frankenphp

src/Controllers/AuthController.php

@@ -40,7 +40,7 @@ final readonly class AuthController
         $username = (string)($data['username'] ?? '');
         $password = (string)($data['password'] ?? '');
 
-        $ip = $request->getServerParams()['REMOTE_ADDR'] ?? null;
+        $ip = getClientIp();
         $ua = $request->getHeaderLine('User-Agent') ?: null;
 
         $this->logger->info('Login submitted', [

src/Helpers/helpers.php

@@ -21,3 +21,76 @@ if (!function_exists('getStoragePercent')) {
         return $totalBytes > 0 ? ($categoryBytes / $totalBytes * 100) : 0;
     }
 }
+if (!function_exists('getClientIp')) {
+    function getClientIp(): string
+    {
+        $server = $_SERVER;
+
+        $candidates = [
+            $server['HTTP_CF_CONNECTING_IP'] ?? null,
+
+            extractForwardedIp($server['HTTP_FORWARDED'] ?? null),
+            extractForwardedIp($server['HTTP_X_FORWARDED_FOR'] ?? null),
+            extractForwardedIp($server['HTTP_FORWARDED_FOR'] ?? null),
+
+            $server['HTTP_X_REAL_IP'] ?? null,
+            $server['HTTP_CLIENT_IP'] ?? null,
+            $server['REMOTE_ADDR'] ?? null,
+        ];
+
+        foreach ($candidates as $ip) {
+            if ($ip === null) {
+                continue;
+            }
+
+            if ($valid = validateIp($ip)) {
+                return $valid;
+            }
+        }
+
+        return 'unknown';
+    }
+}
+
+if (!function_exists('extractForwardedIp')) {
+    function extractForwardedIp(?string $value): ?string
+    {
+        if (!$value) {
+            return null;
+        }
+
+        if (str_contains($value, 'for=')) {
+            if (preg_match('/for="?([^";, ]+)/i', $value, $m)) {
+                return $m[1];
+            }
+        }
+
+        $parts = explode(',', $value);
+
+        return trim($parts[0]) ?: null;
+    }
+}
+
+if (!function_exists('validateIp')) {
+    function validateIp(string $ip): ?string
+    {
+        $ip = trim($ip);
+
+        if ($ip === '') {
+            return null;
+        }
+
+        if (
+            str_contains($ip, ':') &&
+            !filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)
+        ) {
+            $ip = explode(':', $ip, 2)[0];
+        }
+
+        $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6;
+        
+        return filter_var($ip, FILTER_VALIDATE_IP, $flags)
+            ? $ip
+            : null;
+    }
+}

src/Middlewares/AuthMiddleware.php

@@ -10,6 +10,7 @@ use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\MiddlewareInterface;
 use Psr\Http\Server\RequestHandlerInterface;
+use Psr\Log\LoggerInterface;
 
 final class AuthMiddleware implements MiddlewareInterface
 {
@@ -26,6 +27,7 @@ final class AuthMiddleware implements MiddlewareInterface
     public function __construct(
         private readonly SessionRepository $sessions,
         private readonly UserRepository    $users,
+        private readonly LoggerInterface   $logger,
     )
     {
     }
@@ -35,6 +37,8 @@ final class AuthMiddleware implements MiddlewareInterface
         RequestHandlerInterface $handler
     ): ResponseInterface
     {
+        $this->logger->debug('getClientIp: ' . getClientIp());
+
         $path = $request->getUri()->getPath();
 
         $token = $request->getCookieParams()['auth_token'] ?? null;

src/Middlewares/ThrottleMiddleware.php

@@ -20,9 +20,8 @@ final class ThrottleMiddleware implements MiddlewareInterface
 
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
-        $ip = $request->getHeaderLine('X-Forwarded-For') ?: $request->getServerParams()['REMOTE_ADDR'] ?? 'unknown';
-        $ip = explode(',', $ip)[0];
-
+        $ip = getClientIp();
+        
         $stmt = $this->db->prepare("SELECT * FROM login_throttle WHERE ip = :ip ORDER BY id DESC LIMIT 1");
         $stmt->execute(['ip' => $ip]);
         $row = $stmt->fetch(PDO::FETCH_ASSOC);