({
+        "x-forwarded-for": "[2001:db8::1]:8080",
+      });
+
+      const result = getClientIpAddress(req);
+      expect(result).toBe("2001:db8::1");
+    });
+
+    it("should handle compressed IPv6 addresses with ports", () => {
+      const req = createRequest({
+        "x-forwarded-for": "[::1]:9000",
+      });
+
+      const result = getClientIpAddress(req);
+      expect(result).toBe("::1");
+    });
   });
 
   describe("Edge Cases", () => {
@@ -288,5 +342,23 @@ describe("getClientIpAddress()", () => {
       const result = getClientIpAddress(req);
       expect(result).toBe("192.168.1.1");
     });
+
+    it("should handle IP addresses with whitespace", () => {
+      const req = createRequest({
+        "x-forwarded-for": "  192.168.1.1  ",
+      });
+
+      const result = getClientIpAddress(req);
+      expect(result).toBe("192.168.1.1");
+    });
+
+    it("should handle IPv6 addresses with whitespace and ports", () => {
+      const req = createRequest({
+        "x-forwarded-for": "  [2001:db8::1]:8080  ",
+      });
+
+      const result = getClientIpAddress(req);
+      expect(result).toBe("2001:db8::1");
+    });
   });
 });
diff --git a/src/packages/util/get-client-ip-address.ts b/src/packages/util/get-client-ip-address.ts
@@ -23,8 +23,9 @@ export function getClientIpAddress(req: {
       // Handle comma-separated values (like X-Forwarded-For)
       const ips = headerValue.split(",").map((ip) => ip.trim());
       for (const ip of ips) {
-        if (isIP(ip)) {
-          return ip;
+        const processedIp = normalizeIPAddress(ip);
+        if (isIP(processedIp)) {
+          return processedIp;
         }
       }
     }
@@ -40,36 +41,24 @@ export function getClientIpAddress(req: {
   // https://github.com/pbojinov/request-ip/pull/71
   const forwardedHeader = getHeaderValue(req.headers, "forwarded");
   if (forwardedHeader) {
-    // Split by comma for multiple forwarded entries
-    const forwardedEntries = forwardedHeader.split(",");
+    // Split by comma for multiple forwarded entries, trimming each entry
+    const forwardedEntries = forwardedHeader.split(",").map(entry => entry.trim());
 
     for (const entry of forwardedEntries) {
-      // Split by semicolon for parameters
-      const params = entry.split(";");
+      // Split by semicolon for parameters, trimming each parameter
+      const params = entry.split(";").map(param => param.trim());
 
       for (const param of params) {
-        const trimmed = param.trim();
-        if (trimmed.toLowerCase().startsWith("for=")) {
-          let ipVal = trimmed.substring(4).trim();
+        if (param.toLowerCase().startsWith("for=")) {
+          let ipVal = param.substring(4).trim();
 
           // Remove quotes if present
           if (ipVal.startsWith('"') && ipVal.endsWith('"')) {
             ipVal = ipVal.slice(1, -1);
           }
 
-          // Handle IPv6 brackets
-          if (ipVal.startsWith("[") && ipVal.endsWith("]")) {
-            ipVal = ipVal.slice(1, -1);
-          }
-
-          // Handle port stripping for IPv4 addresses
-          if (ipVal.includes(":")) {
-            const parts = ipVal.split(":");
-            // Only strip port if it looks like IPv4:port (not IPv6)
-            if (parts.length === 2 && isIP(parts[0])) {
-              ipVal = parts[0];
-            }
-          }
+          // Normalize IP address (remove brackets and ports)
+          ipVal = normalizeIPAddress(ipVal);
 
           if (isIP(ipVal)) {
             return ipVal;
@@ -82,6 +71,40 @@ export function getClientIpAddress(req: {
   return undefined;
 }
 
+// Helper function to normalize IP address by removing brackets and ports
+function normalizeIPAddress(ip: string): string {
+  let processedIp = ip.trim();
+
+  // Remove IPv6 brackets if present (do this first!)
+  const bracketStart = processedIp.startsWith("[");
+  const closingBracketIndex = processedIp.indexOf("]");
+  const hasPortAfterBracket = closingBracketIndex > 0 && processedIp[closingBracketIndex + 1] === ":";
+  if (bracketStart && hasPortAfterBracket) {
+    // Extract IPv6 part and port: [2001:db8::1]:8080 -> 2001:db8::1:8080
+    processedIp = processedIp.substring(1, closingBracketIndex) + processedIp.substring(closingBracketIndex + 1);
+  } else if (processedIp.startsWith("[") && processedIp.endsWith("]")) {
+    // Simple bracket removal: [2001:db8::1] -> 2001:db8::1
+    processedIp = processedIp.slice(1, -1);
+  }
+
+  // Strip port if present (handles both IPv4:port and IPv6:port)
+  if (processedIp.includes(":")) {
+    const lastColonIndex = processedIp.lastIndexOf(":");
+    if (lastColonIndex > 0) {
+      const potentialPort = processedIp.substring(lastColonIndex + 1);
+      // If the part after the last colon looks like a port number
+      if (/^\d+$/.test(potentialPort)) {
+        const potentialIP = processedIp.substring(0, lastColonIndex);
+        if (isIP(potentialIP)) {
+          processedIp = potentialIP;
+        }
+      }
+    }
+  }
+
+  return processedIp;
+}
+
 // Helper function to get header value case-insensitively
 function getHeaderValue(
   headers: Record<string, string | string[] | undefined>,
